nerdexam
GIAC

GCIH · Question #521

Which of the following methods is the most likely to detect a user mode rootkit?

The correct answer is C. Run a file integrity checker such as Tripwire or AIDE from read-only media. The most reliable method of detecting a rootkit that has been installed on a system is to install a file integrity checker program like Tripwire or AIDE before a system is put on the network, and create a database of signatures to be stored off-line in read-only format. Then run

Malware Analysis & Advanced Persistent Threats

Question

Which of the following methods is the most likely to detect a user mode rootkit?

Options

  • ARun the strings command on the /bin/login binary
  • BUse the fc command to compare the kernel to a known good version
  • CRun a file integrity checker such as Tripwire or AIDE from read-only media
  • DCompare the output of the Is command against that of the 鈥find鈥 command

How the community answered

(33 responses)
  • A
    3% (1)
  • B
    9% (3)
  • C
    85% (28)
  • D
    3% (1)

Explanation

The most reliable method of detecting a rootkit that has been installed on a system is to install a file integrity checker program like Tripwire or AIDE before a system is put on the network, and create a database of signatures to be stored off-line in read-only format. Then run the integrity checker periodically to recreate the signatures of the files and compare them against the off-line database of signatures to determine if a file was changed.

Topics

#rootkit detection#file integrity#Tripwire#user mode rootkit

Community Discussion

No community discussion yet for this question.

Full GCIH Practice