What does the Malware Remover Scan?

SpyderZ
Starting out
Posts: 25
Joined: Mon Aug 08, 2022 7:27 am

What does the Malware Remover Scan?

Post by SpyderZ »

Looking for clarity on the Malware Removal application.

What exactly does it scan? System files, NAS files, or both?

I'm asking because I have extensive end-point security where malware from a desktop to NAS is highly unlikely, and it would be redundant to use and needless extra work for the disks.
dolbyman
Guru
Posts: 35225
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: What does the Malware Remover Scan?

Post by dolbyman »

The NAS system, that's the only place where NAS-relevant malware would be. Do not rely on it though; for most people this scheduled scanner would be by far too late before any damage is done (malware has removed disabled MR or encrypted all your files)
SpyderZ
Starting out
Posts: 25
Joined: Mon Aug 08, 2022 7:27 am

Re: What does the Malware Remover Scan?

Post by SpyderZ »

dolbyman wrote: Tue Sep 27, 2022 5:51 am The NAS system, that's the only place where NAS-relevant malware would be. Do not rely on it though; for most people this scheduled scanner would be by far too late before any damage is done (malware has removed disabled MR or encrypted all your files)
Thanks!

What's your recommendation for security?
dolbyman
Guru
Posts: 35225
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: What does the Malware Remover Scan?

Post by dolbyman »

To never ever ever expose your NAS to WAN
dosborne
Experience counts
Posts: 1811
Joined: Tue May 29, 2018 3:02 am
Location: Ottawa, Ontario, Canada

Re: What does the Malware Remover Scan?

Post by dosborne »

Only QNAP has the answer as to exactly what the Malware Remover app actually looks for. They have not been forthcoming with information. The consensus is that the scanner, which runs on a schedule, checks for a few known malware threats that have been seen in the past (I'm assuming things like qlocker and at least the first couple iterations of deadbolt, probably a few other things). If found, various affected files are moved into quarantine (so support can get them and retrieve or restore if necessary).
As mentioned, this runs on a schedule so may stop a malware attack 30 seconds after the attack starts, or it may not run until the attack has run for many hours.

As when it does run, there is minimal system impact so it doesn't "scan" in the sense that an anti-virus scanner checks for a signature within your files. It likely "looks" at a few very specific things such as your index.html file to see if it has been modified or other specific key indicators.

So to answer partly your question, it would check the system files and likely doesn't "look" at your data files at all.

Unless your system is essentially maxed out, the impact of MR should not be noticeable.

The benefits are a matter of opinion. Personally I feel that for a less experienced user, that has no or poor backups, then stopping the malware at some point *may* make it so *some* data is salvageable. However, early versions of MR made retrieving the ransom address difficult or impossible so it hurt some users. (Although theoretically this has been fixed or at least is better)

MR can't help with new malware or new iterations of existing malware and that is not really its stated intent anyway. It also is NOT intended to "fix" any data that was encrypted, but does in theory restore the admin GUI access page.

Bottom line, if enabled, it *may* stop an attack earlier in the process. I look at that as a good thing for some users. The only drawback is potentially hampering the ransom payment should that be required, although the hackers have "fixed" their code to make it easier.

Knowing this, it is up to the user to decide if it should be enabled as part of overall security, or not.

Malware scanners, antivirus scanners, etc are never substitutes for backups. But, keep in mind that "online" backups (USB disk for example that is connected and "on") can also be attacked by malware.

There is no substitute for a proper backup plan that includes protection against malware, viruses, fire, theft, user error, data deletion, hardware failure and many other things.

Network security is also paramount in your overall plan. The best plan includes locking down all entry methods (disable UPnP, disable DMZ, disable port forwarding) except for a (good, secure) VPN connection (inbound VPN such as OpenVPN running on your router - an outbound VPN from a paid provider such as NordVPN is a completely different thing and not what we are talking about here).

With a secured network and offline backups you can sleep easy!
QNAP TS-563-16G 5x10TB Seagate Ironwolf HDD Raid-5 NIC: 2x1GB 1x10GbE
QNAP TS-231P-US 2x18TB Seagate Exos HDD Raid-1
[Deadbolt and General Ransomware Detection, Prevention, Recovery & MORE]
SpyderZ
Starting out
Posts: 25
Joined: Mon Aug 08, 2022 7:27 am

Re: What does the Malware Remover Scan?

Post by SpyderZ »

dosborne wrote: Tue Sep 27, 2022 11:34 am With a secured network and offline backups you can sleep easy!
Thanks for that excellent explanation; that clears up all my confusion. I have the network locked down, and OpenVPN set up.

What do you think about myqnapcloud? It looks like two logins and two 2-FAs to get into your files over an encrypted channel.
dolbyman
Guru
Posts: 35225
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: What does the Malware Remover Scan?

Post by dolbyman »

cloudlink is tunneling... if you trust QNAP to not eavesdrop, you could be ok here

qnapcloud ddns is just using port forwards, and no complex passwords or 2fa will save you here (exploits circumvented all these)
FSC830
Experience counts
Posts: 2043
Joined: Thu Mar 03, 2016 1:11 am

Re: What does the Malware Remover Scan?

Post by FSC830 »

SpyderZ wrote: Tue Sep 27, 2022 12:28 pm
Thanks for that excellent explanation; that clears up all my confusion. I have the network locked down, and OpenVPN set up.

What do you think about myqnapcloud? It looks like two logins and two 2-FAs to get into your files over an encrypted channel.
Myqnapcloud was often used as an attack vector as well! DON'T USE myqnapcloud!!!
Myqnapcloudlink is a different access procedure, it seems to be much more secure than myqnapcloud. But all access is running via QNAP servers.
Because this company is known for their very good security controls (</irony>) you must decide yourself, if you trust in this solution - I do not!

2-FA and encrypted channels (SSL??) are smoke and mirrors and do not protect against any 0day exploit. The attacks in the last years have mostly been using such exploits.
So 2-FA and SSL are useless.

Regards
Last edited by FSC830 on Tue Sep 27, 2022 3:16 pm, edited 1 time in total.
SpyderZ
Starting out
Posts: 25
Joined: Mon Aug 08, 2022 7:27 am

Re: What does the Malware Remover Scan?

Post by SpyderZ »

FSC830 wrote: Tue Sep 27, 2022 2:52 pm Myqnapcloud was often used as an attack vector as well! DON'T USE myqnapcloud!!!
Thank you for this very valuable information as a new user. I will definitely make some adjustments.

🍻 Cheers!