1.    02 Jun 2016 #1
    Join Date : Mar 2016
    Posts : 17
    Windows 10

    Idea for ransomware protection of network drives


    I like backing up to local drives--I back up to the cloud also, but I like knowing I can get my data back quickly, even if the internet is down, as long as it's a simple problem like a main hard drive failure. But in order to do automatic local backups that don't require constant attendance, I need to keep the drive always connected through USB or the network. And that means it is vulnerable to ransomware--if it can see my files it can encrypt the entire backup.

    So I have been wondering if there is some way to protect my backups even when the drive is connected. I am learning about Windows Firewall right now, and it occurred to me---could Firewall rules be used to block access to the network drive except for the backup program?

    EDIT: another idea is to create a User Account specifically for running the backup program. All other users or user groups would then be denied permission to modify the network drive. It would be very helpful if it were possible to deny the Administrators group such permission, because I think the ransomware may be running as an admin. But can an admin just change the permissions back? Would the ransomware authors have thought of that capability, or would the ransomware just skip the network drive if it doesn't immediately have write/modify permission? Not sure anyone has a hard answer to these questions.
  2.    02 Jun 2016 #2

    Hi there
    If it's a backup server the really easy way to do this is via a simple LINUX script (perhaps someone more experienced with Windows than me could replicate this on a Windows server).

    You MOUNT the backup device (it can be permanently connected via USB, but left "Unmounted" by default).
    Run your backup -- this can be done presumably from a remote Windows machine or the local server via a scheduled job (Linux CRONTAB) or some type of scheduling system (Windows).
    After the backup has run, unmount (UMOUNT) the device.

    [Attachment: snapshot13.png]

    While the device is UNMOUNTED the OS won't have any access to the device even though it's still physically connected to the machine -- not strictly speaking 100% true - but you need to have root privileges and even here any alteration to the file system will require a response from the console so effectively it's decently protected.

    There should be some commands in Windows to attach / detach devices -- if you can do that then your problem is essentially solved.

    My stuff (Windows) is backed up to a NAS server running Linux where I use that type of script.

    Cheers
    jimbo
  3.    02 Jun 2016 #3
    Join Date : Mar 2016
    Posts : 17
    Windows 10
    Thread Starter

    Thanks, good idea!

    One minor flaw is that the drive is still vulnerable during the period it is mounted. Once ransomware is on the computer, it will probably just keep running and looking for more files. If I don't catch it before the next time the network drive mounts, there's still a risk of loss. I wonder if Firewall rules can, possibly, prevent any unwanted access, at any time. I am not clear on how sophisticated the firewall rules get. It would have to filter out traffic that (1) originates from a program other than the backup program, and (2) is headed to or from the network drive. So the rules would have something to do with both the executable and the network destination.
  4.    02 Jun 2016 #4

    Quote Originally Posted by mike1127 View Post
    Thanks, good idea!

    One minor flaw is that the drive is still vulnerable during the period it is mounted. Once ransomware is on the computer, it will probably just keep running and looking for more files. If I don't catch it before the next time the network drive mounts, there's still a risk of loss. I wonder if Firewall rules can, possibly, prevent any unwanted access, at any time. I am not clear on how sophisticated the firewall rules get. It would have to filter out traffic that (1) originates from a program other than the backup program, and (2) is headed to or from the network drive. So the rules would have something to do with both the executable and the network destination.
    Hi there

    While backup is running disconnect from the Internet.

    So your program / script should look something like this

    1) Disconnect from Internet
    2) Run scan for Ransomware -- if detected take remedial action, otherwise continue.
    3) Mount remote HDDs / attached HDDs - target for your backup
    4) Run the backup
    5) Detach / unmount the HDDs.
    6) Re-connect to Internet etc.
    7) Optionally send notification - job finished.

    I'd suggest disconnecting from the internet (you can keep your LAN internally connected of course) first - otherwise you theoretically could catch some ransomware even while the backup is running. You need the Internet to be disconnected from the machine which has the SOURCE disks (the disks that are being backed up). I'd also disconnect internet from the server too (Destination for backups).

    I don't think a Windows firewall will either help or hinder installation of Ransomware -- it could pose as a perfectly innocent program, so how would you detect that it's not the genuine program, say photoshop.exe, and a rogue version also called photoshop.exe? Malware attacks can dynamically (i.e. on the fly) change the name of a program temporarily, so a bog standard firewall isn't the answer in this case. After doing its business the ransomware will quietly disappear, so your photoshop.exe program, say, is just as it was before.

    A decent SCAN for ransomware while disconnected from the net is probably the best answer - run BEFORE starting backup. What some of the best scanning programs will do is have a map of your installed programs with release etc and compare against a catalog of the "official" versions of these programs --this can never be 100% effective but probably reasonably so. Usually the best defense against Ransomware is to surf safely and never open unknown attachments or emails from people you don't know.

    The real problem with HDD access is to ensure only programs with the correct privileges have them - and unfortunately Windows is a bit weak in that area, as there are all sorts of nasties that people can do to get into "admin mode". In Linux gaining unauthorized Root (admin) access is not impossible but a whole lot tougher to do, so you shouldn't have any significant problems if you use that type of server for your destination -- of course there's no point copying / backing up an HDD already encrypted by Ransomware though.

    A decent firewall will protect against some sites and prevent unauthorised external users gaining access (or even unauthorised INTERNAL users gaining access to sites and programs you don't want them to access), so it's good to have one of those - but things like ransomware and other types of malware and adware are very difficult if not impossible to block by just a firewall. A lot of these types of protections were developed a while ago when the OSes and threats were very different to what we have now. IMO Computer security is still stuck in the 20th century -- we need something MUCH better today -- what it is and how to do it I've no idea -- but remember a lot of problems are caused by SCAMS which software can't defend against, so whatever system you employ you will need to always use common sense. Too many people just sling on some 3rd party AV software and think "that's OK, my machine is 100% protected" -- BIG MISTAKE.

    Cheers
    jimbo
    Last edited by jimbo45; 02 Jun 2016 at 02:28.
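Jimbo's seven-step cycle written out as a Linux shell script in the way he describes it (an added example, not jimbo's own script or anyone's code from this thread). The device path, mount point, source tree, WAN interface, rsync as the backup tool and clamscan as the scanner are all assumptions, overridable through the environment variables at the top; DRY_RUN=1 prints the privileged commands instead of running them, so the order can be checked before the job goes into crontab.

```shell
#!/bin/sh
# Added example (not jimbo's own script): the offline / scan / mount /
# backup / unmount / online cycle from the post above, in the order listed.
# Every value below is an assumption: device, mount point, source tree,
# WAN interface, rsync as the backup tool and clamscan as the scanner.
set -eu

BACKUP_DEV="${BACKUP_DEV:-/dev/sdb1}"      # the normally-unmounted backup disk
MOUNT_POINT="${MOUNT_POINT:-/mnt/backup}"
SOURCE_DIR="${SOURCE_DIR:-/home}"          # what gets backed up
WAN_IFACE="${WAN_IFACE:-eth0}"             # internet-facing link; LAN stays up
DRY_RUN="${DRY_RUN:-0}"                    # 1 = print privileged commands only

# Every device or network command passes through here, so the whole
# sequence can be rehearsed with DRY_RUN=1 before it is handed to cron.
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "DRY: $*"; else "$@"; fi
}

# Step 2: a non-zero exit means "something found" or "scanner failed";
# either way the existing good backup must not be overwritten.
scan_for_ransomware() {
    run clamscan --recursive --infected "$SOURCE_DIR"
}

backup_cycle() {
    run ip link set "$WAN_IFACE" down                    # 1) go offline
    # if anything below aborts, still unmount and restore the link
    trap 'run umount "$MOUNT_POINT" || true; run ip link set "$WAN_IFACE" up' EXIT
    if ! scan_for_ransomware; then
        echo "scan failed or found something: backup skipped" >&2
        return 2                                         # 2) remedial action
    fi
    run mount "$BACKUP_DEV" "$MOUNT_POINT"               # 3) disk visible from here
    run rsync -a --delete "$SOURCE_DIR/" "$MOUNT_POINT/" # 4) the backup itself
    run umount "$MOUNT_POINT"                            # 5) invisible to the OS again
    run ip link set "$WAN_IFACE" up                      # 6) back online
    trap - EXIT
    echo "backup finished $(date)"                       # 7) notification hook
}

# Runs only when invoked as "backup_cycle.sh run" (e.g. from crontab), so the
# functions can also be sourced and rehearsed without touching anything.
if [ "${1:-}" = run ]; then backup_cycle; fi
```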