The Anti-virus Times

Friday, October 21, 2016

We’ve already written quite a bit about encryption ransomware programs (the “Encrypt everything” category's issues are devoted to them). One measure that must be taken to keep data from being corrupted by encryption ransomware is installing an anti-virus—a necessary measure, but an insufficient one. Only fake anti-viruses guarantee 100% protection against encryption ransomware (this topic was discussed in the issue “False fears lead to wrong actions”).

This issue won’t touch upon obvious protection measures like installing updates, using complex passwords, and the need to work with limited rights. Today, let’s discuss how you can use the features of your Windows operating system together with your anti-virus to protect your data from encryption threats.

1. Perform backups

   Data can be backed up in many ways. But simply copying your files to another disk or via the network is not recommended since encoders can encrypt network folders. Of course, you can store your data online using Google Drive, Dropbox, and Flickr, but you need to remember that this method does not guarantee that files encrypted by the Trojan will not be deleted by their older versions. Therefore, the selected backup system must support the ability to store file versions, as has been implemented, for example, in the Data Loss Prevention feature of Dr.Web Security Space.

   

   To configure Data Loss Prevention, click on the icon in the system menu, and then in the newly appeared window, click on and select "Tools". In the next window, select Data Loss Prevention and enable the option to automatically create copies.

   After this, specify the files and folders to be copied.

   

   To add files and folders, click on the icon , and specify the objects to be protected.

   Select “Copy files…” to specify the frequency of backups and the storage location.

2. Enable the Window’s “System protection” feature

   As a rule, this feature is disabled by default.

   

   When the Windows system protection is enabled, the copies of critical system files and settings are created—for example, before installing any drivers, as well as on a regular schedule.

   Important! You can also create a restore point manually.

   To enable “System protection”, right-click on the icon “My computer” and select “Properties”. Next, click on “Advanced options” for the system and go to the “System protection” tab.

   The same tab can be accessed by clicking on “Start” → “Control Panel” → “System” → “System protection”.

   Advanced users do this in the command prompt or in the “Run” window (WIN + R) by entering rundll32.exe shell32.dll,Control_RunDLL sysdm.cpl,,4

   If at least one local drive is enabled (“On”) in the list of logical drives, “System protection” is already activated and restore points are being created.

   If "System protection” is disabled, select one of the local drives and click on “Configure”. With this, you can select the section with the maximum amount of free space.

   In the newly appeared window, select “Restore system settings and previous files versions” and use the slider “Maximum use”; set the maximum amount of disk space that the system will use to create restore points.

   Important! When you create new restore points, the old ones will be deleted.

   Double click on “OK”.

   Beginning with Windows 7, you can view a list of programs and drivers affected by the rollback for each recovery point. It is obvious that after a system restore, such programs may not work correctly. Thus, you can know beforehand which programs you may need to reinstall after the restore.

   To create a restore point manually, enable “System protection”.

   Go back to the “System protection” tab and click on “Create”. In the newly appeared window, enter a name for the restore point and click on “Create”. Wait for the message that indicates the operation was successful, and then click on “Close”.

   To restore files from backups, you must:

   • in the menu “Start-Search”, enter “Restore” and click on “System Restore”;
   • in the menu “Start-Search or in the window “Run ” (WIN + R), enter rstrui and then click on “Enter”;
   • in the Control Panel—“Backup/Restore” click on “Restore system settings or computer”, and then click on “System Restore”;
   • Open “Control Panel”-“System”-“System protection” , and then click on “System Restore”;

   In addition, you can start “System Restore” from the Windows RE environment

   In any case, you will end up at the “System Restore” window and then must select a checkpoint. You can select any restore point, not just the last one.

   

   

   If your operating system is able to create a backup of the system image, you can also select it as a restore point. To see this point, select “Show more restore points”.

   Also, in this window you can see which programs will be affected when files are restored from the backup. To do this, click on “Search the affected programs”.

   

   To start the restore, click on “Finish”.

   Important! If you accidentally selected the wrong point or restoration has not brought the desired results, you can cancel the last system restore. This is possible because before the restoration, Windows 7 also creates the checkpoint. To cancel the restoration, select “Undo system restore”.

   

   The operating system has more features for protecting data other than the recovery points. For example, when you visit the properties of the hosts file—a favourite of cybercriminals, you can see the following:

   

   The ability to restore previous versions of files was first introduced in Windows Vista. However, since the features available in the previous versions were not removed, the file versions are consequently saved not only by using the volume shadow copy service, but also when you are using Windows backup. In the file’s properties, in the tab “Previous versions”, specify the location: “Restore point” or “Backup”.

   Read about how to use Windows features to save versions of your files in upcoming issues of the Anti-virus Times.