MS Adds Ransomware Protection to OneDrive



  • If I said to you

    "Cloud Storage Service XYZ now offers virus protection" ... what would you think that means?



  • @brrabill said in MS Adds Ransomware Protection to OneDrive:

    If I said to you

    "Cloud Storage Service XYZ now offers virus protection" ... what would you think that means?

    That it has some technology that reduces the risk of getting a virus infection when using that platform.



  • @brrabill said in MS Adds Ransomware Protection to OneDrive:

    If I said to you

    "Cloud Storage Service XYZ now offers virus protection" ... what would you think that means?

    I guess the bigger question is... what would you think that it means? I just think that it means what it says.



  • OK I see what's going on here.

    @BRRABill is looking at this as if this new protection is like antivirus on an endpoint - AV's job is to stop virus from getting in in the first place - so Bill is reading Scott's post to mean that MS is preventing cryptolocking the files at all.

    While I suppose I can see where Bill is coming from - I didn't see it that way at all.
    You can't prevent cryptolocking, short of preventing the malware that's causing it in the first place, which MS can't do when it comes to OneDrive because users don't execute things on OneDrive, they simply store files there. OneDrive has no clue if the file is encrypted or not when syncing. I mean sure MS could try to open every file as it's saved and see if it requires a password, or simply fails - but what about file types that MS doesn't know about? That idea of MS knowing encrypted/not encrypted seems crazy.



  • Perhaps Bill would rather see a title like:

    MS adds Ransomware Recovery to OneDrive.

    I think that directly conveys that if you get ransomware, that you have a recovery option.



  • @dashrender said in MS Adds Ransomware Protection to OneDrive:

    OK I see what's going on here.

    @BRRABill is looking at this as if this new protection is like antivirus on an endpoint - AV's job is to stop virus from getting in in the first place - so Bill is reading Scott's post to mean that MS is preventing cryptolocking the files at all.

    That's not what AV does, though. Nor is it what "protection" implies. AV's job is NOT to stop virus from getting there in the first place, it's to limit its ability to hurt you once it is there.



  • @dashrender said in MS Adds Ransomware Protection to OneDrive:

    • so Bill is reading Scott's post to mean that MS is preventing cryptolocking the files at all.

    That would be called prevention, not protection.



  • @dashrender said in MS Adds Ransomware Protection to OneDrive:

    You can't prevent cryptolocking, short of preventing the malware that's causing it in the first place, which MS can't do when it comes to OneDrive because users don't execute things on OneDrive, they simply store files there.

    Right, claiming to stop it from happening ever makes no sense. What would that even mean?

    Like AV, it works to protect against bad things happening. Like AV, it can't prevent, it just protects.



  • I'd like to see...

    MS adds versioning to Onedrive, and versioning can help if you get infected with malware

    Of course, in a sexier title!



  • @scottalanmiller said in MS Adds Ransomware Protection to OneDrive:

    @dashrender said in MS Adds Ransomware Protection to OneDrive:

    OK I see what's going on here.

    @BRRABill is looking at this as if this new protection is like antivirus on an endpoint - AV's job is to stop virus from getting in in the first place - so Bill is reading Scott's post to mean that MS is preventing cryptolocking the files at all.

    That's not what AV does, though. Nor is it what "protection" implies. AV's job is NOT to stop virus from getting there in the first place, it's to limit its ability to hurt you once it is there.

    I currently don't agree that AV is limit it's ability to hurt you. If the AV never understands a specific virus, it will limit anything with regard to that virus.
    You'll need to sell me on this belief.



  • @brrabill said in MS Adds Ransomware Protection to OneDrive:

    I'd like to see...

    MS adds versioning to Onedrive, and versioning can help if you get infected with malware

    Of course, in a sexier title!

    But other than putting a full explanation of HOW something is achieved, what is the point of that?

    Especially given that the article it linked to was about ransomware protection.



  • @dashrender said in MS Adds Ransomware Protection to OneDrive:

    @scottalanmiller said in MS Adds Ransomware Protection to OneDrive:

    @dashrender said in MS Adds Ransomware Protection to OneDrive:

    OK I see what's going on here.

