True Image backups containing a virus

Discussion in 'Acronis True Image Product Line' started by BillPorter, Oct 3, 2006.

Thread Status:
Not open for further replies.
  1. BillPorter

    BillPorter Registered Member

    Joined:
    Sep 21, 2006
    Posts:
    10
    I just ran a virus program (Avast!) on my system and it detected exactly ONE file infected with a virus. The file was a backup image (MyBackup.tib). My virus program gave me the options of deleting or quarantining the file. Of course, I deleted the file and proceeded to make another backup image. My guess is that the backup image file with the virus was made when there were one or more viruses on the boot drive that were later removed. It may seem obvious, but I would certainly recommend running a virus scan BEFORE creating a backup image. BTW, I just ran a virus scan on the newly created MyBackup.tib and found it virus free.
     
  2. foghorne

    foghorne Registered Member

    Joined:
    Sep 27, 2005
    Posts:
    1,389
    Location:
    Leeds, Great Britain
    Sure, but this sounds as if it attached itself after you had created it.


    F.
     
  3. BillPorter

    BillPorter Registered Member

    Joined:
    Sep 21, 2006
    Posts:
    10
    Yes, I can't rule out that possibility. Ideally, I would create a backup image on my external (USB) HD and then turn off or disconnect the external drive until it was needed.
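
Added example, not part of the original thread: one way to settle whether an image such as MyBackup.tib changed after it was created is to record its SHA-256 when the backup job finishes and compare it later. The function names, manifest layout and stand-in files are assumptions made for this example; it does not parse the TIB format.

```python
import hashlib
import json
import tempfile
from pathlib import Path
CHUNK = 1024 * 1024  # images are large, so hash in 1 MiB chunks

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def record(backup_dir, manifest):
    """Hash every .tib right after the backup job; keep the manifest off the backup drive."""
    entries = {p.name: sha256_file(p) for p in sorted(Path(backup_dir).glob("*.tib"))}
    Path(manifest).write_text(json.dumps(entries, indent=2))
    return entries

def verify(backup_dir, manifest):
    """Return {file name: "ok" | "modified" | "missing" | "unrecorded"}."""
    known = json.loads(Path(manifest).read_text())
    present = {p.name: p for p in Path(backup_dir).glob("*.tib")}
    result = {}
    for name, digest in known.items():
        if name not in present:
            result[name] = "missing"
        elif sha256_file(present[name]) != digest:
            result[name] = "modified"   # content changed since the backup was taken
        else:
            result[name] = "ok"
    for name in present.keys() - known.keys():
        result[name] = "unrecorded"     # appeared without going through record()
    return result

def demo():
    # Constructed stand-in files (hypothetical names); real images would be far larger.
    with tempfile.TemporaryDirectory() as d, tempfile.TemporaryDirectory() as m:
        root, manifest = Path(d), Path(m) / "manifest.json"
        (root / "MyBackup.tib").write_bytes(b"A" * 4096)
        (root / "Weekly.tib").write_bytes(b"B" * 4096)
        (root / "Older.tib").write_bytes(b"C" * 4096)
        record(root, manifest)
        (root / "MyBackup.tib").write_bytes(b"X" * 4096)  # same name and size, new bytes
        (root / "Older.tib").unlink()
        (root / "Extra.tib").write_bytes(b"D")
        return verify(root, manifest)

if __name__ == "__main__":
    print(demo())
```

A "modified" result means the file's bytes differ from what the backup job wrote; an "ok" result alongside an antivirus alert points toward a false positive or toward content that was already in the image when it was taken.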
     
  4. shieber

    shieber Registered Member

    Joined:
    Oct 27, 2004
    Posts:
    3,710
    If the virus was included during backup, it would have undergone compression and probably not been recognizable to the antivirus program. So probably it latched on afterward -- so it might have been on your system disk before the backup was made or maybe not -- so a good idea to run antivirus after a restore, too.

    good luck,
    sh
     
  5. Howard Kaikow

    Howard Kaikow Registered Member

    Joined:
    Apr 10, 2005
    Posts:
    2,802
    If an AV software states that a particular TIB file has a virus, then that means:

    1. The AV software is screwed up and issued a false positive, or;
    2. The TIB file has been replaced by malware using the same file name.

    I do not believe that Acronis would reveal the format of a TIB file so AV software could check within the archive.

    To check for malware in a backup, mount each volume of the archive and run the AV software over the mounted volumes.
     
  6. foghorne

    foghorne Registered Member

    Joined:
    Sep 27, 2005
    Posts:
    1,389
    Location:
    Leeds, Great Britain
    Or, a virus has attached itself after the tib was created.

    F.
     
  7. Howard Kaikow

    Howard Kaikow Registered Member

    Joined:
    Apr 10, 2005
    Posts:
    2,802
    A virus cannot "attach" to a file.

    All it can do is replace the file with its own code.
     
  8. Christopher_NC

    Christopher_NC Registered Member

    Joined:
    Jun 24, 2006
    Posts:
    293
    Location:
    North Carolina USA
    Just how invisible are the contents of .tib files, even those made without compression? I understand that most corrupt .tib files cannot be read even by a data recovery engineer, once the file structure/partition information is lost. So this says that .tib files are quite well disguised.

    Would there be zero traces of even a well-known virus visible to a competent virus scanner? If a virus was known to infect compressed files, or image files of any kind, perhaps the virus scanner knew what to look for? Or, could it have been a false positive?

    In theory, why couldn't a virus be written that would infect .tib files? Are they really beyond the reach of viruses, or, more likely, just not targets?
     
  9. foghorne

    foghorne Registered Member

    Joined:
    Sep 27, 2005
    Posts:
    1,389
    Location:
    Leeds, Great Britain
    Sure, this is one type of virus strategy, but viruses can and do "attach" by inserting or appending and changing the effective entry point to the executable. I can understand that the overall effect can look like a replacement since the original code is often bypassed, but this is not necessarily the case.

    If you are interested have a look at http://www.viruslist.com/en/virusesdescribed?chapter=152540474

    F.
     
  10. Howard Kaikow

    Howard Kaikow Registered Member

    Joined:
    Apr 10, 2005
    Posts:
    2,802
    A virus consists of "code".
    The code would have to overwrite a file, or if the structure of the file is known, the code could be inserted to modify/replace/add code. If not done properly, the file becomes corrupt.

    In order to insert something into a TIB file, one would have to know how to parse its structure.
     
  11. Howard Kaikow

    Howard Kaikow Registered Member

    Joined:
    Apr 10, 2005
    Posts:
    2,802
    A TIB is not an executable.
     
  12. foghorne

    foghorne Registered Member

    Joined:
    Sep 27, 2005
    Posts:
    1,389
    Location:
    Leeds, Great Britain
    Howard,

    Actually a virus *can* do whatever its author pleases. You are correct in that the benefits of attaching to a non executable are questionable - but the way a virus works is simply down to the virus programmer - when you say "a virus cannot" you make it sound like viruses are operating outside the realms of computer science. Actually they are not. A 10 year old can write code which modifies a file regardless of whether an OS wishes to execute after it has loaded.

    I concede that it is unlikely that a virus would have attached to a non executable - but unless my understanding of the English word "cannot" is incorrect, this is a thousand miles away from what you are trying to claim.

    F.
     
  13. Ocky

    Ocky Registered Member

    Joined:
    May 6, 2006
    Posts:
    2,677
    Location:
    George, S.Africa
    Newbie question. Is it good practice to scan the backup.tib files for viruses, or is this not recommended and/or a waste of time? My weekly scan includes the drive containing the backup.tib.
     
  14. foghorne

    foghorne Registered Member

    Joined:
    Sep 27, 2005
    Posts:
    1,389
    Location:
    Leeds, Great Britain
    I personally wouldn't bother. In the unlikely event that a tib is targeted by a virus it will not be executable anyway. The worst it could do is render the tib corrupt. Life is way too short for this imv.

    The main thing is to ensure that the data going in to the image has been virus checked.

    F.
     
  15. Ocky

    Ocky Registered Member

    Joined:
    May 6, 2006
    Posts:
    2,677
    Location:
    George, S.Africa
    Thanks foghorne, that's what I wanted to hear. :cool:

    Merry Christmas and a good 2007!
     
  16. phasechange

    phasechange Registered Member

    Joined:
    Aug 10, 2004
    Posts:
    359
    Location:
    Edinburgh
    I would have mounted the "infected" file as read/write and scanned it.

    I suspect a false positive but if it was infected I doubt it would mount. What virus did it claim to have found?

    Thanks,
    Phasechange
     
  17. BillPorter

    BillPorter Registered Member

    Joined:
    Sep 21, 2006
    Posts:
    10
    Sorry to say that I didn't write anything down and it has been too long for me to remember it. I'm now thinking it was a false positive, but who knows?
     