Best Method for Protecting Backup Drive from Malware

[AtlBo]

Got three systems here, all with plenty of backup on secondary drives, but I am still worried about encryption from ransomware and other malware issues. Does anyone have a solution for specifically protecting backup drives? I'm running W7 Pro 64.

Don't want to use BitLocker, by the way, to password protect the drives. Not sure that would block ransomware, anyway. Really what I am looking for is some kind of backup option that is sensitive to this problem. For example, if there were a backup program that made a drive completely invisible to anything but itself, that would work for me. The backup drives are just going to contain images, so I don't need to see the contents.

Personal files is another issue. Images contain them, so imaging every day is a pretty good option. However, it would be nice to be able to sync files to the same remote drive using the same backup program. Haven't run across that from an imaging program yet, though, and I haven't seen anything like what I have mentioned above...

 

[LabZero]

One solution is to go back to having a backup policy that includes offline storage and, therefore, human intervention. The NAS for example had used people who want to automate everything; Unfortunately this kind of automation has a dangerous downside.

Many NAS can automate the synchronization of some of the data on external storage connected via USB or with another NAS, other NAS have a switch that initiates synchronization by pressing a button.

The important thing is to have at least two offline backup sets, that run periodically (once a week, for example) on devices that normally remain turned off and disconnected from the network.

Who uses online backup services could be protected from direct access of malware to backups, but could risk update backup with encrypted versions of the files. Some online services provide some historical files, but may not be a good idea to rely only on this feature of the service.

For what I know, the data at risk are those accessible via Windows network drives mounted with various technologies, in practice the files you see from File Explorer. Ransomware are not able, for now, to encrypt network files accessible with different techniques, such as rsync or other protocols, but remains the problem similar to that described for backups on online services.

 

[hjlbx]

Got three systems here, all with plenty of backup on secondary drives, but I am still worried about encryption from ransomware and other malware issues. Does anyone have a solution for specifically protecting backup drives? I'm running W7 Pro 64.

Don't want to use BitLocker, by the way, to password protect the drives. Not sure that would block ransomware, anyway. Really what I am looking for is some kind of backup option that is sensitive to this problem. For example, if there were a backup program that made a drive completely invisible to anything but itself, that would work for me. The backup drives are just going to contain images, so I don't need to see the contents.

Personal files is another issue. Images contain them, so imaging every day is a pretty good option. However, it would be nice to be able to sync files to the same remote drive using the same backup program. Haven't run across that from an imaging program yet, though, and I haven't seen anything like what I have mentioned above...

Encryption will not protect against ransomware; ransomware will just re-encrypt the already encrypted files.

You need policy that denies access to drive entirely or folders by unknown apps - while at same time allowing safe applications read\write access.

Only "home" soft that I have used that has this feature is COMODO.

As far as policy-based back up soft, I know of none... but that doesn't mean one does not exist.

There is freeware Secure Folders, but I don't know if it has policy-based access functionality.

 

[hjlbx]

Ask @Online_Sword about Excubit Bouncer. It is policy software that might be able to achieve what you desire.

Freeware version might be all you need...

 

[AtlBo]

Thanks for the info Klipsh.

I was thinking specifically about something I would be willing to pay for, and maybe a local rule requiring human intervention would work for most people, even for me for now. However, I would like to automate backup of the 3 PCs if I can find a way to back up securely to permanently attached drives. I do understand your apt description of this as dangerous/risky.

Thinking about a program that could make this possible, my head begins to ache, when I think about how this type of program would/might have to start with the Windows kernel somehow. I guess this would not be true if the entire dialog for the actual existence of the connected backup drive were also somehow contained within the program...in such a way that Windows itself could not detect the drive whatsoever.

I am very limited in knowledge in networking and in use of the deeper elements of Windows. Unfortunately, I am also very limited in knowledge concerning the deeper capabilities available in Windows through command line and otherwise and available to programmers (especially programmers of security related programs). In this way, I am only guessing at what might be required for such a backup program to exist. However, I would happily pay $100 or more for it if it did exist. Just to have the ability to backup automatically would be worth it to me. Not sure how many others would say so or whether the idea is economically viable, even if it is possible...

 

[AtlBo]

I was typing as you posted hjlbx. I was thinking of looking at Comodo Backup, and maybe this is what I need to begin to move over to that. I have a fairly large number of backups, so I can see some work ahead.

I appreciate the info very much, and I will take a look at all the options you have mentioned...

 

[hjlbx]

Thanks for the info Klipsh.

I was thinking specifically about something I would be willing to pay for, and maybe a local rule requiring human intervention would work for most people, even for me for now. However, I would like to automate backup of the 3 PCs if I can find a way to back up securely to permanently attached drives. I do understand your apt description of this as dangerous/risky.

Thinking about a program that could make this possible, my head begins to ache, when I think about how this type of program would/might have to start with the Windows kernel somehow. I guess this would not be true if the entire dialog for the actual existence of the connected backup drive were also somehow contained within the program...in such a way that Windows itself could not detect the drive whatsoever.

