Macrium Image Guardian


INTERSPECTIVE
New Member
Will the new Macrium Image Guardian protect the stored images from ransomware under this situation?:

Site Manager and Reflect are installed on a Windows 10 workstation system console. The backup images are stored on a Synology NAS volume formatted in Btrfs (not NTFS) raid 10. Or is the only protection provided for NTFS formatted drives? Thanks, Stephen


Nick
Macrium Representative
INTERSPECTIVE - 20 July 2018 2:00 PM
> Will the new Macrium Image Guardian protect the stored images from ransomware under this situation?:
>
> Site Manager and Reflect are installed on a Windows 10 workstation system console. The backup images are stored on a Synology NAS volume formatted in Btrfs (not NTFS) raid 10. Or is the only protection provided for NTFS formatted drives? Thanks, Stephen


Hi Stephen

Thanks for posting. Image Guardian only protects NTFS file systems on Windows hosts. Some more info here:

https://knowledgebase.macrium.com/display/KNOW7/Why+MIG+isnt+available+for+3rd+party+NAS+devices

For a 'locked down' network solution you need to deploy a Windows file share for backup storage with restricted access.

See 'Macrium Image Guardian protecting backups in a networked environment' here:

https://knowledgebase.macrium.com/display/KNOW7/_MIG_Overview

Kind Regards

Nick - Macrium Support

INTERSPECTIVE
New Member
Nick, thanks and appreciate it. Stephen

ARL67
New Member
I am a longtime IT-Guy and have been using Macrium at all my clients for many years.
It is a great product and I recommend it to anyone I know.

I have now had my 3rd PC (Win 10) running v7 where Image Guardian did not protect the MRIMG or MRBAK files.
These PCs have a 2nd internal hard drive, formatted NTFS.
A few of the MRIMG / MRBAK files were spared but most get encrypted.
Fortunately I also back up to rotating USB hard drives (or NAS), so I did not have a catastrophic loss.

How is MIG not working on occasion?
These PCs are all Win 10.
The accounts on the PC are all local accounts, and have Admin privilege.
When testing, MIG will prevent the users from renaming or deleting any Macrium files, however some ransomware appears to be able to sneak through MIG protection.

thanks - Andy
jphughan
Macrium Evangelist
Is it possible that at the time of the attack, MIG wasn't enabled for that specific partition, or had been disabled system-wide for a temporary need and someone forgot to turn it back on?  In terms of the former possibility, if you have "Automatically protect local backup drives" enabled, MIG will automatically enable protection for a local destination partition when a Reflect job writes a backup file to it, even if you had manually disabled MIG on that specific partition previously -- but of course if you'd disabled protection on that partition earlier, then it wouldn't be re-enabled until another job ran.  That option also causes any partitions that were MIG-protected when they were last used, even if that use occurred on another PC, to automatically receive MIG protection when they're mounted on that PC.  But again all of that assumes that MIG is enabled system-wide at the time in question.

Is there anything informative under Other Tasks > Macrium Image Guardian Settings > Events tab?  Make sure to check the "Information" checkbox and expand the date range, assuming the ransomware attack occurred within the range of available logs.

Edited 7 September 2018 8:24 PM by jphughan
Drac144
Expert
While MIG is designed to protect Reflect files against a number of different scenarios, I would expect that Ransomware is at or very near the top of that list. If that is the case, I would also expect that Macrium has tested MIG against as many known Ransomware versions as it could. Therefore, someone at Macrium should be able to say whether or not it is likely or possible for a breach as described by the OP to occur.
ARL67
New Member
MIG was never temporarily disabled in any of my 3 sites.
I usually have Windows' User Account Control set to the lowest slider (1 less than default).
I have since set UAC to default -> slider at the first notch.
As mentioned, MIG did protect some of the backups, but allowed many to be encrypted on the local backup drives.
I will inspect the logs further should I experience this again.

thanks - Andy
jphughan
Macrium Evangelist
The UAC setting below the default prompts for elevation but not on the secure desktop. Theoretically that means malware could click Yes on the elevation prompt on its own and thereby gain admin rights, which obviously isn't ideal, so moving it back to the default is a good idea if you can live with it. On some of my systems I have the UAC slider jacked all the way to the top and THEN I go into Local Security Policy to additionally specify that I have to actually type my password for elevation requests rather than just clicking a Yes button. Apple poked fun at the intrusiveness of the first iteration of UAC in one of those "I'm a Mac, I'm a PC" ads before the current default mode became available, but I always thought that was completely unfair since Mac OS X's mode of operation has always involved prompting for elevation and requiring the password rather than clicking Yes/No. But nobody said advertising was fair, of course. At client sites that I manage, I enable UAC with at least the default protection level via Group Policy to make sure that even local admins can't disable it, because it's that crucial to basic system security.

Edited 8 September 2018 12:38 AM by jphughan
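
A way to audit the UAC levels discussed in the last two posts, as an added example that is not part of any post in this thread. It reads the three UAC registry values Windows stores under the Policies\System key and reports whether the elevation prompt uses the secure desktop and whether it asks for a password. The function name, the sample labels and the mapping of sample values to slider positions are assumptions made for illustration.

```powershell
# Added example (not from the thread): audit the UAC elevation-prompt settings.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacPosture {   # hypothetical helper name
    param([int]$EnableLUA, [int]$ConsentPromptBehaviorAdmin, [int]$PromptOnSecureDesktop)

    $behavior = switch ($ConsentPromptBehaviorAdmin) {
        0 { 'Elevate without prompting' }
        1 { 'Prompt for credentials on the secure desktop' }
        2 { 'Prompt for consent on the secure desktop' }
        3 { 'Prompt for credentials' }
        4 { 'Prompt for consent' }
        5 { 'Prompt for consent for non-Windows binaries' }
        default { "Unknown value $ConsentPromptBehaviorAdmin" }
    }
    # Values 1 and 2 name the secure desktop themselves; 3, 4 and 5 use it
    # only when PromptOnSecureDesktop is 1.
    $secure = ($ConsentPromptBehaviorAdmin -in (1, 2)) -or
              (($ConsentPromptBehaviorAdmin -in (3, 4, 5)) -and ($PromptOnSecureDesktop -eq 1))

    $findings = @()
    if ($EnableLUA -ne 1) { $findings += 'EnableLUA is not 1: UAC is off' }
    if ($ConsentPromptBehaviorAdmin -eq 0) { $findings += 'Admins are elevated with no prompt' }
    elseif (-not $secure) { $findings += 'Prompt is shown on the user desktop (below default)' }

    [pscustomobject]@{
        Behavior         = $behavior
        SecureDesktop    = $secure
        RequiresPassword = ($ConsentPromptBehaviorAdmin -in (1, 3))
        Findings         = ($findings -join '; ')
    }
}

# Constructed sample values for the three configurations mentioned in the thread.
$samples = [ordered]@{
    'One notch below default' = @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 5; PromptOnSecureDesktop = 0 }
    'Default slider'          = @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 5; PromptOnSecureDesktop = 1 }
    'Top + password policy'   = @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 1; PromptOnSecureDesktop = 1 }
}
foreach ($name in $samples.Keys) {
    $s = $samples[$name]
    Get-UacPosture @s | Select-Object @{ n = 'Config'; e = { $name } }, *
}

# Live check on this host (a missing value reads as 0 and is flagged).
$live = Get-ItemProperty -Path $UacKey
Get-UacPosture -EnableLUA $live.EnableLUA `
    -ConsentPromptBehaviorAdmin $live.ConsentPromptBehaviorAdmin `
    -PromptOnSecureDesktop $live.PromptOnSecureDesktop
```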