Practice Exam ยท Chapters 40โ€“43

Exam: Malware Overview, Viruses & Worms, Spyware & Bloatware, Other Malware

Malware Types & Detection ยท Viruses, Worms & Propagation ยท Spyware, Adware & PUPs ยท Keyloggers, Logic Bombs & Rootkits โ€” 20 scored questions + 2 scenario questions.

Chapters 40โ€“43 Practice Exam
๐Ÿ“ 20 scored questions โฑ๏ธ 25-minute target ๐ŸŽฏ Pass threshold: 80% (16/20)
Time remaining
25:00
Part A โ€” Multiple Choice (Questions 1โ€“20)
Ch 40 ยท Malware Overview
Question 1 of 20
A user downloads what appears to be a free video editing program from a third-party website. After installation, the program functions as advertised. Two weeks later, IT discovers the workstation is secretly mining cryptocurrency, sending results to an external server, while the editing program continues to run normally. What type of malware BEST describes the installed software?
โœ… C. A Trojan horse is malware that disguises itself as a legitimate, useful application to deceive the user into installing it. The defining characteristics are present: the software performs its advertised function (video editing works), concealing the malicious payload (cryptocurrency miner) running in the background. Unlike a virus (A), a Trojan does not self-replicate or attach to other files. Unlike a worm (B), it doesn't propagate autonomously across a network. The "horse" in the name refers to the deceptive container โ€” just as the Trojan horse concealed soldiers inside a gift, this software conceals malware inside a functional program.
Ch 40 ยท Malware Overview
Question 2 of 20
An antivirus tool flags a previously unknown file as suspicious even though no signature for it exists in any threat database. The tool's determination was based on observing that the file, when executed in a sandbox, attempted to disable other security tools, write to the system registry's startup keys, and establish outbound connections to external IP addresses. Which detection method identified this threat?
โœ… C. Behavioral or heuristic detection identifies threats by what they do rather than by matching known signatures. The key phrase is "previously unknown file" with "no signature in any threat database" โ€” this immediately rules out signature-based detection (A), which requires a pre-existing pattern match. The tool used sandbox execution to observe behavior: disabling security tools, modifying startup registry keys (persistence mechanism), and establishing outbound C2 connections are all behaviors associated with malware regardless of whether the specific file has been catalogued. This is the detection method that identifies novel threats, zero-days, and custom malware that signature databases haven't yet captured.
Ch 40 ยท Malware Overview
Question 3 of 20
What is the PRIMARY technical characteristic that distinguishes ransomware from other malware categories?
โœ… B. Ransomware's defining technical characteristic is file encryption combined with a ransom demand for the decryption key. The victim's files are rendered inaccessible โ€” the data still exists but is unreadable without the key the attacker holds. This is fundamentally different from spyware (which silently exfiltrates data without disruption), viruses (which damage or replicate files), and rootkits (which hide in the kernel). The business model of ransomware โ€” direct extortion of the victim โ€” is what makes it distinct. Some ransomware does spread via worm mechanisms (WannaCry), but self-replication is not a defining characteristic; a ransomware payload can be deployed by any delivery method including phishing email.
Ch 40 ยท Malware Overview
Question 4 of 20
An organization discovers that hundreds of its employee workstations are sending small periodic data packets to an external server despite no user-initiated activity. The traffic pattern shows all workstations check in at staggered 15-minute intervals and received identical inbound instructions shortly before a large spam campaign originating from these same workstations was detected. What term BEST describes this group of compromised systems?
โœ… C. A botnet is a network of compromised ("zombie") devices under an attacker's remote control via command-and-control (C2) infrastructure. The scenario describes the classic botnet pattern: periodic C2 check-ins (staggered 15-minute intervals), receipt of instructions from the C2 server, and coordinated execution of a malicious task (spam campaign). Device owners are unaware โ€” normal from their perspective. The Zeus botnet (3.6 million PCs at peak) is the course's primary example. Botnets enable DDoS attacks, spam campaigns, credential theft, and more โ€” all without consuming the attacker's own resources, since the botnet devices supply the infrastructure.
Ch 40 ยท Malware Overview
Question 5 of 20
A malware analyst discovers a piece of malware that installs silently via a phishing attachment, makes no network connections, displays no symptoms, and triggers no alerts for 45 days โ€” then suddenly encrypts all accessible file shares and sends an extortion demand. Which statement BEST explains the strategic value of the dormancy period from the attacker's perspective?
โœ… B. The dormancy period in ransomware serves a critical strategic purpose: it gives the malware time to spread laterally across the network and infiltrate backup systems before activating. If ransomware immediately encrypted files upon installation, the victim could restore from yesterday's backup. After 45 days of silent spreading, the ransomware has likely been backed up repeatedly โ€” when it activates, encrypted versions of files are now present in backups as well, eliminating the clean-backup restoration option. This is why modern backup strategies include offline/air-gapped backups and regular recovery testing โ€” to ensure a clean restore point exists before malware's dormancy window expires. Dormancy also delays detection and response, giving the attacker more time to establish persistence.
Ch 41 ยท Viruses & Worms
Question 6 of 20
Which characteristic MOST clearly distinguishes a worm from a virus?
โœ… C. The defining distinction is autonomy and host dependency. A virus is parasitic โ€” it cannot spread on its own; it attaches to a legitimate host file (executable, document, boot sector) and propagates when a human executes that infected file. A worm is self-contained โ€” it does not need a host file. It exploits network vulnerabilities (open ports, unpatched services) or uses its own propagation mechanisms to spread directly from system to system without any human interaction. WannaCry demonstrated this: it used the EternalBlue SMB exploit to self-replicate across networks, infecting systems that were simply connected to the same network โ€” no user needed to open a file.
Ch 41 ยท Viruses & Worms
Question 7 of 20
Antivirus vendors write a signature for a virus after capturing a sample and distribute it to all customers. Two weeks later, the same virus is spreading at the same rate despite 95% of systems having the updated signature. Analysis shows the virus's code structure is different in every copy โ€” mutating automatically on each replication โ€” while the malicious payload remains functionally identical. What type of virus is this?
