Joe Bibecu asked:

SecureCopy and Ransomware question

Hello everyone,

I have a question regarding the ransomware going around. Let me tell you briefly about the setup.

We have two identical file servers running Windows 2012 Storage Server. The first one, let's call it FS1, is the primary file server which the users connect to via AD scripts. On the second one, FS2, I run two software programs, both of them for backup purposes: BackupExec 14 and Dell's SecureCopy. How it works:
1. The BackupExec agent is installed on FS1 and all files (around 4 million) are backed up to disk on FS2
2. Two main folders called USERS and GROUPS are synced from FS1 to FS2 at night using SecureCopy. All file flags (permissions, last date access, etc.) are preserved

In case of complete failure of FS1, we simply edit the AD scripts to point to the FS2 USERS and GROUPS shares. Although there will be some work lost since the last SecureCopy sync, that will give us time to restore or reinstall or fix FS1.

Now what's going to happen if ransomware gets on the FS1 USERS and GROUPS shares, despite the fact that we think we beefed up both servers with the latest and greatest anti-malware tools? Most likely they will get encrypted and MIGHT affect (contaminate) the files on FS2 during either the BackupExec process or the SecureCopy sync. We want to prevent this and stop the infection at the source, which is FS1.
We noticed that SecureCopy has a Special Handling option called "Allow copy of encrypted files as unencrypted if encryption fails" (see attached picture). So what the pop-up is saying is that SecureCopy attempts to encrypt a file on the target (FS2) using EFS when it copies a file which is encrypted on the source.

So we assume that a file is encrypted with ransomware. If this Special Handling option is not enabled, then SecureCopy:

1. Attempts to encrypt the file at the target (FS2) when it is encrypted at the source.
2. The file on source FS1 is already encrypted by something other than EFS, so the encryption attempt at the target FS2 (EFS) will fail because the file encrypted by ransomware cannot be modified
3. The pop-up says "If SecureCopy is unable to encrypt the file on the target the copy will fail, unless this option is selected"
4. Following 1-3 above, I think that the copy process will fail and that is exactly what we want, not to spread the infection

Not sure if someone has come across this scenario, but I would like your opinion regarding this logic (could be totally wrong...)

Cheers
SecureCopy.jpg
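
Added example, not part of the original post and not SecureCopy's own logic: NTFS records EFS encryption as the file's Encrypted attribute (0x4000), and content encrypted by any other program does not set that attribute, so the two cases can be told apart on FS1 before a sync runs. The entropy threshold, sample size and file names below are assumptions chosen for illustration.

```python
import math
import os
import tempfile
from collections import Counter

FILE_ATTRIBUTE_ENCRYPTED = 0x4000  # NTFS attribute bit set when EFS encrypted the file
ENTROPY_THRESHOLD = 7.5            # assumed cut-off in bits per byte (maximum is 8.0)
SAMPLE_BYTES = 64 * 1024           # assumed sample size read from the start of a file


def has_efs_attribute(path):
    """True only if NTFS marks the file as EFS-encrypted (always False off Windows)."""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    return bool(attrs & FILE_ATTRIBUTE_ENCRYPTED)


def shannon_entropy(data):
    """Shannon entropy of a byte string, in bits per byte."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())


def classify(path):
    """Label a file 'efs', 'high-entropy' (possibly encrypted by another tool) or 'plain'."""
    if has_efs_attribute(path):
        return "efs"
    with open(path, "rb") as fh:
        sample = fh.read(SAMPLE_BYTES)
    return "high-entropy" if shannon_entropy(sample) >= ENTROPY_THRESHOLD else "plain"


def demo():
    """Build two constructed files in a temp directory and classify them."""
    with tempfile.TemporaryDirectory() as tmp:
        doc = os.path.join(tmp, "report.txt")
        enc = os.path.join(tmp, "report.txt.locked")  # constructed file name
        with open(doc, "wb") as fh:
            fh.write(b"Quarterly budget figures for the GROUPS share.\n" * 500)
        with open(enc, "wb") as fh:
            fh.write(os.urandom(SAMPLE_BYTES))  # random bytes stand in for ciphertext
        return classify(doc), classify(enc)


if __name__ == "__main__":
    print(demo())
```

Compressed formats (zip, jpg, docx) are also high-entropy, so the 'high-entropy' label marks candidates for review rather than confirmed ransomware output; a sudden rise in their count between two nightly runs is the signal worth alerting on.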
SOLUTION (rindi): This solution is only available to members.
Joe Bibecu (ASKER):

Thank you all for taking the time to respond and share your thoughts/experience. As suggested by McKnife, I will try to encrypt a file with a 3rd party tool and see what happens when it is moved to FS2 via SecureCopy.

Cheers
Yes, do that, will be quickly done.
Bibecu, allow this side note to the other experts:
The points were shared - this is ok. But there's one who got much more than the others: while others got 125 x grade multiplier A (4) = 500, he (Thomas) got 1000.

Simply by mentioning your own article, you get 500 bonus points. Say, do you consider this fair pointing? I am against the pointing system altogether, but if EE wants to keep it, then they should do it right; you should not get bonus points just for mentioning your article. What do you all think?

Tzuckerscharf, nothing against you/your article, it's just the pointing system.
@McKnife

I understand your concerns and agree with your assessment.  I have said previously and will gladly repeat, that my primary reason for writing articles is to be able to refer to them in answers.  I don't really care about the points.  I try to write fairly informative articles that can be used to solve various problems.

EE has more than a point system problem.  I have been advocating for a better article writing system.  Currently the only way to collaborate on an article is to post in a group and ask for suggestions or to send emails to specific members.  Neither option is a solution.  The first ransomware article I referred to above, had input from other users, but they had to be attributed in the article instead of getting joint authorship.

The points system needs an overhaul (even after the one they gave it), and the article system needs help as well. Not to mention the article writing tool is a dinosaur from the last century (you have to keep a copy of every article in both Word and PDF format before publishing because the tool invariably loses your article). This site should be using WordPress with PressForward and some other plugins; it would make everything so much easier.