Neo23x0 / Raccine

A Simple Ransomware Vaccine
The Unlicense
944 stars 122 forks

Too easily bypassed #15

Open ghost opened 3 years ago

ghost commented 3 years ago

Ransomware seeking to avoid this protection can simply call the VSS API directly rather than invoking vssadmin, e.g. IVssBackupComponents::DeleteSnapshots.

Neo23x0 commented 3 years ago

As long as it works, I can't see any reason to do it in a different way.

olliencc commented 3 years ago

So I've been thinking about this a little bit. At the moment we target the client to implement the functionality.

Looking at the design (https://docs.microsoft.com/en-us/windows/win32/vss/in-box-vss-writers) and also the implementation C:\WINDOWS\system32\vssvc.exe, I wonder if we could disable delete on the server side.

RavenfireIT commented 3 years ago

As long as it works, I can't see any reason to do it in a different way.

I think you are missing the point: if the entire system can be bypassed so easily ...