
When accessioning born-digital materials, what actions should I take after discovering virus-contaminated materials?

+1 vote
asked Jul 23, 2014 by chelcie (270 points)

3 Answers

+1 vote

From #digpres14:

1 - There is an automated stop to the process. It doesn't continue to move through the system, so the preservation environment remains clean. You go back to the source and request to get another copy that is clean.
2 - It may be possible to view this material on a throwaway computer to see what is happening. From this experience, you can decide better what to do.
3 - Is the virus a critical part of the environment that you want to maintain? A computer science researcher who studies viruses will presumably have viruses on his machine. In preserving his work environment, do you want to keep his copies? Store them in a secured partition? Are there other things you can do? Especially if the viruses are older, are they actually dangerous anymore?
answered Jul 23, 2014 by SpencerGoodwin (450 points)
+1 vote
That's probably a policy decision for an individual institution. There are a few basic choices: discard them, fix them yourself if possible (and document this), or ask the donor to supply a clean copy. In some circumstances you might even accession them as they stand.

Our basic policy would be to ask the originating government department to supply a clean copy (and ask some questions about why the contamination hadn't been discovered previously).

The most likely situation where you'd actually accession the material is in the form of web archives where the WARC file is a pretty inert container, and the prevalence of viruses and malware on the open web might actually be of interest to future researchers (though obviously you'd also have to make it clear to users of the collection that such material may be present).

Of course a basic rule is to think very carefully about the environment in which you handle new material in order to reduce the risk to your general corporate infrastructure (and be aware that you may even be the subject of deliberate attack).
answered Jul 23, 2014 by DavidUnderdown (790 points)
0 votes
The answer to this will be slightly different if you are working with removable media and you are creating forensic disk images as part of your workflow. In that case, you don't have to necessarily do anything immediately, as the virus won't execute unless you mount the disk image. Therefore, depending on your workflow, it may be that all you do at the actual time of discovery is record the fact that you discovered it.
answered Jul 31, 2014 by ChristiePeterson (580 points)