CompTIA CySA+ Exam: Preventing Malware Infections | Rule Creation Guide

Preventing Malware Infections

Question

A security analyst suspects a malware infection was caused by a user who downloaded malware after clicking http://<malwaresource>/a.php in a phishing email.

To prevent other computers from being infected by the same malware variation, the analyst should create a rule on the __________.

Answers

A. email server to automatically delete attached executables.
B. IDS to match the malware sample.
C. proxy to block all connections to <malwaresource>.
D. firewall to block connection attempts to dynamic DNS hosts.

Explanations

C.

The best answer to the given question is C. proxy to block all connections to <malwaresource>.

Explanation: In this scenario, a user was tricked into clicking a link in a phishing email and downloaded malware from a malicious website. The analyst's goal is to prevent other computers from being infected by the same malware variation, so the control that matters is one that stops the malware from being downloaded from the same malicious source.

Option A, creating a rule on the email server that automatically deletes attached executables, may be a good idea to stop users from inadvertently executing malicious attachments. However, the infection here came from a link, not an attachment, so the rule does nothing to stop another user from following the same link to the malicious website and downloading the malware.

Option B, creating an IDS rule to match the malware sample, can detect the same malware and alert the analyst when it appears again. However, an IDS is a detection control, not a blocking one; it won't prevent the malware from being downloaded from the same malicious source.

Option D, creating a firewall rule to block connection attempts to dynamic DNS hosts, can prevent connections to known malicious sites hosted on dynamic DNS services used by attackers. However, nothing in the scenario indicates that <malwaresource> is a dynamic DNS host, and such a rule may not be effective in preventing users from reaching new, unknown malicious websites.

Therefore, the best option is C, creating a rule on the proxy to block all connections to <malwaresource>. This prevents any user who follows the link from reaching the malicious website and downloading the malware. The proxy can be configured to block all connections to the specific domain or IP address associated with the malicious source, and it can additionally block related domains or IP addresses so that users cannot reach similar malicious sites. For the rule to be effective, clients must actually pass through the proxy (for example, direct outbound web access is blocked at the firewall), and logging the blocked requests also reveals which other users clicked the link and may need follow-up.