Comprehensive data protection for all workloads
Poweruser
Expert
Posts: 189
Liked: 7 times
Joined: Jul 25, 2018 4:12 pm
Full Name: Poweruser

Feature request: Ransomware protector

Post by Poweruser » Jul 30, 2018 11:59 am

If you really want to be safe, you need to set up a NAS/fileserver which has write/append only but not overwrite/delete.
This has to be off domain, fully updated and 0-day exploit/backdoor free ;-).

Now let's imagine Veeam would provide a service called: backup dumper/rotator.
I think this should be a small service, which runs on this NAS/fileserver,
also on Synology DiskStations etc.

This service has a simple configuration telling it to delete all files older than n days, or delete all older files until at least 15% (for example) disk space is free.
Doing so will protect you.
You can do this by scripting or hope that Veeam wants to satisfy customers.

So if a crypting trojan wants to crypt, it can't crypt, and you can always go back n days or % space.
Anyway, let's consider that it must also make sure that it does not count data which was written in a short period if % deletion is used. Otherwise the malware could abuse this.
So a day filter is much better.

Gostev
SVP, Product Management
Posts: 24612
Liked: 3458 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland

Re: Feature request: Ransomware protector

Post by Gostev » Jul 30, 2018 12:08 pm

What would stop the hacker from deleting the backup files using native OS capabilities for file management? You can't really block rm if you have root access.

Poweruser
Expert
Posts: 189
Liked: 7 times
Joined: Jul 25, 2018 4:12 pm
Full Name: Poweruser

Re: Feature request: Ransomware protector

Post by Poweruser » Jul 31, 2018 12:35 am

The backup software will NEVER get root. Nor will anyone else get root on this repository.
Just write/append.

Like a share where you can write to but not delete.
Deletion is done by the service worker which runs independently on the repository.

Gostev
SVP, Product Management
Posts: 24612
Liked: 3458 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland

Re: Feature request: Ransomware protector

Post by Gostev » Jul 31, 2018 11:47 am

Sure, backup software will never get root, and maybe not anyone else in your organization... but the hacker always will - if not by stealing the actual credentials, then via some escalation of privileges attack.

And how can you modify an operating system to restrict the ability to delete files? Even if you manage to do this somehow, things will break very quickly due to disk being overfilled with temporary files, logs etc. Besides, keep in mind that your "service worker" still needs the ability to delete files using the corresponding OS commands, otherwise it won't be able to delete backup files itself :D

Poweruser
Expert
Posts: 189
Liked: 7 times
Joined: Jul 25, 2018 4:12 pm
Full Name: Poweruser

Re: Feature request: Ransomware protector

Post by Poweruser » Jul 31, 2018 10:16 pm

Yes, you can't be 100% sure, but it would be very sure!
As safe as your e-mail server. Yes, I can get access to it, but it would be very hard to get access to your mailbox.
But it's easy for me to send you files into your mailbox which I can never ever delete again from your mailbox if you don't do it.

It's the same!

Gostev
SVP, Product Management
Posts: 24612
Liked: 3458 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland

Re: Feature request: Ransomware protector

Post by Gostev » Aug 01, 2018 12:23 am

Actually, there's zero problem accessing any mailbox once you got access to the email server. You just unmount the mailbox store and open it with one of many existing tools.

So I agree, it's the same as with your original idea, which likewise wouldn't provide any actual protection for backup files due to being easy to bypass completely.

Poweruser
Expert
Posts: 189
Liked: 7 times
Joined: Jul 25, 2018 4:12 pm
Full Name: Poweruser

Re: Feature request: Ransomware protector

Post by Poweruser » Aug 01, 2018 10:14 pm

If I set up a standalone host in my network which has a Windows share where I can write new files only and not delete/append existing files,
it is impossible (if no backdoors, vulns or misconfigs, etc.) to get inside and delete the data.
It's like you drop your key into the safe at your car service station.
Once dropped in, you need to crack/hack the safe. Considering it's a good safe, it is very hard to break.
So it can be considered as very safe for ransomware because ransomware is more stupid than a hacker, and a hacker would have hard work to break this machine.

So my "special service", which could just be a simple shell script, would check for files older than 14 days and delete them.
That's it.
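The "simple shell script" described in the post above, combined with the day-filter point from the first post, as an added example that is not code from the thread or from Veeam. It assumes a POSIX shell with find(1), a repository path REPO and a retention period KEEP_DAYS (both assumed names), and that the script runs under a separate privileged account while the backup writer only has create/append rights on the share.

```shell
#!/bin/sh
# Added example (not from the thread): a day-filter retention worker for an
# append-only backup repository. Assumed names: REPO, KEEP_DAYS.
# Only this worker can delete; the backup writer (and anything running with
# its credentials) can create and append but never delete or overwrite.

# prune_old_backups REPO KEEP_DAYS
# Removes regular files under REPO whose age, rounded down to whole days,
# is greater than KEEP_DAYS. Anything younger is never touched, regardless
# of how full the disk is: that is the "day filter" preferred in the thread,
# because a burst of freshly written data cannot push older backups out the
# way a free-space trigger could.
prune_old_backups() {
    repo=$1
    keep_days=$2
    [ -d "$repo" ] || { echo "no such repository: $repo" >&2; return 1; }
    case $keep_days in
        ''|*[!0-9]*) echo "KEEP_DAYS must be a non-negative integer" >&2; return 1 ;;
    esac
    # -exec rm -f {} + is used instead of -delete to stay POSIX-portable.
    find "$repo" -type f -mtime +"$keep_days" -exec rm -f {} +
}

# count_backups REPO
# Number of regular files currently in the repository (for before/after logging).
count_backups() {
    find "$1" -type f | wc -l | tr -d ' '
}

# free_space_percent REPO
# Free space on the filesystem holding REPO, as an integer percentage.
# Logged only; it deliberately does not drive deletion.
free_space_percent() {
    used=$(df -P "$1" | awk 'NR==2 { sub("%", "", $5); print $5 }')
    echo $((100 - used))
}

# Example invocation, e.g. from cron on the repository host:
#   prune_old_backups /srv/backups 14
```

Run it from a scheduler on the repository host under the worker account; the backup share itself should grant that account, and nobody else, delete rights.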
