BleepingComputer.com Says Disable Shadow Volume Copies Now!

Terry Ganzi

Feb 7, 2014
Shadow Volume Copies have been a feature since Windows Vista that allows snapshots, or backups, of your files to be saved even when the files are currently in use. Windows attempts to create these snapshots every day, and they allow you to restore documents to previous versions or even to restore them if they were deleted. This same technology is also used by Windows' System Restore feature, which allows you to roll back Windows to a previously working configuration in case there is a problem. Since Windows Vista, Microsoft has bundled a utility called vssadmin.exe in Windows that allows an administrator to manage the Shadow Volume Copies that are on the computer. Unfortunately, with the rise of Crypto Ransomware, this tool has become more of a problem than a benefit and everyone should disable it.

Read more: Why Everyone Should disable VSSAdmin.exe Now!
 
TLDR; Rename vssadmin.exe to prevent certain Crypto Ransomware from deleting your Shadow Volume Copies. This does not prevent Crypto Ransomware. Always keep backups of your data and system images.
 
It's not wise to rename vssadmin; in fact, if you're using W8.1 or greater there's an option to reset or fetch corrupted Windows Store components from the internet, but in Win 7 the feature is skipped entirely, so we must rely on System Restore. One possible way is to update virus defs atm; MS should address this problem ASAP.
 
From the title above, it seems a little bit exaggerated, which makes users panic and follow the instruction immediately.

In such a case, where a virus/malware has infected the PC, using a system image or reformatting will be a choice; relying on System Restore will generally be affected immediately. However, with enough awareness some symptoms may not strike at that moment, so Shadow Volume Copy must remain ON.
 
Vasudev said:
It's not wise to rename vssadmin

Still unsure as to why you say it is unwise. Renaming vssadmin has no effect on system restore.

enju said:
Renaming Windows system files? Totally reasonable... or not. Why not just use AppLocker?

Home doesn't support AppLocker.

From the title above, it seems a little bit exaggerated, which makes users panic and follow the instruction immediately.

I always loved those "alert! do this or you are done!" posts. The cryptoware shouldn't be executed in the first place... as always, too many "do this if you may run a malware" instead of "prevent the malware from running".

Actually the title in this thread is not the same as what we have on BC. I posted, Why Everyone Should disable VSSAdmin.exe Now!, which is very different meaning.

I agree that the best protection is to not get infected in the first place. Unfortunately, those of us who are passionate about technology tend to know better. Those who are not, and are in the vast majority, are the ones who are more often being infected. Simply telling them to keep their programs updated doesn't help, because they do not do it. Even updated AV programs do not help with constantly morphing malware.

Therefore, you have to think about solutions with these limitations in mind. Are they the best? No, but they are better than nothing.
 
@Grinler: Yes, a little revision on the title, but still there can be a calm expression in order to get the user's attention without force. ;)

Something like 'What you should know about Shadow Volume Copies and why to disable them as a safety precaution'; anyway, for sure the author intends to catch the reader's eye immediately.
 
@Grinler: Yes, a little revision on the title, but still there can be a calm expression in order to get the user's attention without force. ;)

Something like 'What you should know about Shadow Volume Copies and why to disable them as a safety precaution'; anyway, for sure the author intends to catch the reader's eye immediately.

I never said to disable shadow volume copies. The whole point of the article is to rename vssadmin, so shadow volume copies remain intact as a possible recovery method.

I would hazard to say that vssadmin.exe is used more by ransomware than by IT professionals. Renaming it is a safe precaution. Disabling shadow volume copies is not.
 
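Grinler's point that vssadmin.exe is used more by ransomware than by administrators is the basis of a simple detection. The following is an added example, not code from the thread or from BleepingComputer: it scans constructed process-creation records (parent image, image, command line) and flags any launch of vssadmin.exe from System32 or SysWOW64, rating a "delete shadows" command line as high severity and a launch from a user-profile path as medium. The record format and the sample lines are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample process-creation events (not real telemetry).
# One record per line: parent_image|image|command_line
SAMPLE_EVENTS = """\
C:\\Windows\\explorer.exe|C:\\Windows\\System32\\cmd.exe|cmd.exe /c dir
C:\\Users\\u\\AppData\\Local\\Temp\\inv0ice.exe|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe delete shadows /all /quiet
C:\\Windows\\System32\\mmc.exe|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe list shadows
C:\\Users\\u\\Downloads\\game.exe|C:\\Windows\\SysWOW64\\vssadmin.exe|vssadmin.exe list shadows
"""

# vssadmin.exe lives in both System32 and SysWOW64, as the thread notes.
VSSADMIN_IMAGE = re.compile(r"\\(system32|syswow64)\\vssadmin\.exe$", re.IGNORECASE)
# The command ransomware issues to wipe the Shadow Volume Copies.
DESTRUCTIVE = re.compile(r"\bdelete\s+shadows\b", re.IGNORECASE)
# Parents started from a user profile are suspicious for an admin tool.
USER_PATH = re.compile(r"^[a-z]:\\users\\", re.IGNORECASE)


@dataclass
class Finding:
    severity: str
    parent: str
    image: str
    command_line: str


def classify(parent: str, image: str, command_line: str) -> Optional[str]:
    """Return a severity for a vssadmin.exe launch, or None if not vssadmin."""
    if not VSSADMIN_IMAGE.search(image):
        return None
    if DESTRUCTIVE.search(command_line):
        return "high"
    if USER_PATH.match(parent):
        return "medium"
    return "low"


def scan(events: str) -> List[Finding]:
    """Parse the record lines and return one Finding per vssadmin.exe launch."""
    findings = []
    for line in events.splitlines():
        if not line.strip():
            continue
        parent, image, command_line = line.split("|", 2)
        severity = classify(parent, image, command_line)
        if severity is not None:
            findings.append(Finding(severity, parent, image, command_line))
    return findings
```

Renaming vssadmin.exe as the thread suggests changes the image path, so a detection based on the original path also tells you when the rename has been reverted.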
In Comodo, just change the rating of vssadmin.exe from Trusted to Unrecognized; HIPS will then always alert upon access or execution.

In NVT ERP, just add vssadmin.exe to the Vulnerable Process List.

In AppGuard, just add vssadmin.exe to User Space (both System32 AND SysWOW64 file paths)... with AppGuard it is not very convenient.

How about this... disable Windows Volume Shadow Copy altogether... gotta know what you're doing if you choose this option.
 
In Comodo, just change the rating of vssadmin.exe from Trusted to Unrecognized; HIPS will then always alert upon access or execution.

In NVT ERP, just add vssadmin.exe to the Vulnerable Process List.

In AppGuard, just add vssadmin.exe to User Space (both System32 AND SysWOW64 file paths)... with AppGuard it is not very convenient.

How about this... disable Windows Volume Shadow Copy altogether... gotta know what you're doing if you choose this option.
I was actually going to ask whether adding vssadmin to the Vulnerable Process List in EXE Radar Pro would be a better alternative than renaming it. And I see you already commented on it. Thanks.