During an investigation, a cybersecurity analyst needs to verify if a suspicious executable is a piece of known malware. The file does not trigger any antivirus alerts, and initial scans return no conclusive results. Which of the following methods should the analyst use to determine if the file is malicious?
Compare the file's hash against known malicious hashes in threat intelligence databases.
Ensure the file is code signed to confirm its legitimacy.
Apply the latest security patches to the host system and then re-scan the file to see if it is detected as malicious.
Check the file creation date to see if it corresponds with the date of any known malware release dates.
Comparing the hash of the file with known malicious hashes from trusted databases such as the National Software Reference Library (NSRL) or other reputable sources is an effective method to determine if the file is a piece of known malware. This is reliable because a cryptographic hash is, for practical purposes, unique to a file's exact contents, so a match indicates that the file is definitively the same as one in the database, which contains hashes of known malicious files. The incorrect answers either do not provide conclusive evidence (looking at the file creation date) or relate to other security practices (code signing, applying the latest security patches) that do not directly bear on analysing a file to identify malware.
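As an added example that is not part of the original question set, the Python script below shows the hash-comparison workflow the explanation describes: hash the suspect file once (MD5, SHA-1 and SHA-256 in a single pass, since feeds mix algorithms), parse a known-bad hash feed, and report a match only on an exact digest. The feed lines, labels and sample files are constructed placeholders, not real indicators. Note that the absence of a match yields "unknown", not "clean": a file missing from the feed may simply be unseen or recompiled.

```python
import hashlib
import tempfile
from pathlib import Path

ALGORITHMS = ("md5", "sha1", "sha256")
CHUNK_SIZE = 1 << 20  # hash in 1 MiB chunks so large binaries need not fit in memory
_LEN_TO_ALGO = {32: "md5", 40: "sha1", 64: "sha256"}  # hex-digest length identifies the algorithm


def _digests(chunks) -> dict:
    """Feed every chunk to all three hashers in one pass and return hex digests."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data: bytes) -> dict:
    """Digests of an in-memory blob (useful for samples already extracted from a capture)."""
    return _digests([data])


def hash_file(path: Path) -> dict:
    """Digests of a file on disk, read in chunks."""
    with open(path, "rb") as fh:
        return _digests(iter(lambda: fh.read(CHUNK_SIZE), b""))


def load_intel(lines) -> dict:
    """Parse a constructed 'known-bad hash' feed with one 'hexdigest,label' entry per line.
    Entries are bucketed by algorithm; malformed lines are skipped rather than mis-bucketed."""
    intel = {name: {} for name in ALGORITHMS}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, label = line.partition(",")
        digest = digest.strip().lower()
        algo = _LEN_TO_ALGO.get(len(digest))
        if algo is None or any(c not in "0123456789abcdef" for c in digest):
            continue
        intel[algo][digest] = label.strip() or "unlabelled"
    return intel


def lookup(hashes: dict, intel: dict):
    """Return (verdict, matches). 'known-malicious' requires an exact digest match;
    no match means 'unknown', because a hash set cannot prove a file benign."""
    matches = {algo: intel[algo][d] for algo, d in hashes.items() if d in intel[algo]}
    return ("known-malicious" if matches else "unknown"), matches


def demo() -> dict:
    """Constructed end-to-end run: two sample files, only one of which the feed lists."""
    with tempfile.TemporaryDirectory() as tmp:
        suspect = Path(tmp) / "suspect.bin"
        other = Path(tmp) / "other.bin"
        suspect.write_bytes(b"abc")  # constructed stand-in for the suspicious executable
        other.write_bytes(b"constructed sample that no feed lists\n")
        feed = [
            "# constructed feed: placeholder entries, not real IoCs",
            "900150983cd24fb0d6963f7d28e17f72,Example.Family.A",  # md5 of b"abc"
            "0" * 64 + ",Placeholder.B",  # placeholder sha256 entry, matches nothing here
            "not-a-hash,ignored",  # malformed line, skipped by load_intel
        ]
        intel = load_intel(feed)
        return {name: lookup(hash_file(p), intel)
                for name, p in (("suspect", suspect), ("other", other))}


if __name__ == "__main__":
    for name, (verdict, matches) in demo().items():
        print(f"{name}: {verdict} {matches}")
```

Hashing all three algorithms in one read matters in practice because older feeds list MD5 or SHA-1 while current ones list SHA-256; the lookup then reports which algorithm matched, which tells the analyst how old the intelligence entry is likely to be.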