3.2 and 3.3 Troubleshooting Workstation Security

Question 1

List the seven steps, in order, of the malware removal process

Answer 1

1. Identify and research malware symptoms
2. Quarantine the infected systems
3. Disable System Restore (if Windows OS)
4. Remediate the infected system
5. Schedule scans and run updates
6. Enable System Restore and create a restore point (Windows
7. Educate the end-user

Question 2

Which two steps of the malware removal process are specific to Windows machines?

Answer 2

Step 3 (Disable System Restore) and Step 6 (Enable System Restore and create a restore point)

Question 3

What is step 4 of the malware removal process?

Answer 3

Remediate the infected system

Question 4

Quarantining the infected system should be done after what?

Answer 4

Identifying and researching malware symptoms

Question 5

What is a PUA?

Answer 5

Potentially Unwanted Application

Question 6

What might you use Nmap to find?

Answer 6

• Which devices are running on the network
• Open ports and services
• Vulnerabilites

Question 7

What does netcat allow users to do?

Answer 7

Read from and write to network connections using TCP or UDP

Question 8

How would you quarantine an infected system?

Answer 8

By moving it into a logically or physically isolated secure segment of the network

Question 9

What are some different methods that could be used to logically isolate an infected system?

Answer 9

VLANs, access controls, encryption, partitioning

Question 10

What sort of environment should be created to scan and test an infected computer?

Answer 10

A sandbox environment

Question 11

Disabling System Restore does what?

Answer 11

Turns off automated backup systems, such as cloud and external disk backups

Question 12

What is the ultimate effect of disabling System Restore?

Answer 12

The computer is prevented from returning to a previous state if the OS happens to become unstable

Question 13

Why might System Restore be disabled?

Answer 13

Because it prevents a computer from returning to a previous state, it also prevents the re-infection of said computer with malware that may have been present at the created restoration point

Question 14

Give the two main parts of remediating infected systems

Answer 14

• Updating anti-malware software
• Implementing scanning and removal techniques

Question 15

List the four steps involved in scanning and removal

Answer 15

1. Reboot in safe mode, run scanning/removal tools
2. Turn off necessary services/background tasks by running task manager, regedit, msconfig
3. Boot PC using Windows recovery/installation disk
4. Re-image/re-install system from good backup/installation disk

Question 16

How often should scans be scheduled?

Answer 16

At least daily

Question 17

How does scanning on-access work?

Answer 17

Local and network files are scanned when they are accessed to check for any new malware threats that may be trying to enter the system

Question 18

What is defined as ‘access’ for scanning on-access?

Answer 18

Opening, moving, copying or executing a file

Question 19

In step 6 of the malware removal process, how should you go about re-enabling System Restore?

Answer 19

• Ensure the device is free of all malware
• Re-enable system restore
• Create new restore point after malware removal
• Turn on automated backups again and validate critical services

Question 20

Give five possible symptoms that would indicate a browser is infected

Answer 20

• Browser redirection
• Certificate warnings
• Wrong address
• Automatic redirection
• Host file infection

Question 21

What is a host file?

Answer 21

A text file that maps domain names to IP addresses and is used by the PC to resolve DNS queries

Question 22

Explain further how host file infection works

Answer 22

• Malware targets the PC’s host file to hijack its internet connectivity
• It changes the host file to redirect users to malicious websites
• It can also block detection by security software or stop users from visiting other sites

Question 23

How would you clean up a host file infection?

Answer 23

• Scan the system, uninstall and reinstall the browser
• Check proxy settings and verify no proxy is being used

Question 24

Define ‘dropper’.

Answer 24

A trojan horse that has been designed to deliver malware to a device, often packaged to evade detection by anti-malware software

Question 25

Define ‘payload’.

Answer 25

The malicious code delivered by the dropper, which is converted into executable form if necessary and then executed on the system

Question 26

What is a rogue antivirus?

Answer 26

A malicious software that tricks users into believing there is a virus on their computer and that they need to download (and sometimes pay for) a fake malware removal tool, which is actually the malware itself

Question 27

List 4 things that a rogue antivirus might do.

Answer 27

• Alter the system’s security settings
• Block access to Task Manager or Registry Editor
• Disable Windows Firewall
• Kill processes associated with AV solutions

Question 28

How might you remove rogue antivirus?

Answer 28

• Go to the Program Files window
• Find the rogue software program folder
• Delete folder

Question 29

How can you check if malware is causing OS updates to fail?

Answer 29

Turn off the update service and run the system file checker to see if there is malware affecting it