I run virus and malware scans on my C drive only. I have several external drives and I’m wondering if I should be scanning them as well?
Interestingly enough the answer on this one isn’t always clear. I personally don’t scan my external drives, but there’s actually a pretty strong argument that perhaps I should.
Become a Patron of Ask Leo! and go ad-free!
C: is the typical target
The vast majority of malware that’s out there targets only your system drive. That means that it installs files in your Windows folder or in the registry, or corrupts the programs that have been installed. In other words, it attacks stuff that’s normally placed on your C: drive.
That’s why all anti-malware tools are going to scan your system drive, aka your C: drive, by default.
Viral propagation
Now, there’s certainly malware that will install itself on external drives; but in order to propagate, not necessarily to technically infect those drives. So what happens is the stuff that’s on the external drive isn’t really infected, but the files that comprise the malware are copied somewhere onto the drive so that when that drive is installed or connected to another machine, that machine can become infected. The same happens with USB thumb drives.
The best way to think of this is that the drive isn’t really infected, per se; it’s more of a carrier of the malware. There’s no real damage to the files on the external drive. It’s just that some additional information has been placed there in the hopes of it propagating to another machine, should that drive ever be plugged into another computer.
Infected external drives
It is possible to actually infect files on external drives, but it’s uncommon. And the reason it’s not that common is that, other than moving a drive from one machine to another, malware authors can’t really count on the infected files on an external drive ever being used for anything.
I don’t know what you use your external drives for, but I use them for things like backup, archives, or just storing random data. Like most people, I don’t have any programs on external drives, so there’s no real software for the malware to infect. So, rather than take the time and risk detection because of its activities on external drives, most malware just doesn’t bother.
To scan or not to scan? That is the question.
Certainly, there’s no harm in doing scanning your external drives. So I’ll just go ahead and say “scan”. It’s certainly better to be safe than sorry. I’m also not terribly concerned if you don’t, for all of the reasons that I’ve mentioned above. I really don’t think it’s a particularly high risk area.
And in fact, your anti-malware tool may have already made a decision for you. It could be defaulting to scanning all the connected drives, or not. Have a look at it’s configuration.
Bottom line: This is one of those cases where if it makes you feel more comfortable, by all means, go for it. But if it ends up being too much of a burden on your system, or slows down your computer’s performance, or is just inconvenient, then I’d feel free to skip it.
I have several times picked up malware on an external USB drive or memory stick after it has been used to move data to another machine, especially in hotels (e.g. to print a document), copy shops, or when visiting clients. The malware relies on autoplay to install itself on your computer. So (a) always scan external drives that have been used elsewhere and (b) don’t enable autoplay.
Good point John. Leo has a great article on that as well:
http://ask-leo.com/is_autorun_really_that_evil_and_if_so_how_do_i_turn_autorun_off.html
Quote: “Like most people, I don’t have any programs on external drives…”.
But if you make an image backup or clone backup, you DO have programs on the ext drive.
Bob – In a backup you would have program “files” on the drive contained within the backup format, but not installed and runable programs.
Ah, but I do have programs on my external drive, eventhough it’s only for backup purposes. I make a copy of the installs of various tools I’ve downloaded. It’s handy to have them there when trying to fix up/restore a PC and you can’t get on the internet to download the utility. These exist outside the image backup. So conceivably they could get infected.
I have executable files on my removable disks too, but these are installation files not files I would be running from that drive regularly. Could a virus target them? Theoretically, yes. But as malware generally goes after low hanging fruit, I’m not particularly worried about those. My AV should warn me if I try to run an infected file from my removable drive.
I don’t have programs that I run from external drives.
My understanding is that the recent “cryptolocker” attack will encrypt files on all attached drives. I use an external USB hard drive for backup which I used to keep permanently attached but I now disconnect when not actually backing up.
It does not encrypt ALL files. It encrypts all files of certain types. So it will encrypt all your .doc files and .jpg and so on. As of today, it does not encrypt backup images.
Also, the fact that it might encrypt files on external drives has NO bearing on whether those drives should be scanned for malware. The malware typically resides on, and is installed on, and runs from the system drive (C:) – it then reaches out to mangle data on the other attached drives.
Here are probably the two best ways to prevent external media malware attacks:
To protect a specific PC, disable autoplay. Starting with Windows 95 as a feature that only worked with CDs and reintroduced in XP as “autoplay”, Windows by default automatically runs content from all media and must be explicitly disabled. I think that there is a KB article somewhere with a link to a Microsoft Fixit that will automatically do that. But, thankfully, Windows 8 finally has “ask what to do” as the default settings.
To protect PCs from a specific device: deal with autorun.inf. Make it blank, delete it, make it read-only or encrypt it, whatever it takes.
Good point. Leo has a couple of articles on how to do this:
Is autorun really that evil, and if so, how do I turn autorun off?
Leo –
Let’s say a malware did infect my portable external drive, and it did such a thorough job that the external drive file system is now RAW. Is that malware still “alive” even though the file system is now RAW? If the drive is connected to another computer, can that malware infect the other computer?
Thanks.
The malware, in order to run, lives on your system (C:) drive. So that your external drive is “RAW” means that the malware isn’t running, or even accessible, from there.