gingerdazza
Expert
Posts: 191
Liked: 14 times
Joined: Jul 23, 2013 9:14 am
Full Name: Dazza

Ransomware Protection - File Screening

Post by gingerdazza »

I just wondered if anyone had ever attempted installing FSRM on their Veeam Repository server (if it's Windows) and enabling File Screening to only allow known Veeam file extensions in order to protect from ransomware?
JamesMcG
Enthusiast
Posts: 39
Liked: 8 times
Joined: Jul 11, 2012 3:39 pm
Full Name: James McGuinness

Re: Ransomware Protection - File Screening

Post by JamesMcG » 1 person likes this post

I did this in a slight rush on Friday afternoon to put my mind at ease over the weekend. I had planned to do so for a while, so I just got it done. So far so good. I used the following, which I found here on the forums. Wish I knew where so I could give credit to the OP!

"I setup File Server Resource Manager (FSRM) on my Veeam copy job top level folder. I followed a different route to other suggestions on this thread and instead of trying to prevent known ransomware extensions on the drive I blocked ALL files and made an exception just for Veeam files. In this way I don't have to continuously update with new file extensions as they become available.
Many ransomware attacks will encrypt the file and change the extension. Changing the extension in this scenario will fail as FSRM will block it.

If you're interested in how I set up FSRM, this is what I did:

Block all files:
.

Exclude the following:
*.vbk
.vbm* (note the trailing *)
*.vib
*.vrb
heartbeat.bin (This may be unique to my environment only)

I am only doing this on Copy jobs but I suspect it will work fine on normal jobs too."
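The allow-list screen James describes, as an added example that is not part of the original post and is not Veeam's or Microsoft's own guidance, written with the FileServerResourceManager PowerShell module that ships with the FSRM role. The repository path D:\VeeamBackups, the relay smtp.example.local and the recipient addresses are assumptions; the extension list is the thread's own, with the two corrections raised further down the thread (*.vbm* and *.bco) already applied.

```powershell
# Added example (not from the thread): "block everything except Veeam files" screen,
# built with the FileServerResourceManager cmdlets that ship with the FSRM role.
# Assumed values: repository root D:\VeeamBackups, relay smtp.example.local,
# recipient backup-admins@example.local. Change them to match your environment.

# 1. Install FSRM (Windows Server 2012 or later). NTFS volumes only: the screen
#    cannot be applied to a ReFS repository, as noted later in the thread.
Install-WindowsFeature -Name FS-Resource-Manager -IncludeManagementTools

# 2. Mail settings, so FSRM can deliver the alerts configured in step 4.
Set-FsrmSetting -SmtpServer 'smtp.example.local' `
                -FromEmailAddress 'fsrm@repo01.example.local' `
                -AdminEmailAddress 'backup-admins@example.local'

# 3. File group: match everything, then exclude what Veeam writes. In an FSRM file
#    group the exclude patterns win over the include patterns, which is what turns
#    a "block all" group into an allow list.
#    *.vbm* (trailing wildcard, as the thread recommends) rather than *.vbm.
#    *.bco is the B&R configuration backup; only needed if it lands on this volume.
#    Add *.tmp only if you see Veeam's own writes being blocked, as one poster did.
$veeamPatterns = @('*.vbk', '*.vib', '*.vrb', '*.vbm*', '*.bco')
New-FsrmFileGroup -Name 'Everything except Veeam backup files' `
                  -IncludePattern @('*.*') `
                  -ExcludePattern $veeamPatterns

# 4. Notifications: e-mail the admin and write an Application-log event. The
#    bracketed tokens are FSRM macros expanded when the screen fires.
$mail = New-FsrmAction -Type Email `
    -MailTo '[Admin Email]' `
    -Subject 'FSRM: blocked write on Veeam repository [Server]' `
    -Body 'User [Source Io Owner] tried to save [Source File Path]. Only Veeam backup files are allowed on this volume.'
$log = New-FsrmAction -Type Event -EventType Warning `
    -Body 'User [Source Io Owner] tried to save [Source File Path], which is not a Veeam backup file.'

# 5. Active screen on the repository root; subfolders inherit it. (Leave -Active off
#    for a passive, log-only dry run before enforcing.)
New-FsrmFileScreen -Path 'D:\VeeamBackups' `
                   -IncludeGroup 'Everything except Veeam backup files' `
                   -Active `
                   -Notification @($mail, $log)

# 6. Verify: the copy below must fail with "access denied"; Veeam's next job must not.
Get-FsrmFileScreen -Path 'D:\VeeamBackups' | Format-List Path, Active, IncludeGroup
Copy-Item -Path "$env:windir\win.ini" -Destination 'D:\VeeamBackups\not-a-backup.txt'
```

Two things to keep in mind: the screen only inspects the file name, so malware that encrypts in place and keeps the original extension (or renames to one on the allow list) is not stopped, which is why the e-mail and event actions matter as much as the block itself; and run the screen in passive mode for a full backup cycle first, so a file name Veeam legitimately writes (the *.tmp case in this thread) shows up in the log rather than as a failed job.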
gingerdazza

Re: Ransomware Protection - File Screening

Post by gingerdazza »

I was going to take the same route as you, block all with a whitelist, as opposed to attempt to block a blacklist.

Veeam Support - would this strategy not be a powerful addition to your recommendations for ransomware mitigation, complete with your official list of required file extensions?
bg.ranken
Expert
Posts: 121
Liked: 21 times
Joined: Feb 18, 2015 8:13 pm
Full Name: Randall Kender

Re: Ransomware Protection - File Screening

Post by bg.ranken »

Would this actually block the ransomware though? Wouldn't it encrypt the file and then try to rename it and just fail at only the renaming?

That being said, I believe your vbm should be *.vbm*

Also you should add *.bco (Veeam B&R configuration backup file) to the exclusions list.
gingerdazza

Re: Ransomware Protection - File Screening

Post by gingerdazza »

According to McAfee, extension blocking seems to prevent the encryption: https://kc.mcafee.com/corporate/index?p ... id=KB89335
"VirusScan Enterprise (VSE) and Endpoint Security (ENS) Access Protection Proactive Measures

NOTE: The VSE and ENS Access Protection rules will prevent creation of the .WNRY file. This rule prevents the encryption routine, which is where one will see encrypted files that contain a .WNCRYT, .WNCRY and/or .WCRY extension. By implementing the block against .WNRY, other blocks are not necessary for the encrypted file types."

At the end of the day it's about layers of protection. No one single defense strategy will suffice for WannaCry or any other future ransomware. I s'pose the question might be, why NOT use file screening?
mickyv
Novice
Posts: 9
Liked: never
Joined: Apr 04, 2017 2:38 am
Full Name: Michael V
Location: Adelaide, Australia

Re: Ransomware Protection - File Screening

Post by mickyv »

Great suggestion with this. I recently did this to all our file servers but found out that only NTFS drives are supported, so I cannot do this on our backup server drive.... Dang
ChrisGundry
Veteran
Posts: 258
Liked: 40 times
Joined: Aug 26, 2015 2:56 pm
Full Name: Chris Gundry

Re: Ransomware Protection - File Screening

Post by ChrisGundry »

I had the same idea and wanted to implement it on our backup servers, then realised that ReFS is not supported for file screening :(

MS's suggestion is to use AppLocker instead, but to me they are two different things and we don't want to use AppLocker for this purpose as it doesn't do what file screening does...
gingerdazza

Re: Ransomware Protection - File Screening

Post by gingerdazza »

If you have enterprise AV such as McAfee's EPO, you can actually setup file blocking rules using AV too https://kc.mcafee.com/corporate/index?p ... cale=en_US
gingerdazza

Re: Ransomware Protection - File Screening

Post by gingerdazza » 1 person likes this post

Veeam Support - what are your thoughts on this file screening?

I really think it's worth adding to your ransomware blog articles and setting out a clear list of required extensions.
remko.de.koning
Enthusiast
Posts: 92
Liked: 18 times
Joined: May 21, 2014 12:15 pm
Full Name: Remko de Koning

Re: Ransomware Protection - File Screening

Post by remko.de.koning » 1 person likes this post

Last year I posted this: veeam-backup-replication-f2/ransomware- ... 35854.html which got some very good feedback and improvements. As soon as we heard about the threat last Friday we added the WannaCry file extensions to get this extra layer of protection updated.

I like this idea even better... A good example of out-of-the-box thinking. Thanks!!!
gingerdazza

Re: Ransomware Protection - File Screening

Post by gingerdazza »

Thanks Remko. I'm glad you see the benefit of the block-all-with-exceptions strategy, as opposed to the block-only-known strategy.
JamesMcG

Re: Ransomware Protection - File Screening

Post by JamesMcG »

bg.ranken wrote:Would this actually block the ransomware though? Wouldn't it encrypt the file and then try to rename it and just fail at only the renaming?

That being said, I believe your vbm should be *.vbm*

Also you should add *.bco (Veeam B&R configuration backup file) to the exclusions list.
Correct, *.vbm* and .bco should be there. In the end I gave in and added *.tmp as well since Windows kept attempting writes with it.
evander
Enthusiast
Posts: 86
Liked: 5 times
Joined: Nov 17, 2011 7:55 am

Re: Ransomware Protection - File Screening

Post by evander »

JamesMcG wrote:I did this in a slight rush Friday afternoon to put my mind at ease over the weekend. I had planned to do so for a while, so I just got it done. So far so good, I used the following I found here on the forums. Wish I knew where so I could give credit to the OP!
You're welcome :D Glad it helped.
evander

Re: Ransomware Protection - File Screening

Post by evander »

JamesMcG wrote:
Correct, *.vbm* and .bco should be there. In the end I gave in and added *.tmp as well since Windows kept attempting writes with it.
Hey James, I send my Veeam configuration backup to another server/repository, which is why I didn't need the .bco extension, but yes, if you do, then you do :)
Also, because my repository is a dedicated volume on a Windows box (i.e. the "D" drive), it doesn't need to write any tmp files to that volume, or at least mine doesn't. Any tmp files will probably be written to the "C" drive instead.
evander

Re: Ransomware Protection - File Screening

Post by evander »

To also add to this, I have set up an alert to email me immediately if something attempts to write to that volume and fails, so not only does this tell me if I have got my config wrong, but it will also hopefully alert me to any possible ransomware attacks, which will hopefully give me time to yank the network from this box, saving my backups while I frantically fight off the baddies on other servers and workstations, safe in the knowledge that I can at least fall back on those backups should the need arise.

PS: I also have an additional backup run for critical boxes to another repository that is left in an air-gapped environment (unplugged, switched off) on a day-to-day basis and only plugged in once a week while backups are run (during this run, the other repository is switched off), so that if all else fails I still have backups at most a week old. You know, because cleverer baddies.
ryan1212
Influencer
Posts: 16
Liked: 6 times
Joined: Feb 26, 2013 3:48 pm
Full Name: Ryan

Re: Ransomware Protection - File Screening

Post by ryan1212 » 1 person likes this post

Something really simple that can be done: disable SMB file sharing on your repositories and/or block the port in Windows Firewall. It is not needed for Veeam to write or restore data, and should block most ransomware. For the few times you might need to move backup files from one repo to another, just whitelist the IP temporarily, and then block it again.
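The "block 445, open it for one host when you must" approach from the post above, as an added example that is not part of the original post and not Veeam's guidance. It assumes a Windows repository server that Veeam writes to through its own data mover rather than an SMB-share repository, and uses 192.0.2.10 (a documentation address) to stand in for the second repository; rule names and addresses are illustrative.

```powershell
# Added example, not from the thread: closing SMB on a Windows repository server and
# opening it for one peer only while backup files are moved. Assumes the repository
# is a Windows server that Veeam writes to through its own data mover (not an
# SMB-share repository) and that the second repository is 192.0.2.10 (a documentation
# address standing in for yours).

# 1. Default-deny inbound on every profile, then disable the built-in rules that
#    open 445/139 to the world.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block
Disable-NetFirewallRule -DisplayGroup 'File and Printer Sharing'

# 2. Explicit block rule as well, so 445 stays shut even if someone re-enables the
#    built-in group later. Windows Firewall evaluates Block before Allow, so a
#    scoped Allow rule cannot punch through this one; it has to be disabled first.
New-NetFirewallRule -DisplayName 'Repo: block SMB inbound' -Direction Inbound `
    -Protocol TCP -LocalPort 445 -Action Block -Profile Any | Out-Null

# 3. Short-lived, single-host exception for a copy between repositories.
function Open-SmbForPeer {
    param([Parameter(Mandatory)][string]$Peer)
    Disable-NetFirewallRule -DisplayName 'Repo: block SMB inbound'
    New-NetFirewallRule -DisplayName "Repo: allow SMB from $Peer" -Direction Inbound `
        -Protocol TCP -LocalPort 445 -RemoteAddress $Peer -Action Allow | Out-Null
}
function Close-SmbForPeer {
    param([Parameter(Mandatory)][string]$Peer)
    Remove-NetFirewallRule -DisplayName "Repo: allow SMB from $Peer"
    Enable-NetFirewallRule -DisplayName 'Repo: block SMB inbound'
}

# 4. Usage: open, copy, close. Do not leave the window open across a job run.
Open-SmbForPeer -Peer '192.0.2.10'
# ... robocopy or Veeam file move from 192.0.2.10 goes here ...
Close-SmbForPeer -Peer '192.0.2.10'

# 5. Verify from another host once the window is closed; TcpTestSucceeded must be False:
#    Test-NetConnection -ComputerName repo01.example.local -Port 445
```

One caveat to plan for: the Veeam backup server reaches the ADMIN$ share over SMB when it installs or updates its transport components on a Windows repository, so expect to open the same window for the backup server's address during upgrades, and to see component-deployment failures in the job log if you forget.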
cbc-tgschultz
Enthusiast
Posts: 65
Liked: 11 times
Joined: May 13, 2016 1:48 pm
Full Name: Tanner Schultz

Re: Ransomware Protection - File Screening

Post by cbc-tgschultz »

Even if WCry does the rename step before the encryption step, that is unlikely to be true for all ransomware variants, and some might not do any renaming at all or continue to process other files even though the rename failed. Make sure you at least enable the email alerting in FSRM so you'll be able to take action as soon as the first attempt fails and hopefully you can prevent it from doing too much damage regardless.

FSRM allows a more aggressive option too. You can have it launch an arbitrary program with arguments when triggered, and you can use this to launch a PowerShell script that actively defends the server by shutting off share access for the offending user account. Here's an example script:

```powershell
# Automatically blocks a user from all shares;
# used by File Screens to help prevent ransomware attacks.
# To undo:
#   Get-SmbShare | Unblock-SmbShareAccess -AccountName <DOMAIN\user> -Confirm:$false
# $Args[0] is the account FSRM passes in as [Source Io Owner] (DOMAIN\user).
Get-SmbShare | Block-SmbShareAccess -AccountName "$($Args[0])" -Confirm:$false
# Drop the user's open SMB sessions so in-flight writes stop immediately.
Get-SmbSession -ClientUserName "$($Args[0])" | Close-SmbSession -Confirm:$false
```
Pass it the argument "[Source Io Owner]" from FSRM.

Another option that doesn't involve FSRM or have a dependence on file extensions is to use a canary. What you do is create an Office document with a name that makes it obvious to your users that they shouldn't touch it and that will appear at the top or early in the file listing (keep in mind that ransomware usually traverses directories depth-first). Enable object auditing on the server for success events. Give the canary an SACL to monitor for success events on create/modification/delete/take ownership/change permissions. Create a scheduled task triggered by "Security" log event ID 4663 with "Microsoft-Windows-Security-Auditing" source, and an action that launches a PowerShell script with the arguments "$(SubjectDomainName)\$(SubjectUserName)" and "$(FileName)". The PowerShell script should check that the user is not a computer object (account name ends in "$"), because the server will log itself as modifying the file before the user account does, and you may also wish to have it check the filename if you have other SACLs set up for other purposes. Have that script run the share-blocking script above with a valid user, and it would also be a good idea to have it send an alert email using "Send-MailMessage".

Note that the share blocking will fail on administrative shares (C$,IPC$,etc).

There are a lot of ways to combat ransomware, and none of them are perfect, so I recommend implementing a whole bunch of them in layers.
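The canary and the FSRM Command action described in the post above, assembled end to end as an added example; this is not the poster's script and not Veeam's or Microsoft's code. The canary path, the script location C:\Tools\Canary.ps1, the relay smtp.example.local, the recipient soc@example.local and the screen path D:\VeeamBackups are assumptions; the scheduled-task XML, the 4663 field names and the Block-SmbShareAccess / Close-SmbSession calls are the ones the post relies on.

```powershell
<#
Added example, not from the thread: the canary file and the share-blocking response
described above, assembled into one script. Save it (assumed path C:\Tools\Canary.ps1),
run it once as an administrator with -Setup, and Task Scheduler calls it back with
-Account and -FileName whenever the canary is touched. Assumed values: canary path,
relay smtp.example.local, recipient soc@example.local, FSRM screen on D:\VeeamBackups.
#>
[CmdletBinding()]
param(
    [switch]$Setup,
    [string]$Account,    # DOMAIN\user from the 4663 event, or [Source Io Owner] from FSRM
    [string]$FileName,   # ObjectName from the 4663 event, or [Source File Path] from FSRM
    [switch]$FromFsrm    # set when FSRM is the caller; skips the canary-path check
)
$Canary = 'D:\Shares\Finance\!DO-NOT-OPEN-README.docx'   # sorts first; name warns humans off
$MailTo = 'soc@example.local'; $MailFrom = "canary@$env:COMPUTERNAME"; $Smtp = 'smtp.example.local'

if ($Setup) {
    Set-Content -Path $Canary -Value 'Canary file. Do not open, edit or delete.'
    # 4663 is only generated when File System object-access auditing is on.
    auditpol.exe /set /subcategory:"File System" /success:enable /failure:enable
    # SACL: audit successful write/delete/take-ownership/permission changes by anyone.
    $acl    = Get-Acl -Path $Canary -Audit
    $rights = [System.Security.AccessControl.FileSystemRights]'Write, Delete, TakeOwnership, ChangePermissions'
    $acl.AddAuditRule((New-Object System.Security.AccessControl.FileSystemAuditRule('Everyone', $rights, 'Success')))
    Set-Acl -Path $Canary -AclObject $acl
    # Event-triggered task. Single-quoted here-string: the $(...) tokens are Task
    # Scheduler ValueQueries resolved from the event, not PowerShell subexpressions.
    $taskXml = @'
<Task version="1.3" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><EventTrigger>
    <Subscription>&lt;QueryList&gt;&lt;Query Id="0" Path="Security"&gt;&lt;Select Path="Security"&gt;*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and EventID=4663]]&lt;/Select&gt;&lt;/Query&gt;&lt;/QueryList&gt;</Subscription>
    <ValueQueries>
      <Value name="SubjectDomainName">Event/EventData/Data[@Name='SubjectDomainName']</Value>
      <Value name="SubjectUserName">Event/EventData/Data[@Name='SubjectUserName']</Value>
      <Value name="FileName">Event/EventData/Data[@Name='ObjectName']</Value>
    </ValueQueries>
  </EventTrigger></Triggers>
  <Principals><Principal><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions><Exec>
    <Command>powershell.exe</Command>
    <Arguments>-NoProfile -ExecutionPolicy Bypass -File "__SCRIPT__" -Account "$(SubjectDomainName)\$(SubjectUserName)" -FileName "$(FileName)"</Arguments>
  </Exec></Actions>
</Task>
'@
    $taskXml = $taskXml -replace '__SCRIPT__', $PSCommandPath
    Register-ScheduledTask -TaskName 'Canary-Respond' -Xml $taskXml -Force | Out-Null
    # Optional: wire the same responder to an existing FSRM screen as a Command action,
    # so a blocked extension cuts the user off just like a touched canary does.
    $fsrmCmd = New-FsrmAction -Type Command -SecurityLevel LocalSystem `
        -Command "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe" `
        -CommandParameters "-NoProfile -ExecutionPolicy Bypass -File `"$PSCommandPath`" -FromFsrm -Account `"[Source Io Owner]`" -FileName `"[Source File Path]`""
    $screen = Get-FsrmFileScreen -Path 'D:\VeeamBackups' -ErrorAction SilentlyContinue
    if ($screen) { Set-FsrmFileScreen -Path $screen.Path -Notification (@($screen.Notification) + $fsrmCmd) }
    return
}

# ---- Response path (called by the scheduled task or by FSRM) ----------------------
# The server's own computer account (name ending in $) logs a 4663 on the canary
# before the human does; ignore it. Ignore events for other audited files too.
if (-not $Account -or $Account.EndsWith('$')) { return }
if (-not $FromFsrm -and $FileName -ne $Canary) { return }

# Deny the account on every non-administrative share (blocking C$, IPC$ etc. fails),
# then drop its open sessions so in-flight writes stop now, not at the next open.
Get-SmbShare | Where-Object { -not $_.Special } |
    Block-SmbShareAccess -AccountName $Account -Confirm:$false
Get-SmbSession -ClientUserName $Account -ErrorAction SilentlyContinue |
    Close-SmbSession -Confirm:$false

Send-MailMessage -SmtpServer $Smtp -From $MailFrom -To $MailTo `
    -Subject "Ransomware canary: $Account blocked on $env:COMPUTERNAME" `
    -Body "$Account touched $FileName at $(Get-Date -Format o). Account denied on all shares; sessions closed. To undo: Get-SmbShare | Unblock-SmbShareAccess -AccountName '$Account' -Confirm:`$false"
```

Test it the way the attacker would trigger it: from a workstation, as an ordinary domain user, open the canary over the share and save it, then confirm the task fired (Task Scheduler history), the user's sessions are gone (Get-SmbSession on the server) and the mail arrived. Expect several 4663 events per save, so the responder runs more than once; both cmdlets are idempotent, so that is harmless. The unblock command is in the alert mail on purpose, because the first real trigger is usually a colleague who ignored the file name.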