Feature Request: FTP destination to avoid Cryptolocker

[JamesBayley]

I am trying to implement a solution that protects me against Cryptolocker.

Although the most recent version of Veeam Endpoint Backup has the ability to eject usb devices this does not help when using an SMB backup target (a NAS in my case). I am concerned that a Cyptolocker infection would use the access I have granted to Veeam Endpoint Back to get to my repository and encrypt it all.

It seems to me that the best protection would be for Veeam EndPoint Backup to support FTP. As I understand it this would provide good protection against current Crytolocker infections. Other users have also noted how useful this would be for road warriors.

[Gostev]

Simply put, FTP support is currently impossible due to the forever incremental nature of our backup.

[JamesBayley]

Resolved - cannot implement by design
Closed.

[Shambler]

Using the Free edition, I want to be able to do an endpoint backup over the LAN to a local server, but I don't want to use window file sharing (SMB) - due to the severe vulnerabilities in SMB that have been discovered since WannaCry.

I want to completely disable SMB on the server, and lock down all ports on the server - but this means the free edition of Veeam won't work for me - could FTP support be added instead, please?

Are there other (free) methods of performing this backup over a network, that are suitable here?

[Vitaliy S.]

Please review this topic for further info regarding cryptolocker protection > endpoint cryptolocker protection - veeam repository

[Shambler]

The problem with the thread you link, is that the advice given for cryptolocker protection is wrong:
If SMB is enabled at all, that alone is a cryptolocker risk - you don't even need a valid user account to spread a cryptolocker on SMB, all you need is for the port to be open.

Veeam should not be relying on SMB functionality for backups at all, as we can not trust that SMB is secure, even in up to date Windows installs (recent events show it is riddled with security vulnerabilities).


Is there any non-SMB solution for the free version of Veeam? (it does not have to be FTP, that was just a suggestion)

[Vitaliy S.]

Understood. There are no other options apart from what you see: share, Veeam backup repository, Veeam Cloud provider (paid option), but thanks for the FR.

[chaycock]

Could he not use VBR 9.5 and back up to the repository. I believe the backing up to VBR uses a proprietary (non SMB) protocol, correct? He would have to apply for an NFR license for VBR I believe.

[Dima P.]

Is there any non-SMB solution for the free version of Veeam?

Theoretically, you can mount anything to the file system as a symlink and use it as a local backup destination in backup job. By the time job is completed you can run unmount script to hide the location from the OS.

[Shambler]

The problem though, is that having Windows file share on at all - in any way whatsoever - exposes the SMB port numbers, making the system vulnerable even if you hide the file shares after the backup is done.

In any case, it looks like it's not possible to make this work safely, in the free version of Veeam - which is a pity.