Does Windows 10 File History protect against crypto malware

11

Is the saved data generated by Windows 10's file history feature isolated from users and administrators? I'm asking this after reading of the recent crypto attack against OSX machines where time machine backups were safe because the files are only accessible to a special user and even with access to the drive the malware wasn't able to encrypt time machine's data store.

I was wondering if Windows 10's feature provides similar protection. There is a similar question to this but the answers simply suggest different backup strategies and don't actually answer the question.

note: I realize that the most secure solution involves backing up to drives that are physically disconnected, there's no need to suggest that - I'm only looking for a specific answer to this question

George Kendros

Posted 2016-03-08T16:43:09.300

Reputation: 353

Is it backed up off machine somehow? Then, no. – Fiasco Labs – 2016-03-08T17:15:30.083

Answers

9

Not with the newer variants of the common ransomware schemes. One of the first things they'll do is trash the backup copies of files before encrypting the primary ones.

If your key is not available using the above methods, the only methods you have of restoring your files is from a backup or Shadow Volume Copies if you have System Restore enabled. Newer variants of CryptoLocker attempt to delete the Shadow Copies, but it is not always successful. More information about how to restore your files via Shadow Volume Copies can be found in this section below.

It appears the method used by the malware to disable the history feature (shadow copies, internally) isn't always successful, but it's hardly worth relying on.

Considering there is malware running with permissions to touch every file on your computer, you really can't trust any of your computer's defense mechanisms to stop the process once it's been activated. The only sure way to avoid these problems is to not execute the malware in the first place.

Mikey T.K.

Posted 2016-03-08T16:43:09.300

Reputation: 3 224

One of the insidious things about ransomware is that it can do significant damage, even without "running with permissions to touch every file on your computer". – Ben Voigt – 2016-03-08T19:31:54.307

It's not something I want to be relying on 100%. I will still have my backups on a physically disconnected drive. The problem is that these are less frequently done and will typically have older versions of files (and will potentially be completely missing many files). I was looking for a companion backup system which runs an up to date backup on a connected device but contains some mitigation techniques to try and prevent malware from directly overwriting its data store. Something like Time Machine on OS X (which proved to be safe in the recent attack). – George Kendros – 2016-03-08T21:20:32.120

1

Hard if not impossible - the fact that you have a "connected device" means that the malware has the same access to it you do. The only good backups are offline. That said, a mitigation might be to use a device like an LTO tape drive (they're getting cheap nowadays) and then some dedicated backup software like Bareos or Networker. I'm aware of no malware that targets tape backups. They may exist though, so beware :) – Mikey T.K. – 2016-03-08T21:30:00.477

If I was going to go with dedicated devices, it would probably just be easier to run a box that can see/access all the files on my computer but which is completely invisible to my main computer. In terms of having the same access to a connected device as me, I think the benefit of Time Machine was that a user or even admin had no access. Only the backup agent did and apparently even when the malware elevated to admin, it wasn't able to touch this data. – George Kendros – 2016-03-08T21:45:25.553
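The answer above says ransomware tries to remove Shadow Copies before encrypting, and the comments turn on whether the backup store is reachable by the logged-on user at all. The script below is an added example (not from this thread or from Microsoft) that checks both on a Windows 10 machine: it lists the Volume Shadow Copies currently present and then reads the DACL of the File History target folder to report whether the account running the script holds write or delete rights on it, which is exactly the isolation property the question asks about. It assumes PowerShell 5.1 or later; $BackupRoot is a placeholder you must point at your own File History target.

```powershell
# Added example, not from the thread. Assumes Windows 10 with PowerShell 5.1 or later.
# $BackupRoot is a placeholder: point it at the folder File History writes to.
param(
    [string]$BackupRoot = 'D:\FileHistory'   # placeholder path, adjust for your setup
)

function Get-ShadowCopySummary {
    # Lists Volume Shadow Copies (what System Restore / Previous Versions restore from).
    # Enumeration may need an elevated prompt; an empty result is reported as such.
    $copies = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue)
    foreach ($c in $copies) {
        [pscustomobject]@{
            Id      = $c.ID
            Volume  = $c.VolumeName
            Created = $c.InstallDate
        }
    }
}

function Test-BackupTargetModifiable {
    # Can the account running this script (and therefore any program it launches)
    # overwrite or delete files under $Path? Only the DACL as seen by the current
    # token is evaluated; an elevated process that takes ownership is not modelled.
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Exists = $false; CanModify = $null; MatchingAces = @() }
    }

    $acl       = Get-Acl -LiteralPath $Path
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    $sidType   = [System.Security.Principal.SecurityIdentifier]
    # Rights that let a process destroy backup contents: write into files or delete them.
    $destructive = [System.Security.AccessControl.FileSystemRights]::WriteData -bor
                   [System.Security.AccessControl.FileSystemRights]::Delete

    $allow = $false; $deny = $false; $matching = @()
    foreach ($ace in $acl.Access) {
        # Skip identities that cannot be resolved to a SID on this machine.
        try { $sid = $ace.IdentityReference.Translate($sidType) } catch { continue }
        if (-not $principal.IsInRole($sid)) { continue }
        if (($ace.FileSystemRights -band $destructive) -eq 0) { continue }
        $matching += $ace
        if ($ace.AccessControlType -eq 'Deny') { $deny = $true } else { $allow = $true }
    }
    [pscustomobject]@{
        Path         = $Path
        Exists       = $true
        CanModify    = ($allow -and -not $deny)   # a matching Deny ACE overrides Allow
        MatchingAces = $matching
    }
}

$shadow = @(Get-ShadowCopySummary)
if ($shadow.Count -eq 0) {
    Write-Warning 'No Volume Shadow Copies found (or none visible from this prompt).'
} else {
    "Shadow copies present: $($shadow.Count)"
    $shadow | Format-Table -AutoSize
}

$target = Test-BackupTargetModifiable -Path $BackupRoot
if (-not $target.Exists) {
    Write-Warning "Backup target $($target.Path) not found."
} elseif ($target.CanModify) {
    Write-Warning "Current user can write to or delete files under $($target.Path); the store is not isolated from this account."
    $target.MatchingAces | Select-Object IdentityReference, FileSystemRights, AccessControlType | Format-Table -AutoSize
} else {
    "Current user has no write/delete rights on $($target.Path)."
}
```

Run it from the normal, non-elevated account you use day to day, since that is the token malware launched from a document or download would inherit. A "can write to or delete" result on the File History folder is the practical answer to the question: the store is only as protected as the account that writes to it, which is the situation the comments describe as unavoidable for any mounted device.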