Looking for clarity on the Malware Removal application.
What exactly does it scan? System files, NAS files, or both?
I'm asking because I have extensive end-point security where malware from a desktop to NAS is highly unlikely, and it would be redundant to use and needless extra work for the disks.
What does the Malware Remover Scan?
-
- Starting out
- Posts: 25
- Joined: Mon Aug 08, 2022 7:27 am
- dolbyman
- Guru
- Posts: 35273
- Joined: Sat Feb 12, 2011 2:11 am
- Location: Vancouver BC , Canada
Re: What does the Malware Remover Scan?
The NAS system, that's the only place where NAS-relevant malware would be... do not rely on it though, for most people this scheduled scanner would be by far too late before any damage is done (malware has removed/disabled MR or encrypted all your files)
-
- Starting out
- Posts: 25
- Joined: Mon Aug 08, 2022 7:27 am
Re: What does the Malware Remover Scan?
Thanks!
What's your recommendation for security?
- dolbyman
- Guru
- Posts: 35273
- Joined: Sat Feb 12, 2011 2:11 am
- Location: Vancouver BC , Canada
Re: What does the Malware Remover Scan?
To never ever ever expose your NAS to WAN
-
- Experience counts
- Posts: 1819
- Joined: Tue May 29, 2018 3:02 am
- Location: Ottawa, Ontario, Canada
Re: What does the Malware Remover Scan?
Only QNAP has the answer as to exactly what the Malware Remover app actually looks for. They have not been forthcoming with information. The consensus is that the scanner, which runs on a schedule, checks for a few known malware threats that have been seen in the past (I'm assuming things like qlocker and at least the first couple iterations of deadbolt, probably a few other things). If found, various affected files are moved into quarantine (so support can get them and retrieve or restore if necessary).
As mentioned, this runs on a schedule so may stop a malware attack 30 seconds after the attack starts, or it may not run until the attack has run for many hours.
As when it does run, there is minimal system impact so it doesn't "scan" in the sense that an anti-virus scanner checks for a signature within your files. It likely "looks" at a few very specific things such as your index.html file to see if it has been modified or other specific key indicators.
So to answer partly your question, it would check the system files and likely doesn't "look" at your data files at all.
Unless your system is essentially maxed out, the impact of MR should not be noticeable.
The benefits are a matter of opinion. Personally I feel that for a less experienced user, that has no or poor backups, then stopping the malware at some point *may* make it so *some* data is salvageable. However, early versions of MR made retrieving the ransom address difficult or impossible so it hurt some users. (Although theoretically this has been fixed or at least is better)
MR can't help with new malware or new iterations of existing malware and that is not really its stated intent anyway. It also is NOT intended to "fix" any data that was encrypted, but does in theory restore the admin GUI access page.
Bottom line, if enabled, it *may* stop an attack earlier in the process. I look at that as a good thing for some users. The only drawback is potentially hampering the ransom payment should that be required, although the hackers have "fixed" their code to make it easier.
Knowing this, it is up to the user to decide if it should be enabled as part of overall security, or not.
Malware scanners, antivirus scanners, etc are never substitutes for backups. But, keep in mind that "online" backups (USB disk for example that is connected and "on") can also be attacked by malware.
There is no substitute for a proper backup plan that includes protection against malware, viruses, fire, theft, user error, data deletion, hardware failure and many other things.
Network security is also paramount in your overall plan. The best plan includes locking down all entry methods (disable UPnP, disable DMZ, disable port forwarding) except for a (good, secure) VPN connection (inbound VPN such as OpenVPN running on your router - an outbound VPN from a paid provider such as NordVPN is a completely different thing and not what we are talking about here).
With a secured network and offline backups you can sleep easy!
QNAP TS-563-16G 5x10TB Seagate Ironwolf HDD Raid-5 NIC: 2x1GB 1x10GbE
QNAP TS-231P-US 2x18TB Seagate Exos HDD Raid-1
[Deadbolt and General Ransomware Detection, Prevention, Recovery & MORE]
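The kind of targeted check the post above guesses at (a few key system files compared against known-good state, with changed files quarantined rather than deleted), as an added example that is not part of the thread and not QNAP's code; Malware Remover's real checks are unpublished. The file paths and the function names `make_baseline`, `check_indicators` and `demo` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: targeted indicator check, NOT Malware Remover's actual logic.
# Baseline lines are "sha256  path", exactly as sha256sum writes them.

# make_baseline BASELINE FILE...: record known-good hashes of a few key files.
make_baseline() {
    out=$1; shift
    sha256sum "$@" > "$out"
}

# check_indicators BASELINE QUARANTINE_DIR: compare each watched file with its
# baseline hash. Changed files are moved (not deleted) into quarantine so they
# can still be examined later. Returns 1 if anything was missing or changed.
check_indicators() {
    status=0
    mkdir -p "$2"
    while read -r want path; do
        [ -n "$path" ] || continue
        if [ ! -f "$path" ]; then
            echo "MISSING $path"; status=1; continue
        fi
        have=$(sha256sum "$path" | cut -d' ' -f1)
        if [ "$have" != "$want" ]; then
            mv "$path" "$2/$(basename "$path").quarantined"
            echo "QUARANTINED $path"; status=1
        fi
    done < "$1"
    return "$status"
}

# demo: constructed sample tree with one watched system file and one data file.
demo() {
    d=$(mktemp -d) || return 2
    mkdir -p "$d/web" "$d/share"
    echo "<html>login</html>" > "$d/web/index.html"
    echo "family photos" > "$d/share/data.bin"
    make_baseline "$d/baseline.txt" "$d/web/index.html"
    echo "<html>replaced page</html>" > "$d/web/index.html"  # watched: detected
    echo "changed contents" > "$d/share/data.bin"            # not watched: unseen
    rc=0
    check_indicators "$d/baseline.txt" "$d/quarantine" || rc=$?
    ls "$d/quarantine"
    rm -rf "$d"
    return "$rc"
}
```

Running `demo` reports only the watched `index.html`; the changed data file goes unnoticed, which is why a check of this shape is cheap and also why it says nothing about the state of the shares.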
-
- Starting out
- Posts: 25
- Joined: Mon Aug 08, 2022 7:27 am
Re: What does the Malware Remover Scan?
Thanks for that excellent explanation; that clears up all my confusion. I have the network locked down, and OpenVPN set up.
What do you think about myqnapcloud? It looks like two logins and two 2-FAs to get into your files over an encrypted channel.
- dolbyman
- Guru
- Posts: 35273
- Joined: Sat Feb 12, 2011 2:11 am
- Location: Vancouver BC , Canada
Re: What does the Malware Remover Scan?
cloudlink is tunneling... if you trust QNAP to not eavesdrop, you could be ok here
qnapcloud ddns is just using port forwards, and no complex passwords or 2FA will save you here (exploits circumvented all these)
-
- Experience counts
- Posts: 2043
- Joined: Thu Mar 03, 2016 1:11 am
Re: What does the Malware Remover Scan?
Myqnapcloud was often used as an attack vector as well! DON'T USE myqnapcloud!!!
Myqnapcloudlink is a different access procedure, it seems to be much more secure than myqnapcloud. But all access is running via QNAP servers.
Because this company is known for their very well security controls (</irony>) you must decide yourself, if you trust in this solution - I do not!
2-FA and encrypted channels (SSL??) are smoke and mirrors and do not protect against any 0day exploit. The attacks in the last years have mostly been using such exploits.
So 2-FA and SSL is useless.
Regards
Last edited by FSC830 on Tue Sep 27, 2022 3:16 pm, edited 1 time in total.
A raid is never a substitute for backup! Never!
Deadbolt - READ 1st post!!!
Deadbolt - information
Deadbolt - find your OP_RETURN!
VPN=VPN? No!
How to clean up your NAS after malware attack
www.raidisnotabackup.com
-
- Starting out
- Posts: 25
- Joined: Mon Aug 08, 2022 7:27 am