Windows 10: Idea for ransomware protection of network drives

Discussion in 'Windows 10 Network and Sharing' started by mike1127, Jun 1, 2016.

  1. mike1127 Win User

    Idea for ransomware protection of network drives


    I like backing up to local drives--I back up to the cloud also, but I like knowing I can get my data back quickly, even if the internet is down, as long as it's a simple problem like a main hard drive failure. But in order to do automatic local backups that don't require constant attendance, I need to keep the drive always connected through USB or the network. And that means it is vulnerable to ransomware--if it can see my files it can encrypt the entire backup.

    So I have been wondering if there is some way to protect my backups even when the drive is connected. I am learning about Windows Firewall right now, and it occurred to me---could Firewall rules be used to block access to the network drive except for the backup program?

    EDIT: another idea is to create a User Account specifically for running the backup program. All other users or user groups would then be denied permission to modify the network drive. It would be very helpful if it were possible to deny the Administrators group such permission, because I think the ransomware may be running as an admin. But can an admin just change the permissions back? Would the ransomware authors have thought of that capability, or would the ransomware just skip the network drive if it doesn't immediately have write/modify permission? Not sure anyone has a hard answer to these questions.

    :)
     
    mike1127, Jun 1, 2016
    #1

  2. What's the best Windows 10 backup strategy for a home user that can recover from a ransomware attack?

    The best option is to create weekly offline backups using separate drives, so, in the event of a ransomware attack, you can simply boot from the backup and restore it.

    Here are some tips for protecting your system:

    How to Protect Your Computer From Ransomware - groovyPost

    https://www.groovypost.com/howto/protect-window...
     
    Andre Da Costa, Jun 1, 2016
    #2
  3. Windows Defender and MBR/Petya-like ransomware

    Hello.

    Thank you for your feedback.

    My curiosity here was not linked to detection by signatures.

    Let's assume there is a 0-day (completely new) Petya variant today that signatures cannot detect yet...

    If I add the system drive to the Protected Folders list (which should protect me from ransomware behaviors), will I be protected from MBR/GPT ransomware or not?

    In other words, does the Protected Folders feature prevent only "regular" ransomware (file encrypting) or also boot-time ones ("MBR/GPT" encrypting)?
     
    LaurFlorin, Jun 1, 2016
    #3
  4. jimbo45 Win User

    Idea for ransomware protection of network drives

    Hi there
    If it's a backup server the really easy way to do this is via a simple LINUX script (perhaps someone more experienced with Windows than me could replicate this on a Windows server).

    You MOUNT the backup device (it can be permanently connected via USB, but left "Unmounted" by default).
    Run your backup -- this can be done presumably from a remote Windows machine or the local server via a scheduled job (Linux CRONTAB) or some type of scheduling system (Windows).
    After the backup has run, unmount (UMOUNT) the device.




    While the device is UNMOUNTED the OS won't have any access to the device even though it's still physically connected to the machine -- not strictly speaking 100% true - but you need to have root privileges and even here any alteration to the file system will require a response from the console so effectively it's decently protected.

    There should be some commands in windows to attach / detach devices -- if you can do that then your problem is essentially solved.

    My stuff (Windows) is backed up to a NAS server running Linux where I use that type of script.

    Cheers
    jimbo
     
    jimbo45, Jun 1, 2016
    #4
  5. mike1127 Win User
    Thanks, good idea!

    One minor flaw is that the drive is still vulnerable during the period it is mounted. Once ransomware is on the computer, it will probably just keep running and looking for more files. If I don't catch it before the next time the network drive mounts, there's still a risk of loss. I wonder if Firewall rules can, possibly, prevent any unwanted access, at any time. I am not clear on how sophisticated the firewall rules get. It would have to filter out traffic that (1) originates from a program other than the backup program, and (2) is headed to or from the network drive. So the rules would have something to do with both the executable and the network destination.
     
    mike1127, Jun 1, 2016
    #5
  6. jimbo45 Win User
    Hi there

    While backup is running disconnect from the Internet.

    So your program / script should look something like this

    1) Disconnect from Internet
    2) Run scan for Ransomware -- if detected take remedial action otherwise continue.
    3) Mount remote HDD's / Attached HDD's - target for your Backup
    4) run the backup
    5) detach / unmount the HDD's.
    6) Re-connect to Internet etc.
    7) optionally send notification - job finished.

    I'd suggest disconnecting from the internet (you can keep your LAN internally connected of course) first - otherwise you theoretically could catch some ransomware even while the backup is running. You need the Internet to be disconnected from the machine which has the SOURCE disks (the disks that are being backed up). I'd also disconnect internet from the server too (Destination for backups).

    I don't think a Windows firewall will either help or hinder installation of Ransomware -- it could pose as a perfectly innocent program so how would you detect that it's not the genuine program say photoshop.exe and a rogue version also called photoshop.exe. Malware attacks can dynamically (i.e. on the fly) change the name of a program temporarily so a bog standard firewall isn't the answer in this case. After doing its business the ransomware will quietly disappear so your say photoshop.exe program is just as it was before.

    A decent SCAN for ransomware while disconnected from the net is probably the best answer - run BEFORE starting backup. What some of the best scanning programs will do is have a map of your installed programs with release etc and compare against a catalog of the "official" versions of these programs --this can never be 100% effective but probably reasonably so. Usually the best defense against Ransomware is to surf safely and never open unknown attachments or emails from people you don't know.

    The real problem with HDD access is to ensure only programs with the correct privileges have them - and unfortunately Windows is a bit weak in that area as there are all sorts of nasties that people can do to get into "admin mode". In Linux gaining unauthorized Root (admin) access is not impossible but a whole lot tougher to do so you shouldn't have any significant problems if you use that type of server for your destination -- of course there's no point copying / backing up an HDD encrypted by Ransomware though.

    A decent firewall will protect against some sites and prevent unauthorised external users gaining access (or even unauthorised INTERNAL users gaining access to sites and programs you don't want them to access) so it's good to have one of those - but things like ransomware and other types of malware and adware are very difficult if not impossible to block by just a firewall. A lot of these types of protections were developed a while ago when the OS'es and threats were very different to what we have now. IMO Computer security is still stuck in the 20th century -- we need something MUCH better today -- what it is and how to do it I've no idea -- but remember a lot of problems are caused by SCAMS which software can't defend against so whatever system you employ you will need to always use common sense. Too many people just sling on some 3rd party AV software and think that's OK my machine is 100% protected -- BIG MISTAKE.

    Cheers
    jimbo
     
    jimbo45, Apr 5, 2018
    #6
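
The mount, back up, unmount sequence from posts #4 and #6, sketched for a Linux backup server as an added example that is not part of the original thread or any poster's own script. The device label, mount point, source directory and the overridable command variables are all assumptions.

```shell
#!/bin/sh
# Added example: keep the backup volume mounted only while the backup runs.
# Every path and command below is an assumption; override via environment.
BACKUP_DEV="${BACKUP_DEV:-/dev/disk/by-label/BACKUP}"  # hypothetical device label
BACKUP_MNT="${BACKUP_MNT:-/mnt/backup}"                # hypothetical mount point
SOURCE_DIR="${SOURCE_DIR:-/srv/incoming}"              # hypothetical data to back up
PRECHECK_CMD="${PRECHECK_CMD:-true}"  # step 2 hook: malware scan, non-zero aborts
MOUNT_CMD="${MOUNT_CMD:-mount}"
UMOUNT_CMD="${UMOUNT_CMD:-umount}"
COPY_CMD="${COPY_CMD:-rsync -a}"

# Return codes:
#   0 backup done and volume unmounted
#   1 pre-backup check failed, volume was never mounted
#   2 mount failed
#   3 copy failed (volume still unmounted afterwards)
#   4 unmount failed, volume is still exposed and needs attention
backup_window() {
    # Do not expose the backup volume at all if the scan step fails.
    $PRECHECK_CMD || return 1
    $MOUNT_CMD "$BACKUP_DEV" "$BACKUP_MNT" || return 2

    result=0
    $COPY_CMD "$SOURCE_DIR/" "$BACKUP_MNT/" || result=3

    # Always unmount, even after a failed copy, so a broken run does not
    # leave the backup reachable until the next scheduled job.
    $UMOUNT_CMD "$BACKUP_MNT" || result=4
    return "$result"
}

# Run only when asked to, e.g. from cron: backup-window.sh run
if [ "${1:-}" = "run" ]; then
    backup_window
    exit $?
fi
```

A return code of 4 is the case worth alerting on, since it means the window did not close.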