1

Is it safe to scan and clean an external HDD of malware/viruses on an otherwise clean system, i.e. my system?

Does the antivirus software on my machine do its work externally? I.e. if a virus is detected, does it quarantine the object to somewhere on the external HDD rather than onto my machine?

Would using a separate user account for this work be of any benefit? Thanks.

Kol12

2 Answers

2

Are you sure your system doesn't have an application that scans or indexes new devices? Like a media player that tries to extract metadata from multimedia files.

I would recommend booting from a live CD or live USB in read-only mode, not mounting your partitions, and disconnected from any network. After that load [a VM with] your antivirus, then mount your external drive and check it. However, this will not prevent a rootkit from infecting your BIOS and you will have no guarantee that your antivirus found all the malware. It's still better than nothing.

If you want a bulletproof method to remove your virus from the drive, the only way is to destroy it. Erasing it is not enough, as its firmware could be infected.

A. Hersean
  • Agree. If you do not want possible malware to write anything on your disk, use a read-only disk (CD or DVD ROM). – Serge Ballesta Nov 21 '16 at 13:58
  • Bit Defender Rescue CD looks to be pretty highly regarded, will scanning the drive from this environment avoid any interference with my clean system drive? – Kol12 Nov 22 '16 at 01:04
  • @A.Hersean Is it possible to retrieve the valuable files before destroying if that route was taken? – Kol12 Nov 22 '16 at 01:06
  • @Kol12 I don't know this particular product, but Bit Defender Rescue CD might be a good solution, at least for its convenience. I would recommend using an old unused computer for this task as it's still possible for it to get infected, even though highly improbable. To reduce risks, do not recover files that can otherwise be downloaded from trusted sources and do not recover executable files. – A. Hersean Nov 22 '16 at 08:13
  • Sounds like a plan @A.Hersean. Are you suggesting it would be better to move the valuable files off the drive and format the drive, or would the files remain safe on the drive once fully virus cleaned? – Kol12 Nov 22 '16 at 08:53
  • For the record, if Windows Defender detects a virus on an external drive would it likely transfer the file to the quarantine folder on the OS drive? I would imagine it probably does as WD probably just sees it as another drive? I would presume at least if that's true it still isolates the file from the OS but I'm going to veer on the extra cautious side by moving the task to a separate machine... – Kol12 Nov 22 '16 at 09:12
  • @Kol12 It's unlikely but possible that your drive's firmware is infected, so I recommend extracting what you need and then discarding and destroying the drive. If you want to bet that its firmware is fine, I would recommend extracting what you need and then wiping the drive. I don't know the specific internals of Windows Defender; read its documentation or ask Microsoft. – A. Hersean Nov 22 '16 at 10:16
  • Thanks @A.Hersean I will clean the drive up on an unused computer and then decide whether I destroy it or not. Hopefully if someone finds they're in a similar situation without a spare PC this will help. – Kol12 Nov 24 '16 at 07:03
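
A. Hersean's advice in the comments above (do not recover executable files) can be applied mechanically when copying from the read-only mount. This is an added example, not part of the original thread; the signature and extension lists are a small assumed set, and files that pass the filter still need the antivirus scan.

```python
import os

# Leading bytes of common executable formats (well-known file signatures).
MAGIC = {
    b"MZ": "PE/DOS executable",
    b"\x7fELF": "ELF executable",
    b"#!": "script with interpreter line",
    b"\xcf\xfa\xed\xfe": "Mach-O executable",
    b"\xca\xfe\xba\xbe": "Mach-O universal binary or Java class",
}
# Extensions Windows will run or interpret when opened (assumed, not exhaustive).
RISKY_EXT = {".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".msi",
             ".ps1", ".vbs", ".js", ".jar", ".lnk"}

def skip_reason(path):
    """Return why a file should stay on the suspect drive, or None to recover it."""
    if os.path.islink(path) or not os.path.isfile(path):
        return "not a regular file"
    if os.path.splitext(path)[1].lower() in RISKY_EXT:
        return "executable extension"
    try:
        with open(path, "rb") as fh:
            head = fh.read(4)
    except OSError:
        return "unreadable"
    for magic, label in MAGIC.items():
        if head.startswith(magic):
            return label  # content is executable even if the name says otherwise
    return None

def triage(root):
    """Walk a read-only mount; return (recover, skipped), paths relative to root."""
    recover, skipped = [], {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            reason = skip_reason(full)
            if reason is None:
                recover.append(rel)
            else:
                skipped[rel] = reason
    return sorted(recover), skipped

if __name__ == "__main__":
    import sys
    keep, skipped = triage(sys.argv[1])  # mount point of the suspect drive
    print(f"{len(keep)} to recover, {len(skipped)} left behind")
```
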
1

First of all, always use a virtual machine instead of your installed OS and mount it in read-only mode when doing something with (probably) infected externals!

This prevents your PC/Account from being infected by whatever is on this HDD. Most likely a usual anti-virus should then be able to detect most of the malware and delete it.

If you doubt it anyway you can completely wipe the HDD using the VM.

In addition, there are already posts on this topic:

  1. Safe to connect to external drive?

  2. Mac OSX: What is the safest way to access an unknown USB storage?

Gistiv
  • Wow! I always thought that a VM was just a client program on the host and did not know that you could install an external disk on a VM without first plugging it in on the host... Maybe it is because my PC has no virtual connectors, only real ones. More seriously, before you can mount the external disk on the VM you have to connect it physically to the host... and the risk is there if you have not blocked any automount feature first. – Serge Ballesta Nov 21 '16 at 13:53
  • Thanks for the replies. @A.Hersean I have autorun disabled so the drive doesn't get scanned. I use Windows Defender (Win10) which also does not scan the drive on mount. Using Win 10 Home edition a virtual machine won't be an option, could I still boot from a live CD without using a VM? – Kol12 Nov 22 '16 at 00:16
  • Now that I think of it I have another computer downstairs that I could set up for this job but will have to pick up another monitor. So that will greatly reduce any risk to my system but once the drive has been cleared of viruses how safe are the remaining valuable files? I may end up using this drive on my machine again. I suppose unless a virus has made its way into the firmware, which I understand is rare, it should be clear? – Kol12 Nov 22 '16 at 06:44
  • As @A. Hersean pointed out, the only bulletproof method is destroying it. – Gistiv Nov 22 '16 at 06:54
  • I should note also that I use my personal machine with a standard user account as another security barrier against any virus entering administrative directories. – Kol12 Nov 22 '16 at 07:08
  • @Gistiv Does that mean there's not any chance of first retrieving valuable non-infected files? – Kol12 Nov 22 '16 at 07:11
  • Before I decided I should move my virus scanning on the drive elsewhere I did actually scan a suspected file with Windows Defender for which it detected a Trojan. I chose for Windows Defender to delete the file. Now when I open Windows Defender and navigate to the history tab the trojan shows in there as being quarantined, does that mean the trojan was moved to the OS drive and has not yet been deleted or is it just a log showing that the file was quarantined before it was deleted? – Kol12 Nov 22 '16 at 07:43
  • It is possible that you will get the HDD clean and you can use your files without any risk, but you will have no proof or guarantee for it. – Gistiv Nov 22 '16 at 07:49
  • The external device first needs to be recognised by the host before it can be mounted by the guest VM. Your answer is misleading. – schroeder Nov 29 '16 at 07:57
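
Both answers and Serge Ballesta's automount comment come down to mount state on the scanning system: the suspect drive read-only, and no internal partitions mounted. The check below is an added example, not from the thread, that audits `/proc/mounts`-format text on a Linux live system; the device names and the sample tables are constructed assumptions.

```python
REQUIRED = {"ro", "noexec", "nosuid", "nodev"}
IGNORED_PREFIXES = ("/dev/loop", "/dev/sr")  # live image: squashfs loop, optical drive

def audit_mounts(mounts_text, suspect_dev, boot_dev=None):
    """Check /proc/mounts-format text; return findings (empty list = as advised)."""
    findings, suspect_seen = [], False
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].startswith("/dev/"):
            continue  # tmpfs, proc, overlay and other non-disk mounts
        dev, mountpoint, opts = fields[0], fields[1], set(fields[3].split(","))
        if dev.startswith(suspect_dev):
            suspect_seen = True
            missing = sorted(REQUIRED - opts)
            if missing:
                findings.append(f"{dev}: missing mount options {','.join(missing)}")
        elif dev.startswith(IGNORED_PREFIXES) or (boot_dev and dev.startswith(boot_dev)):
            continue  # the live medium itself (boot_dev covers a live USB stick)
        else:
            findings.append(f"{dev}: internal partition mounted at {mountpoint}")
    if not suspect_seen:
        findings.append(f"{suspect_dev}: not mounted")
    return findings

# Constructed sample: live CD session, suspect drive /dev/sdb mounted by hand.
GOOD = """\
/dev/sr0 /run/live/medium iso9660 ro,noatime 0 0
/dev/loop0 /run/live/rootfs squashfs ro,noatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
/dev/sdb1 /mnt/suspect ntfs ro,noexec,nosuid,nodev,relatime 0 0
"""
# Constructed sample: desktop automounter mounted everything read-write.
BAD = """\
/dev/sr0 /run/live/medium iso9660 ro,noatime 0 0
/dev/sda2 /mnt/windows ntfs rw,relatime 0 0
/dev/sdb1 /media/user/BACKUP ntfs rw,nosuid,nodev,relatime 0 0
"""

if __name__ == "__main__":
    for name, table in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit_mounts(table, "/dev/sdb") or "ok")
```
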