18

Imagine a laptop that's been infected by malware, and that the owner hasn't backed-up their files.* They have pictures, videos, and documents they'd like to preserve, so they're hesitant to immediately nuke it from orbit.

The objective is to back-up the files they wish to keep before wiping their machine, but how can they know that one of their files isn't infected? A common suggestion I've seen here is scanning said files after moving them to an external hard drive, for example, and then moving them back to the machine which has just been wiped. In this case, the concern is the malware evades detection and restoration reinfects their computer.

How can the user safely back-up files from an infected machine so that they avoid reinfection when transferring them to a clean machine?


*By "files," I mean documents, images, video, programming projects, etc.; not system files, like registry settings and scripts.

  • 1
    `and that the owner hasn't backed-up their files.` Well, sucks – user155462 Mar 26 '18 at 13:44
  • And you're forgetting some problems. Not just infected files, but also the risk of spreading to the backup device etc. – user155462 Mar 26 '18 at 13:45
  • @user155462 But even if the owner had backed up their files, would you know that the backups weren't infected? You can't be smug just because you have a backup disk. – Simon B Mar 26 '18 at 14:07
  • 2
    Nobody suggests nuking from orbit because it's fun. It's suggested because it's the only way to be sure. – Neil Smithline Mar 26 '18 at 14:45
  • The best I can suggest is to back up to extermal media. Wait as many days as you can. Get an *up-to-date* virus scanner, or preferably several, and scan the media. There's more chance if you leave it that at least one scanner will have been updated to spot the virus. – Simon B Mar 26 '18 at 15:09
  • @SimonB Nobody is smug here. But my compassion is limited nonetheless for people who have important data but no interest in protecting it. And yes, it "might" be in the backup already, so the backup "might" be not good - without backup, however, it's 100% that the backup is no good. – user155462 Mar 26 '18 at 15:27

6 Answers6

8

"How can they know that one of their files isn't infected"? You can't. Well you can if you get down into the bits of the file, but that's pretty tedious and expensive.

If you have an idea of the date the device got infected, files not altered before that date stand a higher chance of not being infected. That's not a guarantee, because changing a file's date isn't hard. So even that's not foolproof.

Really the only halfway decent option is to scan the file, copy it to an external drive, then scan it again and copy it back. Odds are that it's a generic and not a targeted infection. By waiting a couple days, to give AV vendors time to update their virus definitions, you stand a better chance of removing the infection when you move and scan the files. That's not 100%, though - unless you know the infection and that the AV in question resolves the infection, you could set yourself up for a reinfection.

The only safe alternative is to wipe everything and have the user buy an external hard drive. Then they should use it regularly to back their files up.

baldPrussian
  • 2,778
  • 2
  • 10
  • 14
  • I'm curious as to what you mean by "a generic and not a targeted infection." Is a generic infection a consequence of a user casually browsing the internet and catching something, whereas a targeted infection is when some adversary is "out to get you"? –  Mar 26 '18 at 22:16
  • 1
    That's exactly right. By "generic" I mean some piece of malware that's just written for the world at large. A targeted infection is directed directly at you to get at something specific. – baldPrussian Mar 26 '18 at 22:35
5

What do you mean by "files?"

If you mean system files, registry settings, binaries, and scripts, then the other answers are correct that there's essentially no way to be safe. Since this is a question about recovery from infection, then the standard advice -- do a clean OS install -- still applies.

However, if by files you mean the more common usage of data files like text and images, then you really don't have to worry about reinfection from a backup as long as you don't "execute" anything from your backup. An "infected" image file can't affect your system barring a serious bug in the software you use to view or edit it.

At the end of the day, I think most people will be happy if they can save their family photos and Word documents from an infected computer, and that can be done really without much danger. You can always "rebuild" your installed programs, settings, browser profiles, etc.

ArrowCase
  • 148
  • 4
  • I edited my post to specify what sorts of files I had in mind--data files. –  Mar 28 '18 at 18:36
  • 4
    An infected image file can't affect your system barring a serious bug in the software you use to view or edit it. Be warned, though, that these vulnerabilities do happen from time to time. – Emilio M Bumachar Mar 29 '18 at 15:58
  • Aren't word documents a bit of a tricky case due to macros? – Ted Brownlow Oct 11 '22 at 19:24
3

Make a backup any way you want. Assume that the backup is infected. In fact, always assume that ANY backup is infected. The trick is avoiding the infection from spreading back to your machine afterwards.

Make sure your machine will only boot from its own hard disk and not from any external disk or stick, CD drive, or network. This is a BIOS setting.

