Ransomware

Discussion in 'other anti-virus software' started by Houley456, Apr 23, 2015.

  1. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,438
    Location:
    Slovakia
    Thanks, I was missing some keys, I have altered my reg entries accordingly. :thumb:
     
  2. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,809
    Location:
    .
    How about something like an air-gap technique?
    I have two internal SSDs connected to my PC dedicated for backups only, but I don't want to physically disconnect them so often. It's not practical and potentially harmful.
    In a small/home office I was thinking of a... driver-gap technique?
    I mean to disable the drive in Device Manager.
    This way both drives are still connected, but their driver is not loaded in memory and therefore they are not available to Windows or any software or malware.
    Enable their driver and you have them available again to do your backup routine. :cool:
     
    Last edited: Oct 7, 2022
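The "driver-gap" described in the post above, done from an elevated PowerShell prompt instead of clicking through Device Manager. This is an added example, not code from the thread or from any of its participants; it uses the PnpDevice cmdlets that ship with Windows 10/11 (`Get-PnpDevice`, `Disable-PnpDevice`, `Enable-PnpDevice`). The disk name fragment `Samsung SSD 870` is an assumption; replace it with part of your own backup disk's FriendlyName.

```powershell
# Added example (not from this thread): disable/enable the backup disk's PnP device so its
# volumes vanish from Windows between backup runs. Run from an elevated prompt.
# List candidates first: Get-PnpDevice -Class DiskDrive | Format-Table FriendlyName, Status, InstanceId

$BackupDiskName = 'Samsung SSD 870'   # assumed fragment; must match exactly one DiskDrive device

function Get-BackupDisk {
    param([Parameter(Mandatory)][string]$NameFragment)
    $found = @(Get-PnpDevice -Class DiskDrive |
               Where-Object { $_.FriendlyName -like "*$NameFragment*" })
    if ($found.Count -eq 0) { throw "No DiskDrive device matches '$NameFragment'." }
    if ($found.Count -gt 1) {
        throw "'$NameFragment' matches $($found.Count) disks; be more specific so the wrong disk is never disabled."
    }
    return $found[0]
}

function Disable-BackupDisk {
    param([string]$NameFragment = $BackupDiskName)
    $disk = Get-BackupDisk -NameFragment $NameFragment

    # Best-effort guard: never disable the disk that holds the running OS.
    $osDiskNumber = (Get-Partition -DriveLetter $env:SystemDrive[0]).DiskNumber
    $osDiskName   = (Get-Disk -Number $osDiskNumber).FriendlyName
    if ($disk.FriendlyName -eq $osDiskName) { throw "Refusing to disable the OS disk ($osDiskName)." }

    if ($disk.Status -ne 'OK') {
        Write-Host "$($disk.FriendlyName) is already disabled (Status=$($disk.Status))."
        return
    }
    # Fails (rather than silently scheduling a reboot) if the OS cannot release the device,
    # e.g. because a file on one of its volumes is still open.
    Disable-PnpDevice -InstanceId $disk.InstanceId -Confirm:$false -ErrorAction Stop
    (Get-PnpDevice -InstanceId $disk.InstanceId).Status   # expected: Error (device disabled)
}

function Enable-BackupDisk {
    param([string]$NameFragment = $BackupDiskName)
    $disk = Get-BackupDisk -NameFragment $NameFragment
    Enable-PnpDevice -InstanceId $disk.InstanceId -Confirm:$false -ErrorAction Stop
    Start-Sleep -Seconds 3   # give the volumes a moment to remount before a backup job starts
    Get-Volume | Where-Object { $_.DriveLetter } | Format-Table DriveLetter, FileSystemLabel, Size
}

# Usage (elevated):  Enable-BackupDisk; <run the backup job>; Disable-BackupDisk
```

Both cmdlets need administrator rights, which is also the limit of the technique: any other process that has obtained the same rights can run `Enable-PnpDevice` just as easily, so this only keeps the backup volumes away from code running as a standard user.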
  3. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    1,296
    Location:
    Europe
    Lol, you just revived a 7-and-a-half-year-old thread. The mods won't be happy; they will be steaming so hard, like those old trains with steam, chuuchuu.

    OK so, you don't have to disconnect them "so often"; once a week is enough really. If you just carefully pull the SATA cable from the SSD you will not do any damage if you're careful (NVMe is another story).

    If the drive is connected to the PC then I don't think anything can prevent malware from writing to it, if the malware truly wanted to. If you can run a command to disable the device/driver, so can the malware to enable it. Though some things do help, such as setting owner, permissions and integrity levels using https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/icacls . Of course the malware can always remove/overwrite those, but it needs to be elevated for that if you have configured them properly. If you're running as a standard user account, and there is NO admin account on the PC (like disabling the built-in admin account and using netplwiz to change the only admin account of the PC to a standard user account; but then you will lock yourself out unless you have a USB with a Win 10 ISO that can run cmd and then run netplwiz to change it back to admin), then that will make it harder for the malware since it will only have standard user rights. Of course, make sure to set your gpedit.msc settings like this:

    [Screenshot: upload_2022-10-7_22-50-32.png, the gpedit.msc settings referred to above]

    This will make it much harder for the malware to elevate and then try to overwrite the permissions of your files, which might still fail because of owner and integrity level (make sure to set it to High).

    There are more things you can do, which you can read here: https://www.infopackets.com/news/10422/8-ways-protect-your-backups-ransomware
    Those include using mountvol to unmount the drive, setting it to read-only with diskpart, what I already said with icacls, and Controlled Folder Access (which can be turned off). But of course the last tip, number 8, is what I recommend: once a week attach your drive in Safe Mode without startup programs, make a backup and detach your drive. This is nearly 100% safe.
    You can also delete the mountvol.exe, icacls.exe and diskpart.exe programs (or rename them and move them somewhere else) to prevent malware from using them, but of course a really super advanced malware will bring its own, and also if any system or legitimate process tries to use those programs it will fail.

    Other things to take note of are alternate data streams and raw disk access, of which I don't have much experience, so Google (or DuckDuckGo) is your friend.
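The mountvol, diskpart read-only and icacls integrity-level tips from the post above, combined into one backup window. This is an added example, not code from the thread, the linked article or any participant; it uses the Storage module cmdlets (`Get-Volume`, `Get-Partition`, `Set-Partition -IsReadOnly`, `Add-/Remove-PartitionAccessPath`) in place of the diskpart and mountvol commands. The volume label `BACKUP`, the drive letter `B` and the source path are assumptions.

```powershell
# Added example (not from this thread): the backup volume is read-only and has no drive letter
# except while the copy runs. Run from an elevated prompt.

$VaultLabel  = 'BACKUP'                   # assumed filesystem label of the backup volume
$VaultLetter = 'B'                        # assumed letter, attached only during the backup window
$Source      = 'C:\Users\me\Documents'    # assumed source folder

function Get-VaultPartition {
    $vol = @(Get-Volume -FileSystemLabel $VaultLabel -ErrorAction Stop)
    if ($vol.Count -ne 1) { throw "Expected exactly one volume labelled '$VaultLabel', found $($vol.Count)." }
    return ($vol[0] | Get-Partition)
}

function Open-Vault {
    $p = Get-VaultPartition
    if ($p.IsReadOnly) {
        Set-Partition -DiskNumber $p.DiskNumber -PartitionNumber $p.PartitionNumber -IsReadOnly $false
    }
    if ($p.AccessPaths -notcontains "${VaultLetter}:\") {   # equivalent of: mountvol B: \\?\Volume{...}\
        Add-PartitionAccessPath -DiskNumber $p.DiskNumber -PartitionNumber $p.PartitionNumber -AccessPath "${VaultLetter}:\"
    }
}

function Close-Vault {
    $p = Get-VaultPartition
    if ($p.AccessPaths -contains "${VaultLetter}:\") {      # equivalent of: mountvol B: /D
        Remove-PartitionAccessPath -DiskNumber $p.DiskNumber -PartitionNumber $p.PartitionNumber -AccessPath "${VaultLetter}:\"
    }
    # equivalent of diskpart: select volume ...; attributes volume set readonly
    Set-Partition -DiskNumber $p.DiskNumber -PartitionNumber $p.PartitionNumber -IsReadOnly $true
}

function Invoke-VaultBackup {
    Open-Vault
    try {
        # Every run goes to its own dated folder. Never mirror (/MIR) onto the last good copy:
        # a run made after the source was encrypted would overwrite the backup you need.
        $dest = Join-Path "${VaultLetter}:\" (Get-Date -Format 'yyyy-MM-dd_HHmm')
        robocopy $Source $dest /E /R:1 /W:1 /NP /NFL /NDL
        if ($LASTEXITCODE -ge 8) { throw "robocopy failed with exit code $LASTEXITCODE" }

        # High integrity label: a medium-integrity (non-elevated) process cannot modify these files
        # even where the DACL grants it write access. An elevated process still can.
        icacls $dest /setintegritylevel '(OI)(CI)H' /T /C | Out-Null
    }
    finally {
        Close-Vault   # read-only and unmounted again, even if the copy failed half-way
    }
}

# Usage (elevated): Invoke-VaultBackup
```

The `try/finally` is the important part: the volume must end up read-only and detached whether or not the copy succeeded, otherwise a failed run leaves the vault exposed until somebody notices. As with the Device Manager approach, the whole arrangement is reversible by anything else that runs elevated.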
     
  4. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    Don't know if this would work for you, but I use an SSD drive for weekly drive images. It is employed as an external drive with an SSD-to-USB cable connection. The transfer will obviously be more time consuming, but that would not matter if initiated before one goes out.
     
  5. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,809
    Location:
    .
    Why is it badly seen to revive an old thread if it's still relevant?
     
  6. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    1,296
    Location:
    Europe
    I don't know, I just like making fun of the mods when the opportunity arises (or making one myself), but generally in online forums it is seen as a bad thing. Like in linustechtips, if it's older than a few months or something like that, there's a message telling you that you should probably make a new thread; on reddit until recently there was auto-archiving of all topics older than 6 months so no one can reply to them.

    This is more convenient than plugging the SATA cable into your SSD, but less safe imo. Plus external SSDs are like twice as expensive as normal internal SSDs, but they are literally the same drives, just that one has a USB connection for casuals and the other one doesn't, so you need to actually connect it to the PSU and motherboard, which is very easy; it takes like 2 min if your case is in good condition.
     
  7. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,809
    Location:
    .
    @cruelsister @Floyd 57 thank you for your replies.
    OK, but has any one of you seen a ransomware strain doing exactly this?
     
  8. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,809
    Location:
    .
    Sandboxie-Plus deals with this already.
     
  9. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    1,296
    Location:
    Europe
    Yeah, but you'd have to run everything in Sandboxie.
     
  10. imdb

    imdb Registered Member

    Joined:
    Nov 2, 2011
    Posts:
    4,208
    Ransomware: This is how half of attacks begin, and this is how you can stop them by Danny Palmer
     
  11. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    1,296
    Location:
    Europe
    This literally doesn't say anything about home users. For home users, by far and away the most common way to get malware is that you download a file (likely .exe), either the AV doesn't detect it or you add it to exclusions, you run it, and instead of being the Adobe Photoshop crack or that game's crack that you were hoping for, it's malware! Which is why I usually run untrusted cracks in Sandboxie or VMware. I used to use Shadow Defender as well, but it has only had 1 update in the last 4 years; as such it can no longer be trusted for risky files, since 4 years in the tech space is an eternity. I still use Shadow Defender occasionally to test installing new programs, but not for risky, potentially-malware stuff anymore.
     
  12. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,809
    Location:
    .
    Re Photoshop or any Adobe product, it's unlikely to happen if you download from safe, well-known places specialized in cracks for Adobe software; can't say the same for games though.
     
    Last edited: Oct 8, 2022
  13. imdb

    imdb Registered Member

    Joined:
    Nov 2, 2011
    Posts:
    4,208
    Air gaps for backup and how they help against ransomware by Antony Adshead
     
  14. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,644
    Location:
    USA
    The system described in that article is exactly what I have been doing at work for 15 years. I also set up all backup servers to only be written to by a user account that nobody else has access to. If a user gets infected they will not have permission to write to them. Or encrypt them or delete from them.
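The permission model described in the post above (backups writable by one dedicated account that no user has access to), as an added example that is not part of the thread or anyone's own setup. It is for a local folder on a Windows backup server and uses `icacls`, `Get-Acl` and `New-SmbShare`; the path `D:\BackupVault`, the account `BACKUPSRV\svc-backup` and the group `BACKUPSRV\Backup-Restorers` are assumptions.

```powershell
# Added example (not from this thread): only the backup service account may write to the vault;
# users who may need to restore get read-only. Run elevated on the backup server.

$Vault         = 'D:\BackupVault'                 # assumed
$BackupAccount = 'BACKUPSRV\svc-backup'           # assumed: used by the backup job and nobody else
$ReadersGroup  = 'BACKUPSRV\Backup-Restorers'     # assumed: people allowed to read for a restore

function Set-VaultAcl {
    if (-not (Test-Path $Vault)) { New-Item -ItemType Directory -Path $Vault | Out-Null }
    # Drop inherited ACEs (typically Users:Modify from the drive root) and start from an explicit list.
    icacls $Vault /inheritance:r | Out-Null
    icacls $Vault /grant:r "${BackupAccount}:(OI)(CI)M"  | Out-Null   # Modify, but not change permissions
    icacls $Vault /grant:r "${ReadersGroup}:(OI)(CI)RX"  | Out-Null   # read/execute only
    icacls $Vault /grant:r 'SYSTEM:(OI)(CI)F'            | Out-Null
    # The owner can always rewrite the DACL, so the owner must not be a user account either.
    icacls $Vault /setowner $BackupAccount | Out-Null
}

function Publish-VaultShare {
    # Share-level permissions are evaluated together with NTFS; keep them at least as strict.
    New-SmbShare -Name 'BackupVault' -Path $Vault -FullAccess $BackupAccount -ReadAccess $ReadersGroup | Out-Null
}

function Get-VaultWriters {
    # Every identity whose Allow ACE lets it create, change, delete or re-permission anything in the vault.
    $writeBits = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    (Get-Acl -Path $Vault).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and ($_.FileSystemRights -band $writeBits) } |
        ForEach-Object { $_.IdentityReference.Value } |
        Sort-Object -Unique
}

function Test-VaultAcl {
    # Returns $true only if nobody beyond the service account and SYSTEM can write.
    $allowed    = @($BackupAccount, 'NT AUTHORITY\SYSTEM')
    $unexpected = @(Get-VaultWriters | Where-Object { $allowed -notcontains $_ })
    if ($unexpected.Count -gt 0) {
        Write-Warning "Unexpected write access on ${Vault}: $($unexpected -join ', ')"
        return $false
    }
    return $true
}

# Usage (elevated):  Set-VaultAcl; Publish-VaultShare; Test-VaultAcl    # expect True
```

`Test-VaultAcl` is worth running on a schedule, not just once: an ACL that was correct when the share was built can drift (a helpful admin granting "Everyone" to fix a restore problem is the usual way), and a ransomware run on a workstation will happily use whatever write access that drift left behind.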
     
  15. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Perhaps you can take NeuShield for a test drive once again? I recently read that they won a couple of awards.

    https://www.scmagazine.com/news/emerging-technology/best-emerging-technology-neusheild-data-sentinel
     
  16. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,809
    Location:
    .
    Why not? It's still working fine in recent Windows iterations. It covers and protects the whole partition it is shadowing and the MBR/boot/EFI partitions. Why would SD not protect against the threat of new malware? Just because it is outdated? I don't think so. Malware able to bypass SD must be written to target SD, I assume.
    Again, I don't think there is one, yet. I think an encrypting malware is not interested in incorporating such routines in its code. It's a waste of time for the ends it pursues, and it exposes itself to detection.

    If someone has or has seen an encrypting malware doing this, please let me know here...
    That said, I think it is a good idea of mine to disable the drive via Device Manager, in a small/home office of course.
    See, plugging and unplugging a USB cable or external drives wears out ports and connectors.
     
    Last edited: Oct 8, 2022
  17. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    1,296
    Location:
    Europe
    Because it would be trivial to bypass. If EDRs costing billions of dollars from companies like Symantec and Microsoft get their kernel drivers bypassed and cannot protect files from being written to by malware, and billion-dollar companies with anti-cheats like VAC or EAC constantly get bypassed by cheaters, what makes you think a program that has been updated once in 4 years cannot be bypassed? From what I know it's not even open source, so there will be vulnerabilities left and right.

    It might not be interested, but are you gonna take a chance?

    Not really. If you plug it in once a week, that's 52 plugs a year. That's little usage if you're careful.
     
  18. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,809
    Location:
    .
    1. Not a single bypass has happened to me.
    2. I'm not a huge important company, so no target for an extremely sophisticated APT or whatever.
    I'm not an expert on this, so I can't say if you're right or wrong.
    Yes I am. I say no to paranoia :)
    LOL, I enable/disable the drive several times per day.
     
  19. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    5,617
    Location:
    Milan and Seoul
    Updates of Shadow Defender only occur for new versions of Windows (if any). It doesn't need updates like antimalware programs do. Furthermore, it is a fairly popular program here at Wilders; no one has ever reported SD being bypassed by anything, including in my experience ever since it was first released. Any program can be affected if specifically targeted, but statistically it is very unlikely to happen.
     
  20. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    1,296
    Location:
    Europe
    That literally means almost nothing by itself.

    I don't know. I cannot tell you how likely it is to happen, because I am not a cybersecurity researcher, I don't know C/C++ and I don't use the Windows API; my area of knowledge is not this, but that's just my intuition. Perhaps someone like @cruelsister, who does this for a living (it seems), can answer more in-depth on the specifics. But I can tell you that in tech, things change all the time. If they can bypass the kernel drivers of game anti-cheats like Valve Anti-Cheat, Easy Anti-Cheat etc. and bypass the kernel drivers of EDRs made by trillion-dollar companies (Microsoft) who also made Windows itself, then they can also bypass SD. That's not a question or a maybe, that's a given. And SD being closed source means NO ONE except the 1 guy who developed it has seen the code, meaning there are countless vulnerabilities waiting to be uncovered. But no one cares, because SD has probably a few hundred users tops, maybe a few thousand to be generous; if SD was more popular, like those EDRs that millions of employees in enterprises are using, then it would be exposed very fast. Like, if 100 people here crowdsourced 10 dollars, and then we posted a bounty-hunter ad for $1000 to find a vulnerability in SD and exploit it, it would take no time at all. Remember that the biggest software in the world, that so many knowledgeable people work on, has vulnerabilities found in it all the time; what's left for SD? It just makes you feel bad about SD when you think about it. Compared to it, at least Sandboxie is open source and has more people working on it and constant updates, so it's a lot less vulnerable than SD and up-to-date, in a way.
     
    Last edited: Oct 8, 2022
  21. imdb

    imdb Registered Member

    Joined:
    Nov 2, 2011
    Posts:
    4,208
    Ransomware cost US banks $1.2 billion last year by Dan Robinson
     