
How an engineering data management system saves files from being destroyed by crypto viruses

Can Pilot-ICE save data from encryption viruses (ransomware)? To answer this question, we ran an experiment: an isolated test system running Pilot-Server and the Pilot-ICE client was deliberately infected with the notorious Wana Decrypt0r 2.0 virus. Other cryptoviruses work on the same principle; only the method of infection differs. We consider the most extreme case, in which there is no backup.



Dmitry Poskrebyshev, head of engineering data management systems development, reports.

Pilot-ICE is a corporate system, but it is easy to deploy yourself (the server, the administration module and the client take no more than 10 minutes) and has a free mode, so it can also be used to organize personal network storage for any files. We install Pilot-Server and connect a database containing documents that are the typical targets of most ransomware: DWG, DOCX, PDF, etc. We connect the Pilot-ICE client to the database from a user account. In Pilot-ICE, files are managed on a special virtual disk, Pilot-Storage, which controls all operations with the file system. For each file that appears on the disk there is an object in the database; it stores information about the file: attributes, links and permissions. Disk data is cached in the user profile. The cache reduces the load on the server and allows autonomous operation when there is no connection.


File bodies are stored as NTFS sparse files. As a file's contents are read, they are streamed from the server, and the zeros of the sparse file are gradually replaced with data from the server. This makes it possible to open huge project structures with large files on Pilot-Storage instantly, without downloading them to client systems, which saves user disk space and reduces the load on the network infrastructure. The technology is similar to OneDrive Smart Files and Dropbox Smart Sync.

There are thousands of projects in the database, but a user mounts to Pilot-Storage only those needed for current work. Windows Explorer displays the structure of the mounted projects, and this is where the project files are exposed to crypto viruses.



We infect the server and client systems with Wana Decrypt0r and wait for the virus's message that encryption is complete.



As a result, the files of the mounted projects to which the current user account has edit access were encrypted, and the originals of the files were deleted. The cryptovirus writes its exe files into every folder of the documents it encrypts; Pilot-Storage synchronizes these files with the server, and thus the virus body enters the Pilot database.



The Pilot system is designed so that no data is physically deleted; instead it only receives the status “Deleted” and ends up in the Pilot recycle bin, which the virus cannot bypass. On the server that stores file bodies, each Pilot database has a file archive, but the file archive contains no information about file types, so crypto viruses do not encrypt those files, assuming they may be part of the OS. Disabling systems is not what ransomware is after.

We clean the virus from the server and client systems and, if necessary, transfer the Pilot database from the infected system to a clean one. We connect the Pilot-ICE client to the database from the administrator account. We open the Pilot-Storage recycle bin; the administrator sees the deleted files of all users of the system. We restore them with the command "Restore to the original location."



The data is restored.



It remains to remove the virus body from the database. We open the search window for all database files and run queries of the form WanaDecryptor, @Please_Read_Me@.txt and WNCRY. We delete the files found; they are now in the Pilot recycle bin.



We open the recycle bin. We are connected from the administrator account, so we have the right to permanently remove the traces of the virus. The Pilot-ICE database is now back in its original state.
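The cleanup search described above, as an added example that is not part of the original article or of Pilot-ICE: a small Python scan over an ordinary file tree that matches the same indicators (WanaDecryptor, @Please_Read_Me@.txt, WNCRY) and additionally lists encrypted files whose originals are gone and therefore have to be recovered from the recycle bin. The sample project tree, its file names and contents are constructed assumptions.

```python
import re
import tempfile
from pathlib import Path

# Indicator patterns from the article's search queries (case-insensitive). Known
# WannaCry behaviour: encrypted copies get a .WNCRY suffix and the original is deleted.
INDICATORS = {
    "dropper": re.compile(r"wanadecryptor", re.I),
    "ransom_note": re.compile(r"^@please_read_me@\.txt$", re.I),
    "encrypted": re.compile(r"\.wncry$", re.I),
}

def scan_tree(root):
    """Return {category: sorted relative paths} of files matching an indicator."""
    root = Path(root)
    hits = {cat: [] for cat in INDICATORS}
    for path in root.rglob("*"):
        if path.is_file():
            for cat, pat in INDICATORS.items():
                if pat.search(path.name):
                    hits[cat].append(path.relative_to(root).as_posix())
    return {cat: sorted(v) for cat, v in hits.items()}

def missing_originals(root, encrypted):
    """Originals of *.WNCRY files that no longer exist beside them: these are
    the ones an administrator must restore from the Pilot recycle bin."""
    originals = (re.sub(r"\.wncry$", "", e, flags=re.I) for e in encrypted)
    return sorted(o for o in originals if not (Path(root) / o).exists())

def build_sample_tree(root):
    """Constructed sample of a mounted project after infection (not real data)."""
    files = {
        "ProjectA/plan.dwg.WNCRY": b"\x00" * 16,         # encrypted, original gone
        "ProjectA/spec.docx.WNCRY": b"\x00" * 16,        # encrypted ...
        "ProjectA/spec.docx": b"PK original",            # ... but original survived
        "ProjectA/WanaDecryptor.exe": b"MZ",             # dropper written by the virus
        "ProjectA/@Please_Read_Me@.txt": b"ransom note", # ransom note
        "ProjectB/drawing.dwg": b"AC1027 clean drawing", # untouched project
    }
    for rel, data in files.items():
        (Path(root) / rel).parent.mkdir(parents=True, exist_ok=True)
        (Path(root) / rel).write_bytes(data)

def report():
    """Build the sample tree in a temp dir, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        hits = scan_tree(tmp)
        hits["missing_originals"] = missing_originals(tmp, hits["encrypted"])
        return hits
```

Run `report()` against a real tree by replacing the temporary directory with the path of a mounted project; files listed under `missing_originals` are the ones to look for in the Pilot recycle bin.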
For those who want to use Pilot for team work with files, I also recommend taking a look at the light version of the client, 3D-Storage (available in the Pilot download center). The server part can be installed on Linux; immediately after installation, up to 5 simultaneous connections are available.

Dmitry Poskrebyshev, head of PDM systems development.

Source: https://habr.com/ru/post/328898/

