Do you scan your backups for malware?

Porthos · Dec 28, 2022

Even if you scan a mounted Macrium image, any changes done to it are lost/reverted when you unmount the image.
Scanning it is useless.....

ThrashZone · Dec 28, 2022

kelper said:
Where did OP say he never disconnects his backup drive? I do a backup weekly or monthly. If I realised that I had a bit of malware, how could I be sure that it wasn't in my last backup, just waiting to shoot its wad? I think the OP's question was valid.

Hi,
Just by this part insinuates he leaves backup connected all the time otherwise why would he state this below

Haydon said:
disconnect your backups when you scan your system for malware?

Leaving a backup drive connected leaves it just as at risk as the os drive.

The VM bit well if you think playing with a system image file is good practice we will agree to disagree :lmao:

TraderGary · Dec 28, 2022

No, I don't scan my backups for malware.
Microsoft Security (Defender) scans constantly.
I run these three backup methods concurrently.
1. Microsoft OneDrive
2. Microsoft File History
3. Macrium Reflect Full Image

Haydon · Dec 28, 2022

Folks, what does Windows Defender do if it encounters a compressed file (like a Macrium Reflect image file)

a) Windows Defender recognizes that it is a compressed file and skips (does not scan the compressed file)

OR

b) Windows Defender scans the compressed file nonetheless

What does MalwareBytes do if it encounters a compressed file?
----------------------
BTW, I am the OP and I have 3 backup media that I rotate on a weekly basis. I just find it convenient to have 1 backup medium connected all the time.

Haydon · Dec 28, 2022

Porthos said:
Even if you scan a mounted Macrium image, any changes done to it are lost/reverted when you unmount the image.
Scanning it is useless.....

Well, I would not say useless. I would thrash a backup that fails a malware scan, just like I would thrash a backup that fails a verification of some sort.. Better an ounce of prevention now than a pound of trouble later.

Porthos · Dec 28, 2022

Haydon said:
What does MalwareBytes do if it encounters a compressed file?

A Macrium image is not a standard compressed file. It can only be opened/mounted by Macrium itself.

Haydon said:
Well, I would not say useless. I would thrash a backup that fails a malware scan, just like I would thrash a backup that fails a verification of some sort..

It would not thrash the image because all possible changes made by a malware detection would be discarded as soon as the image is unmounted.

So again a waste of time.

KevTech · Dec 28, 2022

Only thing I do before making backups is these.
If there are no errors then I make the backup.

Dism /Online /Cleanup-Image /ScanHealth

sfc /scannow

bikemanI7 · Dec 28, 2022

I typically scan my systems with Windows Defender & Malwarebytes Premium prior to making the backup of my systems here.

Then make the backup, once its finished/verified, then i disconnect the backup drive, rotating out every other week the 8TB drives. In addition to some files on Onedrive.

In fact think i'll scan with the secondary 8TB drive connected tonight, and then do backup for this week on that one once it's finished with the scans i normally run

Overall think my backup practice has improved alot since 2005, when i didn't do too many backups at the time, and i did lose some files then after a very very my own fault infection at the time

Haydon · Dec 28, 2022

Porthos said:
A Macrium image is not a standard compressed file. It can only be opened/mounted by Macrium itself.

It would not thrash the image because all possible changes made by a malware detection would be discarded as soon as the image is unmounted.

So again a waste of time.

View attachment 48662

You misunderstood me on both issues.

On the first issue, the question is the same for both the Windows Defender and the MalwareBytes apps. Regardless of whether the anti-malware apps recognize the backup file as compressed or not, and without doing any decompression, do the anti-malware apps scan the compressed backup file or not?

(I myself think that the anti-malware apps do scan the compressed backup file, because malware can hide in compressed files too. I just like to have my thoughts verified or falsified)

On the second issue, it's not the app that is doing the thrashing, it's the human that does the thrashing, i.e. it's a human like me that puts any dubious backup file in the recycling bin. In other words, the human uses a malware scan (or a verification of some sort) as a useful tool to decide whether to delete a backup or to keep it.

