MS Adds Ransomware Protection to OneDrive
-
@scottalanmiller said in MS Adds Ransomware Protection to OneDrive:
@brrabill said in MS Adds Ransomware Protection to OneDrive:
Well, most people upon reading that title would assume the OP meant the files themselves were protected from ransomware while on OneDrive.
That doesn't even mean anything. Why would people think something like that?
Because no one else thinks like MLNEWS? (I'll leave you out of it.
) -
@brrabill said in MS Adds Ransomware Protection to OneDrive:
@scottalanmiller said in MS Adds Ransomware Protection to OneDrive:
@brrabill said in MS Adds Ransomware Protection to OneDrive:
Well, most people upon reading that title would assume the OP meant the files themselves were protected from ransomware while on OneDrive.
That doesn't even mean anything. Why would people think something like that?
Because no one else thinks like MLNEWS? (I'll leave you out of it.
)But what DO they think?
-
If I said to you
"Cloud Storage Service XYZ now offers virus protection" ... what would you think that means?
-
@brrabill said in MS Adds Ransomware Protection to OneDrive:
If I said to you
"Cloud Storage Service XYZ now offers virus protection" ... what would you think that means?
That it has some technology that reduces the risk of getting a virus infection when using that platform.
-
@brrabill said in MS Adds Ransomware Protection to OneDrive:
If I said to you
"Cloud Storage Service XYZ now offers virus protection" ... what would you think that means?
I guess the bigger question is... what would you think that it means? I just think that it means what it says.
-
OK I see what's going on here.
@BRRABill is looking at this as if this new protection is like antivirus on an endpoint - AV's job is to stop virus from getting in in the first place - so Bill is reading Scott's post to mean that MS is preventing cryptolocking the files at all.
While I suppose I can see where Bill is coming from - I didn't see it that way at all.
You can't prevent cryptolocking, short of preventing the malware that's causing it in the first place, which MS can't do when it comes to OneDrive because users don't execute things on OneDrive, they simply store files there. OneDrive has no clue if the file is encrypted or not when syncing. I mean sure MS could try to open every file as it's saved and see if it requires a password, or simply fails - but what about file types that MS doesn't know about? That idea of MS knowing encrypted/not encrypted seems crazy. -
Perhaps Bill would rather see a title like:
MS adds Ransomware Recovery to OneDrive.
I think that directly conveys that if you get ransomware, that you have a recovery option.
-
@dashrender said in MS Adds Ransomware Protection to OneDrive:
OK I see what's going on here.
@BRRABill is looking at this as if this new protection is like antivirus on an endpoint - AV's job is to stop virus from getting in in the first place - so Bill is reading Scott's post to mean that MS is preventing cryptolocking the files at all.
That's not what AV does, though. Nor is it what "protection" implies. AV's job is NOT to stop virus from getting there in the first place, it's to limit its ability to hurt you once it is there.
-
@dashrender said in MS Adds Ransomware Protection to OneDrive:
- so Bill is reading Scott's post to mean that MS is preventing cryptolocking the files at all.
That would be called prevention, not protection.
-
@dashrender said in MS Adds Ransomware Protection to OneDrive:
You can't prevent cryptolocking, short of preventing the malware that's causing it in the first place, which MS can't do when it comes to OneDrive because users don't execute things on OneDrive, they simply store files there.
Right, claiming to stop it from happening ever makes no sense. What would that even mean?
Like AV, it works to protect against bad things happening. Like AV, it can't prevent, it just protects.
-
I'd like to see...
MS adds versioning to Onedrive, and versioning can help if you get infected with malware
Of course, in a sexier title!
-
@scottalanmiller said in MS Adds Ransomware Protection to OneDrive:
@dashrender said in MS Adds Ransomware Protection to OneDrive:
OK I see what's going on here.
@BRRABill is looking at this as if this new protection is like antivirus on an endpoint - AV's job is to stop virus from getting in in the first place - so Bill is reading Scott's post to mean that MS is preventing cryptolocking the files at all.
That's not what AV does, though. Nor is it what "protection" implies. AV's job is NOT to stop virus from getting there in the first place, it's to limit its ability to hurt you once it is there.
I currently don't agree that AV is limit it's ability to hurt you. If the AV never understands a specific virus, it will limit anything with regard to that virus.
You'll need to sell me on this belief. -
@brrabill said in MS Adds Ransomware Protection to OneDrive:
I'd like to see...
MS adds versioning to Onedrive, and versioning can help if you get infected with malware
Of course, in a sexier title!
But other than putting a full explanation of HOW something is achieved, what is the point of that?
Especially given that the article it linked to was about ransomware protection.
-
@dashrender said in MS Adds Ransomware Protection to OneDrive:
@scottalanmiller said in MS Adds Ransomware Protection to OneDrive:
@dashrender said in MS Adds Ransomware Protection to OneDrive:
OK I see what's going on here.
@BRRABill is looking at this as if this new protection is like antivirus on an endpoint - AV's job is to stop virus from getting in in the first place - so Bill is reading Scott's post to mean that MS is preventing cryptolocking the files at all.
That's not what AV does, though. Nor is it what "protection" implies. AV's job is NOT to stop virus from getting there in the first place, it's to limit its ability to hurt you once it is there.
I currently don't agree that AV is limit it's ability to hurt you. If the AV never understands a specific virus, it will limit anything with regard to that virus.
You'll need to sell me on this belief.So what do you think the purpose of AV is?
Any not all AV uses virus specific data, so how does that apply?
