
Should I back up if my machine is infected?

I try to be careful about opening my email, but there’s a hacker out there who has the names in my address book. He or she sends out emails that look like they come from people I know. Their email address doesn’t show up, so I can see the address is not correct, but some made-up address. The title is something like “Look here” and the message is “Hello, excellent website!” with the name of a website. I opened it thinking that the email was from my son. I got two of these kinds of emails, one after the other, before I got suspicious and realized that I’d been hacked. So far, nothing bad has happened. Now I’m afraid to do a backup because it might mean importing the virus into my external backup drive. Is my thinking about this correct?

It is and it isn’t.

When people think their machine is infected, I typically tell them to back up that machine. Yes, you are backing up a possible infection, but that’s actually okay. You’re never going to restore that infection, simply because you know it’s there.

So why back up?

Let’s walk through the scenario.


Why should I back up an infected machine?

When you back up, you’re preserving everything that you can. Like I said, the backup includes the malware, but it also has all of your data, your programs, everything. That means that no matter what havoc the malware – or your removal attempts – might wreak, you always have a copy of your machine and your data.

Now, like I said, you should back up, but you must be careful not to restore the entire backup to your machine.[1] You’d use it only for pulling specific files and pieces of data that you know aren’t infected out of that backup.

You can’t necessarily predict what files you’re going to want later, which is why you should back up the entire machine.

Back up, get rid of the malware, then back up again

Getting rid of malware sounds like it’s very simple to do. It may or may not be, but it’s something you need to do if you suspect someone infected, hacked, or placed malware on your machine.

You’ll need to run your anti-malware tools – make sure that they’re up to date. Then, run an offline anti-malware tool. If you have additional anti-malware tools, like Malwarebytes, run those until your machine comes up clean.

At that point, take another backup. Again, it’s a safety net. This says, “Okay, this is the machine after I did everything that I could to clean up the malware.” That way, you know that you’ve got a snapshot of that point in time as well.

Back up before you’re infected

Because you are doing backups, I need to throw out one additional option that may be easier than any of the above.

Restore your machine to an image backup that was taken immediately before the infection.

That way, the malware isn’t there yet. Moving forward, you know not to open that email or click on those links.

Backing up an infection does not infect the backup drive

One point that often confuses people is whether backing up an infected machine causes the backup drive to, itself, become infected.

No.[2]

Perhaps the best way to think of this is by analogy with the difference between a setup program and the program that it installs.

A setup program contains a program that you might want installed on your machine. But it’s not until you run the setup that the program is actually installed and ready to run.

Backing up malware works somewhat in reverse: when malware is backed up, its files are collected into the backup, but not in any way that allows the malware to run. Once you restore the backup, the malware may be able to do things again, but as long as it’s just part of a backup sitting somewhere, it’s benign.
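As an added example (not from the article), this script puts the two points above into practice: it compares a clean, pre-infection backup tree with the backup taken from the infected machine, pulls back only the changed data files, and leaves anything runnable in the backup for manual review. The file trees, their contents and the extension list are constructed for the demo; the “malware” is a placeholder file and nothing in the backup is ever executed.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

# Extensions treated as runnable and therefore never pulled back automatically.
# Constructed list for this example; extend it for the platform you restore to.
RUNNABLE = {".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".ps1", ".vbs", ".js", ".lnk"}

def snapshot(root: Path) -> dict:
    """Map relative path -> SHA-256 for every file under a backup tree."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def changed_since(clean_root: Path, infected_root: Path) -> list:
    """Files that are new or modified in the infected backup vs. the clean one."""
    clean, infected = snapshot(clean_root), snapshot(infected_root)
    return sorted(rel for rel, d in infected.items() if clean.get(rel) != d)

def pull_data_files(infected_root: Path, dest: Path, changed: list) -> tuple:
    """Copy only the non-runnable changed files out of the infected backup.
    Returns (pulled, held); held files stay in the backup for manual review."""
    pulled = [r for r in changed if Path(r).suffix.lower() not in RUNNABLE]
    held = [r for r in changed if Path(r).suffix.lower() in RUNNABLE]
    for rel in pulled:
        target = dest / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(infected_root / rel, target)  # bytes are copied, nothing runs
    return pulled, held

def demo() -> dict:
    """Constructed sample: a clean backup, a later infected backup, a staging dir."""
    base = Path(tempfile.mkdtemp())
    clean, infected, staging = base / "clean", base / "infected", base / "staging"
    for root in (clean, infected):
        (root / "docs").mkdir(parents=True)
        (root / "photos").mkdir()
        (root / "photos" / "trip.jpg").write_bytes(b"same-photo-bytes")
    (clean / "docs" / "letter.txt").write_text("draft 1")
    (infected / "docs" / "letter.txt").write_text("draft 2, edited after the clean backup")
    (infected / "docs" / "notes.txt").write_text("new file worth keeping")
    (infected / "downloads").mkdir()
    (infected / "downloads" / "look_here.exe").write_bytes(b"placeholder, not real malware")
    changed = changed_since(clean, infected)
    pulled, held = pull_data_files(infected, staging, changed)
    restored = sorted(p.relative_to(staging).as_posix()
                      for p in staging.rglob("*") if p.is_file())
    return {"changed": changed, "pulled": pulled, "held": held, "restored": restored}
```

The unchanged photo never shows up in the changed list, the edited and new documents are copied to the staging folder, and the downloaded executable stays behind in the backup where it cannot run.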

Infection versus hacking

Now, I have to throw out one additional caveat here. In your question, you said that you were hacked. Did you mean hacked, where someone gains access to your online email account? Or did you simply have malware infect your machine?

Malware on your machine is what we’ve been talking about here. That’s what anti-malware tools remove, and it’s why you were originally concerned about backing up the infection to your external hard drive.

On the other hand, if your account has been hacked – somebody who isn’t supposed to have access to your account knows your login name and password – that may have absolutely nothing to do with your machine. In fact, it’s one of the things that can happen if you click the wrong link and log in to a site that isn’t really the one you think it is.

So, be sure that you understand the difference here before you get too concerned about the backup scenario.

If your account has been hacked, then I would point you to an article called, “Email hacked: 7 things you need to do right now.” That will walk you through the steps to recover and rescue your online account.

Footnotes & references

1: Actually, there is a scenario where restoring an infected backup might make sense: if your attempts to remove the malware make your machine less stable, or perhaps even completely unusable, you might consider restoring the infected backup so that you can restart your cleanup efforts from a known state.

2: As always, there are exceptions. If you “back up” by cloning a drive, so that the cloned drive can physically replace the original, then this type of backup performed on an infected drive does indeed leave the backup drive infected. This is not the case for normal file, image, or online backups.

8 comments on “Should I back up if my machine is infected?”

  1. In the olden days, if you put a floppy drive in your infected computer, the virus would copy itself to the floppy drive so the next computer you put your floppy into, the virus would copy itself to that computer. Have malware writers stopped this behaviour?

    What’s the guarantee that the malware won’t copy itself to my removable hard drive so that it can copy itself back to the computer that I just cleaned?

    • James,
Yes, malware can still do this. In fact, it’s often smart enough to transfer to a USB device or even a camera. The biggest thing I got from Leo’s article is that your whole problem is pre-solved if you were backing up all along. Then you simply restore and get on with your life. But if you don’t have a backup, and you do get a virus, then you need to make some attempt to preserve all your data.

• Yeah, I get that too. But before I restore my system with my backup, I will want to hook up my external hard drive to my malware-infected computer to copy the data that’s changed since the last backup. In the process, the malware transfers to my external HDD. Then I pull out the recovery boot CD and reboot. So far, clean system. Hook up the external HDD to begin the recovery process with the pre-infection backup and copy the data that’s changed since. In the process, the malware transfers from my external HDD to my now-clean computer.

• To the best of my knowledge that never happened with floppy drives, as auto-run and auto-play are the main culprits today in removable storage. That’s one reason I recommend turning those features off.

  2. Hi, so I already made a full system scan (clean) and it took me a few external hard drive scans until it told me it was free from viruses. More than anything, I’m worried about files being deleted by a virus. Would I easily notice if that were to happen? And should I still worry about that after the mentioned steps I took? The viruses are a few years old and my AV is up to date.

    Thanks

    • It depends on how often you use those files. If they’re not files you use or access frequently of course you might not realize they’re gone for some time. That’s why I so strongly recommend backing up. Always.
