CompTIA A+ Exam 220-902 sub-objective 4.2 – Given a scenario, troubleshoot common PC security issues with appropriate tools and best practices – Part 1

This is Part 1; Part 2 will cover everything from “Tools” on.


Detailed (and official) description of CompTIA A+ sub-objective 4.2

4.2 Given a scenario, troubleshoot common PC security issues with appropriate tools and best practices.

Common symptoms
Pop-ups
Browser redirection
Security alerts
Slow performance
Internet connectivity issues
PC/OS lock up
Application crash
OS updates failures
Rogue antivirus
Spam
Renamed system files
Files disappearing
File permission changes
Hijacked email

Responses from users regarding email
Automated replies from unknown sent email
Access denied
Invalid certificate (trusted root CA)

Tools
Antivirus software
Antimalware software
Recovery console
Terminal
System restore/Snapshot
Pre-installation environments
Event viewer
Refresh/restore
MSCONFIG/Safe boot

Best practice procedure for malware removal

  1. Identify malware symptoms
  2. Quarantine infected system
  3. Disable system restore (in Windows)
  4. Remediate infected systems
  5. Update antimalware software
  6. Scan and removal techniques (safe mode, pre-installation environment)
  7. Schedule scans and run updates
  8. Enable system restore and create restore point (in Windows)
  9. Educate end user

Welcome to Exam Notes by CertBlaster! If you are following these in order we hope you came through 4.1 intact!  Here in 4.2 we will use some of the same tools from 4.1 while paying closer attention to the security aspects of our situations and actions. Enjoy!!

Common symptoms

Here we will look at some of the indicators that a system is infected with malware or a virus. The terms malware and virus will be used interchangeably when discussing an infected system.

Pop-ups

Most users block browser pop-ups on their system. Many sites use pop-ups to generate revenue, and some are targeted based on your behavior. As a rule, your first real indication that your system is infected is the appearance of pop-up ads, which can appear inside or outside the browser window. Pop-up ads appearing in the browser while pop-ups are disabled are a potential sign of problems, essentially the tip of the iceberg. The condition can be accompanied by unwanted browser toolbars. Many infections change your browser homepage to redirect traffic to a malicious site. Pop-ups outside the browser window leave little doubt: you have a problem. We will cover the techniques for dealing with this problem in detail later in “Best practice procedure for malware removal”. Be sure that when you see a random message claiming your PC may already be infected, you do not click the link in the pop-up; this is a classic infection attempt.

Screenshot: Browser Pop-up Blocker On

Browser redirection

As mentioned earlier, malware programs can change your homepage or, in the stealthiest cases, route the traffic through a malicious site and then display your correct homepage. All traffic handled on or through a malicious site should be considered compromised. Watch the address line in the browser for indications of this problem.

Security alerts

False security alerts are a very common way to get novice users to click on links to malware and install it. User education is the best prevention method. The ability to discriminate between valid and invalid alerts is essential. For example, a PC tool that does not exist on your computer cannot legitimately display an error.

Slow performance

Slow performance can be attributed to a number of real system issues, with too many programs and underpowered equipment being the most common non-malware causes. In the case of malware, you will find the offending programs consuming processor cycles, email, network resources, and local disk and memory. Use the steps outlined in “Best Practices” below to resolve the problem.

Internet connectivity issues

When you experience issues connecting to a site, it is important to be able to discriminate between actual network problems and those caused by older, outdated malware. Use the command line to ping the local gateway, and use ipconfig /all to check your settings. If necessary, reboot into Safe Mode with Networking and open the command prompt. If the connection succeeds from the command prompt, the connectivity problem points to an infection, and you should follow the steps outlined in “Best Practices” further down this post.

PC/OS lock up

Infected systems exhibit slow performance and system errors caused by the manipulation or deletion of system files. In the worst case the system locks up or blue screens. Reboot and take the steps listed in best practices. Look at Task Manager and Event Viewer, along with the update log files for your anti-malware programs and the system update logs.

Application crash

Applications that behaved normally before and then suddenly crash could very likely be exhibiting signs of an infection. Changes made by malware to shared support files commonly lead to program failures; for example, if malware infects a shared file like a .DLL or .OCX file, any program that attempts to use it will fail, with the added potential of spreading the infection. Take the steps listed in best practices.

OS updates failures

Any self-respecting virus author will set their product to block internet access to all known antivirus and antimalware websites. They will also block system protections such as Windows Defender updates and system updates, in order to prevent detection. Here is a look at a blocked AV/antimalware program update.

Screenshot: Antivirus Fails to Connect to Server
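One common way for malware to block vendor update traffic is to pin the update hostnames in the local hosts file, a mechanism the post itself does not name and which is assumed here. The Python below is an added example (not from the post) that scans hosts-file text for such overrides; SAMPLE_HOSTS, example-av.com and WATCH_SUFFIXES are constructed for the demonstration.

```python
import ipaddress

# Constructed hosts-file content standing in for C:\Windows\System32\drivers\etc\hosts.
# Lines 4 and 5 are the kind of override that silently blocks update traffic.
SAMPLE_HOSTS = """\
# sample comment line
127.0.0.1       localhost
::1             localhost
0.0.0.0         update.example-av.com
127.0.0.1       download.windowsupdate.com   defender.example-av.com
"""

# Domains (or parent domains) whose update traffic a defender expects to reach the vendor.
# windowsupdate.com is real; example-av.com is a constructed placeholder for an AV vendor.
WATCH_SUFFIXES = ("windowsupdate.com", "example-av.com")


def _is_sinkhole(address):
    """Loopback or unspecified addresses are the usual targets of hosts-file blocking."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def _watched(hostname):
    host = hostname.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in WATCH_SUFFIXES)


def find_hosts_overrides(hosts_text):
    """Return (line_no, address, hostname, kind) for every watched hostname pinned in the file.
    kind is 'sinkhole' (loopback/unspecified address) or 'redirect' (any other address)."""
    findings = []
    for line_no, raw in enumerate(hosts_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()          # strip comments and whitespace
        if not line:
            continue
        address, *hostnames = line.split()
        for host in hostnames:
            if _watched(host):
                kind = "sinkhole" if _is_sinkhole(address) else "redirect"
                findings.append((line_no, address, host, kind))
    return findings


if __name__ == "__main__":
    for line_no, address, host, kind in find_hosts_overrides(SAMPLE_HOSTS):
        print(f"line {line_no}: {host} -> {address} ({kind})")
```

A clean hosts file normally contains only the localhost entries, so any hit on a vendor domain deserves a look before you blame the vendor's servers.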

Rogue antivirus

Let’s use an example here. Your customer was presented with a pop-up that warned of an infection and offered a fix using a free tool. They clicked OK and allowed the program to install. Now not only are they infected, but their basic system safeguards may also be compromised, allowing other infections. It is not unusual to find malware that disables Windows protections like the Windows Firewall or Defender. Here is a firewall that has been taken over.

Screenshot: Compromised Firewall

Spam

Undoubtedly a familiar term to most, spam is the term we use for unsolicited email messages. These messages are often simple commercial ads sent to your email address because you inadvertently shared it. On the other hand, lists of valid email addresses are prizes for malware perpetrators. They can be used to send you malicious payloads disguised as images or web links. It is important that you handle unsolicited emails, especially those with attachments, with caution. Do not open them under any circumstance. Here is a typical attempt to get you to open an infected document. It is disguised as an electronic receipt from a business. The user may or may not have made a purchase, so a percentage of the recipients will click the attachment and become infected.

Screenshot: Example of Spam-Phishing Malware

Renamed system files

System errors related to the filesystem can be attributed to malware. The malicious payload can rename system files making them unusable by the system. This can cause errors up to and including the dreaded BSOD.

Files disappearing

Certain malware can create a backdoor allowing hackers to do any number of things. One tactic sets the file attributes to hidden; although the files are actually present, the user cannot see them. While this will not impact system files, the user will have difficulty accessing the content.

File permission changes

Another malware tactic is to alter the user's file permissions to make files seemingly disappear and/or become inaccessible.

Hijacked email

Your email account can be compromised in cases where you have clicked a phishing email, use a weak password, or communicate with your email server in plaintext (unencrypted). Unencrypted communications can be intercepted at wireless hotspots, and your credentials can then be used to send blasts of malware-laden spam through your server. This will appear as legitimate traffic until it is detected, either by your administrative staff or by you as you begin to receive bounced emails from failed attempts to reach bad email addresses. There is a difference between hijacking and spoofing, as we will see next.

Responses from users regarding email

You can consider your account hijacked if you begin to get replies from people you know about strange emails that you did not send. This is a sign that the malware has access to your contacts. Hopefully the recipients have enough sense to recognize spammed communications. If your account is spoofed, the sender does not use your email credentials, only your email address as the “From” address, and you will receive anything that bounces back.

Automated replies from unknown sent email

If you receive “Out of Office” type replies from people you don’t know, this is another sign of malware. The recipient’s automated response is sent to anyone attempting to send email to that person. Interestingly, this automated reply can be used to validate email addresses and return server information.

Access denied

As we noted earlier, a sure sign that you have a malware issue is the inability to access your files. Hackers with administrative access to your system can wreak irreversible damage. You will notice this when you get an access denied message while attempting to access a file or folder that you created. This indicates a permission change on your account or on the content itself. Either situation is bad. In the worst case, ransomware, a covertly installed program encrypts the Master File Table and holds it for ransom. The user is accused of everything from terrorism to pornography and is locked out of their system until a ransom is paid and a decryption key is issued. You may or may not get the decryption key, but that is the only practical way to recover your data. One infected user actually turned themselves in to the FBI as a result of this attack, as he was guilty of some of the charges. Long story short, be careful what you open and click on.

Screenshot: Ransomware error message

Invalid certificate (trusted root CA)

Security is often handled behind the scenes. When accessing a secure website (HTTPS), for example, its SSL certificate is examined. A main Certificate Authority (CA) issues root certificates, which are downloaded to the clients to validate the server’s authenticity. The certificate is examined upon access and compared to the stored list. First we will look in the Internet Properties Content tab to see the trusted certificates installed, and look at a bit of the Microsoft trusted CA’s 4096-bit public key.

Screenshot: Microsoft Root CA

If there is a problem, you will have to bypass a warning to continue. The errors could be expiration of the certificate, a certificate issued to a host other than the one being accessed, a certificate issued by an untrusted root, a revoked certificate, and more. Here is a sample of an untrusted root. The recommendation is that you close the page. You have the option to continue or get more information, as shown. Examine these messages carefully before you decide to continue.

Screenshot: Bad SSL Certificate
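As an added example (not code from the post), here is a Python check that applies three of the warning conditions just listed (expired, issued to a different host, untrusted root) to a certificate in the dict layout Python's ssl module returns from getpeercert(). TRUSTED_ROOTS, the sample certificates, the hostnames and SAMPLE_NOW are constructed, and the issuer is compared directly against the trusted list, which simplifies real chain building to the "compared to the stored list" model the post describes.

```python
import ssl

# Constructed trust list standing in for the Trusted Root store under
# Internet Properties > Content > Certificates: (organizationName, commonName) per root.
TRUSTED_ROOTS = {("Example Trust Services", "Example Root CA")}

# Constructed peer certificates in the dict layout returned by ssl.SSLSocket.getpeercert().
GOOD_CERT = {
    "issuer": ((("organizationName", "Example Trust Services"),), (("commonName", "Example Root CA"),)),
    "subjectAltName": (("DNS", "shop.example.com"), ("DNS", "*.shop.example.com")),
    "notBefore": "Jan 01 00:00:00 2016 GMT",
    "notAfter": "Dec 31 23:59:59 2016 GMT",
}
# Same certificate, but already expired and signed by an issuer that is not in the store.
BAD_CERT = dict(GOOD_CERT, notAfter="Mar 01 00:00:00 2016 GMT",
                issuer=((("organizationName", "Rogue Issuer Inc"),), (("commonName", "Rogue CA"),)))
SAMPLE_NOW = ssl.cert_time_to_seconds("Jun 15 12:00:00 2016 GMT")  # moment of the check, epoch seconds


def _name_to_dict(name):
    """Flatten getpeercert()'s nested RDN tuples into {attribute: value}."""
    return {key: value for rdn in name for key, value in rdn}


def _host_matches(pattern, hostname):
    """Match one DNS SAN entry; only a single leading '*.' wildcard label is honoured."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        head, _, tail = hostname.partition(".")
        return bool(head) and tail == pattern[2:]
    return pattern == hostname


def check_certificate(cert, hostname, now):
    """Return the reasons a browser would warn: expired, wrong host, untrusted root."""
    problems = []
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired")
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("not yet valid")
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(_host_matches(pattern, hostname) for pattern in sans):
        problems.append("issued to a different host")
    issuer = _name_to_dict(cert["issuer"])
    if (issuer.get("organizationName"), issuer.get("commonName")) not in TRUSTED_ROOTS:
        problems.append("issued by an untrusted root")
    return problems


if __name__ == "__main__":
    for cert in (GOOD_CERT, BAD_CERT):
        print(cert["issuer"][-1][0][1], check_certificate(cert, "shop.example.com", SAMPLE_NOW) or "OK")
```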

Well, that’s everything for objective 4.2 – Part 1! Hope you enjoyed it! Don’t just sit there! Look for 4.2 – Part 2! This stuff doesn’t learn itself! Back to the main 902 ExamNotes page

Good luck on the test!
