Save your files to OneDrive for expanded ransomware protection

Status
Not open for further replies.

Bot

AI-powered Bot
Thread author
Verified
Apr 21, 2016
3,460
If you want an additional layer of protection from ransomware, try saving your files in OneDrive. It’s part of the new experiences that arrived with the Windows 10 April 2018 Update.

Here’s how it works: If a ransomware threat is found on a device, Windows Defender will notify you of the threat, help you remove the ransomware from your device, and give you options to recover your OneDrive files to the state they were in before the attack occurred.


Save your files to OneDrive




For Office 365 Home subscribers, Office 365 Personal subscribers, and OneDrive for Business users, that includes OneDrive Files Restore, which can be used to restore your OneDrive to a previous point in time within the last 30 days. The date and time that Windows Defender detected the attack will be pre-selected in Files Restore, making the process simple and easy to use.

Learn more about the protections from online threats available to Office 365 Home and Office 365 Personal subscribers.

If you like this, check out more Windows 10 Tips.

The post Save your files to OneDrive for expanded ransomware protection appeared first on Windows Experience Blog.

Source
 

Der.Reisende

Level 45
Honorary Member
Top Poster
Content Creator
Malware Hunter
Dec 27, 2014
3,423
As long as the local folder isn't affected by ransomware and the cloud storage isn't synchronized to the local version (encrypted files replacing backed-up originals).
I had that experience a long time ago.
Better have an offline backup, too!
The more backups, the better!

Apart from that, I really like OneDrive!
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,142
OneDrive is probably a good idea. But, the actual Microsoft implementation is very badly secured. I have the below concerns:
  1. OneDrive executables are installed in folders which can be easily modified by the malware with medium rights. So, the attacker can silently kill/replace OneDrive executable (no UAC prompt) and automatically get the persistence, because OneDrive is started on logon via the RUN key in HKCU hive. This also makes whitelisting protection invalid, because one has to whitelist executables in the folders which can be easily modified.
  2. OneDrive has no default Exploit protection. The user has to find & apply manually the required mitigations from the Windows 10 Exploit Guard Security Baseline, and no one knows how effective it can be.
  3. If OneDrive has been exploited, then it is very probable that the exploit can destroy the files on disk and the backup files on the OneDrive storage location.
  4. Microsoft did not push any article about protecting OneDrive.
So for now, using OneDrive looks like balancing on the wooden leg.:emoji_beer:

Edit.
It seems that Microsoft does not bother to make it safer, because it cannot run with admin rights.:notworthy:
Any RANSOMWARE will tremble, for sure.
 
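A defender-side check for the first concern in the post above (autostart binaries in user-writable folders, launched from the Run key in the HKCU hive), added here as an example that is not part of the thread or any poster's code: it lists each HKCU Run entry and reports whether the current non-elevated user can modify the target file or its folder. The function names are hypothetical, and the ACL test is an approximation that looks only at allow entries and ignores deny entries.

```powershell
# Added example: read-only audit of per-user autostart entries (changes nothing).
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'

function Get-CommandExecutable {
    param([string]$Command)
    # Run values are command lines: "C:\path\app.exe" /arg  or  C:\path\app.exe /arg
    $expanded = [Environment]::ExpandEnvironmentVariables($Command)
    if ($expanded -match '^\s*"([^"]+)"')        { return $Matches[1] }
    if ($expanded -match '^\s*(.+?\.exe)(\s|$)') { return $Matches[1] }
    return $null
}

function Test-UserWritable {
    param([string]$Path)
    # Approximation: any allow ACE for the caller's own SIDs that grants write or delete.
    $me    = [Security.Principal.WindowsIdentity]::GetCurrent()
    $sids  = @($me.User.Value) + @($me.Groups | ForEach-Object { $_.Value })
    $mask  = [Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete'
    $rules = (Get-Acl -LiteralPath $Path).GetAccessRules(
        $true, $true, [Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        if ($rule.AccessControlType -eq 'Allow' -and
            $sids -contains $rule.IdentityReference.Value -and
            ($rule.FileSystemRights -band $mask)) { return $true }
    }
    return $false
}

$key = Get-Item -Path $runKey -ErrorAction SilentlyContinue
$report = if ($key) {
    foreach ($name in $key.GetValueNames()) {
        $exe = Get-CommandExecutable ([string]$key.GetValue($name))
        if ($exe -and (Test-Path -LiteralPath $exe)) {
            [pscustomobject]@{
                Entry        = $name
                Executable   = $exe
                FileWritable = Test-UserWritable $exe
                DirWritable  = Test-UserWritable (Split-Path -Parent $exe)
                Signature    = (Get-AuthenticodeSignature -FilePath $exe).Status
            }
        }
    }
}
$report | Format-Table -AutoSize
```

An entry with `FileWritable` or `DirWritable` set to True is one that a process running as the same standard user could replace, which is why path-based whitelisting of such a folder gives little assurance.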

509322

I have no doubt it will rollback the account to the exact point that the user doesn't want - the one with the greatest data loss.

Nope. No thank you. I use Dropbox. And I can honestly state that it does work if hit by ransomware. However, you have to resurrect each file manually.
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
OneDrive is probably a good idea. But, the actual Microsoft implementation is very badly secured.
Indeed, OneDrive looks like low-hanging fruit. But even though it is installed on hundreds of millions of computers, I never saw a report about malware abusing it. So it must be a lot safer than it looks.
 

upnorth

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 27, 2015
5,459
I run it unelevated on SUA.
It is designed so that all users, including SUA users, can do everything they need with their OneDrive account.
Even with the business version or does also the standard version include OneDrive Files Restore?
 

upnorth

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 27, 2015
5,459
No. When you try to run OneDrive.exe with administrative rights, it will fail with the notification to run it as standard user (medium rights). It is good because if exploited, the exploit is running also as standard user.
That means it does exist an administrator elevation option. Thanks for the clarification. (y)
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
Even with the business version or does also the standard version include OneDrive Files Restore?
Only business has full support for file restore.
But all Office 365 customers receive OneDrive business, even the home and personal editions have OneDrive for Business.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,142
Indeed, OneDrive looks like low-hanging fruit. But even though it is installed on hundreds of millions of computers, I never saw a report about malware abusing it. So it must be a lot safer than it looks.
You can kill OneDrive.exe via task manager and delete via CMD (not elevated). Any malware can hide by renaming & replacing OneDrive. There are some Exploit Guard rules, but they are not applied by default.
The attacker can get the similar things in many other ways, he does not have to abuse OneDrive.
This can change because now the OneDrive is used by Microsoft to roll back the ransomware changes.
If it will be popular, then we probably will see exploited OneDrive in the attacks on the storage locations.
 

upnorth

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 27, 2015
5,459
You can kill OneDrive.exe via task manager and delete via CMD (not elevated). Any malware can hide by renaming & replacing OneDrive. There are some Exploit Guard rules, but they are not applied by default.
The attacker can get the similar things in many other ways, he does not have to abuse OneDrive.
This can change because now the OneDrive is used by Microsoft to roll back the ransomware changes.
If it will be popular, then we probably will see exploited OneDrive in the attacks on the storage locations.
Only using the online version should work against that kind of attack, or?
 

upnorth

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 27, 2015
5,459
Could you expand the above, please?
I know that one can log in to 365 and also OneDrive on the net alone. For example I only have the basic OneDrive version through Microsoft's mail and it's not installed on the machine but I can still do any backups. But I'm unsure how this business version fully is installed and works as I never used the OneDrive "business" version or the desktop version.

If I don't have a onedrive.exe on my machine I can't imagine an attack against it would work?
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
If you are not using the desktop app of OneDrive, then your cloud storage is safe from ransomware.
Only when the desktop app is running and actively syncing, then you are vulnerable to ransomware.
With the free OneDrive, versions are kept of MS Office docs, so you can manually retrieve earlier versions of affected files.
With the paid OneDrive, you can ask MS to roll back your files to the date and time of your choice.
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
I know that one can log in to 365 and also OneDrive on the net alone. For example I only have the basic OneDrive version through Microsoft's mail and it's not installed on the machine but I can still do any backups. But I'm unsure how this business version fully is installed and works as I never used the OneDrive "business" version or the desktop version.

If I don't have a onedrive.exe on my machine I can't imagine an attack against it would work?
The business version of OneDrive looks and behaves like the free version. But it gives you much more storage (1 TB per user), and I think that it keeps versions of all file types, and for a longer time. I don't remember the details, but you can google it.

And with the paid version, you can ask MS to roll back all your files to the date and time of your choice.
 