nerdexam
(ISC)2

CISSP · Question #1334

Which of the following is the MOST effective measure for dealing with rootkit attacks?

The correct answer is D. Reinstalling the system from trusted sources. Rootkits deeply embed themselves into the OS kernel and core system files, making complete eradication extremely difficult without a full reinstallation from trusted, verified media.

Submitted by tom_us· Mar 5, 2026Security Operations

Question

Which of the following is the MOST effective measure for dealing with rootkit attacks?

Options

  • ATuring off unauthorized services and rebooting the system
  • BFinding and replacing the altered binaries with legitimate ones
  • CRestoring the system from the last backup
  • DReinstalling the system from trusted sources

How the community answered

(20 responses)
  • A
    5% (1)
  • B
    5% (1)
  • C
    10% (2)
  • D
    80% (16)

Why each option

Rootkits deeply embed themselves into the OS kernel and core system files, making complete eradication extremely difficult without a full reinstallation from trusted, verified media.

ATuring off unauthorized services and rebooting the system

Turning off unauthorized services and rebooting does not remove a rootkit because rootkits are designed to persist through reboots by embedding themselves at the kernel or bootloader level, reactivating automatically on system start.

BFinding and replacing the altered binaries with legitimate ones

Replacing altered binaries is insufficient because rootkits can hide their presence by intercepting system calls, meaning the tools used to identify and replace binaries may themselves be compromised and unable to accurately detect all affected files.

CRestoring the system from the last backup

Restoring from the last backup is unreliable because the rootkit may have been present and embedded in the system before the backup was taken, meaning the restored backup could contain the same infection.

DReinstalling the system from trusted sourcesCorrect

Reinstalling from trusted sources is the most effective measure because rootkits operate at the kernel or firmware level, hooking into core OS functions and potentially corrupting the very tools used to detect or remove them. Since the integrity of the compromised system cannot be guaranteed, a clean reinstall from verified, untampered media ensures all malicious code is eliminated. This is the industry-recommended approach as any other method risks leaving remnants of the rootkit in place.

Concept tested: Rootkit remediation and incident response best practices

Source: https://www.cisa.gov/sites/default/files/publications/Ransomware_Guide_0.pdf

Topics

#Rootkit#Malware remediation#Incident response#System reinstallation

Community Discussion

No community discussion yet for this question.

Full CISSP Practice