CompTIA Security Plus Mock Test Q337

A security researcher wants to reverse engineer an executable file to determine if it is malicious. The file was found on an underused server and appears to contain a zero-day exploit. Which of the following can the researcher do to determine if the file is malicious in nature?

A. TCP/IP socket design review
B. Executable code review
C. OS Baseline comparison
D. Software architecture review

Correct Answer: C
Section: Compliance and Operational Security

Zero-day exploits take advantage of holes in software from the very day the hole is discovered, so it is very difficult to respond to one. Often, the only thing that you as a security administrator can do is to turn off the affected service. Although this can be a costly undertaking in terms of productivity, it is the only way to keep the network safe. In this case you want to check whether the executable file is malicious. Since a baseline represents a known secure state, it would be possible to check the nature of the executable file in an isolated environment by comparing the server's files against the OS baseline.
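One way to carry out the baseline comparison the explanation describes, as an added example that is not from the study guide: record a hash of every file in the known-good image, then diff the suspect server's files against it so that new, modified and missing files stand out. The directory tree and file contents below are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def file_sha256(path):
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map each relative path under root to its SHA-256 (the known-good state)."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): file_sha256(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare_to_baseline(baseline, root):
    """Return files that are new, modified or missing relative to the baseline."""
    current = build_baseline(root)
    return {
        "new": sorted(set(current) - set(baseline)),
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
        "missing": sorted(set(baseline) - set(current)),
    }


def demo():
    """Constructed scenario: baseline a clean tree, then tamper with a binary and drop an unknown file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "sshd").write_bytes(b"\x7fELF known-good sshd")
        (root / "etc").mkdir()
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        baseline = build_baseline(root)  # taken from the trusted image

        # Simulated state of the underused server under review
        (root / "bin" / "sshd").write_bytes(b"\x7fELF tampered sshd")
        (root / "tmp").mkdir()
        (root / "tmp" / "suspect.bin").write_bytes(b"\x7fELF unknown payload")
        return compare_to_baseline(baseline, root)


if __name__ == "__main__":
    print(demo())  # {'new': ['tmp/suspect.bin'], 'modified': ['bin/sshd'], 'missing': []}
```

Anything listed under "new" or "modified" is what the researcher would then examine in the isolated environment; files that match the baseline are accounted for.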

Incorrect Answers:
A: A socket is a combination of IP address and port number. A TCP/IP socket design review is useful since sockets are the primary method used to communicate with services and applications such as the Web and Telnet. It is not used to check if an underused server may have a zero-day exploitable file.
B: Executable code review: executable scripts often run at elevated permission levels and can infect more components in your network, so this is best done with the underused server in isolation. The purpose of code review is to look at all custom-written code for holes that may exist. The review also needs to examine changes that the code — most likely in the form of a finished application — may make: configuration files, libraries, and the like. This could be unwise to run if you suspect a zero-day exploit.
D: Software architecture review is not the way to check whether an existing file on a server is malicious or not. Comparing the existing files to a baseline would be a better option.

Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis, 2014, pp. 338, 345-346