    @BRRABill is looking at this as if this new protection is like antivirus on an endpoint - AV's job is to stop virus from getting in in the first place - so Bill is reading Scott's post to mean that MS is preventing cryptolocking the files at all.

    That's not what AV does, though. Nor is it what "protection" implies. AV's job is NOT to stop virus from getting there in the first place, it's to limit its ability to hurt you once it is there.

    I currently don't agree that AV is limit it's ability to hurt you. If the AV never understands a specific virus, it will limit anything with regard to that virus.
    You'll need to sell me on this belief.

    So what do you think the purpose of AV is?

    Any not all AV uses virus specific data, so how does that apply?



  • @scottalanmiller said in MS Adds Ransomware Protection to OneDrive:

    @dashrender said in MS Adds Ransomware Protection to OneDrive:

    @scottalanmiller said in MS Adds Ransomware Protection to OneDrive:

    @dashrender said in MS Adds Ransomware Protection to OneDrive:

    OK I see what's going on here.

    @BRRABill is looking at this as if this new protection is like antivirus on an endpoint - AV's job is to stop virus from getting in in the first place - so Bill is reading Scott's post to mean that MS is preventing cryptolocking the files at all.

    That's not what AV does, though. Nor is it what "protection" implies. AV's job is NOT to stop virus from getting there in the first place, it's to limit its ability to hurt you once it is there.

    I currently don't agree that AV is limit it's ability to hurt you. If the AV never understands a specific virus, it will limit anything with regard to that virus.
    You'll need to sell me on this belief.

    So what do you think the purpose of AV is?

    Any not all AV uses virus specific data, so how does that apply?

    I think the purpose is to stop it at the edge. Once it's in - you can't trust the system anymore, the bug could get under the AV and AV will never be able to stop it.
    You don't need virus specific data - heuristics catch that crap too. It's one of the reason that some virus today have time delays built in. Sure you can watch what the virus does for 20 seconds, doesn't appear malicious, so you just let it in, then time bomb explodes.

    If the virus doesn't actually disable the virus - then when the AV becomes aware of it, AV can try to mitigate it.

    I like Webroot's approach though - see's new file - watches it for a few seconds - OK you seem OK, but before allowing that new file touch/change files on the system, Webroot journals those files for recovery later (until the journal runs out of space).



  • @dashrender said in MS Adds Ransomware Protection to OneDrive:

    @scottalanmiller said in MS Adds Ransomware Protection to OneDrive:

    @dashrender said in MS Adds Ransomware Protection to OneDrive:

    @scottalanmiller said in MS Adds Ransomware Protection to OneDrive:

    @dashrender said in MS Adds Ransomware Protection to OneDrive:

    OK I see what's going on here.

    @BRRABill is looking at this as if this new protection is like antivirus on an endpoint - AV's job is to stop virus from getting in in the first place - so Bill is reading Scott's post to mean that MS is preventing cryptolocking the files at all.

    That's not what AV does, though. Nor is it what "protection" implies. AV's job is NOT to stop virus from getting there in the first place, it's to limit its ability to hurt you once it is there.

    I currently don't agree that AV is limit it's ability to hurt you. If the AV never understands a specific virus, it will limit anything with regard to that virus.
    You'll need to sell me on this belief.

    So what do you think the purpose of AV is?

    Any not all AV uses virus specific data, so how does that apply?

    I think the purpose is to stop it at the edge.

    That's not where AV stops it. So while that's a nice theory, it doesn't apply to AV, or to ransomware protection here.



  • @dashrender said in MS Adds Ransomware Protection to OneDrive:

    Once it's in - you can't trust the system anymore, the bug could get under the AV and AV will never be able to stop it.

    No, getting in is of zero concern. Being executed and allowed to run is when you have issues.

    The whole "it can't get onto the network" fear is 100% FUD.



  • @scottalanmiller said in MS Adds Ransomware Protection to OneDrive:

    @dashrender said in MS Adds Ransomware Protection to OneDrive:

    Once it's in - you can't trust the system anymore, the bug could get under the AV and AV will never be able to stop it.

