[SOLVED] Is my hdd safe from any virus if I bring it offline?

Jul 23, 2019
Hello,

I bought an HDD for backups, but it's an internal drive. So now I wondered how safe that actually is. I can bring it offline, is that enough to prevent programs from fiddling with my backups? Or can something bring it online without me knowing?

Thanks in advance,
Silas
 
Solution
99.9% yes, it's safe.
Now a virus could search for drives that are available and not mounted, then mount them. But I know of no virus this deep in their invasiveness.

I would imagine a UEFI infection would happen first and they are much worse.

Bitdefender has a ransomware safe area. If a program tries to alter files in a directory you choose it gets blocked until you whitelist it. I don't know how effective it is but it might be worth looking at.
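The answer above rests on the backup disk actually staying offline, and anything running with administrator rights could bring it back online. The following PowerShell script is an added example (not posted by anyone in this thread) that checks the state of the backup disk with the Storage module's Get-Disk and Set-Disk cmdlets, marks it read-only and offline if it is not, and re-reads the state afterwards so you can see the change. The disk number 2 and the drive label are assumptions; check Get-Disk output for your own system first, and run it from an elevated (Administrator) session.

```powershell
# Added example: verify that the backup disk is offline and read-only, and
# put it into that state if it is not. Assumption: the backup disk is disk
# number 2 (run Get-Disk first to confirm the number on your machine).
$BackupDiskNumber = 2

function Show-DiskState($Number) {
    $d = Get-Disk -Number $Number
    "Disk {0}: {1} ({2} GB) Status={3} ReadOnly={4}" -f `
        $d.Number, $d.FriendlyName, [math]::Round($d.Size / 1GB),
        $d.OperationalStatus, $d.IsReadOnly
    return $d
}

"Before:"
$disk = Show-DiskState $BackupDiskNumber

# Read-only first: the volumes are still mounted, so a stray write from a
# program that later mounts the disk is refused at the disk level.
if (-not $disk.IsReadOnly) {
    Set-Disk -Number $BackupDiskNumber -IsReadOnly $true
}

# Then take the disk offline so no drive letter is assigned at all.
if ($disk.OperationalStatus -ne 'Offline') {
    Set-Disk -Number $BackupDiskNumber -IsOffline $true
}

"After:"
$disk = Show-DiskState $BackupDiskNumber

# Report clearly if either setting did not take (for example because the
# session is not elevated); both must be true for the disk to be protected.
if ($disk.OperationalStatus -eq 'Offline' -and $disk.IsReadOnly) {
    "Backup disk is offline and read-only."
} else {
    Write-Warning "Backup disk is NOT fully protected. Re-run from an elevated session."
}

# To run a backup: Set-Disk -Number 2 -IsOffline $false -IsReadOnly $false,
# copy the files, then run this script again to lock the disk down.
```

The point of printing the state before and after is that the check, not the Set-Disk call, is what tells you whether the disk is protected: the same two cmdlets that lock the disk can unlock it again from any elevated process, which is exactly the "unmount, then mount" scenario the answer describes, so the script is a convenience and a verification step, not a substitute for physically disconnecting the drive.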

Lutfij (Moderator)
You might want to invest in an antivirus or practice a healthy behavior of not visiting suspicious sites or downloading suspicious applications or, the worst kind, working with pirated apps.

You might want to consider disconnecting the drive from the system if you think the data on it is valuable or might be used as ransom if locked out.
 
Thanks for your reply.

I am very careful on the internet, that's why I bought this HDD. I know that at any time I can just pull the cable of the HDD, that's the best solution. But do you happen to know how big the chance is that a virus enables my HDD? I know I shouldn't be taking chances...

Silas
 
Thanks, I was encrypting it anyway. So both encrypting and bringing it offline should do the job. I don't think such a UEFI attack will hit me.
 
That should do the job. But two notes:

1. Encrypted files can still be overwritten by a virus. They just can't be read.

2. If you did have a UEFI virus, it wouldn't matter if you removed the infected drive and replaced it with a new one. The UEFI would reinstall the virus once the new drive was reattached. That includes your backups. The only way to prevent this is to be sure to reset all your UEFI keys, which resets the UEFI. It's a feature only modern motherboards offer. (It was added after the weakness was discovered.) It's the impetus for the Secure Boot initiative.
 
Ah good to know, thanks! I will research some more about that virus. Do you think my motherboard from around a year ago supports that function, where you reset the keys? It's the Gigabyte x470 Aorus Ultimate Gaming.
 
As I don't have any Gigabyte X470 builds on hand, I couldn't tell you. Sorry. Maybe ask the motherboard forum.

Info on bootkits/UEFI viruses and their history:
 
Alright thanks a lot
One more thing: Be sure to restore the default keys after the wipe. The wipe clears out any arbitrary keys that might have been put there that validated a bad signature as good. Your Windows will also need to run in UEFI Secure Boot mode as well.

Unfortunately wiping the keys does not guarantee the actor's malicious code will be removed. If they have access to a valid digital certificate, then you are screwed. This is possible if they gain kernel level access. SRC: https://blog.hansenpartnership.com/the-meaning-of-all-the-uefi-keys/

Only an official OEM UEFI image can fix that. (I don't know if a ROM update would force a UEFI boot loader overwrite/reset or not)
 
And with the OEM UEFI you mean like a clean image of windows?

No. I mean a clean wipe of the motherboard's UEFI image. Windows can install new UEFI code modules, but it can't restore them to an uncorrupted state.

UEFI bootkit viruses are persistent, hard to detect, and a pain to remove. Hence why they are growing in popularity and used by state actors. Even OEMs have been guilty of misusing UEFI before.

 
Are those viruses used enough to make me worry? And is there any way to prevent the virus from working?
 
The short answer is "There isn't much you can do to stop it. If a hacker wants you bad enough he will get you." Your job is deciding "How tasty a target am I? And what defenses am I going to put up to reduce my tastiness?"

If you wanted to go whole cow, you would layer your defenses. But it's a lot of work.

But for 99.9% of people, just staying away from questionable activities or websites, running a standard (non-admin) account, and using an up-to-date antivirus will protect you.

Chrome is still the gold standard on sandboxing. However, you have to deal with Google's data tracking even in private mode. So Google protects you, just not from themselves.
 
Yeah, your data is everywhere these days. You can't control what you share, but you can control who you share it with. At least, with some of it.

I will see what I can do to make it as hard as possible for the hackers.

Edit: how can I mark this question as solved? I feel like noob now haha
 
You have to choose the best answer. That marks the thread Solved.
Thanks this did it.
And digitslgriffin, I am 100% going to use that ransomware function from Windows Defender! I can't believe I forgot about that one, since I do use it on my school laptop.

Thanks to everyone in this thread. Jeez I feel like I said "thanks" a bit too much this thread :sweatsmile:.

Edit: and I think I will try the ransomware program mdd1963 suggested.
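The Windows Defender feature referred to in this post is Controlled Folder Access, which does for a chosen directory what the earlier answer describes for Bitdefender: writes from programs that are not on the allow list are blocked and logged. The script below is an added example, not something anyone in the thread posted, showing how to configure it with the Defender cmdlets (Set-MpPreference, Add-MpPreference, Get-MpPreference) and how to review what it blocked. The folder E:\Backups and the program path C:\Program Files\MyBackupTool\backup.exe are placeholders to replace with your own; run it from an elevated PowerShell session.

```powershell
# Added example: protect the backup directory with Windows Defender
# Controlled Folder Access and allow only the backup program to write to it.
# Assumptions (placeholders): backups live in E:\Backups and the backup tool
# is C:\Program Files\MyBackupTool\backup.exe. Run as Administrator.
$BackupFolder = 'E:\Backups'
$BackupApp    = 'C:\Program Files\MyBackupTool\backup.exe'

# Start in AuditMode: writes are logged but not blocked, so you can see which
# programs touch the folder before enforcing. Switch the value to 'Enabled'
# once the audit log shows only the programs you expect.
Set-MpPreference -EnableControlledFolderAccess AuditMode

# Register the backup folder as protected and the backup tool as allowed.
Add-MpPreference -ControlledFolderAccessProtectedFolders $BackupFolder
Add-MpPreference -ControlledFolderAccessAllowedApplications $BackupApp

# Show the resulting configuration so the change can be verified.
$pref = Get-MpPreference
"Controlled Folder Access mode: {0}" -f $pref.EnableControlledFolderAccess
"Protected folders:             {0}" -f ($pref.ControlledFolderAccessProtectedFolders -join ', ')
"Allowed applications:          {0}" -f ($pref.ControlledFolderAccessAllowedApplications -join ', ')

# Review what was blocked (event 1123) or would have been blocked in audit
# mode (event 1124) during the last 7 days. Get-WinEvent raises an error when
# nothing matches, which is the normal case on a clean machine, so suppress it.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1123, 1124
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-Table -Wrap
```

Running in audit mode first matters in practice: the earlier answer's "blocked until you whitelist it" behaviour also blocks legitimate tools such as archivers or sync clients, and the 1124 events tell you which programs to add to the allow list before you switch to Enabled. Note that this protects files that are still reachable from Windows; it does not replace taking the disk offline, and a process with administrator rights can change these preferences just as it can bring a disk online.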
 
Hello,
I ran into 2 more questions. After that everything is clear.

- Is clearing the CMOS enough? I have a button for that on the motherboard. I can't find anything in the BIOS to reset the UEFI.

- If I somehow ever do happen to get such a UEFI virus, will my backup drive be infected if it is offline, and I do not enable it until the virus is a goner?