nerdexam
EC-Council

312-50V10 · Question #673

What is the BEST alternative if you discover that a rootkit has been installed on one of your computers?

The correct answer is E. Reload from known good media. When a rootkit is confirmed, the only reliable remediation is reloading the OS from known good original media because rootkits can persist through most other recovery methods.

Malware Threats

Question

What is the BEST alternative if you discover that a rootkit has been installed on one of your computers?

Options

  • ACopy the system files from a known good system
  • BPerform a trap and trace
  • CDelete the files and try to determine the source
  • DReload from a previous backup
  • EReload from known good media

How the community answered

(20 responses)
  • A
    5% (1)
  • E
    95% (19)

Why each option

When a rootkit is confirmed, the only reliable remediation is reloading the OS from known good original media because rootkits can persist through most other recovery methods.

ACopy the system files from a known good system

Copying system files from another system may miss rootkit components embedded in the kernel, boot record, or firmware, leaving the system still compromised.

BPerform a trap and trace

Trap and trace is a network monitoring technique used to identify an attacker's origin, not a remediation step for an already-installed rootkit.

CDelete the files and try to determine the source

Deleting identified files does not guarantee complete removal because rootkits often hide additional components that standard file operations cannot see or reach.

DReload from a previous backup

Reloading from a previous backup risks restoring an already-infected state if the backup was taken after the rootkit was installed, or may not remove kernel-level hooks.

EReload from known good mediaCorrect

Rootkits can modify the kernel, boot sector, or core system binaries, meaning the compromised OS cannot be trusted to accurately report its own state or fully remove the infection. Reloading from known good original media (such as vendor-supplied installation media) guarantees a clean, uncompromised baseline. This is the only method that eliminates the risk of reintroducing a rootkit that may have persisted in a backup or partial file copy.

Concept tested: Rootkit incident response and remediation best practice

Source: https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/rootkits-malware

Topics

#rootkit remediation#incident response#system recovery#known good media

Community Discussion

No community discussion yet for this question.

Full 312-50V10 Practice