Incident Response describes the reaction to a security incident. DFN-CERT divides incident handling into six steps:
- Gain control
On the pages of the DFN-CERT [de] these steps are described in more detail.
In many cases discovering a security incident is not easy. Sometimes viruses and worms reveal themselves through error messages or a very slow response time of the system. Discovering rootkits is even harder, as they use every means available to hide their files and processes from the user and from antivirus programs. GMER is a tool that tries to reveal rootkits. Intrusion Detection Systems (IDS) such as Snort discover infected PCs through their suspicious activity on the network. Often, however, there is only an external hint. After detection, the system has to be examined and cleaned in an environment that is free of viruses; ideally a bootable CD-ROM or USB stick is used. Scanning the system with several different virus detection applications is recommended to achieve the highest possible detection rate.
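Rootkit detectors such as GMER work by comparing several independent views of the system and reporting what one view shows and another hides. The following added example (not GMER's code, not part of the original page) applies that cross-view idea to processes on Linux: one view is the /proc directory listing that ps and top rely on, the other is built by probing every PID with kill(pid, 0); the PID range and the constructed test sets are assumptions.

```python
import os

# Added example: cross-view process enumeration for hidden-process detection.
# Rootkits that hide processes typically hook the interfaces ordinary tools use
# (the readdir of /proc). A second, independent view built by probing every PID
# with kill(pid, 0) often still sees them. Comparing the two views is the
# principle behind tools such as GMER; this is an illustrative reimplementation.


def view_from_proc():
    """View A: PIDs listed by the /proc directory (what ps and top rely on)."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def view_from_kill_probe(pid_max=None):
    """View B: PIDs found by probing each PID with signal 0.

    kill(pid, 0) sends no signal; it only reports whether pid exists.
    PermissionError (EPERM) means the process exists but belongs to another
    user, so it counts as present. ProcessLookupError (ESRCH) means absent.
    pid_max defaults to the kernel's /proc/sys/kernel/pid_max (assumption:
    Linux host).
    """
    if pid_max is None:
        with open("/proc/sys/kernel/pid_max") as f:
            pid_max = int(f.read())
    found = set()
    for pid in range(1, pid_max + 1):
        try:
            os.kill(pid, 0)
            found.add(pid)
        except PermissionError:
            found.add(pid)
        except ProcessLookupError:
            pass
    return found


def cross_view_diff(visible, probed):
    """Return PIDs present in the probe view but absent from the listed view.

    These are candidates for processes hidden from standard tools. Processes
    that exited between the two enumerations also land here, so a hit must be
    confirmed by re-running the comparison and inspecting /proc/<pid> directly.
    """
    return sorted(set(probed) - set(visible))


if __name__ == "__main__":
    hidden = cross_view_diff(view_from_proc(), view_from_kill_probe())
    print("hidden PID candidates:", hidden)
```

PIDs that appear in the /proc view but not in the probe view are not suspicious; they simply exited between the two enumerations.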
The computer magazine c't offers a bootable Linux CD in its Desinfec't-Projekt [de] with multiple virus detection applications that are updated yearly. Included are Avira, Bitdefender, Kaspersky and ClamAV. Most antivirus vendors offer so-called rescue systems that let you boot and scan your system, e.g. Avira Rescue System, Kaspersky Rescue Disk or ESET SysRescue Live. If you don't have a CD/DVD drive, you can use UNetbootin to copy the CD images to a USB stick.
There is no bootable Windows CD available for direct download because of copyright. With the help of Bart's PE Builder such a CD can be created; Ultimate Boot CD for Windows is based on it. In either case a running Windows system with a valid license is required. ClamWin is a free virus scanner that can be used on Windows. Windows Defender Offline is a tool offered by Microsoft to create a Windows rescue system on a bootable CD or USB stick.
If you want to create your own Windows update pack, a collection of all released patches for offline installation, you can use the scripts provided by the c't project Offline-Update.