CISSP · Question #1334
Which of the following is the MOST effective measure for dealing with rootkit attacks?
The correct answer is D. Reinstalling the system from trusted sources. Rootkits deeply embed themselves into the OS kernel and core system files, making complete eradication extremely difficult without a full reinstallation from trusted, verified media.
Question
Which of the following is the MOST effective measure for dealing with rootkit attacks?
Options
- ATuring off unauthorized services and rebooting the system
- BFinding and replacing the altered binaries with legitimate ones
- CRestoring the system from the last backup
- DReinstalling the system from trusted sources
How the community answered
(20 responses)- A5% (1)
- B5% (1)
- C10% (2)
- D80% (16)
Why each option
Rootkits deeply embed themselves into the OS kernel and core system files, making complete eradication extremely difficult without a full reinstallation from trusted, verified media.
Turning off unauthorized services and rebooting does not remove a rootkit because rootkits are designed to persist through reboots by embedding themselves at the kernel or bootloader level, reactivating automatically on system start.
Replacing altered binaries is insufficient because rootkits can hide their presence by intercepting system calls, meaning the tools used to identify and replace binaries may themselves be compromised and unable to accurately detect all affected files.
Restoring from the last backup is unreliable because the rootkit may have been present and embedded in the system before the backup was taken, meaning the restored backup could contain the same infection.
Reinstalling from trusted sources is the most effective measure because rootkits operate at the kernel or firmware level, hooking into core OS functions and potentially corrupting the very tools used to detect or remove them. Since the integrity of the compromised system cannot be guaranteed, a clean reinstall from verified, untampered media ensures all malicious code is eliminated. This is the industry-recommended approach as any other method risks leaving remnants of the rootkit in place.
Concept tested: Rootkit remediation and incident response best practices
Source: https://www.cisa.gov/sites/default/files/publications/Ransomware_Guide_0.pdf
Topics
Community Discussion
No community discussion yet for this question.