CIRT's situation is complicated by the long physical distance and the user's initial unwillingness to remediate the intrusion. CIRT members should understand that their request is disruptive for users. Messages from CIRT should always stay firm, but also objective and polite: while any kind of threat, open or hidden, is absolutely unacceptable, accepting the user's suggestions is also bad practice from a security point of view. Any message that could be interpreted to mean the user is (partially) responsible for the infection may trigger defensive reactions on the user's side, which would make all future communication much more difficult and would also damage CIRT's reputation among the user's colleagues.
The strongest argument CIRT has is that the company security policy clearly supports its request. A concise explanation of why a simple antivirus scan is insufficient may also convince the user to comply. It can also help to objectively point out the dangers of working on an infected host, such as data theft, data deletion or further malware spreading through the organization.
An intervening manager may hold a position high enough to enforce their will. In that situation, CIRT should clearly communicate the risks of keeping an infected computer on the company network, push for a clearly defined date by which the system will be reinstalled, and actively verify that the reinstallation took place. Messages towards management may also be slightly more polite and descriptive.
And it is never wrong to say “Thank you” and send regards ;-)