
SY0-301 · Question #789

SY0-301 Question #789: Real Exam Question with Answer & Explanation

The correct answer is C: OS Baseline comparison.

Question

A security researcher wants to reverse engineer an executable file to determine if it is malicious. The file was found on an underused server and appears to contain a zero-day exploit. Which of the following can the researcher do to determine if the file is malicious in nature?

Options

  • A. TCP/IP socket design review
  • B. Executable code review
  • C. OS Baseline comparison
  • D. Software architecture review

Explanation

Because the exploit is zero-day, it will not have known signatures in antivirus databases, making traditional signature scanning ineffective. An OS Baseline comparison involves comparing the current system state - files, registry entries, running processes, and configurations - against a known-good, clean snapshot (the baseline). Deviations from the baseline reveal unauthorized files, modified system files, or suspicious changes the executable may have caused, indicating malicious behavior. This is a key forensic and heuristic technique for detecting unknown malware. Executable code review (B) is a valid reverse engineering technique, but OS baseline comparison is more practical for quickly determining if the file has already impacted the system. TCP/IP socket and software architecture reviews (A, D) do not directly analyze the binary's behavior or impact.
