Image Guardian - Which volumes should be protected?


SilkyTP
Junior Member (82 reputation)
Group: Forum Members
Posts: 52, Visits: 171
A couple of days ago, I did a clean install of Windows 10 Pro. I first installed Hyper-V, then I installed MR 8. I have a VM of the old machine created with viBoot from an MR8 disk image. I used the Browse function to mount the old computer, then copied the files from My Documents on the mounted drive to the new machine's My Documents.

Within My Documents was a folder containing 4 File and Folder backups (MRBAK). I elected to copy them to a new external USB HDD using Robocopy, with the intention of deleting the files from the source after the copy operation completed. Three of the four backups copied without incident. The fourth was blocked by IG citing an unauthorized process.

Since I had set robocopy to retry on failure, I opened IG and removed protection from the destination drive. Robocopy then completed the operation. I later re-enabled IG on that drive.

I launched MR in the VM of the old machine to see what my old settings for IG were, but since I wasn't running enhanced mode (which I can't get working), there were no external devices attached on the VM - so I can't see what settings I had. Note: I have not yet ported the old settings to the new machine - I am contemplating whether or not I need to.

All of that brought me to question... Wait - which volumes should IG protect?

The screenshot below shows the settings applied when I installed MR8 automatically. C: drive isn't protected, several USB HDDs are protected, but not all.


Should my boot drive be protected? Or is it only where MR images are located? If I start storing any MR images on the C drive, will IG automatically enable protection on that drive?

Finally, if the robocopy option in IG was checked (enabled) before I executed robocopy, why was one image file blocked by IG, but not the others? Is there anything I should look into?

I just want to make sure I understand enough to avoid issues in the future. With that in mind, any guidance would be appreciated.

EDIT: I just realized that this is in the MR7 forum, not the MR8. If I should do something to correct it, let me know.


Edited 17 June 2021 9:09 PM by SilkyTP
dbminter
Most Valuable Professional (4.1K reputation)
Group: Forum Members
Posts: 2.8K, Visits: 26K
You can probably get by by not enabling Image Guardian on your C: Windows partition because you should avoid putting Reflect images there.  For instance, you can't save Windows partition backups to that drive because your source and target can't be the same.  You could save all your other images on the C: Windows partition, but then your subsequent Windows backups will get progressively larger because image files generally take up a lot of space.


Ideally, you should only have Windows and your installed apps on the C: Windows partition.  If you can, avoid using Documents whenever possible to keep the size of Windows down.  This will reduce image file size and backup time.  So, if you keep photos and video files out of Documents, that will greatly reduce the size of the Windows partition backup.

jphughan
Macrium Evangelist (15K reputation)
Group: Forum Members
Posts: 10K, Visits: 64K
In general, Image Guardian should be enabled on any volumes where you are storing Reflect backups.  If you store backups on your C partition, perhaps F&F backups of certain folders, then you may want to enable Image Guardian there.  If not, then it would serve no benefit.

Under Other Tasks > Image Guardian Settings, there's an option that reads "Automatically protect Reflect local backup drives".  If that is enabled, then any time you send a backup to a volume that does not currently have Image Guardian enabled but that CAN have Image Guardian enabled, then Image Guardian will be enabled on it.  If you want to be able to send backups directly from Reflect to a volume while keeping Image Guardian disabled on that volume, you should disable that option.  You would still be able to enable or disable Image Guardian on a per-volume basis manually under the Create Backups tab by selecting the volume of interest, clicking "Actions" under it, and toggling it as desired.

Image Guardian only allows Robocopy to modify or delete Reflect backup files if certain conditions are met.  Those conditions are detailed in the Image Guardian KB article here.

Hyper-V Enhanced Session Mode requires the guest to be running a Pro or better version of Windows 8 or newer, and I believe you also need a password on the account you're using because Enhanced Session Mode uses Remote Desktop Protocol and creates an RDP session, even though it doesn't actually require a network path between the host and the guest, and by default I think Windows prevents accounts that have blank passwords from logging in remotely.

Edited 17 June 2021 11:29 PM by jphughan
capair45
Expert (995 reputation)
Group: Forum Members
Posts: 664, Visits: 8.4K
Here are some notes I have on MIG which may or may not be helpful (or repetitive):

MIG prevents unauthorized access (e.g. ransomware) to certain backup files created by Reflect. MIG is not designed to prevent the contents of your backups from being read, maliciously or otherwise.

MIG is installed by default with a licensed version of Reflect. It is not available in the free version. Once installed, it can be uninstalled or reinstalled through Settings and modifying the installation.

MIG is available on versions 7.1 and later and protects specific files on NTFS volumes.

MIG protects files with the following extensions: mrimg, mrbak, mrex, mrsql. These file types can be accessed by Reflect but all other processes attempting to modify existing backup files will be denied access (RoboCopy excluded). Reflect will post a message if unauthorized access is attempted.

MIG can be turned on or off temporarily from the Other Tasks menu. Additionally, it can be turned off by clicking on an NTFS volume in Reflect's main window and accessing the Actions drop-down menu. When the PC is restarted, Image Guardian will be re-enabled on all backup drives. This prevents accidentally leaving your drives unprotected by manually turning protection off. Additionally, MIG can be enabled/disabled on specific volumes by Other Tasks > MIG Settings > Volumes Tab.

A MIG protected volume can be identified by a circle with two blue arrows inside the circle. You can mouse-over this icon to see the current status of MIG.

Image Guardian only blocks file-level access. It will not stop ransomware from encrypting or formatting the drive. However, those processes require admin-level privileges and most ransomware typically does not operate at that privilege level.

You can review MIG events by accessing the Events tab from Other Tasks > Macrium Image Guardian Settings.



Windows 10 Home (21H1)  Build 19043.1052
Macrium Reflect 8.0.5994
Windows Defender
Malwarebytes Premium 4.4.2


SilkyTP
Junior Member (82 reputation)
Group: Forum Members
Posts: 52, Visits: 171
jphughan - 17 June 2021 11:24 PM
In general, Image Guardian should be enabled on any volumes where you are storing Reflect backups.  If you store backups on your C partition, perhaps F&F backups of certain folders, then you may want to enable Image Guardian there.  If not, then it would serve no benefit.

Under Other Tasks > Image Guardian Settings, there's an option that reads "Automatically protect Reflect local backup drives".  If that is enabled, then any time you send a backup to a volume that does not currently have Image Guardian enabled but that CAN have Image Guardian enabled, then Image Guardian will be enabled on it.  If you want to be able to send backups directly from Reflect to a volume while keeping Image Guardian disabled on that volume, you should disable that option.  You would still be able to enable or disable Image Guardian on a per-volume basis manually under the Create Backups tab by selecting the volume of interest, clicking "Actions" under it, and toggling it as desired.

Image Guardian only allows Robocopy to modify or delete Reflect backup files if certain conditions are met.  Those conditions are detailed in the Image Guardian KB article here.

Hyper-V Enhanced Session Mode requires the guest to be running a Pro or better version of Windows 8 or newer, and I believe you also need a password on the account you're using because Enhanced Session Mode uses Remote Desktop Protocol and creates an RDP session, even though it doesn't actually require a network path between the host and the guest, and by default I think Windows prevents accounts that have blank passwords from logging in remotely.

Thanks for that - it is the information I wanted. Great job.

For the sake of clarity, I used to make F&F backups of a couple of precious folders that reside on an external USB HDD - it's a "seasoned" drive. At the time I was backing up those folders to my C: drive so that my daily backup on the machine would serve as a sort of backup in the event the drive died. Later, I decided to just move them from C: to another reliable location. That's where the issue arose.

In regards to robocopy, I used a /copyall switch with no deleting of the source - as I say, three other images were copied without incident. So I can't conclude that there was an issue with how robocopy was executed. That said, for the time being, I'll just be aware that it could happen, and pay meticulous attention to robocopy switches.

In summary, thank you, thank you, thank you, I can put this to bed for now.


jphughan
Macrium Evangelist (15K reputation)
Group: Forum Members
Posts: 10K, Visits: 64K
Happy to help! To be clear though, Image Guardian wouldn’t prevent Robocopy or anything else from copying brand new images onto a protected drive. But unless your scenario fits within the Robocopy rules, it will definitely prevent you from overwriting existing backups with newer versions of them, as can occur in strategies that involve Incremental consolidation or Synthetic Fulls. If that doesn’t account for your issue, then you’d need to share more details about what you’re doing.
Edited 18 June 2021 2:46 AM by jphughan
SilkyTP
Junior Member (82 reputation)
Group: Forum Members
Posts: 52, Visits: 171
jphughan - 18 June 2021 2:45 AM
Happy to help! To be clear though, Image Guardian wouldn’t prevent Robocopy or anything else from copying brand new images onto a protected drive. But unless your scenario fits within the Robocopy rules, it will definitely prevent you from overwriting existing backups with newer versions of them, as can occur in strategies that involve Incremental consolidation or Synthetic Fulls. If that doesn’t account for your issue, then you’d need to share more details about what you’re doing.

As it relates to "more details", as I said, the goal was to copy the four files in a folder on the C: drive to a folder on an external USB HDD. Once copied successfully, my intention was to delete them from the C: drive to free up some space and better organize backup images. The destination folder was empty prior to the copy operation.

To accomplish said goal, I used robocopy with the params in the second image below. That's when I encountered the error.

I have a hard time agreeing with your statement that:
Image Guardian wouldn’t prevent Robocopy or anything else from copying brand new images onto a protected drive


Here's the IG Event log:

And here's the robocopy log including the command parameters used:


Of note is the fact that three of the four image files copied successfully before an error was encountered. Once I received the popup from Image Guardian, I quickly disabled the protection on all drives, then robocopy retried and succeeded.

The way I interpret the data above is that there was nothing wrong with the copy method (robocopy params) since the other files copied successfully. Further, the popup notification in Windows (I didn't do a screencap) was from Image Guardian.

So given all of that, what information might you be able to provide as a case against Image Guardian blocking a copy operation onto a protected drive, from a non-protected drive?

Edited 18 June 2021 7:57 PM by SilkyTP
jphughan
Macrium Evangelist (15K reputation)
Group: Forum Members
Posts: 10K, Visits: 64K
Based on the log, it appears that the Full backup ending in 00-00 was copied first, then other files were copied, and THEN Robocopy came back to the destination copies afterward and tried to modify NTFS security info on them, starting with that Full.  At that point, Image Guardian correctly treated that as an attempted modification to an existing file.  So what I said was accurate: Image Guardian won't prevent you from copying new files to a destination.  But if you try to alter them after the file is initially written, it will prevent that.  Your Robocopy command included parameters that aren't covered by the Image Guardian KB article I gave you, and in general, you don't really need or want to copy NTFS permissions from files on one volume to files on another unless you have a specific reason for doing so, like having defined custom/non-inheriting NTFS permissions on the files in question.  If you didn't do that, then you could've omitted that portion of your command and you'd have been fine.

Edited 18 June 2021 8:17 PM by jphughan
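
Added example (not part of the original thread or Macrium's documentation): a PowerShell script for the copy-then-verify workflow discussed above, using robocopy's default `/COPY:DAT` rather than `/COPYALL` so that no NTFS security info is written to the destination files after their data has been copied. The folder paths are placeholders; whether a given command meets Image Guardian's Robocopy conditions is still governed by the KB article referenced in the thread.

```powershell
# Added example. $Source and $Destination are placeholder paths (assumptions).
$Source      = 'C:\Users\Example\Documents\Backups'   # folder holding the backups to move
$Destination = 'E:\ReflectBackups'                    # folder on the Image Guardian protected volume
$Patterns    = '*.mrimg', '*.mrbak'                   # Reflect backup extensions named in the thread

# /COPY:DAT copies Data, Attributes and Timestamps only (robocopy's default).
# /COPYALL is shorthand for /COPY:DATSOU, which also writes Security (ACLs),
# Owner and aUditing info to the destination file once its data is in place.
# /R and /W bound the retries so a blocked file does not retry indefinitely.
$roboArgs = @($Source, $Destination) + $Patterns + @('/COPY:DAT', '/R:2', '/W:5', '/NP')
& robocopy.exe @roboArgs
$rc = $LASTEXITCODE

# Robocopy exit codes are a bitmask; a value of 8 or higher means at least
# one file or directory could not be copied.
if ($rc -ge 8) {
    Write-Error "robocopy reported failures (exit code $rc); source files left in place."
    return
}

# Compare the SHA-256 hash of every source backup with its copy. Only files
# reported as Verified should be considered for removal from the source.
$results = foreach ($file in Get-ChildItem -Path (Join-Path $Source '*') -File -Include $Patterns) {
    $copy  = Join-Path $Destination $file.Name
    $match = (Test-Path -LiteralPath $copy) -and
             ((Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash -eq
              (Get-FileHash -LiteralPath $copy -Algorithm SHA256).Hash)
    [pscustomobject]@{ File = $file.Name; Verified = $match }
}

$results | Format-Table -AutoSize
```

The script only reports verification status and does not delete anything from the source folder.
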
SilkyTP
Junior Member (82 reputation)
Group: Forum Members
Posts: 52, Visits: 171
jphughan - 18 June 2021 8:16 PM
Based on the log, it appears that the Full backup ending in 00-00 was copied first, then other files were copied, and THEN Robocopy came back to the destination copies afterward and tried to modify NTFS security info on them, starting with that Full.  At that point, Image Guardian correctly treated that as an attempted modification to an existing file.  So what I said was accurate: Image Guardian won't prevent you from copying new files to a destination.  But if you try to alter them after the file is initially written, it will prevent that.  Your Robocopy command included parameters that aren't covered by the Image Guardian KB article I gave you, and in general, you don't really need or want to copy NTFS permissions from files on one volume to files on another unless you have a specific reason for doing so, like having defined custom/non-inheriting NTFS permissions on the files in question.  If you didn't do that, then you could've omitted that portion of your command and you'd have been fine.

Okay. That makes sense. I appreciate the thought you put into it and in replying.
Thanks a ton.

I have to say... I can't recommend a clean install of Windows 10 Pro routinely, but it's forced me to learn a whole lot more about various applications like Hyper-V and MR. When I first got my PC in 2019, I foolishly rushed to Acronis - that proved to be... unsuccessful. Then I went to MR and haven't looked back since. Love the thought put into the myriad of backup strategies possible with it.

Thanks again M8.

jphughan
Macrium Evangelist (15K reputation)
Group: Forum Members
Posts: 10K, Visits: 64K
Happy to help!  These days I pretty much only do clean installs on brand new systems.  Back in the XP days I was doing them every 8-12 months just to keep the system running reasonably well, but those days are long gone.  But one thing I do is keep a list of items to address right off the bat on a clean install, simply so I can work down a checklist to set things the way I want right away rather than forgetting them and discovering what I forgot over the next several days.  Enjoy your new setup!
