2 Replies Latest reply on Apr 27, 2012 3:38 PM by erase*.*

    Detections: When to re-image machine


      I am curious, so I figured I'd start a thread.


      What are people's general criteria as to what to do with machines when you get a detection?


      How do you rate a detection as clean enough to leave the machine there, versus when do you ask your helpdesk to re-image the machine?


      For example, I had a box with the ZeroAccess rootkit, and VSE says it cleaned up, but with rootkits, I generally want the box re-imaged anyway, just in case.


      How are different people handling detections?

        • 1. Re: Detections: When to re-image machine

          I think that depends on the time it takes to re-image a machine and how long the user will be without a machine.

          If the user gets a replacement machine, re-imaging can be started sooner than when it affects the time the user cannot work.

          • 2. Re: Detections: When to re-image machine

            Depends on the status of the detections and the severity of the threat; if the threat was cleaned successfully, I will just keep an eye on the machine for a few days to ensure there are no further detections. Usually I'll kick off full scans remotely on machines that have detections to be on the safe side.


            If a machine continues to report detections and additional hands-on mitigation doesn't eliminate the issues, the machine is reimaged.


            Message was edited by: erase*.* on 4/27/12 3:38:42 PM CDT
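The triage criteria described in this thread (the original poster's rule that a rootkit detection means a rebuild regardless of what the engine reports, and the second reply's watch-for-repeats-then-re-image approach), as an added Python example that is not from the thread or from any vendor tool; the Detection fields, the seven-day watch window, the "hands-on" verdict for an uncleaned detection and the sample events are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Detection:
    host: str
    when: datetime
    threat: str
    category: str   # "rootkit", "trojan", ... (hypothetical field, not a VSE log column)
    cleaned: bool   # True when the engine reported a successful clean/delete

WATCH_WINDOW = timedelta(days=7)   # assumed length of the "keep an eye on it" period

def triage(events, now):
    """Map each host to (verdict, reason): 're-image', 'hands-on', 'monitor' or 'clear'."""
    by_host = {}
    for e in sorted(events, key=lambda e: e.when):
        by_host.setdefault(e.host, []).append(e)
    verdicts = {}
    for host, evs in by_host.items():
        recent = [e for e in evs if now - e.when <= WATCH_WINDOW]
        if any(e.category == "rootkit" for e in evs):
            # Rootkit: the engine's "cleaned" report is not trusted, rebuild regardless.
            verdicts[host] = ("re-image", "rootkit detected")
        elif not recent:
            verdicts[host] = ("clear", "no detections inside the watch window")
        elif not recent[-1].cleaned:
            verdicts[host] = ("hands-on", "latest detection not cleaned by the engine")
        elif len(recent) > 1:
            # Cleaned, but it keeps coming back: the cleanup is not sticking.
            verdicts[host] = ("re-image", f"{len(recent)} detections in {WATCH_WINDOW.days} days")
        else:
            verdicts[host] = ("monitor", "single successful clean; full scan and watch")
    return verdicts

# Constructed sample detections (not real log data); threat names are placeholders.
NOW = datetime(2012, 4, 27, 15, 0)
SAMPLE = [
    Detection("ws-a", NOW - timedelta(days=1), "ZeroAccess", "rootkit", True),
    Detection("ws-b", NOW - timedelta(days=2), "Trojan.sample", "trojan", True),
    Detection("ws-c", NOW - timedelta(days=5), "Trojan.sample", "trojan", True),
    Detection("ws-c", NOW - timedelta(days=1), "Trojan.sample", "trojan", True),
    Detection("ws-d", NOW - timedelta(days=20), "Trojan.sample", "trojan", True),
    Detection("ws-e", NOW - timedelta(hours=3), "Trojan.sample", "trojan", False),
]

if __name__ == "__main__":
    for host, (verdict, reason) in sorted(triage(SAMPLE, NOW).items()):
        print(f"{host}: {verdict} ({reason})")
```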