
How Do I Safely Back Up an Infected Drive?

Backing up is easy. It’s what happens next that matters.

Infected
(Image: canva.com)
Once your machine is infected, system backups are likely to include the infection, but are still important. I'll look at what steps to take.
My hard disk got infected with a virus. I am planning to format it. So is there a way to back up all of the data without carrying the virus?

Nope.

There’s no practical way to back up the entire hard disk without also including the infection.

That doesn’t mean you shouldn’t; it just means you need to be careful. I have strong recommendations on how to proceed.


TL;DR:

3 options to back up an infected drive

  • Back up the entire drive, knowing it’s infected. You’ll be able to restore anything you need later.
  • Back up the entire drive and restore to a second drive — or just move the infected drive to be a second drive. Scan the second drive for malware and restore files as needed.
  • Back up only data from the drive. The risk is missing something important.

Backup tools are not anti-virus tools

Backing up an infected system while carefully excluding the malware would require backup software that could somehow tell what is and is not malware.

It can’t.

In fact, it shouldn’t.

Imagine a false positive causing some incredibly important file to not get backed up. That could cause serious problems later.

Anti-malware tools, not backup tools, are for identifying malware.

Option 1: Back up, and know it’s infected

My recommendation is you back up everything — infection and all — and make careful note the backup is, itself, infected.

So never, ever restore the entire backup.

As you can guess, restoring the entire backup would restore the malware, leaving you no better off.

The purpose of taking a full backup of an infected machine is to make absolutely certain you’ve backed up all of the other files on that machine.

You would then:

  • Reformat your hard disk, erasing everything on it, including the malware. (Optional; might be part of the next step.)
  • Reinstall the operating system from scratch (not from the backup).
  • Reinstall all your applications from scratch (not from the backup).
  • Carefully restore your data files, and only your data files, directly from the backup without restoring anything else — perhaps scanning them for malware as you do, just in case they’re carriers.

Having a full backup guarantees you’ve captured every file you could possibly need when it comes time to restore.

Option 2: Restore to a different drive and scan

Another alternative is to restore the full backup to a second drive — a drive from which you do not boot your computer.

You would first reformat and reinstall the operating system and applications to the primary drive, as above.

Then you would restore the infected image to a second drive, possibly even an external drive. Then — once again carefully — copy only your data files from the secondary drive.

I’d suggest running anti-malware scans on the secondary drive as soon as practical, simply to remove what malware can be found. This makes having it attached to your system slightly less dangerous.
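The selective-restore step in Option 1 and Option 2 (reinstall the OS and applications, then copy only your data files out of the infected image or drive, flagging anything that deserves a malware scan) is shown below as an added example; it is not code from the Ask Leo! article. It assumes the infected image or old drive is already mounted read-only at a source folder and that the freshly installed system is the destination; the folder names, extension lists and sample files are constructed for the demo and are not a complete allow/block list.

```python
"""Selectively restore user data files from a mounted backup of an infected drive.

Added example, not part of the Ask Leo! article. Assumes the infected backup
image (or the old drive from Option 2) is mounted read-only at src_root and a
freshly installed system is the destination dst_root. Folder names, extension
sets and the sample files below are constructed for this demo.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path

# Top-level user folders worth restoring. AppData, Program Files, Windows and
# the like are deliberately absent: they are reinstalled from scratch instead.
DATA_FOLDERS = {"Desktop", "Documents", "Pictures", "Music", "Videos"}

# Active content that should never be copied back from an infected image.
BLOCKED_EXTS = {".exe", ".dll", ".scr", ".com", ".msi", ".bat", ".cmd",
                ".vbs", ".js", ".ps1", ".lnk", ".pif", ".hta", ".jar"}

# Document types that can carry macros or exploits: copy them, but flag for a scan.
SCAN_EXTS = {".doc", ".docm", ".xls", ".xlsm", ".ppt", ".pptm", ".pdf"}


def sha256_of(path: Path) -> str:
    """Hash a restored file so the manifest can be checked against a later scan."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def selective_restore(src_root, dst_root):
    """Copy data files under DATA_FOLDERS from src_root into dst_root.

    Returns a report dict: 'copied' (relative path -> sha256),
    'skipped' (relative path -> reason) and 'needs_scan' (relative paths).
    """
    src_root, dst_root = Path(src_root), Path(dst_root)
    report = {"copied": {}, "skipped": {}, "needs_scan": []}
    for path in src_root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(src_root)
        ext = path.suffix.lower()
        if rel.parts[0] not in DATA_FOLDERS:
            report["skipped"][rel.as_posix()] = "outside user data folders"
            continue
        if ext in BLOCKED_EXTS:
            report["skipped"][rel.as_posix()] = "active content"
            continue
        target = dst_root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, target)
        report["copied"][rel.as_posix()] = sha256_of(target)
        if ext in SCAN_EXTS:
            report["needs_scan"].append(rel.as_posix())
    return report


def write_manifest(dst_root, report):
    """Record what was restored, with hashes, next to the restored data."""
    lines = [f"{digest}  {rel}" for rel, digest in sorted(report["copied"].items())]
    manifest = Path(dst_root) / "RESTORE_MANIFEST.sha256"
    manifest.write_text("\n".join(lines) + "\n")
    return manifest


def build_demo_image(root):
    """Construct a tiny stand-in for a mounted infected image (constructed data)."""
    files = {
        "Documents/thesis.docx": b"thesis text",
        "Documents/budget.xlsm": b"macro workbook",
        "Pictures/cat.jpg": b"\xff\xd8jpegdata",
        "Desktop/invoice.pdf.exe": b"MZ fake dropper",      # double extension
        "Desktop/notes.txt": b"todo",
        "Windows/System32/evil.dll": b"MZ fake payload",     # system area
        "AppData/Roaming/update.vbs": b"WScript.Shell",      # hidden profile area
    }
    for rel, data in files.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)


def run_demo():
    """Build the demo image, restore from it into a clean tree, return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "infected_image"
        dst = Path(tmp) / "clean_system"
        build_demo_image(src)
        report = selective_restore(src, dst)
        write_manifest(dst, report)
        return report


if __name__ == "__main__":
    r = run_demo()
    print("copied:", sorted(r["copied"]))
    print("skipped:", r["skipped"])
    print("needs scan:", r["needs_scan"])
```

The allowlist-by-folder plus blocklist-by-extension design errs on the side of leaving things behind: anything outside the user folders stays in the (still intact) full backup, where it can be fetched individually later if it turns out to be needed, which is exactly why the article recommends keeping the full, infected image rather than only a data copy. The flagged Office and PDF files are the ones to hand to an anti-malware scanner before opening.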

Option 3: Back up only data

Rather than backing up your entire infected drive, you might simply copy or back up only your data.

The biggest reason I strongly advise against this is because you might miss something. You might not back up a file you later determine you need. Once the hard disk is formatted and the OS reinstalled, there’s no going back — anything you didn’t back up is gone.

On the other hand, if you have a full system backup, everything is in the backup. Yes, “everything” includes the malware, and that’s why you shouldn’t blindly restore the entire image. Pick and choose which files you want to recover instead.

Next Steps

If you don’t back up your computer, start now.

This entire article becomes moot if you could instead restore to last night’s uninfected system backup. How Do I Back Up My Computer? is a good place to start.

If you are infected and you have no backups, back up immediately — infection and all. Before giving up and reformatting, you might read How Do I Recover from a Bad Virus Infection?, which includes several steps to attempt to recover. Even though you might still (and probably should) end up reformatting and reinstalling, you might be able to first create a cleaner, less-infected backup image from which you could later recover your data.


9 comments on “How Do I Safely Back Up an Infected Drive?”

  1. I would make two backups. A full one in case you miss something and a data only backup. Restore from the data backup and you are very unlikely to restore a virus. Only go to the full backup if you find out you missed something.

  2. “This entire article becomes completely moot if you could instead simply restore to, say, last night’s uninfected system backup.”

    Unfortunately, “last night’s uninfected system backup” might actually be “last night’s ‘I didn’t know yet that it was already infected’ system backup”, so I’d say that you should still do a thorough scan after restoring it.

    Very true.

    Leo
    10-Nov-2011
  3. You frequently say, “back up data only”. Well, yes, I do know what data *I* have stored – WORD files, EXCEL files, BitMaps, e-mail, etc. But what about the “hidden” data, such as cookies – and (I’m sure) LOTS of other files, log files, etc., etc. (a) Should these be included in a back-up? And (b) what files are these and where are they?

    Your question illustrates exactly why I much prefer image backups, which back up everything whether you need it or not. In a scenario like this you would then have the image backup – albeit itself infected – with every file that you could then recover individually if you discovered you needed them. When I talk about backing up data only, I do specifically mean the data you know about. That’s typically the most critical of all.

    Leo
    10-Nov-2011
  4. The best solution, IMHO, is to store all your data in a separate partition apart from C:. That way your data is still there after rebuilding the system or restoring from an image.

    When I have system corruption I don’t bother trying to find the source. I simply restore a known good image of my system partition and I’m back in business in about 10 minutes. It’s that easy only because I have moved my user folder to the data partition, too, which isn’t quite so easy. Moving the user folder would not be necessary if you make daily incremental images.

    I’ve learned a lot from you, Leo. Thank you.

  5. I have a completely different strategy, although I can’t remember when I had a virus on my machine. (I have firewalls and security strategies that work.)
    As soon as I have everything working correctly on my computer, I clone it and put the copy on the shelf. When something goes wrong, even most crashes, I move the problem disk to another slot, install the cloned disc and boot from it. I can then move any files I need to the cloned drive. Often if the drive had crashed, “Windows XP” will check the old disc for errors before booting, automatically fix problems, and it will then boot correctly. Once I have the new drive working perfectly (well, actually, perfect is not a computer term), I clone it to the problem drive and put it back on the shelf.

  6. I’d often find this situation while working for various IT support departments or companies. My strategy is to back up the user’s profile (most likely backing up the infection). Format and rebuild the machine, then restore only the parts of the user profile that the user actually sees: Desktop, My Docs, music, photos, videos, and Internet favorites. Any infection is most likely buried deep within the profile, therefore you’d be very unlucky to restore an infection. Once you’ve re-installed things like MS Office, you can dig around the old profile and recover .pst files and the like.

  7. http://ask-leo.com/how_do_i_safely_backup_an_infected_drive.html

    Leo, I have a suggestion for this person that would work.

    Most viruses on computers need Internet connections. Here is what I would do for this person.

    Download Malwarebytes and do not do an update. Disconnect the computer from the Internet; that way the payload can not talk back to the virus writer, and it isolates the system. Then reboot the computer into safe mode without an Internet connection and run Malwarebytes. It might take 2 times to get all the infected files recognized. I have cleaned a few computers that way. After the infection is cleaned, reboot the computer, again disconnect it from the Internet, and run an antivirus program like Microsoft Security Essentials. After cleaning the system I would do a total backup on an external drive.

    Mark in Houston

  8. Might not hurt to say a little prayer either. Definitely put those data files on an external drive of some sort on a machine not connected to a LAN or any other machine. 2 weeks ago, for the first time in 14+ years, I ran into a virus that left me with no option but to XOXOXOXO the entire HDD, reformat, repartition & reload the OS. This virus infected the MBR & I ran every single geek-approved A-V program & repaired the MBR half a dozen times. I’d re-boot & run it through all the A-V programs (I was using 6 or 7 of the highest recommended programs – 1st time they’ve failed me) until each scan showed me a clean computer. I’d re-boot & bam – here it came again. I know when the time vs money becomes absurd it’s time to give up. Really thought I had beat it when I began to hear sound coming from the speakers. Bits of a speech, an advertisement, some pop music, & after a period of silence a voice telling me I had won an i-pod & to click a key to claim my prize. Oh yeah! I’m jumping on that! NOT. The one who wrote the program has a brilliant mind – too bad he or she can’t do something constructive with it. There was a lesson learned though – the user will now save to the network AS INSTRUCTED where files are backed up nightly. Unfortunately, everything on the local drive was wiped out. I set this user up on a new PC & installed Win7 Pro & am going to test drive the built-in disc imaging program & see if it’s as good as reviews indicate. Back in the day (Stoned Monkey days), a virus would make me laugh at the dumb message(s), I’d get it gone & happy sailing. They are getting scary sophisticated now. I personally believe the next terrorist attack will target the grid via a computer virus.

  9. While there is always some level of risk, I would say if something is infected and things are out of whack but some important data is still there, then a Linux bootable live USB stick (say Linux Mint, for example) would be a good option to back up any important data, especially stuff that’s not known to be infected with viruses like video/music etc., before wiping the drive and installing Windows from scratch.

    But to be extra safe, like you already mentioned, one could image the drive to an image file on another drive as a slight insurance plan.

