Technology in terms you understand. Sign up for the Confident Computing newsletter for weekly solutions to make your life easier. Click here and get The Ask Leo! Guide to Staying Safe on the Internet — FREE Edition as my thank you for subscribing!

Should I Back Up If My Machine Is Infected?

Backing up is fine. It's the restore that's a problem.

If you believe you're machine is infected, you will want to protect and preserve your data right away. Then, make sure exactly what happened.
An infected laptop.
(Image: canva.com)
Question: I try to be careful about opening my email, but there’s a hacker out there who has the names in my address book. He or she sends out emails that look like they come from people I know. Their email address doesn’t show up, so I can see the address is not correct, but some made up address. The title is something like “Look here” and the message is “Hello, excellent website!” with a name of the website. I opened it thinking that the email was from my son. I got two of these kinds of emails and one after the other before I got suspicious and realized that I’d been hacked. So far, nothing bad has happened. Now I’m afraid to do a backup because it might mean the importation of the virus into my external backup drive. Is my thinking about this correct?

Yes and no.

When people think their machine is infected, I typically tell people to backup that machine right away. Yes, you are backing up a possible infection, but that’s actually okay. You’re never going to restore that infection,because you know that it’s there.

So why backup?

Let's walk through the scenario.

Become a Patron of Ask Leo! and go ad-free!

TL;DR:

Backing up an infected machine

Yes, back up your infected machine to preserve your data. Just don't restore the full system. Clean up the infection and back up again. If malware persists, reinstalling Windows might be the only option. Note that regular backups can restore clean versions taken prior to the malware's arrival.

Why back up an infected machine

When you create an image back up, you're preserving everything that you can. Yes, the backup includes the malware, but it also has all of your data, your programs, everything. That means that no matter what havoc the malware - or removal attempts - might wreak, you always have a backup of your machine and your data.

Think of it as an "it can't get any worse than this" point in time.

However, you must be careful not to restore the entire backup to your machine1. You'd use this backup only for restoring specific files and pieces of data that you know aren't infected.

You can’t necessarily predict what files you’re going to want later, which is why you should back up the entire machine with an image backup.

Get rid of the malware and back up again

Getting rid of malware sounds like it’s simple. It may or may not be, but you need to do this if you suspect someone infected, hacked, or placed malware on your machine.

Make certain that your anti-malware tools are as up to date as possible, and run a complete scan.

Then take another backup. Again, it’s a safety net. This says, “Okay, this is the machine after I did everything that I could to clean up the malware.” That way, you know that you’ve got a snapshot of that point in time as well.

Scanning may not be enough

One of the grim realities of malware is that not all scanners catch all malware, and even if they do, not all scanners can get rid of all malware. This is one reason it's so important to avoid malware in the first place.

If, after scanning above, you still see signs of an infection, or you're just don't feel safe, there's really only one option.

Once your machine is infected with malware it's not your machine any more. The only way to "regain ownership", is to erase it completely, reinstall Windows from scratch, reinstall your applications from scratch, and restore your data from your backup or elsewhere.

It's painful, but it's the only way to be as certain as you can be that the malware is gone.

Back up before you're infected

There's another option that's much easier than any of the above.

Restore your machine to an image backup taken immediately before the infection occurred. That way, the malware isn’t there yet. Moving forward, you know not to open that email or  click on those links.

But this does assume you're backing up regularly. Which you should be doing for this and for so many other reasons.

Backing up an infection does not infect the backup drive

Backing up an infected machine does not cause the backup drive to, itself, become infected. It's a carrier, nothing more.

Perhaps the best way to think of this is similar to the difference between a setup program, and the program that it sets up.

A setup program contains a program you might want installed on your machine. But it's not until you run the setup that the program is actually installed and ready to run.

When malware is backed up its files are collected into the backup, but it's not in any way that actually allows the malware to run. Now, if you restore the complete backup the malware may be able to do things, but as long as it's just part of a backup sitting somewhere it's benign.

The backup remains useful because we can always carefully restore individual files, without restoring the malware.

Infection versus hacking

A malware infection is not the same as being hacked.

Malware on your machine is what I’ve been talking about. That's what anti-malware tools remove and why you might be concerned about backing up the infection to your external hard drive.

On the other hand, if your account or computer has been hacked, that means somebody other than you has access and is "doing things". That may or may not rely on malware on your machine. Particularly if it's just your online account that's been hacked, it likely has nothing to do with your PC at all.

And. yes, getting hacked is one of the things that can happen if you click the wrong link and log in to an imposter website.

Do this

Back up regularly, of course. But also, keep an eye on your security overall to make sure you don't get a malware infection to begin with. As you can see, the cost can be high. Prevention is much easier than the cure.

Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.

Footnotes & References

1: Actually there is a scenario where restoring an infected backup might make sense: if your attempts to remove the malware actually make your machine less stable or perhaps even completely unusable, you might consider restoring an infected backup so that you can restart your cleanup efforts.

Leave a reply:

Before commenting please:

  • Read the article.
  • Comment on the article.
  • No personal information.
  • No spam.

Comments violating those rules will be removed. Comments that don't add value will be removed, including off-topic or content-free comments, or comments that look even a little bit like spam. All comments containing links and certain keywords will be moderated before publication.

I want comments to be valuable for everyone, including those who come later and take the time to read.