Image Guardian


gfd
Junior Member (91 reputation)
Group: Forum Members
Posts: 44, Visits: 124
Greetings,

I am going to ask what is probably an obvious question. Please accept my apologies in advance.

I have turned on Image Guardian to protect my backup files on an external hard drive. If I understand the process correctly, IG prevents tampering with Macrium files with particular extensions. That makes excellent sense. Now say I have other files on the same drive as my backup files and malware deletes/encrypts/etc. the non-Macrium files. Will this impact the Macrium files? I presume that when Macrium senses its files are about to be tampered with, it blocks whatever program is attempting to tamper with the files, and the process is safe as Macrium runs elevated.

Now even though Macrium prevents its backup files from being tampered with, what if ransomware encrypts the drive where Macrium is installed? Would the program then be able to prevent its backup files from being corrupted?

I must apologize for my ignorance. I would very much like to understand the +/- so I can do my best to protect the backup files. After all, if the backup files are healthy, I can restore a corrupt installation.

I suppose the ultimate would be to disconnect the external drive when no backups are in progress. This would be difficult as the backups take place overnight while I am sleeping. Is it possible to have Macrium dismount the drive after the last partition is backed up (I back them up individually), and then mount the drive before beginning the next backup? I understand the scripting in the program is quite powerful. I would be lying if I said I knew how to go about it.

So that's it. No solution is perfect, but I would like to do as much as I can to protect my backups. Having said all this, Macrium is the best imaging program I have used; and I have used most of them.

Thanks in advance,
Graham
jphughan
Macrium Evangelist (21K reputation)
Group: Forum Members
Posts: 13K, Visits: 79K
Hello Graham,

Welcome to the forum.  Just as a thing to watch out for going forward, you posted this in the Reflect V6 section of the forum, while Image Guardian didn't arrive until Reflect V7.

But to answer your question, your understanding is mostly correct.  Image Guardian blocks attempts by any non-Macrium applications to modify files with Macrium file extensions.  This includes deleting, moving (which is a copy+delete), renaming, and of course altering the data itself.  Image Guardian works on the "whitelist" security principle that Macrium applications are trusted, and everything else is categorically not trusted (except Robocopy, which can be trusted under certain conditions).  This is the more secure and opposite security principle to most anti-malware solutions, which use a blacklist approach, meaning that they assume that applications and activities are trustworthy unless their definition files or heuristic analysis give them reason to suspect otherwise.  General purpose anti-malware applications operate that way because they pretty much have to in order to avoid interfering with legitimate activity so much that the user disables them entirely.  But Image Guardian can afford to take the opposite approach because a) it's only focused on protecting Macrium files rather than the entire system, and b) only Macrium applications should be modifying Macrium files anyway.  The only exception to the latter is that users will of course sometimes want to move, delete, or rename their Reflect backup files.  Image Guardian will block those operations too.  Some of those functions (like deleting backups) are better performed from within Reflect than Windows Explorer anyway because Reflect takes measures to prevent you from accidentally breaking a backup set or leaving "orphaned" backups, while for other cases you'll just need to temporarily disable Image Guardian if you want to do certain things, but that's not very difficult.

To the question about encrypting the entire drive, Image Guardian only blocks file-level access.  So it will not stop partition-level or disk-level activities, such as a ransomware application encrypting the entire drive using whole disk encryption.  It also would not stop malware (or a user) from simply formatting the drive.  However, those types of operations require admin-level privileges, and most ransomware does not operate at that privilege level.  The insidious thing about ransomware is that it can do a ton of damage even WITHOUT needing admin-level privileges, because it's "just" modifying files in places like your Desktop and Documents folder, and maybe your external hard drive -- places that don't require admin privileges to modify files.  For malware to gain admin-level privileges, it either needs you to give it admin privileges, such as by approving a UAC prompt even though you didn't know what triggered it (bad idea!), or by running as an admin user all the time without UAC enabled (even worse idea!), or by the malware knowing about and exploiting a "privilege escalation" vulnerability in Windows itself, which would basically be a bug in Windows that allowed a non-admin application to somehow gain admin privileges.  Those types of vulnerabilities are found from time to time, which is why it's important to stay current on Windows updates.

So Image Guardian cannot protect against all threats.  But it does protect against the most common form of ransomware.

To your point about ultimate protection being to have the disk disconnected when not in use, it's true that disconnecting the disk as soon as the backup is complete isn't always practical.  And that's why this ultimate protection is often achieved by having multiple destination disks that you use in rotation, switching them at some interval such as every week or even every day.  That way you can make sure that at least one disk that contains backups is physically offline at all times (even if it's not always the disk that contains the LATEST backup), which in turn means that if you suffer a malware outbreak, there's no way for malware to destroy all of your backups, since some of them simply aren't available to be accessed at all.  The other benefit to a rotation strategy is that by spreading your backups across multiple locations, you protect yourself from other risks such as external hard drive failure.  If your backups are all on one drive and that one dies, you've just lost all of your backups.  And yet another benefit is that you then have the option of taking that offline disk off-site as well, to protect against threats like burglary and natural disaster.  I support a client that has a rotation of 9 destination disks changed on a daily basis, so I can talk more about how to implement this if that's something that interests you.  It's not as complicated to implement as you might think.

Yes, you can use a script to unmount a partition after a backup has been completed, but that's not real protection because the disk is still available to Windows, i.e. it can still be mounted again with the reverse command.  Some malware might not bother to scan for disks that have been unmounted or have had their drive letter removed, but at best that's security by obscurity.

Hopefully this helps you understand what Image Guardian does and doesn't do and plan accordingly. :)

Edited 7 December 2019 1:15 AM by jphughan
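As an added illustration of the drive-letter removal discussed in the question and the reply above (this is not code from either poster, from Macrium, or from Image Guardian), the PowerShell below removes a volume's drive letter once a backup has finished and restores it before the next one. It assumes the backup volume carries the label "BACKUPS", that it is normally reachable as E:, and that the Windows Storage module cmdlets (Get-Volume, Get-Partition, Remove-PartitionAccessPath, Add-PartitionAccessPath) are available; all three are assumptions to adjust for your own setup. As the reply notes, the disk stays attached to Windows either way, so this is convenience and tidiness, not protection.

```powershell
# Added example, not from the forum thread or from Macrium.
# Removes or restores the drive letter of a backup volume located by its label.
# Assumptions: label 'BACKUPS', letter 'E', Storage module cmdlets present.
# Per jphughan's reply above, the disk remains attached and can be re-mounted
# by anything that runs the reverse command, so treat this as housekeeping only.

param(
    [string]$VolumeLabel = 'BACKUPS',      # assumed label of the backup volume
    [string]$DriveLetter = 'E',            # assumed letter used during backups
    [ValidateSet('Mount', 'Dismount')]
    [string]$Action = 'Dismount'           # 'Dismount' after backup, 'Mount' before
)

# Find exactly one partition carrying the labelled volume; refuse to guess if
# the label is missing or ambiguous, so the script never touches the wrong disk.
function Get-BackupPartition {
    param([string]$Label)
    $volumes = @(Get-Volume | Where-Object { $_.FileSystemLabel -eq $Label })
    if ($volumes.Count -ne 1) {
        throw "Expected exactly one volume labelled '$Label', found $($volumes.Count)"
    }
    return $volumes[0] | Get-Partition
}

$part = Get-BackupPartition -Label $VolumeLabel
$accessPath = "${DriveLetter}:\"

switch ($Action) {
    'Dismount' {
        # Drop the letter so the volume no longer shows up under E:\ in Explorer
        # or in tools that simply enumerate drive letters.
        Remove-PartitionAccessPath -DiskNumber $part.DiskNumber `
            -PartitionNumber $part.PartitionNumber -AccessPath $accessPath
        Write-Output "Removed $accessPath from volume '$VolumeLabel'"
    }
    'Mount' {
        # Give the letter back so Reflect can write to its usual destination path.
        Add-PartitionAccessPath -DiskNumber $part.DiskNumber `
            -PartitionNumber $part.PartitionNumber -AccessPath $accessPath
        Write-Output "Restored $accessPath on volume '$VolumeLabel'"
    }
}
```

Run it elevated as `.\BackupVolume.ps1 -Action Mount` before the first partition backup of the night and `-Action Dismount` after the last one; where exactly those two calls are hooked into a backup schedule is left to your own setup. Locating the volume by label rather than by letter is deliberate: letters can shift when USB disks are plugged in a different order, and the script should fail loudly rather than remove the letter from some other drive.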
gfd
Junior Member (91 reputation)
Group: Forum Members
Posts: 44, Visits: 124
Thanks for the education jp.

I do run as admin all the time. However, I have UAC activated, anti-malware is always on, I have a robust router, and if UAC asked me to allow a process to run that I didn't initiate, I would be extremely suspicious.

Thanks again for your help.
GO
