kenpat/comptia-a-plus-core2
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
comptia-a-plus-core2/notes/SEC-6-malware-removal-process.md

247 lines
5.2 KiB
Markdown
Raw Permalink Blame History

# SEC-6: Malware Removal Process
Status: not started
Domain:
- 2.0 Security
Objective alignment:
- 2.6 Malware removal process
## What You Need To Know
The exam expects the malware removal process in order. Do not just know the steps individually; know what comes next.
Important idea:
- Full wipe/reimage from known-good media is the cleanest answer for severe malware.
- Remediation is sometimes done to recover data or restore enough function to continue business.
## Memory Trick
Use **I-Q-D-R-U-S-R-S-E-E**:
1. **I**nvestigate and verify symptoms
2. **Q**uarantine infected systems
3. **D**isable System Restore/System Protection
4. **R**emediate infected systems
5. **U**pdate anti-virus/anti-malware
6. **S**can and remove
7. **R**eimage/reinstall if needed
8. **S**chedule scans and run updates
9. **E**nable System Protection and create restore point
10. **E**ducate the end user
Short phrase:
- **Investigate, Quarantine, Disable, Remediate, Update, Scan, Reimage, Schedule, Enable, Educate.**
## Step 1: Investigate and Verify Symptoms
Look for:
- Odd error messages
- Fake security alerts
- Application failures
- Slow boot
- Slow applications
- Browser redirects
- Files encrypted/renamed/missing
- Unknown processes
Goal:
- Confirm there is a real problem before changing anything.
## Step 2: Quarantine Infected Systems
Actions:
- Disconnect from network.
- Disable Wi-Fi/Bluetooth if needed.
- Isolate removable media.
- Prevent file transfer from the infected system.
Goal:
- Stop spread.
## Step 3: Disable System Restore/System Protection
Why:
- Malware can hide in restore points.
- Restoring later could bring the infection back.
Exam clue:
- Disable before remediation, re-enable after cleanup.
## Step 4: Remediate Infected Systems
Actions:
- Remove/quarantine malicious files.
- Remove malicious startup entries.
- Remove suspicious apps/extensions.
- Repair changed settings.
Goal:
- Remove the infection or reduce damage.
## Step 5: Update Anti-Virus/Anti-Malware
Actions:
- Update signatures/definitions.
- Update scanning engine.
- If malware blocks updates, use a trusted clean system or offline media.
Goal:
- Make sure tools recognize current threats.
## Step 6: Scan and Remove
Techniques:
- Normal scan
- Safe Mode scan
- Offline/preinstallation environment scan
- Bootable rescue media
Goal:
- Detect and remove malware using updated tools.
## Step 7: Reimage/Reinstall If Needed
When:
- Rootkit/persistent infection.
- Cleanup fails.
- System integrity is not trusted.
- Time-sensitive business recovery needs a known-good image.
Goal:
- Return to a clean known-good state.
## Step 8: Schedule Scans and Run Updates
Actions:
- Enable scheduled scans.
- Enable automatic definition updates.
- Run OS updates.
- Run application updates.
Goal:
- Reduce reinfection risk.
## Step 9: Enable System Protection
Actions:
- Re-enable System Protection/System Restore.
- Create a clean restore point.
Goal:
- Restore recovery capability after the system is clean.
## Step 10: Educate The End User
Topics:
- Avoid suspicious links.
- Avoid unknown downloads.
- Report symptoms early.
- Validate pop-ups and security alerts.
- Use approved software sources.
Goal:
- Reduce repeat infection.
## Commands To Enter
Windows inspection commands:
```powershell
windowsdefender:
```
What it does:
- Opens Windows Security.
```powershell
taskmgr
```
What it does:
- Opens Task Manager for process/resource review.
```powershell
resmon
```
What it does:
- Opens Resource Monitor for detailed activity.
```powershell
rstrui.exe
```
What it does:
- Opens System Restore.
- For this lab, view only. Do not restore.
```powershell
SystemPropertiesProtection
```
What it does:
- Opens System Protection settings.
- For this lab, view only. Do not disable protection unless working a real guided incident.
```powershell
shutdown /r /o /t 0
```
What it does:
- Restarts into Advanced Startup options.
- This is how you can reach recovery tools.
- Do not run unless you are ready to reboot.
Linux/macOS comparison:
```bash
top
ps aux
```
What it does:
- Shows running processes and resource usage.
## Mini Lab
Goal:
- Practice the process order and safe inspection.
Windows:
1. Open Windows Security with `windowsdefender:`.
2. Open Task Manager with `taskmgr`.
3. Open Resource Monitor with `resmon`.
4. Open System Protection with `SystemPropertiesProtection`.
5. Do not disable System Protection during practice.
6. Record:
- Defender status:
- Highest CPU process:
- System Protection state:
- Where Advanced Startup is located:
Tabletop:
For each scenario, write the next step:
1. User reports fake antivirus pop-ups and slow performance.
2. You confirm malware symptoms.
3. The system is disconnected from the network.
4. System Restore is disabled.
5. Malicious files are removed.
6. Anti-malware signatures are updated.
7. Scan fails to remove a suspected rootkit.
8. Clean image is restored.
9. Updates and scheduled scans are configured.
10. Clean restore point is created.
## Quick Check Before Quiz
You are ready for the SEC-6 quiz when you can answer these without looking:
- What is step 1?
- What comes after verifying symptoms?
- When do you disable System Restore?
- When do you re-enable System Protection?
- Why educate the user?
- When should you reimage/reinstall?
Reference in a new issue View git blame Copy permalink