Skip to content

A server looks compromised — does rebooting or shutting it down fix the problem?

Short answer

No. Most real intrusions establish persistence (services, scheduled tasks, run keys, implants) that survives a reboot, so the attacker simply returns. Worse, powering off wipes volatile evidence — running processes, network connections, in-memory malware, and encryption keys — that you need to scope the incident. The right move is to contain by isolating the host while preserving memory, then investigate. Rebooting or shutting down as a 'fix' is a damaging instinct.

The instinct to "turn it off and on again" is deeply trained into IT. Against a compromise it backfires twice: it usually doesn't remove the attacker, and it destroys the very evidence you'd use to understand what happened.

Why a reboot doesn't evict the attacker

Capable intruders don't rely on a single running process — they establish persistence so they survive exactly the kind of reset you're tempted to do. Common mechanisms include:

  • Services and scheduled tasks that relaunch the implant on boot.
  • Run keys and startup folders in Windows.
  • Cron jobs, systemd units, or modified init scripts in Linux.
  • WMI subscriptions, DLL hijacks, and bootkits for deeper footholds.

Reboot, and these fire right back up. The attacker returns, often before you've finished congratulating yourself. A reboot only "helps" against the rare purely in-memory implant with no persistence — and you can't know that's the case in advance.

Why shutting down makes scoping harder

Even worse than ineffective, powering off is destructive to the investigation. A live system holds volatile evidence that vanishes when the power drops:

  • Running processes and their parent-child relationships.
  • Active network connections, including the live C2 channel.
  • Injected, fileless, in-memory malware that never touched disk.
  • Encryption keys, decrypted data, and clipboard/credential material in RAM.

The order of volatility says capture the most fragile evidence first — memory before disk. Shutting down inverts that, throwing away the part that often holds the answer.

What to do instead

Contain without destroying:

  1. Isolate the host — pull it from the network (or use EDR network containment) so the attacker loses reach while the machine stays running.
  2. Capture volatile evidence — acquire a memory image, then collect disk artifacts.
  3. Investigate and scope — identify persistence, lateral movement, and accounts touched.
  4. Then remediate — typically reimage, after you understand the blast radius.

The interview takeaway

The strong answer is "isolate, preserve memory, investigate — don't reboot." Reaching for a reboot or shutdown signals you'd both fail to evict the attacker and destroy the evidence needed to scope the incident.

Likely follow-ups

  • Which persistence mechanisms would survive a reboot, and how would you hunt for them?
  • What volatile artifacts are lost the instant a machine powers off?
  • How does network isolation contain a host without destroying evidence?

Sources

Certifications

Get 100 cybersecurity interview questions + answers

Drop your email and we'll send you the free PDF pack and the flashcard deck.

No spam. Unsubscribe anytime.