โœ… D. A polymorphic virus changes its code signature on every replication while keeping its functional payload intact. The antivirus signature written for the first captured sample describes the code pattern of that specific variant โ€” but every subsequent copy has a different code pattern. The signature never matches again. This is why polymorphic viruses are specifically designed as an anti-detection technique. Detecting them requires behavioral or heuristic methods that observe what the code does rather than what it looks like. Armored viruses (C) obfuscate to slow analysis, not to change signatures on replication.
Ch 41 ยท Viruses & Worms
Question 8 of 20
A technician investigates a workstation where malicious code executes before the operating system loads, redirects disk read/write operations, and persists even after the operating system is completely reinstalled from a clean image. The malware has no presence in any OS-level directory that forensic tools can identify. Where has this malware installed itself?
โœ… B. A boot sector virus installs in the Master Boot Record (MBR) or Volume Boot Record (VBR) โ€” the first sector read from storage during system power-on, executed before any operating system code loads. Two defining properties match the scenario: (1) executes before the OS โ€” because it runs before the OS loader, no OS-level security tool is yet running to detect it; (2) survives OS reinstallation โ€” because OS imaging tools write to the OS partition, not to the boot sector. Secure Boot (UEFI) is designed specifically to defend against this: it validates cryptographic signatures of boot components before allowing execution, blocking unsigned code in the boot sector.
Ch 41 ยท Viruses & Worms
Question 9 of 20
Which of the following scenarios MOST accurately describes a macro virus infection?
โœ… C. A macro virus uses the scripting capabilities built into productivity applications (primarily Microsoft Office) to embed malicious code inside document files. When the document is opened, the macro executes automatically (especially if the user clicks "Enable Macros"). The macro can download additional malware, exfiltrate data, and โ€” crucially โ€” replicate itself into new documents, spreading when those documents are shared. This is why the standard advice for unexpected Office documents from unknown senders is to not enable macros. Scenario A describes a Trojan (standalone executable), B describes a worm, and D describes a persistence mechanism, not a macro virus.
Ch 41 ยท Viruses & Worms
Question 10 of 20
A network worm outbreak infects 18 workstations in the accounting department within 2 hours. The worm also reached the engineering segment, but only infected 2 of 47 engineering workstations before being contained. Investigation shows the worm exploited a specific SMB vulnerability. Which explanation BEST accounts for the dramatically different infection rate between segments?
โœ… B. The most direct explanation for immunity to a worm that exploits a specific vulnerability is patching that vulnerability. If engineering workstations had the patch for the SMB vulnerability and accounting workstations did not, the worm could not exploit the patched systems. The 2 infected engineering workstations represent the unpatched outliers in an otherwise patched segment. This scenario illustrates the fundamental value of patch management against worm propagation: a worm that exploits vulnerability X simply cannot infect a system that is patched for X, regardless of network connectivity. WannaCry spread primarily to systems that had not applied the MS17-010 patch for EternalBlue โ€” the same pattern on a global scale.
Ch 42 ยท Spyware & Bloatware
Question 11 of 20
An employee's laptop shows persistent slowness. Forensic investigation reveals a process capturing screenshots every 30 seconds, logging all keystrokes, and periodically transmitting compressed archives of this data to an external IP address. The process was installed as a component of a "free system optimizer" downloaded from the internet 3 months ago. What malware category BEST describes the installed component?
โœ… C. Spyware is defined by covert surveillance and data exfiltration without user awareness or consent. The three defining elements are all present: (1) covert monitoring โ€” screenshots and keystrokes captured without user knowledge; (2) data exfiltration โ€” compressed archives sent to an external IP; (3) deceptive installation โ€” bundled inside a "free system optimizer" the user deliberately downloaded but did not realize contained a surveillance component. This is a standard spyware delivery mechanism: useful-sounding freeware that bundles a hidden monitoring payload. Adware (B) would display advertisements, not silently capture and transmit activity data. Ransomware (A) would encrypt files and demand payment.
Ch 42 ยท Spyware & Bloatware
Question 12 of 20
What is the PRIMARY distinction between adware and spyware?
โœ… B. Adware and spyware both fall under the broader "potentially unwanted software" category, but their mechanisms and goals differ. Adware's business model is advertising: it displays pop-ups, injects ads into browser sessions, or redirects searches to generate impression or click revenue โ€” the user is aware something is wrong because they see the intrusive ads. Spyware's goal is surveillance: it operates silently, collecting credentials, monitoring browsing behavior, logging keystrokes, and transmitting this data to a third party. The user has no visible indication. Adware is annoying and visible; spyware is dangerous and covert. Both can be distributed via the same freeware bundling mechanisms.
Ch 42 ยท Spyware & Bloatware
Question 13 of 20
A user purchases a new laptop. After the initial setup, they notice 11 pre-installed applications they did not knowingly request โ€” including a trial antivirus, a browser toolbar, a coupon-finding plugin, a music streaming app, and a system optimizer. None of these apps are classified as malicious malware by definition, but they collectively consume significant RAM, slow boot time, and generate recurring notification pop-ups. What category do these applications represent?
โœ… C. Bloatware or PUPs (Potentially Unwanted Programs) are pre-installed or bundled software that users did not knowingly request. Manufacturers include them under OEM (original equipment manufacturer) revenue-sharing agreements โ€” software vendors pay manufacturers to pre-install trial versions. The security concern is twofold: (1) resource consumption โ€” RAM, CPU, and storage consumed by unused programs; (2) attack surface expansion โ€” each additional installed program is a potential vulnerability. The Lenovo Superfish incident (2015) demonstrated how pre-installed OEM software can create serious security vulnerabilities โ€” a browser optimization tool installed on Lenovo laptops actually intercepted HTTPS sessions. Removing bloatware is a standard new-system hardening step.
Ch 42 ยท Spyware & Bloatware
Question 14 of 20
A user reports that after installing a free PDF converter tool, their browser's default search engine changed to an unfamiliar site, their homepage now shows an ad-heavy page they cannot dismiss, new toolbars appeared that cannot be removed through browser settings, and all search results are intermixed with sponsored links that were not present before. Which type of malware is MOST likely responsible?
