Last Updated: 2008-10-31 02:05:23 UTC
by Johannes Ullrich (Version: 1)
The second day in our "recovery" phase: A system isn't exactly "safe" after the malware is removed. What you actually need to figure out is how the system got compromised in the first place, and how to prevent a future compromise. As already pointed out, just removing the malware will just get you back to getting exploited again.
What software and what tricks do you use to:
- make sure the vulnerability was remediated?
- ascertain some level of confidence that the malware didn't leave behind any backdoors?
- Nessus, a popular vulnerability scanner, has recently changed licenses. Did this affect you (or not)? Are there any alternatives?
- How do you continually monitor systems as new vulnerabilities and patches are released all the time?
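One concrete way to approach the "did the malware leave anything behind" question is to compare the cleaned system against a known-good baseline rather than trusting the antivirus verdict. The script below is an added example, not part of the diary or any tool it mentions: it hashes a directory tree, stores the result as a JSON baseline, and diffs a later manifest against it, reporting files that were added, removed, or changed. The directory layout and file contents in the demo are constructed for illustration.

```python
"""Diff a post-cleanup file manifest against a known-good baseline.

Added example (not from the original diary). The idea: take a hash
manifest from a trusted build or from before the incident, hash the
cleaned system the same way, and treat every added or modified file as
something that has to be explained. All paths and contents are
constructed for the demo.
"""
import hashlib
import json
import os
import tempfile
from dataclasses import dataclass, field


def hash_tree(root: str) -> dict[str, str]:
    """Return {relative_path: sha256_hex} for every regular file under root."""
    manifest: dict[str, str] = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # do not follow symlinks; only hash real file contents
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            manifest[rel] = digest.hexdigest()
    return manifest


def save_baseline(manifest: dict[str, str], path: str) -> None:
    """Persist the manifest; keep this file off the monitored host."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(manifest, fh, indent=1, sort_keys=True)


def load_baseline(path: str) -> dict[str, str]:
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


@dataclass
class DiffReport:
    added: list[str] = field(default_factory=list)      # present now, not in baseline
    removed: list[str] = field(default_factory=list)    # in baseline, gone now
    modified: list[str] = field(default_factory=list)   # same path, different hash

    def is_clean(self) -> bool:
        return not (self.added or self.removed or self.modified)


def diff_manifests(baseline: dict[str, str], current: dict[str, str]) -> DiffReport:
    """Classify every path seen in either manifest."""
    report = DiffReport()
    for path in sorted(set(baseline) | set(current)):
        if path not in baseline:
            report.added.append(path)
        elif path not in current:
            report.removed.append(path)
        elif baseline[path] != current[path]:
            report.modified.append(path)
    return report


def _write_tree(root: str, files: dict[str, bytes]) -> None:
    for rel, data in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)


def demo_diff() -> DiffReport:
    """Build a constructed known-good tree and a constructed post-cleanup tree,
    round-trip the baseline through JSON, and return the diff."""
    golden = {
        "bin/sshd": b"original daemon bytes",
        "etc/passwd": b"root:x:0:0::/root:/bin/sh\n",
        "etc/cron.d/logrotate": b"0 3 * * * root /usr/sbin/logrotate\n",
    }
    cleaned = dict(golden)
    cleaned["bin/sshd"] = b"replaced daemon bytes"                  # binary no longer matches
    cleaned["etc/cron.d/leftover"] = b"* * * * * root /tmp/unknown\n"  # job nobody created
    del cleaned["etc/cron.d/logrotate"]                              # removed during cleanup
    with tempfile.TemporaryDirectory() as good, tempfile.TemporaryDirectory() as now:
        _write_tree(good, golden)
        _write_tree(now, cleaned)
        baseline_file = os.path.join(good, "baseline.json")
        save_baseline(hash_tree(good), baseline_file)
        baseline = load_baseline(baseline_file)
        baseline.pop("baseline.json", None)  # the manifest itself is not part of the tree
        return diff_manifests(baseline, hash_tree(now))


if __name__ == "__main__":
    report = demo_diff()
    for label, paths in (("added", report.added), ("removed", report.removed),
                         ("modified", report.modified)):
        for p in paths:
            print(f"{label:9s} {p}")
```

The report only tells you what changed; every added or modified entry still has to be matched against the patching you did on purpose, and the baseline has to come from somewhere the attacker could not have touched (a trusted install, or a manifest stored off the host before the compromise).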
Johannes B. Ullrich, Ph.D.
SANS Technology Institute