Windows 7: Can we keep an internal HDD from being accessed by ransomware with “disable” or “unmount”?

QUESTION :

I’m trying to find an alternative way to protect my daily backup disk from malware while the HDD is still connected to a SATA port on the motherboard.
(This is temporary. I can’t afford a portable HDD docking station or NAS for now. I also agree that physical isolation would be much safer.)
So I’m wondering whether there’s a way to make the disk inaccessible when it’s not needed.

According to the information I got, we can “disable” an HDD with DevCon disable [hardware ID] or “unmount” an HDD with the mountvol X: /p command. With this, we can come up with a script. If we pair it with Windows Task Scheduler and backup software, the backup disk should be safe except when doing the backup.

However, I’m not convinced that “disabling” or “unmounting” keeps the HDD from simply being accessed or written to. Is it really doable?

P.S. This isn’t my only backup copy; I just need to build another basket for the eggs.

P.P.S. It’s a little bit difficult for me to describe the entire story in English. Please feel free to correct or question me if anything was missing or not clear.
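The scheduled mount / back up / dismount cycle the question describes, written out as an added example (this is not code from the question or the answer). It uses the mountvol commands mentioned above; the drive letter X:, the backup command path and the state-file location are assumed placeholders. Win32_Volume is queried through WMI because the Get-Volume cmdlet does not exist on Windows 7. Note that this is exactly the software-only isolation the answer below discusses: the same mountvol call that remounts the volume here is available to any process running with the same privileges.

```powershell
# Added example: dismount the backup volume except while a scheduled backup runs.
# Run elevated (mountvol needs administrator rights). Assumed placeholders:
#   X:                        drive letter of the backup volume
#   C:\Backup\run-backup.cmd  command that invokes the backup tool (hypothetical)
$DriveLetter   = 'X:'
$BackupCommand = 'C:\Backup\run-backup.cmd'
$StateFile     = Join-Path $env:ProgramData 'backup-volume-guid.txt'

function Get-BackupVolumeGuidPath {
    # Returns the \\?\Volume{GUID}\ path behind the drive letter, or $null if not mounted.
    $vol = Get-WmiObject Win32_Volume -Filter "DriveLetter='$DriveLetter'"
    if ($vol) { return $vol.DeviceID }
    return $null
}

function Dismount-BackupVolume {
    # Save the GUID path first: once the letter is gone, the WMI lookup by letter fails.
    $guidPath = Get-BackupVolumeGuidPath
    if (-not $guidPath) { Write-Warning "$DriveLetter is not mounted"; return }
    Set-Content -Path $StateFile -Value $guidPath
    # /p removes the mount point, dismounts the volume and marks it not mountable.
    & mountvol $DriveLetter /p
    if ($LASTEXITCODE -ne 0) { throw "mountvol dismount failed (exit $LASTEXITCODE)" }
}

function Mount-BackupVolume {
    # Reattach the drive letter using the GUID path saved at dismount time.
    if (-not (Test-Path $StateFile)) { throw "No saved volume path in $StateFile" }
    $guidPath = (Get-Content -Path $StateFile -TotalCount 1).Trim()
    & mountvol $DriveLetter $guidPath
    if ($LASTEXITCODE -ne 0) { throw "mountvol mount failed (exit $LASTEXITCODE)" }
}

# Job body for Task Scheduler: mount, back up, then dismount even if the backup fails.
Mount-BackupVolume
try {
    & cmd.exe /c $BackupCommand
    if ($LASTEXITCODE -ne 0) { Write-Warning "backup command exited with $LASTEXITCODE" }
}
finally {
    Dismount-BackupVolume
}
```

To seed the state file the first time, run Dismount-BackupVolume once while the disk is still mounted; after that the scheduled task only ever sees the volume during the backup window. Whether that window is short enough, and whether an attacker with administrator rights simply remounts the volume, is the trade-off the answer addresses.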

ANSWER :

All methods of isolating a connected drive from malware by means of software are flawed in principle. The problem is they are just software. Malware is software. Anything that this software could do malware could reverse. Malware could enable access to the drive, do what it wished, and then disable it to avoid any suspicion of its activity.

Be aware that all forms of malware have become very sophisticated in recent years. Malware authors are very professional, highly motivated, and well funded. This is not just a hobby to them. Malware authors are experts in protection methods and the means of evading them.

I am not saying that malware currently has this capability, just that the potential is there. Or maybe it does already. If not you can be sure that somebody is researching it with hopes of including it in a future version of their software.

There is no such thing as absolute security. All security is relative. And good security consists of multiple layers. Any one layer may be evaded, if not now, possibly in the future. Software isolation of an external drive provides one layer of security. But it is one that can be overcome and should not be relied on.

A better way to isolate a drive when not in use is to physically disconnect it or remove power from it. Of course this isn’t 100% reliable either, as malware could access it when connected. But it would reduce the window of opportunity to do so. This does require manual action and is less convenient. But security always has its price, and that price is often paid in loss of convenience.
