Compromised Computer Procedures

ITS General Response Procedures for Compromised Computers

Below is a summary of the steps ITS staff are to follow when responding to a compromised computer. Detailed procedures for each step are available in IT Request tech-only KB #15998.
Note: A computer with no restricted data that has quarantined a virus is NOT considered to be compromised.

Summary:

  1. A compromised machine is reported/detected
  2. Disconnect machine from network unless IT Security has said not to
  3. Create ticket & do restricted data check
  4. Scramble/Change passwords
  5. Refer incidents involving restricted data or machines in the Data Center to IT Security
  6. Rebuild machine and harden system
  7. Do AV scan – for workstations and applicable servers
  8. Reconnect machine to network
  9. Assist client with changing passwords, if necessary
  10. User education
  11. If possible, check other systems on the same subnet for signs of compromise
  12. Resolve the original ticket
  13. Delete old data

Also included:

  • Additional procedures for major outbreaks
  • Links to related IT Request KBs and procedures

Rev. 10/26/12