Ransomware Protection - File Screening

by gingerdazza » Tue May 16, 2017 3:43 pm

I just wondered if anyone had even attempted installing FSRM on their Veeam Repository server (if it's Windows) and enabling File Screening to only allow known Veeam file extensions in order to protect from ransomware?

Re: Ransomware Protection - File Screening

by JamesMcG » Tue May 16, 2017 7:03 pm

I did this in a slight rush Friday afternoon to put my mind at ease over the weekend. I had planned to do so for a while, so I just got it done. So far so good, I used the following I found here on the forums. Wish I knew where so I could give credit to the OP!

"I setup File Server Resource Manager (FSRM) on my Veeam copy job top level folder. I followed a different route to other suggestions on this thread and instead of trying to prevent known ransomware extensions on the drive I blocked ALL files and made an exception just for Veeam files. In this way I don't have to continuously update with new file extensions as they become available.
Many ransomware attacks will encrypt the file and change the extension. Changing the extension in this scenario will fail as FSRM will block it.

If you're interested in how I set up FSRM, this is what I did:

Block all files:
.

Exclude the following:
*.vbk
.vbm* (note the trailing *)
*.vib
*.vrb
heartbeat.bin (This may be unique to my environment only)

I am only doing this on Copy jobs but I suspect it will work fine on normal jobs too."
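
The whitelist screen described in the quoted post, built with the FSRM PowerShell cmdlets instead of the GUI. This is an added example by the editor, not code from the forum posters or from Veeam; the repository path `D:\Backups`, the file group name and the decision to include `heartbeat.bin` are assumptions, and the extension list is the one this thread arrived at (`*.vbk`, `*.vib`, `*.vrb`, `*.vbm*`, `*.bco`), so check it against Veeam's documentation for your version. Two caveats worth stating up front: FSRM screens NTFS volumes only (ReFS repositories cannot use it, as later posts note), and a file screen keys on the file name, not its content, so it stops ransomware that writes or renames to a new extension but not a variant that overwrites a `.vbk` in place; treat it as one layer plus an early alarm, not as the backup's only protection.

```powershell
# Added example (editor's own, not from the forum posts or Veeam):
# "block everything except Veeam files" FSRM screen for a Windows repository.
# Assumptions: Windows Server 2012 R2 or later, run as administrator,
# repository root D:\Backups (hypothetical path on a dedicated NTFS volume).

$RepoPath = 'D:\Backups'   # assumption: repository root

# FSRM only screens NTFS; bail out early on ReFS (the failure two posters hit).
$vol = Get-Volume -DriveLetter $RepoPath.Substring(0, 1)
if ($vol.FileSystem -ne 'NTFS') {
    throw "FSRM file screening requires NTFS; $($vol.DriveLetter): is $($vol.FileSystem)"
}

# Install the FSRM role service and its cmdlets if they are not present yet.
if (-not (Get-WindowsFeature FS-Resource-Manager).Installed) {
    Install-WindowsFeature FS-Resource-Manager -IncludeManagementTools | Out-Null
}
Import-Module FileServerResourceManager

# File group: IncludePattern '*' matches every file name; ExcludePattern lists
# the names that are NOT part of the group and therefore pass the screen.
$allowed = @(
    '*.vbk',          # full backup
    '*.vib',          # forward incremental
    '*.vrb',          # reverse incremental
    '*.vbm*',         # backup metadata; trailing * also covers its temp variants
    '*.bco',          # configuration backup, only if it is written to this volume
    'heartbeat.bin'   # seen in one poster's environment; drop it if you never see it
    # '*.tmp'         # add only if your jobs really write temp files here
)

$groupName = 'Block all but Veeam'   # assumption: any name works
if (Get-FsrmFileGroup -Name $groupName -ErrorAction SilentlyContinue) {
    Set-FsrmFileGroup -Name $groupName -IncludePattern '*' -ExcludePattern $allowed
} else {
    New-FsrmFileGroup -Name $groupName -IncludePattern '*' -ExcludePattern $allowed | Out-Null
}

# -Active makes the screen deny the write; without it FSRM only logs (passive).
if (-not (Get-FsrmFileScreen -Path $RepoPath -ErrorAction SilentlyContinue)) {
    New-FsrmFileScreen -Path $RepoPath -IncludeGroup $groupName -Active `
        -Description 'Whitelist Veeam backup files; block everything else' | Out-Null
}

# Verification: returns $true when FSRM denies creating the given file name.
function Test-ScreenBlocks {
    param([string]$Name)
    $probe = Join-Path $RepoPath $Name
    try {
        Set-Content -Path $probe -Value 'probe' -ErrorAction Stop
        Remove-Item -Path $probe -Force        # clean up the test file
        return $false                          # write succeeded: not screened
    } catch {
        return $true                           # write denied by the screen
    }
}

if (-not (Test-ScreenBlocks 'ransom-note.txt')) { Write-Warning 'Screen is NOT blocking foreign files' }
if (Test-ScreenBlocks 'probe.vbk')             { Write-Warning 'Screen is blocking Veeam files; jobs will fail' }
```

Run it once on the repository server and re-run it after any Veeam upgrade, since the two probe writes at the end are the quickest way to notice that a new extension has been introduced or that the group was edited by hand. Keep the screen at the repository root only; screening `C:\` would interfere with Veeam's own working files.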

Re: Ransomware Protection - File Screening

by gingerdazza » Tue May 16, 2017 7:33 pm

I was going to take the same route as you, block all with a whitelist, as opposed to attempt to block a blacklist.

Veeam Support - would this strategy not be a powerful addition to your recommendations for ransomware mitigation, complete with your official list of required file extensions?

Re: Ransomware Protection - File Screening

by bg.ranken » Tue May 16, 2017 8:47 pm

Would this actually block the ransomware though? Wouldn't it encrypt the file and then try to rename it and just fail at only the renaming?

That being said, I believe your vbm should be *.vbm*

Also you should add *.bco (Veeam B&R configuration backup file) to the exclusions list.

Re: Ransomware Protection - File Screening

by gingerdazza » Tue May 16, 2017 9:30 pm

According to McAfee the extension blocking seems to prevent the encryption: https://kc.mcafee.com/corporate/index?p ... id=KB89335
"VirusScan Enterprise (VSE) and Endpoint Security (ENS) Access Protection Proactive Measures

NOTE: The VSE and ENS Access Protection rules will prevent creation of the .WNRY file. This rule prevents the encryption routine, which is where one will see encrypted files that contain a .WNCRYT, .WNCRY and/or .WCRY extension. By implementing the block against .WNRY, other blocks are not necessary for the encrypted file types."

At the end of the day it's about layers of protection. No one single defense strategy will suffice for WannaCry or any other future ransomware. I s'pose the question might be, why NOT use file screening?

Re: Ransomware Protection - File Screening

by mickyv » Wed May 17, 2017 12:51 am

Great suggestion. I recently did this on all our file servers but found out that only NTFS drives are supported, so I cannot do this on our backup server drive... Dang.

Re: Ransomware Protection - File Screening

by ChrisGundryCEGA » Wed May 17, 2017 8:57 am

I had the same idea and wanted to implement it on our backup servers, then realised that ReFS is not supported for file screening :(

MS's suggestion is to use AppLocker instead, but to me they are two different things, and we don't want to use AppLocker for this purpose as it doesn't do what file screening does...

Re: Ransomware Protection - File Screening

by gingerdazza » Wed May 17, 2017 1:27 pm

If you have enterprise AV such as McAfee's ePO, you can actually set up file blocking rules using the AV too: https://kc.mcafee.com/corporate/index?p ... cale=en_US

Re: Ransomware Protection - File Screening

by gingerdazza » Wed May 17, 2017 1:30 pm

Veeam Support - what are your thoughts on this file screening?

I really think it's worth adding to your ransomware blog articles and setting out a clear list of required extensions.

Re: Ransomware Protection - File Screening

by remko.de.koning » Wed May 17, 2017 8:36 pm

Last year I posted this: veeam-backup-replication-f2/ransomware-prevention-t35854.html, which got some very good feedback and improvements. As soon as we heard about the threat last Friday we added the WannaCry file extensions to keep this extra layer of protection up to date.

I like this idea even better... A good example of out-of-the-box thinking. Thanks!!!

Re: Ransomware Protection - File Screening

by gingerdazza » Thu May 18, 2017 10:47 am

Thanks Remko. I'm glad you see the benefit of the block-all-with-exceptions strategy, as opposed to the block-only-known strategy.

Re: Ransomware Protection - File Screening

by JamesMcG » Thu May 18, 2017 7:07 pm

bg.ranken wrote:Would this actually block the ransomware though? Wouldn't it encrypt the file and then try to rename it and just fail at only the renaming?

That being said, I believe your vbm should be *.vbm*

Also you should add *.bco (Veeam B&R configuration backup file) to the exclusions list.


Correct, *.vbm* and .bco should be there. In the end I gave in and added *.tmp as well since Windows kept attempting writes with it.

Re: Ransomware Protection - File Screening

by evander » Fri May 19, 2017 8:58 am

JamesMcG wrote:I did this in a slight rush Friday afternoon to put my mind at ease over the weekend. I had planned to do so for a while, so I just got it done. So far so good, I used the following I found here on the forums. Wish I knew where so I could give credit to the OP!


You're welcome :D Glad it helped.

Re: Ransomware Protection - File Screening

by evander » Fri May 19, 2017 9:15 am

JamesMcG wrote:
Correct, *.vbm* and .bco should be there. In the end I gave in and added *.tmp as well since Windows kept attempting writes with it.


Hey James, I send my Veeam configurations backup to another server/repository which is why I didn't need the .bco extension, but yes if you do, then you do :)
Also, because my repository is a dedicated volume on a windows box (i.e "D" drive) it doesn't need to write any tmp files to that volume, or at least mine doesn't. Any tmp files will probably be written to the "C" drive instead.

Re: Ransomware Protection - File Screening

by evander » Fri May 19, 2017 9:37 am

To add to this, I have set up an alert to email me immediately if something attempts to write to that volume and fails. Not only does this tell me if I have got my config wrong, but it will also hopefully alert me to any possible ransomware attack, which will hopefully give me time to yank the network from this box, saving my backups while I frantically fight off the baddies on other servers and workstations, safe in the knowledge that I can at least fall back on those backups should the need arise.

PS: I also have an additional backup run for critical boxes to another repository that is left in an air-gapped environment (unplugged, switched off) on a day-to-day scenario and only plugged in once a week while backups are run (during this run, the other repository is switched off) so that if all else fails I still have backups at most a week old. You know, because cleverer baddies.
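
The alert evander describes, done with FSRM's own notification actions and a console check of recent violations. This is an added example by the editor, not code from the forum posters or from Veeam. It assumes a screen already exists on the repository path `D:\Backups` (hypothetical), that the server can reach an SMTP relay, and it uses FSRM's own substitution variables (`[Source Io Owner]`, `[Source File Path]`, `[Server]`, `[Admin Email]`) in the message; the relay and recipient addresses are placeholders. The point of `-RunLimitInterval 0` is that FSRM otherwise collapses repeated violations into one message per hour, which is exactly the wrong behaviour when a process is walking the volume trying to drop hundreds of files.

```powershell
# Added example (editor's own, not from the forum posts or Veeam):
# e-mail and event-log notifications for blocked writes on the repository screen.
# Assumptions: FSRM screen already exists on D:\Backups (hypothetical path);
# smtp.example.internal and backup-alerts@example.internal are placeholders.

Import-Module FileServerResourceManager

$RepoPath = 'D:\Backups'

# FSRM sends mail through its own SMTP settings; set them once per server.
Set-FsrmSetting -SmtpServer 'smtp.example.internal' `
                -FromEmailAddress 'fsrm@example.internal' `
                -AdminEmailAddress 'backup-alerts@example.internal'

# E-mail on every denied write. RunLimitInterval 0 disables the per-hour
# throttling so a burst of blocked writes is not reduced to a single message.
$mail = New-FsrmAction -Type Email -MailTo '[Admin Email]' `
    -Subject 'BLOCKED write on Veeam repository [Server]' `
    -Body 'User [Source Io Owner] tried to create [Source File Path] on [Server]. If this is not a known Veeam job, isolate the repository now.' `
    -RunLimitInterval 0

# Also write an Application event so log collection (SIEM) sees it without mail.
$evt = New-FsrmAction -Type Event -EventType Warning `
    -Body 'File screen violation: [Source Io Owner] -> [Source File Path]' `
    -RunLimitInterval 0

# Attach both actions to the existing screen (replaces its notification list).
Set-FsrmFileScreen -Path $RepoPath -Notification @($mail, $evt)

# Console check: file screen violations FSRM (provider SRMSVC) logged recently.
# Event ID 8215 is the file screen violation event on the servers I have checked;
# confirm it in your own Application log before building monitoring on it.
function Get-RecentScreenViolations {
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'SRMSVC'
        Id           = 8215
        StartTime    = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
}

Get-RecentScreenViolations -Hours 24
```

After applying it, create a `.txt` file in the repository root from a test account: you should receive one mail naming that account and path within seconds, and `Get-RecentScreenViolations` should list the same event. The `[Source Io Owner]` value is the account that made the write, so for a real incident it also tells you which credential or host to cut off first.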
