MIG protecting a drive


pctutor
New Member (23 reputation)
Group: Forum Members
Posts: 17, Visits: 46
For a long time, I've been recommending that my clients using the MR Free version plug in their backup drive at night, so the image backup happens overnight, then they unplug the drive the next morning so that it's not connected during the day while they're using the computer.
Since some people cannot remember to connect the drive at night, they might go without a current backup for a while. Therefore, I am considering changing my recommendation to the paid version of MR, which would include MIG protection, and having them leave the drive connected all the time.

These people are average, "non-techy" residential computer users. Is there any scenario where their data could still be damaged or encrypted by ransomware? Such as ransomware encrypting the entire backup drive, rather than just the MR image files?
If there are other (non Macrium) files on that drive, such as pictures, is there an easy way to protect that from ransomware also?

Thanks -
capair45
Expert (721 reputation)
Group: Forum Members
Posts: 464, Visits: 5.9K
MIG protects files with the following extensions: mrimg, mrbak, mrex, mrsql. These file types can be accessed by Reflect but will be blocked by all other applications which are considered untrusted. Reflect will post a message if unauthorized access is attempted.  Having said that, I believe I've read here in the forum that ransomware "could" encrypt the drive itself (someone please correct me if I'm wrong).

I have several sets of backup disks which I rotate through on a schedule.  There is only one backup disk (also MIG protected) that is attached full time that could be encrypted.  Disk rotation offers more protection.

I'm sure others will be along to add to this.


Windows 10 Home (20H2)
Macrium Reflect 7.3.5321
Windows Defender
Malwarebytes Premium 4.2.3


pctutor
New Member (23 reputation)
Group: Forum Members
Posts: 17, Visits: 46
capair45 - 5 October 2020 1:12 PM
MIG protects files with the following extensions: mrimg, mrbak, mrex, mrsql. These file types can be accessed by Reflect but will be blocked by all other applications which are considered untrusted. Reflect will post a message if unauthorized access is attempted.  Having said that, I believe I've read here in the forum that ransomware "could" encrypt the drive itself (someone please correct me if I'm wrong).

I have several sets of backup disks which I rotate through on a schedule.  There is only one backup disk (also MIG protected) that is attached full time that could be encrypted.  Disk rotation offers more protection.

I'm sure others will be along to add to this.

Thanks. If it is true that the backup drive itself could be encrypted by ransomware, that seems like a complete deal killer. The criminals are still achieving their purpose by blocking you from accessing your data unless you pay for their key.
jphughan
Macrium Evangelist (11K reputation)
Group: Forum Members
Posts: 7.9K, Visits: 55K
@pctutor Take a look at this thread, particularly my answer in it.  MIG isn't going to insure you against all possible scenarios -- the best protection remains having a disk rotation where at least one disk is always physically offline -- but that's hardly a "deal killer".  It's still a great deal better than nothing at all.  And the limitations of Image Guardian might become a bit more "understandable" to you when you realize the most common threat model.

Image Guardian does not protect any non-Macrium files.  And that too has its advantages because it means it's feasible for Macrium to implement a whitelist approach rather than a blacklist approach as most AV does.  That in turn makes it vastly BETTER at protecting Reflect files than it would otherwise be -- but it also means that its scope has to be narrower.  Applying a whitelist approach to everyday files would be a bit impractical.  Take a look at my answer in this thread for more on that.

Edited 5 October 2020 2:03 PM by jphughan
pctutor
New Member (23 reputation)
Group: Forum Members
Posts: 17, Visits: 46
jphughan - 5 October 2020 2:00 PM
@pctutor Take a look at this thread, particularly my answer in it.  MIG isn't going to insure you against all possible scenarios -- the best protection remains having a disk rotation where at least one disk is always physically offline -- but that's hardly a "deal killer".  It's still a great deal better than nothing at all.  And the limitations of Image Guardian might become a bit more "understandable" to you when you realize the most common threat model.

Thanks. My purpose in investigating the limits of MIG isn't to make sure it covers all possible scenarios. I just wanted to see if it was a viable alternative to having my clients have to remember to plug in their backup drive at night, and unplug it in the morning before they start using the computer. Just seeing if we could take the "human fallibility" factor out of the equation, so that the backup would happen overnight even if they forgot to connect the drive, since it would always be connected. But if ransomware can still encrypt the entire drive, leaving it connected all the time is not a solution. I know they can rotate drives out but that's even more to remember than plugging it in at night.
In fact, from the criminal's standpoint, it would make more sense to have the ransomware encrypt the whole drive rather than choosing certain files stored on the drive. Leaving the drive connected still puts all the files on that drive at risk, so I can't recommend that for my clients. Thanks for the input.
jphughan
Macrium Evangelist (11K reputation)
Group: Forum Members
Posts: 7.9K, Visits: 55K
Encrypting the entire drive requires ransomware with admin privileges, which many ransomware scenarios will not include.  But if you're currently in the practice of having the backup destination disk only connected when it's actually needed for a backup, then neither Image Guardian nor any other software solution should be seen as a replacement for the level of security that offers.  Ultimately ANY software you might install is still software that is subject to modification by admin-level privileges, so if your attacker has admin-level privileges, then it's sort of game over anyway.  By comparison, if a disk is physically offline, then no sort of software can get to it.  Even if you don't have your current "connect the disk at night, disconnect it in the morning" routine for security reasons, it's delivering security benefits, and I would discourage you from backing down on that.

But one option to split the difference would be to have a weekly rotation.  That way they'd only need to remember to swap disks once per week, rather than connecting and disconnecting a disk every night and morning.  And in that case it's feasible to keep a disk connected all the time since you'll always have another disk that's completely offline.  Of course if something happened to the connected disk, then the newest backup on the offline disk might be up to a week old, but that's far better than nothing.  And Image Guardian would then be worth considering for protecting whichever disk is online at any given time in order to minimize the chances of even having to restore from a potentially week-old backup on an offline disk.  And distributing your backups across multiple disks also helps protect against other problem scenarios, like hardware failure, which today would result in the loss of ALL of your backups unless you're already replicating them elsewhere.

The bottom line is that this scenario gives you: a) reduced user effort, i.e. weekly rather than daily, b) better protection for your backups overall against both ransomware and other eventualities, due to always having an offline disk, and c) better protection for the online disk than you have today.  Not a bad deal given that the only requirements are buying one additional disk and a paid Reflect license.

Edited 5 October 2020 2:50 PM by jphughan
pctutor
New Member (23 reputation)
Group: Forum Members
Posts: 17, Visits: 46
jphughan - 5 October 2020 2:48 PM
Encrypting the entire drive requires ransomware with admin privileges, which many ransomware scenarios will not include.  But if you're currently in the practice of having the backup destination disk only connected when it's actually needed for a backup, then neither Image Guardian nor any other software solution should be seen as a replacement for the level of security that offers.  Ultimately ANY software you might install is still software that is subject to modification by admin-level privileges, so if your attacker has admin-level privileges, then it's sort of game over anyway.  By comparison, if a disk is physically offline, then no sort of software can get to it.  Even if you don't have your current "connect the disk at night, disconnect it in the morning" routine for security reasons, it's delivering security benefits, and I would discourage you from backing down on that.

But one option to split the difference would be to have a weekly rotation.  That way they'd only need to remember to swap disks once per week, rather than connecting and disconnecting a disk every night and morning.  And in that case it's feasible to keep a disk connected all the time since you'll always have another disk that's completely offline.  Of course if something happened to the connected disk, then the newest backup on the offline disk might be up to a week old, but that's far better than nothing.  And Image Guardian would then be worth considering for protecting whichever disk is online at any given time in order to minimize the chances of even having to restore from a potentially week-old backup on an offline disk.  And distributing your backups across multiple disks also helps protect against other problem scenarios, like hardware failure, which today would result in the loss of ALL of your backups unless you're already replicating them elsewhere.

The bottom line is that this scenario gives you: a) reduced user effort, i.e. weekly rather than daily, b) better protection for your backups overall against both ransomware and other eventualities, due to always having an offline disk, and c) better protection for the online disk than you have today.  Not a bad deal given that the only requirements are buying one additional disk and a paid Reflect license.

Thanks again - I do think my current recommended practice of "plug in at night, unplug in the morning" is pretty safe, but it depends on two things:
1. the user has to remember to do it
2. if the ransomware is smart enough to not take any action until the middle of the night, that's when the backup drive IS connected, and the files could get encrypted anyway. But that's unlikely, and we're planning for as many scenarios as reasonably possible anyway.
Also, speaking from my own experience, I've found that it's easier to remember to plug it in if I do it every night, rather than once a week. That way it's just part of the nightly routine and it's the same thing every time.
jphughan
Macrium Evangelist (11K reputation)
Group: Forum Members
Posts: 7.9K, Visits: 55K
There is absolutely "opportunistic" ransomware that will encrypt files on newly attached devices as they become available.  Yes, that might still cause your source data to be encrypted, but Image Guardian stands a good chance of being able to prevent the ransomware from doing that to your Reflect backups.  Stated differently, even if that night's backup will be useless because the ransomware will have already encrypted the source data, Image Guardian may well prevent the ransomware from encrypting your PREVIOUS backups that are already on that disk, which you would presumably want to have available to recover from in this scenario.

As for forgetfulness, I addressed this at a client where there are daily disk rotations by writing a simple PowerShell script that runs every weekday on the server and checks the attached disk.  If it's the wrong disk for that day or there's no disk at all, then the script sends an email to the person responsible for managing the disk rotation to advise them of the issue.  I set the script to run at 4:30 PM each weekday, shortly before that person leaves the office.  It's helped a great deal.

Edited 5 October 2020 4:09 PM by jphughan
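The daily rotation check described above, written out as an added example (this is not jphughan's script). It assumes each rotation disk carries a volume label naming its weekday, and uses placeholder SMTP settings and addresses; schedule it with Task Scheduler for late afternoon on weekdays.

```powershell
# Added example, not the thread author's script: verify that the backup disk
# attached today is the one the rotation expects, and email the rotation owner
# if no disk or the wrong disk is present. Labels, SMTP host and addresses are
# assumed placeholders; adjust them to the site.

# Rotation schedule: expected volume label per weekday (assumption)
$Schedule = @{
    Monday    = 'BACKUP-MON'
    Tuesday   = 'BACKUP-TUE'
    Wednesday = 'BACKUP-WED'
    Thursday  = 'BACKUP-THU'
    Friday    = 'BACKUP-FRI'
}
$Recipient  = 'rotation-owner@example.com'   # placeholder
$SmtpServer = 'smtp.example.com'             # placeholder
$Sender     = 'backup-check@example.com'     # placeholder

function Get-RotationStatus {
    param([string]$Today = (Get-Date).DayOfWeek.ToString())

    $expected = $Schedule[$Today]
    if (-not $expected) {
        return [pscustomobject]@{ Ok = $true; Message = "No rotation scheduled for $Today." }
    }

    # Consider only volumes whose label belongs to the rotation set
    $attached = Get-Volume | Where-Object {
        $_.FileSystemLabel -and ($Schedule.Values -contains $_.FileSystemLabel)
    }
    $labels = @($attached | ForEach-Object { $_.FileSystemLabel })

    if ($labels.Count -eq 0) {
        return [pscustomobject]@{ Ok = $false
            Message = "No backup disk is attached. Expected '$expected' for $Today." }
    }
    if ($labels -notcontains $expected) {
        return [pscustomobject]@{ Ok = $false
            Message = "Wrong backup disk attached ($($labels -join ', ')). Expected '$expected' for $Today." }
    }
    return [pscustomobject]@{ Ok = $true; Message = "Correct backup disk '$expected' is attached." }
}

$status = Get-RotationStatus
if (-not $status.Ok) {
    # Only the problem case generates mail; the person then has time to swap disks
    Send-MailMessage -To $Recipient -From $Sender -SmtpServer $SmtpServer `
        -Subject "Backup disk rotation problem on $env:COMPUTERNAME" -Body $status.Message
}
```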
pctutor
New Member (23 reputation)
Group: Forum Members
Posts: 17, Visits: 46
jphughan - 5 October 2020 4:00 PM
There is absolutely "opportunistic" ransomware that will encrypt files on newly attached devices as they become available.  Yes, that might still cause your source data to be encrypted, but Image Guardian stands a good chance of being able to prevent the ransomware from doing that to your Reflect backups.  Stated differently, even if that night's backup will be useless because the ransomware will have already encrypted the source data, Image Guardian may well prevent the ransomware from encrypting your PREVIOUS backups that are already on that disk when that disk is attached that night.

As for forgetfulness, I addressed this at a client where there are daily disk rotations by writing a simple PowerShell script that runs every weekday on the server and checks the attached disk.  If it's the wrong disk for that day or there's no disk at all, then the script sends an email to the person responsible for managing the disk rotation telling them.  I set the script to run at 4:30 PM each weekday, shortly before that person leaves the office.  It's helped a great deal.

Considering the possibility of opportunistic ransomware, I do like the idea that MIG at least offers another layer of protection, even if it doesn't stop the entire drive from being encrypted. Definitely going to consider that. And if we do implement that, I would also enable email notifications from within MR to advise the client if there was a problem with the backup.

jphughan
Macrium Evangelist (11K reputation)
Group: Forum Members
Posts: 7.9K, Visits: 55K
pctutor - 5 October 2020 4:09 PM
Considering the possibility of opportunistic ransomware, I do like the idea that MIG at least offers another layer of protection, even if it doesn't stop the entire drive from being encrypted. Definitely going to consider that. And if we do implement that, I would also enable email notifications from within MR to advise the client if there was a problem with the backup.

That's my perspective.  MIG isn't a panacea, but it's a helpful additional layer of protection that isn't all that expensive even if you don't care about any other features you gain with paid Reflect.  (Although Rapid Delta Restore is a killer feature too.)  For email notifications within Reflect, be careful about only enabling email alerts for problems.  That's always the tempting setup to avoid "spam" caused by success emails, but the assumption that "lack of email means everything is working" is a dangerous one, because there are all sorts of scenarios where backups can be failing or not occurring at all WITHOUT you getting any emails about it.  Several users on this very forum have reported being caught out by this, in some cases going several WEEKS without getting any backups because they only had email alerts set up for problem conditions and on that basis stopped bothering to check the logs on a regular basis.  As a few examples of ways you can end up with no backups and no emails:
  • A variety of possible Windows Task Scheduler problems that can cause Reflect not to be launched in the first place.
  • Moving/deleting the backup definition XML file, in which case the job will fail because Reflect won't know what job you want it to run, but since the XML file is ALSO what specifies the email notification settings, Reflect won't know to send emails about this either.
  • Problems with actually sending the email itself, e.g. due to a provider-side change and/or some block they incorrectly implemented due to suspicious activity or something.  In this case, Reflect is trying to send alert emails but they're not getting through.
Of course success emails will generate a lot more emails overall, which is why I tend to set up a mailbox filter for the recipients that redirects success emails to a subfolder.  That keeps these emails out of their "main" email, and then I just tell them to occasionally check that folder to confirm that they're seeing positive confirmation of successful backups.  But that of course depends on whether your users would have the discipline to check that folder.
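One way to get the positive confirmation jphughan describes without depending on Reflect's own notification path, as an added example that is not from the thread: a separate scheduled task looks at the newest Reflect backup file on the destination and always sends a result, so a job that never launched, a moved definition file, or a blocked alert mail still shows up as a stale or missing backup. The destination folder, age limit and mail settings are assumed placeholders; the mrimg and mrbak extensions are the ones named earlier in the thread.

```powershell
# Added example, not from the thread: independent backup freshness check that
# always reports, so "no email" can never be mistaken for "backup succeeded".
# Destination path, threshold and SMTP settings are assumed placeholders.

$BackupRoot  = 'E:\Reflect'                 # placeholder destination folder
$MaxAgeHours = 36                           # nightly schedule plus some slack
$Extensions  = '*.mrimg', '*.mrbak'         # Reflect image / file-and-folder backups
$Recipient   = 'client@example.com'         # placeholder
$SmtpServer  = 'smtp.example.com'           # placeholder
$Sender      = 'backup-check@example.com'   # placeholder

function Get-BackupFreshness {
    param([string]$Root, [int]$MaxHours, [string[]]$Include)

    # Destination missing usually means the disk was not connected
    if (-not (Test-Path -LiteralPath $Root)) {
        return [pscustomobject]@{ Ok = $false
            Message = "Backup destination '$Root' is not available (disk not attached?)." }
    }
    $newest = Get-ChildItem -LiteralPath $Root -Recurse -File -Include $Include |
              Sort-Object LastWriteTime -Descending | Select-Object -First 1
    if (-not $newest) {
        return [pscustomobject]@{ Ok = $false; Message = "No Reflect backup files found under '$Root'." }
    }
    $age = (Get-Date) - $newest.LastWriteTime
    if ($age.TotalHours -gt $MaxHours) {
        return [pscustomobject]@{ Ok = $false
            Message = "Newest backup '$($newest.Name)' is $([int]$age.TotalHours) hours old (limit $MaxHours)." }
    }
    return [pscustomobject]@{ Ok = $true
        Message = "Newest backup '$($newest.Name)' written $($newest.LastWriteTime)." }
}

$status = Get-BackupFreshness -Root $BackupRoot -MaxHours $MaxAgeHours -Include $Extensions

# Send on every run; a fixed subject prefix lets a mailbox rule file the OK messages
# into a subfolder, as suggested above, while problems stay in the main inbox.
$subject = if ($status.Ok) { "[Backup OK] $env:COMPUTERNAME" } else { "[Backup PROBLEM] $env:COMPUTERNAME" }
Send-MailMessage -To $Recipient -From $Sender -SmtpServer $SmtpServer -Subject $subject -Body $status.Message
```

If this check itself stops running, the absence of the daily "[Backup OK]" message is the signal, which is exactly the positive-confirmation habit the post recommends.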
