Open ghost opened 3 years ago
As long as it works, I can't see any reason to do it in a different way.
So I've been thinking about this a little bit. At the moment we target the client to implement the functionality.
Looking at the design (https://docs.microsoft.com/en-us/windows/win32/vss/in-box-vss-writers) and also the implementation C:\WINDOWS\system32\vssvc.exe, I wonder if we disable delete on the server side.
As long as it works, I can't see any reason to do it in a different way.
I think you are missing the point, if the entire system can be bypassed so easily ...
Ransomware seeking to avoid this protection can simply call the VSS API directly rather than invoking vssadmin, e.g. IVssBackupComponents::DeleteSnapshots.