I am very limited in knowledge in networking and in use of the deeper elements of Windows. Unfortunately, I am also very limited in knowledge concerning the deeper capabilities available in Windows through command line and otherwise and available to programmers (especially programmers of security related programs). In this way, I am only guessing at what might be required for such a backup program to exist. However, I would happily pay $100 or more for it if it did exist. Just to have the ability to backup automatically would be worth it to me. Not sure how many others would say so or whether the idea is economically viable, even if it is possible...

Did you consider Cloud back-up solution ? There are advantages and disadvantages.

Any how, there are multiple solutions, but there are people on MT with much greater knowledge on this topic... so I leave thread now.

 

[hjlbx]

I was posting as you posted hjlbx. I was thinking of looking at Comodo Backup, and maybe this is what I need to begin to move over to that. I have a fairly large number of backups, so I can see some work ahead.

I appreciate the info very much, and I will take a look at all the options you have mentioned...

Not COMODO Backup.

COMODO Internet Security can be configured to deny access to folders\files to any unknown applications - while at same time allowing read\writes by trusted apps.

Cryptor can best be handled with virtualization and anti-executable. COMODO provides both to user to configure as they need\see fit.

 

[AtlBo]

I have considered cloud, but I have read the stories if you know what I mean. "My whole life was in that image and now it's gone!" I really appreciate finding out more about Comodo Backup. I was wondering what exactly it does differently than standard imagers...

Thanks again.

 

[hjlbx]

I have considered cloud, but I have read the stories if you know what I mean. "My whole life was in that image and now it's gone!" I really appreciate finding out more about Comodo Backup. I was wondering what exactly it does differently than standard imagers...

Thanks again.

Not Comodo Backup. There is nothing special about it.

I was referring to Comodo Internet Security. See my earlier post.

You will find solution, but it will take time and effort.

 

[AtlBo]

Not COMODO Backup.

COMODO Internet Security can be configured to deny access to folders\files to any unknown applications - while at same time allowing read\writes by trusted apps.

Cryptor can best be handled with virtualization and anti-executable. COMODO provides both to user to configure as they need\see fit.

OK, can this be achieved with Comodo Firewall, also? I can change from Private Firewall, but I'm not crazy about changing a-v away from 360 TS on all three PCs. I have seen that the HIPS(?) can be turned off in CIS so that it will run with an a-v, so maybe that's an option short term?

 

[LabZero]

Thanks for the info Klipsh.

I was thinking specifically about something I would be willing to pay for, and maybe a local rule requiring human intervention would work for most people, even for me for now. However, I would like to automate backup of the 3 PCs if I can find a way to back up securely to permanently attached drives. I do understand your apt description of this as dangerous/risky.

Thinking about a program that could make this possible, my head begins to ache, when I think about how this type of program would/might have to start with the Windows kernel somehow. I guess this would not be true if the entire dialog for the actual existence of the connected backup drive were also somehow contained within the program...in such a way that Windows itself could not detect the drive whatsoever.

I am very limited in knowledge in networking and in use of the deeper elements of Windows. Unfortunately, I am also very limited in knowledge concerning the deeper capabilities available in Windows through command line and otherwise and available to programmers (especially programmers of security related programs). In this way, I am only guessing at what might be required for such a backup program to exist. However, I would happily pay $100 or more for it if it did exist. Just to have the ability to backup automatically would be worth it to me. Not sure how many others would say so or whether the idea is economically viable, even if it is possible...

In my opinion, for what has been said above, the step to perform a safe backup is necessarily manual and cannot be automated.

You should have at least two backup copies on two different devices.

Pro's:

-simple and secure solution
-backups taken when the user decides which choose to copy the data in the most appropriate moments

Con's:

-not automated solutions, you must remember to make backups...
-If done too often, in case of ransomware attack you may copy the encrypted data and overwrite the data in the clear.

 

[hjlbx]

OK, can this be achieved with Comodo Firewall, also? I can change from Private Firewall, but I'm not crazy about changing a-v away from 360 TS on all three PCs. I have seen that the HIPS(?) can be turned off in CIS so that it will run with an a-v, so maybe that's an option short term?

Folder\File protection is provided by HIPS module; HIPS must be turned on in CFW for it to work.

If you know how to use Comodo it should be no problem.

If you do not know how to use Comodo it will be problem.

I do not know about Qihoo - CFW combo compatibility; it might or might not work.

Maybe you should send email to Excubits support about Bouncer. It might do everything you wish with a whole lot less hassle...

I would not jump into anything without fully exploring options - which will take time.

Major problem you have is that Qihoo will not contain cryptor; COMODO will contain cryptor.

 

[AtlBo]

Con's:

-not automated solutions, you must remember to make backups...
-If done too often, in case of ransomware attack you may copy the encrypted data and overwrite the data in the clear.

Very good point. At present I have a drive that is not connected that I am using to store backups. I can (make sure the PC is off) hook up the drive and boot to a restore disk and restore on any of the drives. It works fine, considering how few times I find myself in the position of actually requiring a restoration. However, if there were/was an option, I would spend for it.

