
How Do I Safely Back Up an Infected Drive?

Backing up is easy. It’s what happens next that matters.

Once your machine is infected, system backups are likely to include the infection, but are still important. I'll look at what steps to take.
My hard disk got infected with a virus. I am planning to format it. So is there a way to back up all of the data without carrying the virus?

Nope.

There’s no practical way to back up the entire hard disk without also including the infection.

That doesn’t mean you shouldn’t; it just means you need to be careful. I have strong recommendations on how to proceed.


TL;DR:

3 options to back up an infected drive

  • Back up the entire drive, knowing it’s infected. You’ll be able to restore anything you need later.
  • Back up the entire drive and restore to a second drive — or just move the infected drive to be a second drive. Scan the second drive for malware and restore files as needed.
  • Back up only data from the drive. The risk is missing something important.

Backup tools are not anti-virus tools

Backing up an infected system while excluding the malware would require the backup software to identify what is and is not malware.

It can’t.

In fact, it shouldn’t.

Imagine a false positive causing an incredibly important file to be left out of the backup. That could cause serious problems later.

Anti-malware tools, not backup tools, are for identifying malware.

Option 1: Back up, and know it’s infected

My recommendation is you back up everything — infection and all — and make careful note the backup is, itself, infected.

So never, ever restore the entire backup.

As you can guess, restoring the entire backup would restore the malware, leaving you no better off.

The purpose of taking a full backup of an infected machine is to make absolutely certain you’ve backed up all of the other files on that machine.

You would then:

  • Reformat your hard disk, erasing everything on it, including the malware. (Optional; might be part of the next step.)
  • Reinstall the operating system from scratch (not from the backup).
  • Reinstall all your applications from scratch (not from the backup).
  • Carefully restore your data files, and only your data files, directly from the backup without restoring anything else — perhaps scanning them for malware as you do, just in case they’re carriers.

Having a full backup guarantees you’ve captured every file you could possibly need when it comes time to restore.

Option 2: Restore to a different drive and scan

Another alternative is to restore the full backup to a second drive — a drive from which you do not boot your computer.

You would first reformat and reinstall the operating system and applications to the primary drive, as above.

Then you would restore the infected image to a second drive, possibly even an external drive. Then — once again carefully — copy only your data files from the secondary drive.

I’d suggest running anti-malware scans on the secondary drive as soon as practical, simply to remove whatever malware can be found. This makes having it attached to your system slightly less dangerous. Until it has been scanned, treat it as hostile: don’t run or open anything from it, and don’t let AutoPlay/AutoRun touch it when it’s connected.

Option 3: Back up only data

Rather than backing up your entire infected drive, you might simply copy or back up only your data.

The biggest reason I strongly advise against this is that you might miss something. You might not back up a file you later determine you need. Once the hard disk is formatted and the OS reinstalled, there’s no going back: anything you didn’t back up is gone.

On the other hand, if you have a full system backup, everything is in the backup. Yes, “everything” includes the malware, and that’s why you shouldn’t blindly restore the entire image. Pick and choose which files you want to recover instead.
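The “carefully copy only your data files” step that Options 1, 2 and 3 all rely on is easy to get wrong by hand, so here is an added example of how a script might do it. This is not Ask Leo!’s own tooling; it is a small POSIX shell script that copies the folders a user actually sees out of an image mounted read-only, refuses executable and script types outright (including double-extension tricks like invoice.pdf.exe), sets macro-capable Office documents aside in a quarantine folder for scanning, and logs every decision. The mount command, the Windows profile layout, and the folder and extension lists are assumptions you would adjust for your own machine.

```shell
#!/bin/sh
# Added example, not from the Ask Leo! article: selectively recover user data
# from an infected drive image without restoring the image wholesale.
#
# Assumed setup (not executed here): the restored or attached infected drive is
# mounted read-only with execution disabled, e.g.
#   mount -o ro,noexec,nodev,nosuid /dev/sdb2 /mnt/infected
# and the user's profile lives at /mnt/infected/Users/<name> (Windows layout).

# Extensions we never copy back, even out of "data" folders (constructed list).
DENY_EXT='exe|dll|com|scr|pif|cpl|bat|cmd|vbs|vbe|js|jse|wsf|wsh|ps1|lnk|msi|hta|jar'

# Macro-capable Office formats: legitimate data, but possible carriers, so they
# go to a quarantine folder to be scanned before anyone opens them.
SCAN_EXT='docm|dotm|xlsm|xltm|pptm|potm'

# Folders the user actually sees; AppData, Temp etc. stay in the image.
DATA_DIRS="Desktop Documents Pictures Music Videos Favorites"

# lower_ext FILE -> lowercase extension after the LAST dot of the basename
# ("invoice.pdf.exe" -> "exe", "Makefile" -> "")
lower_ext() {
    basename "$1" | sed -n 's/.*\.\([A-Za-z0-9]*\)$/\1/p' | tr 'A-Z' 'a-z'
}

# copy_user_data SRC_PROFILE DST_DIR [LOG]
# Copies allowed files from SRC_PROFILE/<data dir> into DST_DIR, preserving
# relative paths. Writes "SKIP <path>" / "SCAN <path>" lines to LOG.
copy_user_data() {
    src="$1"; dst="$2"; log="${3:-$2/recovery.log}"
    mkdir -p "$dst"
    : > "$log"
    for d in $DATA_DIRS; do
        [ -d "$src/$d" ] || continue
        # -type f also excludes symlinks, which could point anywhere in the image.
        find "$src/$d" -type f | while IFS= read -r f; do
            rel="${f#$src/}"
            ext=$(lower_ext "$f")
            if [ -n "$ext" ] && printf '%s' "$ext" | grep -Eqx "($DENY_EXT)"; then
                printf 'SKIP %s\n' "$rel" >> "$log"
                continue
            fi
            if [ -n "$ext" ] && printf '%s' "$ext" | grep -Eqx "($SCAN_EXT)"; then
                printf 'SCAN %s\n' "$rel" >> "$log"
                mkdir -p "$dst/_quarantine/$(dirname "$rel")"
                cp -p "$f" "$dst/_quarantine/$rel"
                continue
            fi
            mkdir -p "$dst/$(dirname "$rel")"
            cp -p "$f" "$dst/$rel"
        done
    done
}

# count_skipped LOG -> number of files refused outright
count_skipped() {
    grep -c '^SKIP ' "$1" 2>/dev/null || true
}

# Example invocation against the assumed mount point (commented out so the
# script is safe to source):
#   copy_user_data /mnt/infected/Users/leo /srv/recovered/leo /srv/recovered/leo.log
#   echo "refused: $(count_skipped /srv/recovered/leo.log)"
```

After it runs, scan `_quarantine` (and, as the article suggests, the whole destination) with an up-to-date anti-malware tool before opening anything, and read the log: a “SKIP” entry for something you thought was a document is exactly the double-extension bait you want to know about. Anything not in the listed folders (email stores, browser profiles) is still safely in the image, to be pulled out one file at a time once you know where it lives.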

Next Steps

If you don’t back up your computer, start now.

This entire article becomes moot if you could instead restore to last night’s uninfected system backup. How Do I Back Up My Computer? is a good place to start.

If you are infected and you have no backups, back up immediately — infection and all. Before giving up and reformatting, you might read How Do I Recover from a Bad Virus Infection?, which includes several steps to attempt to recover. Even though you might still (and probably should) end up reformatting and reinstalling, you might be able to first create a cleaner, less-infected backup image from which you could later recover your data.



19 comments on “How Do I Safely Back Up an Infected Drive?”

  1. I would make two backups. A full one in case you miss something and a data only backup. Restore from the data backup and you are very unlikely to restore a virus. Only go to the full backup if you find out you missed something.

    Reply
  2. “This entire article becomes completely moot if you could instead simply restore to, say, last night’s uninfected system backup.”

    Unfortunately, “last night’s uninfected system backup” might actually be “last night’s ‘I didn’t know yet that it was already infected’ system backup”, so I’d say that you should still do a thorough scan after restoring it.

    Very true.

    Leo
    10-Nov-2011
    Reply
  3. You frequently say, “back up data only”. Well, yes, I do know what data *I* have stored – WORD files, EXCEL files, BitMaps, e-mail, etc. But what about the “hidden” data, such as cookies – and (I’m sure) LOTS of other files, log files, etc. (a) Should these be included in a back-up? And (b) what files are these and where are they?

    Your question illustrates exactly why I much prefer image backups, which back up everything whether you need it or not. In a scenario like this you would then have the image backup – albeit itself infected – with every file that you could then recover individually if you discovered you needed them. When I talk about backing up data only I do specifically mean the data you know about. That’s typically the most critical of all.

    Leo
    10-Nov-2011
    Reply
  4. The best solution, IMHO, is to store all your data in a separate partition apart from C:. That way your data is still there after rebuilding the system or restoring from an image.

    When I have system corruption I don’t bother trying to find the source. I simply restore a known good image of my system partition and I’m back in business in about 10 minutes. It’s that easy only because I have moved my user folder to the data partition, too, which isn’t quite so easy. Moving the user folder would not be necessary if you make daily incremental images.

    I’ve learned a lot from you, Leo. Thank you.

    Reply
  5. I have a completely different strategy, although I can’t remember when I had a virus on my machine. (I have firewalls and security strategies that work.)
    As soon as I have everything working correctly on my computer, I clone it and put the copy on the shelf. When something goes wrong, even most crashes, I move the problem disk to another slot, install the cloned disc and boot from it. I can then move any files I need to the cloned drive. Often if the drive had crashed, “Windows XP” will check the old disc for errors before booting, automatically fix problems and it will then boot correctly. Once I have the new drive working perfectly, well actually perfect is not a computer term, I clone it to the problem drive and put it back on the shelf.

    Reply
  6. I’d often find this situation while working for various IT support departments or companies. My strategy is to backup the users profile (most likely backing up the infection). Format and rebuild the machine, then restore only the parts of the user profile that the user actually sees. Desktop, My Docs, music, photos, videos, and Internet favorites. Any infection is most likely buried deep within the profile, therefore you’d be very unlucky to restore an infection. Once you’ve re-installed things like MS Office, you can dig around the old profile and recover .pst files and the like.

    Reply
  7. http://ask-leo.com/how_do_i_safely_backup_an_infected_drive.html

    Leo I have a suggestion for this person, that would work.

    Most viruses on computers need Internet connections. Here is what I would do for this person.

    Download Malwarebytes and do not do an update. Disconnect the computer from the Internet; that way the payload can not talk back to the virus writer and it isolates the system. Then reboot the computer into safe mode without an Internet connection and run Malwarebytes. It might take 2 times to get all the infected files recognized. I have cleaned a few computers that way. After the infection is cleaned, reboot the computer and again disconnect it from the Internet and run an antivirus program like Microsoft Security Essentials. After cleaning the system I would do a total backup on an external drive.

    Mark in Houston

    Reply
  8. Might not hurt to say a little prayer either. Definitely put those data files on an external drive of some sort on a machine not connected to a LAN or any other machine. 2 weeks ago, for the first time in 14+ years I ran into a virus that left me with no option but to XOXOXOXO the entire HDD, reformat, repartition & reload the OS. This virus infected the MBR & I ran every single geek-approved A-V program & repaired the MBR half a dozen times. I’d re-boot & run it through all the A-V programs (I was using 6 or 7 of the highest recommended programs – 1st time they’ve failed me) until each scan showed me a clean computer. I’d re-boot & bam – here it came again. I know when the time vs money becomes absurd it’s time to give up. Really thought I had beat it when I began to hear sound coming from the speakers. Bits of a speech, an advertisement, some pop music, & after a period of silence a voice telling me I had won an i-pod & to click a key to claim my prize. Oh yeah! I’m jumping on that! NOT. The one who wrote the program has a brilliant mind – too bad he or she can’t do something constructive with it. There was a lesson learned though – the user will now save to the network AS INSTRUCTED where files are backed up nightly. Unfortunately, everything on the local drive was wiped out. I set this user up on a new PC & installed Win7 Pro & am going to test drive the built-in disc imaging program & see if it’s as good as reviews indicate. Back in the day (Stoned Monkey days), a virus would make me laugh at the dumb message(s), I’d get it gone & happy sailing. They are getting scary sophisticated now. I personally believe the next terrorist attack will target the grid via a computer virus.

    Reply
  9. While there is always some level of risk, I would say if something is infected and things are out of whack but some important data is still there, then a Linux bootable live USB stick (say Linux Mint for example) would be a good option to backup any important data, especially stuff that’s not known to be infected with viruses like video/music etc, before wiping the drive and installing Windows from scratch.

    But to be extra safe, like you already mentioned, one could image the drive to an image file on another drive as a slight insurance plan.

    Reply
  10. The methods described don’t account for how malware works. For malware to do damage it has to be some sort of executable (exe, dll, com, vbs, reg, etc.) that gets executed. Scanners often depend on the running behavior of malware to find and stop it. We know that malware can hide anywhere on your computer, including the Registry or within files that appear to be OS files. We also know that there is no perfect malware scanner. Just because you get a negative result, especially with just one scanner, doesn’t necessarily mean your system is clean. Malware designers don’t just name their files as “bad_software” to allow either you or a malware scanner to easily find it. So, for the victim who did a backup and is hoping to “carefully” avoid restoring the malware files … well, good luck with that. One of Leo’s arguments for making a full image backup is to make sure you don’t forget files that are scattered throughout your system. If someone makes a full image backup because he/she doesn’t know where their own personal files are located then there is near zero chance of finding malware files within a full system backup.

    A couple of people in these posts, about 10 years ago, suggested an approach that I use: Put all your personal files on a different drive or, at least, under a different folder. Have a separate backup of your personal files only. If things go very bad, you wipe the system and restore your personal files. Of course, you should still scan your personal files for malware before restoring, but that’s a much easier and better defined task. Besides, you can have 100 backups of your personal files and they will take up much less space than one full image backup of your entire system.

    Reply
    • The advantage of a full system image is that it backs up files you don’t know you need until it’s too late, for example your email files and other personal data stored by programs in hidden locations. They are still hidden in your backup but when you realize which data you are missing, you can do a Web search to find the location. And of course, a system image backup with incrementals taken regularly can allow you to restore your system to the state it was in before the malware. I’d still perform a system image backup before restoring from that image to preserve any files created between that last good backup and now. The system image backup takes up a lot of space, but USB hard drives are relatively inexpensive and the headaches saved are usually worth it.

      Reply
      • For the record: I’m NOT saying don’t do full image backups. I do full image backups. But do both types of backups. They don’t have to be mutually exclusive.

        Reply
        • They are not only not mutually exclusive, they complement each other very well and I’d consider it necessary to use both system image backups with daily incrementals together with a cloud backup like OneDrive, Dropbox, or Carbonite.

          Reply
  11. Thank you for this much-needed information. As I now have a Chromebook, no guarantee but I’ve experienced no malware with it, I use my Windows XP machine rarely. Figuring out Windows complications has been such a frustration I was thrilled when the Chrome OS came along. But, I have no kind of anti-virus on my XP machine. And I don’t deal with automatic backup systems such as you often recommend. Whenever I have something to be saved, I just copy it to an external hard drive in which all of my personal files are stored exactly as on the computer. If I should get a virus I would wipe my XP machine and reinstall either XP or potentially, but unlikely the latest MS OS. Unlikely as using a laptop on the couch is so much more comfortable than sitting at a desktop. My only concern is getting some kind of virus that could affect my external drive but I am soon going to put what I now have there on a USB. I’m torn about even keeping my desktop, but probably will for certain specific purposes. Again thank you for the article.

    Reply
    • I do want to add this for those persons who, like myself, have had no formal computer training and must enter a very steep learning curve when it comes to dealing with Windows machines. The best protection you have with a Windows machine is reinstallation media AND knowing how to use it. When I inadvertently damaged my Windows software beyond fixing, although I had a backup partition, I didn’t even know that. Although I also had a Dell backup DVD, when it came to reinstalling the OS, it was not intuitive and I had to have Support who essentially did it so fast I couldn’t even make notes on how, as well as him deleting my backup partition. So if you’re out of warranty, you haven’t backed up your backup partition, you have an OEM reinstall disk, and you have no one else reliable enough to help, you could be facing a Support charge to get help on reinstalling.

      Reply
