We recommend wiping a host whenever it has been compromised by malware. This is especially important in cases where the malware runs under an account with administrative privileges. You never know what else may have been changed. Since Huntress only looks at auto-starting applications, we do not see operating system files that may have changed, malicious files that do not automatically start, or user accounts that may have been created.
We do realize, however, that it is not always possible to wipe a host, which is why additional remediation suggestions are included in each incident report. The majority of our partners remediate rather than wipe the host, but it all depends on your level of comfort and acceptance of risk.
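As an added example (not part of this article or of the Huntress product), the following PowerShell triage script checks the three blind spots named above, newly created local accounts, modified operating system files, and dropped files that never register an autostart, so you have more to go on when weighing remediation against a wipe. It assumes you know roughly when the malware first ran (`$Since`) and that it is run from an elevated session, since the Security log requires administrator rights.

```powershell
# Post-compromise triage for the gaps an autostart-only view misses.
# Added example; assumes $Since is the earliest suspected time of compromise.
param(
    [datetime]$Since = (Get-Date).AddDays(-7),
    [int]$Top = 50
)

# 1. Local user accounts created after the suspected compromise time.
#    Get-LocalUser exposes no creation date, so read Security event 4720
#    ("a user account was created") instead. Property 0 is the new account,
#    property 4 is the account that created it.
Write-Host "== Local accounts created since $Since (Security 4720) =="
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720; StartTime = $Since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Account   = $_.Properties[0].Value
            CreatedBy = $_.Properties[4].Value
        }
    } | Format-Table -AutoSize

# 2. Operating system files under System32 modified after the compromise time.
#    Windows Update also changes these, so compare hits against a known-good
#    host or the update history before treating them as tampering.
Write-Host "== System32 files modified since $Since =="
Get-ChildItem "$env:SystemRoot\System32" -File -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $Since } |
    Sort-Object LastWriteTime -Descending |
    Select-Object -First $Top FullName, LastWriteTime |
    Format-Table -AutoSize

# 3. Executable content dropped in user-writable locations. These need no
#    autostart entry to matter; they can be run by hand, by a scheduled job,
#    or by a second stage later, so an autostart scan will not list them.
Write-Host "== New executable files in user-writable paths since $Since =="
$paths = @($env:ProgramData, $env:PUBLIC) +
         (Get-ChildItem 'C:\Users' -Directory -ErrorAction SilentlyContinue | ForEach-Object FullName)
Get-ChildItem $paths -Recurse -File -Include *.exe, *.dll, *.ps1, *.bat, *.vbs -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -ge $Since } |
    Sort-Object CreationTime -Descending |
    Select-Object -First $Top FullName, CreationTime |
    Format-Table -AutoSize
```

Any hit in the first two sections is a strong argument for wiping rather than remediating, because it shows the malware did more than install an autostart.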