Compromised Computer Procedures
ITS General Response Procedures for Compromised Computers
Below is a summary of the steps ITS staff are to follow when responding to a compromised computer. Detailed procedures for each step are available in the IT Request tech-only Knowledge Base (KB) article KB0015998 (login required).
Note: A computer with no restricted data that has quarantined a virus is NOT considered to be compromised.
Summary:
- A compromised machine is reported or detected
- Disconnect the machine from the network unless IT Security has said not to
- Create a ticket and do a restricted data check
- Scramble or change passwords
- Refer incidents involving restricted data or machines in the Data Center to IT Security
- Rebuild machine and harden system
- Do an AV scan – for workstations and applicable servers
- Reconnect the machine to the network
- Assist client with changing passwords, if necessary
- User education
- If possible, check other systems on the same subnet for signs of compromise
- Resolve the original ticket
- Delete old data
Also included:
- Additional procedures for major outbreaks
- Links to related IT Request KBs and procedures
Reviewed Aug 2015