comptia-a-plus-core2/notes/SEC-6-malware-removal-process.md


SEC-6: Malware Removal Process

Status: not started

Domain:

  • 2.0 Security

Objective alignment:

  • 2.6 Malware removal process

What You Need To Know

The exam expects the malware removal process in order. Do not just know the steps individually; know what comes next.

Important idea:

  • Full wipe/reimage from known-good media is the cleanest answer for severe malware (rootkits, anything that survives an updated full scan).
  • Remediation in place is done when data must be recovered or the system has to keep working long enough for the business to continue; it trades certainty for time.
  • The official 220-1102 objective 2.6 lists seven numbered steps, with updating anti-malware software and the scanning/removal techniques as sub-items of "remediate infected systems"; the ten-step list below is that same sequence expanded, so the order is what matters.

Memory Trick

Use I-Q-D-R-U-S-R-S-E-E:

  1. Investigate and verify symptoms
  2. Quarantine infected systems
  3. Disable System Restore/System Protection
  4. Remediate infected systems
  5. Update anti-virus/anti-malware
  6. Scan and remove
  7. Reimage/reinstall if needed
  8. Schedule scans and run updates
  9. Enable System Protection and create restore point
  10. Educate the end user

Short phrase:

  • Investigate, Quarantine, Disable, Remediate, Update, Scan, Reimage, Schedule, Enable, Educate.

Step 1: Investigate and Verify Symptoms

Look for:

  • Odd error messages
  • Fake security alerts
  • Application failures
  • Slow boot
  • Slow applications
  • Browser redirects
  • Files encrypted/renamed/missing
  • Unknown processes

Goal:

  • Confirm there is a real problem before changing anything, and write down exactly what you saw: the same list is your check after cleanup.
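One way to do the Step 1 verification without touching anything, as an added example written for these notes (it is not part of the CompTIA objective or of any tool the notes mention). It assumes Windows 10/11 with Windows PowerShell 5.1 run as Administrator; the report path and the "suspect" rules (unsigned binaries, binaries under AppData/ProgramData, non-Microsoft scheduled tasks, auto-start services outside the Windows directory) are my own triage choices, not an official list.

```powershell
# Added example: read-only triage for Step 1 (investigate and verify).
# Assumes Windows 10/11, Windows PowerShell 5.1, elevated session. Nothing below changes state.
$report = Join-Path $env:TEMP 'sec6-triage.txt'   # assumed output location

# Processes: path, CPU, Authenticode status. Unsigned binaries, or binaries living
# in user-writable folders, are the ones to look at first.
$procs = Get-Process | Where-Object { $_.Path } | ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.Path
    [pscustomobject]@{
        Name   = $_.ProcessName
        PID    = $_.Id
        CPU    = [math]::Round([double]$_.CPU, 1)
        Path   = $_.Path
        Signed = $sig.Status            # Valid, NotSigned, HashMismatch, ...
        Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    }
}
$suspectProcs = @($procs | Where-Object {
    $_.Signed -ne 'Valid' -or
    $_.Path -like "$env:USERPROFILE\AppData\*" -or
    $_.Path -like "$env:ProgramData\*"
})

# Autorun registry entries (Run/RunOnce for the machine and the current user).
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
$autoruns = foreach ($key in $runKeys) {
    if (Test-Path $key) {
        (Get-ItemProperty -Path $key).PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$' } |
            ForEach-Object { [pscustomobject]@{ Key = $key; Name = $_.Name; Command = $_.Value } }
    }
}

# Startup folders, scheduled tasks outside the Microsoft tree, and auto-start
# services whose binary is not under the Windows directory.
$startupDirs = "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
               "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
$startupFiles = Get-ChildItem -Path $startupDirs -Force -ErrorAction SilentlyContinue |
    Select-Object FullName, LastWriteTime
$tasks = @(Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' -and $_.State -ne 'Disabled' } |
    Select-Object TaskName, TaskPath,
        @{ n = 'Action'; e = { ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; ' } })
$services = Get-CimInstance Win32_Service |
    Where-Object { $_.StartMode -eq 'Auto' -and $_.PathName -notlike "$env:SystemRoot\*" } |
    Select-Object Name, State, PathName

# Live connections with the owning process, to spot beaconing or unexpected listeners.
$conns = Get-NetTCPConnection -State Established, Listen |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, OwningProcess,
        @{ n = 'Process'; e = { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName } }

# Defender's own view: protection state, signature age, and recent detections.
$defender = Get-MpComputerStatus |
    Select-Object AMRunningMode, RealTimeProtectionEnabled, AntivirusSignatureVersion,
                  AntivirusSignatureLastUpdated, QuickScanEndTime
$detections = Get-MpThreatDetection -ErrorAction SilentlyContinue |
    Select-Object InitialDetectionTime, ThreatID, ActionSuccess, Resources

# Write the report and show the headline numbers. Compare this file with a second
# run after cleanup: anything still present then means the remediation failed.
& {
    '== Suspect processes ==';                       $suspectProcs | Format-Table -AutoSize | Out-String -Width 200
    '== Top CPU processes ==';                       $procs | Sort-Object CPU -Descending | Select-Object -First 10 | Format-Table -AutoSize | Out-String -Width 200
    '== Autorun registry entries ==';                $autoruns | Format-Table -AutoSize | Out-String -Width 200
    '== Startup folder items ==';                    $startupFiles | Format-Table -AutoSize | Out-String -Width 200
    '== Non-Microsoft scheduled tasks ==';           $tasks | Format-Table -AutoSize | Out-String -Width 200
    '== Auto-start services outside Windows dir =='; $services | Format-Table -AutoSize | Out-String -Width 200
    '== TCP connections ==';                         $conns | Format-Table -AutoSize | Out-String -Width 200
    '== Defender status ==';                         $defender | Format-List | Out-String
    '== Defender detections ==';                     $detections | Format-List | Out-String
} | Out-File -FilePath $report -Encoding utf8
"Report written to $report; $($suspectProcs.Count) suspect process(es), $($tasks.Count) non-Microsoft task(s)."
```

Run it once at Step 1 and keep the file; the Mini Lab questions (Defender status, highest CPU process) are answered by the "Defender status" and "Top CPU processes" sections. A "suspect" hit is a lead, not a verdict: plenty of legitimate software is unsigned or lives under ProgramData, so verify each entry before you remove anything in Step 4.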

Step 2: Quarantine Infected Systems

Actions:

  • Disconnect from the wired network.
  • Turn off Wi-Fi and Bluetooth so the host cannot rejoin on its own.
  • Keep any removable media that touched the host isolated; do not plug it into another system.
  • Do not copy files off the infected system until it has been cleaned.
  • Isolate rather than power off when the incident may need investigation: running processes and open connections are evidence that a shutdown discards.

Goal:

  • Stop the malware from spreading to other hosts or reaching its controller.

Step 3: Disable System Restore/System Protection

Why:

  • Restore points snapshot system files and the registry; a restore point taken while the machine was infected contains the malware.
  • Restoring from such a point later would bring the infection back.
  • Turning System Protection off also deletes the existing restore points on that drive, which is the intended effect here.

Exam clue:

  • Disable before remediation, re-enable after cleanup (Step 9), and only create the new restore point once scans are clean.

Step 4: Remediate Infected Systems

Actions:

  • Remove/quarantine malicious files.
  • Remove malicious startup entries.
  • Remove suspicious apps/extensions.
  • Repair changed settings.

Goal:

  • Remove the infection or reduce damage.

Step 5: Update Anti-Virus/Anti-Malware

Actions:

  • Update signatures/definitions.
  • Update scanning engine.
  • If malware blocks updates, use a trusted clean system or offline media.

Goal:

  • Make sure tools recognize current threats.

Step 6: Scan and Remove

Techniques:

  • Normal scan: runs inside the booted OS with the malware potentially still active.
  • Safe Mode scan: Windows loads only core drivers and services, so most auto-starting malware is not running while you scan.
  • Offline/preinstallation environment scan: the infected OS is not loaded at all, which is what defeats rootkits that hide from scanners on the live system.
  • Bootable rescue media: a vendor's scanner booted from trusted USB/DVD media, for the same reason.

Goal:

  • Detect and remove malware using updated tools.

Step 7: Reimage/Reinstall If Needed

When:

  • Rootkit/persistent infection.
  • Cleanup fails.
  • System integrity is not trusted.
  • Time-sensitive business recovery needs a known-good image.

Goal:

  • Return to a clean known-good state.

Step 8: Schedule Scans and Run Updates

Actions:

  • Enable scheduled scans.
  • Enable automatic definition updates.
  • Run OS updates.
  • Run application updates.

Goal:

  • Reduce reinfection risk.

Step 9: Enable System Protection

Actions:

  • Re-enable System Protection/System Restore on the system drive.
  • Create a clean restore point, but only after the updated scans come back clean; a restore point taken earlier snapshots whatever is still there.

Goal:

  • Restore recovery capability after the system is clean.

Step 10: Educate The End User

Topics:

  • Avoid suspicious links.
  • Avoid unknown downloads.
  • Report symptoms early.
  • Validate pop-ups and security alerts.
  • Use approved software sources.

Goal:

  • Reduce repeat infection.
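The Windows side of Steps 3, 5, 6, 8 and 9 expressed with built-in cmdlets, as an added example for these notes (not from the CompTIA objective or any Microsoft documentation page). Step 4 stays hands-on (autorun entries, extensions, settings), and Step 7 appears as the decision point it is. The script assumes Windows 10/11 with Windows PowerShell 5.1 (the *-ComputerRestore cmdlets are not available in PowerShell 7), Microsoft Defender as the anti-malware engine, an elevated session, and that Steps 1 and 2 are already done; $DryRun, $OfflineDefinitions and the Invoke-Step helper are assumptions of this script, and it prints what it would do unless $DryRun is turned off.

```powershell
# Added example: Steps 3, 5, 6, 8 and 9 with built-in cmdlets, dry-run by default.
# Assumes Windows 10/11, Windows PowerShell 5.1, Microsoft Defender, elevated session,
# host already quarantined. $DryRun, $OfflineDefinitions and Invoke-Step are assumptions here.
$DryRun = $true                       # flip to $false only on a real, quarantined incident machine
$OfflineDefinitions = ''              # assumed: UNC/USB path holding Defender definitions, '' = online update
$SystemDrive = "$env:SystemDrive\"    # usually C:\

function Invoke-Step {
    param([string]$What, [scriptblock]$Action)
    if ($DryRun) { Write-Host "[dry-run] $What" } else { Write-Host "[run] $What"; & $Action }
}

# Step 3: disable System Protection on the system drive. Windows deletes the existing
# restore points when protection is turned off; that is intended, because a restore
# point captured while infected would reinstall the malware.
Get-ComputerRestorePoint -ErrorAction SilentlyContinue |
    Format-Table SequenceNumber, CreationTime, Description -AutoSize
Invoke-Step "Disable-ComputerRestore -Drive $SystemDrive" { Disable-ComputerRestore -Drive $SystemDrive }

# Step 5: update definitions and engine BEFORE scanning. The host is quarantined, so
# either pull definitions from trusted offline media or reattach it to a controlled
# update source; if the update fails, stop and fix that first.
if ($OfflineDefinitions) {
    Invoke-Step "Update-MpSignature from $OfflineDefinitions" {
        Set-MpPreference -SignatureDefinitionUpdateFileSharesSources $OfflineDefinitions
        Update-MpSignature -UpdateSource FileShares -ErrorAction Stop
    }
} else {
    Invoke-Step 'Update-MpSignature' { Update-MpSignature -ErrorAction Stop }
}
Get-MpComputerStatus | Format-List AMEngineVersion, AntivirusSignatureVersion, AntivirusSignatureLastUpdated

# Step 6: full scan with the updated engine, then read the results. Start-MpWDOScan
# reboots into Microsoft Defender Offline (a preinstallation environment); use it when
# a rootkit is suspected, because the infected OS is not running during that scan.
Invoke-Step 'Start-MpScan -ScanType FullScan' { Start-MpScan -ScanType FullScan }
Get-MpThreatDetection -ErrorAction SilentlyContinue |
    Format-List InitialDetectionTime, ThreatID, ActionSuccess, Resources
# Invoke-Step 'Start-MpWDOScan (reboots the machine)' { Start-MpWDOScan }

# Step 7 decision point: a threat still active after a full scan means the system's
# integrity is not trusted; reimage from known-good media instead of scanning in a loop.
$active = @(Get-MpThreat -ErrorAction SilentlyContinue | Where-Object { $_.IsActive })
if ($active.Count -gt 0) {
    Write-Warning "$($active.Count) active threat(s) remain; reimage rather than continue."
}

# Step 8: daily quick scan at 02:00, signature checks every 4 hours and before each
# scan, then hand off to Windows Update for OS and application patches.
Invoke-Step 'Set-MpPreference scheduled scan and update interval' {
    Set-MpPreference -ScanScheduleDay Everyday -ScanScheduleQuickScanTime 02:00:00 `
        -SignatureUpdateInterval 4 -CheckForSignaturesBeforeRunningScan $true
}
Invoke-Step 'Open Windows Update' { Start-Process 'ms-settings:windowsupdate' }

# Step 9: only after the scans come back clean, turn protection back on and take a
# restore point. Checkpoint-Computer refuses a second point within 24 hours unless the
# SystemRestorePointCreationFrequency registry value is changed, so make this the one that counts.
Invoke-Step "Enable-ComputerRestore -Drive $SystemDrive" { Enable-ComputerRestore -Drive $SystemDrive }
Invoke-Step 'Checkpoint-Computer post-cleanup' {
    Checkpoint-Computer -Description 'Post malware cleanup (clean)' -RestorePointType MODIFY_SETTINGS
}
Get-ComputerRestorePoint -ErrorAction SilentlyContinue |
    Format-Table SequenceNumber, CreationTime, Description -AutoSize
```

Keep $DryRun at $true for the Mini Lab: every state-changing call is wrapped in Invoke-Step, so the lab run only lists restore points, Defender status and detections, which is exactly the "view only" behaviour the lab asks for. The order of the calls is the order the exam tests: protection off, then update, then scan, then schedule, then protection on with a fresh restore point.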

Commands To Enter

Windows inspection commands:

windowsdefender:

What it does:

  • Opens Windows Security. It is a URI rather than an executable, so type it into the Run dialog (Win+R) or use start windowsdefender: from a command prompt.

taskmgr

What it does:

  • Opens Task Manager for process/resource review.

resmon

What it does:

  • Opens Resource Monitor for per-process CPU, disk, network and handle activity.

rstrui.exe

What it does:

  • Opens System Restore.
  • For this lab, view only. Do not restore.

SystemPropertiesProtection

What it does:

  • Opens System Protection settings.
  • For this lab, view only. Do not disable protection unless working a real guided incident.

shutdown /r /o /t 0

What it does:

  • Restarts into Advanced Startup options (/o only works together with /r).
  • This is how you reach the recovery tools, including Safe Mode and Startup Repair.
  • Do not run unless you are ready to reboot; /t 0 means no delay.

Linux/macOS comparison:

top
ps aux

What it does:

  • Shows running processes and resource usage.

Mini Lab

Goal:

  • Practice the process order and safe inspection.

Windows:

  1. Open Windows Security with windowsdefender:.
  2. Open Task Manager with taskmgr.
  3. Open Resource Monitor with resmon.
  4. Open System Protection with SystemPropertiesProtection.
  5. Do not disable System Protection during practice.
  6. Record:
    • Defender status:
    • Highest CPU process:
    • System Protection state:
    • Where Advanced Startup is located:

Tabletop: For each scenario, write the next step:

  1. User reports fake antivirus pop-ups and slow performance.
  2. You confirm malware symptoms.
  3. The system is disconnected from the network.
  4. System Restore is disabled.
  5. Malicious files are removed.
  6. Anti-malware signatures are updated.
  7. Scan fails to remove a suspected rootkit.
  8. Clean image is restored.
  9. Updates and scheduled scans are configured.
  10. Clean restore point is created.

Quick Check Before Quiz

You are ready for the SEC-6 quiz when you can answer these without looking:

  • What is step 1?
  • What comes after verifying symptoms?
  • When do you disable System Restore?
  • When do you re-enable System Protection?
  • Why educate the user?
  • When should you reimage/reinstall?