How would Shadow Defender deal with this situation?

Nov 25, 2015
#1
Assume I have 2 drives, C and D.
Assume that my drive D is my backup drive and data drive. On drive D I have a folder called Backups, and in that folder I have my Acronis backups of C.

Now assume that I have Shadow Defender made to shadow C and D. I presume that all of the real-time backups that Acronis makes of C and places on D will be deleted once I reboot the computer, due to it being shadowed?

So in order to save the real-time backups I will have to exclude the Backups folder on drive D from being shadowed?

Now assume that, while shadowed and with the Backups folder excluded, I get hit by crypto malware. The malware is known to encrypt everything that's connected to the PC. So now the malware will also encrypt the Backups folder.

Now I reboot the PC and it all goes back to normal (because it was shadowed), except for the Backups folder, which is now encrypted by the malware. Is that correct?

So how do I use Shadow Defender and still keep my constant backups?
 

illumination

Guest
#2
Simple solution. Run Shadow Defender on demand instead of having it start at boot. This way you can run all updates and backups when you first fire up the machine, then place it in shadow mode and go about your day.
 

hjlbx

Guest
#3
You cannot prevent it.

If you exclude backups - and any objects in that excluded path that are targeted by ransomware - then they will be encrypted.

Any excluded file paths are subject to malicious actions.

This is one of the inconveniences of booting into and staying in Shadow Mode all the time and trying to use a local external backup drive.

* * * * *

One workaround is to use cloud backup - but you have to make sure that it keeps prior versions.

Another is to use Secure Folders or similar folder-restriction software and allow only Acronis to access/write to Disk D - but I am not completely sure if this would work.

I would ask @Umbra about this one.
 

Umbra

Level 61
Content Creator
Verified
May 16, 2011
Operating System
Windows 10
Installed Antivirus
Default-Deny
#4
> Assume I have 2 drives, C and D.
> Assume that my drive D is my backup drive and data drive. On drive D I have a folder called Backups, and in that folder I have my Acronis backups of C.
>
> Now assume that I have Shadow Defender made to shadow C and D. I presume that all of the real-time backups that Acronis makes of C and places on D will be deleted once I reboot the computer, due to it being shadowed?
>
> So in order to save the real-time backups I will have to exclude the Backups folder on drive D from being shadowed?

Yes

> Now assume that, while shadowed and with the Backups folder excluded, I get hit by crypto malware. The malware is known to encrypt everything that's connected to the PC. So now the malware will also encrypt the Backups folder.
>
> Now I reboot the PC and it all goes back to normal (because it was shadowed), except for the Backups folder, which is now encrypted by the malware. Is that correct?

Yes

> So how do I use Shadow Defender and still keep my constant backups?

You can't

Your only way, and the way I chose, for backing up daily stuff is using a cloud/external drive backup before ending the SD session.

Or you can use folder-locking software that prevents writing to the backup folder (like SecureFolder, etc.).
 
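The folder-locking idea that hjlbx and Umbra raise above can be done with the NTFS permissions Windows already has, without a third-party tool. The following is an added example written for this thread, not code from any poster, from Shadow Defender or from Acronis. It assumes the backups live in D:\Backups and that the backup job runs as SYSTEM (which is what the Acronis scheduler service normally uses; check the service account before applying this, because a job running under your own user account would be blocked too). Run it from an elevated PowerShell prompt.

```powershell
# Added example, not from the thread or from Shadow Defender/Acronis.
# Lock D:\Backups (assumed path) so that only SYSTEM and Administrators can
# write to it; the interactive user, which is the account ransomware usually
# runs as, gets read-only access.
# Assumption: the Acronis job runs as SYSTEM. Verify first with
#   Get-CimInstance Win32_Service | Where-Object Name -like '*Acronis*' | Select-Object Name, StartName

$BackupDir = 'D:\Backups'

$acl = Get-Acl -Path $BackupDir

# Stop inheriting the permissive defaults from the D:\ root and drop the
# inherited entries, so that the rules set below are the only ones in force.
$acl.SetAccessRuleProtection($true, $false)

# Also drop any explicit entries that were already on the folder.
foreach ($rule in @($acl.Access)) {
    if (-not $rule.IsInherited) { [void]$acl.RemoveAccessRule($rule) }
}

# Apply each rule to the folder, its subfolders and the files in them.
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None

function New-AllowRule($identity, $rights) {
    [System.Security.AccessControl.FileSystemAccessRule]::new(
        $identity, $rights, $inherit, $prop, 'Allow')
}

# Writers: the backup service account and local administrators.
$acl.AddAccessRule((New-AllowRule 'NT AUTHORITY\SYSTEM'    'FullControl'))
$acl.AddAccessRule((New-AllowRule 'BUILTIN\Administrators' 'FullControl'))
# Everyone else: read and list only, so existing backups stay restorable.
$acl.AddAccessRule((New-AllowRule 'BUILTIN\Users'          'ReadAndExecute'))

Set-Acl -Path $BackupDir -AclObject $acl

# Check the result: no entry for Users should carry Write, Modify or FullControl.
(Get-Acl -Path $BackupDir).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
    Format-Table -AutoSize
```

Two caveats a practitioner should keep in mind. The owner of a folder can always rewrite its permissions, so create D:\Backups from an elevated prompt (owner Administrators) rather than from your normal account. And this only stops code running with your user's rights; malware that has obtained administrator rights can change the ACL back, which is why the off-machine copy Umbra recommends is still the real safety net.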

cruelsister

Level 33
Verified
Apr 13, 2013
#5
Originally ransomware didn't seek out files created by imaging software, but that changed with BandarChor about 2 years ago which added tib files to the encryption list (actually it only encrypted the first part of the file, as doing the whole thing would have taken too long, but that was enough to leave the file corrupted). The bad thing about Acronis is that it is so widely used that it is tops on the Blackhats list, unlike others - personally I haven't seen anything try to mess with mrimg files (Macrium).

But Umbra gave the best advice with the external backup method. Aside from protection against malware, it will also protect against a drive dying of natural causes.
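cruelsister's point that BandarChor only overwrote the head of each .tib matters for checking backups: the file keeps its size and name, so a glance at the folder tells you nothing. A hash manifest written right after each backup and re-checked before the backup set is trusted again (for instance, before ending a Shadow Defender session and copying the set to the external drive or cloud) does catch it. The following is an added example written for this thread, not code from any poster or from Acronis; the D:\Backups path and the manifest location are assumptions, and the demonstration at the end runs on throwaway files it constructs in the temp folder.

```powershell
# Added example, not from the thread. Record SHA-256 hashes of every file in
# the backup folder, then verify them later; a partially overwritten .tib
# (same size, same name) fails the hash comparison.

function New-BackupManifest {
    param([string]$BackupDir, [string]$ManifestPath)
    Get-ChildItem -LiteralPath $BackupDir -Recurse -File |
        Where-Object { $_.FullName -ne $ManifestPath } |   # don't hash the manifest itself
        Get-FileHash -Algorithm SHA256 |
        Select-Object Path, Hash |
        Export-Csv -LiteralPath $ManifestPath -NoTypeInformation
}

function Test-BackupManifest {
    param([string]$ManifestPath)
    $problems = @()
    foreach ($entry in Import-Csv -LiteralPath $ManifestPath) {
        if (-not (Test-Path -LiteralPath $entry.Path)) {
            $problems += "$($entry.Path): missing"
            continue
        }
        $hashNow = (Get-FileHash -LiteralPath $entry.Path -Algorithm SHA256).Hash
        if ($hashNow -ne $entry.Hash) { $problems += "$($entry.Path): contents changed" }
    }
    return $problems   # empty means every recorded file is intact
}

# Constructed demonstration on throwaway files. Real use would be
#   New-BackupManifest -BackupDir 'D:\Backups' -ManifestPath 'D:\Backups\manifest.csv'
$demo = Join-Path $env:TEMP ('manifest-demo-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $demo | Out-Null
$tib = Join-Path $demo 'C-drive.tib'                        # stands in for a real image file
[IO.File]::WriteAllBytes($tib, [byte[]](1..4096 | ForEach-Object { $_ % 256 }))
$manifest = Join-Path $demo 'manifest.csv'

New-BackupManifest -BackupDir $demo -ManifestPath $manifest
"Right after backup: $((Test-BackupManifest -ManifestPath $manifest).Count) problem(s)"

# Overwrite only the first 64 bytes, leaving the size unchanged; a size or
# timestamp check alone would not notice, the hash comparison does.
$fs = [IO.File]::Open($tib, 'Open', 'ReadWrite')
$fs.Write([byte[]]::new(64), 0, 64)
$fs.Close()
Test-BackupManifest -ManifestPath $manifest                # reports "... contents changed"

Remove-Item -LiteralPath $demo -Recurse -Force
```

Where the manifest lives matters in this setup: a copy on the shadowed C drive is reverted at the next reboot, and a copy inside the excluded Backups folder can be damaged along with the backups (in which case Import-Csv fails, which is still a warning). Keep it next to the backups and send a copy along with the external or cloud copy.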
 
Nov 25, 2015
#6
I do have an external backup method but I don't backup to it as often as I do to my internal hard drive... mainly due to ease of use and transfer speed.
My internal HD creates a weekly image, where the external might be every 6 months+. I also do a yearly cloud backup.

So I added the TrueImage backup folder to WinAntiRansom Safezone folder zone...I hope it works.
 
Feb 14, 2013
Operating System
Windows 10
Installed Antivirus
ESET
#7
I think the best thing for you to do is only backup your C:\ drive on demand instead of allowing Acronis to do scheduled backups for you. Just run backups yourself as often as you need; that way you can disable Shadow Mode only when needed. You won't need to make any exclusions that way. This is the way I have been doing it for many years now. It has worked great for me, and I do all my C:\ image backups to an external drive. The only difference is I use Shadow Protect to do my image backups, well mostly, I do have Acronis on a few machines. I think this simple solution will work great for you if you only have to make backups for a few machines, and you have physical access to the machines.
 
Oct 22, 2012
#8
I am running Todo Backup... C partition backed up to D partition.
I am thinking of installing Shadow Defender and I will use it on demand.

So -
1. I can disable the backup schedule & use Shadow Defender, right?
2. I can shadow only the C partition, and the Todo backup will be saved on the D partition if a backup runs while Shadow Defender is running, right?