A server looks compromised — does rebooting or shutting it down fix the problem?
Short answer
No. Most real intrusions establish persistence (services, scheduled tasks, run keys, implants) that survives a reboot, so the attacker simply returns. Worse, powering off wipes volatile evidence — running processes, network connections, in-memory malware, and encryption keys — that you need to scope the incident. The right move is to contain by isolating the host while preserving memory, then investigate. Rebooting or shutting down as a 'fix' is a damaging instinct.
The instinct to "turn it off and on again" is deeply trained into IT. Against a compromise it backfires twice: it usually doesn't remove the attacker, and it destroys the very evidence you'd use to understand what happened.
Why a reboot doesn't evict the attacker
Capable intruders don't rely on a single running process — they establish persistence so they survive exactly the kind of reset you're tempted to do. Common mechanisms include:
- Services and scheduled tasks that relaunch the implant on boot.
- Run keys and startup folders in Windows.
- Cron jobs, systemd units, or modified init scripts in Linux.
- WMI subscriptions, DLL hijacks, and bootkits for deeper footholds.
Reboot, and these fire right back up. The attacker returns, often before you've finished congratulating yourself. A reboot only "helps" against the rare purely in-memory implant with no persistence — and you can't know that's the case in advance.
Why shutting down makes scoping harder
Even worse than ineffective, powering off is destructive to the investigation. A live system holds volatile evidence that vanishes when the power drops:
- Running processes and their parent-child relationships.
- Active network connections, including the live C2 channel.
- Injected, fileless, in-memory malware that never touched disk.
- Encryption keys, decrypted data, and clipboard/credential material in RAM.
The order of volatility says capture the most fragile evidence first — memory before disk. Shutting down inverts that, throwing away the part that often holds the answer.
What to do instead
Contain without destroying:
- Isolate the host — pull it from the network (or use EDR network containment) so the attacker loses reach while the machine stays running.
- Capture volatile evidence — acquire a memory image, then collect disk artifacts.
- Investigate and scope — identify persistence, lateral movement, and accounts touched.
- Then remediate — typically reimage, after you understand the blast radius.
The interview takeaway
The strong answer is "isolate, preserve memory, investigate — don't reboot." Reaching for a reboot or shutdown signals you'd both fail to evict the attacker and destroy the evidence needed to scope the incident.
Likely follow-ups
- Which persistence mechanisms would survive a reboot, and how would you hunt for them?
- What volatile artifacts are lost the instant a machine powers off?
- How does network isolation contain a host without destroying evidence?