    No, getting in is of zero concern. Being executed and allowed to run is when you have issues.

    The whole "it can't get onto the network" fear is 100% FUD.

    OK I see what you're saying - it's FUD because if you download it, who cares - only when you execute it that it's a problem.

    And by edge I meant the edge of the device, not the edge of the network.



  • @dashrender said in MS Adds Ransomware Protection to OneDrive:

    @scottalanmiller said in MS Adds Ransomware Protection to OneDrive:

    @dashrender said in MS Adds Ransomware Protection to OneDrive:

    Once it's in - you can't trust the system anymore, the bug could get under the AV and AV will never be able to stop it.

    No, getting in is of zero concern. Being executed and allowed to run is when you have issues.

    The whole "it can't get onto the network" fear is 100% FUD.

    OK I see what you're saying - it's FUD because if you download it, who cares - only when you execute it that it's a problem.

    And by edge I meant the edge of the device, not the edge of the network.

    I see. But even there, most traditional AV don't behave like edge, they allow the malware to make it all the way to disk, and clean up either on scan or before executing.



  • @scottalanmiller said in MS Adds Ransomware Protection to OneDrive:

    @dashrender said in MS Adds Ransomware Protection to OneDrive:

    @scottalanmiller said in MS Adds Ransomware Protection to OneDrive:

    @dashrender said in MS Adds Ransomware Protection to OneDrive:

    Once it's in - you can't trust the system anymore, the bug could get under the AV and AV will never be able to stop it.

    No, getting in is of zero concern. Being executed and allowed to run is when you have issues.

    The whole "it can't get onto the network" fear is 100% FUD.

    OK I see what you're saying - it's FUD because if you download it, who cares - only when you execute it that it's a problem.

    And by edge I meant the edge of the device, not the edge of the network.

    I see. But even there, most traditional AV don't behave like edge, they allow the malware to make it all the way to disk, and clean up either on scan or before executing.

    yeah, the scan once the file is complete seems to be the more normal way I see it go down - I I wonder if this is for end user experience?
    Could the file be scanned reliably while in transit?

    UTMs claim to do this - the UTM downloads the file, and trickle's the content of the file to the end user until the whole file is downloaded and scanned by the UTM, then the UTM blasts it to the end device as fast as the local network will allow - at least that was my last experience with them.

    So not sure why normal AV can't/doesn't do the same?



  • @dashrender said in MS Adds Ransomware Protection to OneDrive:
    e?

    Could the file be scanned reliably while in transit?

    Not generally unless you do an intentional man in the middle thing like UTMs tend to do. But then you introduce a ton of latency because you have to scan traffic that is of no concern instead of only things that are risky.



  • @dashrender said in MS Adds Ransomware Protection to OneDrive:

    So not sure why normal AV can't/doesn't do the same?

    Because it's a horrible model, we don't want that on a UTM, don't want it on the end user device. A UTM is stuck and has to suck in this way. An end point doesn't have that limitation. So no reason to do it so poorly when it's not necessary.



  • @scottalanmiller said in MS Adds Ransomware Protection to OneDrive:

    @dashrender said in MS Adds Ransomware Protection to OneDrive:
    e?

    Could the file be scanned reliably while in transit?

    Not generally unless you do an intentional man in the middle thing like UTMs tend to do. But then you introduce a ton of latency because you have to scan traffic that is of no concern instead of only things that are risky.

    LOL - only things that are risky - there is a ton of risky transmissions in webpages... so I would see that as a possible benefit - but at the same time, I completely understand what you're saying.

    As for the latency - I'm sure there is some, but I really wonder how much is actually introduced - how long does it take to scan the file? Then you get LAN speeds of moving the file from the UTM to the device ( or in the case of AV on the device, you get bus speeds of moving the file from where ever AV puts it while downloading to your actual download location).



