Hi there,

All our corporate PCs are being backed up to an onsite Synology Diskstation. Although the share being written to is hidden, I'm still concerned about ransomware encrypting our PC backups.

My understanding of Macrium Image Guardian (MIG) is that it cannot, right now, protect any of the files on the Synology Diskstation.

Am I correct in that understanding?

Are there plans to somehow extend MIG to protect files on a hidden share on a Synology device?  Perhaps to create a MIG "app" that can be installed on the Diskstation itself?

Any insights or comments would be greatly appreciated.

Thank you,

Ralph Edington

You're correct.  Currently, MIG can only protect NTFS partitions that are local to the PC on which MIG is running.  Macrium has a short article about MIG and third-party NAS devices here if you're interested.  In terms of ransomware mitigation, keeping the share hidden is a good first step.  Another valuable step would be not having a persistent mapping to it on the PC.  And an even better third step would be using credentials that have read/write access to the share only within Reflect, and using credentials with read-only access when you need to access that share within Windows for other purposes -- since after all you shouldn't need to write to a NAS share containing your backups from outside Reflect very often, or perhaps never.  Ransomware is certainly getting sophisticated, but the chances of ransomware looking within Reflect for credentials to gain read/write access to a hidden share are rather slim.  But the best mitigation of all would be to periodically back up your NAS to another location, such as the cloud or a mostly-offline disk, which in addition to serving as the ultimate ransomware protection is also handy for other scenarios, like NAS failure.

Thank you for your reply.

I do in fact have guest access turned on for the Synology Diskstation. Your idea of turning that off, and instead, requiring credentials that are stored in the Reflect client, is a good one, although that will require significant reconfig of all my clients.

Thanks again!

--Ralph

You're welcome!   If you're still on V6 clients (since you posted in the V6 section of the forum), the easiest way is to create read/write credentials on the NAS, then create an admin account on each Reflect PC with the same username and password, then in Reflect, go to Edit Defaults > Schedule and configure scheduled tasks to run under that account.  Since that account's credentials will match an account on the NAS, the scheduled tasks will have write access.  Manually executed jobs on the other hand will require the logged-on user to have an authenticated session with read/write access already open to the NAS.  If you have (or upgrade to) V7 clients, it's easier.  Instead, you just go to Edit Defaults > Network and add an entry there with the path to your NAS and the read/write account you created, and then both scheduled and manually executed tasks will be able to use those credentials when Reflect tries to connect to that destination.

Lastly, if you don't already use it, if you have to manage a decent number of PCs, you may want to look at Macrium Site Manager (here) to simplify administration.  I don't know if it would help with deploying this particular change since I don't use it myself, but Site Manager itself is free if you already have Reflect licenses on the workstations (though it can't be used to manage Reflect Free installations), and using Site Manager also gives you the option to license additional PCs with MALs instead of full standalone licenses.  Reflect installations activated with a MAL must be managed by Site Manager, unlike the standalone licenses, but MALs are also less expensive, and if you have a lot of PCs, they're easier to manage than keeping track of which PC has which Reflect key in use.  But again, if you'd prefer to maintain flexibility, you can certainly buying/using standalone licenses and simply add Site Manager to your environment to manage them.

Hi,

I know this post is a little old but I just purchased v7 to find out that the image guardian only protects local discs and not network shares.  You can work around this however by setting up your Synology NAS to operate as an iSCSI target.  The windows OS then sees the volume as a local disk and Image Guardian can then be enabled on that drive :-)

Hope this helps

Very cool!  I didn't know that Synology NAS boxes could do that, although technically operating in iSCSI mode would make it a SAN at that point, not a NAS.  My (very limited) understanding of using iSCSI storage though is that the potential consequences of unexpected network disconnects are greater when you have block-level access to storage as you do with iSCSI, as opposed to a file-level connection to another file server as you do with a NAS, so I'm curious how viable an option iSCSI would be for people who primarily use WiFi.  But that's still a great tip!

Yes not so much an issue for myself as I use the NAS only to store the backup files and then have this NAS do a Shared Folder Sync to another Synology offsite to achieve an offsite backup solution.  It isn't actually used for file storage that users would access.

Even the entry level Synology's will do iSCSI targeting :-)