A security analyst reviews SIEM logs and detects a well-known malicious executable running in a Windows machine. The up-to-date antivirus cannot detect the malicious executable. Which of the following is the MOST likely cause of this issue?
A. The malware is fileless and exists only in physical memory.
B. The malware detects and prevents its own execution in a virtual environment.
C. The antivirus does not have the malware's signature.
D. The malware is being executed with administrative privileges.
A is the MOST likely answer. I would dismiss C, specifically because of the "up-to-date" and "well-known" statements. Additionally, fileless malware can still be detected by some modern AV, but in this event, A is the most likely to me.
C. The antivirus does not have the malware's signature. Antivirus relies on signature-based detection, and new or obfuscated malware might evade detection until the antivirus is updated with the latest signatures.
C. The antivirus does not have the malware's signature.
If the antivirus cannot detect the malicious executable, it may be because the antivirus does not have the specific signature or pattern of the malware in its database. Antivirus programs rely on signatures, heuristics, and other detection methods to identify and block known malware. If the malware is new or has been modified in a way that changes its signature, the antivirus may not be able to recognize it.
Even though it is "well-known" and the antivirus is "up-to-date", it does not mean that the signatures are in the AV. The only reason I don't think it's fileless is because the security analyst detected a well-known EXECUTABLE (which is a file). So how the hell could it be fileless? Not a good question.
Great, now I am second guessing myself after reading this article.
"fileless refers to the fact that attackers leverage Windows PowerShell to load an executable file directly into memory rather than writing it to the disk (where it can be detected by average malware scanners)."
"https://www.sentinelone.com/cybersecurity-101/fileless-malware/#:~:text=In%20cases%20like%20this%2C%20fileless%20refers%20to%20the,it%20can%20be%20detected%20by%20average%20malware%20scanners%29".
I think when test time comes... I will pray this doesn't show up. But, at this point I'd probably go with A.
I will be the only one to go with C then
C. The antivirus does not have the malware's signature.
Antivirus software typically relies on a database of known malware signatures to detect and prevent malicious executables from running on a system. If the antivirus does not have the specific signature of the well-known malicious executable in its database, it will not be able to identify and block it.
CompTIA guide says:
"Most modern malware uses similar fileless techniques to avoid detection by signature-based A-V and file integrity monitoring security software. Fileless means that the malware code is executed by a script or small piece of shellcode to create a process in system memory without having to use the local file system; some fileless techniques do depend on dropping the initial script to a temporary directory, though."
The SIEM detects a "malicious executable" AKA a FILE right? Why would a fileless virus be using a malicious file?
I think C - just because the antivirus is up-to-date doesn't mean it has the same signatures as every other antivirus. Check your results on Hybrid Analysis or VirusTotal, and you will see - not every AV detects threats as threats. Maybe they have a crappy antivirus.
Antivirus software typically relies on malware signatures or patterns to detect and block malware. Malware signatures are unique characteristics or patterns of code that are associated with specific malware variants. If the malware does not have a signature that is recognized by the antivirus, it will not be detected or blocked, even if the antivirus is up-to-date.
Re-read the question. The analyst detects the executable, not the AV software. I take this as an analyst browsing/searching through log files and seeing a suspicious executable (file), so it cannot be fileless. The only answer that makes sense is C.
Fileless malware can be difficult to detect by traditional antivirus (AV) software, as it does not rely on creating or modifying files on a system's hard drive. Instead, fileless malware operates entirely in memory, using legitimate system processes and tools, such as PowerShell or Windows Management Instrumentation (WMI), to carry out its malicious activities. Some AV software may be able to detect fileless malware by monitoring system memory and identifying suspicious behavior, but it is generally considered more difficult to detect than malware that uses files.
A. The malware is fileless and exists only in physical memory.
Fileless malware is a type of malware that lives in the memory of a computer, rather than on its hard drive. Because the malware doesn't create files or leave traces of itself on the hard drive, it can be difficult to detect with traditional antivirus software. It may evade detection by running only in memory, and it may also manipulate or hide itself from the operating system, making it difficult to detect.
The malware detects and prevents its own execution in a virtual environment (B) is a technique used by some advanced persistent threat (APT) groups, but it is not the most likely cause of this issue.
The antivirus does not have the malware's signature (C) is a possible cause but it's not the most likely cause since the malware is known by the analyst.
The malware is being executed with administrative privileges (D) is a possible cause, but it's not the most likely cause since the malware is fileless and exists only in physical memory.
The AV vendor most likely doesn't contain the malicious signature. This is the case in VirusTotal as well, you can search a known malicious hash and you'd be surprised how many AV vendors it bypasses.
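As an added defender-side illustration that is not part of this thread, the following Python script models the two mechanisms the comments argue over: a hash that one AV vendor's signature set lacks while the analyst's own threat-intel feed has it (answer C), and a payload loaded straight into a host process's memory that leaves no file for a signature scanner to hash (answer A). The signature sets, hashes, hostnames, paths and command lines are all constructed for the example.

```python
"""Triage SIEM process events against an AV signature set and an analyst intel feed.

Constructed example: the AV signature set, the intel feed and every event below
are made up so that the script runs offline.
"""
import hashlib
from dataclasses import dataclass


def sha256_hex(data: bytes) -> str:
    """SHA-256 of a byte string, the identifier signature databases key on."""
    return hashlib.sha256(data).hexdigest()


# Hashes derived from constructed stand-in file contents (not real samples).
KNOWN_BAD_COVERED = sha256_hex(b"constructed sample: tool covered by the AV signatures")
KNOWN_BAD_GAP = sha256_hex(b"constructed sample: tool known to the analyst, not to this AV")
BENIGN = sha256_hex(b"constructed sample: legitimate notepad build")

# Hypothetical signature set of the endpoint AV: one vendor's view of "known bad".
AV_SIGNATURES = {KNOWN_BAD_COVERED}

# Hypothetical analyst threat-intel list (e.g. a shared feed); broader than the AV's set,
# which is exactly the situation where an up-to-date AV still misses a well-known file.
THREAT_INTEL = {KNOWN_BAD_COVERED, KNOWN_BAD_GAP}


@dataclass
class ProcEvent:
    host: str
    process: str          # image of the process the SIEM saw
    payload_path: str     # on-disk path of the loaded payload; "" if it never touched disk
    payload_sha256: str   # hash of that file; "" when there is no file to hash
    cmdline: str


def classify(ev: ProcEvent) -> str:
    """Explain why a signature-based AV would or would not flag this event."""
    if not ev.payload_path or not ev.payload_sha256:
        # Nothing was written to disk, so a file scanner has no bytes to match a
        # signature against; only memory or behaviour analysis can see this (answer A).
        return "fileless_no_file_to_scan"
    if ev.payload_sha256 in AV_SIGNATURES:
        return "av_signature_hit"
    if ev.payload_sha256 in THREAT_INTEL:
        # The analyst's feed knows this hash, the AV's signature set does not (answer C).
        return "known_bad_missing_av_signature"
    return "no_match"


def triage(events):
    """Group hosts by verdict so the gaps between AV and intel coverage stand out."""
    verdicts = {}
    for ev in events:
        verdicts.setdefault(classify(ev), []).append(ev.host)
    return verdicts


# Constructed SIEM process-creation events.
SAMPLE_EVENTS = [
    ProcEvent("ws01", "tool.exe", r"C:\Users\a\Downloads\tool.exe", KNOWN_BAD_COVERED, "tool.exe"),
    ProcEvent("ws02", "svc.exe", r"C:\Users\b\AppData\Local\Temp\svc.exe", KNOWN_BAD_GAP, "svc.exe -s"),
    # Payload decoded from a script and loaded into the host process; no file on disk.
    ProcEvent("ws03", "powershell.exe", "", "", "powershell.exe -EncodedCommand <base64 omitted>"),
    ProcEvent("ws04", "notepad.exe", r"C:\Windows\System32\notepad.exe", BENIGN, "notepad.exe"),
]

if __name__ == "__main__":
    for verdict, hosts in triage(SAMPLE_EVENTS).items():
        print(f"{verdict}: {', '.join(hosts)}")
```

The "known_bad_missing_av_signature" bucket is the point of the thread: the SIEM, enriched with a broader hash list, can flag a file the endpoint AV never had a signature for, and checking the same hash against several vendors (as the VirusTotal comment suggests) shows how uneven that coverage is.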