iso27diy-corp/Corpus/Standards/SANS/SANS Incident Response step 4 Eradication.md

Step 4: Eradication

Eradication is intended to actually remove malware or other artifacts introduced by the attack, and to fully restore all affected systems.

The SANS eradication process involves:

  • Reimaging—complete wipe and re-image of affected system hard drives to ensure any malicious content is removed.
  • Preventing the root cause—understanding what caused the incident and preventing future compromise, for example by patching the vulnerability exploited by the attacker.
  • Applying basic security best practices—for example, upgrading old software versions and disabling unused services.
  • Scanning for malware—using anti-malware software, or Next-Generation Antivirus (NGAV) if available, to scan affected systems and ensure all malicious content has been removed.