- Expert
- Posts: 246
- Liked: 15 times
- Joined: Jul 25, 2018 4:12 pm
- Full Name: Poweruser
Feature request: Ransomware protector
If you really want to be safe, you need to set up a NAS/file server which has write/append only, but not overwrite/delete.
This has to be off domain, fully updated and 0-day exploit/backdoor free ;-).
Now let's imagine Veeam would provide a service called: backup dumper/rotator.
I think this should be a small service, which runs on this NAS/file server.
Also on Synology disk stations etc.
This service has a simple configuration telling it to delete all files older than n days, or delete all older files until at least 15% (for example) disk space is free.
Doing so will protect you.
You can do this by scripting, or hope that Veeam wants to satisfy customers.
So if a crypting trojan wants to encrypt, it can't encrypt, and you can always go back n days or % space.
Anyway, let's consider that it must also make sure that it does not count data which was written in a short period if % deletion is used. Otherwise the malware could abuse this.
So a day filter is much better.
- Chief Product Officer
- Posts: 31814
- Liked: 7302 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
Re: Feature request: Ransomware protector
What would stop the hacker from deleting the backup files using native OS capabilities for file management? You can't really block `rm` if you have root access.
- Expert
- Posts: 246
- Liked: 15 times
- Joined: Jul 25, 2018 4:12 pm
- Full Name: Poweruser
Re: Feature request: Ransomware protector
The backup software will NEVER get root. Nor will anyone else get root on this repository.
Just write/append.
Like a share where you can write to, but not delete.
Deletion is done by the service worker, which runs independently on the repository.
- Chief Product Officer
- Posts: 31814
- Liked: 7302 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
Re: Feature request: Ransomware protector
Sure, backup software will never get root, and maybe not anyone else in your organization... but the hacker always will - if not by stealing the actual credentials, then via some escalation of privileges attack.
And how can you modify an operating system to restrict the ability to delete files? Even if you manage to do this somehow, things will break very quickly due to the disk being overfilled with temporary files, logs etc. Besides, keep in mind that your "service worker" still needs the ability to delete files using the corresponding OS commands, otherwise it won't be able to delete backup files itself.
- Expert
- Posts: 246
- Liked: 15 times
- Joined: Jul 25, 2018 4:12 pm
- Full Name: Poweruser
Re: Feature request: Ransomware protector
Yes, you can't be 100% sure, but it would be very sure!
As safe as your e-mail server. Yes, I can get access to it, but it would be very hard to get access to your mailbox.
But it's easy for me to send you files into your mailbox, which I can never ever delete again from your mailbox if you don't do it.
It's the same!
- Chief Product Officer
- Posts: 31814
- Liked: 7302 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
Re: Feature request: Ransomware protector
Actually, there's zero problem accessing any mailbox once you got access to the email server. You just unmount the mailbox store and open it with one of many existing tools.
So I agree, it's the same as with your original idea, which likewise wouldn't provide any actual protection for backup files due to being easy to bypass completely.
- Expert
- Posts: 246
- Liked: 15 times
- Joined: Jul 25, 2018 4:12 pm
- Full Name: Poweruser
Re: Feature request: Ransomware protector
If I set up a standalone host in my network which has a Windows share where I can write new files only, and not delete/append existing files,
it is impossible (if no backdoors, vulns or misconfigs, etc.) to get inside and delete the data.
It's like you drop your key into the safe at your car service station.
Once dropped in, you need to crack/hack the safe. Considering it's a good safe, it is very hard to break.
So it can be considered as very safe for ransomware, because ransomware is more stupid than a hacker, and a hacker would have hard work to break this machine.
So my "special service", which could just be a simple shell script, would check for files older than 14 days and delete them.
That's it.
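To make the rotation idea from the first post and the "files older than 14 days" script above concrete, here is an added example of such a local pruner. It is not the poster's script and not Veeam code. It assumes the pruner runs on the repository host under a local account that has delete rights, while the share offered to the backup server only permits creating new files. It implements both variants discussed in the thread, the day filter and the free-space variant, and the free-space variant has the `min_age_days` guard the first post asks for, so that a burst of freshly written data is not counted and cannot push old backups out. The repository, its file names, ages and sizes are all constructed for the demo.

```python
"""
Local backup rotation for a write-only repository (added example, not
Veeam's or the poster's code). Assumes the rotation runs on the repository
host itself with delete rights; the share used by the backup server has
none. All file names, ages and sizes below are constructed demo values.
"""
import os
import tempfile
import time
from pathlib import Path

DAY = 86400


def backup_files(repo):
    # Only regular files directly in the repository; no recursion, so a
    # directory tree planted by a writer cannot steer the pruner.
    return [p for p in Path(repo).iterdir() if p.is_file()]


def prune_by_age(repo, keep_days, now=None):
    """Day filter: delete every file older than keep_days. Returns the
    deleted names, sorted. Uses mtime so the demo can age files with
    os.utime; on a Linux repository prefer st_ctime, which a share client
    cannot backdate when it creates a file."""
    now = time.time() if now is None else now
    cutoff = now - keep_days * DAY
    deleted = []
    for p in backup_files(repo):
        if p.stat().st_mtime < cutoff:
            p.unlink()
            deleted.append(p.name)
    return sorted(deleted)


def prune_for_free_space(repo, capacity_bytes, target_free_pct, now=None,
                         min_age_days=0):
    """Free-space filter: delete oldest files until the counted data leaves
    target_free_pct of capacity free. Files younger than min_age_days are
    neither counted nor deleted, which is the guard the thread asks for:
    without it, a flood of fresh junk forces the oldest backups out first."""
    now = time.time() if now is None else now
    young_cutoff = now - min_age_days * DAY
    counted = [p for p in backup_files(repo)
               if p.stat().st_mtime <= young_cutoff]
    counted.sort(key=lambda p: p.stat().st_mtime)        # oldest first
    used = sum(p.stat().st_size for p in counted)
    allowed = capacity_bytes * (1 - target_free_pct / 100)
    deleted = []
    while counted and used > allowed:
        victim = counted.pop(0)
        used -= victim.stat().st_size
        victim.unlink()
        deleted.append(victim.name)
    return deleted


def build_demo_repo(now):
    """Constructed sample repository: six daily backups of 100 bytes at
    various ages, plus five 300-byte junk files written an hour ago
    (the flood scenario from the thread)."""
    repo = tempfile.mkdtemp(prefix="repo-")
    for age in (1, 3, 7, 13, 20, 30):
        p = Path(repo, f"backup-age{age}d.bin")
        p.write_bytes(b"\0" * 100)
        os.utime(p, (now - age * DAY, now - age * DAY))
    for i in range(5):
        p = Path(repo, f"junk-{i}.bin")
        p.write_bytes(b"\0" * 300)
        os.utime(p, (now - 3600, now - 3600))
    return repo


if __name__ == "__main__":
    now = 1_700_000_000  # fixed integer "now" so ages are exact
    print("day filter (14 days):", prune_by_age(build_demo_repo(now), 14, now))
    print("free space, no guard:",
          prune_for_free_space(build_demo_repo(now), 1000, 15, now))
    print("free space, 1-day guard:",
          prune_for_free_space(build_demo_repo(now), 1000, 15, now, 1))
```

With a 1000-byte capacity and a 15% free-space target, the unguarded variant deletes all six backups before it touches any of the junk, because the junk is the newest data on the disk; with `min_age_days=1` the junk is simply not counted and nothing is deleted. That is the behaviour the first post warns about, and it is why the day filter is the safer default. The counter-point raised in the thread still holds: the pruner itself needs delete rights, so it must run as a separate local account on the repository host and never be reachable through the share.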