312-50V11 · Question #673
What is the BEST alternative if you discover that a rootkit has been installed on one of your computers?
The correct answer is E. Reload from known good media. A rootkit deeply compromises the operating system, making the only reliable remediation a full reload from trusted, uninfected installation media.
Question
What is the BEST alternative if you discover that a rootkit has been installed on one of your computers?
Options
- ACopy the system files from a known good system
- BPerform a trap and trace
- CDelete the files and try to determine the source
- DReload from a previous backup
- EReload from known good media
How the community answered
(42 responses)- A2% (1)
- B5% (2)
- E93% (39)
Why each option
A rootkit deeply compromises the operating system, making the only reliable remediation a full reload from trusted, uninfected installation media.
Copying system files from another system does not guarantee removal of all rootkit components, especially those embedded in the registry, firmware, or non-OS locations.
Trap and trace is a network monitoring technique used to identify attackers, not a method to remediate a rootkit infection on a host.
Deleting visible rootkit files is ineffective because rootkits use stealth techniques to hide their presence and may have hidden components that survive deletion.
Reloading from a previous backup is risky because the backup may predate discovery but not the infection, meaning the rootkit could already be present in the backup image.
Rootkits replace or hook into core OS components, making the infected system untrustworthy for any in-place recovery. Reloading from known good media (a clean OS installation source) guarantees no rootkit code persists, as it bypasses any potentially compromised files, backups, or system utilities on the infected machine.
Concept tested: Rootkit remediation and incident response
Source: https://www.cisa.gov/sites/default/files/publications/Rootkits_FS_S508C.pdf
Topics
Community Discussion
No community discussion yet for this question.