The Anti-virus Times

Thursday, May 30, 2024

In our issues of the Anti-virus Times, we often talk about how diverse the world of malware and other computer threats is. In our opinion, the digital world is still at the stage of a “primitive society”, where everyone can test the security of your virtual windows and doors, steal or destroy your property, or try to get your keys and secrets through deceptive means. That is why we always recommend that users take a comprehensive approach to security – follow the rules of digital hygiene and use reliable anti-virus protection for all of your devices that need it.

Such protection is particularly needed for computers running Windows, and this is for many reasons—reasons that we have already written about in past issues. These include the ubiquitousness of the OS, the huge number of malicious programs written for it, the relative openness of a system (especially when working in an administrator account), and some others.

A system’s anti-virus protection should be comprehensive, sufficient, multi-level and, at the same time, flexible, in order to adapt to specific work conditions. In a comprehensive product, mandatory components, such as the scanner, file monitor, and preventive protection mechanisms, are combined with additional modules to ensure that users, first, can be confident in the security of their computers, and second, can customize the requisite features so that they operate as needed. We spoke earlier about one of these components — Parental Control.

And, in today's issue of the Anti-virus Times, we will discuss another feature of Dr.Web Security Space for Windows — Data Loss Prevention. This component makes it even more difficult for malicious programs and cybercriminals to tamper with user data. Let's see how it works.

The Data Loss Prevention feature lets users block the modification of any custom folders at the anti-virus kernel driver level. You can add an arbitrary folder to the list of protected ones, and all the files in it will remain read-only and copy-only, and these files will not be allowed to be modified and deleted by programs considered to be untrustworthy. By default, Dr.Web allows access to the files of a number of trusted programs, the list of which can be found here. At the same time, system processes are prohibited from accessing protected files since such processes can be used by malware to attack a system. One example is explorer.exe, which is responsible for Windows Explorer.

It is also important to note that system and root directories cannot be added to the list of protected directories, as this could definitely lead to disruptions in the OS's operation. Dr.Web automatically detects system folders and does not allow users to select them, so no one can accidentally harm the system this way.

As our readers have probably guessed, the Data Loss Prevention feature additionally protects files from encryption ransomware and other malicious programs even if they are run with administrator privileges or use legitimate or trusted processes at the operating system level. Malware will simply not be able to access the files, so it will not be able to encrypt or delete them. Below we will look at some live examples of using this component, but for now, let's configure this feature together and try to protect two folders: one where accessing files is completely prohibited, and the second where partial access is allowed for trusted programs.

Scenario №1 — accessing files is completely prohibited

This scenario is not the default, but we will start with it so that you can better understand how the component works. Straightaway we’ll note that Data Loss Prevention works only with those files and directories that are physically located on a computer's hard drive.

Create a test folder in any convenient place (for example, on your desktop) and copy several arbitrary files to it. Open Dr.Web's Security Center and go to the Devices and Personal Data section; then select the Data Loss Prevention component.

The component configuration window will open. Note that in order for changes to be made, Dr.Web Security Center needs to be run in administrator mode. To do this, click on the padlock icon and allow the anti-virus to make changes to the system.

Click the Add Folder to Protect button to open the Protected Folder configuration dialogue box. In the newly appeared window, click on Browse and select the previously created folder; then clear the checkbox next to Allow modification of the folder contents for applications trusted by Dr.Web. Click OK to add the specified folder to the list of protected folders.

In this mode, files in the folder will be protected against any changes, including the deletion, renaming, and changing of access permissions using Windows tools. However, this method imposes restrictions on working with files. Both system and user applications and processes will not have the rights needed to edit data. So, for example, if text documents are involved, you will not be able to edit them and save them to the same file while they are under protection. Restrictions will apply even if you are working in administrator mode. At the same time, you will be able to view the contents of files and copy them, save changes to new files, and freely copy new files to a protected folder, and they will immediately be protected.

It is worth mentioning one more feature that is available to you when this component is implemented. In the protected folder, you can create new items; these items can also be modified (and deleted) by the processes that created them until these processes are complete. Say, for example, that you created a text file in a protected folder. You can then rename or delete it using Windows tools because the system process that created this particular file and is responsible for deleting it is still working. But another application will not be able to delete or rename it.

Scenario №2 — rights are left to trusted applications

This is the default scenario. When you add a folder to the list of protected items, a block is set so that no program, except for those from the trusted list, can modify and/or delete the folder’s contents. This mode allows the user to work with files in trusted applications. At the same time, as mentioned above, system processes are not among those considered to be trusted — this precautionary measure prevents encryption ransomware and other malware from gaining access to files even when legitimate system processes are in use.

Create a second test folder in any convenient place and copy several arbitrary files to it. Follow the steps specified in the previous section, but when adding a protected folder, do not clear the Allow modification of the folder contents for applications trusted by Dr.Web check box.

Now try working with files in your usual programs. If they are on the trusted list, you will be able to use them to edit the contents of protected files. At the same time, the use of standard Windows tools to delete and rename files will still be prohibited.

Another useful Data Loss Prevention option is the ability to configure exclusions for programs. So, you can add a program that will be able to access the files in a protected folder. It should be remembered that adding exclusions reduces the protection level, so you should do this wisely and only if it is required for work.

In the edit window, you can set exclusions both when adding a new folder and for folders that are already protected. To do this, in the User exclusions section, click the “Add application” button and specify the path to the executable file of the program to which you want to grant access to protected files.

The number of applications with full access to the protected folder is specified in the main Data Loss Prevention window, in the User exclusions column.

Component usage examples

Data Loss Prevention can be useful when you want to restrict access to stored information — for example, backups or archives of finished documents that are on your computer's hard drive. So, this feature will come in handy if you want to make any information read-only and copy-only. In this case, the data will be protected not only from malicious programs but also from any accidental modification. Flexible options will also allow you to customize the component’s operation according to your needs. For example, you can prevent all programs, except one, from accessing the files in a specific folder. And, in another folder, you can allow access to all trusted applications.

In general, if some data doesn’t need to be accessed frequently for the purpose of making changes, it is worth considering using this function to help protect them. Especially if the computer is operating in an environment that is dangerous with regards to virus threats.

If the device is used as a full-fledged backup storage, directories with backups can also be placed under protection. However, in this case, you will either have to add the utility for creating copies to the exclusions so that it can perform an incremental backup and replace the protected files, or choose the copy mode in which the protected files will not be modified. A properly configured bundle of anti-virus features and backup utilities will reliably protect your data.

Despite the fact that the Data Loss Prevention component is primarily designed to protect data from the destructive actions of malware, it can also help in the event that attackers gain remote access to a system. You can protect Dr.Web’s settings with a password, so that those who do not know the password cannot possibly disable the component. Thus, an attacker will not be able to delete or change the protected data, even if they are acting with administrator rights.

Separately, it is worth mentioning how to protect data that are stored in the cloud and synchronized with a local computer. You can protect local copies of files from the cloud, that is, those that are already on your device. However, files that are directly in the cloud will not be protected. If the cloud storage client program is among the trusted Dr.Web applications, and access to such applications is allowed, changing or deleting files through such a program will also be allowed.