As a second line of defense, never restart or turn the machine on with any media inserted. However, you will forget this some day, so the BIOS setting is important.

Never restore program files from backup, only data files. Programs should be restored from their original source. Install all security updates.

Once upon a time, this would have been enough since only programs get infected, data files does not. Unfortunately, times have changed and files that look like data files actually contains program code too.

If you open a document and it says something like "This document contains active macros. Allow them to run?", you say NO. The actual wording of the question will vary from program to program, but just say NO anyway.

Even after all this, you will still get hit again someday, so

Keep making backups!

Stig Hemmer
  • 2,413
  • 10
  • 14
  • 1
    How feasible/common is the bootable media attack? Since most people leave their machines running rather than turning off at the end of each day, it seems like Autoplay media is much more important to defend against. – NH. Mar 27 '18 at 15:32
  • 1
    *“files that look like data files actually contains program code too”* → irrelevant. Perfectly innocuous-looking, plain-data file formats are regularly used to run code by exploiting a vulnerability in whatever software reads/parses/interprets them. For all you know, even plain text files might trigger a bug in some utf8 decoding procedure in some software causing it to re-infect the new system. – spectras Mar 28 '18 at 21:49
2

What @baldprussian says is mostly right. (You cannot know if a file is infected; files might be encrypted so the scanner can't read them, the file may contain attacks against your scanner.)

You do need a trustworthy boot that lets your run your AV unmolested. You can do that by copying files and examining them on another PC, but you can also boot the computer from a bootable USB stick with AV. There's a list of ways to do that at https://www.lifewire.com/free-bootable-antivirus-tools-2625785. I'm personally fond of the FixMeStick, which is a commercial packaging of the USB drive, several of those AV systems, and updates.

Adam Shostack
  • 2,659
  • 1
  • 10
  • 12
2

There is no risk free way to do this, but there are things you can do to minimize the risks. If you have no old, clean backup your only two options is to accept the risk or lose the data.

So, how to do this?

  • When you do the backup, boot from an external drive. That way, the infected OS on your hard drive will not load. While individual files may still be infected, at least it's less likely that the virus messes with the backup drive itself.
  • Don't blindly copy all files. Stay away from executables, unless absolutely necesarry. Also avoid file types that can contain dangerous macros (e.g. old Office files, or new ones with the extension ending with m).
  • When you have the backup, completely format your entire hard drive and install a freash OS with some updated antivirus.
  • Scan the drive with your AV. If no viruses are found, then great. If some files are infected, you have problems. You could just delete them, but who knows if there are more the AV did not discover. At the very least, I would reformat and reinstall the OS again before restoring the backup.
  • After you are done, format all devices that has been in contact with the infected machine (e.g. the USB drive the backup was on). Or even better, if you can spare the money, just throw them away.

I want to emphasize that no AV can give you a 100% clean bill of health. This procedure involves some risk, but it is a level of risk that might be worth it if it's your wedding photos or master thesis that's on the line.

This question contains some good guidance on how to deal with virus infections as well.

Anders
  • 65,052
  • 24
  • 180
  • 218
  • Does the probability of malware detection increase as AVs are updated? Going off of baldPrussian's comment--"By waiting a couple days, to give AV vendors time to update their virus definitions, you stand a better chance of removing the infection when you move and scan the files."--perhaps infected files could be quarantined and scanned periodically. When an AV finally detects them, clean them up and restore them on one's machine. If there's no detection, then accept the risk, but the risk decreases with each AV update. Is this approach logical? –  Mar 28 '18 at 18:06
  • 1
    @orbuculum Not sure how fast AV vendors operates, so I don't know what would be a good approach there. – Anders Mar 28 '18 at 18:30
  • "Stay away from executables, unless absolutely necesarry." "Or even better, if you can spare the money, just throw them away." You're downplaying the risk of copying probably-infected *executable* files (I don't see how it would ever be necessary enough to risk probable reinfection), but warning that *formatting* the disk might not be enough (I doubt this would be an issue unless you're the subject of a targeted attack by some very powerful (government?) entity, in which case you'd need to be a lot more careful with the copying). – Solomon Ucko Jan 12 '20 at 02:36
0
  1. First of all backup all files including infected one's too,
  2. Test them on a safe environment.You can use virtual box to run,test,scan and analysis them with proper antivirus tool or anything else.
  3. Separate the safe files and try to uninfect the infected files .
Anders
  • 65,052
  • 24
  • 180
  • 218
  • 1
    Regarding step two, what actions should be taken in cases where malware propagates merely from plugging in a USB device like an external hard drive? –  Mar 28 '18 at 21:26