
Exam CS0-003 topic 1 question 73 discussion

Actual exam question from CompTIA's CS0-003
Question #: 73
Topic #: 1

An employee accessed a website that caused a device to become infected with invasive malware. The incident response analyst has:

• created the initial evidence log.
• disabled the wireless adapter on the device.
• interviewed the employee, who was unable to identify the website that was accessed.
• reviewed the web proxy traffic logs.

Which of the following should the analyst do to remediate the infected device?

  • A. Update the system firmware and reimage the hardware.
  • B. Install an additional malware scanner that will send email alerts to the analyst.
  • C. Configure the system to use a proxy server for Internet access.
  • D. Delete the user profile and restore data from backup.
Suggested Answer: A

Comments

RobV
Highly Voted 1 year, 4 months ago
Selected Answer: A
A. Update the system firmware and reimage the hardware. Reimaging the hardware involves wiping the device and restoring it to a known-good state. This is a common and effective remediation technique for malware infections. Updating the system firmware is also a good practice to ensure that known vulnerabilities are patched. It's important to perform these actions to eliminate the malware and any potential persistence mechanisms that may exist.
upvoted 8 times
kylestobaugh
Most Recent 8 months, 3 weeks ago
Selected Answer: A
This is common practice at my job. It makes more sense to wipe the whole machine and install a fresh OS to ensure no traces of the malware are on the machine; then you can back up data from a known-good state before the malware was applied.
upvoted 4 times
cartman_sc
10 months, 2 weeks ago
Selected Answer: D
The question is confusing, but in my opinion updating the firmware does not seem reasonable, since the root cause of the incident is not mentioned. Deleting the profile and restoring from backup seems closest to ideal.
upvoted 1 times
Kmelaun
11 months, 1 week ago
Selected Answer: B
B. Due to the following comment.
upvoted 1 times
Kmelaun
11 months, 1 week ago
This is tricky because the incident response team wasn't able to determine the root cause, so they wouldn't want to reimage the device; instead you would harden the device by increasing the security.
upvoted 1 times
Kmelaun
11 months, 1 week ago
Therefore I would pick B. I learned this from Dion's training.
upvoted 1 times
BanesTech
12 months ago
Selected Answer: D
Based on the actions taken so far and the need to remediate the infected device, the most appropriate option would be: D. Delete the user profile and restore data from backup. By deleting the user profile, you remove any potential lingering malware or malicious configurations associated with that profile. Then, restoring the data from a backup ensures that the device is returned to a known, clean state, reducing the risk of further infection or compromise. This approach effectively removes the malware and restores the device to a safe state without the need for extensive hardware changes or additional software installations.
upvoted 1 times
deeden
1 year, 4 months ago
Selected Answer: A
I agree with A since the website cannot be identified and there's no way of knowing the capability of malware without further analysis. It would be better if they clone it to run in a sandbox for study before purging.
upvoted 1 times
LiteralGod
1 year, 5 months ago
Selected Answer: A
The more I consider it, the more it makes sense that A is the correct answer. You have to clean the disk to ensure there's no persistence and reinstall the OS from fresh.
upvoted 1 times
nawdawgimgood
1 year, 6 months ago
Selected Answer: A
D cannot guarantee elimination of persistence. What kind of script kiddie garbage hides itself in a user profile and not at least in a central drive location? A is the only clear guarantee of remediation.
upvoted 1 times
kmordalv
1 year, 6 months ago
Selected Answer: A
Please, who has chosen these options as an answer? B and C have nothing to do with each other. These options are discarded. Let's go with the other two. During an incident, the system must be rebuilt, either from scratch or using an image or backup of the system from a known safe state. If the system was compromised because it contained a security vulnerability, and not because of the use of a compromised user account, it is likely that backups and images of that system will have that same vulnerability. After this explanation, it seems that option D is not the best option, as the malware could have infected system files and, by deleting and restoring the user's profile, the malware would still be there. Option A talks about firmware and reimaging the hardware. Wouldn't it be the software? Normally malware infects system files. Now then, it could be that the malware has exploited some vulnerability in the hardware, and in that case option A would be the best answer: once the hardware has been updated, proceed to restore the system.
upvoted 3 times
[Removed]
1 year, 6 months ago
Selected Answer: D
D) Deleting the user profile and restoring data from backup would be the best action to remediate the infected device, according to CompTIA CySA+ CS0-003 objective 3.2. Remediation involves removing malware and restoring systems. Deleting the infected user profile and restoring from a clean backup removes the malware persistence while restoring data. A) Firmware updates and a full reimage are unnecessary based on the details. B) Additional scanning software is useful but does not directly remediate. C) A proxy server helps prevent future infections but does not address current malware. Therefore, wiping the infected user profile and restoring data from backup aligns closest with effectively remediating the compromised system, as covered in the CS0-003 incident response domain.
upvoted 1 times
[Removed]
1 year, 5 months ago
If the malware was able to actually install, then there's a good chance it's able to get past the profile as well. At a minimum, it could write to things like the temp directory, public downloads, or tasks.
upvoted 3 times
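The point raised in the reply above, that malware which actually installed can persist outside the user profile, is something an analyst can check directly on the isolated host before deciding between a profile wipe and a reimage. The PowerShell script below is an added example written for this page; it is not the words of any commenter and not part of the exam material. It enumerates standard machine-wide persistence locations (HKLM autorun keys, non-Microsoft scheduled tasks, services with binaries outside the Windows directory, recently dropped executables in shared temp and download folders, and WMI event consumers). The registry paths, folders and the seven-day window are generic Windows defaults chosen for illustration, not anything known about this incident.

```powershell
# Added example (not from the exam question or any commenter): enumerate
# machine-wide persistence locations that survive deleting a single user profile.
# Run elevated on the isolated host. Locations are standard Windows defaults,
# not indicators from this incident.

$findings = @()

# 1. Machine-wide autoruns live under HKLM, so a profile delete (HKCU) never touches them
$runKeys = @(
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
  'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
  if (Test-Path $key) {
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
      # Skip the PSPath/PSParentPath/... metadata properties that Get-ItemProperty adds
      if ($p.Name -notmatch '^PS') {
        $findings += [pscustomobject]@{ Type = 'RunKey'; Location = $key; Name = $p.Name; Value = $p.Value }
      }
    }
  }
}

# 2. Scheduled tasks outside Microsoft's own task folders (the "tasks" the reply mentions)
Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } | ForEach-Object {
  $action = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
  $findings += [pscustomobject]@{ Type = 'ScheduledTask'; Location = $_.TaskPath; Name = $_.TaskName; Value = $action }
}

# 3. Services whose binary is not under the Windows directory
Get-CimInstance Win32_Service |
  Where-Object { $_.PathName -and $_.PathName -notmatch '\\Windows\\' } |
  ForEach-Object {
    $findings += [pscustomobject]@{ Type = 'Service'; Location = $_.StartMode; Name = $_.Name; Value = $_.PathName }
  }

# 4. Recently written executables/scripts in shared drop locations (temp, public downloads, ProgramData)
$dropDirs = @("$env:SystemRoot\Temp", "$env:PUBLIC\Downloads", "$env:ProgramData")
$cutoff = (Get-Date).AddDays(-7)   # assumption: the infection is recent; widen if the timeline says otherwise
foreach ($dir in $dropDirs) {
  if (Test-Path $dir) {
    Get-ChildItem -Path $dir -Recurse -File -Include *.exe, *.dll, *.ps1, *.bat, *.vbs, *.js -ErrorAction SilentlyContinue |
      Where-Object { $_.LastWriteTime -gt $cutoff } |
      ForEach-Object {
        $findings += [pscustomobject]@{ Type = 'DroppedFile'; Location = $dir; Name = $_.Name; Value = $_.LastWriteTime }
      }
  }
}

# 5. WMI permanent event consumers: fileless persistence that no profile wipe removes
Get-CimInstance -Namespace root\subscription -ClassName __EventConsumer -ErrorAction SilentlyContinue |
  ForEach-Object {
    $findings += [pscustomobject]@{ Type = 'WmiConsumer'; Location = 'root\subscription'; Name = $_.Name; Value = $_.CimClass.CimClassName }
  }

$findings | Sort-Object Type, Location, Name | Format-Table -AutoSize

# None of these locations is under C:\Users\<employee>, which is why deleting the
# profile (option D) cannot be trusted to remove persistence, and why rebuilding
# from a known-good image (option A) is the defensible remediation.
```

Anything this turns up is evidence to preserve (hash it and note it in the evidence log started in the first step) rather than something to delete by hand; the output argues for reimaging, it does not replace it. Firmware-level implants are outside what this script can see, which is the reason the suggested answer pairs the reimage with a firmware update.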
Community vote distribution
A (35%)
C (25%)
B (20%)
Other