Exam SY0-601
Question 669

A document that appears to be malicious has been discovered in an email that was sent to a company's Chief Financial Officer (CFO). Which of the following would be BEST to allow a security analyst to gather information and confirm it is a malicious document without executing any code it may contain?

A. Open the document on an air-gapped network.
B. View the document's metadata for origin clues.
C. Search for matching file hashes on malware websites.
D. Detonate the document in an analysis sandbox.

    Correct Answer: C

    To determine whether a document is malicious without executing any code, the best approach is to search for matching file hashes on malware websites. The analyst computes a cryptographic hash (for example SHA-256) of the file's raw bytes and compares it against databases of hashes from known malicious files; the file is never opened or rendered, so nothing it contains can run. Two caveats apply: a hash lookup only identifies samples that have already been catalogued, and any change to the file, even a single byte, produces a different hash, so a miss does not prove the document is benign. Viewing the document's metadata might offer clues about its origin, but metadata is trivially editable and does not confirm whether the document is malicious. Opening the document, even on an air-gapped network, or detonating it in a sandbox involves executing whatever code it contains, which the question specifically rules out.
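
The hash-first workflow described above, written out as an added example that is not part of the original page or of any exam material. It hashes the raw bytes and checks them against a known-bad list, shows why a single-byte change defeats that lookup, and then goes one step further than option C by statically reading the OOXML zip container for a VBA macro part and the core-properties metadata, still without rendering the document. The known-bad hash set and the in-memory sample .docx are constructed here so the script runs offline; in practice the digests would be looked up on a malware-intelligence service.

```python
"""Static triage of a suspicious document without opening it.

Added example, not code from the original page or from any vendor.  Hash the
file's raw bytes and look the digests up against known-malicious hashes, then
statically inspect an OOXML (.docx/.xlsx) container for a macro part and
author metadata.  Nothing here renders the document or runs its code.

Assumptions (not from the page): KNOWN_BAD stands in for a lookup on a
malware-intelligence site and is filled from the constructed sample at run
time; the sample .docx is built in memory so the script runs offline.
"""
import hashlib
import io
import xml.etree.ElementTree as ET
import zipfile

# Namespaces used in docProps/core.xml of an OOXML package.
CORE_NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}


def file_hashes(data: bytes) -> dict:
    """MD5, SHA-1 and SHA-256 of the raw bytes; the file is never parsed."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def hash_lookup(data: bytes, known_bad: set) -> list:
    """Algorithms whose digest matches a known-malicious hash.

    An empty result is NOT a clean verdict: changing a single byte of the
    file yields a different digest, so a new or tweaked variant never matches.
    """
    return [alg for alg, digest in file_hashes(data).items() if digest in known_bad]


def static_ooxml_triage(data: bytes) -> dict:
    """Inspect an OOXML zip container without rendering the document.

    Only the zip directory and the small core-properties XML part are read.
    A vbaProject.bin part means the document carries VBA macros.
    """
    report = {"is_ooxml": False, "has_vba_project": False, "metadata": {}}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return report
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        report["is_ooxml"] = "[Content_Types].xml" in names
        report["has_vba_project"] = any(n.lower().endswith("vbaproject.bin") for n in names)
        if "docProps/core.xml" in names:
            root = ET.fromstring(zf.read("docProps/core.xml"))
            for tag in ("dc:creator", "cp:lastModifiedBy", "dcterms:created", "dcterms:modified"):
                el = root.find(tag, CORE_NS)
                if el is not None and el.text:
                    report["metadata"][tag] = el.text
    return report


def build_sample_docx(with_macro: bool, author: str) -> bytes:
    """Constructed stand-in for the CFO's attachment (not a real malicious file)."""
    core = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        "<cp:coreProperties"
        ' xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties"'
        ' xmlns:dc="http://purl.org/dc/elements/1.1/"'
        ' xmlns:dcterms="http://purl.org/dc/terms/"'
        ' xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
        f"<dc:creator>{author}</dc:creator>"
        "<cp:lastModifiedBy>Finance Dept</cp:lastModifiedBy>"
        '<dcterms:created xsi:type="dcterms:W3CDTF">2023-05-01T09:00:00Z</dcterms:created>'
        "</cp:coreProperties>"
    )
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("docProps/core.xml", core)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Placeholder bytes only; a real VBA storage is an OLE compound file.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 16)
    return out.getvalue()


def triage(data: bytes, known_bad: set) -> dict:
    """Full static report: hashes, hash-list matches and container findings."""
    report = {"hashes": file_hashes(data), "hash_matches": hash_lookup(data, known_bad)}
    report.update(static_ooxml_triage(data))
    return report


if __name__ == "__main__":
    sample = build_sample_docx(with_macro=True, author="Bogus Author")
    KNOWN_BAD = {file_hashes(sample)["sha256"]}  # pretend this hash was published
    print(triage(sample, KNOWN_BAD))
    # Flip one byte: same document to a reader, but the hash lookup now misses.
    variant = bytearray(sample)
    variant[-1] ^= 0x01
    print(hash_lookup(bytes(variant), KNOWN_BAD))
```

A hit on the hash list is conclusive; a miss only says the exact bytes are not catalogued, which is why the container findings (macro part present, implausible author) are worth recording alongside it even though they are not proof on their own.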

Discussion
fryderyk

Another senseless question...

kopeba3998 (Option: C)

Everyone can change the metadata of a file. B is wrong. I choose C.

LinkinPark4evr

Exactly. I agree with C.

DarexTech100 (Option: D)

I will go for D. Options A and B do not involve executing the document, and thus might not reveal all the malicious activities it is designed to perform. Option C, searching for matching file hashes on malware websites, can be helpful but might not provide conclusive results if the document is a new or unknown variant of malware.

qwes333 (Option: C)

The question clearly said "without executing any code", so sandbox can't be an option. Matching the hash is the way.

johnabayot (Option: C)

Option C appears to be the only one that can allow the security analyst to gather information and confirm it is a malicious document without expecting any code it may contain to execute.

azzawim (Option: D)

Answer is D. Cisco uses AMP and others use Cuckoo.

Cisco103 (Option: D)

D is correct; an attacker can change only one letter in the document and the hash has never been logged before.

LanTheMan (Option: B)

WITHOUT executing any code: cannot be A or D, must be either B or C. Bad question all around, but B seems to be the best answer to me.

brf2017 (Option: B)

The question said "without executing any code". So A - no. D - detonate - no. C - search on malware websites? Maybe - lots of fake info - it's a malware site after all. Best answer is view doc metadata for clues - like when you turn on your location service on your iPhone and take a picture - the picture includes metadata - you can't see it but it contains tags of what the picture is, and your location.

NetworkTester1235

Metadata can be spoofed. Best answer is C.

MortG7 (Option: B)

A. Open the document on an air-gapped network. ---> wrong because it involves executing
B. View the document's metadata for origin clues. --> best of the worst
C. Search for matching file hashes on malware websites. --> we assume hash is published
D. Detonate the document in an analysis sandbox. ---> involves executing

xBrynlee (Option: C)

Bootcamp notes to a question similar to this: Detonation/execution of a file in a sandbox would give you the ability to analyze its behavior in a controlled environment, making it a good answer. The question specifically mentions not executing any code so C is much safer

shady23 (Option: D)

D. Detonate the document in an analysis sandbox. An analysis sandbox is a controlled environment where potentially malicious files can be executed or opened safely, allowing security analysts to observe their behavior and effects without risking damage to the organization's network or systems. This method enables the extraction of valuable information about the document's behavior and potential threats without exposing the organization's infrastructure to risk.

Marleigh

This wouldn't meet the requirement of "without executing any code it may contain". Yes, you are correct and this is a valid choice. However, it is CompTIA. The most correct answer would be B; that way you can still gather information about the file without executing it.

Geronemo (Option: B)

B. View the document's metadata for origin clues. Here's why:
Metadata examination: Document metadata often contains information about its origin, author, creation date, and editing history. By examining the metadata, a security analyst can gain insights into the document's source and potentially identify any suspicious attributes or discrepancies.
Non-execution: Viewing the metadata does not involve executing any code contained within the document, thus minimizing the risk of inadvertently triggering malicious behavior.

Geronemo

Option A, opening the document on an air-gapped network, might mitigate the risk of spreading malware to other systems, but it still carries the risk of triggering malicious code within the document. Option C, searching for matching file hashes on malware websites, could be useful for identifying known malicious documents but may not be effective against new or customized threats. Option D, detonating the document in an analysis sandbox, involves executing the document in a controlled environment to observe its behavior. While this can provide valuable insights, it also carries the risk of inadvertently activating malicious code and spreading malware. Therefore, option B is the best choice as it allows the security analyst to gather information about the document's potential malicious nature without executing any code.

Titanbug (Option: B)

Analyzing the metadata can offer insights into the author of the document, its creation date, and additional information. This analysis can aid in verifying the legitimacy of the document or identifying potential malicious content without the necessity of running any code.

bolajiambex (Option: B)

It's B, no code execution

jwoyer001 (Option: B)

It's B, you are not executing the code like you are in option D.