My previous posting discussed various approaches to dealing with a Windows computer that's been infected by malicious software (malware).
The easy approach, installing anti-malware software and having it scan the machine, is the least likely to fully remove the infection. At the other end of the spectrum, re-installing Windows is guaranteed to remove the infection but at a huge cost in terms of time and effort to put Humpty Dumpty back together. Somewhere in the middle is removing the hard drive and scanning it from an uninfected machine.
But, there is another alternative: roll back the entire C disk to a known clean state.
Some software literally does a rollback. That is, it runs continuously in the background, logging all hard disk activity. This activity log can be used to undo recent changes.
Examples of this approach include SteadyState from Microsoft, Deep Freeze from Faronics and some virtual machine software such as VMWare Workstation (GoBack from Symantec was popular in the old days, but it has been replaced by Ghost version 14).
I don't like this approach, however. It's complicated, there's a constant overhead, it can only roll back so far, and software constantly running in the background strikes me as an accident waiting to happen.
DISK IMAGE BACKUPS
My preferred approach is disk image backups.
An image backup is focused on hard disk sectors, rather than files. That is, the intent of a disk image backup program is to back up the entire hard disk: every last bit.
Yes, this is a bit wasteful, as much of the hard disk doesn't need to be backed up. But the upside is the guarantee of being able to restore the computer to a known good state.
If you've ever dealt with a "recovery" CD, DVD or partition that returns a computer to the factory-fresh state, what it's doing is restoring a disk image backup.
With image backups there is no need to have software constantly running, there is no activity log file, no overhead and no limit on how far back the system can be restored. If you don't mind keeping an image backup, a computer can be restored to its state months or years ago.
There are many disk imaging products to choose from, including Drive Image XML from Runtime Software, True Image from Acronis, ShadowProtect Desktop from StorageCraft, Drive Backup Express from Paragon Software, DriveClone Express from Farstone, Ghost from Symantec and Image for Windows from Terabyte Unlimited.
Some companies combine regular file-oriented backup with disk image backups into a single product, but I prefer the simpler approach offered by a single-purpose program.
Some disk imaging programs install and run as a normal Windows application. The downside, however, of backing up Windows while it's running should be self-evident: you're painting a picture of a moving subject.
Other disk imaging programs run from a bootable CD and thus back up the system when Windows is not running. When it comes to backup, my preference is for simple, and this is the simpler way to go.
SMALLER IMAGE BACKUPS
Image backups are large and thus are best written to an external hard disk, another LAN resident computer or a Network Attached Storage device. The image backup program should have an option to split the backup into multiple files, each sized to fit on a single CD or DVD.
There are a number of ways that disk imaging programs decrease the size of the image backup.
Every imaging program that I've seen offers compression; some offer different types of compression, letting you trade off disk space savings against CPU usage and elapsed time.
The biggest savings probably comes from being file system aware. That is, the image backup program won't back up disk space that isn't allocated to a file. Obviously, this can be a huge savings, but if the file system is damaged, so too is the backup. It also limits the imaging application to backing up file systems that it understands.
Another trick might be skipping things like the page/swap file which should never need to be backed up.
A good disk imaging program will offer its file system aware features as an option. This way, you can make small backups most of the time, but still have the option to make a full image backup if the file system breaks or files get deleted by accident. Drive Image XML, for example, can operate in "raw mode" to back up everything. If you don't enable raw mode, then it's file system aware and makes smaller backups.
Although file backups are not the main reason to make image backups, many disk imaging applications let you mount an image backup and see/copy the files within it. Drive Image XML does not allow this for raw mode backups.
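To make the size-reduction tricks above concrete (compression, skipping unallocated space, skipping the page file, and the raw-mode escape hatch), here is an added toy model written for this post; it is not code from Drive Image XML or any product named here. The disk, its allocation map and the image format are all constructed for illustration; the point it shows is that a file-system-aware image is smaller but inherits any damage to the allocation map, while a raw image does not.

```python
import zlib

SECTOR = 16  # constructed toy sector size in bytes


def make_toy_disk():
    """Constructed toy disk: sector 0 is the allocation map (one byte per sector:
    T=map, A=file data, P=page file, F=free); sectors 1..7 hold the data."""
    layout = b"TAAPFFAF"
    disk = [bytearray(SECTOR) for _ in layout]
    disk[0][:len(layout)] = layout
    for i, kind in enumerate(layout):
        if kind == ord("A"):
            disk[i][:] = (b"file%d" % i).ljust(SECTOR, b".")
        elif kind == ord("P"):
            disk[i][:] = b"swapdata".ljust(SECTOR, b"~")
        elif kind == ord("F"):
            disk[i][:] = b"stale-deleted!".ljust(SECTOR, b"-")  # leftovers in free space
    return disk


def image_disk(disk, raw=False, skip_pagefile=True):
    """Return a zlib-compressed image. raw=True copies every sector; otherwise the
    program trusts the allocation map and keeps only sectors it marks as in use."""
    layout = bytes(disk[0][:len(disk)])
    records = []
    for i, sector in enumerate(disk):
        kind = chr(layout[i])
        if not raw and (kind == "F" or (kind == "P" and skip_pagefile)):
            continue  # file-system aware: free and page-file sectors are not backed up
        records.append(i.to_bytes(2, "big") + bytes(sector))  # (sector number, data)
    return zlib.compress(b"".join(records))


def restore_image(image, n_sectors):
    """Rebuild a disk from an image; sectors absent from the image come back zeroed."""
    disk = [bytearray(SECTOR) for _ in range(n_sectors)]
    data = zlib.decompress(image)
    rec = 2 + SECTOR
    for off in range(0, len(data), rec):
        i = int.from_bytes(data[off:off + 2], "big")
        disk[i][:] = data[off + 2:off + rec]
    return disk


def damage_allocation_map(disk):
    """Simulate file-system damage: the map now wrongly says sector 6 (a file) is free."""
    copy = [bytearray(s) for s in disk]
    copy[0][6] = ord("F")
    return copy
```

Restoring the file-system-aware image of the damaged disk silently loses the file in sector 6, whereas the raw image of the same damaged disk restores it intact; that is the trade-off the text describes.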
Even with file system tricks, making a disk image is still relatively slow and the backups are relatively large. It's not something you'd want to do every day. Fortunately, it's not needed every day.
On my main computer, I make an image backup once a month, just before running Windows Update. On my other computers, the schedule is haphazard but I have at least one image backup of every computer that I use.
Typically when I work on a computer for a client, the very first thing that I do is make an image backup. This way, if something goes wrong with whatever I'm doing, I can always go back to square one. First do no harm.
I suggest making an image backup before making any significant system changes. For example, make a backup prior to installing a service pack (be it Windows or Office), before running Windows Update, before starting malware removal (a lesson I learned the hard way) and before installing a new release of Internet Explorer. When you buy a new computer, install your applications, then make an image backup.
This brings up the issue of how many backups to retain.
While falling back to a prior image backup is, by far, the best way to approach malware removal, there's always a chance that the backup is infected too. There is no one right answer, it depends on factors such as how important the computer is, how big the backups are, how much storage space you have for backups, etc. As a rule of thumb, I'd start by keeping two backups of important machines and one of those you don't judge to be important.
Next time, using partitions with disk image backups.