• Fred Langa: How do I safely transfer files from an old, possibly infected laptop to an external HDD?


    • #321470

    Give them a double washing. More great advice from Fred Langa on his website.
    [See the full post at: Fred Langa: How do I safely transfer files from an old, possibly infected laptop to an external HDD?]

    1 user thanked author for this post.
    • #321544

      I use a Linux Mint DVD/USB boot media. It reads NTFS out of the box and is uninfectable from Windows’ c***.

      • #321582

        Actually, Linux is perfectly capable of becoming infected with Windows executables. They won’t damage the Linux OS, so they don’t interfere with Linux operations. But when exposed to an infected Linux computer, a Windows PC can pick up the Windows-targeted executables very easily, and the Windows PC then becomes infected.

        This is why there used to be a cottage industry in “Linux Antivirus”, which was really scanning almost exclusively for these transferable Windows-targeted malicious executables. But over time, folks didn’t take up these products in sufficient numbers, and they have fallen by the wayside.

        Moral is: when transferring files or data from a Linux installation into a Windows installation, scan every incoming file with Windows antivirus scanners before allowing anything onto the Windows PC.

        -- rc primak

        3 users thanked author for this post.
        • #321684

          I think we need to distinguish between being infected with and containing an infected file.

          The idea to use a write-protected Linux to retrieve the files might protect you from some type of malware that hide below the file level when reading the NTFS drive from Linux.

          Also, if Linux isn’t infected, it isn’t infected. Transferring tainted files doesn’t even mean Windows will be infected either if the file isn’t run in some cases, although yes, in specific contexts if the file was read and triggered a buffer overflow on a vulnerable app in Windows, then you could have the Windows PC infected. The vulnerable app could be an antivirus scanner, an image viewer, a pdf reader, Word, etc.

          So using Linux to retrieve data, using an antivirus Linux product, then copying the data back to a clean patched Windows drive and then mounting that up as a data drive only in a clean Windows with an up to date antivirus might be a good idea since you will have more chances to only copy files and avoid rootkit type issues or other Windows antivirus vulnerabilities at the first stage.

          Then, you make sure to not run those files or have them read by programs with vulnerabilities for a while. Your risk will still not be 0, but waiting a bit for antiviruses to catch up with the 0-day threats is not a bad idea and will lower your risk as well. That sounds like a lot, but being infected might not always be a minor issue that is easy to fix. And we always need to remember that antiviruses are not a panacea. They might not detect a lot of new or less common malware for a very long time.

          1 user thanked author for this post.
    • #321573

      No single antivirus software catches everything: I would run two different AV scanners from Live CD/USB media on the old laptop prior to the scan that Fred proposes after copying the files to the external HDD and plugging it into the new computer.

      Some may consider this overkill, but to my mind the extra step is well worth it if I have any reason to believe the old laptop might be infected.


      3 users thanked author for this post.
      • #321599

        I agree. I would also suggest running a rootkit scanner and removal tool.

        1 user thanked author for this post.
    • #321589

      I would like to point out that many if not most of these stand-alone, bootable scanners have been abandoned by the major AV vendors, and are no longer supported.

      Some which are still supported include the ones from BitDefender, Kaspersky and Trend Micro.

      If you pretend you’re running Windows 8.1, you can follow those instructions to download and create a CD or USB Flash Drive version of Windows Defender Offline. This may be necessary if your system won’t boot fully into Windows, a common side-effect of an infection. On my Intel NUC with a dual-boot, I cannot get the built-in Windows 10 version of Windows Defender Offline to complete a scan and file its report. Whatever the cause of this abort and restart behavior, I would have to run WDO from bootable USB media. The last update of the bootable form of WDO used WinPE3, which is pretty far out of date.

      I concur with Cybertooth that running more than one offline scan is good insurance. Belt and suspenders, you know!

      To be honest, since I use system image backups and full data backups, as well as drivers and some configuration files, I’d rather just do a low-level disk reformat and reinstall Windows 10 from my backup image. Making sure of course that the image selected was from before the infection was suspected. That’s the only way to make sure nothing survives the cleanup, unless hardware microcode or firmware got infected, which can happen these days.

      -- rc primak

      2 users thanked author for this post.
    • #321713

      According to Alex Eiffel: “…yes, in specific contexts if the file was read and triggered a buffer overflow on a vulnerable app in Windows, then you could have the Windows PC infected. The vulnerable app could be an antivirus scanner, an image viewer, a pdf reader, Word, etc.”

      To me, as written, and correct me if I am wrong, as I might well be, this suggests that scanning the copied files for viruses and other malware can trigger an infection, which would run contrary to the advice of scanning with antivirus also offered here and, to me again, seems like a logical precaution. Perhaps someone could explain this, as this is a topic of considerable interest, so other non-experts might not be left, on reading these entries, equally puzzled as I am.

      Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

      MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
      Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
      macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

      1 user thanked author for this post.
      • #321727

        scanning the copied files for viruses and other malware can trigger an infection

        I’ve never seen that happen.

        2 users thanked author for this post.
        • #322001

          https://borncity.com/win/2017/06/30/stack-buffer-overflow-vulnerability-in-avast-antivirus/

          https://landave.io/2017/06/avast-antivirus-remote-stack-buffer-overflow-with-magic-numbers/

          Although you might not have seen it, antiviruses are a great asset to compromise due to their low-level access to the OS…

          So, Oscar, to respond to you and other users, yes, in theory, it would be safer although not very useful to just copy your files on Windows and let them sit there forever without ever opening them with an antivirus or anything else until you end up switching to Linux. 😉 And it would be safer to never use the Internet, or your computer.

          Jokes aside, this is a good question. One maybe reasonable compromise would be to let them sit a few days if possible so if any vulnerability that is not kept very secret by some dark organization or nation got out and was patched, your antivirus would not be vulnerable anymore. But, yes, this might not be a very high risk anyway since vulnerabilities known only to secret organizations might be used mostly to do targeted attacks; it’s just for the sake of being rigorous that I mentioned antiviruses among many other apps. Those things exist. Antiviruses are complex products that read files, so of course they are not immune to these types of vulnerabilities.

          But my suggestion to let files sit a bit was not just for antivirus vulnerabilities, but to give a bit of time for antivirus to catch up with the latest malware signatures so that a virus that had infected you on the other computer might now be recognized before you open it again with a vulnerable app, antivirus or another.

          1 user thanked author for this post.
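          The procedure sketched in #321684 (retrieve the files from a write-protected Linux boot, treat the result as a data drive only) and the "let them sit a few days, then scan" advice in #322001 can be scripted on the live system. The script below is an added example, not code from this thread, from Fred Langa's article, or from any AV vendor. It assumes a Linux live system with ntfs-3g and GNU coreutils, a suspect volume at /dev/sdb2 (assumed device name), a mount point /mnt/suspect and a destination /media/transfer/old-laptop (assumed paths). It mounts the old disk read-only with noexec/nodev/nosuid so nothing on it can be written to or executed, copies everything except Windows executable and script types, and records a SHA-256 manifest so that, after the files have been parked for a few days, you can confirm nothing touched them before handing them to an up-to-date scanner.

```shell
#!/bin/sh
# Added example (not code from the thread or from Fred Langa's post): pull
# data files off a suspect laptop drive from a Linux live system, skipping
# Windows executable types, and keep a SHA-256 manifest so the copies can be
# verified and re-scanned after the antivirus has had a few days to catch up.
# Device name, mount point and destination path are assumptions.
set -eu

# Extensions of Windows executables, scripts and installer containers.
# Leaving these behind keeps infected binaries and droppers off the
# transfer drive; the documents and photos the owner wants are never these.
EXEC_EXTS='exe dll scr com bat cmd ps1 vbs vbe js jse wsf wsh msi msp hta cpl lnk jar pif reg'

# Mount the suspect NTFS volume read-only and noexec/nodev/nosuid, so the
# live system can neither alter the old disk nor run anything from it.
# Needs root; /dev/sdb2 in the usage block at the bottom is an assumed device.
mount_suspect_volume() {
  mkdir -p "$2"
  mount -t ntfs-3g -o ro,noexec,nodev,nosuid "$1" "$2"
}

# Succeeds (exit 0) when the file name carries one of the EXEC_EXTS
# extensions, compared case-insensitively ("setup.EXE" counts).
is_exec_type() {
  base=$(basename -- "$1")
  case "$base" in
    *.*) ext=$(printf '%s' "${base##*.}" | tr '[:upper:]' '[:lower:]') ;;
    *)   return 1 ;;
  esac
  for e in $EXEC_EXTS; do
    [ "$ext" = "$e" ] && return 0
  done
  return 1
}

# Copy every non-executable file below $1 into $2, preserving the relative
# path and timestamps. Skipped files are reported on stderr for the record.
copy_data_only() {
  src=$1; dst=$2
  mkdir -p "$dst"
  find "$src" -type f | while IFS= read -r f; do
    if is_exec_type "$f"; then
      printf 'skipped executable type: %s\n' "$f" >&2
      continue
    fi
    rel=${f#"$src"/}
    mkdir -p "$dst/$(dirname -- "$rel")"
    cp -p -- "$f" "$dst/$rel"
  done
}

# Write a sha256sum manifest of the copied tree ($1) to the file $2
# (give $2 as an absolute path; paths inside are relative to $1).
make_manifest() {
  ( cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
      sha256sum -- "$f"
    done ) > "$2"
}

# Re-check the parked tree ($1) against its manifest ($2, absolute path)
# before the delayed AV scan: a mismatch means something touched the files.
verify_manifest() {
  ( cd "$1" && sha256sum -c --quiet -- "$2" ) >/dev/null
}

# Full sequence with the assumed paths; run as root from the live system:
#   sh transfer.sh --transfer
if [ "${1:-}" = "--transfer" ]; then
  mount_suspect_volume /dev/sdb2 /mnt/suspect
  copy_data_only /mnt/suspect/Users /media/transfer/old-laptop
  make_manifest /media/transfer/old-laptop /media/transfer/old-laptop.sha256
  umount /mnt/suspect
fi
```

The read-only mount is what makes the "write-protected Linux" step real: the live system cannot modify the suspect disk, and noexec means a stray double-click on a file under the mount point does nothing. Skipping executable types is a blunt filter (a macro-laden .docx still goes through), which is why the manifest exists: run `verify_manifest` after the waiting period, and only then let the patched Windows machine's scanner, and afterwards its applications, read the copies.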