Exam CS0-002 topic 1 question 47 discussion

I would check the hash against virustotal before doing anything else

C. Run an antivirus against the binaries to check for malware.

I see people leaning to C option but how would an analyst know that a machine is compromised??? they do already have AV in place that flagged the machine. The analyst wants to confirm if that payload is malicious only, so he will open Virus total and check the hash if it was flagged by other sources. Option A is the correct one.

I was leaning toward C, and verified with other websites that others are leaning toward C as well. Why would you ask and wait for an answer from a trusted source when you could just quickly run a scan and get the answer you are looking for?

Validating the binaries' hashes from a trusted source or using file integrity monitoring to validate the digital signature may be helpful, but they do not guarantee that the binaries are not malicious. Similarly, only allowing whitelisted binaries to execute can be a good security practice, but it does not address the immediate concern of the potentially compromised machine. Therefore, running an antivirus is the most appropriate step in this scenario.

"after extracting strings..unexpected content"....gives direction to what he is trying to confirm

My thought process is that the AV should have already caught those binaries if they. have the signatures or hash. I would check the binaries hash first. So A for me.

Question is asking for the NEXT step. We already know that binaries are already compromised as the questions stated that the analyst observed abnormal behavior and unexpected strings in the file. NEXT step to take is to run an antivirus against the binaries.

Well... I would run the full anti-malware scan first, in the meantime (while the scanning is in progress), I would go and compare the hash. Both actions at the same time, but the first one it's to rule out/discard/contain/delete a threat in place. If the hash is clean and/or the report shows no results for threats, then we are good :) I talked based on my experience.

Validate the hash is first action i think.

Validating the hashes of the binaries from a trusted source and using file integrity monitoring to validate the digital signature can be important steps in the forensic analysis process, but they do not directly address the issue of the unexpected content found in the binaries. Running an antivirus against the binaries to check for malware is a more direct step to determine if the abnormal behaviors are a result of malicious activity. If the binaries are found to contain malware, then steps can be taken to mitigate the threat and prevent further harm, such as only allowing whitelisted binaries to execute.

"...After extracting the strings, the analyst finds unexpected content..." something different or something that should not be there...you validate the hash to confirm why data was altered/changed/edited and is not what is expected

A it is

A wouldn't hurt to do, but C seems like the more thorough answer

Hey amateurguy, I literally said the exact same thing. I also checked another site and they have C as the answer as well. I selected C too. I searched more before Submitting this and found another site for C and another for A. I am going for C!

This is confusing, why would you try to validate the binaries against a trust source when you already know its a compromised machine and you know theres binaries exhibiting abnormal behaviour. Wouldn't C be the most reasonable thing to do?