Troubleshoot Workstation Security Issues Flashcards

lesson 17C (63 cards)

1
Q
A

Actual Keylogger—Windows software that can run in the background to monitor different kinds of
computer activity

2
Q
A

WannaCry ransomware.

3
Q
A

Untrusted certificate warning in Mozilla Firefox.

4
Q
A

Threats discovered by Windows Defender Antivirus

5
Q
A

Microsoft’s Security Intelligence knowledge base can be used to obtain additional information about threats discovered by Windows Defender Antivirus.

6
Q
A

Microsoft’s Windows Defender Antivirus uses a system of continual threat/definition updates.

7
Q

Malware vectors

A

refer to the methods by which malware executes and spreads. Common types include viruses, which infect executable files; boot sector viruses, which hijack a disk’s boot process; and Trojans, which masquerade as legitimate software and often establish persistence by running at startup.

8
Q

Malware

A

is malicious software designed to harm systems, with classifications based on how it spreads and executes, aiding in identifying sources and impacts of security incidents.

9
Q

vector

A

is the method by which the malware executes on a computer and potentially spreads to other network hosts.

10
Q

Viruses

A

embed themselves in executable files (.EXE, .MSI, .DLL, etc.) and activate when the file runs, often gaining the same privileges as the infected process. Early viruses spread rapidly, while modern ones use stealth techniques to maintain control over a system.

11
Q

Malware payload

A

classification focuses on the actions malware performs beyond replication or persistence, helping to identify its specific impact on a system.

12
Q

Backdoors,

A

often implemented as remote access Trojans (RATs), grant attackers unauthorized access to a system, enabling data exfiltration, malware installation, or botnet integration for launching attacks. Threat actors establish covert command and control (C2) connections, often embedding commands within HTTPS or DNS traffic to evade detection.

13
Q

Spyware

A

alters browser settings, monitors activity, and can redirect DNS queries to spoofed sites, compromising security and user privacy.

14
Q

keylogger

A

is a form of spyware that records keystrokes, allowing attackers to capture sensitive information like passwords and credit card details.

15
Q

Keyloggers software/hardware

A

can be implemented as software that transmits keystrokes to an external server or as hardware devices that intercept inputs via modified USB adapters.

16
Q

Rootkits

A

are advanced malware that gain SYSTEM-level privileges, often exploiting vulnerabilities or escalating privileges post-installation. They can conceal their presence by modifying system processes, bypassing detection in tools like Task Manager, ps, or netstat, and even wiping system logs to further evade security measures.

17
Q

Ransomware

A

extorts victims by either blocking access to their systems or encrypting files, demanding payment to restore access. Crypto-ransomware, like Cryptolocker, encrypts data, making recovery nearly impossible without backups. Attackers use anonymous payment methods like cryptocurrency to evade law enforcement.

18
Q

Cryptomining, or cryptojacking

A

hijacks a system’s resources to mine cryptocurrency, leveraging immense computing power to generate digital coins. Attackers often deploy cryptominers across botnets to maximize mining efficiency while remaining undetected.

19
Q

malware signs

A

Unexpected system behavior or unauthorized configuration changes are common signs of malware infection. Identifying symptoms based on malware vectors and payloads helps determine the appropriate troubleshooting and remediation steps.

20
Q

malware infection issues

A

Performance issues like system slowdowns, boot failures, and network disruptions may indicate malware infection, requiring antivirus scans and potential quarantine for further investigation.

21
Q

Frequent crashes

A

of security-related applications like antivirus, firewalls, and Windows Update can indicate malware infection. Malware often targets vulnerable third-party software, especially browser plug-ins. If reputable software begins failing repeatedly, malware should be suspected, and quarantining or monitoring procedures applied.

22
Q

file system errors

A

File system anomalies, such as missing or renamed files, unauthorized executables mimicking system processes, altered file attributes, and unexpected access errors, often indicate malware infection. These issues warrant immediate investigation and system quarantine to prevent further compromise.

23
Q

Fake security alerts

A

Malware can exploit push notifications to mimic Windows alerts, tricking users into installing harmful software. Fake security alerts may lead to drive-by downloads or rogue antivirus scams, where attackers impersonate support representatives to gain remote access. Vigilance against unsolicited alerts and cold calls is essential to prevent infection.

24
Q

Malware targeting browsers

A

can lead to unexpected pop-ups, altered settings, and performance issues, often signaling infection by spyware or adware.

