How to manage malware in OS X backups

We recently covered how to remove malware from OS X. Here are your options for finding and removing it from any backups you keep.

Topher Kessler MacFixIt Editor
Topher, an avid Mac user for the past 15 years, has been a contributing author to MacFixIt since the spring of 2008. One of his passions is troubleshooting Mac problems and making the best use of Macs and Apple hardware at home and in the workplace.

In yesterday's article on protecting your Mac from recent malware developments in the Mac community, I briefly suggested excluding specific download folders from your Time Machine backups (or whatever backup routine you use) so that downloaded malware installers are not retained in a backup. In response to that article, MacFixIt reader "Harry" wrote in to ask what to do if malware or other unwanted items do get backed up to Time Machine.

Time Machine runs every hour, so if you have installed the recent malware or some other unwanted item and a backup has run since, the unwanted files have almost certainly been included in your backup. You have two options if this happens: leave it alone, or try to remove the malware from the backup.

If you leave it alone, you are safe as long as you have removed the malware from your boot disk and do not open or run anything from the backup disk. The malware in the backup is just inert data sitting on that disk; it cannot do anything unless it is copied back onto your system. The real concern is that restoring your system (or the affected files) from a backup instance that contains the malware would restore the malware along with it. Once the malware is gone from your boot disk, subsequent backups will no longer include it, so restore only from backup instances made after the cleanup and you will avoid it.

Over time, older Time Machine backups are thinned out (hourly backups are kept for 24 hours, daily backups for a month, and weekly backups until the disk fills), so the instances containing the malware will eventually be deleted, though on a large backup disk this can take a long time. The same goes for a cloning utility: once the malware is removed from your main boot drive, the next clone update should mirror that change and remove the malware from the clone as well.

The second option is to remove the malware from the backup, which is recommended if you do not want to worry at all about having malware anywhere on your system. To do this, first go to the Time Machine system preferences and turn Time Machine off (or otherwise pause your backup routine) so a backup does not run while you are working, and then do the following to check your backup drive and correct the problem:

  1. Scan the backup drive

    If you have a malware scanner, update its definitions and scan the Time Machine drive. This will tell you whether malware is present on the drive, but only if the definitions have been updated to detect the malware in question; a scanner will not help if what you want to remove is not malware but some other unwanted file. Keep in mind that Time Machine backups are built from hard links (each unchanged file or folder has a directory entry in every backup instance but only one copy of its data on disk), so a scanner that walks every instance reads the same data over and over and may take an extraordinarily long time.

  2. Delete specific files or backup instances

    If you locate the files on a backup clone, either with a scanner or manually, you can simply put them in the Trash and empty it; a clone is an ordinary copy of your drive, so this does not harm the rest of the backup. In Time Machine, use its own interface instead: enter Time Machine, select the file, and choose "Delete All Backups of..." from the gear (action) menu, which removes it from every backup instance at once. Deleting the file out of a single instance by hand leaves the hard links in the other instances in place, so the data stays on the disk until every instance that references it is gone. If you know exactly when you downloaded or installed the unwanted files, you can instead remove every backup instance made since that time. Go to the Time Machine disk and open the "Backups.backupdb/COMPUTERNAME" folder; the backup instances are folders named by the date and time of the backup (YYYY-MM-DD-HHMMSS). Select an instance in Time Machine and choose "Delete Backup" from the gear menu to remove it.

  3. Format the backup drive

    If you are not concerned about keeping older backups (that is, you do not use Time Machine as an archive), erase the drive in Disk Utility and start fresh. This is the only way to be certain that every instance of the backed-up files is gone. If you are using a cloning utility, you likely do not need to do this, since the clone should update to mirror your cleaned boot drive; however, it remains an option.
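The following shell script is an added example, not part of the article, that works through steps 1 and 2 against a throwaway copy of the Backups.backupdb layout. It builds the mock tree in a temporary directory (the computer name "MyMac", the user "harry", the backup dates and the file "suspect-installer.pkg" are all constructed stand-ins, not real malware), lists which backup instances contain the file, shows that each instance holds a hard link to the same data, and then deletes every instance stamped after the file arrived. Time Machine hard-links whole directories, which plain `ln` cannot do, so the mock hard-links the files themselves; the effect on scanning and deleting is the same.

```shell
#!/bin/sh
# Added example (not from the article): find an unwanted file in a Time
# Machine-style backup tree, see how many snapshots share it via hard links,
# and drop the snapshots taken from the time it arrived. Everything happens in
# a temp directory; names, dates and "suspect-installer.pkg" are constructed.
set -eu

BAD_REL="Macintosh HD/Users/harry/Downloads/suspect-installer.pkg"

# Mimic Backups.backupdb/<computer>/<YYYY-MM-DD-HHMMSS>/<volume>/... Time
# Machine hard-links unchanged directories between snapshots; plain ln only
# hard-links files, which is enough to show the effect. Prints the db path.
make_mock_backupdb() {
  db="$1/Backups.backupdb/MyMac"
  for stamp in 2011-05-01-090000 2011-05-02-100000 2011-05-03-110000; do
    mkdir -p "$db/$stamp/Macintosh HD/Users/harry/Downloads"
  done
  dl1="$db/2011-05-01-090000/Macintosh HD/Users/harry/Downloads"
  dl2="$db/2011-05-02-100000/Macintosh HD/Users/harry/Downloads"
  dl3="$db/2011-05-03-110000/Macintosh HD/Users/harry/Downloads"
  echo "clean document" > "$dl1/notes.txt"
  ln "$dl1/notes.txt" "$dl2/notes.txt"
  ln "$dl1/notes.txt" "$dl3/notes.txt"
  # The download first appears in the second snapshot and is carried forward.
  echo "constructed stand-in for an unwanted installer" > "$dl2/suspect-installer.pkg"
  ln "$dl2/suspect-installer.pkg" "$dl3/suspect-installer.pkg"
  printf '%s\n' "$db"
}

# Step 1 by hand: print every snapshot under DB ($1) that contains REL ($2).
snapshots_containing() {
  for snap in "$1"/????-??-??-??????; do
    [ -d "$snap" ] || continue
    [ -e "$snap/$2" ] && basename "$snap"
  done
  return 0
}

# Every directory entry under DB ($1) for FILE ($2). Removing one leaves the
# rest, so the data is only gone once every snapshot that links it is deleted.
links_to() {
  find "$1" -type f -samefile "$2" | sort
}

# Snapshots under DB ($1) stamped at or after CUTOFF ($2); the
# YYYY-MM-DD-HHMMSS names compare correctly as plain strings.
snapshots_since() {
  for snap in "$1"/????-??-??-??????; do
    [ -d "$snap" ] || continue
    name=$(basename "$snap")
    if expr "$name" \>= "$2" >/dev/null; then printf '%s\n' "$name"; fi
  done
  return 0
}

# Step 2: remove whole snapshots from CUTOFF on. rm -rf is fine on this mock;
# on a real volume use Time Machine's "Delete Backup" menu item (or, on
# OS X 10.7 and later, sudo tmutil delete <snapshot path>) so the backup
# database stays consistent.
delete_snapshots() {
  snapshots_since "$1" "$2" | while read -r name; do
    rm -rf "$1/$name"
  done
}

# Demo run; nothing outside the temp directory is touched.
demo_dir=$(mktemp -d)
demo_db=$(make_mock_backupdb "$demo_dir")
echo "Snapshots holding the suspect download:"
snapshots_containing "$demo_db" "$BAD_REL"
echo "Hard links to it (one per snapshot that carried it forward):"
links_to "$demo_db" "$demo_db/2011-05-02-100000/$BAD_REL"
delete_snapshots "$demo_db" 2011-05-02-000000
echo "Copies left after deleting snapshots from 2011-05-02 on: $(find "$demo_db" -name suspect-installer.pkg | wc -l | tr -d ' ')"
rm -rf "$demo_dir"
```

On a real backup disk the same three functions apply with `DB` set to `/Volumes/<backup disk>/Backups.backupdb/<computer name>`, but only run the listing functions there; let Time Machine itself do the deleting, since removing snapshot folders behind its back can confuse its bookkeeping.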
