Lesson 8C Troubleshoot Workstation Security Issue

Question 1

Malware Vectors

Answer 1

The vector is the method by which the malware executes on a computer and potentially spreads to other network hosts.

Question 2

Viruses

Answer 2

Malicious code inserted into an executable file image. The malicious code is executed when the file is run and can deliver a payload, such as attempting to infect other files.
.EXE, .MSI, .DLL, .COM, .SCR, and .JAR.

Question 3

Boot Sector Virus

Answer 3

These infect the boot sector code or partition table on a disk drive. When the disk is attached to a computer, the virus attempts to hijack the bootloader process to load itself into memory.

Question 4

Trojans

Answer 4

Malicious software program hidden within an innocuous-seeming piece of software. Usually, the Trojan is used to try to compromise the security of the target computer.

Question 5

Worms

Answer 5

Type of malware that replicates between processes in system memory and can spread over client/server network connections.

Question 6

Fileless Malware

Answer 6

Exploit techniques that use the host’s scripting environment to create malicious processes.

Question 7

Malware Payload

Question 8

Backdoors

Answer 8

Also referred to as a Remote Access Trojan, allows a threat actor to access and control the infected host.

Question 9

Command and Control

Answer 9

Infrastructure of hosts and services with which attackers direct, distribute, and control malware over botnets.

Question 10

Spyware

Answer 10

Can perform browsing reconfiguration, such as allowing tracking cookies, changing default search providers, opening arbitrary pages at startup, adding bookmarks and so on. Take screenshots, activate recording devices.

Question 11

Keylogger

Answer 11

Records a user keystrokes in order to attempt to steal sensitive information.

Question 12

Rootkit

Answer 12

Class of malware that modifies system files, often at the kernel level, to conceal its presence.

Question 13

Ransomware

Answer 13

Malware that tries to extort money from the victim by blocking normal operation of a computer and/or encrypting the victim’s files and demanding payment.

Question 14

Cryptomining

Answer 14

hijacks the resources of the host to perform cryptocurrency mining.

Question 15

Troubleshoot Desktop Symptoms

Answer 15

Any type of activity or configuration change that was not initiated by the user is a good reason to raise suspicion.

Question 16

Performance Issues

Answer 16

Computer is slow or behaving “oddly”.
-The computer fails to boot or locks up.
-Performance at startup or in general is slow.
-Host is unable to access the internet or network performance could be slow.

Question 17

Remediation for Performance Issues

Answer 17

Run an Antivirus Scan
Quarantine the System from the network..

Question 18

Application Crashes and Service Problems

Answer 18

Apps like anti-virus and Windows Update are frequently failing. Tools like Task Manager are currently failing.

Question 19

Remediation for Crashes and Service Problems

Answer 19

Monitoring and Quarantining if apps are consistently failing to startup.

Question 20

File System Errors and Anomalies

Answer 20

Changing system files and/or permissions are altered.
-Missing or renamed files
-Additional executable files with names resembling services but are not the actual service.

Question 21

Remediation for File System Errors and Anomalies

Answer 21

Quarantine the System and Investigate closely.

Question 22

Desktop Alerts and Notifications

Answer 22

A way for pop-ups to intimidate a user into clicking in order for malware to try and elevate privileges.

Question 23

Rogue Antivirus

Answer 23

Spoofed desktop notifications and browser ads designed to alarm users and promote installation of Trojan malware.

Question 24

Troubleshoot Browser Symptoms

Question 25

Redirection

Answer 25

A user attempts to open a page but is sent to another page. Could lead to a drive-by download or cause credentials to be stolen.

Question 26

Certificate Warning

Answer 26

A certification that is untrusted has a warning sign rather than a padlock signifying that the website is not safe.

Question 27

Reasons for Certificate Warning

Answer 27

The certificate is self-signed or signed by an untrusted CA.
The FQDN requested by the browser is different from the subject name listed in the certificate.
The certificate has expired or is listed as revoked.

Question 28

Best Practices for Malware Removal

Answer 28

1. Investigate and verify malware symptoms.
2. Quarantine infected systems.
3. Disable System Restore in Windows.
4. Remediate infected systems:
   -Update anti-malware software.
   -Scanning and removal techniques (e.g., safe
   mode, preinstallation environment).
5. Schedule scans and run updates.
6. Enable System Restore and create a restore point in Windows.
7. Educate the end user.

Question 29

Infected Systems Quarantine

Answer 29

After identifying the Malware Symptoms:
The next step is to Quarantine the System and disable System Restore.
Quarantine means that it is unable to communicate through the main network.
Move the system to a more secure segment or sandbox.

Question 30

Disable System Restore

Answer 30

Disabling System Restore and other automated backup systems, such as file history.
Delete old backups due to the likelihood of the backups being infected

Question 31

Malware Removal Tools and Methods

Answer 31

The main tool to try and remediate an infected system will be antivirus system.