There's a very nice KB article about Image Guardian here, but essentially Image Guardian looks for files with extensions corresponding to Macrium backup files (mrbak, mrimg, mrex, and mrsql). For files with those extensions that reside on volumes that Image Guardian is protecting, only Macrium applications such as Reflect and its standalone Consolidate.exe application are considered trusted and will therefore be able to modify or delete those files. (By default, Robocopy will also be allowed to do so, but only when certain conditions are met.) All other applications are categorically NOT trusted and therefore will be blocked from modifying or deleting files with those extensions on protected volumes. This includes the user attempting to modify, delete, or move backup files within Windows Explorer. (If you need to do that at some point, just temporarily disable Image Guardian, although deleting backups is better to do within Reflect anyway.)
From a security standpoint, this approach is a far superior model compared to anti-virus, which tends to assume activity is trustworthy unless it has a reason to suspect otherwise. General purpose anti-virus pretty much HAS to operate that way, since otherwise it would generate too many false positives and become so burdensome that users would probably just turn it off -- but the downside of course is that malicious applications that aren't identified as malicious can sometimes get through. But since Image Guardian is ONLY focused on protecting Macrium backup files, and ONLY Macrium applications should be modifying or deleting them in the first place, it can "afford" to take the much less flexible but much harder line and safer approach that I've just described.
I will add that Image Guardian will be less helpful protecting against malware that has admin-level privileges, or gains them by exploiting a privilege escalation vulnerability. In that case, malware could format the entire volume where your backups are stored. Since that is a volume-level operation rather than a file-level operation, Image Guardian would not stop that. However:
- If malware has admin-level privileges, then it's sort of game over anyway.
- Ransomware tends NOT to operate with admin-level privileges because it doesn't NEED them to do its damage. That's the insidious thing about ransomware. It's "just" modifying files in non-privileged locations like your Documents folder and your external hard drives, which doesn't require admin privileges -- but that can of course still do a lot of practical damage in terms of destroying valuable data. But this means that Image Guardian can still protect against the typical scenario of non-privileged ransomware.
- Ransomware typically would not WANT to actually destroy your data by formatting your entire drive, since in that case there's nothing for the bad guys to hold for ransom in the hopes that you'll pay them.
Still, the best protection against a ransomware attack is to make sure that you always have some backups offline, i.e. on a drive that is physically disconnected from your PC. Ransomware can't attack data that isn't available for access in the first place.
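A simplified model of the two policies compared in the post above, added here as an example; it is not Macrium's code and not part of the original post. The process name `reflect.exe`, the protected volume `E:`, the signature list and the sample operations are constructed assumptions, and the Robocopy exception is left out because the post does not give its conditions.

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath

PROTECTED_EXTS = {".mrbak", ".mrimg", ".mrex", ".mrsql"}  # from the post
TRUSTED = {"reflect.exe", "consolidate.exe"}  # "reflect.exe" is an assumed name
PROTECTED_VOLUMES = {"E:"}                    # constructed
KNOWN_BAD = {"oldlocker.exe"}                 # constructed signature list
MODIFYING = {"write", "delete", "move"}

@dataclass(frozen=True)
class Op:
    process: str
    action: str   # "write", "delete", "move", "read" or "format_volume"
    target: str   # file path, or a volume such as "E:" for format_volume

def allowlist_verdict(op: Op) -> str:
    """Default-deny: only trusted processes may change protected backup files."""
    if op.action == "format_volume":
        return "not_seen"   # volume-level operation, outside a file-level check
    path = PureWindowsPath(op.target)
    protected = (path.drive.upper() in PROTECTED_VOLUMES
                 and path.suffix.lower() in PROTECTED_EXTS)
    if not protected or op.action not in MODIFYING:
        return "allow"
    return "allow" if op.process.lower() in TRUSTED else "block"

def denylist_verdict(op: Op) -> str:
    """Default-allow: block only processes already identified as malicious."""
    return "block" if op.process.lower() in KNOWN_BAD else "allow"

# Constructed sample operations.
SAMPLE_OPS = [
    Op("Consolidate.exe", "delete", r"E:\Backups\inc-01.mrimg"),
    Op("explorer.exe", "move", r"E:\Backups\full.mrimg"),
    Op("oldlocker.exe", "write", r"E:\Backups\full.mrimg"),
    Op("newlocker.exe", "write", r"E:\Backups\full.mrimg"),
    Op("newlocker.exe", "write", r"E:\Docs\report.docx"),
    Op("newlocker.exe", "format_volume", "E:"),
]

def compare(ops):
    """Return (process, action, allowlist verdict, denylist verdict) per op."""
    return [(o.process, o.action, allowlist_verdict(o), denylist_verdict(o))
            for o in ops]

if __name__ == "__main__":
    for row in compare(SAMPLE_OPS):
        print("{:16} {:14} allowlist={:9} denylist={}".format(*row))
```

The unrecognised `newlocker.exe` is where the two models diverge: the default-allow check lets it write to the backup, the default-deny check blocks it, and neither covers the non-backup document or the volume format.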