Wilders Security Forums  


Acronis Forum Sections Closed!
As of August 15, 2009: Please be aware that the Acronis Forum sections have closed. No new threads or replies may be made in these sections. See this announcement for more information.
 
 
  #1  
Old October 29th, 2008, 01:45 PM
azeqebo_757 azeqebo_757 is offline
Infrequent Poster
 
Join Date: Oct 2008
Posts: 2
Default Viruses can transfer through backup files?

So I have a laptop which I booted up using the Acronis bootcd (Acronis 11). I want to save the image from the laptop to a working desktop computer. Now, I don't know how badly infected the laptop's files may be. But since the backup is in a *.tib archive, can viruses still transfer over to the working computer? How big of a risk am I taking?
  #2  
Old October 29th, 2008, 02:10 PM
bilbus bilbus is offline
Infrequent Poster
 
Join Date: Sep 2006
Posts: 28
Default Re: Viruses can transfer through backup files?

Sure, if you backed up a virus it will be in the TIB.

Are you asking if it can jump from the TIB to the computer ... nope, it cannot .. unless you open an infected exe inside the TIB.

If you restore files from the TIB to the new computer you're fine. If you restore files to the new computer and run the file and that file has a virus, you will get infected.
  #3  
Old October 29th, 2008, 02:13 PM
Karma Karma is offline
Infrequent Poster
 
Join Date: May 2005
Posts: 19
Default Re: Viruses can transfer through backup files?

Hi, I'll venture a guess and then the smart ones will correct me if I'm wrong.

I doubt that there's any risk that an infected object INSIDE of a TIB would hurt your system.

Except in these cases:

1. You mount the TIB to a drive letter and proceed to restore the infected object to a location outside of the TIB on your hard drive. Then in a "what's this?" moment, you proceed to execute it.

or

2. You mount the TIB to a drive letter and proceed to double-click an infected (application) object so that it executes straight out of the "virtual drive".

or

3. You inadvertently mount the TIB and attach an infected object from the TIB to an email. And then inadvertently send that email to your (soon to be former) best friend.

or

4. You perform a "restore" of a partition from the TIB to a live computer (could be the same one or a different one from the computer that was backed up), then somehow load, execute, email, or otherwise "wake up" a virus that was attached to an object that got backed up on the original computer.


As I see it, you'd have to make a series of mistakes in order for a backed-up infected object to do any major damage. You'd almost have to try with malicious intent!

This is why it's critical to regularly run an anti-virus program. If you keep a clean house in the first place, then you won't need to worry about backing up any viruses.
  #4  
Old October 29th, 2008, 02:19 PM
azeqebo_757 azeqebo_757 is offline
Infrequent Poster
 
Join Date: Oct 2008
Posts: 2
Default Re: Viruses can transfer through backup files?

Alright, Karma's post kind of confused me, but I kind of get what it means. I am just making an image, not going to be mounting it or exploring it in any way.

Quote:
Are you asking if it can jump from the TIB to the computer ... nope, it cannot .. unless you open an infected exe inside the TIB.

That's exactly the question, so if it can't jump from a TIB file then I hope it's ok.
I do wonder how this is accomplished though, aren't files copied over to the backup computer one by one? Or does this tib file work differently? I thought tib files were just like zip files... Or I just don't understand how viruses spread in archives.
  #5  
Old October 31st, 2008, 12:02 AM
Karma Karma is offline
Infrequent Poster
 
Join Date: May 2005
Posts: 19
Default Re: Viruses can transfer through backup files?

I think viruses can only spread from "ZIP" files if you extract then access/open/execute them.

If they're just sitting in a ZIP file and you never extract or execute the infected object, then nothing will happen. They will lie dormant like a seed that never gets water or sunlight.

Which is what I said in my post above. In far too many words, I'll admit. But I was in a mood.

Maybe somebody from Acronis will add some knowledge for us.

Good luck!
  #6  
Old October 31st, 2008, 09:37 AM
seekforever seekforever is online now
Massive Poster
 
Join Date: Oct 2005
Posts: 4,696
Default Re: Viruses can transfer through backup files?

A virus is a piece of code, be it assembly language, macro language or whatever. For it to do anything it has to be "run" so a virus sitting inside a file that is just sitting on the HD or CD can't do anything. If you open the file and give it the needed access to execution facilities then it will do its work. If you have a Word document that has a macro virus in it, and you open the document with Word's macro processing feature enabled, the virus will execute. If the macro processing is disabled, you can open the document and the virus cannot execute but it will still be present in the document file.

Obviously, the best thing to do is to keep them out of your system since it is impossible to know what is required to execute every known virus type.
  #7  
Old October 31st, 2008, 07:46 PM
Ltuae Ltuae is offline
Infrequent Poster
 
Join Date: Oct 2008
Location: Melbourne.Au
Posts: 11
Default Re: Viruses can transfer through backup files?

Quote:
Originally Posted by azeqebo_757
So I have a laptop which I booted up using the Acronis bootcd (Acronis 11). I want to save the image from the laptop to a working desktop computer. Now, I don't know how badly infected the laptop's files may be. But since the backup is in a *.tib archive, can viruses still transfer over to the working computer? How big of a risk am I taking?

Logically, if you have good grounds for suspicion that the Image taken from the laptop might be infected, then you would not want to ever restore the rotten thing as a whole package anyway.

Equally, in that sense the purpose of taking the Image would be to at least back up as much good useful material as possible, and have it available nicely crammed in a .tib, for selective replacement or use if ever required.

And to do that, you would have to access and extract ("run") files from within the .tib archive, which does expose some danger.
edit: By "run" I didn't mean 'execute' implicitly, I meant transfer (copy) into system memory, and optionally onto media. That's enough to evoke malware and allow it opportunity to infiltrate. A good AV will realtime alert during an attempted access~copy of naughty data.

To be near totally safe why don't you simply exclude in ATI from backing up the common known troublemaker extensions?
eg. something like:
*.EXE,*.COM,*.BAT,*.CMD,*.VBS,*.PL,*.BAS,*.JS,*.JAVA,*.REG,*.SHS,*.PIF,*.SCR,*.DLL,*.SSH,*.CHM,*.HLP,*.LNK,*.{*},*.CPL

..would cover most potential nasties and give some surety that when inspecting or extracting from the .tib you wouldn't be touching vermin that could infiltrate onto your 'good' PC(s).

Also make sure you're running very good latest-updated AV and Malware murdererware while ever you're playing in the .tib and you'll be pretty safe.
edit2: corrected my disgraceful spelling [your>you're].

Make sense?

--
Ltuae

Last edited by Ltuae : October 31st, 2008 at 08:00 PM.
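
Added example, not part of any post in this thread: a read-only triage of a folder of files restored from a backup, using the extension list from post #7 and also checking the first two bytes for the "MZ" executable signature, which an extension list alone misses when a program carries a harmless-looking name. The function names and the sample tree (file names and contents) are constructed for illustration.

```python
import fnmatch
import os
import tempfile

# Exclusion patterns exactly as posted in the thread, lower-cased for matching.
RISKY = ("*.EXE,*.COM,*.BAT,*.CMD,*.VBS,*.PL,*.BAS,*.JS,*.JAVA,*.REG,*.SHS,"
         "*.PIF,*.SCR,*.DLL,*.SSH,*.CHM,*.HLP,*.LNK,*.{*},*.CPL").lower().split(",")

def classify(path):
    """'listed' = name matches the posted patterns; 'hidden-exe' = name looks
    harmless but the file starts with the DOS/PE 'MZ' signature; else 'other'.
    The file is only read, never opened by an application or executed."""
    name = os.path.basename(path).lower()
    if any(fnmatch.fnmatchcase(name, pat) for pat in RISKY):
        return "listed"
    with open(path, "rb") as fh:
        if fh.read(2) == b"MZ":
            return "hidden-exe"
    return "other"

def triage(root):
    """Walk a folder of restored files and group relative paths by class."""
    report = {"listed": [], "hidden-exe": [], "other": []}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            report[classify(full)].append(rel)
    return {kind: sorted(paths) for kind, paths in report.items()}

def build_sample(root):
    """Constructed stand-in for files copied out of a .tib (contents are inert)."""
    samples = {
        "docs/report.txt": b"plain text\n",
        "tools/setup.exe": b"MZ constructed stub, not a real program",
        "photos/holiday.jpg": b"MZ constructed stub behind a harmless-looking name",
        "scripts/login.VBS": b"' constructed placeholder\n",
        # Macro-capable documents are neither listed nor 'MZ': they land in 'other'.
        "docs/budget.xls": b"constructed placeholder for a spreadsheet",
    }
    for rel, data in samples.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for kind, paths in triage(tmp).items():
            print(f"{kind:10s} {paths}")
```

A text file that happens to begin with the letters "MZ" would also be reported as `hidden-exe`, so that class is a prompt for an AV scan rather than a verdict.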
  #8  
Old November 1st, 2008, 08:51 AM
Karma Karma is offline
Infrequent Poster
 
Join Date: May 2005
Posts: 19
Default Re: Viruses can transfer through backup files?

Ltuae, you make some great points.

Quote:
Originally Posted by Ltuae
Logically, if you have good grounds for suspicion that the Image taken from the laptop might be infected, then you would not want to ever restore the rotten thing as a whole package anyway.

Yes!

Quote:
Equally, in that sense the purpose of taking the Image would be to at least back up as much good useful material as possible, and have it available nicely crammed in a .tib, for selective replacement or use if ever required.

Plus, a TIB, being a single file, is somewhat portable, though probably only portable from hard drive to hard drive (and not to a memory stick, etc).

Quote:
And to do that, you would have to access and extract ("run") files from within the .tib archive, which does expose some danger.
edit: By "run" I didn't mean 'execute' implicitly, I meant transfer (copy) into system memory, and optionally onto media. That's enough to evoke malware and allow it opportunity to infiltrate. A good AV will realtime alert during an attempted access~copy of naughty data.

Yes, the difference between "run" and "execute" should be kept in mind. Opening a spreadsheet with macros in it is kind-of/sort-of like running a program.

Quote:
To be near totally safe why don't you simply exclude in ATI from backing up the common known troublemaker extensions?
eg. something like:
*.EXE,*.COM,*.BAT,*.CMD,*.VBS,*.PL,*.BAS,*.JS,*.JAVA,*.REG,*.SHS,*.PIF,*.SCR,*.DLL,*.SSH,*.CHM,*.HLP,*.LNK,*.{*},*.CPL

..would cover most potential nasties and give some surety that when inspecting or extracting from the .tib you wouldn't be touching vermin that could infiltrate onto your 'good' PC(s).

This is the one spot where I might disagree with you; though only slightly. If the OP is backing up a data partition (or folder structure), then yes, he could exclude the file types you list.

But in this day and age, most people don't really keep their data on a single partition. And, in a trend disappointing to me, more and more applications are mixing their data, config, and application code into common folders. Disappointing to me because it makes it harder and harder to just back up my data, if I so desire.

Quote:
Also make sure you're running very good latest-updated AV and Malware murdererware while ever you're playing in the .tib and you'll be pretty safe.

Indeed. And one thing that I need to get better at is actually RUNNING my AV scan and my malware scan from time to time...
  #9  
Old November 28th, 2008, 08:12 AM
Acronis Support Acronis Support is offline
Acronis Support Staff
 
Join Date: Apr 2004
Posts: 25,885
Default Re: Viruses can transfer through backup files?

Hello all,

Thank you for using Acronis True Image.

The archives previously created can be infected (I mean after their creation), but it is very unlikely. At any rate, we are not familiar with such cases, and the likelihood of it is considered to be theoretical.

If a virus is already present inside a backup archive, it can't infect the system if you don't touch the backup file. If you launch an infected recovered application, or mount the archive, explore it, etc., the malware can become active and infect the system.

Thank you.

__

Oleg Lee
__________________
Acronis Customer Central


Acronis Backup Software
Acronis virtualization, p2v and v2p solutions
  #10  
Old November 28th, 2008, 11:40 AM
dbknox dbknox is offline
Frequent Poster
 
Join Date: Jun 2006
Location: Canada
Posts: 511
Default Re: Viruses can transfer through backup files?

When I was using win 98 and XP ( I haven't had a virus yet with Vista after a year ) and I got a particularly nasty virus/worm that was proving to be almost impossible to get rid of, I would use TI to restore a known good image and my problem would be easily solved!
I would make a backup every second day. ( With Vista it is now once a month).
 

All times are GMT -4. The time now is 07:29 PM.

