Defensive Technology: Ransomware Data Recovery



This content originally appeared on text/plain and was authored by ericlaw

In a prior installment we looked at Controlled Folder Access, a Windows feature designed to hamper ransomware attacks by preventing untrusted processes from modifying files in certain user folders. In today’s post, we look at the other feature on the Ransomware protection page of the Windows Security Center app: Ransomware data recovery.

User-Interface

The UI of the feature is simple and reflects the state of your cloud file provider (if any) which for most folks will be OneDrive. Depending on whether OneDrive is enabled, and what kind of account you have, you’ll see one of the following four sets of details:

[Image: Windows 11 Ransomware data recovery feature status]

What’s it do?

Conceptually, this whole feature is super-simple.

Ransomware works by encrypting your files with a secret key and holding that key for ransom. If you have a backup of your files, you can simply restore the files without paying the bad guys.

However, for backup to work well as a ransomware recovery method, you need

  1. to ensure that your backup processes don’t overwrite the legitimate files with the encrypted versions, and
  2. to easily recognize which files were modified by ransomware to replace them with their latest uncorrupted version.

The mechanism of this feature is quite simple: if Defender recognizes that a ransomware attack is underway, it battles the ransomware (killing its processes, etc.) and also notifies your cloud file provider of the timestamp of the detected infection. Internally, we’ve called this a shoulder tap, as if we tapped the backup software on the shoulder and said “Uh, hang on, this device is infected right now.”

This notice serves two purposes:

  1. To allow the file backup provider to pause backups until given an “all clear” (remediation complete) notification, and
  2. To allow the file backup provider to determine which files may have been modified since the start of the infection, so that it can restore their backups.
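To make the two requirements concrete, here is an added example that simulates a versioned backup provider reacting to the tap. It is not code from the original post, nor from OneDrive or Defender; the class and method names (`BackupStore`, `on_malware_found`, `on_remediation_complete`) are hypothetical stand-ins for the two notifications, and the file history and timestamps are constructed sample data. It goes slightly beyond the text in one respect: it keys the restore on the server-side time each version was received, not on the client-reported modification time, because a process that can encrypt your files can also forge their mtimes.

```python
"""Simulated cloud backup provider honouring a Defender 'shoulder tap'.

Added example (hypothetical names); the real notification interface is not public.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


def ts(minute: int) -> datetime:
    """Deterministic timestamp N minutes after a fixed epoch (constructed sample data)."""
    return datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc) + timedelta(minutes=minute)


class Version:
    def __init__(self, received: datetime, content: bytes):
        self.received = received   # server-side receipt time, NOT the client-reported mtime
        self.content = content


class BackupStore:
    """Versioned backup store: each path keeps every version ever uploaded."""

    def __init__(self) -> None:
        self.history: Dict[str, List[Version]] = {}
        self.paused = False
        self.infection_start: Optional[datetime] = None

    def upload(self, path: str, content: bytes, received: datetime) -> bool:
        # Requirement 1: while the device is flagged, refuse uploads so an encrypted
        # copy can never become the "latest" version of a file. Returns False if refused.
        if self.paused:
            return False
        self.history.setdefault(path, []).append(Version(received, content))
        return True

    def on_malware_found(self, detected_at: datetime) -> None:
        """Hypothetical stand-in for the OnDataCorruptionMalwareFoundNotification tap."""
        self.paused = True
        # If tapped twice, keep the earliest timestamp: widening the window is the safe direction.
        if self.infection_start is None or detected_at < self.infection_start:
            self.infection_start = detected_at

    def suspect_files(self) -> List[str]:
        """Requirement 2: paths whose latest version arrived at or after the infection start."""
        if self.infection_start is None:
            return []
        return sorted(p for p, vs in self.history.items()
                      if vs[-1].received >= self.infection_start)

    def restore_clean_versions(self, now: datetime) -> Dict[str, Optional[bytes]]:
        """Roll each suspect file back to its last version received before the infection.

        Returns {path: restored_content}; None means no clean version exists (e.g. a
        ransom note dropped during the attack), which the provider should surface to the
        user rather than silently keep.
        """
        result: Dict[str, Optional[bytes]] = {}
        for path in self.suspect_files():
            clean = [v for v in self.history[path] if v.received < self.infection_start]
            if clean:
                # Append rather than overwrite: the encrypted version stays in history for forensics.
                self.history[path].append(Version(now, clean[-1].content))
                result[path] = clean[-1].content
            else:
                result[path] = None
        return result

    def on_remediation_complete(self, now: datetime) -> Dict[str, Optional[bytes]]:
        """Hypothetical stand-in for OnRemediationNotification: restore, then resume syncing."""
        restored = self.restore_clean_versions(now)
        self.paused = False
        self.infection_start = None
        return restored


def latest(store: BackupStore, path: str) -> bytes:
    return store.history[path][-1].content


def demo():
    """Constructed scenario: normal edits, ransomware writes from minute 30, tap, remediation."""
    store = BackupStore()
    store.upload("docs/report.docx", b"Q3 draft", ts(0))
    store.upload("docs/report.docx", b"Q3 final", ts(10))
    store.upload("photos/cat.jpg", b"\xff\xd8cat", ts(12))
    store.upload("docs/report.docx", b"ENCRYPTED(report)", ts(30))   # ransomware
    store.upload("photos/cat.jpg", b"ENCRYPTED(cat)", ts(31))          # ransomware
    store.upload("README_DECRYPT.txt", b"pay 2 BTC", ts(32))          # ransom note
    store.on_malware_found(ts(30))                                     # the shoulder tap
    blocked = store.upload("docs/notes.txt", b"ENCRYPTED(notes)", ts(36))  # refused: paused
    restored = store.on_remediation_complete(ts(60))                  # the all-clear
    return blocked, restored, latest(store, "docs/report.docx")


if __name__ == "__main__":
    print(demo())
```

Note the design choice in `restore_clean_versions`: the encrypted versions are kept in history and the clean copy is appended as a newer version, so an investigator can still see what the ransomware wrote. If detection lagged behind the first encrypting write, the timestamp in the tap is later than the true start of the infection, which is why the store keeps the earliest timestamp it is given and why a real provider should lean toward a slightly wider window rather than a narrower one.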

Simple, right?

-Eric

Appendix: Extensibility

As far as I can tell, this feature represents a semi-public interface that allows third-party security software and cloud backup software to integrate with the Windows Security Center, via two notifications: OnDataCorruptionMalwareFoundNotification and OnRemediationNotification. Unfortunately, the documentation isn’t public; I suspect it’s only available to members of the Microsoft Virus Initiative program for AV partners.
