Exactly right on the mark, Laura. THAT is security 101. If a box has been compromised, it is no longer yours and should not be trusted.
Modern malware is now dollar-driven and extremely motivated. The initial infection vector is rarely the entire compromise, and the secondary infections are built to last. Notice that it is infections, and not infection. The attacker seeks out a crack in your defenses and places as many ways back in as possible, assuming that you will eventually find them out and patch what you can detect. They have the same intel or better than most of us do. We all know that one detection program will find most malware, but not all.

I perform incident response daily, and the first rule of thumb is to "get 'em back in business". Re-imaging takes 20-30 minutes. The first rule of security is to understand your attacker, so before I get 'em back in business, I take a forensic image of the system whenever possible. That generally takes an hour. My SLA is to have them back in business the same or next day, depending on the criticality of the system and the availability of a temp system. The trouble ticket closes when the system is restored to functional, but the investigation stays open until I am satisfied that I have learned all that I can learn from the compromised box(es).

Cheers,
Mark

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Geekwench
Sent: Wednesday, March 19, 2008 4:36 PM
To: Mike Moratz-Coppins; [email protected]
Subject: Re: Compromised WinXP box prob

> Of course it is a case of picking the right time to close the
> investigation and to correct the overall problem the quick way, but I am
> sure that everyone on this list used to use an OS reinstall as the answer
> to their problems more often than they do now.

Actually, I think you'll find that a significant portion of the people on this list use an OS reinstall *more* often than they did in the past, not less. If a forensic analysis is needed, that's one thing, but most of the people on this list would sooner reinstall than try to repair a compromised system.

That's Security 101: if your system is compromised, it cannot be trusted and you cannot be absolutely certain that you've completely remediated whatever was done to it; therefore, a reinstall is pretty much a given.

Laura
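The "image first, then re-image" step Mark describes, as an added shell example that is not part of the list thread: it takes a bit-for-bit copy of a source with dd, records the hashes of source and image so the copy can later be shown to match, and re-checks the image before analysis. The sample source file, the temporary paths and the log format are constructed for the demo; it assumes a Linux-style environment with dd and sha256sum available.

```shell
#!/bin/sh
# Added example, not code from the thread. Acquire a verifiable image of a
# source before the box is wiped and put back in business.

# acquire_image SOURCE IMAGE LOG
# Copies SOURCE to IMAGE block by block, hashes both, and appends a record to
# LOG. Returns 0 when the image hash equals the source hash, 1 otherwise.
acquire_image() {
    src="$1"; img="$2"; log="$3"
    # conv=noerror,sync keeps reading past bad blocks and pads them with zeros
    # so later offsets stay correct; bs must equal the sector size (512 here)
    # or the padding of the final block would change the image length.
    # dd's own record counts go to the log as acquisition metadata.
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>>"$log"
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    img_hash=$(sha256sum "$img" | cut -d' ' -f1)
    printf '%s source=%s image=%s sha256_src=%s sha256_img=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$src" "$img" "$src_hash" "$img_hash" >> "$log"
    [ "$src_hash" = "$img_hash" ]
}

# verify_image IMAGE LOG
# Re-hashes IMAGE (for example just before analysis) and compares it with the
# hash recorded at acquisition time. Returns 0 if the image is unchanged.
verify_image() {
    img="$1"; log="$2"
    recorded=$(grep -F " image=$img " "$log" | tail -n 1 | sed 's/.*sha256_img=//')
    current=$(sha256sum "$img" | cut -d' ' -f1)
    [ -n "$recorded" ] && [ "$recorded" = "$current" ]
}

# Demo on a constructed 2048-byte "device" (a multiple of the 512-byte bs).
demo_dir=$(mktemp -d)
head -c 2048 /dev/urandom > "$demo_dir/evidence.bin"
if acquire_image "$demo_dir/evidence.bin" "$demo_dir/evidence.dd" "$demo_dir/acquisition.log"; then
    echo "image acquired and hash matches source"
fi
if verify_image "$demo_dir/evidence.dd" "$demo_dir/acquisition.log"; then
    echo "image unchanged since acquisition"
fi
```

The log keeps both hashes alongside the dd record counts, so anyone picking up the investigation later can show the image still matches what was taken before the system was restored.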
