ATI 11 PC clean after restoring an image?

Discussion in 'Acronis True Image Product Line' started by Pay87, Dec 11, 2008.

Thread Status:
Not open for further replies.
  1. Pay87

    Pay87 Registered Member

    Joined:
    Dec 11, 2008
    Posts:
    6
    Hi,
    I had some viruses on my PC after letting my son surf the internet.
    Before the virus came in, I made a clean backup of my PC with Acronis 11.
    I encrypted my backup with AES 128-bit, so there shouldn't be any changes in the backup file from a virus. I restored my PC using the Acronis boot disk with my (hopefully) clean image, so Windows wasn't loaded while restoring. I also restored the MBR (selected the MBR and Track 0 checkbox).
    Is my PC clean again? I mean, is there still the possibility that there is something left of the virus, trojan, rootkit? Maybe in the MBR of my second external hard drive? Thanks :)
     
  2. TerryFox

    TerryFox Registered Member

    Joined:
    Sep 6, 2005
    Posts:
    217
    If your full backup image wasn't infected when you made it, then when you restore your backup image it should be clean. But if you made a full backup image while your computer was infected, then yes, it will still have a virus. This is why, when using ATI to make a full backup image, it's best to do it when you do a clean installation and have everything up to date; this way you're almost certain there are no bugs/viruses.
     
  3. Pay87

    Pay87 Registered Member

    Joined:
    Dec 11, 2008
    Posts:
    6
    Hello,
    That's good to hear. I first thought I had to format the whole HDD and then restore the image, but it's good that I don't have to. The backup was from a clean installation; I only hope that the virus did not change something in it, but I never heard of a virus which changes something in an image.
    The non-system partitions (external HDD) are not a security risk, are they? I mean, they shouldn't contain any virus information in their MBR, and even if they did, that shouldn't matter because I boot from the system partition, and there I restored the MBR from the clean backup? That's the only point I still worry about. Thank you :)
     
  4. Pay87

    Pay87 Registered Member

    Joined:
    Dec 11, 2008
    Posts:
    6
    No one? Oh I forgot to ask this, too.
    Can I use Acronis 11 Images in Acronis 2009?
     
  5. DwnNdrty

    DwnNdrty Registered Member

    Joined:
    Mar 28, 2007
    Posts:
    3,335
    Location:
    Florida - USA
    I think you answered your own question regarding the MBR. Why don't you run the virus checker on the clean restored drive?
    The beta of 2009 will restore ver 9 Images so it should restore ver 11 Images.
     
  6. dwalby

    dwalby Registered Member

    Joined:
    Nov 20, 2007
    Posts:
    174
    Location:
    SoCal
    I think there are probably two answers to your question, one based on what is LIKELY, and one based on what is POSSIBLE. I don't have much experience with the exact nature of viruses, and given that there are so many different ones out there I don't know how many different ways they can do harm. I'm also responding as much to ask others what they think as I am to tell you a few things that I think I understand, but I'm not 100% sure about myself.

    When you restore one of your backup images to a partition, AFAIK you only write back the sectors of that partition that were actually used at the time of the backup; you don't write over the entire partition or otherwise wipe out any of the other sectors. So in theory malware that resided in one of the sectors not re-written by your restore is still there. But don't panic: by restoring your system partition with your backup you have pretty much removed any required reference to that malware, so it's not likely that it could do anything harmful after the restore. So that's what I mean by it's not LIKELY that you'll continue to have problems, but it's technically still POSSIBLE. To be 100% sure that you have removed any trace of malware, you should use a utility that actually writes over every sector in the infected partition prior to restoring with your backup. That guarantees that whatever infected that partition is now gone. If you simply format the partition, that won't remove existing data either AFAIK; it only removes references to any files written on that partition. You have to use a disk writing utility to actually change the data.

    Regarding the non-system partitions, I've asked that same question here before and never got any answers. In my case I have two internal HDs plus one external. I always keep the external turned off except to do backups, because you can't install a virus on a disk that's not turned on. But I wonder about what could get installed on one of my other internal partitions if I picked up a virus. I think it's easier to detect malware on data partitions because it would have to be an executable file that is easy for AV s/w to spot, and you might even notice the unexpected file yourself while browsing. So I think once you get the system partition back in order it's not a big job to scan the other partitions for problems as well, and I think if there is any real threat it would be easily detected. The big question is what if the virus damaged one or more of your data files and you don't notice it right away? You could continue to back up your damaged data and eventually throw out the last good backup copy of a particular data file that you don't access that often. So you might feel more secure by just restoring your data at the same time you restore the system partition.

    What I don't know is if virus attacks even bother going after partitions other than the system partition or not. They like to wipe out your MBR, because that renders your system inoperable, and they like to get into your OS and do other nasty things, but I never seem to hear about them going after separate data partitions specifically. I'd appreciate any input others may have in this regard because I have no experience at all with that topic.
     
  7. Pay87

    Pay87 Registered Member

    Joined:
    Dec 11, 2008
    Posts:
    6
    I thought ATI 11 formats the HDD before restoring an image.
    In this case it is possible that the virus is still on a formatted sector, but as far as I know it is no risk for us because the malware is not connected or linked to the running system, and as long as you don't restore the virus with Recuva etc. and run the virus (double-clicking on it etc.) it will just be overwritten when new data is stored on that sector. Am I right?

    If Acronis is not formatting the drive before restoring, what happens if the image is smaller and contains fewer sectors than the filesystem with malware on it? Will it leave the newly added sectors alone?
    That would be very critical, because any malware could be easily started by the system or the user again after the restore, because it won't be overwritten by the backed-up sectors?

    Well, if the malware wipes out the MBR of the second HDD, we all would see that something is going wrong with the 2nd HDD.
    But what if the virus just includes the malware in the MBR and leaves the rest alright? We probably wouldn't even notice a change.
    That is why I am a little curious about it, whether it's possible that a virus writes malware to a 2nd external HDD's MBR, too, and not just to the system HDD or system partition. And if yes, would it be harmful to connect this HDD to a running (restored) system?

    I might look a little paranoid, but I never read anything about these cases on the internet etc. Also, it depends on how the developer of the backup software handles the restoring process, so you can't say that if Paragon Drive Backup formats the drive before restoring, Acronis True Image will also do it. :p
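
The last post's worry, an MBR whose boot code has been changed while the partition table still looks normal, can be checked by comparing the sector against a copy saved while the disk was known to be clean. The sketch below is an added example, not part of the thread and not Acronis code; the function names and the sample sectors are constructed for illustration, and it assumes you already have the first 512 bytes of the disk as a file or byte string.

```python
import hashlib
import struct

BOOT_CODE_LEN = 440      # bytes 0..439: boot code
TABLE_OFFSET = 446       # four 16-byte partition entries start here
BOOT_SIG = b"\x55\xaa"   # bytes 510..511
ENTRY = "<B3xB3xII"      # status, CHS (skipped), type, CHS (skipped), LBA start, count

def parse_mbr(sector):
    """Split a 512-byte MBR into a boot-code hash and its partition entries."""
    if len(sector) != 512:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != BOOT_SIG:
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from(ENTRY, sector, TABLE_OFFSET + 16 * i)
        if ptype != 0:  # type 0 marks an unused slot
            parts.append({"index": i, "active": status == 0x80,
                          "type": ptype, "lba_start": lba, "sectors": count})
    digest = hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()
    return {"boot_code_sha256": digest, "partitions": parts}

def compare_mbr(baseline, current):
    """List the ways the current sector differs from the known-clean baseline."""
    a, b = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if a["boot_code_sha256"] != b["boot_code_sha256"]:
        findings.append("boot code changed")
    if a["partitions"] != b["partitions"]:
        findings.append("partition table changed")
    return findings

def build_sample(boot_code, lba_start=63):
    """Constructed sector for the demo: one active type-0x07 partition."""
    entry = struct.pack(ENTRY, 0x80, 0x07, lba_start, 204800)
    return boot_code.ljust(TABLE_OFFSET, b"\x00") + entry + bytes(48) + BOOT_SIG

if __name__ == "__main__":
    clean = build_sample(b"\xfa\x33\xc0")        # constructed baseline
    altered = build_sample(b"\xfa\x33\xc0\x90")  # same table, different boot code
    print(compare_mbr(clean, clean))
    print(compare_mbr(clean, altered))
```

This covers only the MBR sector itself; the remaining sectors of track 0 would need the same baseline comparison.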
     