ISC2 Systems Security Certified Practitioner (SSCP) Practice Question
After detecting crypto-mining malware on a Linux EC2 instance that hosts a web API, the incident response team has already quarantined the instance by applying a restrictive security group. According to malware eradication best practices, which next step will most effectively remove the malicious code, minimize downtime, and preserve evidence for later analysis?
Remove the quarantine security group, enable Amazon GuardDuty on the account, and continue to monitor the instance for additional malicious behavior before deciding on further action.
Use AWS Systems Manager Run Command to install antivirus on the quarantined instance, delete all detected malicious files, and then place the instance back into the production security group.
Detach the compromised EBS root volume, attach it to a helper instance to manually remove suspicious binaries, reattach it to the original instance, and restart the server.
Create a new instance from a current hardened AMI, update the Auto Scaling group to use it, and snapshot the quarantined instance's EBS volumes for later forensic review before terminating the compromised host.
Re-imaging from a trusted, hardened Amazon Machine Image (AMI) guarantees that any hidden backdoors or altered binaries left by the malware are eliminated, satisfying the eradication goal. Launching a clean replacement instance and updating the Auto Scaling group returns the service to production quickly, meeting recovery objectives. Creating snapshots of the quarantined instance's volumes before termination preserves a point-in-time copy of disk evidence so forensic analysts can examine the original compromise without risking reinfection. Attempting on-box cleaning with antivirus, manually deleting files, or simply monitoring the quarantined instance may leave residual malware or overlook deeper persistence mechanisms, and none of those actions provide a forensically sound copy of the affected system.
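The eradication and recovery sequence the explanation describes (snapshot the quarantined instance's volumes, point the Auto Scaling group at the hardened image, then terminate the host), written out as an AWS CLI runbook. This is an added example, not part of the original question; the instance, case and Auto Scaling group identifiers are placeholders, and it assumes a configured AWS CLI and a launch template that already references the hardened AMI.

```bash
#!/usr/bin/env bash
# Runbook for the scenario above: preserve evidence, roll in clean capacity,
# then retire the compromised host. Assumes a configured AWS CLI (placeholder
# identifiers; constructed example, not from the original question).
set -euo pipefail

# Snapshot every EBS volume on the quarantined instance, tagging each snapshot
# with the case id so the evidence stays traceable. Prints one snapshot id per line.
snapshot_evidence() {
  local instance_id="$1" case_id="$2" vol
  for vol in $(aws ec2 describe-instances --instance-ids "$instance_id" \
      --query 'Reservations[].Instances[].BlockDeviceMappings[].Ebs.VolumeId' \
      --output text); do
    aws ec2 create-snapshot --volume-id "$vol" \
      --description "IR evidence $case_id from $instance_id" \
      --tag-specifications "ResourceType=snapshot,Tags=[{Key=Case,Value=$case_id},{Key=SourceInstance,Value=$instance_id}]" \
      --query SnapshotId --output text
  done
}

# Point the Auto Scaling group at the launch template version built from the
# hardened AMI, so every instance it launches from now on is clean.
roll_clean_capacity() {
  local asg="$1" template_id="$2" version="$3"
  aws autoscaling update-auto-scaling-group --auto-scaling-group-name "$asg" \
    --launch-template "LaunchTemplateId=$template_id,Version=$version"
}

# Terminate the compromised host without lowering desired capacity: the group
# immediately launches a replacement from the hardened template.
retire_compromised_host() {
  aws autoscaling terminate-instance-in-auto-scaling-group \
    --instance-id "$1" --no-should-decrement-desired-capacity
}

# Order matters: refuse to terminate unless at least one snapshot exists.
eradicate_and_recover() {
  local instance_id="$1" case_id="$2" asg="$3" template_id="$4" version="$5"
  local snaps
  snaps=$(snapshot_evidence "$instance_id" "$case_id")
  if [ -z "$snaps" ]; then
    echo "no snapshots created for $instance_id; refusing to terminate" >&2
    return 1
  fi
  roll_clean_capacity "$asg" "$template_id" "$version"
  retire_compromised_host "$instance_id"
  printf '%s\n' "$snaps"
}
```

Run it as `eradicate_and_recover i-0123456789abcdef0 IR-2024-001 api-asg lt-0123456789abcdef0 '$Latest'`; the printed snapshot ids are what the forensic analyst later mounts read-only on a separate analysis instance.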
Incident Response and Recovery