password on GUI or Image Guardian setting


CalgaryAB
New Member
New Member (2 reputation)
Group: Forum Members
Posts: 1, Visits: 1
I am a reseller so have many clients with multiple environments. If one should be hacked by a crypto-ransomware attacker, what can be done to prevent the attacker from opening the program and disabling Image Guardian (resulting access is immediate and doesn't need a reboot)? Am I correct in thinking that password protecting the image files only prevents browsing and restoring from them, not deleting them (which Windows does after an encrypted new file is created)?

Thanks in advance for time and assistance on this.
jphughan
Macrium Evangelist
Macrium Evangelist (5.6K reputation)
Group: Forum Members
Posts: 3.8K, Visits: 28K
You're correct that password-protecting the images only prevents unauthorized access to the CONTENTS of the backup.  It doesn't protect the file itself from deletion, corruption, etc.  As for the question around Image Guardian and malware, someone just asked me about this in a PM, so I'll share the thoughts that I shared with that person.  First off, launching the Reflect application interactively requires elevated privileges, and Windows UAC is specifically built to prevent processes from gaining and using elevated access without explicit user consent -- so that's your first (and best) safeguard.  If your malware were able to exploit some sort of privilege escalation vulnerability/bypass to get around UAC (or the user carelessly approved a UAC prompt even though they don't know where it came from), then Macrium would of course be the best source of info here, but I have to imagine that they have some additional safeguards around Image Guardian "command and control". For example, Macrium has told me that they've built Image Guardian to accept management commands only from Reflect itself, so malware couldn't just talk to Image Guardian directly.  And if I had to guess, I would bet that Macrium deliberately did NOT build an API into Reflect that would allow another application to silently ask Reflect to perform Image Guardian management commands, since why would they need that? In that case, in order for malware to manage Image Guardian, it would need to emulate a real user actually clicking through the graphical interface, which would mean your hypothetical malware would need to be able to interpret what's being displayed on-screen, move the cursor around, click things, etc. -- all likely in full view of a user who will be wondering why his mouse is moving autonomously.

All that said though, technically it was "game over" when your malware gained elevated privileges in the first place, because at that point, although there are certainly techniques that can make things more difficult to achieve, and I believe Macrium is leveraging some, ultimately if something has elevated privileges it can do whatever it wants on the system; it's just a matter of difficulty. Consequently, a password seems a weak security measure, and any security it provided would almost certainly be outweighed by the usability issues it would create for users who will inevitably forget their password, which means you need a password reset mechanism, and that in turn means that your security is only as good as that reset mechanism.

Finally, it's worth pointing out that even Image Guardian can't protect against everything when the threat model involves a malicious process that has elevated privileges.  For example, a process with elevated privileges would be able to format the entire destination disk, or even enable whole disk encryption on it (as some ransomware solutions now use), and Image Guardian wouldn't stop either of those because those operations are not file-level modification operations that Image Guardian is designed to protect against. So while Image Guardian is certainly a welcome feature, it can't protect against everything, so you should not expect it to. The best anti-ransomware solution of all is a disk rotation where you always have at least one backup disk that is physically disconnected so that if ransomware strikes, you're guaranteed to have a disk with intact backups still available -- although at that stage you absolutely shouldn't connect that disk to the PC while the infected OS is running of course, lest that one become infected as well.

Edited 6 July 2018 3:50 AM by jphughan
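The point above that a password on an image protects its contents but not the file itself (deletion, corruption, encryption) can be checked independently of the client. The script below is an added example, not Macrium's code or anything from this thread: it builds a SHA-256 manifest of the image files on a backup store from a host the protected clients cannot reach (the isolated file server, or the rotation disk when it is attached to a clean machine), and a later run reports images that have gone missing or changed. The `.mrimg` suffix is assumed to be Reflect's image extension; paths and the demo's "attack" are constructed for illustration. New files are expected from scheduled backups, so only deletions and modifications count as a failed check.

```python
"""Added example: integrity manifest for backup image files on an isolated store.

A manifest from a known-good run is compared against a fresh scan; deleted or
altered images are reported, which a password on the image cannot tell you.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

IMAGE_SUFFIXES = (".mrimg",)  # assumed Macrium Reflect image suffix


def sha256_of(path: Path, chunk: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so multi-GB images are not read into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root, suffixes=IMAGE_SUFFIXES) -> dict:
    """Map each image file (path relative to root) to its size and SHA-256."""
    root = Path(root)
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in suffixes:
            manifest[p.relative_to(root).as_posix()] = {
                "size": p.stat().st_size,
                "sha256": sha256_of(p),
            }
    return manifest


def save_manifest(manifest: dict, dest) -> None:
    """Persist the baseline; keep this file off the protected clients too."""
    Path(dest).write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(src) -> dict:
    return json.loads(Path(src).read_text())


def compare_manifests(baseline: dict, current: dict) -> dict:
    """Classify differences; deleted and modified images are the ransomware signals."""
    deleted = sorted(set(baseline) - set(current))
    added = sorted(set(current) - set(baseline))
    modified = sorted(
        name for name in set(baseline) & set(current)
        if baseline[name]["sha256"] != current[name]["sha256"]
    )
    return {"deleted": deleted, "modified": modified, "added": added}


def is_intact(diff: dict) -> bool:
    """New images are normal (scheduled backups); deletions or changes are not."""
    return not diff["deleted"] and not diff["modified"]


def demo() -> tuple:
    """Constructed scenario: two images, then one is deleted and one overwritten.

    Returns (baseline manifest, diff) so the outcome can be inspected or tested.
    """
    store = Path(tempfile.mkdtemp(prefix="imgstore_"))  # constructed sample store
    try:
        (store / "pc1-2018-07-06.mrimg").write_bytes(b"\x00" * 4096)
        (store / "pc2-2018-07-06.mrimg").write_bytes(b"\x01" * 4096)
        (store / "readme.txt").write_bytes(b"not an image")  # ignored by suffix
        baseline = build_manifest(store)
        save_manifest(baseline, store / "manifest.json")

        # Simulated damage: one image removed, one overwritten with other bytes,
        # and one new image written by a later scheduled backup.
        (store / "pc1-2018-07-06.mrimg").unlink()
        (store / "pc2-2018-07-06.mrimg").write_bytes(b"\xff" * 4096)
        (store / "pc3-2018-07-07.mrimg").write_bytes(b"\x02" * 4096)

        diff = compare_manifests(load_manifest(store / "manifest.json"),
                                 build_manifest(store))
        return baseline, diff
    finally:
        shutil.rmtree(store, ignore_errors=True)


if __name__ == "__main__":
    base, result = demo()
    print("baseline images:", sorted(base))
    print("diff:", result)
    print("intact:", is_intact(result))
```

In production use, `build_manifest` and `save_manifest` run once after a backup is confirmed good, and a scheduled job later calls `compare_manifests` and alerts when `is_intact` is false; a disk rotated back in can be checked the same way on a clean machine before it is reused.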
Nick
Macrium Representative
Macrium Representative (2.9K reputation)
Group: Administrators
Posts: 1.7K, Visits: 9.1K
CalgaryAB - 6 July 2018 2:16 AM wrote:
I am a reseller so have many clients with multiple environments. If one should be hacked by a crypto-ransomware attacker, what can be done to prevent the attacker from opening the program and disabling Image Guardian (resulting access is immediate and doesn't need a reboot)? Am I correct in thinking that password protecting the image files only prevents browsing and restoring from them, not deleting them (which Windows does after an encrypted new file is created)?
Thanks in advance for time and assistance on this.

Thanks for posting,

In addition to the excellent comments by @jphughan, for extra protection you could consider setting up a locked down share on a MIG protected, and isolated, file server. Other than physically removing backup drives, this solution offers the highest protection against all types of attacks.

See Macrium Image Guardian protecting backups in a networked environment below:

https://knowledgebase.macrium.com/display/KNOW7/_MIG_Overview

Kind Regards

Nick - Macrium Support

Edited 6 July 2018 12:09 PM by Nick