Chapter 2.4 Flashcards

1
Q

HIPS

A

HIPS (Host Intrusion Prevention System) is software located on the host system and has an active response to threats. It can prevent events, such as system files being modified or block unauthorized remote network connections.

2
Q

HIDS

A

HIDS (Host Intrusion Detection System) is a type of IDS that monitors a computer system for unexpected behavior or drastic changes to the system’s state. The key difference from a HIPS is that a HIDS only monitors and reports; it does not actively block.

3
Q

NIPS

A

NIPS (Network Intrusion Prevention System) is an appliance placed on the network to provide an active response to any network threats that match its policies or signatures.

4
Q

NIDS

A

NIDS (Network Intrusion Detection System) is a system that uses passive hardware sensors to monitor traffic on a specific segment of the network. If there are any warnings, a log is generated, and a notification is sent out.

5
Q

SFC

A

SFC (System File Checker) is a Windows tool used to manually verify operating system (OS) files.

6
Q

SEP features

A

The virus and spyware protection feature of SEP (Symantec Endpoint Protection) is the commonly known anti-virus software that should be on every client image.

The proactive threat protection feature of SEP takes a behavioral approach to protecting the system against unknown threats. For example, a process using a high level of CPU for a long time is treated as a possible threat and will eventually be stopped by the software.

The network and host exploitation mitigation feature of SEP protects the system against exploits on the web, network, and any zero-day attacks.

7
Q

process explorer

A

Process Explorer is part of the Windows Sysinternals suite of tools. It can filter out the legitimate activity generated by the normal operation of the computer, making unusual processes easier to spot.

8
Q

WSUS

A

The WSUS (Windows Server Update Services) server is a central repository for updates to the OS and to applications such as Microsoft Office. Once the updates are downloaded locally, WSUS distributes them to the client computers.

9
Q

device instance ID

A

Information such as a vendor ID, product ID, or device instance ID can be added to the “excluded drives” definition. Doing so blocks all USB drives except those with the specified IDs.

10
Q

Autoruns

A

The Autoruns tool, which is part of Windows Sysinternals, can help with hunting down malware on a computer.

Autoruns’ ability to identify startup services and their locations on disk can lead to researching ways to remove the malware and its rogue services.
