PrepAway - Latest Free Exam Questions & Answers

Which of the following can the researcher do to determine if the file is malicious in nature?

A security researcher wants to reverse engineer an executable file to determine if it is malicious. The file
was found on an underused server and appears to contain a zero-day exploit. Which of the following can
the researcher do to determine if the file is malicious in nature?

A.
TCP/IP socket design review

B.
Executable code review

C.
OS Baseline comparison

D.
Software architecture review

Explanation:
Zero-Day Exploits begin exploiting holes in any software the very day it is discovered. It is very difficult to
respond to a zero-day exploit. Often, the only thing that you as a security administrator can do is to turn
off the service. Although this can be a costly undertaking in terms of productivity, it is the only way to
keep the network safe. In this case you want to check if the executable file is malicious. Since a baseline
represents a known secure state, it would be possible to check the nature of the executable file in an isolated
environment by comparing it against the OS baseline.
Incorrect Answers:
A: A socket is a combination of IP address and port number. A TCP/IP socket design review is useful since
sockets are the primary method used to communicate with services and applications such as the Web
and Telnet. It is not used to check if an underused server may have a zero-day exploitable file.
B: Executable code review. Executable scripts often run at elevated permission levels and infect more
components in your network. This is best done with the underused server in isolation. The purpose of
code review is to look at all custom written code for holes that may exist. The review also needs to examine
changes that the code—most likely in the form of a finished application—may make: configuration files,
libraries, and the like. Running the file for review could be unwise if you suspect a zero-day exploit.
D: Software architecture review is not the way to check whether an existing file on a server is malicious or not.
Comparing the existing files to a baseline would be a better option.
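As an added illustration of the baseline comparison the answer describes (example code written for this note, not from the study guide or this page): on an isolated copy of the server, hash every file and diff the result against a stored baseline manifest, so that unknown or altered files stand out. The manifest format (relative path to SHA-256) and the sample paths are assumptions.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Assumed manifest format: {relative_path: sha256_hexdigest}, recorded when the
# host was in a known-good state and stored off the host being examined.

def hash_file(path: Path) -> str:
    """Return the SHA-256 hex digest of a file, read in 64 KiB chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root: Path) -> dict[str, str]:
    """Walk root and hash every regular file (symlinks skipped), keyed by relative path."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_file() and not p.is_symlink():
                manifest[p.relative_to(root).as_posix()] = hash_file(p)
    return manifest

def compare_to_baseline(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify each path as added, modified, removed or unchanged relative to the baseline.
    'added' files are the ones with no counterpart in the secure state and deserve first attention."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    unchanged = sorted(p for p in current if p in baseline and current[p] == baseline[p])
    return {"added": added, "modified": modified, "removed": removed, "unchanged": unchanged}

if __name__ == "__main__":
    # Constructed demo tree: record a baseline, then drop in an unexpected binary and
    # alter a config file, as might be found on the underused server in the question.
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "app.conf").write_text("debug=off\n")
        (root / "bin").mkdir()
        (root / "bin" / "service").write_bytes(b"\x7fELF known-good service")
        baseline = build_manifest(root)
        (root / "etc" / "app.conf").write_text("debug=on\n")
        (root / "bin" / "update.exe").write_bytes(b"MZ unexpected binary")
        report = compare_to_baseline(baseline, build_manifest(root))
        for kind in ("added", "modified", "removed"):
            print(f"{kind}: {report[kind]}")
```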

Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis,
2014, pp. 338, 345-346
http://www.techrepublic.com/blog/software-engineer/reverse-engineering-your-net-applications/