25
# malware Redirection
occurs when a user is sent to an unintended page, often mimicking the original site. Adware may use it for traffic generation, while spyware can exploit it for credential theft. If redirection is detected, check the HOSTS file for malicious entries, verify DNS server settings, and compare search results with a trusted workstation.
26
# malware Certificate warnings
appear when a browser encounters an untrusted or invalid certificate, replacing the padlock icon with an alert. The URL may be displayed with a strikethrough, and access to the site is often restricted to prevent security risks.
27
Certificate warnings causes
can arise from untrusted, mismatched, or expired certificates and may signal misconfigurations or malware attempting to intercept secure connections.
28
Malware Removal
CompTIA's seven-step procedure for malware removal emphasizes investigating and verifying symptoms, quarantining infected systems, disabling System Restore, updating anti-malware software and scanning for threats, scheduling regular scans and updates, re-enabling System Restore, and educating users. Antivirus vendors maintain malware encyclopedias that help identify and remove threats by matching system symptoms to known behaviors.
29
Infected Systems Quarantine
Once malware symptoms are identified, quarantining the infected system and disabling System Restore help prevent further spread and ensure effective remediation.
30
To quarantine an infected system
prevent users with administrative privileges from signing in to reduce the risk of malware compromising accounts. Disconnect the network link to stop malware from spreading, and move the system to a secure segment or sandbox for remediation. Scan any attached removable media to identify potential sources of infection and prevent further contamination.
31
Disabling System Restore and backup systems
like File History helps prevent reinfection, as malware may have compromised previous restore points. If backups are necessary, scanning them with antivirus software ensures they are free of infection before use.
32
Antivirus software
is the primary tool for malware removal, but if an infection evades detection, using an alternative suite or scanning the disk from another system may be necessary. Modern antivirus solutions protect against a wide range of threats, including viruses, worms, Trojans, ransomware, spyware, and cryptominers. Infected files can be cleaned, quarantined, or deleted, with configurable settings for handling detected threats.
33
Advanced malware infections
may require manual removal steps and system reconfiguration to restore security. This process typically involves terminating suspicious processes in Task Manager, executing commands in a terminal or editing the registry, booting into Safe Mode via `msconfig`, using recovery media or WinPE for a clean command environment, and scanning the infected disk from another system to prevent cross-infection.
34
OS reinstallation
If malware becomes deeply embedded in a system, antivirus software may be unable to recover infected files. In such cases, a complete system restore is necessary, which includes reformatting the disk, reinstalling the OS and software, and restoring data from a clean backup to ensure a secure environment.
35
To prevent malware reinfection
after cleaning a system, implement security best practices such as keeping software and antivirus definitions up to date, enabling firewalls, using strong authentication methods, and restricting administrative privileges. Regular system monitoring and user education also help mitigate future security risks.
36
On-access scanning
ensures security software checks files in real time before they are opened, preventing malicious files from executing. While it may slightly impact system performance, this proactive defense is crucial for maintaining robust malware protection.
37
# malware payloads Backdoors
particularly RATs, are a serious concern because they provide remote access for an attacker, enabling data exfiltration and further compromise.
38
# malware payload command-and-control (C2)
attackers maintain communication with compromised systems after gaining initial access to a network, allowing them to issue commands and control those systems.
39
A Remote Access Trojan (RAT)
is a type of malware that gives an attacker remote control over a device or network. It allows them to access and manipulate the system, often without the victim's knowledge. RATs are often disguised as legitimate software or applications, making them difficult to detect.
40
Troubleshoot Desktop Symptoms
Unexpected system behavior, sluggish performance, and network disruptions can indicate malware infection, requiring antivirus scans, close monitoring, or device isolation for further investigation.
41
Application Crashes and Service Problems
Frequent crashes of security applications and system tools, along with failed updates, may indicate malware infection, requiring isolation, monitoring, and verification of file integrity.
42
File system anomalies
such as missing or renamed files, unauthorized executables mimicking system utilities, altered file timestamps, and unexpected permission changes, can indicate malware infection. Since these issues rarely stem from benign causes, affected systems should be quarantined and thoroughly investigated.
43
Desktop Alerts and Notifications
Malware can exploit push notifications to display fake alerts, tricking users into installing malicious software or visiting sites that enable drive-by downloads.
44
Rogue antivirus
