Is File History effective versus ransomware?

    Question

  • Hi,

    Is File History effective versus ransomware?

    I suspect not, because if the user is infected, the disk (external or network location) is accessible from the malware too, so it will encrypt the folder used for File History.

    Is there any way to tune the ACL accordingly so the "File History" folder is not accessible from the malware?

    What do you think about it?

    Thanks,

    Thursday, June 2, 2016 9:48 AM

Answers

  • Accessing File History requires administrator privilege, so if you run a program it will run as a standard user when UAC is on. So if you run malware it might encrypt files, but it couldn't encrypt or delete File History unless it uses some sort of 0-days.

    It is also recommended to use an external hard disk to keep a copy of files.

    Thursday, June 2, 2016 4:24 PM
  • Are you sure you are not confusing "File History" with "Image Backup"?

    The old image backup does indeed require administrator privileges, and thus allows using a target directory where a user has no access rights.

    But in my tests with File History I can simply browse to the folder which is referenced as "TargetName" in "%LOCALAPPDATA%\Microsoft\Windows\FileHistory\Configuration\Config1.xml" and delete random files.

    So in my understanding the more modern backup system does NOT protect you from cryptoware, while the older Windows 7 backup system does.

    Or perhaps there is something I need to configure differently on my NAS?

    Thursday, June 2, 2016 8:08 PM
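
The test described in the reply above can be repeated as a script. This is an added example, not code from the thread: it reports whether the current non-elevated user can create and delete files in the File History target. The `-TargetPath` parameter is hypothetical, and the fallback lookup assumes the `TargetName` element mentioned in the post holds a path reachable from the session.

```powershell
# Added example: run as the everyday (non-elevated) user, NOT from an admin prompt.
param(
    # Hypothetical parameter: the folder File History writes to. If omitted, the value is
    # taken from the TargetName element of the config file named in the post above
    # (assumption: that element holds a path reachable from this session).
    [string]$TargetPath
)

$cfg = Join-Path $env:LOCALAPPDATA 'Microsoft\Windows\FileHistory\Configuration\Config1.xml'
if (-not $TargetPath -and (Test-Path -LiteralPath $cfg)) {
    $node = ([xml](Get-Content -LiteralPath $cfg -Raw)).SelectSingleNode("//*[local-name()='TargetName']")
    if ($node) { $TargetPath = $node.InnerText }
}
if (-not $TargetPath -or -not (Test-Path -LiteralPath $TargetPath -PathType Container)) {
    throw "Target folder not found: '$TargetPath'. Pass -TargetPath explicitly."
}

# 1. Static view: Allow ACEs granting write/delete to this user or one of its groups.
$me      = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$sids    = @($me.User.Value) + @($me.Groups | ForEach-Object { $_.Value })
$mask    = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles'
$sidType = [System.Security.Principal.SecurityIdentifier]
$aces = (Get-Acl -LiteralPath $TargetPath).GetAccessRules($true, $true, $sidType) |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $sids -contains $_.IdentityReference.Value -and
        (([int]$_.FileSystemRights -band $mask) -ne 0)
    }

# 2. Effective view: try to create and then delete a harmless canary file.
#    This also reflects share-level permissions on a NAS, which the ACL alone does not show.
$canary = Join-Path $TargetPath ('fh-acl-canary-{0}.tmp' -f [guid]::NewGuid())
$canCreate = $false; $canDelete = $false
try {
    Set-Content -LiteralPath $canary -Value 'canary' -ErrorAction Stop; $canCreate = $true
    Remove-Item -LiteralPath $canary -ErrorAction Stop;                 $canDelete = $true
} catch {
    # Access denied or read-only target: leave the flags as they are.
}

[pscustomobject]@{
    Target       = $TargetPath
    User         = $me.Name
    CanCreate    = $canCreate
    CanDelete    = $canDelete
    WritableAces = @($aces | ForEach-Object { '{0}: {1}' -f $_.IdentityReference.Value, $_.FileSystemRights })
}
```

If `CanCreate` or `CanDelete` comes back `True`, any process running as that user has the same access to the backup folder.
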
  • Hi Fabri_Fabri,

    File History is a new feature released after Windows 8.1 to back up and restore our files and folders.
    A File History will be created to back up your files and folders; it is a normal folder like any other.
    It does not provide protection against malware.

    To prevent your system from being infected by malware, we could keep a security application running to protect your system, such as Microsoft Security Essentials.
    As Cyber_Defend_Team said, you can also back up your data to an external hard drive or network location.

    Best regards


    Please mark the reply as an answer if you find it is helpful.

    If you have feedback for TechNet Support, contact tnmff@microsoft.com

    Friday, June 3, 2016 8:49 AM
    Moderator
