
[ADSM-L] Ransomware deleted TSM backups from node

2015-01-30 20:42:27
Subject: [ADSM-L] Ransomware deleted TSM backups from node
From: Roger Deschner <rogerd AT UIC DOT EDU>
To: ADSM-L AT VM.MARIST DOT EDU
Date: Fri, 30 Jan 2015 19:40:23 -0600
I'm not sure there's anything that can be done about this, but take it
as a warning anyway.

A Windows 7 desktop node here was attacked by CryptoWare 3.0 ransomware.
They encrypted all files on the node, and left a ransom note.

The node owner called me because they were having trouble restoring
their files from TSM using a point-in-time restore. The files were gone!
Apparently this villain located which backup program was installed,
found it was TSM, and issued actual dsmc delete backup commands, which
they were allowed to do since PASSWORDACCESS GENERATE was in effect. So
this attack vector is not limited to TSM; it would work with any backup
program that the villain can figure out how to use.

I have moved this node to a domain that includes VEREXISTS=NOLIMIT
VERDELETED=NOLIMIT RETEXTRA=NOLIMIT RETONLY=NOLIMIT for that Copy Group,
while our data security people investigate.

I am planning to change all TSM client nodes to BACKDEL=NO ARCHDEL=NO to
prevent a hacker from deleting backups. Anybody got a better idea?

Roger Deschner      University of Illinois at Chicago     rogerd AT uic DOT edu
=================== ALL YUOR BASE ARE BELONG TO US!! ===================
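The two server-side controls named in the post (BACKDEL=NO ARCHDEL=NO on the node, and NOLIMIT retention on the backup copy group) can be audited and applied across a whole server rather than one node at a time. The script below is an added example and is not code from the post or from IBM; it parses the text of `query node format=detailed` as dsmadmc prints it and emits the UPDATE NODE commands for every node that is still allowed to delete its own backups or archives, plus the UPDATE COPYGROUP / ACTIVATE POLICYSET sequence for the retention change. The sample output, node names and domain names are constructed for the example; the field labels are assumed to match the server's detailed node display.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of `dsmadmc ... "query node format=detailed"` output.
# Node names, platforms and domains are invented; the field labels are
# assumed to match what the TSM server prints.
SAMPLE_QUERY_NODE = """\
                      Node Name: DESKTOP01
                       Platform: WinNT
             Policy Domain Name: STANDARD
         Backup Delete Allowed?: Yes
        Archive Delete Allowed?: Yes
                        Locked?: No

                      Node Name: FILESERVER
                       Platform: Linux x86-64
             Policy Domain Name: STANDARD
         Backup Delete Allowed?: No
        Archive Delete Allowed?: Yes
                        Locked?: No

                      Node Name: DBHOST
                       Platform: AIX
             Policy Domain Name: NOLIMIT_DOM
         Backup Delete Allowed?: No
        Archive Delete Allowed?: No
                        Locked?: No
"""

# "Label: value" lines; the key stops at the first colon so values that
# contain colons (timestamps) survive intact.
FIELD_RE = re.compile(r"^\s*(?P<key>[^:]+?):\s?(?P<value>.*)$")


def parse_query_node(text: str) -> List[Dict[str, str]]:
    """Split detailed node output into one dict per node; records are blank-line separated."""
    records: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        m = FIELD_RE.match(line)
        if m:
            current[m.group("key").strip()] = m.group("value").strip()
    if current:
        records.append(current)
    return records


def nodes_allowing_delete(records: List[Dict[str, str]]) -> List[Tuple[str, bool, bool]]:
    """(node, backdel, archdel) for every node the client side can still delete from."""
    found = []
    for rec in records:
        backdel = rec.get("Backup Delete Allowed?", "").upper() == "YES"
        archdel = rec.get("Archive Delete Allowed?", "").upper() == "YES"
        if backdel or archdel:
            found.append((rec["Node Name"], backdel, archdel))
    return found


def node_remediation(records: List[Dict[str, str]]) -> List[str]:
    """One UPDATE NODE per offending node, switching off both delete rights."""
    return [f"UPDATE NODE {name} BACKDELETE=NO ARCHDELETE=NO"
            for name, _, _ in nodes_allowing_delete(records)]


def copygroup_remediation(domain: str, policyset: str, mgmtclass: str) -> List[str]:
    """Set the backup copy group to keep every version forever, then validate and
    activate the policy set so the change actually takes effect.
    The domain/policyset/class names are parameters supplied by the caller."""
    return [
        f"UPDATE COPYGROUP {domain} {policyset} {mgmtclass} STANDARD TYPE=BACKUP "
        "VEREXISTS=NOLIMIT VERDELETED=NOLIMIT RETEXTRA=NOLIMIT RETONLY=NOLIMIT",
        f"VALIDATE POLICYSET {domain} {policyset}",
        f"ACTIVATE POLICYSET {domain} {policyset}",
    ]


if __name__ == "__main__":
    recs = parse_query_node(SAMPLE_QUERY_NODE)
    for cmd in node_remediation(recs) + copygroup_remediation("STANDARD", "STANDARD", "STANDARD"):
        print(cmd)
```

Feed the printed commands to dsmadmc (or a macro file) with an administrator ID; the client's stored node password cannot run them, which is the point. Both controls are needed together: BACKDEL=NO stops `dsmc delete backup`, but an attacker holding the node's generated password can still run a fresh incremental of the encrypted files, which makes the good copies inactive versions, and only NOLIMIT retention keeps those inactive versions from expiring.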
