312-50V10 · Question #673
What is the BEST alternative if you discover that a rootkit has been installed on one of your computers?
The correct answer is E. Reload from known good media. When a rootkit is confirmed, the only reliable remediation is reloading the OS from known good original media because rootkits can persist through most other recovery methods.
Question
What is the BEST alternative if you discover that a rootkit has been installed on one of your computers?
Options
- ACopy the system files from a known good system
- BPerform a trap and trace
- CDelete the files and try to determine the source
- DReload from a previous backup
- EReload from known good media
How the community answered
(20 responses)- A5% (1)
- E95% (19)
Why each option
When a rootkit is confirmed, the only reliable remediation is reloading the OS from known good original media because rootkits can persist through most other recovery methods.
Copying system files from another system may miss rootkit components embedded in the kernel, boot record, or firmware, leaving the system still compromised.
Trap and trace is a network monitoring technique used to identify an attacker's origin, not a remediation step for an already-installed rootkit.
Deleting identified files does not guarantee complete removal because rootkits often hide additional components that standard file operations cannot see or reach.
Reloading from a previous backup risks restoring an already-infected state if the backup was taken after the rootkit was installed, or may not remove kernel-level hooks.
Rootkits can modify the kernel, boot sector, or core system binaries, meaning the compromised OS cannot be trusted to accurately report its own state or fully remove the infection. Reloading from known good original media (such as vendor-supplied installation media) guarantees a clean, uncompromised baseline. This is the only method that eliminates the risk of reintroducing a rootkit that may have persisted in a backup or partial file copy.
Concept tested: Rootkit incident response and remediation best practice
Source: https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/rootkits-malware
Topics
Community Discussion
No community discussion yet for this question.