How can I safely back up files from an infected computer?

"How can they know that one of their files isn't infected"? You can't. Well, you can if you get down into the bits of the file, but that's pretty tedious and expensive.

If you have an idea of the date the device got infected, files not altered before that date stand a higher chance of not being infected. That's not a guarantee, because changing a file's date isn't hard. So even that's not foolproof.

Really the only halfway decent option is to scan the file, copy it to an external drive, then scan it again and copy it back. Odds are that it's a generic and not a targeted infection. By waiting a couple days, to give AV vendors time to update their virus definitions, you stand a better chance of removing the infection when you move and scan the files. That's not 100%, though - unless you know the infection and that the AV in question resolves the infection, you could set yourself up for a reinfection.

The only safe alternative is to wipe everything and have the user buy an external hard drive. Then they should use it regularly to back their files up.


What do you mean by "files?"

If you mean system files, registry settings, binaries, and scripts, then the other answers are correct that there's essentially no way to be safe. Since this is a question about recovery from infection, then the standard advice -- do a clean OS install -- still applies.

However, if by files you mean the more common usage of data files like text and images, then you really don't have to worry about reinfection from a backup as long as you don't "execute" anything from your backup. An "infected" image file can't affect your system barring a serious bug in the software you use to view or edit it.

At the end of the day, I think most people will be happy if they can save their family photos and Word documents from an infected computer, and that can be done really without much danger. You can always "rebuild" your installed programs, settings, browser profiles, etc.


Make a backup any way you want. Assume that the backup is infected. In fact, always assume that ANY backup is infected. The trick is avoiding the infection from spreading back to your machine afterwards.

Make sure your machine will only boot from its own hard disk and not from any external disk or stick, CD drive, or network. This is a BIOS setting.

As a second line of defense, never restart or turn the machine on with any media inserted. However, you will forget this some day, so the BIOS setting is important.

Never restore program files from backup, only data files. Programs should be restored from their original source. Install all security updates.

Once upon a time, this would have been enough, since only programs get infected and data files do not. Unfortunately, times have changed and files that look like data files actually contain program code too.

If you open a document and it says something like "This document contains active macros. Allow them to run?", you say NO. The actual wording of the question will vary from program to program, but just say NO anyway.

Even after all this, you will still get hit again someday, so

Keep making backups!
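
The restore rule from the last answer (bring back only data files, and treat documents that carry macros as programs), as an added Python example that is not part of any of the answers above: it sorts a backup tree by leading bytes rather than by file name and flags Office files that contain a VBA project. The function names, the extension list and the sample files are constructed for illustration, and a "restore" verdict means only that no executable marker was found, not that the file is clean.

```python
import tempfile
import zipfile
from pathlib import Path

# Leading bytes that mark executable content, whatever the file is named.
EXEC_MAGIC = {b"MZ": "Windows PE executable", b"\x7fELF": "ELF executable", b"#!": "script"}
# Extensions the OS will run or interpret (illustrative list, not exhaustive).
EXEC_EXT = {".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".ps1", ".vbs", ".js", ".msi", ".lnk"}
OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # legacy .doc/.xls/.ppt container

def classify(path):
    """Return (verdict, reason); verdict is 'restore', 'review' or 'skip'."""
    with Path(path).open("rb") as fh:
        head = fh.read(8)
    for magic, label in EXEC_MAGIC.items():
        if head.startswith(magic):
            return "skip", f"{label} header"
    if Path(path).suffix.lower() in EXEC_EXT:
        return "skip", "executable file extension"
    if head.startswith(OLE2_MAGIC):
        return "review", "legacy Office container, may hold macros"
    if head.startswith(b"PK") and zipfile.is_zipfile(path):
        with zipfile.ZipFile(path) as zf:
            names = [n.lower() for n in zf.namelist()]
        if any(n.endswith("vbaproject.bin") for n in names):
            return "review", "Office document with a VBA macro project"
        if any(Path(n).suffix in EXEC_EXT for n in names):
            return "review", "archive containing executable files"
    return "restore", "no executable marker found"

def triage(backup_root):  # classify every regular file, keyed by relative path
    root = Path(backup_root)
    return {p.relative_to(root).as_posix(): classify(p) for p in sorted(root.rglob("*")) if p.is_file()}

def build_sample(root):  # constructed sample backup tree with fake file contents
    root = Path(root)
    (root / "photos").mkdir(parents=True)
    (root / "photos/beach.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\0" * 16)
    (root / "photos/invoice.pdf").write_bytes(b"MZ\x90\x00" + b"\0" * 16)  # PE named .pdf
    (root / "cleanup.bat").write_text("@echo off\n")
    for name, member in (("notes.docx", "word/document.xml"), ("budget.docm", "word/vbaProject.bin")):
        with zipfile.ZipFile(root / name, "w") as zf:
            zf.writestr(member, b"constructed")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for rel, (verdict, reason) in triage(build_sample(tmp)).items():
            print(f"{verdict:8} {rel}: {reason}")
```

Run it against the mounted backup from the freshly installed system and copy back only the "restore" entries; "review" files are the ones where the macro prompt should be answered NO.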