Compromise Detection, Blocking and Removal Methodology

Last updated: 12 Mar 2008

Basic Steps

The steps should be taken only if you are not keeping evidence for criminal prosecution and you need to keep the system up as long as possible.

• If you must retain evidence, follow proven procedures for computer forensic analysis.
• If you can shut down the system or block network access at some point, do it as soon as possible to prevent further compromises, perform offline analyses to determine the vector(s), then re-install the OS with something in place to block the vector(s).

1. Detect.
2. Block.
3. Remove.

Detect

1. Detect anomalies
2. Assess the physical environment
3. Record open network ports as seen from outside
4. Remotely investigate computer (Windows)
5. Locally investigate computer (Windows)

Block

The vector from which the malware came needs to be blocked, and the attack surface needs to be minimized.

1. Update Software
2. Disable Unnecessary Services
3. Strengthen Passwords
4. Limit Privileges
5. Limit Services
6. Setup Host Firewall
7. Enable Audits

Remove

Any payload that the malware deposited needs to be rendered ineffective so it can't re-infect, perform its function, or further harm the system.

1. Disable Suspicious Services
2. Kill Suspicious Processes
3. Remove Suspicious Files
4. Remove Suspicious Autoruns
5. Remove Suspicious Scheduled Tasks