EC-Council
312-50V10 Question #673: Real Exam Question with Answer & Explanation
The correct answer is E: Reload from known good media.
Malware Threats
Question
What is the BEST alternative if you discover that a rootkit has been installed on one of your computers?
Options
- A. Copy the system files from a known good system
- B. Perform a trap and trace
- C. Delete the files and try to determine the source
- D. Reload from a previous backup
- E. Reload from known good media
Explanation
When a rootkit is confirmed, the only reliable remediation is reloading the OS from known good original media because rootkits can persist through most other recovery methods.
Common mistakes.
- A. Copying system files from another system may miss rootkit components embedded in the kernel, boot record, or firmware, leaving the system still compromised.
- B. Trap and trace is a network monitoring technique used to identify an attacker's origin, not a remediation step for an already-installed rootkit.
- C. Deleting identified files does not guarantee complete removal because rootkits often hide additional components that standard file operations cannot see or reach.
- D. Reloading from a previous backup risks restoring an already-infected state if the backup was taken after the rootkit was installed, or may not remove kernel-level hooks.
Concept tested. Rootkit incident response and remediation best practice.
Reference. https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/rootkits-malware
Topics
rootkit remediation, incident response, system recovery, known good media