
Should I Back Up If My Machine Is Infected?

Backing up is fine. It’s the restore that’s a problem.

If you believe your machine is infected, first protect and preserve your data.
Question: I try to be careful about opening my email, but there’s a hacker out there who has the names in my address book. He or she sends out emails that look like they come from people I know. Their email address doesn’t show up, so I can see the address is not correct, but some made up address. The title is something like “Look here” and the message is “Hello, excellent website!” with a name of the website. I opened it thinking that the email was from my son. I got two of these kinds of emails and one after the other before I got suspicious and realized that I’d been hacked. So far, nothing bad has happened. Now I’m afraid to do a backup because it might mean the importation of the virus into my external backup drive. Is my thinking about this correct?

Yes and no.

When people think their machine is infected, I typically tell them to back up that machine right away. Yes, you are backing up a possible infection, but that’s okay. You’re never going to restore that infection because you know it’s there.

So why back up?

Let’s walk through the scenario.


TL;DR:

Backing up an infected machine

Yes, back up your infected machine to preserve your data. Just don’t restore the full system image. Clean up the infection and back up again. If malware persists, reinstalling Windows might be the only option. Note that regular backups can restore clean versions taken prior to the malware’s arrival.

Infection versus hacking

First, a clarification of terms. A malware infection is not the same as being hacked.

The article below deals with malware on your computer. That’s what anti-malware tools remove and why you might be concerned about backing up the infection to your external hard drive.

On the other hand, if your account or computer has been hacked, that means somebody other than you has access and is “doing things”. That may or may not rely on malware on your machine. Particularly if it’s just your online account that’s been hacked, it likely has nothing to do with your PC at all.

And yes, getting hacked can happen if you click the wrong link and log in to an imposter website.

Why back up an infected machine?

When you create an image backup, you’re preserving everything. Yes, the backup includes the malware, but it also has all of your data, your programs, everything. That means that no matter what havoc the malware (or your removal attempts) might wreak, you always have a backup of your machine and your data.

Think of it as an “It can’t get any worse than this” backup.

However, you must be careful not to restore the entire backup to your machine [1]. You’d use this backup only for restoring specific files and pieces of data that you know aren’t infected.

You can’t predict what files you will want later, which is why you should back up the entire machine with an image backup.

Get rid of the malware and back up again

It may or may not be simple to do, but you need to do this if you suspect someone has infected, hacked, or placed malware on your machine.

Ensure that your anti-malware tools are as current as possible, and then run a complete scan.

Then take another backup. Again, it’s a safety net. This says, “Okay, this is the machine after I did everything I could to clean up the malware.” That way, you have a snapshot of that point in time as well.

Scanning may not be enough

One of the grim realities of malware is that not all scanners catch all malware, and even if they do, not all scanners can get rid of all malware. This is one reason it’s so important to avoid malware in the first place.

If you still see signs of an infection after that complete scan, or you just don’t feel safe, there’s only one option.

Once your machine is infected with malware, it’s not your machine anymore. The only way to regain ownership is to erase it completely, reinstall Windows from scratch, reinstall your applications from scratch, and restore your data from your backup or elsewhere.

It’s painful, but it’s the only way to be as certain as you can be that the malware is gone.

Backing up an infection does not infect the backup drive

Backing up an infected machine does not cause the backup drive to become infected. It’s a carrier, nothing more.

This is similar to the difference between a setup program and the program it sets up. A setup program contains a program to install on your computer. It’s not until you run the setup file that the program is installed and ready to run.

When malware is backed up, its files are collected into the backup, but not in a way that allows the malware to run. Now, if you restore the complete backup, the malware may be able to do things, but as long as it’s just part of a backup sitting somewhere, it’s benign.

The backup remains useful because we can carefully restore individual files without restoring the malware. “Restoring a File From an EaseUS Todo Image Backup” shows one example, but most all image backup programs include similar functionality.
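
For readers comfortable with a script, here is one way to do that careful, file-by-file restore. It is an added example, not code from this article or from any backup program. It assumes your backup tool can mount the image as an ordinary folder or drive letter; the function names and the list of risky file types are assumptions made for illustration.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

# Assumption (not from the article): types Windows can run or that can carry macros.
RISKY_EXT = {".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".ps1", ".vbs",
             ".js", ".msi", ".lnk", ".hta", ".docm", ".xlsm", ".pptm"}

def selective_restore(mounted_backup, staging, wanted):
    """Copy requested data files from a mounted backup into a staging folder.
    Returns (restored: path -> SHA-256 of the copy, skipped: path -> reason)."""
    root, staging = Path(mounted_backup).resolve(), Path(staging)
    restored, skipped = {}, {}
    for rel in wanted:
        src = (root / rel).resolve()
        if not src.is_relative_to(root) or not src.is_file():
            skipped[rel] = "not a file inside the backup"
            continue
        with src.open("rb") as fh:
            head = fh.read(2)
        if src.suffix.lower() in RISKY_EXT:
            skipped[rel] = "runnable or macro-capable type"
        elif head == b"MZ":
            # Windows programs start with "MZ" whatever the file is named.
            skipped[rel] = "executable header under a data extension"
        else:
            dst = staging / rel
            dst.parent.mkdir(parents=True, exist_ok=True)
            shutil.copyfile(src, dst)  # copies contents only, never runs anything
            restored[rel] = hashlib.sha256(dst.read_bytes()).hexdigest()
    return restored, skipped

def demo():
    """Run against a constructed stand-in for a mounted image backup."""
    with tempfile.TemporaryDirectory() as tmp:
        backup, staging = Path(tmp, "backup"), Path(tmp, "staging")
        samples = {  # constructed sample files, not real data
            "Documents/notes.txt": b"tax notes 2024\n",
            "Documents/photo.jpg": b"MZ\x90\x00 disguised program",
            "Downloads/setup.exe": b"MZ\x90\x00 installer",
        }
        for rel, data in samples.items():
            (backup / rel).parent.mkdir(parents=True, exist_ok=True)
            (backup / rel).write_bytes(data)
        return selective_restore(backup, staging, list(samples) + ["../outside.txt"])
```

This is only a first filter: scan the staging folder with your anti-malware tools before moving anything back into place, and keep the returned hashes as a record of exactly what you restored.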

Back up before you’re infected

There’s another option that’s much easier than any of the above, but it assumes you’re backing up regularly — which you should be doing for this and so many other reasons.

Restore your machine to an image backup taken before the infection. That way, the malware isn’t there yet. Moving forward, you know not to open that email or click on those links.

Do this

Back up regularly, of course. But also keep an eye on your security overall to make sure you don’t get a malware infection to begin with. As you can see, the cost can be high. Prevention is much easier than the cure.


Footnotes & References

1: There is a scenario where restoring an infected backup might make sense: if your attempts to remove the malware make your machine less stable or perhaps even completely unusable, you might consider restoring an infected backup so you can restart your cleanup efforts.

4 comments on “Should I Back Up If My Machine Is Infected?”

  1. Hello Leo –
    Since your data is the most valuable thing on your computer, I strongly recommend using a separate data backup program (in addition to using an image backup program) to ensure that you have the strongest possibility of recovering most, if not all of your data if a complete melt down occurs. You can always rebuild your computer (OS, programs) from scratch to eliminate any possibility of a virus remaining, do an image backup (for a known clean copy), then do a multipass virus scan on your data backup using multiple antimalware tools before recovering your data. That last part is necessary since you really may not know if a virus came from an OS or program infection, or an infected piece of data. I use FreeFileSync to do my separate data backups. Additional benefits to this approach and data backup tool: 1) Doing a data backup is much faster than doing an image backup, so a user will be encouraged to do data backups more frequently (I usually do them multiple times a day as I do my daily work); 2) FreeFileSync is incredibly versatile when it comes to backing up and archiving data – you can easily create data backup batch files, create multiple and historical copies of data, include or exclude specific data in a backup and more, depending on your paranoia level; 3) FreeFileSync transfers data in its native format – no compression issues to have to deal with; 4) excellent log files are provided in HTML format for every data backup so that you can see exactly what happened as a result of doing a data backup; 5) FreeFileSync is regularly updated, so it has a large and active user base; and 6) FreeFileSync is free (but a small, one-time donation is unobtrusively solicited, and it’s well worth it – full disclosure: I have absolutely no business or financial ties to the author of this excellent program)!

    • Sounds like a fine program, but honestly, this is exactly what I use tools like OneDrive, Dropbox, and others for. I get my data backed up as I change it, and get it stored off-site at the same time.

      • Can you elaborate on your reply to DennisJ Jan 6, 2025 about “tools like OneDrive, Dropbox, and others” for separate data backups please? I have an old backup image before problems began. Can I restore the system from that and then restore my current data files with your tool(s)?
