Feature Request: FTP destination to avoid Cryptolocker

Backup agent for Microsoft Windows servers and workstations (formerly Veeam Endpoint Backup FREE)

Feature Request: FTP destination to avoid Cryptolocker

Veeam Logoby JamesBayley » Fri Apr 22, 2016 3:17 pm

I am trying to implement a solution that protects me against Cryptolocker.

Although the most recent version of Veeam Endpoint Backup has the ability to eject usb devices this does not help when using an SMB backup target (a NAS in my case). I am concerned that a Cyptolocker infection would use the access I have granted to Veeam Endpoint Back to get to my repository and encrypt it all.

It seems to me that the best protection would be for Veeam EndPoint Backup to support FTP. As I understand it this would provide good protection against current Crytolocker infections. Other users have also noted how useful this would be for road warriors.
JamesBayley
Novice
 
Posts: 5
Liked: 1 time
Joined: Fri Apr 22, 2016 3:04 pm
Full Name: James Bayley

Re: Feature Request: FTP destination to avoid Crytolocker

Veeam Logoby Gostev » Fri Apr 22, 2016 8:25 pm

Simply put, FTP support is currently impossible due to the forever incremental nature of our backup.
Gostev
Veeam Software
 
Posts: 21253
Liked: 2317 times
Joined: Sun Jan 01, 2006 1:01 am
Full Name: Anton Gostev

Re: Feature Request: FTP destination to avoid Crytolocker

Veeam Logoby JamesBayley » Mon Apr 25, 2016 9:24 am

Resolved - cannot implement by design
Closed.
JamesBayley
Novice
 
Posts: 5
Liked: 1 time
Joined: Fri Apr 22, 2016 3:04 pm
Full Name: James Bayley

[MERGED] Feature Request: Backup over FTP or similar

Veeam Logoby Shambler » Mon Jun 19, 2017 1:47 pm

Using the Free edition, I want to be able to do an endpoint backup over the LAN to a local server, but I don't want to use window file sharing (SMB) - due to the severe vulnerabilities in SMB that have been discovered since WannaCry.

I want to completely disable SMB on the server, and lock down all ports on the server - but this means the free edition of Veeam won't work for me - could FTP support be added instead, please?

Are there other (free) methods of performing this backup over a network, that are suitable here?
Shambler
Novice
 
Posts: 3
Liked: never
Joined: Mon Jun 19, 2017 12:00 pm

Re: Feature Request: FTP destination to avoid Cryptolocker

Veeam Logoby Vitaliy S. » Mon Jun 19, 2017 2:12 pm

Please review this topic for further info regarding cryptolocker protection > endpoint cryptolocker protection - veeam repository
Vitaliy S.
Veeam Software
 
Posts: 19395
Liked: 1089 times
Joined: Mon Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov

Re: Feature Request: FTP destination to avoid Cryptolocker

Veeam Logoby Shambler » Mon Jun 19, 2017 2:33 pm

The problem with the thread you link, is that the advice given for cryptolocker protection is wrong:
If SMB is enabled at all, that alone is a cryptolocker risk - you don't even need a valid user account to spread a cryptolocker on SMB, all you need is for the port to be open.

Veeam should not be relying on SMB functionality for backups at all, as we can not trust that SMB is secure, even in up to date Windows installs (recent events show it is riddled with security vulnerabilities).


Is there any non-SMB solution for the free version of Veeam? (it does not have to be FTP, that was just a suggestion)
Shambler
Novice
 
Posts: 3
Liked: never
Joined: Mon Jun 19, 2017 12:00 pm

Re: Feature Request: FTP destination to avoid Cryptolocker

Veeam Logoby Vitaliy S. » Mon Jun 19, 2017 3:49 pm

Understood. There are no other options apart from what you see: share, Veeam backup repository, Veeam Cloud provider (paid option), but thanks for the FR.
Vitaliy S.
Veeam Software
 
Posts: 19395
Liked: 1089 times
Joined: Mon Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov

Re: Feature Request: FTP destination to avoid Cryptolocker

Veeam Logoby chaycock » Mon Jun 19, 2017 5:08 pm

Could he not use VBR 9.5 and back up to the repository. I believe the backing up to VBR uses a proprietary (non SMB) protocol, correct? He would have to apply for an NFR license for VBR I believe.
chaycock
Enthusiast
 
Posts: 51
Liked: 7 times
Joined: Fri Jul 15, 2016 4:51 pm
Full Name: Carlton Haycock

Re: Feature Request: FTP destination to avoid Cryptolocker

Veeam Logoby Dima P. » Wed Jun 21, 2017 9:36 pm

Is there any non-SMB solution for the free version of Veeam?

Theoretically, you can mount anything to the file system as a symlink and use it as a local backup destination in backup job. By the time job is completed you can run unmount script to hide the location from the OS.
Dima P.
Veeam Software
 
Posts: 5953
Liked: 421 times
Joined: Mon Feb 04, 2013 2:07 pm
Location: SPb
Full Name: Dmitry Popov

Re: Feature Request: FTP destination to avoid Cryptolocker

Veeam Logoby Shambler » Sun Jun 25, 2017 10:10 pm

The problem though, is that having Windows file share on at all - in any way whatsoever - exposes the SMB port numbers, making the system vulnerable even if you hide the file shares after the backup is done.

In any case, it looks like it's not possible to make this work safely, in the free version of Veeam - which is a pity.
Shambler
Novice
 
Posts: 3
Liked: never
Joined: Mon Jun 19, 2017 12:00 pm


Return to Veeam Agent for Windows



Who is online

Users browsing this forum: No registered users and 8 guests