nerdexam
EC-Council

312-50V11 · Question #281

A company has hired a security administrator to maintain and administer Linux and Windows- based systems. Written in the nightly report file is the following: - Firewall log files are at the expected

The correct answer is D. Log the event as suspicious activity, continue to investigate, and act according to the site's. Firewall log files shrinking repeatedly after midnight is a strong indicator of log tampering or deletion, which warrants investigation before escalation.

System Hacking

Question

A company has hired a security administrator to maintain and administer Linux and Windows- based systems. Written in the nightly report file is the following:

  • Firewall log files are at the expected value of 4 MB.
  • The current time is 12am. Exactly two hours later the size has

decreased considerably.

  • Another hour goes by and the log files have shrunk in size again.

Which of the following actions should the security administrator take?

Options

  • ALog the event as suspicious activity and report this behavior to the incident response team
  • BLog the event as suspicious activity, call a manager, and report this as soon as possible.
  • CRun an anti-virus scan because it is likely the system is infected by malware.
  • DLog the event as suspicious activity, continue to investigate, and act according to the site's

How the community answered

(35 responses)
  • A
    3% (1)
  • B
    9% (3)
  • C
    3% (1)
  • D
    86% (30)

Why each option

Firewall log files shrinking repeatedly after midnight is a strong indicator of log tampering or deletion, which warrants investigation before escalation.

ALog the event as suspicious activity and report this behavior to the incident response team

Reporting immediately to the incident response team without further investigation may bypass the site's established policy and skip necessary evidence-gathering steps.

BLog the event as suspicious activity, call a manager, and report this as soon as possible.

Calling a manager immediately is premature - the site's incident response policy should dictate escalation paths, and acting outside that process can compromise the investigation.

CRun an anti-virus scan because it is likely the system is infected by malware.

Running an antivirus scan is not the appropriate first response to log file size anomalies, which more specifically suggest log tampering or deletion rather than malware infection.

DLog the event as suspicious activity, continue to investigate, and act according to the site'sCorrect

Log files should only grow unless they are being cleared or rotated, and unexpected shrinkage at irregular intervals suggests an attacker may be covering their tracks by deleting log entries. The correct procedure is to document the anomaly, continue gathering evidence, and follow the site's incident response policy rather than escalating prematurely or taking unilateral action. Acting according to established site policy ensures proper chain of custody and appropriate escalation steps.

Concept tested: Incident response procedures for log file anomalies

Source: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf

Topics

#log tampering#covering tracks#incident response#firewall logs

Community Discussion

No community discussion yet for this question.

Full 312-50V11 Practice