Last year I learned a hard lesson: I was hit by ransomware. I thought I was safe because I faithfully backed my data every day to a USB external hard drive. I was devastated to learn that the USB drive data was also clobbered!
I'd like to know that when I receive the message from your software that the device is safe to remove, is my data on that drive still at risk even if I do NOT physically disconnect it? Can malicious software still get to it?
Hi JohnC998,
In theory a malicious software can access your drive's content even when it's safely removed or disabled. First it can return it back the same way as our software does (by restarting the USB hub). But it's not easy since when the device is safely removed there's no way to know it was a disk device. The malware must remember the device unique ID (PnpName) when it was active and then reactivate it by restarting the whole USB hub where the device was connected to.
The other way malware can write data to a "stopped" device it can install an intermediate driver that will make device pretending being stopped (the OS is sending disconnect signal to a device driver, it is intercepted by an intermediate malware driver, the driver reports to the OS the device is stopped but actually it's not and the malware can write data to the drive. However it's even more difficult for malware to implement this way because it must write directly to the drive without using standard filesystem API.
In short it's possible that ransomware write to "stopped" device but I doubt there are or will be such malware. Because it's hard to implement and malware discloses its presence with this activity (reactivation of the drive or blinking drive's led when it must be off).
My main reason for asking is that I'm trying to reduce HDD power cycles. I believe I will get longer device life by leaving it on all the time. With my backup scheme, I believe that I can leave the device powered up.