SY0-301 · Question #789
A security researcher wants to reverse engineer an executable file to determine if it is malicious. The file was found on an underused server and appears to contain a zero-day exploit. Which of the fo
The correct answer is C. OS Baseline comparison. Because the exploit is zero-day, it will not have known signatures in antivirus databases, making traditional signature scanning ineffective. An OS Baseline comparison involves comparing the current system state - files, registry entries, running processes, and configurations - a
Question
A security researcher wants to reverse engineer an executable file to determine if it is malicious. The file was found on an underused server and appears to contain a zero-day exploit. Which of the following can the researcher do to determine if the file is malicious in nature?
Options
- ATCP/IP socket design review
- BExecutable code review
- COS Baseline comparison
- DSoftware architecture review
How the community answered
(18 responses)- A6% (1)
- B17% (3)
- C72% (13)
- D6% (1)
Explanation
Because the exploit is zero-day, it will not have known signatures in antivirus databases, making traditional signature scanning ineffective. An OS Baseline comparison involves comparing the current system state - files, registry entries, running processes, and configurations - against a known-good, clean snapshot (the baseline). Deviations from the baseline reveal unauthorized files, modified system files, or suspicious changes the executable may have caused, indicating malicious behavior. This is a key forensic and heuristic technique for detecting unknown malware. Executable code review (B) is a valid reverse engineering technique, but OS baseline comparison is more practical for quickly determining if the file has already impacted the system. TCP/IP socket and software architecture reviews (A, D) do not directly analyze the binary's behavior or impact.
Topics
Community Discussion
No community discussion yet for this question.