Compromise Detection, Blocking and Removal Methodology

Last updated: 12 Mar 2008

Basic Steps

These steps should be taken only if you are not preserving evidence for criminal prosecution and you need to keep the system up for as long as possible.

  1. Detect.
  2. Block.
  3. Remove.

Detect

  1. Detect anomalies
  2. Assess the physical environment
  3. Record open network ports as seen from outside
  4. Remotely investigate computer (Windows)
  5. Locally investigate computer (Windows)
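The Detect steps above, as an added PowerShell example that is not part of the original page: one function takes a triage snapshot of a Windows host (listening ports joined to their owning process, services, Run-key autoruns, scheduled tasks), either locally or over WinRM for the remote case, and a second function diffs that snapshot against a baseline taken while the host was known good. Cmdlet names are real (PowerShell 5.1 on Windows); the file names and the host name in the usage comments are constructed placeholders. The externally visible port list still comes from a scan run on another machine; a port open from outside that no local listener accounts for is itself an anomaly worth recording.

```powershell
# Added example (not from the original page): triage snapshot of a Windows host
# and diff against a known-good baseline. Requires PowerShell 5.1+ on Windows.

function Get-TriageSnapshot {
    # Listening TCP ports joined to the owning process (the local view; compare
    # it against the port list recorded from outside).
    $procs = Get-CimInstance Win32_Process |
        Select-Object ProcessId, Name, ExecutablePath, CommandLine
    $procById = @{}
    foreach ($p in $procs) { $procById[[int]$p.ProcessId] = $p }

    $listeners = Get-NetTCPConnection -State Listen | ForEach-Object {
        $owner = $procById[[int]$_.OwningProcess]
        [pscustomobject]@{
            Address = $_.LocalAddress
            Port    = $_.LocalPort
            Pid     = $_.OwningProcess
            Process = $owner.Name
            Path    = $owner.ExecutablePath
        }
    }

    # Services, Run keys and scheduled tasks are where a payload persists.
    $services = Get-CimInstance Win32_Service |
        Select-Object Name, State, StartMode, PathName, StartName

    $runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $autoruns = foreach ($k in $runKeys) {
        if (Test-Path $k) {
            $props = (Get-ItemProperty $k).PSObject.Properties |
                Where-Object { $_.Name -notin 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider' }
            foreach ($p in $props) {
                [pscustomobject]@{ Key = $k; Name = $p.Name; Command = $p.Value }
            }
        }
    }

    $tasks = Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' } | ForEach-Object {
        [pscustomobject]@{
            Path    = $_.TaskPath + $_.TaskName
            Actions = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join ' ; '
            RunAs   = $_.Principal.UserId
        }
    }

    [pscustomobject]@{
        Host      = $env:COMPUTERNAME
        Taken     = (Get-Date).ToString('o')
        Listeners = $listeners
        Services  = $services
        Autoruns  = $autoruns
        Tasks     = $tasks
        Processes = $procs
    }
}

function Compare-TriageSnapshot {
    param(
        [Parameter(Mandatory)] $Baseline,   # snapshot taken while the host was known good
        [Parameter(Mandatory)] $Current
    )
    # Anything present now but absent from the baseline is the starting point
    # for the "detect anomalies" step.
    $key = {
        param($o, $section)
        switch ($section) {
            'Listeners' { "$($o.Address):$($o.Port) $($o.Process) $($o.Path)" }
            'Services'  { "$($o.Name) $($o.PathName)" }
            'Autoruns'  { "$($o.Key)\$($o.Name) = $($o.Command)" }
            'Tasks'     { "$($o.Path) -> $($o.Actions)" }
        }
    }
    foreach ($section in 'Listeners','Services','Autoruns','Tasks') {
        $known = @($Baseline.$section | ForEach-Object { & $key $_ $section })
        foreach ($o in $Current.$section) {
            $k = & $key $o $section
            if ($k -notin $known) {
                [pscustomobject]@{ Section = $section; New = $k }
            }
        }
    }
}

# Usage (file and host names are constructed):
#   Local baseline:  Get-TriageSnapshot | ConvertTo-Json -Depth 5 | Set-Content baseline.json
#   Remote (WinRM):  Invoke-Command -ComputerName SERVER01 -ScriptBlock ${function:Get-TriageSnapshot}
#   Diff:            Compare-TriageSnapshot -Baseline (Get-Content baseline.json | ConvertFrom-Json) -Current (Get-TriageSnapshot)
```

The snapshot is written to JSON so that the baseline can be kept off the host; when the host is later suspected, the diff lists only new listeners, services, autoruns and tasks, which keeps the investigator's attention on what changed rather than on the whole system.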

Block

The vector from which the malware came needs to be blocked, and the attack surface needs to be minimized.

  1. Update Software
  2. Disable Unnecessary Services
  3. Strengthen Passwords
  4. Limit Privileges
  5. Limit Services
  6. Set Up Host Firewall
  7. Enable Audits
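The Block steps 2 through 7 above, as an added PowerShell example that is not part of the original page. The service names, port numbers, password-policy values and the administrator allow-list are constructed placeholders to be reviewed against the host's actual role before running; the cmdlets, the net accounts switches, the auditpol subcategories and the ProcessCreationIncludeCmdLine_Enabled registry value are real. Step 1 (software updates) is left to Windows Update or WSUS and is not scripted here. Run from an elevated session on Windows with PowerShell 5.1 or later.

```powershell
# Added example (not from the original page): applying the Block steps on a
# Windows host. All lists and numbers below are constructed; adjust to policy.

# 2/5. Disable and stop services the host does not need (constructed list).
$unneededServices = 'RemoteRegistry', 'SSDPSRV', 'upnphost'
foreach ($svc in $unneededServices) {
    if (Get-Service -Name $svc -ErrorAction SilentlyContinue) {
        Stop-Service -Name $svc -Force -ErrorAction SilentlyContinue
        Set-Service  -Name $svc -StartupType Disabled
    }
}

# 3. Strengthen passwords: local account policy minimums (values assumed).
net accounts /minpwlen:14 /maxpwage:90 /lockoutthreshold:10

# 4. Limit privileges: remove local Administrators not on the approved list.
# Get-LocalGroupMember reports names as MACHINE\user or DOMAIN\user.
$approvedAdmins = @("$env:COMPUTERNAME\Administrator", "$env:COMPUTERNAME\itadmin")  # constructed
foreach ($m in Get-LocalGroupMember -Group 'Administrators') {
    if ($m.Name -notin $approvedAdmins) {
        Remove-LocalGroupMember -Group 'Administrators' -Member $m.Name
        "Removed $($m.Name) from Administrators"
    }
}

# 6. Host firewall: default-deny inbound on every profile, allow only the
# ports this host actually serves, and log what gets dropped so the Detect
# step has a record to read.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow `
    -LogBlocked True -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

$allowedInbound = @{ 'Allow HTTPS in' = 443 }   # constructed allow-list
foreach ($name in $allowedInbound.Keys) {
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
            -LocalPort $allowedInbound[$name] -Action Allow | Out-Null
    }
}

# 7. Enable audits for logons, process starts, service installs (4697) and
# scheduled task creation (4698), and include the command line in 4688.
auditpol /set /subcategory:"Logon" /success:enable /failure:enable
auditpol /set /subcategory:"Process Creation" /success:enable
auditpol /set /subcategory:"Security System Extension" /success:enable
auditpol /set /subcategory:"Other Object Access Events" /success:enable

$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
New-Item -Path $auditKey -Force | Out-Null
Set-ItemProperty -Path $auditKey -Name 'ProcessCreationIncludeCmdLine_Enabled' -Value 1 -Type DWord
```

The firewall is set to default-deny with an explicit allow-list rather than to a list of blocked ports, because a block-list leaves every port the list author did not think of open; the audit settings are chosen so that a reinstalled service, a new scheduled task or a new process shows up in the Security log during the Detect step.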

Remove

Any payload that the malware deposited needs to be rendered ineffective so that it cannot re-infect the system, perform its function, or cause further harm.

  1. Disable Suspicious Services
  2. Kill Suspicious Processes
  3. Remove Suspicious Files
  4. Remove Suspicious Autoruns
  5. Remove Suspicious Scheduled Tasks
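The five Remove steps above, as an added PowerShell example that is not part of the original page. One function takes the path of a suspicious binary and any service names known to launch it, then disables the services, kills the processes, strips the Run-key entries and scheduled tasks that point at the file, and finally quarantines the file. The file is handled last rather than third because a running process keeps its image locked, and it is moved and hashed rather than deleted so it remains available for analysis. The payload path, service name and quarantine folder are constructed placeholders; run from an elevated session on Windows with PowerShell 5.1 or later.

```powershell
# Added example (not from the original page): removing one payload in an order
# that does not leave a restart path open. Path and service names are constructed.

function Remove-Payload {
    param(
        [Parameter(Mandatory)] [string] $PayloadPath,     # constructed, e.g. C:\Users\Public\updater.exe
        [string[]] $ServiceNames = @(),                     # services known to launch the payload
        [string]   $Quarantine   = 'C:\Quarantine'          # assumption: local quarantine folder
    )
    $report = [ordered]@{ Services = @(); Processes = @(); Autoruns = @(); Tasks = @(); File = $null }

    # 1. Disable suspicious services: the named ones plus any whose binary is the payload.
    #    Stopping the service first keeps the service control manager from
    #    restarting the process killed in the next step.
    $svcs = Get-CimInstance Win32_Service | Where-Object {
        $_.Name -in $ServiceNames -or ($_.PathName -and $_.PathName -like "*$PayloadPath*")
    }
    foreach ($s in $svcs) {
        Stop-Service -Name $s.Name -Force -ErrorAction SilentlyContinue
        Set-Service  -Name $s.Name -StartupType Disabled
        $report.Services += $s.Name
    }

    # 2. Kill every process running from that path.
    Get-CimInstance Win32_Process | Where-Object { $_.ExecutablePath -eq $PayloadPath } | ForEach-Object {
        Stop-Process -Id $_.ProcessId -Force -ErrorAction SilentlyContinue
        $report.Processes += $_.ProcessId
    }

    # 4. Remove autoruns whose command references the payload.
    $runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    foreach ($k in ($runKeys | Where-Object { Test-Path $_ })) {
        $props = (Get-ItemProperty $k).PSObject.Properties |
            Where-Object { $_.Name -notin 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider' }
        foreach ($p in $props) {
            if ("$($p.Value)" -like "*$PayloadPath*") {
                Remove-ItemProperty -Path $k -Name $p.Name
                $report.Autoruns += "$k\$($p.Name)"
            }
        }
    }

    # 5. Remove scheduled tasks whose actions execute the payload.
    foreach ($task in Get-ScheduledTask) {
        $hits = $task.Actions | Where-Object { "$($_.Execute) $($_.Arguments)" -like "*$PayloadPath*" }
        if ($hits) {
            Unregister-ScheduledTask -TaskName $task.TaskName -TaskPath $task.TaskPath -Confirm:$false
            $report.Tasks += ($task.TaskPath + $task.TaskName)
        }
    }

    # 3. Quarantine the file last, now that nothing holds it open: record its
    #    hash, then move it under a non-executable name.
    if (Test-Path $PayloadPath) {
        New-Item -ItemType Directory -Path $Quarantine -Force | Out-Null
        $hash = (Get-FileHash -Path $PayloadPath -Algorithm SHA256).Hash
        $dest = Join-Path $Quarantine "$hash.bin"
        Move-Item -Path $PayloadPath -Destination $dest -Force
        $report.File = [pscustomobject]@{ Original = $PayloadPath; Sha256 = $hash; QuarantinedAs = $dest }
    }

    [pscustomobject]$report
}

# Usage (constructed path and service name):
#   Remove-Payload -PayloadPath 'C:\Users\Public\updater.exe' -ServiceNames 'UpdSvc' | Format-List
```

The returned report lists every service, process, Run-key entry and task that was touched, so the same host can be re-checked afterwards with the Detect step to confirm nothing restarted and no second persistence mechanism was missed.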