Skip to end of metadata
Go to start of metadata


Introduction

Site Manager 8 includes Macrium Image Guardian (MIG), which provides ransomware protection for backup files that are stored on the Site Manager server.

Macrium Image Guardian works by preventing unauthorized delete or write operations from being performed on backup image files by any process that does not have a valid Macrium code signature.

Image Guardian has been used by Macrium Reflect to provide malware protection since version 7.1. 

Learn more about Macrium Image Guardian in Macrium Reflect here.

Installation

When you install Site Manager for the first time, the installation wizard will show you an option to install Image Guardian:



Once it has been installed, the computer may need to be rebooted before the Macrium Image Guardian driver is loaded and Macrium Image Guardian can provide protection. Installing MIG via the Site Manager installer will only protect backup image files hosted on that same server. A standalone MIG installer can be downloaded to protect backup image files hosted on separate servers to Site Manager. The installers can be found under the 'System' page within the 'Settings' section:

Upgrades

When upgrading in the Site Manager user interface, the Macrium Image Guardian status will be preserved. If it was previously installed, it will be installed and upgraded with the Site Manager server. If it wasn't, however, it will not be installed. 

To change whether Macrium Image Guardian is installed after Site Manager installation, use the 'Modify' option on the 'Programs' (or 'Apps and Features' in Windows 10) control panel.

As with first-time installation, you might need to reboot your computer before the Macrium Image Guardian driver is properly installed and usable.

Upgrading the Image Guardian Driver

If Macrium Image Guardian is installed and an upgrade to the Macrium Image Guardian driver is installed, the Site Manager installer will set this update to happen on the next reboot and the system will continue using the older driver until reboot. This is done to ensure that Macrium Image Guardian protection is not lost during an upgrade. 

If this happens, the Image Guardian configuration tool will warn that a reboot is pending and refuse to allow reconfiguration of Macrium Image Guardian settings until this has been performed

Configuration

Once Macrium Image Guardian has been installed, you can configure it by running the Macrium Image Guardian configuration app. A desktop icon and start menu entry will be created by the Site Manager install.

This is located in:

C:\Program Files\Macrium\Common\MIGPopup.exe

Running this program will display the following interface:

This is where you can enable and disable Macrium Image Guardian. You can also disable it temporarily for fixed time periods to allow you to perform server maintenance.

To enable Macrium Image Guardian on particular volumes, first Macrium Image Guardian must be turned on in the 'Settings' tab, and then the volume selected in the 'Volumes' tab:


This tab shows a list of all local disk partitions and their Image Guardian status. Once Image Guardian has been turned on globally in the 'Settings' tab, the appropriate volumes selected in the 'Volumes' tab, pressing 'OK' or 'Apply' will save the configuration. After this has been done, the 'Volumes' tab will show protected volumes with a Macrium Image Guardian icon:

Protecting Site Manager Repositories

To protect a Site Manager repository, you should identify the volume with the repository share and enable Macrium Image Guardian on this volume. For example, if Site Manager has a repository on \\sitemanagerserver\repository which corresponds to C:\repos\repository, the C:\ volume should be protected. Once this is done only Macrium Reflect, Site Manager, or the Site Manager Agent will be able to modify or delete image files. This means the files cannot be reached and encrypted by ransomware.

Any process that cannot be cryptographically authenticated as a Macrium process will be denied access to delete or write to backup image files:


View and Control MIG Status through Site Manager

The status of Macrium Image Guardian is visible in Site Manager within the 'Repositories' page for the repository types that support it.

Site Manager can control the status of Macrium Image Guardian for Network Share and Amazon AWS Storage Gateway repositories if they're hosted by the Site Manager server. In these scenarios, an additional toggle icon is available to enable or disable the product. 

Limitations

Any share protected by Macrium Image Guardian must be accessed by SMB version 2 or greater so that the client can securely send identity information to the MIG driver. Platforms that are unable to use SMB2 due to age (Windows XP) or configuration will be unable to protect backups saved to a MIG-protected repository.

Advanced Usage Scenarios

Protecting a Repository hosted on a NAS or other external system

Macrium Image Guardian can be used to protect volumes on any locally attached disk or storage system, but often repository data resides in a NAS, which can’t be directly protected by Site Manager. 

To provide protection in these cases, the Site Manager server can be used as an intermediary between the NAS and Agents by attaching the NAS disk via iSCSI.

Many NAS devices and storage systems allow storage to be exposed via iSCSI, for example on a Synology NAS, iSCSI Manager can be used:

Once the iSCSI target has been created on the NAS, it can be connected to the Site Manager server by using the Windows iSCSI initiator:

Once the initiator has connected to the iSCSI target, the target LUN can be mounted in the 'Volumes and Devices' tab. In the simple case here, using the 'Auto-Configure' option is suitable.

We recommend using CHAP or other authentication to the iSCSI backend to ensure that no malware, ransomware, or other malicious software can gain access to the iSCSI target directly.

Once the target is connected, it will appear as any other disk in Windows and can be initialized, partitioned, formatted, and have a drive letter (or mount point) assigned in the Windows Disk Management tool:

With this done, an appropriate folder can be created and shared on the iSCSI target. This share can then be used to create a Site Manager repository.

Performance Notes

In this configuration, all backup traffic will be channelled through the Site Manager server instead of going direct from Site Manager Agent to NAS. 

If the Site Manager server has poor network connectivity to either the Agent computer or the NAS, backups may be slower than a direct connection.







  • No labels