โœ… B. A browser hijacker is a specific category of adware that targets browser settings โ€” homepage, default search engine, new tab page, and installed extensions/toolbars. The goals are monetization: redirecting searches generates advertising revenue, and modified homepages generate impression revenue. The classic delivery mechanism is bundleware: the PDF converter is real and functional, but it installs the browser hijacker as a bundled component during setup, often with permission buried in fine-print terms or pre-checked installation options. The inability to remove through normal browser settings is also a classic indicator โ€” browser hijackers often write settings to protected registry locations or install persistent extension modules that restore themselves when deleted.
Ch 42 ยท Spyware & Bloatware
Question 15 of 20
A security manager wants to reduce spyware infections from drive-by downloads on corporate workstations. Employees frequently browse the internet for work research. Which combination of controls would MOST effectively prevent spyware delivered via malicious or compromised websites?
โœ… B. Drive-by download spyware requires two things to succeed: (1) the user navigates to a malicious or compromised website; (2) the exploit code on that site successfully exploits a vulnerability in the browser or a plugin. The correct two-layer defense addresses both: a web content filter prevents navigation to sites known to host drive-by exploits (blocking the delivery path), and patching closes the vulnerabilities those exploits need (blocking the execution path). Full-disk encryption (C) protects data at rest but doesn't prevent running malware from reading files in memory. USB restrictions (D) address a different vector. Strong passwords (A) prevent credential attacks, not drive-by downloads. The combination of content filtering plus patching is the standard defense-in-depth approach for this threat.
Ch 43 ยท Other Malware Types
Question 16 of 20
A targeted attack victim used full-disk encryption on their laptop and always accessed their bank via HTTPS. Despite both protections, the attacker obtained their banking credentials. A forensic investigation confirms a keylogger was installed. How did the keylogger succeed despite full-disk encryption and HTTPS?
โœ… B. This is the fundamental "encryption gap" that makes keyloggers so dangerous. There is a moment โ€” after the user presses a key and before the application encrypts the data โ€” when the plaintext character exists in memory or an input buffer. A keylogger intercepts at that moment, capturing credentials in plaintext before they ever reach the encryption layer. Full-disk encryption (BitLocker, FileVault) encrypts data written to storage โ€” it has no effect on active keyboard input. HTTPS encrypts the network transport โ€” but the data is already encrypted by the time it enters the HTTPS stack; the keylogger captured it before that. Neither technology was designed to protect keyboard input, which is why keyloggers remain effective against both.
Ch 43 ยท Other Malware Types
Question 17 of 20
Which of the following MOST accurately describes a logic bomb?
โœ… C. A logic bomb has three defining characteristics: (1) it is embedded within legitimate code โ€” making it invisible to antivirus tools because the surrounding code is genuine and familiar; (2) it remains dormant until triggered โ€” generating no suspicious activity while waiting; (3) its payload executes when a specific condition is met โ€” a time (time bomb), a user event (specific login), a data event (file deletion), or any other programmable condition. Because logic bombs are custom-written for their target environment, they have no known signatures for antivirus to match. Detection relies on file integrity monitoring, code review, and separation of duties to prevent insiders from placing them.
Ch 43 ยท Other Malware Types
Question 18 of 20
On March 20, 2013, at exactly 2:00 PM local time, thousands of computers across South Korea simultaneously became unbootable, displaying "Boot device not found." Investigation revealed the Master Boot Records had been deleted. The destruction occurred simultaneously on systems that had no network connectivity to each other at the time. What type of logic bomb trigger does this incident illustrate?
โœ… C. A time bomb is a logic bomb variant triggered by a specific date and time condition. The key evidence in this scenario is "simultaneous activation on systems that had no network connectivity to each other" โ€” this rules out a C2 command (D), which would require network connectivity. A purely chronological trigger explains simultaneous activation across isolated systems: each infected system independently checked the date/time, and when all reached March 20, 2013, 2:00 PM, each independently executed the payload. The payload was MBR deletion, rendering systems unbootable. The response displayed ("Boot device not found") occurs because without the MBR, the system cannot locate or load the operating system.
Ch 43 ยท Other Malware Types
Question 19 of 20
What makes rootkits uniquely difficult to detect compared to most other malware types?
โœ… B. The rootkit's key advantage is its position in the OS hierarchy. Normal security tools (Task Manager, antivirus, file system scanners) operate at the user-space or application layer and rely on the kernel for information about the system's state. A rootkit operates at the kernel layer โ€” the most privileged layer โ€” and can intercept and modify the responses to system queries. When Task Manager asks the kernel "list all processes," the rootkit removes itself from that list before the answer is returned. When antivirus asks "list all files in C:\Windows\System32," the rootkit removes itself before the list is returned. The security tool is not broken โ€” it accurately reports what the kernel tells it; the kernel is lying. This is why detecting rootkits often requires booting from external trusted media, where the infected OS kernel is not running and cannot manipulate query responses.
Ch 43 ยท Other Malware Types
Question 20 of 20
UEFI Secure Boot is specifically designed to prevent which category of threat, and how does it accomplish this?
โœ… C. Secure Boot is a UEFI firmware feature that establishes a chain of trust starting from the firmware itself. Before allowing any code to execute during the boot process, Secure Boot checks its cryptographic digital signature against a trusted certificate database in the firmware. Bootloaders and OS components signed by trusted authorities (Microsoft, Linux distribution maintainers) pass and are executed. Any code lacking a valid signature โ€” including a boot sector rootkit that inserted itself โ€” fails the check and is blocked before it can load. This directly addresses the rootkit threat vector of pre-OS execution: the rootkit can't load if the firmware won't run unsigned boot code. Note: Secure Boot only protects the boot chain; a rootkit installed after OS load, or one that somehow obtains a valid signing certificate, is not blocked by Secure Boot.
Part B โ€” Scenario Analysis (Unscored โ€” for practice)
Ch 40โ€“41 ยท Scenario
Scenario A โ€” Malware Outbreak Analysis

