Incident Response

Incident Response describes the reaction to a security incident. DFN-CERT divides the handling of an incident into six steps:

  1. Preparation
  2. Discovery
  3. Analysis
  4. Containment
  5. Gain control
  6. Postprocessing

On the pages of the DFN-CERT these steps are described in more detail.


In many cases the discovery of a security incident is not easy. Sometimes viruses and worms reveal themselves through error messages or a very slow reaction time of the system. The discovery of rootkits is even more difficult, as they use every measure to hide their files and processes from the user's eyes and from antivirus programs. GMER is a tool that tries to reveal rootkits. Intrusion Detection Systems (IDS) like Snort or Nepenthes discover infected PCs through their activity in the network. But often there is just an external hint. After detection, the system has to be examined and cleaned in an environment free of viruses; ideally a bootable CD-ROM is used. Scanning the system with different virus detection applications is recommended for achieving a maximum detection rate.
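The recommendation to scan with several engines rests on a simple observation: each engine knows a different set of signatures, so the union of their verdicts covers more than any single one. The following Python script is an added example, not code from the page or from any of the products named above. It models three hypothetical engines as hash-based signature sets over a handful of constructed sample files and reports which files each engine flags, the combined result, and the resulting detection rate against a constructed list of known-bad files. All engine names, file contents and signatures are made up for illustration.

```python
"""Added example: combining verdicts from several hash-based signature
sets to show why scanning with more than one engine raises the
detection rate. Engine names, file contents and signature hashes are
constructed for illustration; they are not real AV databases."""
import hashlib
from typing import Dict, Iterable, List, Set

# Constructed sample "files": file name -> content bytes.
SAMPLE_FILES: Dict[str, bytes] = {
    "report.docx": b"quarterly figures, nothing unusual",
    "invoice.exe": b"dropper-like payload A (constructed sample)",
    "update.scr": b"dropper-like payload B (constructed sample)",
    "notes.txt": b"meeting notes",
}

# Constructed ground truth used only to compute the detection rate.
KNOWN_BAD: Set[str] = {"invoice.exe", "update.scr"}


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the file content, the key used by the signature sets."""
    return hashlib.sha256(data).hexdigest()


# Constructed signature sets: each hypothetical engine knows a different
# subset of the bad hashes, which is what makes multi-engine scanning pay off.
ENGINE_SIGNATURES: Dict[str, Set[str]] = {
    "engine-A": {sha256_hex(SAMPLE_FILES["invoice.exe"])},
    "engine-B": {sha256_hex(SAMPLE_FILES["update.scr"])},
    "engine-C": {sha256_hex(SAMPLE_FILES["invoice.exe"])},
}


def scan_with_engine(engine: str, files: Dict[str, bytes]) -> Set[str]:
    """Return the names of files whose hash appears in the engine's signatures."""
    signatures = ENGINE_SIGNATURES[engine]
    return {name for name, data in files.items() if sha256_hex(data) in signatures}


def multi_engine_scan(files: Dict[str, bytes],
                      engines: Iterable[str]) -> Dict[str, List[str]]:
    """Union of all engine verdicts: flagged file -> sorted list of engines that flagged it."""
    hits: Dict[str, List[str]] = {}
    for engine in engines:
        for name in scan_with_engine(engine, files):
            hits.setdefault(name, []).append(engine)
    return {name: sorted(flagged_by) for name, flagged_by in hits.items()}


def detection_rate(files: Dict[str, bytes], engines: Iterable[str],
                   known_bad: Set[str]) -> float:
    """Fraction of the known-bad files that at least one of the engines flagged."""
    flagged = set(multi_engine_scan(files, engines))
    return len(flagged & known_bad) / len(known_bad)


if __name__ == "__main__":
    for engine_set in (["engine-A"], ["engine-A", "engine-B", "engine-C"]):
        result = multi_engine_scan(SAMPLE_FILES, engine_set)
        rate = detection_rate(SAMPLE_FILES, engine_set, KNOWN_BAD)
        print(f"{', '.join(engine_set)}: {result} -> detection rate {rate:.0%}")
```

Running the script shows engine-A alone catching one of the two constructed bad files (50 %), while the three engines together catch both (100 %). A real rescue CD such as the one described below does the same thing with full scanners instead of hash lists; the principle of taking the union of independent verdicts is what the page's recommendation relies on.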

Rescue Systems

The computer magazine c't offers a bootable Linux CD in its Desinfec't project with multiple virus detection applications. Included are Avira, Bitdefender, Kaspersky and ClamAV. Avira provides another Linux-based live CD, the AntiVir Rescue System, which is updated several times a day so that the most recent signature updates are always available. Kaspersky offers the Kaspersky Rescue Disk.

There is no bootable Windows CD available for download. With the help of Bart's PE Builder such a CD can be created; Ultimate Boot CD for Windows is based upon it. In either case a working Windows system with a valid license is required. ClamWin is a free virus scanner that can be used on Windows. The Standalone System Sweeper is a tool offered by Microsoft to create a Windows rescue system on a bootable CD or USB stick.


If you want to create your own Windows update pack, a collection of all released patches for offline installation, you can use the scripts provided by the c't project Offline-Update.