SY0-501 Question #118: Real Exam Question with Answer & Explanation

The correct answer is B: The file was infected when the patch manager downloaded it. This question tests the ability to analyze patch management integrity and identify the point of compromise in a software supply chain attack.

Submitted by rania.sa · Mar 4, 2026

Question

A security administrator has found a hash in the environment known to belong to malware. The administrator then finds this file to be in the preupdate area of the OS, which indicates it was pushed from the central patch system. The administrator pulls a report from the patch management system with the following output: Given the above outputs, which of the following MOST likely happened?

Options

  • A. The file was corrupted after it left the patch system.
  • B. The file was infected when the patch manager downloaded it.
  • C. The file was not approved in the application whitelist system.
  • D. The file was embedded with a logic bomb to evade detection.

Explanation

This question tests the ability to analyze patch management integrity and identify the point of compromise in a software supply chain attack.

Common mistakes.

  • A. File corruption after leaving the patch system would typically result in a hash mismatch with the original patch, not a match with a known malware hash, making intentional malware infection a more accurate conclusion.
  • C. An application whitelist system would block execution of an unapproved file but would not explain why the file's hash matches known malware, nor would it account for how the malicious file entered via the patch system.
  • D. A logic bomb is a payload that triggers under specific conditions and is a separate concept from how the file entered the environment; the scenario describes a file already identified by hash as malware, not behavior-based evasion.

Concept tested. Supply chain compromise via patch management system

Reference. https://www.cisa.gov/topics/cyber-threats-and-advisories/threats/supply-chain-compromise
