Originally published at: https://tidbits.com/watchlist/retrospect-18-5-2/
Improves the Anomaly Detection ransomware feature. ($49 for Solo and $119 for Desktop new, free update, upgrade pricing available, 170 MB, macOS 10.8.5+)
TidBITS didn’t announce the Anomaly Detection feature when it was released in 18.5.1 on 15 February 2022; StorCentric subsidiary Retrospect “Inc.” seems to have made that release in a hurry. I’m still on Retrospect Mac 16.6, so I can’t test it. However, Agen Schmitz left out any mention of “Script Hooks: Fixed issue where intervention file was not deleted (#9873)”. The “How to Stop a Backup” section of the Knowledge Base article “Extend Anomaly Detection for Ransomware with Script Hooks” says:
The administrator can use the AnomalyAlert script hook to know when an anomaly has been detected and then use the $interventionFile file within the launch script to stop the backup. See Script Hooks Examples for sample scripts. ¶ With this simple process, the administrator can stop a backup as soon as an anomaly is detected, without preserving the suspect files.
We’re having a little trouble figuring out how much to say about Retrospect’s ransomware features. The problem is that they’re a great idea and seem very cool, but there is basically no threat to Mac users from ransomware at this point—it’s a Windows concern. I wrote about this in:
A problem with your “it’s a Windows concern”, Adam Engst, is that the June 2020 MacWorld article you linked to in your 15 November 2021 issue cites examples of Mac ransomware that are mostly at least 5 years old. The exception is ThiefQuest / EvilQuest, which is as much an espionage/sabotage tool as a ransomware tool. And I think potential Russian sabotage was what motivated Retrospect “Inc.” to hurriedly release 18.5.2 on 15 February 2022. To see what I mean by “hurriedly”, read my posts from 20 February through 28 March in “Retrospect 13: a choice for backup of multiple drives to offsite rotation or cloud”—a thread I’ve maintained since 2015 in the Ars Technica Mac forum (I can’t remove the version number from the thread title after my 2016—when Retrospect cloud backup was announced—revision).
A foundation of Retrospect is that its “backup server” Engine code has remained common to both its Mac and Windows variants since Fall 2009. Currently Retrospect’s Anomaly Detection feature looks—in the Engine’s Compare phase—for updates to files that change their extensions. That seems as though it’d be a Windows-only anomaly, but such changes’ purpose is to flag a file that’s been encrypted so the ransomware won’t encrypt it again—which would make decryption when the ransom has been paid impossible. However file-name prefixing is another possible method of flagging, but in any case IMHO a ransomware application that has been adapted for pure sabotage wouldn’t need to flag encrypted files.
A problem with your “$119 for Desktop”, Agen Schmitz, is that the Desktop Edition price is really $159—because “All editions above Solo include Annual Support and Maintenance (ASM)” per Retrospect Backup 18 Licensing Changes. That’s the least part of a general Retrospect Version 18 de-facto price increase, which appears to have been motivated by StorCentric’s Drobo subsidiary being temporarily unable to deliver its hardware product because of supply chain disruptions. Part of that de-facto price increase is the restriction of features in the Solo and Desktop Editions, intended to make customers upgrade to the $549 Single Server 5 Edition—or $799 Single Server 20 Edition to continue tape backup.
The implementation of one of those feature restrictions—the limitation of Solo and Desktop Edition “backup servers” to 2 and 4 concurrent script operations respectively per “Retrospect Backup: Compare Editions”—has resulted in a Version 18 bug that remains unfixed 9 months after customers reported it in Retrospect’s Mac Bug Reports sub-sub-forum. Retrospect Mac’s GUI is in a separate Console, which has long had an Allow __ Activity Threads preference setting that tells the Engine to limit concurrent script operations to a number that a customer’s “backup server”—often an old Mac—can handle. That preference setting used to be saved in the bowels of the running-so-long-as-machine-booted Engine, so that the Console—when it’s started and stopped like an ordinary application—would re-initialize it to its previously-set limit. Mac Version 18, in order to make sure that Solo and Desktop Edition customers don’t get more concurrent script operations than they’re paying for, re-initializes that preference based purely on the Edition license whenever the Console is started. Thus, whenever a customer with a license for more than the Desktop Edition starts his/her Console, the Engine reverts to running up to 14 concurrent script operations—likely more than his/her probably-old “backup server” Mac can handle without bogging down its CPU. As I edit this, 587 users have viewed the thread discussing this bug in Retrospect’s Mac Bug Reports sub-sub-forum—so I think the lack of a fix is a real problem.
P.S.: The maximum in the Retrospect Mac Console preferences is Allow 16 Activity Threads for Editions more expensive than Desktop. However, this has always seemed to mean 14 generated component Activity Thread sub-Scripts—plus one for a possible parent Proactive Script and one for the overall “backup server”. I don’t know how many generated component Activity Thread sub-Scripts are allowed for the Desktop Edition in Retrospect Version 18.
I’ve updated the price for Retrospect Desktop to $159 to reflect the 1 year of ASM.
Retrospect, because its “backup server” can back up both Windows and macOS “client” machines, raises an even-more-basic issue for the TidBITS “basically no threat to Mac users from ransomware” attitude. Especially in these days of Work From Home, it’s not unusual for a Mac-centric organization—household or small business—to also have Windows machines on its LAN that need to be backed up.
The home I used to share with my now-deceased ex-wife was an early example of this. (Forgive some personal details; IMHO you wouldn’t believe this story without them.) My wife and I each had a Mac, and I used a third older Mac as the Retrospect “backup server” for both our machines. However my final job was as an applications programmer for the newly-acquired software subsidiary of a Teaneck NJ market research company. I directly reported to two bosses located in a suburb of Melbourne Australia, but their boss worked down the hall from me. At the end of 2001 I came down with shingles, and my bosses’ boss (who was Native American on his mother’s side and had some non-modern health beliefs) expressed fear—once I returned to my windowless Teaneck office after 3 days because I’d used up my 2001 vacation/sick leave—I’d give shingles (not merely chickenpox) to the other Teaneck employees when I got hot water from the break room for my tea. He ordered IT—who also reported to him—to build me a Windows 95 (our lowest-common-denominator work platform) “flat tower” with a slide-out HDD tray so that I could work from home, and to also give my office Windows 95 tower a slide-out HDD.
IMHO he primarily needed an over-the-Internet “guinea pig” for market researcher employees who’d henceforth bring Windows 95 laptops to the offices of their corporate clients, and connect to the server-stored client data at our Teaneck office. My bosses’ boss was therefore happy when I decided to work from home on Wednesdays, given that I’d frequently also do a bit of work from home on weekends. At vast personal expense I bought a chest-worn camera bag suitable for bus travel, so I could carry the slide-out HDD home on Tuesday and Friday nights and back to the office on Thursday and Monday mornings. I backed up the HDD at home using Retrospect early Thursday and Saturday mornings IIRC, because IT expressed annoyance with having to back it up—in addition to Teaneck’s central Windows server drives—as a supplement to my weekly two-way e-mail exchanges of code with Melbourne.
What I did during 2001–2004 is what should be routinely duplicated in millions of WFH households—many of them previously Mac-only. (As an alternative Retrospect Inc. introduced in 2018 a Remote Backup feature, evidently designed for far-flung organization employees who can’t be trusted to back up laptops containing data valuable to the organization—when they move laptops between IP addresses.) So TidBITS shouldn’t cavalierly ignore Retrospect’s capability of backing up Windows “client” machines using a Mac “backup server”. Some of the Windows “client” machines will inevitably catch ransomware.