  • @dashrender said in MS Adds Ransomware Protection to OneDrive:

    @scottalanmiller said in MS Adds Ransomware Protection to OneDrive:

    @dashrender said in MS Adds Ransomware Protection to OneDrive:
    e?

    Could the file be scanned reliably while in transit?

    Not generally unless you do an intentional man in the middle thing like UTMs tend to do. But then you introduce a ton of latency because you have to scan traffic that is of no concern instead of only things that are risky.

    LOL - only things that are risky - there is a ton of risky transmissions in webpages... so I would see that as a possible benefit - but at the same time, I completely understand what you're saying.

    Only in certain parts of them, though. Like none in the HTML or CSS portions.



  • @dashrender said in MS Adds Ransomware Protection to OneDrive:

    As for the latency - I'm sure there is some, but I really wonder how much is actually introduced - how long does it take to scan the file?

    Quite a lot, typically, as it tends to saturate not only the network, but the CPU. It's impact on large files is not the issue, but it's impact on normal traffic that has to wait for those things.



  • @dashrender said in MS Adds Ransomware Protection to OneDrive:

    Then you get LAN speeds of moving the file from the UTM to the device ( or in the case of AV on the device, you get bus speeds of moving the file from where ever AV puts it while downloading to your actual download location).

    Of course, but you always had that. It's the extra latency is the issue. That it hits the LAN after scanning is neither here nor there.



  • Thought experiment...

    Bob downloads a 100GB file through his UTM. The UTM now needs to load and scan 100GB of data before it can deliver this file over the LAN. Bob doesn't care about the latency this adds as the overall download is so long, the scanning lantency is trivial in relationship to the whole.

    Jane is trying to access a web application with many tiny packets that is very latency sensitive like audio traffic or a database connection. How will the scanning of Bob's file impact the scanning of the small packets for Jane?



  • @scottalanmiller said in MS Adds Ransomware Protection to OneDrive:

    Thought experiment...

    Bob downloads a 100GB file through his UTM. The UTM now needs to load and scan 100GB of data before it can deliver this file over the LAN. Bob doesn't care about the latency this adds as the overall download is so long, the scanning lantency is trivial in relationship to the whole.

    Jane is trying to access a web application with many tiny packets that is very latency sensitive like audio traffic or a database connection. How will the scanning of Bob's file impact the scanning of the small packets for Jane?

    Well - that's what white listing is for.. but again, I see where you're going with that.



  • @dashrender said in MS Adds Ransomware Protection to OneDrive:

    @scottalanmiller said in MS Adds Ransomware Protection to OneDrive:

    Thought experiment...

    Bob downloads a 100GB file through his UTM. The UTM now needs to load and scan 100GB of data before it can deliver this file over the LAN. Bob doesn't care about the latency this adds as the overall download is so long, the scanning lantency is trivial in relationship to the whole.

    Jane is trying to access a web application with many tiny packets that is very latency sensitive like audio traffic or a database connection. How will the scanning of Bob's file impact the scanning of the small packets for Jane?

    Well - that's what white listing is for.. but again, I see where you're going with that.

    You mean whitelisting the smaller, more latency sensitive traffic? But if you have to whitelist things, what's the point of the scanning in the first place?



  • @brrabill said in MS Adds Ransomware Protection to OneDrive:

    Not what I was expecting.

    I see what you did there.

    It's directly from the article, and is how Microsoft is marketing it. Even so, it is ransomware protection:

    Microsoft is marketing the Files Restore feature as a good way to protect against ransomware attacks that lock files on a local PC, and often try to delete copies that are stored in synced folders – replicating those changes in the cloud. We’ve seen a number of these attacks recently, and victims have been forced to pay money to try and get their files back.

    If OneDrive detects mass deletion of cloud files, Microsoft will alert users through an email or mobile / desktop notification and a recovery process will let you quickly restore to a time before the ransomware attack. “It’s the first of its kind in the industry,” says Seth Patton, general manager of Office 365. “We believe OneDrive is the safest place to store your files.”



  • It's a great idea.

    Amazing they haven't had it up until now.

    Makes using OneDrive or ODfB so much easier if you can sync locally.