GCIH · Question #521
Which of the following methods is the most likely to detect a user mode rootkit?
The correct answer is C. Run a file integrity checker such as Tripwire or AIDE from read-only media. The most reliable method of detecting a rootkit that has been installed on a system is to install a file integrity checker program like Tripwire or AIDE before a system is put on the network, and create a database of signatures to be stored off-line in read-only format. Then run
Question
Which of the following methods is the most likely to detect a user mode rootkit?
Options
- ARun the strings command on the /bin/login binary
- BUse the fc command to compare the kernel to a known good version
- CRun a file integrity checker such as Tripwire or AIDE from read-only media
- DCompare the output of the Is command against that of the 鈥find鈥 command
How the community answered
(33 responses)- A3% (1)
- B9% (3)
- C85% (28)
- D3% (1)
Explanation
The most reliable method of detecting a rootkit that has been installed on a system is to install a file integrity checker program like Tripwire or AIDE before a system is put on the network, and create a database of signatures to be stored off-line in read-only format. Then run the integrity checker periodically to recreate the signatures of the files and compare them against the off-line database of signatures to determine if a file was changed.
Topics
Community Discussion
No community discussion yet for this question.