Mapping and unmapping network drives

Hughg
Posts: 94
Joined: Sat Feb 01, 2003 11:25 pm

Mapping and unmapping network drives

Post by Hughg »

I'm getting concerned about protecting backups on external USB drives or network drives from a possible Cryptolocker (or equivalent) attack. The only way that I can see of doing this is, when a backup is completed, to disconnect the USB drives from the system, or (if they're network drives), removing their mapping from the source computer. But both would have to be done manually, meaning that they are open to attack until this is done. And, of course, if you forget to connect them or map them manually before the backup, it won't happen.

Is there a way of getting AISBackup to connect/disconnect USB drives, and map/unmap network drives as part of its routine?
Barry
Site Admin
Posts: 1529
Joined: Tue Aug 20, 2002 3:16 pm

Making a backup safe from Malware

Post by Barry »

I too am concerned about Crypto Locker and I am repairing a PC with this infection for a customer of mine right now. By pure chance the backup drive got disconnected on his PC towards the end of January and I was able to restore the data from this backup, otherwise it would not have been possible – and I have heard that even if you pay the extortion fee you may not get the unlock key.

My customer did re-connect the backup drive after infection and subsequent backups contained the encrypted files; fortunately AISBackup’s ‘sessions’ enabled me to select a previous backup to restore from. To other readers of this post: a multi-session backup job is far superior to a copy job as you have the opportunity to select different dated restore points. His antivirus software had already removed the malware before he reconnected the backup drive (however this was a lucky coincidence).

To date Crypto Locker is encrypting files of known file types (including zip); to this end I am going to change the default AISBackup file extension, but this cannot be guaranteed to make the backup safe if it is still online and accessible via shares. AISBackup already allows the backup file extension to be changed for new backup jobs by using the Tools / Program Settings and Options / Advanced / Default Backup File extension option.

AISBackup mapping drives and un-mapping drives will not work either (actually it already does this – see next paragraph) because the drive will still have to be shared, and Crypto Locker may have the ability to use shares as well as mapped drives. Also if the destination is a network drive the sharing would have to be done on that PC – maybe I could do this via a service – if indeed Microsoft allows a service to share a drive as that too could be considered a security risk? The question mark is to invite feedback.

I would like to remind users of AISBackup that AISBackup does map password protected shares and un-map them after the backup, but you may have other mapped drives to the same Server / PC that allow access to the backup partition as well (via the share name). It is unfortunate that Microsoft does not allow different passwords for different shares and you cannot have more than one password protected session to the same PC at the same time, for example using a different Username / Password just for backups. The password is stored in encrypted format within AISBackup.

As far as I know FTP should be secure as long as the destination is always to a password protected drive that is not accessible via a share. Linux based NAS are getting faster.

I think I am fairly safe by backing up to a network drive and then on the networked backup PC having another backup job copying this to an external drive that is not shared, using a copy job and not a backup job in this case. It is also a good idea to switch between two external drives periodically and take one offsite (Recommended). As long as there is no possibility of malware accessing the registry on the remote PC (do not allow access to the Windows operating system folders under any circumstances) then it should not be possible for the remote PC to become infected (Except by opening the bogus HMRC / IRS / Delivery company e-mail attachments on the backup PC).

It may also be worth removing the default ‘hide file extensions of known file types’ so that you can see the file attachment is really named ‘badfile.jpg.exe’ and not what you would normally see ‘badfile.jpg’ (which looks like a safe image file).

If anybody else would like to add some suggestions for ensuring the backups are safe from malware while not requiring manual intervention to get running I would appreciate some feedback.

If I have made some errors in my assumptions please correct me.

Barry
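
The two-stage arrangement described in the post above (network backup first, then a copy on the backup PC to an external drive that is not shared) depends on that external drive really being unreachable over the network. The following is an added example, not part of the original posts and not AISBackup code: a PowerShell script for the backup PC that refuses to run the second-stage copy if any SMB share exposes the destination. The paths are assumptions, and robocopy stands in for the AISBackup copy job.

```powershell
# Run elevated on the backup PC. Paths below are assumed for illustration.
$Source      = 'D:\NetworkBackups'   # folder the network backup job writes to (shared)
$Destination = 'E:\OfflineCopy'      # folder on the external drive (must not be shared)

function Get-ExposingShare {
    # Return every share whose root folder is the given path or a parent of it.
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [Parameter(Mandatory)] [object[]] $Shares
    )
    $full = [IO.Path]::GetFullPath($Path).TrimEnd('\') + '\'
    foreach ($share in $Shares) {
        if (-not $share.Path) { continue }          # IPC$ has no folder behind it
        $root = $share.Path.TrimEnd('\') + '\'
        if ($full.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) {
            $share
        }
    }
}

# Get-SmbShare also lists hidden administrative shares such as E$, which
# expose the whole drive to any account with administrator rights.
$exposing = Get-ExposingShare -Path $Destination -Shares (Get-SmbShare)

if ($exposing) {
    foreach ($share in $exposing) {
        Write-Warning "Destination is reachable via share '$($share.Name)' ($($share.Path))"
    }
    throw 'Refusing to copy: the second-stage destination is reachable over the network.'
}

# Second-stage copy. /E includes subfolders; /R and /W keep retries short.
robocopy $Source $Destination /E /R:1 /W:1 /NP

# robocopy exit codes of 8 or higher mean at least one file failed to copy.
if ($LASTEXITCODE -ge 8) {
    throw "robocopy reported failures (exit code $LASTEXITCODE)"
}
```

If the check trips on an administrative share such as `E$`, the drive is still reachable by administrator accounts from other PCs, which is the exposure the post warns about.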
Hughg
Posts: 94
Joined: Sat Feb 01, 2003 11:25 pm

Post by Hughg »

Thanks, Barry. I'll have to think about many of the points you raise. In the short term, would it be possible to allow the choice of a file extension longer than three characters, to lessen the chance that the combination you select is included by a later version of CryptoLocker? As you say, it's not something that can be relied on, but it might help a bit.
Barry
Site Admin
Posts: 1529
Joined: Tue Aug 20, 2002 3:16 pm

File extension longer than 3 characters

Post by Barry »

I thought it did longer extensions, I'll update AISBackup.

This was an early feature to change extension - I must have had my DOS / Windows 3.1 hat on.

I will look at renaming existing backup files too.

Barry
Hughg
Posts: 94
Joined: Sat Feb 01, 2003 11:25 pm

Post by Hughg »

Thanks, Barry. Wow -- has AISBackup been around that long? That's very impressive.

Hugh
Hughg
Posts: 94
Joined: Sat Feb 01, 2003 11:25 pm

Post by Hughg »

Hi Barry

I tried changing the extension from .zip to another three-letter version, and then ran the backup. AISBackup told me that the destination folder already had files in it. I chose the option to continue, so it did, but the new backup files were still .zip files. I guess I should have moved to a new destination folder, but do you have any idea why it didn't start creating files with the new extension?

Hugh
Barry
Site Admin
Posts: 1529
Joined: Tue Aug 20, 2002 3:16 pm

Changing extension

Post by Barry »

The extension may only be changed for new backup jobs.

AISBackup would have to be changed to enable the extension to be changed for existing backup jobs as the existing files would have to be renamed and the backup 'control' file changed.

I'll look at doing this for disk based backup jobs, i.e. not FTP and not optical discs and not 'cloud'.

Barry
Hughg
Posts: 94
Joined: Sat Feb 01, 2003 11:25 pm

Post by Hughg »

Thanks, Barry. If you're able to do this (which I think is a great idea), will the extension changing be likely to work for network drives, do you think?

Hugh
Barry
Site Admin
Posts: 1529
Joined: Tue Aug 20, 2002 3:16 pm

Rename backup files

Post by Barry »

Yes this will work with network drives.

Maybe FTP

Meanwhile it is a good idea to change the extension for new backup jobs in any case. I was thinking of AIB as this does not appear to be used by any other application.

Barry
Hughg
Posts: 94
Joined: Sat Feb 01, 2003 11:25 pm

Post by Hughg »

Not sure about suggesting a standard extension. The crooks producing CryptoLocker-type malware are pretty adept at adding extensions to their lists. However, it might not be a bad idea to start with the default of .aib, and suggest that the user might like to adopt their own, with more than three letters, to help avoid the bad guys.
Barry
Site Admin
Posts: 1529
Joined: Tue Aug 20, 2002 3:16 pm

AISBackup Build 444

Post by Barry »

Build 444 includes a new option to change the backup file extension on disk and network backups.

This is available as a pre-release at the moment and if all works okay will be transferred as the next release of AISBackup.

Barry
Hughg
Posts: 94
Joined: Sat Feb 01, 2003 11:25 pm

Post by Hughg »

Thanks, Barry. This will be good to have.