You're correct that password-protecting the images only prevents unauthorized access to the CONTENTS of the backup. It doesn't protect the file itself from deletion, corruption, etc. As for the question around Image Guardian and malware, someone just asked me about this in a PM, so I'll share the thoughts that I shared with that person. First off, launching the Reflect application interactively requires elevated privileges, and Windows UAC is specifically built to prevent processes from gaining and using elevated access without explicit user consent -- so that's your first (and best) safeguard. If your malware were able to exploit some sort of privilege escalation vulnerability/bypass to get around UAC (or the user carelessly approved a UAC prompt even though they don't know where it came from), then Macrium would of course be the best source of info here, but I have to imagine that they have some additional safeguards around Image Guardian "command and control". For example, Macrium has told me that they've built Image Guardian to accept management commands only from Reflect itself, so malware couldn't just talk to Image Guardian directly. And if I had to guess, I would bet that Macrium deliberately did NOT build an API into Reflect that would allow another application to silently ask Reflect to perform Image Guardian management commands, since why would they need that? In that case, in order for malware to manage Image Guardian, it would need to emulate a real user actually clicking through the graphical interface, which would mean your hypothetical malware would need to be able to interpret what's being displayed on-screen, move the cursor around, click things, etc. -- all likely in full view of a user who will be wondering why his mouse is moving autonomously.
All that said though, technically it was "game over" when your malware gained elevated privileges in the first place. At that point, although there are certainly techniques that can make things more difficult to achieve, and I believe Macrium is leveraging some, ultimately if something has elevated privileges it can do whatever it wants on the system; it's just a matter of difficulty. Consequently, a password seems a weak security measure, and any security it provided would almost certainly be outweighed by the usability issues it would create for users who will inevitably forget their password, which means you need a password reset mechanism, and that in turn means that your security is only as good as that reset mechanism.
Finally, it's worth pointing out that even Image Guardian can't protect against everything when the threat model involves a malicious process that has elevated privileges. For example, a process with elevated privileges would be able to format the entire destination disk, or even enable whole disk encryption on it (as some ransomware solutions now use), and Image Guardian wouldn't stop either of those because those operations are not file-level modification operations that Image Guardian is designed to protect against. So while Image Guardian is certainly a welcome feature, it can't protect against everything, so you should not expect it to. The best anti-ransomware solution of all is a disk rotation where you always have at least one backup disk that is physically disconnected so that if ransomware strikes, you're guaranteed to have a disk with intact backups still available -- although at that stage you absolutely shouldn't connect that disk to the PC while the infected OS is running of course, lest that one become infected as well.