
Can backups be infected? And if so, what good are they?

Question:

I have read your many archives, and there you suggested backing up regularly.
I agree. But honestly, I want to know: can backup images (I use Paragon Backup
& Recovery) be infected by a virus? I have a 500GB HDD and I back up all my
data regularly to another 100GB partition, but if a virus can still infect
those image files, then what is it worth?

Can a backup be infected with malware? Absolutely. I’ll explain how that
happens.

Does that make the backup useless? Absolutely not. I’ll
explain how the backup continues to remain both important and valuable even if
it happens to contain malware.

And finally, I’ll review how to avoid the situation in the first place.


Infected Backups

The simplest scenario is this:

  1. your machine becomes infected with malware

  2. before any anti-malware tools clean it up, you back up your machine


If you’re doing system/image backups, you’ve just backed up the malware. Even if you’re just doing data backups, it’s possible that you’ve just backed up the malware.

In addition, if you back up by simply copying files, then the backup location may also be vulnerable to direct infection. Say you periodically copy the contents of your My Documents folder to an external drive to back them up. Malware comes along and scans your machine for all “.doc” files and infects them – both in your My Documents folder and in the backup copies you have stored on your external drive. It’s just an example, but some malware does work this way – scanning your machine for files or drives to infect.

The good news is that most common backup tools actually collect the files being backed up into a single large archive. Acronis, for example, creates “.tib” files containing your backed-up system or data. While later infection of these archives is theoretically possible, once the backups have been made they’re not typically vulnerable to further infection, even if they remain online and accessible.

But yes, it’s quite possible for a backup to contain malware, through any of a number of scenarios that depend on exactly how you back up.

The Value of an Infected Backup

While an infected backup is something to be avoided, it’s not the end of the world, and it doesn’t invalidate the backup.

If a backup is infected there are generally two scenarios where it’s still extremely valuable:

  • Restore uninfected files. If you’ve backed up your entire system with an image backup, for example, there’s nothing that says you must restore the entire image. Most backup programs will let you extract and restore specific files and folders from that image. Since an image backup by definition has everything, you know that the data files you care about are there – so in case you need them you can restore just those files, bypassing any malware that might be elsewhere in the backup image.

  • Restore & Clean. Your backup’s infected, and you know it. That means you know to take extra precautions should you need to restore it completely. For example, you might restore to a different disk and then immediately run up-to-date anti-malware scans on the restored data. Or you might disconnect your machine from your network, restore the system image and then once again immediately run up-to-date anti-malware scans to rid it of the infections. It’s not guaranteed, it’s not ideal, but it’s one way of getting what you need from that backup without having to throw it away completely.

“It’s not ideal” is the truth – there’s no getting around the fact that you might be restoring an infection when you restore an infected system image. That doesn’t invalidate the backup, but it does mean you have to be careful and take additional steps to stay safe.

Avoiding the Problem

The ideal is very simple: don’t get infected in the first place.

If people put as much energy into preventing infection as they did into recovering from (or planning to recover from) an infection, I’m convinced it’d be much less costly overall.

And the rules are ones we all know: keep Windows up to date, don’t click on links in email that you aren’t absolutely positive are valid, don’t open attachments or file transfers that you’re not expecting or from people that you don’t know, and so on.

If you don’t get infected in the first place, then you won’t be backing up an infection. Very simple.

Another approach to reducing the impact is to keep your backups for a while. If you perform a daily backup, for example, and on Wednesday you realize that your machine became infected on Tuesday and that you backed it up in that state, you can simply restore Monday’s backup, taken before the infection occurred.
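As an added illustration (not from the original article), the Python example below combines two points made above: file-copy backups on a connected drive can be altered after they are made, and keeping several dated backups lets you go back to one taken before the infection. The function names, the ".bak" file names and the in-memory manifest are assumptions made for the example, and the sample backups are constructed.

```python
import hashlib
import tempfile
from datetime import datetime
from pathlib import Path

def sha256_of(path):
    """Hash a backup file in chunks so large images do not fill memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def record(manifest, path, taken):
    """Call right after a backup finishes: store its time and hash."""
    manifest[path.name] = {"taken": taken, "sha256": sha256_of(path)}

def audit(manifest, backup_dir):
    """Classify each recorded backup as 'ok', 'modified' or 'missing'."""
    status = {}
    for name, entry in manifest.items():
        path = backup_dir / name
        if not path.is_file():
            status[name] = "missing"
        elif sha256_of(path) != entry["sha256"]:
            status[name] = "modified"  # changed after the backup was made
        else:
            status[name] = "ok"
    return status

def pick_restore_point(manifest, backup_dir, infected_on):
    """Newest unchanged backup taken before the infection, or None."""
    status = audit(manifest, backup_dir)
    usable = [(e["taken"], n) for n, e in manifest.items()
              if status[n] == "ok" and e["taken"] < infected_on]
    return max(usable)[1] if usable else None

def demo():
    """Constructed sample: nightly backups, infection at noon on the 10th."""
    with tempfile.TemporaryDirectory() as tmp:
        drive, manifest = Path(tmp), {}
        for day in (8, 9, 10):
            path = drive / f"docs-2010-08-{day:02d}.bak"
            path.write_bytes(b"documents as of day %d" % day)
            record(manifest, path, datetime(2010, 8, day, 23, 0))
        # Constructed tampering: an older copy on the drive is altered later.
        (drive / "docs-2010-08-09.bak").write_bytes(b"tampered")
        infected = datetime(2010, 8, 10, 12, 0)
        return audit(manifest, drive), pick_restore_point(manifest, drive, infected)
```

A matching hash only shows that a file has not changed since it was backed up, not that it was clean at that time, which is why the date filter matters. Keep the manifest somewhere other than the backup drive so it cannot be altered along with the backups.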

Put your energy into staying safe in the first place. Then, if somehow you end up with an infected backup, be sure to take care should you use it to recover your data.


4 comments on “Can backups be infected? And if so, what good are they?”

  1. This reminds me of an issue I was encountering frequently when my external (backup) drive was connected to my computer. All of a sudden my AVG scan would kick in and start scanning everything including my backup drive. I didn’t *need* it to scan something that is unchanging, and that was malware free at the time I made the backup. It was loud and slow and obnoxious. So after weeks of putting up with this and stopping the scan manually every time it started, I finally found the place in the AVG config that let me tell it to scan *only* C:. Now I’m a happy camper again. But I know it’s important to make sure my machine is clean before I do any backups!

  2. 08-10-2010

    I never got in trouble (malware-wise) until I restored my computer from a highly regarded online backup site.

  3. I’m afraid if you use your computer enough that you will in fact someday get a virus, or malware or whatever you wanna call it. IMO the key is to already be prepared to bring your machine back from the dead. Update and backup is always the key in my opinion. While some data may be lost, for the most part I have always been able to get back to a point where I can function.
    MIKLO

  4. An important issue in backing up is how many copies should one keep. Since I counsel my clients to take backups off site, the question becomes, how many tapes (or flash drives or what have you) should I cycle? The answer is, how much time do you want to have before you find out that you have a problem?
    Assuming that you are using the entire backup volume each time, if you only use one device and if you back up every day, as you should, then you only have one day to find out you have a problem. After that, both your original and your backup have the same problem. (I am actually oversimplifying the matter because you can do differential backups but I find few people doing that.)
    If you cycle 2 different volumes for backing up, you then have 3 days to find out you have a problem, and so forth. It is important to note that it may take one month to find problems in certain files. For example, “month end” files might get harmed but used only once per month. You might not find you have a problem for weeks.
    This makes backup software especially attractive (as opposed to the often used “drag and drop” approach) because they can actually pack many, many backups per volume being that they give each backup a unique filename.