A healthcare organization's security team responds to a malware outbreak affecting 31 workstations across two clinic locations. The incident timeline shows: (1) A receptionist at the main clinic opened a Word document attached to an email purporting to be a patient referral form โ€” the document asked her to "Enable Content" to view the form. (2) Within 45 minutes, 14 other workstations on the same LAN segment were infected, without any user interaction on those systems. (3) After 48 hours of apparent inactivity, all infected workstations simultaneously encrypted their files and displayed a ransom demand. (4) The organization's backup system was also encrypted โ€” the backup agent runs on the same network segment. Classify the malware type(s) involved, explain the role of each infection vector and propagation mechanism, describe why the backup system was compromised, and outline a defense strategy that addresses each weakness this incident exposed.

Malware Classification:
This is a multi-stage attack combining at least two malware types. Stage 1: a macro virus or Trojan delivered via the Word document attachment. The "Enable Content" prompt is the standard mechanism for activating embedded macros โ€” a classic social engineering step that bypasses macro security. Stage 2: worm behavior โ€” the lateral spread to 14 workstations without user interaction suggests the initial infection used a network vulnerability (e.g., an unpatched SMB service) or a worm module to propagate autonomously. Stage 3: dormancy followed by ransomware payload โ€” the 48-hour waiting period before encryption is consistent with ransomware that includes a propagation-first dormancy window to maximize reach (including into backups).

