Initial Core 2 study project

notes/SEC-6-malware-removal-process.md

@@ -0,0 +1,247 @@
+# SEC-6: Malware Removal Process
+
+Status: not started
+
+Domain:
+- 2.0 Security
+
+Objective alignment:
+- 2.6 Malware removal process
+
+## What You Need To Know
+
+The exam expects the malware removal process in order. Do not just know the steps individually; know what comes next.
+
+Important idea:
+- Full wipe/reimage from known-good media is the cleanest answer for severe malware.
+- Remediation is sometimes done to recover data or restore enough function to continue business.
+
+## Memory Trick
+
+Use **I-Q-D-R-U-S-R-S-E-E**:
+
+1. **I**nvestigate and verify symptoms
+2. **Q**uarantine infected systems
+3. **D**isable System Restore/System Protection
+4. **R**emediate infected systems
+5. **U**pdate anti-virus/anti-malware
+6. **S**can and remove
+7. **R**eimage/reinstall if needed
+8. **S**chedule scans and run updates
+9. **E**nable System Protection and create restore point
+10. **E**ducate the end user
+
+Short phrase:
+- **Investigate, Quarantine, Disable, Remediate, Update, Scan, Reimage, Schedule, Enable, Educate.**
+
+## Step 1: Investigate and Verify Symptoms
+
+Look for:
+- Odd error messages
+- Fake security alerts
+- Application failures
+- Slow boot
+- Slow applications
+- Browser redirects
+- Files encrypted/renamed/missing
+- Unknown processes
+
+Goal:
+- Confirm there is a real problem before changing anything.
+
+## Step 2: Quarantine Infected Systems
+
+Actions:
+- Disconnect from network.
+- Disable Wi-Fi/Bluetooth if needed.
+- Isolate removable media.
+- Prevent file transfer from the infected system.
+
+Goal:
+- Stop spread.
+
+## Step 3: Disable System Restore/System Protection
+
+Why:
+- Malware can hide in restore points.
+- Restoring later could bring the infection back.
+
+Exam clue:
+- Disable before remediation, re-enable after cleanup.
+
+## Step 4: Remediate Infected Systems
+
+Actions:
+- Remove/quarantine malicious files.
+- Remove malicious startup entries.
+- Remove suspicious apps/extensions.
+- Repair changed settings.
+
+Goal:
+- Remove the infection or reduce damage.
+
+## Step 5: Update Anti-Virus/Anti-Malware
+
+Actions:
+- Update signatures/definitions.
+- Update scanning engine.
+- If malware blocks updates, use a trusted clean system or offline media.
+
+Goal:
+- Make sure tools recognize current threats.
+
+## Step 6: Scan and Remove
+
+Techniques:
+- Normal scan
+- Safe Mode scan
+- Offline/preinstallation environment scan
+- Bootable rescue media
+
+Goal:
+- Detect and remove malware using updated tools.
+
+## Step 7: Reimage/Reinstall If Needed
+
+When:
+- Rootkit/persistent infection.
+- Cleanup fails.
+- System integrity is not trusted.
+- Time-sensitive business recovery needs a known-good image.
+
+Goal:
+- Return to a clean known-good state.
+
+## Step 8: Schedule Scans and Run Updates
+
+Actions:
+- Enable scheduled scans.
+- Enable automatic definition updates.
+- Run OS updates.
+- Run application updates.
+
+Goal:
+- Reduce reinfection risk.
+
+## Step 9: Enable System Protection
+
+Actions:
+- Re-enable System Protection/System Restore.
+- Create a clean restore point.
+
+Goal:
+- Restore recovery capability after the system is clean.
+
+## Step 10: Educate The End User
+
+Topics:
+- Avoid suspicious links.
+- Avoid unknown downloads.
+- Report symptoms early.
+- Validate pop-ups and security alerts.
+- Use approved software sources.
+
+Goal:
+- Reduce repeat infection.
+
+## Commands To Enter
+
+Windows inspection commands:
+
+```powershell
+windowsdefender:
+```
+
+What it does:
+- Opens Windows Security.
+
+```powershell
+taskmgr
+```
+
+What it does:
+- Opens Task Manager for process/resource review.
+
+```powershell
+resmon
+```
+
+What it does:
+- Opens Resource Monitor for detailed activity.
+
+```powershell
+rstrui.exe
+```
+
+What it does:
+- Opens System Restore.
+- For this lab, view only. Do not restore.
+
+```powershell
+SystemPropertiesProtection
+```
+
+What it does:
+- Opens System Protection settings.
+- For this lab, view only. Do not disable protection unless working a real guided incident.
+
+```powershell
+shutdown /r /o /t 0
+```
+
+What it does:
+- Restarts into Advanced Startup options.
+- This is how you can reach recovery tools.
+- Do not run unless you are ready to reboot.
+
+Linux/macOS comparison:
+
+```bash
+top
+ps aux
+```
+
+What it does:
+- Shows running processes and resource usage.
+
+## Mini Lab
+
+Goal:
+- Practice the process order and safe inspection.
+
+Windows:
+1. Open Windows Security with `windowsdefender:`.
+2. Open Task Manager with `taskmgr`.
+3. Open Resource Monitor with `resmon`.
+4. Open System Protection with `SystemPropertiesProtection`.
+5. Do not disable System Protection during practice.
+6. Record:
+   - Defender status:
+   - Highest CPU process:
+   - System Protection state:
+   - Where Advanced Startup is located:
+
+Tabletop:
+For each scenario, write the next step:
+
+1. User reports fake antivirus pop-ups and slow performance.
+2. You confirm malware symptoms.
+3. The system is disconnected from the network.
+4. System Restore is disabled.
+5. Malicious files are removed.
+6. Anti-malware signatures are updated.
+7. Scan fails to remove a suspected rootkit.
+8. Clean image is restored.
+9. Updates and scheduled scans are configured.
+10. Clean restore point is created.
+
+## Quick Check Before Quiz
+
+You are ready for the SEC-6 quiz when you can answer these without looking:
+- What is step 1?
+- What comes after verifying symptoms?
+- When do you disable System Restore?
+- When do you re-enable System Protection?
+- Why educate the user?
+- When should you reimage/reinstall?
+