Chapter 1: Product Information

1.1 Overview

BlockyforVeeam® is designed to protect data on Windows NTFS and ReFS volumes from unauthorized manipulation by viruses, ransomware, and other malicious software by continuously monitoring and controlling file operations in real-time on protected file system locations.

Any application can write new data to a protected file system. When a file is closed, no application (including the one that created it) is permitted to modify, rename, move, or overwrite it unless a trusted application initiates the request. The feature works on a "block everything by default“ approach. The integrity of a trusted, whitelisted application is ensured by a unique fingerprint calculated from several binary checksums and other hashes from dependent components. Unwanted modifications to a trusted application can also be detected and reported to the user. Unauthorized attempts are logged, and notifications can be sent to security administrators.

1.2 Key Features

Access Control:

Access control modes can be enabled on a complete NTFS or ReFS volume or independently on folders on the first directory level of such a volume.

Whitelist:

BlockyforVeeam® allows unrestricted file access to trusted whitelisted applications.

Monitoring:

If an untrusted, non-whitelisted application tries to modify a file on a protected folder or volume, write access is denied by default. However, if the Blocky GUI is running, the write access is set on hold first, and requests will be displayed on the Request Table, so you can choose to allow or deny access. BlockyforVeeam® writes all access requests and responses to the log file C:\ProgramData\GrauData\Blocky\AccessControl.log. The content is also displayed in the “Monitoring” window in the "Logging" tab. The current status is displayed in the “Monitoring” window in the “Status” tab. To check for notifications, select the tab “Notifications” from the “Monitoring” window.

Notification:

BlockyforVeeam® can send alert notifications to the Windows application event log, to email recipients, and to the Status Area of the BlockyforVeeam® GUI depending on certain rules.

GUI and Core:

In the case of a new installation, two components—the GUI and the Core—can be selected as to whether both or just one should be installed. The GUI is responsible for the graphical user interface and can configure a Core. The Core is the engine and is responsible for protection and whitelisting.

Local and central GUI:

The GUI can operate in two different modes. After the installation, the GUI is set to local mode. Only when a server is added does the GUI mode change into a central GUI. As long as the GUI is set to local mode, the GUI and Core share a common password. By switching to central GUI mode, a separate password must be assigned for the central GUI.

1.3 Restrictions

1. BlockyforVeeam® supports local disks, e.g. block storage only.

2. Running on Microsoft fail-over cluster or Active Directory Domain Controllers is not supported.

3. NTFS and ReFS file systems are supported.

4. Basic support for built-in deduplication on NTFS file systems. On ReFS, dedup is not supported. Use the block cloning feature instead.

5. System volumes can not be protected

6. Only simple volumes on MBR and GPT disks are supported. Dynamic disks (e.g. striped, mirrored, or RAID-5) are not supported.

7. Each protected volume must have a single drive letter assigned or be mounted in a folder of a parent volume (junctions) that is not under access control.

8. Restrictions apply for volumes mounted in folders of parent volumes. AccessControl for the folder-mounted volumes and their parent volumes are mutually exclusive.

9. Running the Blocky GUI requires certain security privileges which are granted by default to admin users. See the chapter Diagnostics for details.

10. The "Controlled folder access" feature from built-in Windows Defender or Microsoft Defender for endpoint is not supported. This feature must be turned off when installing and using BlockyforVeeam®.

11. Some Windows System Services may perform raw volume access on Blocky protected volumes, which may cause unauthorized access events. See Chapter 5 (Monitoring) for details.

1.4 Deduplication

BlockyforVeeam® has basic support for built-in deduplication on NTFS file systems. Deduplication on ReFS file systems is not supported. The Windows components fsdmhost.exe and svchost.exe perform blocky-deduplication. To allow deduplication on Blocky-protected volumes, you must add both binaries to the list of trusted applications. Please whitelist both components either manually or during automatic whitelisting. The Windows component svchost.exe is responsible for various internal tasks. Only the deduplication task is allowed when this component is added to the whitelist.