Feature Request: Cryptolocker tell-tale

Backup agent for Microsoft Windows servers and workstations (formerly Veeam Endpoint Backup FREE)

by JamesBayley » Mon Apr 25, 2016 9:49 am

My goal is to protect my Veeam Backup repository on my Linux NAS from Cryptolocker.

My concern (addressed in another thread) is that opening a backup connection might allow the virus access to the repository.

This feature request is to not open a connection to the backup repository if an infection is suspected.

Suitable tell-tales include:

* Incremental backup changes by >50%
* 10 or more Microsoft Office documents reduce in size (assuming encryption reduces file size)

Re: Feature Request: Cryptolocker tell-tale

by PTide » Mon Apr 25, 2016 12:01 pm

Hi,

> This feature request is to not open a connection to the backup repository if an infection is suspected.

Sounds like a good idea, indeed. However, the infection indicators that you've mentioned do not seem reliable yet:

> * Incremental backup changes by >50%

A large Windows Update, or deduplication, or defragmentation would make you manually approve each backup session even if there was no infection.

> * 10 or more Microsoft Office documents reduce in size (assuming encryption reduces file size)

AFAIK the encrypted text will be larger than the original one in 99.9% of cases (assuming that the malware is really intended to get some ransom). We need to do some research to develop a reliable list of indicators in order to avoid false positives.

Anyway, thanks for the heads-up!
PTide
Veeam Software
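
The two tell-tales proposed in the first post, run against the two objections raised in the reply, as an added example (not Veeam code and not written by either poster). The manifests, function names and the use of file size as a stand-in for "changed data" are assumptions made for illustration.

```python
# Added illustration: evaluates the two tell-tales proposed in the thread over
# file manifests ({path: size_in_bytes}) taken at the previous and current backup.
# Manifests and all names here are constructed; a size difference stands in for "changed".

OFFICE_EXT = (".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx")
CHANGE_RATIO_LIMIT = 0.50   # "Incremental backup changes by >50%"
SHRUNK_DOCS_LIMIT = 10      # "10 or more Microsoft Office documents reduce in size"


def changed_ratio(prev, curr):
    """Fraction of current bytes in files that are new or differ in size."""
    total = sum(curr.values())
    changed = sum(size for path, size in curr.items() if prev.get(path) != size)
    return changed / total if total else 0.0


def shrunk_office_docs(prev, curr):
    """Count Office documents whose size went down between the two manifests."""
    return sum(
        1 for path, size in curr.items()
        if path.lower().endswith(OFFICE_EXT) and path in prev and size < prev[path]
    )


def tell_tales(prev, curr):
    """Return the names of the proposed indicators that fire."""
    fired = []
    if changed_ratio(prev, curr) > CHANGE_RATIO_LIMIT:
        fired.append("change-ratio")
    if shrunk_office_docs(prev, curr) >= SHRUNK_DOCS_LIMIT:
        fired.append("shrunk-office-docs")
    return fired


# Constructed baseline: 12 Office documents plus 4 system files.
docs = {f"C:/Users/a/doc{i}.docx": 40_000 for i in range(12)}
system = {f"C:/Windows/sys{i}.dll": 500_000 for i in range(4)}
baseline = {**docs, **system}

# Case 1 (reply's objection): a large update rewrites system files, no infection.
after_update = {**docs, **{p: s + 80_000 for p, s in system.items()}}

# Case 2 (reply's objection): documents are encrypted and padded, so they grow.
after_encrypt = {**{p: s + 256 for p, s in docs.items()}, **system}

if __name__ == "__main__":
    print("update:    ", tell_tales(baseline, after_update))
    print("encryption:", tell_tales(baseline, after_encrypt))
```

On this constructed data the clean update trips the change-ratio rule while the encrypted documents trip neither rule, which is the false-positive and missed-detection pattern the reply describes.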
 