
Recover From a System Compromise


If you haven't already reported the incident, do so now. Work with technical support to contain the system (as outlined in our Protect Evidence article) while you gather and provide incident details to the IT Security Office.

Take steps to protect evidence. If the compromised system may hold sensitive data (confidential, regulated, etc.), do not attempt any of the steps below, nor should you perform a virus or Spider scan, without explicit clearance from the IT Security Office.

The decision to wipe and rebuild a compromised system or attempt to fix it is a complicated one.

  • For compromises involving known, removable agents, such as a specific virus, remediation using automated tools and/or published instructions may be sufficient.
  • For compromises involving multiple or unknown agents, the only way to ensure the system is properly cleaned is to wipe the hard drive of the system and reinstall its operating system, software, and user data (from backups).
  • All passwords used on the affected systems should be changed. Note that for user systems this includes the user's NetID password. Many malware packages have the capability to either steal or crack passwords used on the system they are attacking. The assumption should always be made that any passwords used on a compromised system were themselves compromised.
  • Attempt to verify that the system has been cleaned by requesting a check from the IT Security Office.

About this Article

Last updated: Tuesday, June 20, 2017 - 8:40am
