Team: Huntress Endpoint Detection and Response
Environment: Incident Reports
Summary: Incident reports may suggest wiping an endpoint to fully clear detected malicious activity.
We recommend wiping a host whenever it has been compromised by malware. This is especially important in cases where the malware runs under an account with administrative privileges. You never know what else may have been changed. Since Huntress only looks at auto-starting applications, we do not see operating system files that may have changed, malicious files that do not automatically start, or user accounts that may have been created.
While we realize reimaging an endpoint may not always be feasible or practical, certain incidents require this step in order to completely eradicate the infection or fully address the compromise. Where Huntress notes that such reimaging is required and you are unable to perform it, you understand and accept that there may be additional malicious activity not caught by the remediations alone and that the possibility of re-infection exists.