Virtually all malware targets MS-Windows machines, because there's a huge number of Windows desktop machines and most are used by people who don't understand the risks of clicking on links, especially ones in HTML-coded unsolicited emails. MS-Office macros remain a serious risk too.
Anti-malware software's effectiveness is severely limited by being reactive: it needs to have information about a piece of malware in order to detect it. Making a minor change to malware is often enough to evade anti-malware.
One solid defence is to use non-Windows machines for important things, because they are immune to Windows malware.
An enhancement of that is to use an Operating System that provides Mandatory Access Control (MAC). Linux gained MAC in 2000 in the form of SELinux, but MS-Windows still doesn't have anything even close.
For our own servers we use an Enterprise Linux variety which has SELinux enabled by default.
MDFS is based on an Enterprise Linux (EL) variety the same as, or equivalent to, what we use on our servers, with additional file-sharing-related defence mechanisms that we've created. It is supplied as a Virtual Machine to be run by the EL-based Hypervisor that we supply.
For safety we don't allow low-level-administration access to an MDFS machine from a client's workstations. If we did, then an intruder could breach it by invading a client machine that has such access. Low-level access has to be via a secure VPN and from non-Windows machines. There are 2 independent layers of authentication and strong encryption.
We install Hypervisor and MDFS remotely. If you already have suitable hardware we can install on that. Otherwise, for efficiency and green-ness, you'll need to obtain a suitable machine from your usual supplier. If buying a machine you can save significant money by specifying that it be supplied without an operating system. Consult us before buying.
Software support (including configuration changes) is provided remotely. Hardware support is provided by your local technical people or your supplier, with input from us when necessary.
Software support (non-warranty) can be charged per-event, or there can be a contract to provide up to a specified number of hours per month. A contract allows us to respond rapidly if there's a problem, whereas with per-event we need to obtain authorisation from you before responding.
We're a 'Microsoft Shop' so why should we introduce a Linux server? And don't Linux machines just complicate things? : Introduce it to protect your organisation's bottom line and reputation, because EL+MAC provides a level of protection that MS-Windows can't get even close to. In addition to being safer, Linux-based systems are simpler and easier to administer, and they 'play nicely' with other systems. So they actually improve your IT landscape.
Why haven't you shown how the defeating works? : Because it's better if intruders have to try to work that out themselves.
Is it a perfect defence? : No defence can be perfect. An excellent defence simply makes the cost of attacking unacceptably high to an attacker.
What if intruders try to infect it with Linux malware? : It's a file sharer, so they can easily store a Linux malware file on it. But they still have the problem of getting the server to run it, for which MAC provides an impenetrable barrier, in addition to other obstacles.
How easy is it to transition to? : Very. One way is to operate it in addition to an existing file sharer and, at a quiet time, copy the user data files from the other sharer to it, whereupon users simply connect to the new file sharer. A variation of that is to then rename or shut down the other, and change the new server's name to the other's original name.
What server hardware is needed? : That depends on factors including how much data needs to be stored and how big the access load is. But for business-resilience there needs to be redundancy in case of hardware problems. Since MDFS is supplied as a Virtual Machine (VM) the best approach is to set up a copy of it on another machine as a 'warm spare' that you can rapidly switch to in the event of hardware problems. Consult us before ordering.
Can Windows-based file sharers defeat ransomware in the same way? : No.
Ransomware also hits Windows workstations, so can you also protect them? : Unfortunately, no. But we do have a scheme whereby the workstation recovery time and effort can be greatly reduced. We also recommend that organisations set up one or more Linux-based workstations, since they will remain operational.
©2021-2023 : IOPEN Technologies Ltd - NZ