Sharing integrity used by the VEB

[tacioandrade]

Good night, I use Veeam Endpoint Backup to backup some desktops with Samba sharing, but I came up with a possible problem with ransomwares attacks.
When creating the backup job in VEB I always put a user created for backup only, but my question is whether during a backup job, while the share is accessed by Veeam, if the computer is infected with ransomware there is the possibility of all backup Be compromised?
For a file server I usually use Bacula or Syncovery because they pull the data, preventing a virus on the server from destroying the stored data, but since the Veeam Agent and Endpoint uses Samba or NFS, I was left with that doubt.

Sincerely, Tácio Andrade.

[Vitaliy S.]

Hi Tácio,

You can try to follow Dima's recommendation in this thread to address the cryptolocker issue > endpoint cryptolocker protection - veeam repository

Thanks!

[Dima P.]

Hi tacioandrade,

When creating the backup job in VEB I always put a user created for backup only, but my question is whether during a backup job, while the share is accessed by Veeam, if the computer is infected with ransomware there is the possibility of all backup Be compromised?

I have not heard about a ransomware smart enough to parse the configuration from applications, so if you can’t access the backup destination from machine via regular windows browser, you are good to go.

[tacioandrade]

My doubt is that I have seen some ransomwares that could spread through samba shares not mounted directly as a unit but rather scouring the network.

If the VEB accesses the share so that the entire system and not only the application can read and write, ransomware can completely corrupt the backup.

You can try to follow Dima's recommendation in this thread to address the cryptolocker issue > endpoint cryptolocker protection - veeam repository

Thank you very much I will read on this topic and hopefully I have some idea how to solve the problem from it.


Sincerely, Tácio Andrade.

[tacioandrade]

I just read the post and from what I was reading it was focused on VBR and not Samba sharing. But this has given me hope that my policy will be functional, at least for now.

I will try to mount a lab later to test directory access while the backup is being done and see if it is possible or not.

Sincerely, Tácio Andrade.

[tacioandrade]

Good afternoon, I tested with Veeam Endpoint Backup and Veeam Agent for Linux Beta and I have some information to share.

In VEB when backing up Veeam does not keep the share via samba share, at least not for the computer user, so much that during the running backup I tried in several ways to access the linux server running Samba and to no avail.

However in the Veeam Agent for Linux it is different, to run the service, either via NFS or via CIFS it mounts direct sharing in the operating system, which can be a problem.

At least Windows against the ransomwares I believe that the Veeam Endpoint Backup + linux Server or NAS with access to only 1 user is a good option.

[PTide]

Hi,

However in the Veeam Agent for Linux it is different, to run the service, either via NFS or via CIFS it mounts direct sharing in the operating system, which can be a problem.

The directory where Veeam Agent for Linux mounts shared folder has root set as an owner and write permissions are set for owner only so during the backup seesion no one except root is allowed to write into that directory.

Thanks

[tacioandrade]

True, I checked that too, but if an ransomware attacked the Linux server and was able to scale the permissions it could encrypt the files.

But from what I know of Linux there would be no other way to send the files via samba or NFS without mounting as a directory in the operating system.

I still believe in the security of the Veeam Agent, but on Linux I would think of creating 2 distinct jobs, each saving on a samba share with different username and password.


Sincerely, Tácio Andrade.

[PTide]

True, I checked that too, but if an ransomware attacked the Linux server and was able to scale the permissions it could encrypt the files.

Even with root permissions a ransomware needs to know share parameters (UNC and credentials) in order to mount the share. If you have some ideas of where it could possibly get it from please share them and we'll make sure to have the loophole covered.

Thanks

[tacioandrade]

Actually, my fear would not be to get it, because I know you guys do a great job on the information storage part, my fear is during the backup job, while the veeam works to access and encrypt the data.

I know I'm being a little manic for security, but I've had friends who've lost almost everything on ramsonware and so I'm in this way.