Score:0

Why not nuke a machine after malware cleanup?


So this is a noob question.

Why do we perform a clean up on a machine that has been infected with malware and not nuke it directly instead? I understand that in some situations this would not be possible (like large DB servers or when we don't have a backup). But many instruction videos and tools are designed for workstations and not large scale servers.

I think my workflow would probably be something like: Clean up machine/Recover files that have not been backed up -> Nuke/reinstall machine -> patch/update/restore backup -> add machine back to the network.

But as I understand it, if possible only the first step "clean up machine" is done as a measure to handle malware. But can we fully trust that all malware has been removed in the "clean up" step? Am I being too paranoid and doing 10x the work that is needed, or do I miss something?

Thank you for your answers.

This is a very opinionated question, which is off topic here. Personally, I'd never try to "clean" a compromised machine without a very good reason.
Score:1

Clean up machine/Recover files that have not been backed up ...

... any or all of which may be compromised. You should only use these files for diagnostic purposes, off-network, to trace the vulnerability that let in the malware. You should not try to rebuild a running system based on them.

Nuke/reinstall machine ... patch/update/restore backup ... add machine back to the network.

This is the generally accepted way to deal with a compromised server, but it potentially takes a long time, and a poorly-worded corporate Recovery Strategy might not allow for it. That's why we get asked to "patch" things back together "quickly", despite the inherent risk of doing so.
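The answer above says the files on the compromised box are useful only as off-network diagnostic material. The step that makes that usable is taking a hash-verified image of the disk before the nuke/reinstall, so the evidence you analyse later is provably the disk you imaged. The script below is an added example (not the answer author's code) of that step. It uses a constructed file in place of a real block device such as /dev/sdb so it runs without root; the function and file names are this example's own.

```shell
#!/bin/sh
# Added example: preserve a hash-verified forensic image of a compromised
# disk before the machine is wiped. Paths and function names are hypothetical.
set -eu

# Print the SHA-256 of a file, using whichever tool the host has.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# image_device SRC DEST
# Copy SRC (a block device, or a file standing in for one) to DEST, then
# hash both and refuse to call the image good unless the hashes match.
# The matching hash is recorded next to the image for later verification.
# On a real disk with bad sectors you would add conv=noerror,sync to dd;
# then only the image hash is meaningful, and the source comparison must be
# dropped and the reason for it written into the case notes.
image_device() {
    src=$1
    dest=$2
    dd if="$src" of="$dest" bs=1M 2>/dev/null
    src_hash=$(hash_file "$src")
    img_hash=$(hash_file "$dest")
    [ "$src_hash" = "$img_hash" ] || return 1
    printf '%s  %s\n' "$img_hash" "$dest" > "$dest.sha256"
}

# verify_image DEST
# Recompute the image hash and compare it with the recorded one. Run this
# before every analysis session and before any file is pulled out of the
# image; a mismatch means the evidence can no longer be trusted.
verify_image() {
    img=$1
    expected=$(cut -d' ' -f1 "$img.sha256")
    actual=$(hash_file "$img")
    [ "$expected" = "$actual" ]
}

# Demonstration on a constructed stand-in for /dev/sdb.
demo() {
    work=$(mktemp -d)
    printf 'constructed: boot sector, filesystem, dropper binary ...\n' > "$work/sdb"
    image_device "$work/sdb" "$work/sdb.img" && echo "image ok: $(cat "$work/sdb.img.sha256")"
    verify_image "$work/sdb.img" && echo "evidence intact, safe to analyse off-network"
    rm -rf "$work"
}

demo
```

Keep the .sha256 file with the image on the analysis host, not on the machine being rebuilt; once the image verifies, the original disk can be wiped and the rebuild started from clean install media and a known-good backup.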

Score:0

"many instruction videos and tools are designed for workstations"

(That should probably read: for home users)

A fair assumption for many home users would be that they don't make (regular) backups and their laptop/pc is their (only) pet. Their time and effort are "free" and their data and files have only become really valuable to them after that malware infection.

On that premise it makes sense that they expend significant effort into making a laptop or PC functional enough to boot properly and usable enough again to access and recover their data and files.

For many home users in such a situation that is already quite the achievement and they're happy now.
End of video.

They either don't know or simply ignore that of course their system isn't "fully repaired" and that data still can't be trusted to be clean.


As a professional you might be getting directions from people that have the worldview of such a home user (i.e. that "repairing" and getting a compromised system back up and running is an almost insurmountable task and always necessary to recover files and data), who believe that you as professional can achieve many things they can't (admittedly correct) and who then (incorrectly) also believe that when YOU make the repairs the compromised system and data can be trusted to be clean again without a re-install.

It is up to the IT department / you to give proper pushback there.

For example in theory (and in reality, right?) you have proper back-ups and/or data replication to meet the RPO and RTO and don't need to recover data from a compromised server for business continuity.

Nuke the compromised system, run your automated installation and configuration scripts, redeploy and be happy.


I think my workflow would probably be something like:
Clean up machine/Recover files that have not been backed up
-> Nuke/reinstall machine
-> patch/update/restore backup
-> add machine back to the network.

It sounds like you're starting to write what in "enterprise jargon" is called an Incident Response Plan.

That is a reasonable start. PhilL W.'s answer already linked to a good resource here on ServerFault, but please be aware that the incident response plan is not only written by and for a system administrator; it should also be supported by your business. The decisions there are closely related to your disaster recovery plan, where data backup and recovery (RPO and RTO) are often decided.