is a type of malware that falsely claims to be a legitimate antivirus program. It disguises Trojans through fake security alerts or fraudulent support calls, tricking users into enabling remote access for attackers.
45
Browser infections
can cause frequent pop-ups, unauthorized toolbar installations, homepage changes, unusual search results, sluggish performance, and excessive crashes.
46
Unauthorized redirection
occurs when a user is sent to an unintended webpage, often mimicking legitimate sites. Adware uses this for traffic manipulation, while spyware may capture authentication details. To troubleshoot, check the HOSTS file for malicious entries, verify DNS server configurations, and compare search results with a known-good workstation.
47
48
Certificate warnings def.
indicate an untrusted or invalid site security certificate, displaying alert icons, strikethrough URLs, and possible content blocking in the browser.
49
Certificate warnings causes
can arise due to a self-signed or untrusted certificate authority (CA), a mismatch between the browser-requested FQDN and the certificate's subject name, or an expired/revoked certificate.
50
Improper certificate
use can indicate a misconfigured site or a malware attack attempting to redirect users to a spoofed page. In a **man-in-the-middle (MITM) attack**, a malicious proxy intercepts a secure request and presents a fake certificate. If accepted or overridden by the user, the attacker gains control over the session, allowing them to intercept and manipulate encrypted traffic without detection. Analyzing certificate details and verifying URLs is crucial to identifying and mitigating such threats.
51
seven-step malware removal process
includes verifying symptoms, quarantining infected systems, disabling System Restore, updating and scanning with anti-malware tools, scheduling future scans, re-enabling System Restore, and educating users. Antivirus vendors maintain databases of malware types, symptoms, and removal methods to assist in identifying and mitigating threats effectively.
52
Infected Systems Quarantine
Once malware symptoms are confirmed, quarantining the infected system prevents further spread, while disabling System Restore ensures that malicious files aren't inadvertently restored. These steps help contain the infection before remediation.
53
Quarantine Infected Systems
prevents malware from spreading by restricting network communication and administrative access. Disconnect the device from the network, move it to a secure segment or sandbox, and ensure that necessary tools can be accessed without compromising the production network. Additionally, scan and isolate any removable media that may have been used, as it could harbor the infection.
54
sandbox
is a controlled and isolated environment used to safely analyze and execute potentially malicious code or applications.
55
Disabling System Restore
prevents reinfection by ensuring that malware isn't restored from previous backups. Since automated backup systems like File History may also contain infected files, it's safest to delete old restore points. If retention is necessary, scanning backups with antivirus software helps verify their integrity before recovery.
56
Malware Removal Tools and Methods
Antivirus software is the primary tool for malware removal, but if it fails to detect a threat, using a different suite or scanning the disk from another system may be necessary. Modern antivirus solutions protect against various threats, including viruses, worms, Trojans, ransomware, and cryptominers. Infected files can be cleaned, quarantined, or deleted, with false positives occasionally requiring manual review.
57
Recovery mode for malware removal
involves manually disabling persistence mechanisms and restoring the system to a secure baseline. This includes terminating suspicious processes via Task Manager, using regedit to remove malicious registry entries, booting into Safe Mode with **msconfig**, running commands in Windows Preinstallation Environment (WinPE), and scanning the infected disk from a separate system while preventing cross-infection.
58
OS reinstallation
If malware has embedded itself deeply into the system, antivirus software may be ineffective, requiring a full OS reinstallation. This process includes **reformatting the disk, reinstalling the OS and applications**, and restoring data from a verified clean backup to eliminate persistent threats.
59
# malware prevention On-access scanning
enables antivirus software to inspect files when they are accessed, preventing malware execution before it occurs. While it may slightly impact performance, it is crucial for real-time protection.
60
# malware prevention Scheduled scans
help detect malware proactively but can affect system performance, so they should run when the computer is idle. Regular updates to malware definitions and antivirus engines are essential for maintaining strong security.
61
# malware prevention Re-enable System Restore
After malware removal, re-enable System Restore and automatic backups, create a fresh restore point, validate security-critical services, inspect DNS settings for spoofing risks, and restore firewall configurations to block unauthorized access. Conduct a final antivirus scan before safely returning the system to service.
62
# malware prevention User education
is critical for malware prevention, as untrained individuals are vulnerable to phishing and social engineering attacks. Training should cover password management, security features, threat awareness, safe browsing and email practices, and anti-phishing techniques. Continuous education ensures that knowledge remains up-to-date against evolving threats.
63