-
@scottalanmiller said in MS Adds Ransomware Protection to OneDrive:
@dashrender said in MS Adds Ransomware Protection to OneDrive:
@scottalanmiller said in MS Adds Ransomware Protection to OneDrive:
@dashrender said in MS Adds Ransomware Protection to OneDrive:
OK I see what's going on here.
@BRRABill is looking at this as if this new protection is like antivirus on an endpoint - AV's job is to stop virus from getting in in the first place - so Bill is reading Scott's post to mean that MS is preventing cryptolocking the files at all.
That's not what AV does, though. Nor is it what "protection" implies. AV's job is NOT to stop virus from getting there in the first place, it's to limit its ability to hurt you once it is there.
I currently don't agree that AV is limit it's ability to hurt you. If the AV never understands a specific virus, it will limit anything with regard to that virus.
You'll need to sell me on this belief.So what do you think the purpose of AV is?
Any not all AV uses virus specific data, so how does that apply?
I think the purpose is to stop it at the edge. Once it's in - you can't trust the system anymore, the bug could get under the AV and AV will never be able to stop it.
You don't need virus specific data - heuristics catch that crap too. It's one of the reason that some virus today have time delays built in. Sure you can watch what the virus does for 20 seconds, doesn't appear malicious, so you just let it in, then time bomb explodes.If the virus doesn't actually disable the virus - then when the AV becomes aware of it, AV can try to mitigate it.
I like Webroot's approach though - see's new file - watches it for a few seconds - OK you seem OK, but before allowing that new file touch/change files on the system, Webroot journals those files for recovery later (until the journal runs out of space).
-
@dashrender said in MS Adds Ransomware Protection to OneDrive:
@scottalanmiller said in MS Adds Ransomware Protection to OneDrive:
@dashrender said in MS Adds Ransomware Protection to OneDrive:
@scottalanmiller said in MS Adds Ransomware Protection to OneDrive:
@dashrender said in MS Adds Ransomware Protection to OneDrive:
OK I see what's going on here.
@BRRABill is looking at this as if this new protection is like antivirus on an endpoint - AV's job is to stop virus from getting in in the first place - so Bill is reading Scott's post to mean that MS is preventing cryptolocking the files at all.
That's not what AV does, though. Nor is it what "protection" implies. AV's job is NOT to stop virus from getting there in the first place, it's to limit its ability to hurt you once it is there.
I currently don't agree that AV is limit it's ability to hurt you. If the AV never understands a specific virus, it will limit anything with regard to that virus.
You'll need to sell me on this belief.So what do you think the purpose of AV is?
Any not all AV uses virus specific data, so how does that apply?
I think the purpose is to stop it at the edge.
That's not where AV stops it. So while that's a nice theory, it doesn't apply to AV, or to ransomware protection here.
-
@dashrender said in MS Adds Ransomware Protection to OneDrive:
Once it's in - you can't trust the system anymore, the bug could get under the AV and AV will never be able to stop it.
No, getting in is of zero concern. Being executed and allowed to run is when you have issues.
The whole "it can't get onto the network" fear is 100% FUD.
-
@scottalanmiller said in MS Adds Ransomware Protection to OneDrive:
@dashrender said in MS Adds Ransomware Protection to OneDrive:
Once it's in - you can't trust the system anymore, the bug could get under the AV and AV will never be able to stop it.
No, getting in is of zero concern. Being executed and allowed to run is when you have issues.
The whole "it can't get onto the network" fear is 100% FUD.
OK I see what you're saying - it's FUD because if you download it, who cares - only when you execute it that it's a problem.
And by edge I meant the edge of the device, not the edge of the network.
-
@dashrender said in MS Adds Ransomware Protection to OneDrive:
@scottalanmiller said in MS Adds Ransomware Protection to OneDrive:
@dashrender said in MS Adds Ransomware Protection to OneDrive:
Once it's in - you can't trust the system anymore, the bug could get under the AV and AV will never be able to stop it.
No, getting in is of zero concern. Being executed and allowed to run is when you have issues.
The whole "it can't get onto the network" fear is 100% FUD.
OK I see what you're saying - it's FUD because if you download it, who cares - only when you execute it that it's a problem.
And by edge I meant the edge of the device, not the edge of the network.
I see. But even there, most traditional AV don't behave like edge, they allow the malware to make it all the way to disk, and clean up either on scan or before executing.
-
@scottalanmiller said in MS Adds Ransomware Protection to OneDrive:
@dashrender said in MS Adds Ransomware Protection to OneDrive:
@scottalanmiller said in MS Adds Ransomware Protection to OneDrive:
@dashrender said in MS Adds Ransomware Protection to OneDrive:
Once it's in - you can't trust the system anymore, the bug could get under the AV and AV will never be able to stop it.
No, getting in is of zero concern. Being executed and allowed to run is when you have issues.
The whole "it can't get onto the network" fear is 100% FUD.
OK I see what you're saying - it's FUD because if you download it, who cares - only when you execute it that it's a problem.
And by edge I meant the edge of the device, not the edge of the network.
I see. But even there, most traditional AV don't behave like edge, they allow the malware to make it all the way to disk, and clean up either on scan or before executing.
yeah, the scan once the file is complete seems to be the more normal way I see it go down - I I wonder if this is for end user experience?
Could the file be scanned reliably while in transit?UTMs claim to do this - the UTM downloads the file, and trickle's the content of the file to the end user until the whole file is downloaded and scanned by the UTM, then the UTM blasts it to the end device as fast as the local network will allow - at least that was my last experience with them.
So not sure why normal AV can't/doesn't do the same?