Infection Vector Analysis:
(1) Initial delivery โ€” the Word macro was the entry point. The receptionist was the human link in the chain; the social engineering was the fake patient referral and the "Enable Content" request. Defense failure: no policy or technical control blocked the macro execution (e.g., Protected View was overridden, or Group Policy did not disable macros in documents from external sources). (2) Lateral propagation โ€” the autonomous spread to 14 LAN workstations without user action indicates a network-based propagation module (worm behavior). The 45-minute timeframe to infect 14 systems is consistent with automated SMB or RPC scanning. Defense failure: lack of network segmentation and unpatched workstations allowed the worm to spread freely within the segment. (3) Dormancy window โ€” the 48-hour delay before encryption allowed the malware to replicate into backup agents and network shares. Defense failure: backup agents running on the same network segment as infected workstations are accessible to the malware.

Why the Backup System Was Compromised:
The backup agent was accessible from the infected network segment. During the 48-hour dormancy window, the malware spread to or encrypted the data accessible to the backup agent โ€” meaning the most recent backups now contain encrypted versions of the files. This is a deliberate design feature of sophisticated ransomware: eliminate the clean-backup recovery path to increase pressure to pay. The defense is offline or air-gapped backups โ€” backups not continuously accessible from the production network โ€” and immutable backup storage that cannot be modified or deleted by ransomware.

Defense Strategy:
(1) Block macro execution from external documents: configure Group Policy to disable macros in Office documents originating from the internet; require approval for trusted document sources. This prevents the initial infection vector. (2) Patch all workstations for known network vulnerabilities: the worm's autonomous spread relied on an exploitable network service. Patching would have contained the outbreak to the single initially infected machine. (3) Network segmentation: workstations should not be able to reach each other directly over SMB or RPC; microsegmentation or VLAN isolation limits worm propagation radius. (4) Air-gapped or immutable backups: backup media not continuously connected to the production network cannot be reached during the dormancy window. The 3-2-1 backup rule (3 copies, 2 different media types, 1 offsite/offline) ensures a clean recovery point always exists. (5) Email filtering and attachment sandboxing: detonate Office attachments in a sandbox before delivery; block documents that attempt to call out to external URLs or execute macros on sandbox analysis. (6) EDR behavioral monitoring: would detect the anomalous process chain (Word spawning network-scanning processes, then lateral movement) and alert on the worm behavior before the ransomware activates.
Ch 42โ€“43 ยท Scenario
Scenario B โ€” Insider Threat and Detection Failure

