CompTIA A+ Exam 220-902 sub-objective 4.2 – Given a scenario, troubleshoot common PC security issues with appropriate tools and best practices – Part 2

Part 1 – Covers “Common Symptoms” up until “Tools”

Back to the main 902 ExamNotes page

Detailed (and official) description of CompTIA A+ sub-objective 4.2

4.2 Given a scenario, troubleshoot common PC security issues with appropriate tools and best practices.

Common symptoms
Pop-ups
Browser redirection
Security alerts
Slow performance
Internet connectivity issues
PC/OS lock up
Application crash
OS updates failures
Rogue antivirus
Spam
Renamed system files
Files disappearing
File permission changes
Hijacked email

Responses from users regarding email
Automated replies from unknown sent email
Access denied
Invalid certificate (trusted root CA)

Tools
Antivirus software
Antimalware software
Recovery console
Terminal
System restore/Snapshot
Pre-installation environments
Event viewer
Refresh/restore
MSCONFIG/Safe boot

Best practice procedure for malware removal

  1. Identify malware symptoms
  2. Quarantine infected system
  3. Disable system restore (in Windows)
  4. Remediate infected systems
  5. Update antimalware software
  6. Scan and removal techniques (safe mode, pre-installation environment)
  7. Schedule scans and run updates
  8. Enable system restore and create restore point (in Windows)
  9. Educate end user

Welcome to Exam Notes by CertBlaster! If you are following these in order we hope you came through 4.1 intact!  Here in 4.2 we will use some of the same tools from 4.1 while paying closer attention to the security aspects of our situations and actions. Enjoy!

Tools

Antivirus software / Antimalware software

When an infection is suspected, your first course of action is to run your antivirus/antimalware program. Most packages are comprehensive in nature and combine both programs as a “suite”. When you activate the program, check for updates. If the program is able to connect to its update server, that is a good sign. Perform an update if necessary and scan the system thoroughly. It is often helpful to run your A/V program from Safe Mode to have access to more system files.

Recovery console

The Recovery Console is a command line interpreter introduced with Windows XP; it exists in later Windows versions under different names and with some additional features. Fundamentally the Recovery Console is accessed from the installation media. The console provides access to a set of commands that can be used to examine the hard disk, repair the MBR, fix the boot process and much more. This will help you get back into your system, as long as your first step is not repartitioning the drives. The Recovery Console requires the administrator password.

Terminal

We refer to the command interface in Windows as the Command Prompt. On OS X installations it is called the Terminal. In Linux it is also called the Terminal and is often referred to as the Console. Commonalities between OS X and Linux exist due to their shared foundation on UNIX. A good example is the Linux Terminal. It can be accessed through the GUI, or at boot by setting the Linux runlevel to 1, which starts the system as the superuser without networking or a GUI. This enables you to diagnose and repair the system.

System restore/Snapshot

As we discussed in earlier posts, the Windows System Restore utility provides the ability to restore your computer to a previous point in time using a snapshot of the system taken when it was operating properly. This is a great tool for repairing registry problems, bad program installations and new system conflicts. In the case of a malware infection you must exercise care to avoid restoring contaminated files: use a restore point that was created before any issues developed. System Restore is not always effective against malware, since the infection may be in your personal files, which it does not touch. It is not a reliable malware solution. Restoring from a snapshot will delete any programs installed after the snapshot was taken and will restore programs that were deleted.

Pre-installation environments

When dealing with malware, one of the key concepts is to access the computing environment before the malware has a chance to begin its processes. To that end, pre-installation environments offer a robust set of tools in a stripped-down environment. The most effective way to access the pre-installation environment is from bootable installation media. This method does not use the hard drive and therefore can launch your tools before the malware can deploy its measures. Many antimalware products allow you to create bootable rescue CDs that contain virus and malware definitions. Create the CD on a known clean machine with updated definitions.

Event viewer

In many cases surrounding system and application crashes you will find Microsoft Event Viewer a useful tool in determining whether you have a malware or software issue. Just as failed updates can be a sign of infection, random program crashes can be a sign of a bad piece of memory. Investigate the details of any errors and think before you do anything drastic.
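The two Event Viewer signals this section names, failed OS updates and application crashes, can be pulled with PowerShell instead of clicking through the console. This is an added example, not part of the CertBlaster notes; it assumes an elevated prompt on the machine under investigation, and the event IDs (20 for a failed update install, 1000 for an application crash) are the standard ones written by those providers.

```powershell
# Added example (not from the original page): Event Viewer triage for the
# symptoms in objective 4.2. Assumes an elevated PowerShell prompt.
param([int]$Days = 7)
$since = (Get-Date).AddDays(-$Days)

# Failed update installs: the WindowsUpdateClient provider writes Event ID 20
# to the System log when an install fails (ID 19 is a success).
$failedUpdates = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-WindowsUpdateClient'
    Id           = 20
    StartTime    = $since
} -ErrorAction SilentlyContinue

# Application crashes: 'Application Error' Event ID 1000. Properties[0] holds
# the faulting executable, so grouping on it shows whether one program keeps
# dying (software or malware problem) or crashes are spread across many
# unrelated programs (more consistent with bad memory).
$crashes = Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Application Error'
    Id           = 1000
    StartTime    = $since
} -ErrorAction SilentlyContinue

"Failed update installs in the last $Days days: $($failedUpdates.Count)"
$failedUpdates | Select-Object TimeCreated, Message | Format-Table -Wrap

"Application crashes by faulting program in the last $Days days:"
$crashes | Group-Object { $_.Properties[0].Value } |
    Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table
```

With no matching events Get-WinEvent reports "No events were found"; the -ErrorAction switch suppresses that so the counts simply read zero.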

Refresh/restore

At this point we will assume all is lost and nothing you have tried has repaired your system. The Refresh option available in Windows 8 and above provides the capability of refreshing your system without affecting your personal files. You can also reinstall Windows. This is recommended in extreme cases where you want to obliterate all remnants. Your success here depends in great part on the reliability of your personal data backups. Here is a look at your Refresh/restore options in Windows 8.1.

Screenshot: Windows 8 Update and Recovery

MSCONFIG/Safe boot

As we have emphasized in this submission, malware is designed to take advantage of every conceivable flaw in systems and people. “Click here for a free Yacht!” Hey, why not? Well, if you’ve been listening, it’s the hacker that gets the yacht: by turning your machine into a bot, selling your personal data or just holding it hostage until you pay. During your engagement you may want to use MSConfig. Setting the Safe boot option here keeps you from having to sit and press the F8 key and boots you directly to Safe Mode as config

Screenshot: MSConfig with Safe boot


Best practice procedure for malware removal

OK! Here is your counterattack plan laid out. This is a step-by-step process, so do all of it.

Identify malware symptoms

Each type of malware exhibits different behavior. Observe and record anything odd. Is it pop-ups? Inaccessible update websites? Everything you can observe will help you research the type of malware you are trying to remove.

Quarantine infected system

Once you suspect an infection, unplug the NIC and/or disable wireless connectivity. Remember, this malware got into your system somehow, and it’s fair to assume it hasn’t stopped trying to infect others, locally or globally. Cut the cord (not literally).

Disable system restore (in Windows)

While system restore points and snapshots are useful tools, once you have an infection it is reasonably certain that the malware has tucked itself away in the restore files, waiting to come back rested and fresh after you have spent hours removing it. Disable System Restore (System Protection), which will remove all restore points.

Remediate infected systems

Now it’s time to deal with your bug. First, since we know you don’t trust the system, create bootable rescue media with updated definitions on another, clean machine for use on the infected system.

Update antimalware software

If possible, try to update your existing AV software after remediation. Success here (the update server is reachable again) provides hope that you’ve resolved the issue.

Scan and removal techniques (safe mode, pre-installation environment)

Now, rather than booting straight into the normal system, try scanning in Safe Mode and from the pre-installation environment; then hopefully you’ll come out clean.

Schedule scans and run updates

Once you are satisfied the condition is resolved, complete any and all OS updates and those of other programs, especially the antimalware software. Set these programs to update automatically.

Enable system restore and create restore point (in Windows)

Once all of your updating is complete, re-enable System Protection and create a restore point. Label it so you can be sure this is the clean baseline.

Educate end user

Now, all along we have touched on do’s and don’ts when it comes to running your system safely. So DON’T click it! Seriously, once you have had to fight an infection of any sort you will immediately become proactive regarding defense. User education is the tip of the spear in malware defense. Take the time to inform the user: tell them what happened, why, and what the consequences are, and then let them see the aggravation, I mean the steps, necessary to eradicate the threat. Engage them in the solution – help them grow.
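The Windows-side steps of this procedure, collected as PowerShell functions in the order the objective lists them. This is an added example and not CertBlaster’s own material; it assumes an elevated prompt, Windows Defender as the antimalware product and C: as the system drive, and the offline scan from rescue media (step 4) happens outside the script, with the network brought back before step 5 because signature updates need it.

```powershell
# Added example (not from the original page): the Windows-side steps of the
# 4.2 malware removal procedure. Assumes an elevated prompt, Windows Defender
# as the antimalware product and C: as the system drive. The rescue-media
# scan (step 4) is done offline, outside this script.
param([string]$SystemDrive = 'C:\')

function Invoke-Quarantine {
    # Step 2: drop all wired and wireless connectivity.
    Get-NetAdapter | Where-Object Status -eq 'Up' | Disable-NetAdapter -Confirm:$false
}

function Restore-Network {
    # Bring the adapters back once the offline scan is done and you need updates.
    Get-NetAdapter | Where-Object Status -eq 'Disabled' | Enable-NetAdapter -Confirm:$false
}

function Disable-RestorePoints {
    # Step 3: turning System Protection off discards every existing restore point,
    # so the infection cannot ride back in from a contaminated snapshot.
    Disable-ComputerRestore -Drive $SystemDrive
}

function Set-SafeModeBoot([switch]$Off) {
    # Step 6: the same thing MSConfig's 'Safe boot' box does, without pressing F8.
    # Call with -Off after the Safe Mode scan or the machine keeps booting there.
    if ($Off) { bcdedit /deletevalue '{current}' safeboot }
    else      { bcdedit /set '{current}' safeboot minimal }
}

function Invoke-CleanScan {
    # Steps 5-6: refresh definitions, then a full scan; list anything found.
    Update-MpSignature
    Start-MpScan -ScanType FullScan
    Get-MpThreatDetection | Select-Object InitialDetectionTime, ProcessName, Resources
}

function Set-ScheduledScan {
    # Step 7: nightly full scan and signature updates every four hours.
    Set-MpPreference -ScanScheduleDay Everyday -ScanScheduleTime '02:00:00' -ScanParameters FullScan
    Set-MpPreference -SignatureUpdateInterval 4
}

function New-CleanBaseline {
    # Step 8: re-enable System Protection and label the known-clean point.
    # Windows 8 and later allow this cmdlet one restore point per 24 hours.
    Enable-ComputerRestore -Drive $SystemDrive
    Checkpoint-Computer -Description 'Clean baseline after malware removal' -RestorePointType MODIFY_SETTINGS
}
```

Dot-source the file and call the functions in order: Invoke-Quarantine, Disable-RestorePoints, the offline rescue-media scan, Set-SafeModeBoot and a reboot, Restore-Network, Invoke-CleanScan, Set-SafeModeBoot -Off, Set-ScheduledScan, New-CleanBaseline.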

Well, that’s everything for objective 4.2! Hope you enjoyed it! Don’t just sit there! Look for 4.3! This stuff doesn’t learn itself!


Good luck on the test!
