Introduction
Site Manager 7.3 introduces Macrium Image Guardian, which provides ransomware protection for backup files that are installed on the Site Manager server.
Macrium Image Guardian works by preventing unauthorized delete or write operations being performed on backup image files by any process that does not have a valid Macrium code signature.
Image Guardian has been used by Macrium Reflect to provide malware protection since version 7.1.
Learn more about Macrium Image Guardian in Macrium Reflect here
Installation
When you install Site Manager for the first time, the installation wizard will show you an option to install Image Guardian:
Once it has been installed, the computer may need to be rebooted before the Image Guardian driver is loaded and Image Guardian can provide protection.
Upgrades
When upgrading in the Site Manager user interface, the Image Guardian status will be preserved. If it was previously installed, it will be installed and upgraded with the Site Manager server. If it wasn't, however, it will not be installed.
If you are upgrading from an older version of Site Manager (7.2 or earlier), Image Guardian will not be installed when you upgrade. You will need to first upgrade to a version 7.3 Site Manager, and then use the Modify option on the Programs (or Apps and Features in Windows 10) control panel
As with first time installation, you might need to reboot your computer before the Image Guardian driver is properly installed and usable.
Upgrading the Image Guardian Driver
If Image Guardian is installed and an upgrade to the Image Guardian driver is installed, the Site Manager installer will set this update to happen on next reboot and the system will continue using the older driver until reboot. This is done to ensure that Image Guardian protection is not lost on upgrade.
If this happens, the Image Guardian configuration tool will warn that a reboot is pending and refuse to allow reconfiguration of Image Guardian settings until this has been performed
Configuration
Once Image Guardian has been installed, you can configure it by running the Image Guardian configuration app. This is located in:
C:\Program Files\Macrium\Common\MIGPopup.exe
Running this program will display the following interface
This is where you can enable and disable Macrium Image Guardian. You can also disable it temporarily for fixed time periods to allow you to perform server maintenance.
To enable Image Guardian on particular volumes, first Image Guardian must be turned on in the Settings tab, and then the volume selected in the Volumes tab
This tab shows a list of all local disk partitions and their Image Guardian status. Once Image Guardian has been turned on globally in the Settings tab, the appropriate volumes selected in the Volumes tab, pressing OK or Apply will save the configuration. After this has been done, the Volumes tab will show protected volumes with an Image Guardian icon:
Protecting Site Manager Repositories
To protect a Site Manager repository, you should identify the volume with the repository share and enable Image Guardian on this volume. For example, if Site Manager has a repository on \\sitemanagerserver\repository which corresponds to c:\repos\repository, the C:\ volume should be protected. Once this is done only Macrium Reflect, Site Manager or the Site Manager Agent will be able to modify or delete image files. This means the files cannot be reached and encrypted by ransomware.
Any process which cannot be cryptographically authenticated as a Macrium process will be denied access to delete or write to backup image files:
Advanced Usage Scenarios
Protecting a Repository hosted on a NAS or other external system
Macrium Image Guardian can be used to protect volumes on any locally attached disk or storage system, but often repository data resides in a NAS, which can’t be directly protected by Site Manager.
To provide protection in these cases, the Site Manager server can be used as an intermediary between the NAS and Agents by attaching the NAS disk via iSCSI.
Many NAS devices and storage systems allow storage to be exposed via iSCSI, for example on a Synology NAS, iSCSI Manager can be used:
Once the iSCSI target has been created on the NAS, it can be connected to the Site Manager server by using the Windows iSCSI initiator:
Once the initiator has connected to the iSCSI target, the target LUN can be mounted in the Volumes and Devices tab. In the simple case here, using the Auto-Configure option is suitable.
We recommend using CHAP or other authentication to the iSCSI backend to ensure that no malware, ransomware or other malicious software can gain access to the iSCSI target directly.
Once the target is connected, it will appear as any other disk in Windows and can be initialized, partitioned, formatted and have a drive letter (or mount point) assigned in the Windows Disk Management tool
With this done, an appropriate folder can be created and shared on the iSCSI target. This share can then be used to create a Site Manager repository
Performance Notes
In this configuration, all backup traffic will be channeled through the Site Manager server instead of going direct from Site Manager Agent to NAS.
If the Site Manager server has poor network connectivity to either the Agent computer or the NAS, backups may be slower than a direct connection.