Backing up is easy. It’s what happens next that matters.
That doesn’t mean you shouldn’t; it just means you need to be careful. I have strong recommendations on how to proceed.
3 options to back up an infected drive
- Back up the entire drive, knowing it’s infected. You’ll be able to restore anything you need later.
- Back up the entire drive and restore to a second drive — or just move the infected drive to be a second drive. Scan the second drive for malware and restore files as needed.
- Back up only data from the drive. The risk is missing something important.
Backup tools are not anti-virus tools
A backup tool doesn’t try to identify malware in what it backs up. In fact, it shouldn’t.
Imagine a false positive causing some incredibly important file to not get backed up. That could cause serious problems later.
Anti-malware tools, not backup tools, are for identifying malware.
Option 1: Back up, and know it’s infected
My recommendation is that you back up everything — infection and all — and make careful note that the backup is, itself, infected.
So never, ever restore the entire backup.
As you can guess, restoring the entire backup would restore the malware, leaving you no better off.
The purpose of taking a full backup of an infected machine is to make absolutely certain you’ve backed up all of the other files on that machine.
You would then:
- Reformat your hard disk, erasing everything on it, including the malware. (Optional; might be part of the next step.)
- Reinstall the operating system from scratch (not from the backup).
- Reinstall all your applications from scratch (not from the backup).
- Carefully restore your data files, and only your data files, directly from the backup without restoring anything else — perhaps scanning them for malware as you do, just in case they’re carriers.
Having a full backup guarantees you’ve captured every file you could possibly need when it comes time to restore.
Option 2: Restore to a different drive and scan
Another alternative is to restore the full backup to a second drive — a drive from which you do not boot your computer.
You would first reformat and reinstall the operating system and applications to the primary drive, as above.
Then you would restore the infected image to a second drive, possibly even an external drive. Then — once again carefully — copy only your data files from the secondary drive.
I’d suggest running anti-malware scans on the secondary drive as soon as practical, simply to remove what malware can be found. This makes having it attached to your system slightly less dangerous.
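One way to carry out the "data files only" restore described in Options 1 and 2, as an added example that is not from the original article: it copies only allow-listed data file types out of the mounted backup or second drive, refuses files whose content starts like an executable despite a data extension, and records a SHA-256 for each restored file. The extension list, function names and sample files are assumptions constructed for illustration.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

# Assumption: which extensions count as "data files"; adjust to your own documents.
DATA_EXTENSIONS = {".txt", ".csv", ".pdf", ".jpg", ".png", ".docx", ".xlsx"}
# Leading bytes of Windows (MZ) and Linux (ELF) executables.
EXECUTABLE_MAGIC = (b"MZ", b"\x7fELF")

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def selective_restore(backup_root, restore_root):
    """Copy only data files from a mounted backup; return (restored, skipped)."""
    backup_root, restore_root = Path(backup_root), Path(restore_root)
    restored, skipped = {}, {}
    for src in sorted(backup_root.rglob("*")):
        if src.is_symlink() or not src.is_file():
            continue
        rel = src.relative_to(backup_root).as_posix()
        with src.open("rb") as f:
            header = f.read(4)
        if src.suffix.lower() not in DATA_EXTENSIONS:
            skipped[rel] = "not a data file type"
        elif header.startswith(EXECUTABLE_MAGIC):
            skipped[rel] = "executable content behind a data extension"
        else:
            dest = restore_root / rel
            dest.parent.mkdir(parents=True, exist_ok=True)
            shutil.copyfile(src, dest)  # copies content only; nothing is executed
            restored[rel] = sha256_of(dest)  # manifest entry for later checks
    return restored, skipped

def demo():
    """Run against a constructed sample tree standing in for the mounted backup."""
    with tempfile.TemporaryDirectory() as tmp:
        backup, clean = Path(tmp, "backup"), Path(tmp, "restored")
        (backup / "Documents").mkdir(parents=True)
        (backup / "Documents" / "notes.txt").write_bytes(b"grocery list")
        (backup / "Documents" / "photo.jpg").write_bytes(b"MZ\x90\x00 not a photo")
        (backup / "setup.exe").write_bytes(b"MZ\x90\x00")
        return selective_restore(backup, clean)

if __name__ == "__main__":
    print(demo())
```

The header check only catches one obvious disguise and is not a malware scan; the restored folder still needs an anti-malware scan before anything in it is opened.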
Option 3: Back up only data
Rather than backing up your entire infected drive, you might simply copy or back up only your data.
The biggest reason I strongly advise against this is that you might miss something. You might not back up a file you later determine you need. Once the hard disk is formatted and the OS reinstalled, there’s no going back — anything you didn’t back up is gone.
On the other hand, if you have a full system backup, everything is in the backup. Yes, “everything” includes the malware, and that’s why you shouldn’t blindly restore the entire image. Pick and choose which files you want to recover instead.
If you don’t back up your computer, start now.
This entire article becomes moot if you could instead restore to last night’s uninfected system backup. How Do I Back Up My Computer? is a good place to start.
If you are infected and you have no backups, back up immediately — infection and all. Before giving up and reformatting, you might read How Do I Recover from a Bad Virus Infection?, which includes several steps to attempt to recover. Even though you might still (and probably should) end up reformatting and reinstalling, you might be able to first create a cleaner, less-infected backup image from which you could later recover your data.