Recently I was asked by a customer how they could easily set up rollback capabilities on the endpoints in their corporate network. They had seen the marketing hype from various security technology providers claiming that their products included rollback capabilities they could use if/when one of their workstations or servers was infected by malware. Having gotten this question more than once, I thought it would be a good subject to share with a broader audience.
The truth is you don’t need to buy anything to create this capability on most corporate networks. You already have it built into your Microsoft Operating System (OS). “Shadow Copy (also known as Volume Snapshot Service, Volume Shadow Copy Service or VSS) is a technology included in Microsoft Windows that can create backup copies or snapshots of computer files or volumes, even when they are in use. It is implemented as a Windows service called the Volume Shadow Copy service. A software VSS provider service is also included as part of Windows to be used by Windows applications. Shadow Copy technology requires either the Windows NTFS or ReFS filesystems in order to create and store shadow copies. Shadow Copies can be created on local and external (removable or network) volumes by any Windows component that uses this technology, such as when creating a scheduled Windows Backup or automatic System Restore point.”[1]
In fact, VSS is what is actually being used by almost all of these hyped products. It can be easily enabled and pushed to all endpoints with an RMM tool or traditional Group Policy / GPO. VSS doesn’t cause as much resource drain on a computer as you might think: it works incrementally, so each snapshot captures only what has changed since the last one rather than copying the whole volume. This obviously saves significant amounts of time and space compared to taking a full system snapshot each time. VSS was introduced in Microsoft Windows XP®/Server 2003 and has been available in every version of Windows since.
With all this hype, why aren’t most network administrators using it? Several reasons:
VSS is not enabled by default in the Windows OS and many administrators aren’t aware of its full capabilities
Mac and Linux do not use VSS, so you cannot currently support rollback functionality for macOS® or Linux-based systems with it
The “vssadmin.exe Delete Shadows” command is part of almost every ransomware attack and many other malware attacks, to the point that it has been catalogued in the MITRE ATT&CK Framework as Technique T1490: “Adversaries may delete or remove built-in operating system data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery”[2]
If network or cloud volume shares are used to store shadow copies off the endpoint, this can put stress on the network infrastructure
There are a number of known bugs which plague specific use cases of VSS
What do we recommend for our customers?
We do recommend utilizing VSS to create automated shadow copies of endpoints, allowing easy rollback capabilities
After enabling shadow copying, we recommend making vssadmin accessible only to administrators, after which it is “strongly suggested that it be disabled by renaming it.”[3]
For servers and critical workstations, we also recommend secure, encrypted, offsite traditional backups. There are many solutions out there, but we have found veeam.com & carbonite.com to be good commercial solutions, and iperiusbackup.com offers a good no-software-cost solution
Most importantly, make sure your endpoints have a quality EDR solution (e.g. Endgame) so that the incidents that would require a rollback are avoided in the first place.
How do you setup VSS?
Microsoft Official Documentation - https://docs.microsoft.com/en-us/windows-server/storage/file-server/volume-shadow-copy-service
Third-party Documentation - https://www.ubackup.com/windows-10/volume-shadow-copy-windows-10.html
Third-party YouTube Video - https://youtu.be/tvl1pk7BojM
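One way to carry out the setup and the vssadmin lockdown recommended above on a single Windows endpoint, as an added PowerShell example that is not from the original post or its linked guides (the volume, storage cap, snapshot time and task name are assumptions; change them for your environment):

```powershell
#Requires -RunAsAdministrator
# Constructed example: enable VSS on one volume, take a snapshot now, schedule a
# daily one, and lock down vssadmin.exe. $Volume, $MaxSize, $SnapshotTime and the
# task name are assumptions.
$Volume       = 'C:\'
$Drive        = $Volume.TrimEnd('\')   # vssadmin wants 'C:', WMI wants 'C:\'
$MaxSize      = '10%'                  # cap shadow storage so snapshots cannot fill the disk
$SnapshotTime = '12:00'
$VssAdmin     = Join-Path $env:SystemRoot 'System32\vssadmin.exe'

# 1. Turn on System Protection (client SKUs only) and bound the shadow storage area.
#    On Windows Server there is no System Restore; create the storage association
#    first with 'vssadmin add shadowstorage' if resize reports no items.
if (Get-Command Enable-ComputerRestore -ErrorAction SilentlyContinue) {
    Enable-ComputerRestore -Drive $Volume
}
& $VssAdmin resize shadowstorage "/for=$Drive" "/on=$Drive" "/maxsize=$MaxSize" | Out-Null

# 2. Create a snapshot through WMI. This works on client and server alike, whereas
#    'vssadmin create shadow' is only available on Server editions.
function New-VolumeShadow([string]$Vol) {
    $r = Invoke-CimMethod -ClassName Win32_ShadowCopy -MethodName Create `
             -Arguments @{ Volume = $Vol; Context = 'ClientAccessible' }
    if ($r.ReturnValue -ne 0) { throw "Win32_ShadowCopy.Create returned $($r.ReturnValue)" }
    $r.ShadowID
}
$id = New-VolumeShadow $Volume
Write-Host "Created shadow copy $id"

# 3. Schedule the same call daily as SYSTEM so snapshots keep coming without a logged-in user.
$cmd       = "Invoke-CimMethod -ClassName Win32_ShadowCopy -MethodName Create -Arguments @{Volume='$Volume';Context='ClientAccessible'}"
$action    = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument "-NoProfile -NonInteractive -Command `"$cmd`""
$trigger   = New-ScheduledTaskTrigger -Daily -At $SnapshotTime
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -RunLevel Highest
Register-ScheduledTask -TaskName 'Daily VSS Snapshot' -Action $action -Trigger $trigger -Principal $principal -Force | Out-Null

# 4. Restrict vssadmin.exe to Administrators and SYSTEM, then rename it as the post
#    suggests. takeown is needed because System32 binaries are owned by TrustedInstaller.
#    Windows Resource Protection or a feature update may put the original back, so
#    re-check this after patching.
& takeown.exe /f $VssAdmin /a | Out-Null
& icacls.exe $VssAdmin /inheritance:r /grant:r 'Administrators:(F)' 'SYSTEM:(F)' | Out-Null
Rename-Item -Path $VssAdmin -NewName 'vssadmin.exe.disabled'

# 5. Show what is now available for rollback.
Get-CimInstance Win32_ShadowCopy |
    Select-Object ID, VolumeName, @{ n = 'Created'; e = { $_.InstallDate } } |
    Format-Table -AutoSize
```

Push the same script through your RMM tool or a GPO startup script to cover the fleet, and keep a copy of the renamed binary's path documented so legitimate administrators can restore it when a backup product needs it.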
[1] https://en.wikipedia.org/wiki/Shadow_Copy
[2] https://attack.mitre.org/techniques/T1490/
[3] https://www.bleepingcomputer.com/news/security/why-everyone-should-disable-vssadminexe-now/