Porthos · Dec 28, 2022

Haydon said:
malware apps recognize the backup file as compressed or not, and without doing any decompression, do the anti-malware apps scan the compressed backup file or not?

No, they are too large for any scanner to properly scan.

Haydon said:
to decide whether to delete a backup or to keep it.

Do some basic disc cleanup and scan the system before backup.

Haydon · Dec 29, 2022

Porthos said:
No, they are too large for any scanner to properly scan.

What is the basis for saying 'compressed backup files cannot be properly scanned because they are too large?' Why is scanning time not simply commensurate with file size?

Porthos said:
Do some basic disc cleanup and scan the system before backup.

That's what I already said in my OP or at least 'scanning the source' bit. But scanning the compressed backup file is another tool, and scanning the decompressed backup file is yet another tool, etc etc. This thread is to discuss all these tools.

cereberus · Dec 29, 2022

Some of these posts seem to be confusing mounting an image with creating a vm with viboot.

Mounting an image as a drive means host pc scans the image, and will be faster but has a greater risk of infection of host if mounted drive is infected e.g. if an exe file is accidentally run. To be fair, risk is low but not different to risk of virus infection from any secondary drive. Key point is risk may low but is not zero.

Creating a viboot vm using viboot means the image is scanned by guest OS and risk of virus transfer to host OS is lower still than above, and virtually zero provided other external drives or network drives attached.

Also, with viboot, you can carry on safely using host whilst vm os being scanned.

kelper · Dec 29, 2022

When people say thrashing, do they mean trashing? How odd!
My laptop only has 4GB of ram so ViBoot runs but oh so slow!

cereberus · Dec 29, 2022

kelper said:
When people say thrashing, do they mean trashing? How odd!
My laptop only has 4GB of ram so ViBoot runs but oh so slow!

In computer science, thrashing occurs when a computer's virtual memory resources are overused, leading to a constant state of paging and page faults, inhibiting most application-level processing.[1] This causes the performance of the computer to degrade or collapse. The situation can continue indefinitely until either the user closes some running applications or the active processes free up additional virtual memory resources.

With only 4GB and Viboot - you will be thrashing your pc.

Winuser · Dec 31, 2022

Porthos said:
Do some basic disc cleanup and scan the system before backup.

That's only going to work on known viruses and malware. The security program isn't going remove any viruses or malware that it doesn't know exist. A scan of the mounted image before using it to do a restore could find threats that wasn't know at the time the image was made. If it does, then one can decide if they want to use it or look for an image that isn't infected.

WAI · Dec 31, 2022

Just do a scan before you backup if you think you are infected...

Winuser · Dec 31, 2022

Haydon said:
On the first issue, the question is the same for both the Windows Defender and the MalwareBytes apps. Regardless of whether the anti-malware apps recognize the backup file as compressed or not, and without doing any decompression, do the anti-malware apps scan the compressed backup file or not?

I tried Malwarebytes on an image, and I can say that it didn't scan it. The scan took one second. I didn't actually time the scan on the mounted image but I do know it took way longer than one second.

Winuser · Dec 31, 2022

WAI said:
Just do a scan before you backup if you think you are infected...

That's only going to find known viruses and malware.

WAI · Dec 31, 2022

Winuser said:
That's only going to find known viruses and malware.

So in otherwards you think malware/viruses can infect backups? Unless you store the backup on the computer yes but if not then no unless I don't understand what you mean

Winuser · Dec 31, 2022

WAI said:
So in otherwards you think malware/viruses can infect backups? Unless you store the backup on the computer yes but if not then no unless I don't understand what you mean

No! that's not what I think. If a system is infected with a new virus or malware and they are not in the security programs database yet, how is the security program supposed the threat exist. Why do you think security programs are constantly getting new security updates.