The problem of recording encrypted data adds another level to my thoughts about this. Ransomware would declare itself, and I could automatically remove the backup drive, so this is one defense, provided that the ransomware did not see or was unable to encrypt the backups. However, if there were silent encryption (purely destructive activity), then I possibly wouldn't know about the problem until it was too late. Well, I guess this would add another requirement for the type of backup program I would be looking for. It would have to detect somehow encrypted files or bulk deletion or alteration of files, somehow.

I didn't realize how difficult this topic is.

 

[AtlBo]

Really grateful for the input. I will look over all of the options. As things are, I feel secure in that I have the backups on a detached drive. Also, I have some spare drives, so I will look into creating a duplicate of the drive containing the backups...maybe get one of those USB RAID storage docks that I can easily keep detached and then move around as required.

Long term, yes, I will take my time and look into how CIS can help and also the other options...

 

[hjlbx]

Very good point. At present I have a drive that is not connected that I am using to store backups. I can (make sure the PC is off) hook up the drive and boot to a restore disk and restore on any of the drives. It works fine, considering how few times I find myself in the position of actually requiring a restoration. However, if there were/was an option, I would spend for it.

The problem of recording encrypted data adds another level to my thoughts about this. Ransomware would declare itself, and I could automatically remove the backup drive, so this is one defense, provided that the ransomware did not see or was unable to encrypt the backups. However, if there were silent encryption (purely destructive activity), then I possibly wouldn't know about the problem until it was too late. Well, I guess this would add another requirement for the type of backup program I would be looking for. It would have to detect somehow encrypted files or bulk deletion or alteration of files, somehow.

I didn't realize how difficult this topic is.

There are many "automated" (= scheduled) backup solutions - both to external drive and cloud. That is easy part.

There are number of different ways to handle your situation. The two most direct are:

• Add protection against cryptor itself so as to protect both systems and backups.
• Use policy-restricted access to backups.

Only soft I know of that can accomplish both at same time is COMODO.

It is suggestion only as there are multiple ways to solve the problem - and none without some form of hassle.

You need more knowledgeable back-up expert...

 

[AtlBo]

You need more knowledgeable back-up expert...

OK, thanks I will take your advice on all fronts and look deep into Comodo and the other options and see if I can get some input from Excubits, etc. (others) about how to best approach all this.

Oh, yes, I am using Paragon B&R, and it runs very well on a schedule. I was backing up daily and monthly when I only had one PC, but with three PCs I have gone to imaging once in awhile (every 3 months).

I would go back to daily on the main PC if I could be sure the data was protected. Maybe I could separate the backups of the main PC from the backups on the others. Backup to an internal drive on the main PC every day and then every so often on the others using the RAID device mentioned. I suppose I could even backup the internal backups on the main to the RAID device occasionally, also...

Protection against encryption does seem like a requirement for this no matter what, though. May have to switch to CIS to make it all work...

 

[upnorth]

Very interesting topic because what almost everybody mention is to Backup, Backup, Backup but what if the backups also gets infected.

Personal I'm no backup expert. I plain and simple use TrueCrypt and because I'm forced to manual start TrueCrypt and manual mount the specific drive and I'm also forced to enter a password and even manual power up the external HDD every single time I want to do a backup I belive it's safe to say the storage itself for my backups is pretty safe. IMO it works very well as an extra protection layer against ransomware etc.

The weakness of ransomware is that it's forced to show it's ugly face when it infected a system so personal I would never ever connect my backups until after it's killed.

 

[Moose]

You may want to look at Video Review - WinAntiRansom vs some Nasty Stuff

Post # 15 video.

 

[Infamous]

Personally, I recommend you do a few things: prevent unauthorized access to the drive and encrypt the files on the drive. The reason why it could be good for you to encrypt files on the drive would simply be because if the files are encrypted and for example an attacker gets hold of the documents on the drive, they would need to decrypt them to make use of the stolen documents. As well as this, in the scenario of a ransomware infection, it may not recognize it as a file to be caught to be encrypted (keep reading below and you may understand a bit more about what I mean).

If you prevent access to the drives, then in the case of a ransomware infection, the ransomware wouldn't be able to access the drive to access the files on the drive to encrypt them - unless it had high privileges and was capable of overpowering and getting rid of the access protection.

Previously when I had been studying ransomware, I noticed that a lot of ransomware malware tend to search for specific file types (based on the extension or the first few bytes in the file). On one of the backups, you could purposefully change the extension and modify the first few bytes to match the new extension to something unknown, meaning if ransomware managed to attack the second backup somehow, it might not bother encrypting any of the files inside since it wouldn't recognize it to be encrypted from the search pattern it had for the scanning of files on the drive.

Anyway, in the long run you cannot prepare yourself to stay protected from every threat - as long as you have other additional protection such as maybe an Antivirus/Internet Security solution on the run to help protect you, or maybe virtualization/anti-executable software, you'll be even safer in terms of malware protection.