External HDD disconnect for security?

Discussion in 'backup, imaging & disk mgmt' started by OzBoz, May 23, 2017.

  1. OzBoz

    OzBoz Registered Member

    Joined:
    Jan 26, 2006
    Posts:
    35
    Location:
    Queensland Australia
    Hi All,
    Not sure if this is the correct forum to ask this question, and apologies if it's not.

    I've recently started to use Macrium Reflect to save automatic backups to an external USB connected HDD. Do I need to keep the external drive disconnected, unless actually using it, in order to protect the backup file from virus/malware attacks? If so, this would be a major inconvenience for me, as my scheduled automatic backups occur after midnight, and I don't want to "babysit" the PC until that time. It sort of defeats the whole object of auto backups.

    Your thoughts would be most welcome

    Cheers
    Brian B
     
  2. Robin A.

    Robin A. Registered Member

    Joined:
    Feb 25, 2006
    Posts:
    2,557
    Keep the external drive connected. It's a trade-off between security and convenience.
     
  3. kaljukass

    kaljukass Registered Member

    Joined:
    Apr 27, 2011
    Posts:
    244
    There is absolutely no difference - what has to happen will happen anyway. (Murphy's Law).
    You said that you make copies automatically, which means you also copy the corrupted files and malware files, if any already exist. Why do such work? What's the point?
    It means, if your files are damaged, the copies will also be immediately damaged.
     
  4. TheRollbackFrog

    TheRollbackFrog Imaging Specialist

    Joined:
    Mar 1, 2011
    Posts:
    4,943
    Location:
    The Pond - USA
    Wow... a 2nd Brian from OZ (Brian_K is #1)...

    Brian, if you scheduled batch files instead (create them easily through Reflect) and added just a few batch instructions before and after the imaging process, you can at least leave them connected without having DRIVE Letters assigned, assign them in the batch file, do your imaging, then unassign the drive letters once again. Ransomware would have to be looking for attached storage devices as well as lettered devices before it could do anything serious to those attached devices... a little mitigation just might help.
     
  5. Brian K

    Brian K Imaging Specialist

    Joined:
    Jan 28, 2005
    Posts:
    12,113
    Location:
    NSW, Australia
    I like it!
     
  6. OzBoz

    OzBoz Registered Member

    Joined:
    Jan 26, 2006
    Posts:
    35
    Location:
    Queensland Australia
    Thanks to all for the responses.

    @Robin A.
    I don't really see any convenience if the drive is captured by ransomware, which is my biggest concern.

    @kaljukass
    Obviously, I make sure my files are as clean as I can get them (real time protection and two on demand scanners) before I backup.

    @ TheRollbackFrog
    Your suggestion sounds very interesting, however I am almost computer illiterate when it comes to any kind of programming. Is there anywhere I can have a closer look at this and learn by copy?

    As I have said, my major concern is ransomware. I am reasonably confident that my AV software can handle any malware, either by blocking or by cleaning, with the exception of ransomware. I also have a commercial copy of Windows 10 on a USB and an emergency boot disk (Macrium) so I'm not completely stuck.
     
  7. matra

    matra Registered Member

    Joined:
    Aug 3, 2013
    Posts:
    40
    Location:
    Germany
    I use this
    http://www.cleware-shop.de/USB-30-Connect

    PC-controlled switch for connecting and disconnecting USB 3.0 devices
    Connects and disconnects voltage, as plugged in manually - ideal for USB durability tests
    The USB 3.0 data is permanently connected
    Turns USB loads up to 1.3A
    Connection via 2 USB 3.0 A jacks
    A suitable connection cable (length: 1.0m) is included
    Passed USB power supply is electrically isolated from the USB cutter
    Program interface for easy integration into your own applications
    The control software ClewareControl for time-controlled switching, USBswitch with a graphical user interface and USBswitchCMD for switching via command call is available for download.
    Works without special drivers under Windows® x86 / x64 operating systems. (® Microsoft Windows is a registered trademark of Microsoft Corporation.)
    Also usable under different versions of Linux.
    Control from LabView® possible
    RoHS, CE & EN60950 compliant / IP30
    Operation only in indoor rooms
    Several switches on a PC can be controlled via the serial number
    For USB connection cable, see cable length option
    Switch: See switch option
    4 year warranty
    Made in Germany
     
  8. clubhouse1

    clubhouse1 Registered Member

    Joined:
    Sep 26, 2013
    Posts:
    1,124
    Location:
    UK

    I'm interested too. As far as I understand, Windows will always assign a drive letter to any external HDD\SSD\USB on connection.
     
  9. Brian K

    Brian K Imaging Specialist

    Joined:
    Jan 28, 2005
    Posts:
    12,113
    Location:
    NSW, Australia
    You can remove the drive letter so the partition doesn't have a drive letter. Then either manually or via a batch file you can reassign and/or remove a drive letter. In effect, Windows only sees the partition data when you want it seen.
     
  10. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    @Brian
    @Froggie

    You are going to need to post an example as I don't think these folks have a clue on how to do this. Also I would suggest an example of how to put the batch files into an imaging command line.
     
  11. OzBoz

    OzBoz Registered Member

    Joined:
    Jan 26, 2006
    Posts:
    35
    Location:
    Queensland Australia
    Thanks for that. Sounds like just what I need.
    Just to confirm, to remove drive letter, from the cmd prompt, >diskpart >select volume n >remove letter=R and to reassign >assign letter=R
     
  12. TheRollbackFrog

    TheRollbackFrog Imaging Specialist

    Joined:
    Mar 1, 2011
    Posts:
    4,943
    Location:
    The Pond - USA
    The process is a few steps... let's look at the overview first.

    You already have Reflect DEFINITION files in place, and they have been added to the WTS (Windows Task Scheduler) accordingly. What I'm suggesting is leaving the DEFINITION in place but removing it from the WTS by removing the scheduled items from the DEFINITION itself. Once this is done, you have your same defined tasks but no automatic scheduling of them.

    At this point, you may use a feature built into the Reflect ToolBar to turn each of your definitions in use into BAT (batch) files. That BAT file may be simply edited to include the (2) necessary additional batch statements (one statement to automount prior to the imaging operation and one following the imaging operation to dismount).

    Once the edit is made, that very same BAT file may be added manually to the WTS, at which time you may select how it is to run (similar to what's available in the Reflect Scheduler itself) as far as when it starts, when it runs, etc. At this point, you will have to manage those schedules, they won't be manageable under Reflect anymore. The definition of the operation continues to be managed under Reflect (what volumes, where to store, how to name, etc.) just not the scheduling.

    If you have a good feel for that, I'll continue with some examples... think about it a bit.
     
  13. TheRollbackFrog

    TheRollbackFrog Imaging Specialist

    Joined:
    Mar 1, 2011
    Posts:
    4,943
    Location:
    The Pond - USA
    The best place to do this is through the "Mountvol" command using GUIDs.
     
  14. TheRollbackFrog

    TheRollbackFrog Imaging Specialist

    Joined:
    Mar 1, 2011
    Posts:
    4,943
    Location:
    The Pond - USA
    CH, this will not happen if the dismount is performed correctly... reconnecting that drive will not cause an automount to occur.
     
    Last edited: May 24, 2017
  15. ExtremeGamerBR

    ExtremeGamerBR Registered Member

    Joined:
    Aug 3, 2010
    Posts:
    1,351
    Or you could use Pumpernickel (FIDES) to only let Reflect.exe write in your external USB.

    Code:
    [#INSTALLMODE]
    [#LETHAL]
    [LOGGING]
    [WHITELISTMODIFY]
    !C:\Program Files (x86)\2BrightSparks\SyncBackFree\SyncBackFree.exe>U:*
    [BLACKLISTMODIFY]
    $*SearchIndexer.exe>U:*
    $*dllhost.exe>U:*
    *>U:*
    [WHITELISTREAD]
    *>*
    [BLACKLISTREAD]
    [EOF]
    
    
    In my case, only SyncBackFree.exe can modify any data on my external drive U:/

    With 30 minutes of reading (https://www.wilderssecurity.com/threads/pumpernickel-fides.390545/) you can learn everything that you need to protect your drive.
     
    Last edited: May 24, 2017
  16. TheRollbackFrog

    TheRollbackFrog Imaging Specialist

    Joined:
    Mar 1, 2011
    Posts:
    4,943
    Location:
    The Pond - USA
    Although I am an existing FIDES user, its use is not for the faint of heart (the "general" user) :) It requires a level of sophistication that many users have not yet gained, at least from the comments I have seen within this thread... IMHO.

    An example from above...
     
    Last edited: May 24, 2017
  17. pandlouk

    pandlouk Registered Member

    Joined:
    Jul 15, 2007
    Posts:
    2,976
    One can protect a drive directory with NTFS permissions.
    Steps to take:
    1. Create a backup admin account, password protected, that you will use only with the imaging app (in your case Macrium)
    2. On the drive give full access and ownership to that account and eliminate all other account access (= no SYSTEM/Administrators/Authenticated Users/etc.)
    3. Run/execute the imaging app as the backup admin account to perform your backups/restores.

    edit
    One last step to take to make it completely secure is to run "gpedit.msc" and go to "Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/" and at the policy "Take Ownership of files and other objects" you should remove the "Administrators" group.

    Panagiotis
     
    Last edited: May 24, 2017
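Added example, not part of any post in this thread: one way to script steps 1 and 2 above from an elevated command prompt, applied to a backup folder rather than the whole drive. The account name `BackupAdmin` and the folder `T:\Reflect` are assumptions, and the `gpedit.msc` step is not covered.

```bat
@echo off
setlocal
rem Added example: lock a backup folder down to one dedicated account.
rem BackupAdmin and T:\Reflect are assumed names; change them to your own.
rem Run once from an elevated prompt while the backup partition has its letter.
set "ACCT=BackupAdmin"
set "TARGET=T:\Reflect"

rem Step 1: dedicated, password-protected admin account.
rem "*" makes net user prompt for the password instead of taking it on the command line.
net user %ACCT% * /add || exit /b 1
net localgroup Administrators %ACCT% /add || exit /b 1

if not exist "%TARGET%\" mkdir "%TARGET%"

rem Step 2a: hand ownership of the folder and everything in it to the account.
rem /C keeps going if an individual file cannot be changed.
icacls "%TARGET%" /setowner %ACCT% /T /C

rem Step 2b: grant the account full control BEFORE cutting anything off,
rem so the folder is never left without a usable entry.
icacls "%TARGET%" /grant:r "%ACCT%:(OI)(CI)F" || exit /b 1

rem Step 2c: drop every inherited entry (SYSTEM, Administrators,
rem Authenticated Users, Users). Files inside the folder inherit from it,
rem so they end up with the BackupAdmin entry only.
icacls "%TARGET%" /inheritance:r || exit /b 1

rem Step 3 is done elsewhere: run the Reflect batch file as %ACCT%,
rem for example from a scheduled task that runs under that account.
echo Done. Verify by running: icacls "%TARGET%"  while logged on as %ACCT%.
```

The final check has to be run as the backup account, because after step 2c the account that ran the script can no longer read the folder's permissions.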
  18. Brian K

    Brian K Imaging Specialist

    Joined:
    Jan 28, 2005
    Posts:
    12,113
    Location:
    NSW, Australia
    Plug in your external HD

    At an Admin Command prompt type...
    diskpart
    press Enter

    type...
    list vol
    press Enter

    Make a note of the Volume number of the partition on the external HD. For this example I'll use 8 but use your own number.

    Create a new folder (any name you like) and add these 6 files. 4 batch files and 2 text files.

    The batch files are...

    runthis.cmd
    Code:
    rem Work from this script's own folder (quoted in case the path contains spaces)
    CD /d "%~dp0"
    rem Assign the drive letter, run the backup, then remove the letter again
    call add.cmd
    call reflect.cmd
    call remove.cmd

    add.cmd
    Code:
    CD /d "%~dp0"
    diskpart /s add.txt

    reflect.cmd
    This is your Macrium Reflect batch file.

    remove.cmd
    Code:
    CD /d "%~dp0"
    diskpart /s remove.txt

    The text files are...

    add.txt
    Code:
    select volume 8
    assign letter T

    remove.txt
    Code:
    select volume 8
    remove letter T

    Open Disk Management, right click the partition on your external HD, Change Drive Letter and Paths, Remove, Yes. Now the external HD partition no longer has a drive letter. If the HD is pulled out and reconnected it still won't have a partition drive letter. If you want a drive letter again, open Disk Management, right click the partition on your external HD, Change Drive Letter and Paths, Add.

    Now back to the situation with no partition drive letter on the external HD. If you right click runthis.cmd and click Run as Administrator or run runthis.cmd as a Scheduled Task your batch files will run. The external HD partition will get a drive letter (T: in this case), Macrium Reflect will do a backup and then the partition drive letter will be removed.
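
Added example, not part of any post in this thread: the same add/backup/remove wrapper written with `mountvol` and a volume GUID, as suggested earlier in the thread, with checks so the letter is always removed again. The GUID shown is a placeholder, `T:` is taken from the post above, and `reflect.cmd` is assumed to sit in the same folder as this script.

```bat
@echo off
setlocal
rem Added example: mount the backup partition by volume GUID, back up, dismount.
rem VOLNAME is a placeholder. Run "mountvol" with no arguments and copy the
rem \\?\Volume{...}\ name listed for the partition on the external drive.
set "VOLNAME=\\?\Volume{00000000-0000-0000-0000-000000000000}\"
set "LETTER=T:"

rem Work from this script's own folder, where reflect.cmd lives.
cd /d "%~dp0"

rem Stop if T: is already taken, so the backup cannot land on the wrong volume.
if exist %LETTER%\ (
    echo %LETTER% is already in use, aborting.
    exit /b 2
)

rem Give the partition its drive letter only for the duration of the backup.
mountvol %LETTER% %VOLNAME%
if not exist %LETTER%\ (
    echo Could not mount the backup volume. Is the drive connected?
    exit /b 3
)

rem reflect.cmd is the batch file generated by Macrium Reflect.
call reflect.cmd
set "RC=%ERRORLEVEL%"

rem Always take the letter away again, also when the backup failed.
rem /P removes the mount point and dismounts the volume.
mountvol %LETTER% /P
if exist %LETTER%\ (
    echo WARNING: %LETTER% is still mounted after the backup.
    exit /b 4
)

rem Pass the result of the backup on to Task Scheduler.
exit /b %RC%
```

Unlike a diskpart volume number, the volume GUID name does not change when other drives are plugged in or removed, so the script keeps pointing at the same partition.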
     
  19. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    You guys are geniuses but I am thinking pumpernickel isn't all THAT complicated.
     
  20. clubhouse1

    clubhouse1 Registered Member

    Joined:
    Sep 26, 2013
    Posts:
    1,124
    Location:
    UK
    Are some people born with a full understanding of computers and the plethora of its structure?...Or did you indeed find out by asking on occasion?...Seems to be a snobbery amongst some in their attitude on this forum!


    Humility is becoming a lost art, but it's not difficult to practice. It means that you realize that others have been involved in your success. Harvey Mackay
     
  21. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Well most of the little I know was by asking for sure. Oh yeah a lot came from the school of hard knocks called experience
     
  22. clubhouse1

    clubhouse1 Registered Member

    Joined:
    Sep 26, 2013
    Posts:
    1,124
    Location:
    UK

    "Oh yeah a lot came from the school of hard knocks called experience":thumb:


    I think that is one of the best methods, I use frequent Macrium backups more for fcuking things myself foremost, and less so from fear of ransomware or anyware..For over six years no AV's or any security software has actually "saved" me..I've tried the no AV road but I just don't feel comfortable:ninja:....I use Malwarebytes V2 (until they stop support) and Zemana frequently for scanning and aside from a few false positives they haven't found anything unexpected. If there is a 100% security app I think backups is as close as we'll ever get.
     
  23. ssbtech

    ssbtech Registered Member

    Joined:
    Aug 19, 2013
    Posts:
    71
    Location:
    Canada
    My method is not to use a USB drive but rather a network drive (about the same price now) with password protection.
    Once Macrium is configured to save the username/password for that destination, the drive will remain password protected from within Windows, but Macrium can write the image to it.
     
  24. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,867
    Location:
    Outer space
    You could also do your daily backups with the external HDD connected all the time and do a weekly backup to another external HDD which you keep disconnected.
     
  25. bgoodman4

    bgoodman4 Registered Member

    Joined:
    Jan 13, 2009
    Posts:
    3,237
    Brian B, if you're still here after the hi tech stuff...

    This is my method as well. Max loss of 1 week's data is survivable. I also have AppGuard and HitMan Pro on my PC to protect against ransomware. You might want to take a look at these 2 programs for a couple of extra layers of protection.
     