What should be your first action if you suspect a user's computer is infected with a virus?

Prepare for the MTA Security Exam with flashcards and multiple choice questions. Each question includes hints and explanations. Get ready for your certification test!

The first action when you suspect a user's computer is infected with a virus is to disconnect the computer from the network. This step is crucial because it helps prevent the potential spread of the virus to other devices on the same network and stops any data exfiltration or communication between the infected computer and malicious servers. Isolating the infected machine minimizes the risk to both the individual user’s information and the entire network, allowing you to address the infection more effectively.

Restarting the computer in safe mode can be a useful recovery step but is typically employed after disconnecting the computer from the network. Replacing the hard disk drive is usually a last resort when the damage caused by malware is extensive. Installing antivirus software is important for scanning and cleaning the system, but this step should follow the initial action of isolating the infected device to contain the threat.