Exam 312-50v11 topic 1 question 185 discussion

The correct option is A - Upload to a Virus total, because you don't know the strange IPs in advance, you need to gather IoCs from Virus total to look for it in 'netstat'

The question asks how we would determine if his PC is infected. It does not ask how we'll determine if the file is corrupt or malicious. The only PC tests of these options is D.

This is one of the EC-Council recommended way of checking if file is infected.

Really, te correcto option is D

The correcto option is A! You need identify the virus type, signature, name, etc

What tests would you perform to determine whether his computer is infected? This can be checked by the netstat command and not the virus total.

The answer is A VirusTotal is an Alphabet product that analyzes suspicious files, URLs, domains and IP addresses to detect malware and other types of threats, and automatically shares them with the security community. To view VirusTotal reports, you'll be submitting file attachment hashes, IP addresses, or domains to VirusTotal.

D cannot identify the connection make by virus

Static Malware Analysis: Local and Online Malware Scanning You can also upload the code to online websites such as VirusTotal to get it scanned by a wide-variety of different scan engines (p. 982)

i guest that the malware can be designed to hide its communication from tools

Hard to say for me. It's true that the malware could be idle, but it is also true that VirusTotal could not know this malware. The ideal answer would be to detonate the malware in an isolated environment, but for this case, to know if the computer is infected, I go with D.

A. You are wasting time unless you know precisely what this malware's communication looks like, if it is communicating at all. It may also be designed to hide its communication from tools like netstat.

Dynamic Malware Analysis: Port Monitoring Malware programs open system input/output ports to establish connections with remote systems, networks, or servers to accomplish various malicious tasks. Use port monitoring tools such as netstat, and TCPView to scan for suspicious ports and look for any connection established to unknown or suspicious IP addresses. # netstat -an (P.1014/998)

A. Virustotal

Both A and D are valid, BUT -IMHO- a Trojan doesn't always mean backdoor/reverse-shell, maybe his friend created a user or installed a keylogger. Think of ransomware, once the "downloader" is done there is no need to communicate, so netstat will give you nothing (because it is a snapshot in time), also, think of rootkit, maybe the malware replaced netstat... and so on. Your thoughts? In real life, you have to do more than this, but in any case, you should use external tools instead of the system tools, so I think A is the best choice here.

Shoud be A, because the infection symptoms may not direction relation to the network status , for example maybe this is a bmob.

Easiest things first, so VirusTotal seems to be the easiest thing.