
Is there a way to prevent shadow copies from being deleted by non-admin users? The only thing I found so far were group policies which hide the tab in Windows Explorer from the user (so that he can't see the copies and therefore can't restore/view/delete(?) them in Explorer). Is this enough? Or can the user do this via script/on the command line?

The reason I ask: Currently there's a lot of ransomware around, and a shadow copy seems to be a reasonable way to prevent data loss. But current ransomware also deletes shadow copies. So my idea: if the user doesn't have the rights to delete shadow copies, the ransomware will not be able to delete the shadow copies. As this tip is missing in articles dealing with ransomware prevention, perhaps this is a bad idea after all, or simply not possible?

The question applies to Windows 7 Home Premium and Windows 7 Professional.

To make it clear: I have backups, firewall etc. so please consider this when answering/commenting.

munro
  • `So my idea: If the user doesn't have the rights to delete shadow copies the ransomware will not be able to delete the shadow copies` - That's a dangerous assumption. Furthermore, that's a poor way of protecting your systems from malware. Better to provide proper protection (firewall, antivirus, least privilege, etc.). – joeqwerty Feb 19 '16 at 19:39
  • Of course I have backups etc. And this is one way to reduce privileges. – munro Feb 19 '16 at 19:40
  • Additionally, I wouldn't rely on Shadow Copies to prevent data loss. Implement a proper backup strategy for your important/critical data. Seeing Shadow Copies as a tool in combating malware doesn't strike me as approaching the problem from the proper angle with the proper tools. Of course, this is only my opinion. – joeqwerty Feb 19 '16 at 19:41

1 Answer


Ransomware (at the time of this post) calls WinExec and launches "vssadmin.exe Delete Shadows /All /Quiet".

It also downgrades UAC before running this using the RtlQueryElevationFlags so that the UAC prompts don't occur.

Your question was: Is there a way to prevent shadow copies to be deleted by non-admin-users?

You can go this route: Why Everyone should disable vssadmin but be forewarned that in a corporate environment that wouldn't likely happen or get approved. But if you are a small shop or know the risks you can go that route.

To be honest though, like Joe alluded to, this isn't the way to prevent anything from really infecting you. You should look more into AppLocker or the CryptoPrevent software if you want to help prevent ransomware from coming in. However, nothing has been proven as foolproof and 100% effective... so having good backups is your best layer in a layered approach here.

TheCleaner
  • Perfect! I'll mark this as the answer. Two bonus questions (perhaps you can answer them too) after reading the linked article: 1. "As this program requires Administrative privileges to run, some ransomware will inject themselves into processes that are running as an Administrator": In my eyes this only works if the ransomware is able to do a privilege escalation, which needs some sort of exploit, right? 2. The article also doesn't mention access rights/group policies -- so it seems there are none? – munro Feb 19 '16 at 20:00
  • 1. Correct. 2. You could use software restriction policies to disable access to vssadmin.exe, I suppose. – TheCleaner Feb 22 '16 at 19:32
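Since the answer identifies the exact command ransomware runs (`vssadmin.exe Delete Shadows /All /Quiet`), a defender can alert on it even where vssadmin itself is not disabled. The following is an added example, not code from the answer or the linked article: a small Python scanner over constructed, flattened 4688-style process-creation events (the key=value layout, user names and paths are assumptions made for this example) that flags any vssadmin shadow-deletion, tolerating case, spacing and full-path variants of the command.

```python
import re
from dataclasses import dataclass

# Constructed sample of process-creation events (Windows 4688-style, flattened
# to one key=value line per event). Values and user names are made up.
SAMPLE_EVENTS = r'''
EventID=4688 SubjectUserName=alice NewProcessName=C:\Windows\System32\notepad.exe CommandLine="notepad.exe report.txt"
EventID=4688 SubjectUserName=alice NewProcessName=C:\Windows\System32\vssadmin.exe CommandLine="vssadmin.exe Delete Shadows /All /Quiet"
EventID=4688 SubjectUserName=SYSTEM NewProcessName=C:\Windows\System32\vssadmin.exe CommandLine="vssadmin.exe list shadows"
EventID=4688 SubjectUserName=bob NewProcessName=C:\Windows\System32\vssadmin.exe CommandLine="C:\Windows\System32\VSSADMIN.EXE  delete  shadows  /all  /quiet"
'''

# key=value pairs; a quoted value may contain spaces (the command line does).
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Finding:
    user: str
    command_line: str


def parse_event(line: str) -> dict:
    """Turn one flattened event line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def is_shadow_delete(command_line: str) -> bool:
    """True if the command line invokes vssadmin to delete shadow copies.
    Case-insensitive; tolerates extra spaces, a full path to the binary and
    any option order, so trivial rewrites of the command are still caught."""
    tokens = command_line.lower().split()
    if not tokens:
        return False
    image = tokens[0].strip('"').rsplit('\\', 1)[-1]  # basename of argv[0]
    if image not in ('vssadmin', 'vssadmin.exe'):
        return False
    return 'delete' in tokens[1:] and 'shadows' in tokens[1:]


def find_shadow_deletions(log_text: str) -> list:
    """Scan flattened 4688 events and return one Finding per matching process."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev.get('EventID') == '4688' and is_shadow_delete(ev.get('CommandLine', '')):
            findings.append(Finding(ev.get('SubjectUserName', '?'), ev['CommandLine']))
    return findings


if __name__ == '__main__':
    for f in find_shadow_deletions(SAMPLE_EVENTS):
        print(f'ALERT user={f.user!r} cmd={f.command_line!r}')
```

Whether the invoking account is an administrator is not checked here; listing shadows (as SYSTEM does in the sample) is deliberately not flagged, since only deletion is the behaviour the answer describes.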