Skip to main content

Cornell University

Recover From a System Compromise

This article applies to: Security Essentials for IT Professionals

If you haven't already reported the incident, do so now. Work with technical support to contain the system (as outlined in our Protect Evidence article) while you gather and provide incident details to the IT Security Office.

Take steps to protect evidence. If the compromised system may hold sensitive data (confidential, regulated, etc.), do not attempt any of the steps below, nor should you perform a virus or Spider scan without explicit clearance from the IT Security Office.

The decision to wipe and rebuild a compromised system or attempt to fix it is a complicated one.

  • For compromises involving known removable agents, such as a specific virus, remediation using automated tools and/or published instructions may be sufficient.
  • For compromises involving multiple or unknown agents, the only way to ensure the system is properly cleaned is to wipe the hard drive of the system and reinstall its operating system, software, and user data (from backups).
  • All passwords on the affected system should be changed. Note that for user systems, this includes their NetID password. Many malware packages have the capability to either steal or crack passwords used on the system they are attacking. The assumption should always be made that any passwords used on a compromised system were themselves compromised.
  • Attempt to verify that the system has been cleaned by requesting a check from the IT Security Office.


To share feedback about this page or request support, log in with your NetID

At Cornell we value your privacy. To view
our university's privacy practices, including
information use and third parties, visit University Privacy.