Drastic change alerts

I recently ran into this with a CrashPlan user so it got me wondering - would it make sense for Duplicati to have an “alert” (email?) feature to let a user know when a drastic change has occurred in some functionality?

For example:

  • backup Source size changes xx% from last backup (oops, did I drop a video file in the wrong folder? Or worse delete something I didn’t mean to?)
  • file scanning (normalized for number of files / folders scanned) is taking xx% longer / shorter than it historically has (is a drive going bad?)
  • destination reads / uploads are taking xx% longer than historically tracked (network problem? destination needs to be reviewed?)
5 Likes

Yes, I think this makes a lot of sense. It can also be a detection of ransomware attacks, where a large number of files are suddenly changed.

2 Likes

A very good reason for considering such a feature. However, there are some pitfalls. How should Duplicati behave if it suspects a ransomware attack? Ideally the backup will be suspended, so no encrypted files will be backed up, wasting backend storage, and it avoids the ransomware tampering with the backup volumes.

But I have a few negative experiences with other backup software with similar functionality. In one case, after a ransomware attack we moved the encrypted files to a separate folder. A few days later we discovered that no backups were made after the attack, because the software found encrypted files, which is fair, but in this situation it was an unwanted side effect.
On another server, no ransomware attack took place, but the backup software halted, because it found a folder containing an amount of Zip files that were secured with a password.

I would just make it a warning. There could be good reasons for changing a bunch of files. Of course you can look at the compress-ability of the files as well, but it is a heuristic, so stopping backups seems dangerous.

If you have more than a single version, you should detect the change and still have older versions that are recoverable.

A very good reason for considering such a feature. However, there are some pitfalls. How should Duplicati behave if it suspects a ransomware attack? Ideally the backup will be suspended, so no encrypted files will be backed up, wasting backend storage, and it avoids the ransomware tampering with the backup volumes.

Don’t suspend the backup, but do suspend the pruning out of older versions.

1 Like

That seems like a safe default setting, but maybe a “drastic change action” parameter is needed so the more paranoid among us can set it to suspend backups while the less paranoid can set it to just alert but otherwise continue as normal.

I don’t know if source size and file count is saved historically or just as most recent. If it’s most recent only then we’ll somehow need to record somewhere that we’re in a “need user input” state.

And what should be done if another round of backups occurs before user input…send another email saying Duplicati is in a “drastic change” state? (Remember that at the next backup after a drastic change, there no longer is a drastic change.)

Just to be clear: I prefer the “warning-only” option. Even stopping the pruning of old versions could be tricky.
If Duplicati stops the pruning operation in case of a false positive, backend storage may run out of space if the user misses the warning or doesn’t read the logs.

Good point. Default to notification with optional additional actions (pause prune, pause backups) selectable by user?

Agreed. The gentlest default is probably fine esp. since the real sitch will come up about 0.00004x as often as y’all are imagining 🙂

1 Like
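The detector sketched across this thread, as an added example that is not Duplicati code: it compares a run's source size, scan time per file and upload time per byte against the median of earlier runs, maps any flagged metric to the user's chosen action (notify only by default, optionally pause pruning or pause backups), and keeps the "drastic change" state pending until acknowledged so a quiet follow-up run does not silently clear it. The 25% threshold, the `RunStats` fields and the action names are assumptions for illustration.

```python
from dataclasses import dataclass
from statistics import median

@dataclass
class RunStats:
    """Per-run figures a backup job would record (hypothetical field set)."""
    source_bytes: int
    file_count: int
    scan_seconds: float
    upload_bytes: int
    upload_seconds: float

def pct_change(current: float, baseline: float) -> float:
    """Signed percentage change from baseline; a zero baseline is treated as 'no change'."""
    return 0.0 if baseline == 0 else (current - baseline) / baseline * 100.0

def drastic_changes(history: list, current: RunStats, threshold_pct: float = 25.0) -> dict:
    """Return {metric: pct_change} for metrics that moved more than threshold_pct
    against the median of past runs. Scan and upload times are normalized per
    file / per byte so a bigger source alone does not trigger the timing checks."""
    if not history:
        return {}
    base_size = median(h.source_bytes for h in history)
    base_scan = median(h.scan_seconds / max(h.file_count, 1) for h in history)
    base_upload = median(h.upload_seconds / max(h.upload_bytes, 1) for h in history)
    checks = {
        "source_size": pct_change(current.source_bytes, base_size),
        "scan_time_per_file": pct_change(current.scan_seconds / max(current.file_count, 1), base_scan),
        "upload_time_per_byte": pct_change(current.upload_seconds / max(current.upload_bytes, 1), base_upload),
    }
    return {k: round(v, 1) for k, v in checks.items() if abs(v) > threshold_pct}

def decide(changes: dict, action: str = "notify") -> dict:
    """Apply the configured 'drastic change action': notify (default, continue as
    normal), pause_prune (back up but keep old versions), pause_backup (stop both)."""
    if not changes:
        return {"alert": False, "run_backup": True, "prune": True}
    return {"alert": True, "run_backup": action != "pause_backup", "prune": action == "notify"}

def next_state(pending: bool, changes: dict, acknowledged: bool) -> bool:
    """Stay in the alert state until the user acknowledges it, so the next run
    (which by itself shows no drastic change) still re-sends the notification."""
    return False if acknowledged else (pending or bool(changes))

if __name__ == "__main__":
    # Constructed sample: five steady runs, then a source that grew by 50%.
    past = [RunStats(10_000_000_000, 100_000, 200.0, 100_000_000, 100.0) for _ in range(5)]
    now = RunStats(15_000_000_000, 100_000, 200.0, 100_000_000, 100.0)
    flagged = drastic_changes(past, now)
    print(flagged, decide(flagged), next_state(False, flagged, acknowledged=False))
```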