I have a USB-attached drive that I use to write Macrium Reflect disk images on a daily schedule; the idea is that these will be my last line of defense against any kind of malware. Clearly I want to ensure that only Macrium Reflect can write to this disk (to protect against ransomware), so I’ve added the entire drive (H:*) to both the Protected Files list and the Protected Data Folders list. I’ve added Macrium Reflect to my HIPS entries with an exception to allow it to write to H:*.
My understanding is that only Macrium Reflect should now be able to write to H: (and indeed it can) yet I can use file explorer to add and delete files and folders to the disk and I expected that to fail. What am I doing wrong or what am I not understanding?
You’ll need to add block rules for other applications in the same way you allowed it for Macrium Reflect (I’d recommend adding block rules to the rulesets as well and for the application “All Applications”).
It stops unknown applications from modifying the protected files but by default trusted applications can still modify them.
One more question though, for the Windows Updater Applications rule it used a predefined rule ‘Installer or Updater’. It doesn’t appear to be possible to edit that ruleset to block access to my H: drive?