James Mckenzie, this is the difference. If honeypot people followed your methods we would have tons of wasted drives: excess cost, and not effective for threat trapping. Full honeypot level includes a firmware audit. To a honeypot person you are basically a stupid fool for saying the only way to be 100 percent clean is to junk the machine. When there is no executable code left that has not been inspected, there is no operational home for the virus, so the virus is dead. A virus is only software, not hardware. Firmware audits are extremely fun to perform after the fact. It's so much simpler when the main BIOS chip of a motherboard has been in a flash writer and backed up as a binary compare image. The "you should never back up infected files" rule is 100 percent invalid for people who do honeypotting. We are after the infected files so signatures can be developed. Basically we are offensive system admins, not just defensive. Archiving data from the infected system allows the drive to be cleared and the data for working out what the attack was to stay intact, so the drive becomes reusable. When you have 500+ machines to clean up, being able to use 1 drive per 10 machines is one heck of a saving. Yes, that is about the pack down, so 50 drives vs 500. Generating comparative data between machines is also useful for locating attacks. Note that altered files don't all have to be infected. The method you are following can be a higher risk. The backup of the files allows, in cases where critical files were created between the time of the last clean backup and the infection, an attempt to recover them, i.e. if the file is cleanable of all forms of executable code. The process of stripping all executable code takes time, longer than the time you normally have to get the system back up. My complete cycle for binary compare and back online with deb and rpm based systems is only 10% more than doing a clean install. The difference is that the 10 percent more saves a heck of a load on the hard drives required.
Basically, what would you do if you had 500 machines and could only get 50 clean drives? The best part about this is that I can get a lot more machines back online just from the materials in stores than you can, i.e. 3 drives in stores, 30 machines possibly back online. Time is money, true. The more machines that can be brought back online the better. I am about to tell you the best part about my stunt. The evil thing is transparent. Diskless remote boot or Linux Terminal Services Project from a recovery server means that a 500 machine network can be back partly usable in under 15 min of the infection being detected, even while the compare process on the hard drives in place has begun. Sorry, 500+ machine networks are what I am used to dealing with. Even running hard drive image restores of Windows machines, with Linux Terminal Services or diskless remote boot providing the user with an interface to use their machines while the infection is cleaned out. A lot of staff can perform other duties as long as their system at least somewhat works. As you said, downtime is important. On the client sides of the networks I reduce downtime to basically nothing, since I am not needing to physically work on the internals of the machine and the machine is at least partly functional the complete time I am removing the problem. A software infection is a software infection. 12 hours of disruption to restore servers. Clients should be under 1 hour of non function if set up in advance for the problem. With imaging, by the next day at worst, client machines should be back online as if nothing happened. And the complete time the clients are being cleaned up by software, I can be starting the backup search and data recovery process against the possibly infected data while the rest of the staff are already back on the job. Lack of protected firmwares is a worry to me. It's nothing strange for me to have replaced the server BIOS chips with EPROMs instead of flash on ones without a physical switch, so that is not a threat location.
The argument is that you don't have time. You have tons of time if you are set up right. 9/11/2001 has taught you guys nothing. Your processes to bring networks back to operational in case of client infection are far too long and labour consuming. The fear that backing up infected files is wrong prevents cost-effective and equal-result methods from being used.
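The binary compare against a known-clean baseline that the post leans on ("altered files don't all have to be infected"), as an added Python example; this is not the poster's own tooling. It hashes a clean tree and a suspect tree and splits altered files into ones carrying an executable header (ELF, PE or shebang; that header test is an assumption) and plain data, run over sample trees constructed inline.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumed header check: ELF, PE and shebang files count as executable content.
EXEC_MAGICS = (b"\x7fELF", b"MZ", b"#!")

def file_digest(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def looks_executable(path):
    return Path(path).read_bytes()[:4].startswith(EXEC_MAGICS)

def build_manifest(root):
    # relative posix path -> SHA-256 for every regular file under root
    root = Path(root)
    return {p.relative_to(root).as_posix(): file_digest(p)
            for p in root.rglob("*") if p.is_file()}

def compare_trees(clean_root, suspect_root):
    # Sort each altered file into a bucket; 'modified_data' is altered but not code
    clean, suspect = build_manifest(clean_root), build_manifest(suspect_root)
    report = {"unchanged": [], "modified_executable": [], "modified_data": [], "added": []}
    for rel, digest in suspect.items():
        if rel not in clean:
            report["added"].append(rel)
        elif digest == clean[rel]:
            report["unchanged"].append(rel)
        elif looks_executable(Path(suspect_root) / rel):
            report["modified_executable"].append(rel)
        else:
            report["modified_data"].append(rel)
    report["missing"] = sorted(set(clean) - set(suspect))
    return {k: sorted(v) for k, v in report.items()}

def demo():
    # Constructed sample trees: a patched binary, an edited config, a dropped script
    tmp = Path(tempfile.mkdtemp())
    clean, suspect = tmp / "clean", tmp / "suspect"
    for d in (clean, suspect):
        (d / "bin").mkdir(parents=True)
        (d / "etc").mkdir()
        (d / "etc" / "motd").write_bytes(b"welcome\n")
    (clean / "bin" / "ls").write_bytes(b"\x7fELF\x02\x01\x01" + b"\x00" * 16)
    (suspect / "bin" / "ls").write_bytes(b"\x7fELF\x02\x01\x01" + b"\xcc" * 16)
    (clean / "etc" / "hosts").write_bytes(b"127.0.0.1 localhost\n")
    (suspect / "etc" / "hosts").write_bytes(b"127.0.0.1 localhost\n# edited by admin\n")
    (suspect / "bin" / "extra").write_bytes(b"#!/bin/sh\necho hi\n")
    return compare_trees(clean, suspect)
```

The modified_data bucket is where the post's "cleanable of all forms of executable code" question applies: those files changed but carry no code header, so they are candidates for data recovery rather than automatic loss.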