An IT administrator at a financial firm has been managing the company's database servers for six years. Following a negative performance review, he begins planning a retaliatory act. He writes a script that will delete all database transaction logs if his employee ID is deactivated in the Active Directory. He embeds this script into a legitimate database maintenance job that runs nightly, testing that the script remains invisible to the monitoring tools. Eight months later, his employment is terminated. Two hours after his AD account is disabled, all transaction logs from the past 90 days are permanently deleted. The deletion was not detected until the next morning's audit. Part 1: Classify this attack and explain why the standard malware detection tools failed to prevent or detect it. Part 2: Identify the three administrative controls that, if in place, would have had the greatest probability of preventing this outcome.

Part 1 โ€” Classification and Detection Failure:

Classification: Logic bomb (specifically, a user-event triggered logic bomb). The trigger is the deactivation of a specific employee ID in Active Directory โ€” a user event. The script was embedded in a legitimate maintenance job (the "host"), remained completely dormant until the trigger fired, and executed a destructive payload (log deletion) when the condition was met.

Why antivirus and signature-based tools failed: Logic bombs by design have no known malware signature. The script is custom-written for this specific organization and this specific target. There is no database of previously seen logic bombs to compare it against โ€” it doesn't look like malware because it is embedded inside a legitimate scheduled job that runs authorized database operations. Antivirus tools match known malware patterns; this script has never been seen before and will never appear in a threat feed.

Why behavioral monitoring failed: The script was embedded in a maintenance job that legitimately had database access. When it ran (after the AD trigger), it performed database operations (deletion of logs) that the maintenance job was already authorized to perform. The behavior was indistinguishable from normal maintenance operations โ€” legitimate process, legitimate permissions, legitimate operation type. The only anomaly was that the deletion occurred at an unexpected time (hours after account termination) and targeted 90 days of data rather than a normal maintenance window's logs โ€” but this required log analysis, not real-time behavioral detection.

Why the script remained hidden for 8 months: The administrator had both the access to embed the script and the administrative permissions to obscure it. He could modify the maintenance job, test the script, and ensure monitoring dashboards showed nothing unusual. This illustrates the insider threat's advantage: they operate within the trust boundary that security tools protect rather than attack.

Part 2 โ€” Three Controls That Would Have Helped Most:

Control 1: Separation of Duties for Production Database Changes. No single administrator should have both the ability to write scheduled maintenance jobs AND the ability to deploy them to production without review. If a second person (DBA supervisor, change management board) must approve any change to scheduled database jobs, the malicious script would have been discovered during the approval process. The administrator can write what he wants โ€” but he cannot deploy it without another set of eyes. This is the highest-impact control for insider logic bomb threats.

Control 2: File Integrity Monitoring (FIM) on Scheduled Job Definitions. FIM tools (Tripwire, AIDE) maintain cryptographic hashes of files and configurations. If the database maintenance job definition changed โ€” even slightly โ€” FIM would alert on the unexpected modification. When the administrator embedded the script, that was a file system or database configuration change. FIM would have flagged "maintenance job #14 was modified at [time] by [user]" and generated an alert requiring review. The change occurred 8 months before the incident โ€” an alert at that time would have caught the logic bomb immediately.

Control 3: Immediate Access Revocation Protocol for Terminations โ€” with Pre-Termination Log Review. The AD account deactivation was the trigger. An improved termination procedure would include: (1) HR notifies security the morning before termination (not after the fact); (2) security reviews all scheduled jobs, scripts, and code modifications the employee made in the last N days before deactivation; (3) the account is not deactivated until review is complete; (4) if suspicious code is found, it is removed before the account is disabled. This protocol specifically targets the trigger condition: if the account is never disabled abruptly, a trigger on account deactivation never fires โ€” or if the trigger is discovered during the pre-termination review, it is removed before it can execute.
โ† Exam: Ch 36โ€“39 All Chapters
โ€”
Pass threshold: 80% (16 / 20 correct)
โ† Ch 36โ€“39 Exam All Chapters