Solved

Backup or Viral scan first, is there a rule

Posted on 2002-05-07
Last Modified: 2013-12-28
I'm the Defendant in a Small Claims trial against me and my one man only PC Consulting firm. I had a client who was illiterate & starting up a business and wanted her laptop evaluated to see if it would work well on a LAN, etc. There were to be many visits and I was going to do a backup but she had only a floppy drive, 50 Megs of data but no disks. So I was to come back, she was to buy an external Zip Drive and was going to update her Antivirus program on my advice (two-year-old NAV). I left and she did a little too much on her own, she scanned for viruses, three were found, had them "Deleted" and then sadly she could no longer reboot. I am reading from page 2 of the site of ACR, a data recovery company, where they mention this as a common situation…

http://www.data-recovery-software.com/bp.htm

“…a virus has infected the boot sector and partition table, while leaving the rest of the file system intact. Many times, the individual who is sending us a hard drive for data recovery services, already knows a virus existed but had run an anti-virus program and now cannot access the hard drive. This is because in order for the anti-virus software to remove the virus, it had to remove part of the boot sector or partition table.”

Her Expert Witness says there is an industry standard that you should always backup first but I can't find anything on that and wanted your opinion. It may not matter too much because she chose to lie and says this never happened, what happened she says is I left her with MS Defrag running, it finished, she shut down. Then next session on reboot,… nothing. So what does anyone think? Their Expert also says MS Defrag is very risky and that is what corrupted her partition tables.
Thanks for any input.
200 for the best answer!
Question by:winsleuth
25 Comments
 
LVL 1

Author Comment

by:winsleuth
ID: 6995237
I need to know soon. I just need to know if there is some industry standard or to get something official that says how one decides.
0
 
 
LVL 17

Expert Comment

by:Wakeup
ID: 6995275
"Her Expert Witness says there is an industry standard that you should always backup first but I can't
find anything on that and wanted your opinion."

Well, backing up systems before you make any changes is always good.  If you know you have a virus, then that is something that should not be backed up, but if you don't know what is or is not a virus there really is not much you can do.  As far as I am concerned although I am not an expert by any means.  But what is important is that she had a virus.  I don't know what kind of issues there are.  And I don't know how you are protecting yourself from that when you take on jobs like that.  First off what I usually do when I work with my clients is to always first and foremost say that their data is never under guarantee.  And that they should back that up if they want.

"It may not matter too much because she chose to lie
and says this never happened, what happened she says is I left her with MS Defrag running, it finished,
she shut down. Then next session on reboot,… nothing. So what does anyone think."

Did you at any time tell her to defrag it?  or did you defrag it for her?  etc etc...

"Their Expert also says MS Defrag is very risky and that is what corrupted her partition tables."

Are we sure and how does he know and how can he verify that?  What happens when you turn the laptop on?
Do you have any contracts that she signed or any invoices etc?  If not next time I would suggest you look into getting some info on Warranty and guarantee especially on software and hardware.

I don't know how you can protect yourself but if you can prove anything on your part that software is never under guarantee by you....and also show claims that even at other computer companies or stores or whatever claim to not guarantee software etc.  That is probably your only basis, unless you guaranteed her something about her software.


0
 
LVL 4

Expert Comment

by:EricWestbo
ID: 6995284
I won't go to court on this, but MS Defrag can cause problems if the system is shut down during defragmentation; however, unless your client took it upon herself to do so, it wouldn't normally do it on its own.

However, it sounds like this was a boot sector virus that brought the system down when she deleted the infected file.  This is, in some cases, recoverable.

For more information:

To rewrite the master boot record:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q69013


hope this helps

/ew
0
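The point raised above about boot-sector viruses and partition tables, as an added example that is not part of the original thread: a copy of sector 0 saved before any cleaning shows exactly what a disinfection removed. The sample sector and all function names here are constructed for illustration.

```python
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 446      # four 16-byte partition entries start here
SIGNATURE_OFFSET = 510  # a valid MBR ends with the bytes 0x55 0xAA


def parse_mbr(sector: bytes) -> dict:
    """Return the boot-signature status and the non-empty partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    partitions = []
    for index in range(4):
        start = TABLE_OFFSET + 16 * index
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba_start, count = struct.unpack(
            "<B3xB3xII", sector[start:start + 16])
        if ptype != 0:  # type 0 marks an unused slot
            partitions.append({"index": index, "active": status == 0x80,
                               "type": ptype, "lba_start": lba_start,
                               "sectors": count})
    return {"signature_ok": sector[SIGNATURE_OFFSET:] == b"\x55\xaa",
            "partitions": partitions}


def compare_to_backup(backup: bytes, current: bytes) -> list:
    """List what the current sector 0 has lost relative to the saved copy."""
    before, after = parse_mbr(backup), parse_mbr(current)
    findings = []
    if before["signature_ok"] and not after["signature_ok"]:
        findings.append("boot signature 55 AA missing")
    for part in before["partitions"]:
        if part not in after["partitions"]:
            findings.append(f"partition entry {part['index']} lost or changed")
    if backup[:TABLE_OFFSET] != current[:TABLE_OFFSET]:
        findings.append("boot code differs")
    return findings


def constructed_sample() -> bytes:
    """Constructed sector 0: one active FAT32 (type 0x0B) partition at LBA 63."""
    sector = bytearray(SECTOR_SIZE)
    sector[:4] = b"\xfa\x33\xc0\x8e"  # stand-in bytes, not real boot code
    sector[TABLE_OFFSET:TABLE_OFFSET + 16] = struct.pack(
        "<B3sB3sII", 0x80, b"\x01\x01\x00", 0x0B, b"\xfe\xff\xff", 63, 4192902)
    sector[SIGNATURE_OFFSET:] = b"\x55\xaa"
    return bytes(sector)


def table_wiped(sector: bytes) -> bytes:
    """Constructed 'after' state: partition table zeroed, the rest untouched."""
    return sector[:TABLE_OFFSET] + bytes(64) + sector[SIGNATURE_OFFSET:]
```

In practice the `backup` bytes would come from an image of the first sector saved before the scan, and `current` from the same sector read afterwards.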
 
LVL 22

Expert Comment

by:cookre
ID: 6995441
There is no such standard. Some folks do and some folks don't.

In any case, that's really a mis-direction on their part.

This will likely end up with the judge deciding which of you is most believable.

1) The best piece of evidence is the laptop itself.  If it is still in the same state, it may not be bootable, but the file and directory data areas are probably still intact (along with a goodly portion of the FATs) and would show whether or not the alleged dfrag completed successfully.  

2) Unless you can be portrayed as an utterly incompetent buffoon, you can stress that there IS a standard that all but the most foolhardy always follow - never defrag a marginal box without backing up first.  After all, a defrag serves no purpose other than a possible improvement in performance and has nothing whatsoever to do with virus cleaning.

3) You were not in possession of the laptop when it became damaged.  
0
 
LVL 41

Expert Comment

by:stevenlewis
ID: 6995493
She should have had a regular backup routine.  The "industry standard" is to perform regular backups, both differential and incremental, with a total backup once a week.
Her failure to do so is her fault.
Hell, when you take a machine into a shop, usually they just format and reload the OS (cheaper and easier for them and the client).
Also she got the virus, and failed to keep her antivirus definitions up to date, again her fault. I would consider a counter suit, for wasting your valuable time, and damaging your reputation.
0
 
LVL 1

Author Comment

by:winsleuth
ID: 6995511
I think cookre's #3 hits it on the head. I am confident about the order not, the laptop, which was completely restored by Ontrack has no defrag log left. I agree that defrag, any defragger, if stopped while writing can damage some files and may even prevent reboot but MS keeps putting it on EVERY OS. It does serve another purpose, if you can't get thru a defrag, your drive needs work. If not past 4% you have some frags out there. It will stop and warn of bad spots too. I use Speedisk with verify on. One thing I never learned about MS defrag is does it do a verify. As slow as it is it must. In 13 years and 100's of PC MS Defrag never caused me a lick of trouble.

I have emails showing I was researching and getting answers back from McAfee and the like. I just hope now that they will be admissible.

Dave
0
 
LVL 17

Expert Comment

by:Wakeup
ID: 6995642
Dave,

Also the CIH virus, could cause the laptop to not boot.  Generally this virus hits on the 26th of April or so.....I don't think she got hit with that...but it is a good possibility...
0
 
 
LVL 4

Expert Comment

by:tituba2
ID: 6996378
Don't know about industry standard - but it is best practices to backup data and the registry before proceeding with extensive work.  However, there isn't one technical support person that hasn't forged ahead and then did a "woulda coulda shoulda".  We all know better yet sometimes we all make mistakes.  And we've all had users that take it upon themselves to "help".  I've got one customer that dropped her laptop and told me in all seriousness that "these things were meant to be dropped".

While we all feel very bad for your situation, I thank you for posting.  It is a wake up call to all of us doing work outside that we should have users sign waivers constructed by a lawyer to protect us from lawsuits.  Makes for an awkward few moments, but hey, better than what you are going through.

Do post back and let us know how it went for you.
0
 
LVL 41

Expert Comment

by:stevenlewis
ID: 6997700
winsleuth, one thing I don't understand, if when you left it was running defrag, and then she rebooted and it wouldn't reboot, when did she update her Norton, and when did she scan and find the virus?
0
 
LVL 1

Author Comment

by:winsleuth
ID: 6997844
That is the catch of course. She is lying ?sp about it not rebooting. She called me the next day, said it was fine, defrag finished, she connected to AOL, DL'd NAV updates, scanned, found three viruses, chose Delete, and then she couldn't reboot. Of course she doesn't want the judge to know that. Last night I found emails I had sent off to most the major antiviral Co's back then asking about this kind of virus so if admissible, I am in luck. Also I have a return receipt only from AOL with the subject Virus. That should help. This court crap is tedious and exhausting. This all happened almost 2 years ago now and the trial just started!!!
0

 
LVL 41

Expert Comment

by:stevenlewis
ID: 6997855
Well good luck to you. Stand up for all of us IT folks, and thanks for the reminder to get waivers signed (too bad you had to remind us the hard way).
Keep us informed of the progress.
0
 
LVL 3

Expert Comment

by:pleasenospam
ID: 6998056
When viruses are involved, all bets are off.  I helped a neighbor get rid of SIRCAM
but we were lucky.  Many viruses are much worse.
0
 
LVL 3

Expert Comment

by:pallidin
ID: 7000407
According to the law, unless you have "specifically" stated that your maintenance agreement with the client includes your involvement with updating and running anti-virus programs, the responsibility lies with the client to do this. "A mechanic can fix your car, but you must pump the gas."
0
 
LVL 4

Expert Comment

by:EricWestbo
ID: 7000466
winsleuth...

y'know, the data on this lady's PC can very well be recoverable if sent to a 3rd party... and if any of the files on the HD post-date the day she claimed you "left defrag running" her case would fall apart.

just a thought

/ew
0
 
LVL 1

Author Comment

by:winsleuth
ID: 7001128
Thanks, I agree, unfortunately unless I subpoena more records from her {yes, she sent it out to Ontrack on my advisement}. She got everything back about $2500 later so that is why she is suing me. The case is half over, they have rested and thankfully I have some more time to prepare my defense. Best thing going for me now since she is denying any knowledge of a virus is that I have an AOL Receipt that shows she read an email sent by me two days after the computer had supposedly crashed. Now it could have been she was running off another PC but I suspect this was during the session when she updated her definitions on her own, scanned and found three, had them deleted, then bye bye FAT's, etc. I have to be very careful in questioning her. At a minimum it will show the judge I was emailing her about viruses and she is saying my running defrag killed her PC. I may have a Perry Mason moment coming though, I can't wait!
Dave
0
 
LVL 13

Expert Comment

by:gonzal13
ID: 7003860
Just a comment, one normally runs scandisk first to avoid defrag from tagging good sectors as bad.
0
 
LVL 1

Author Comment

by:winsleuth
ID: 7004631
about this...
"Just a comment, one normally runs scandisk first to avoid defrag from tagging good sectors as bad."

Could you rephrase that since I am not getting your meaning. I mentioned to someone earlier, I guess it wasn't here, that I never knew if MS Defrag does a verify. I have noticed that it won't go past 4% and actually start defragging since I think it runs at least a subset of scandisk and if file fragments are found it stops and suggests you run scandisk. Also I have seen it have problems further along rarely and give an error suggesting you may have a bad sector. I use Speedisk with verify on and never have problems with that but my question to anyone out there is...

Does MS Defrag do a verify after relocating each block of data? I thought it interesting that what appears to be Diskeeper by Executive systems is now used in Windows XP.
Dave
0
 
LVL 3

Expert Comment

by:pallidin
ID: 7009624
Hmmm....

First, it IS an industry "standard" to back up prior to significant change. This is mostly due to the fact that "significant" changes often involve some type of change to the Windows Registry, which clearly states that a back up should be performed prior to the change. But, since nearly everything one does on the computer affects the registry, I suppose it's a matter of interpretation as to how far that rule should be extended.

Secondly, it is also an industry standard to run Scandisk and Defrag on a regular basis dependent on computer usage. As such, you are at no fault per se, because that IS a standard. However, a "thorough" Scandisk should be run prior to Defrag, else Defrag may, in its process of moving files around, place a critical file on a bad area of a hard drive that Scandisk (thorough option) would have otherwise previously "locked-out".

Third, the 3 virii likely created the ground work for the eventual problem, which you had NOTHING to do with in regards to her getting them.
So, her arguments are a little lame, because it's like saying that "a firefighter helping a World Trade Center victim out of the burning building slips on the floor of a darkened room and is responsible for her further injuries"
That statement is absurd in context, because he slipped on a condition (the slippery floor and darkened room) created by the acts of the terrorists (the virii).
No judge in the world would convict him of malicious intent or negligent culpability. My point here being that a virus caused the ground work for the problem, and remedial efforts slipped. So what!!! It happens!! Why is she blaming you!!! Instead, the blame surely should rest on her not keeping up to date with her virus scanner to prevent, not disinfect, her system.
Personally, I would have nothing further to do with this woman after the court hassle.
0
 
LVL 1

Author Comment

by:winsleuth
ID: 7009933
I have gotten most the ammo I need to present my defense June 6th but my searches as to what Defrag does, e.g. the first 4% would seem to be a mini chkdsk, I haven't been very successful getting more info. My main question is ...
does Defrag verify each written block, compare it with the original block, before it moves on. As slow as it is, I would think so but unlike Speed Disk there is no way to turn such a feature on or off. From your answer mentioning writing to a bad area my guess is you don't think it does. What more do you know? Defrag has never done me any harm in 13 years onsite and at my office and I am a defragaholic. If Defrag were not a better program than most are trying to make it out as, I doubt I would get so few hits when searching "defrag + problems", etc. Though slow, I also believe it avoids more files than most defraggers, making it safer and I can't believe it would lamely write data to a bad area without some level of error checking.
Dave
0
 
LVL 41

Accepted Solution

by:
stevenlewis earned 200 total points
ID: 7009994
Defrag runs a basic scan disk first, and if it sees any errors it will tell you to run scandisk and fix the errors, and it will not proceed. Scandisk will mark clusters bad, and no data will be written to a bad cluster. This is to protect the data integrity.
0
 
LVL 1

Author Comment

by:winsleuth
ID: 7018506
Thanks for sticking with me. I think I can prove there were viruses involved with a return receipt, subject line "Viruses", I got from her after the incident, I guess from another uncrashed PC. The judge should then realize her complete denial of any viral involvement is a lie and so likely is a lot of what she says. But in case that is not enough I will present copious amounts of evidence pertaining to why every drive mfgr, software package, etc. have a disclaimer saying they are not responsible for lost data. Hard drives can crash at anytime sometimes without any warning or obvious cause. Also I will accentuate the fact that her going for even a minute with 50 megs of apparently some very valuable data was completely irresponsible.

My defense of the charges is June 6th, and I'll let you know how it goes.

Dave H
0
 
LVL 41

Expert Comment

by:stevenlewis
ID: 7018527
Dave, yes, please keep us advised of how it goes. We're pulling for ya!
0
 
LVL 1

Author Comment

by:winsleuth
ID: 8516871
Back a little late but the outcome was good and bad. I lost and was ordered to pay a $3300? judgement. Hey, she was a lawyer herself and I am just an honest PC technician and couldn't make an illiterate judge understand. This guy was 60+, gave no slack to a pro se defendant and didn't know a floppy from a flat screen monitor. So you can be sued and lose for a client taking your antiviral advice and on her own time trashing her system with bad decisions. I was not even there. Ontrack supported me the whole way but she kept those records suppressed and basically just trumped me with legal trickery and of course a healthy dose of pure lies. The good news is she has never come after me to get the money. That could be because she got a judgement against my company only and not me as well as was stated in the suit. I don't know why. Just in case I closed the company to start a new one since I won't pay a dime to a criminal lawyer. But thanks to you all for your support.
Dave
0
