While reviewing a Windows Server 2022 file server that had been operating normally, you observe the following:
Microsoft Defender Antivirus service is stopped and records event ID 5010 "The service terminated unexpectedly" every few minutes; attempts to restart the service fail.
Resource Monitor shows an instance of svchost.exe establishing hundreds of outbound TCP connections on port 445 to IP addresses in several countries, even though no clients are currently connected.
Executable files with random eight-character names (for example, a8f9.tmp.exe) appear in C:\ProgramData\Temp every few minutes.
Hardware diagnostics, memory tests, disk checks, and NIC driver/firmware versions all report healthy and current.
Based on this evidence, which of the following is the MOST likely root cause of the problem?
A faulty or incompatible NIC driver is generating phantom network connections.
A virus infection is actively running on the server and attempting to spread.
Corruption in the NTFS filesystem is causing orphan temporary files to be created repeatedly.
DNS cache poisoning on the domain controller is redirecting outbound traffic to malicious hosts.
The combination of a security service that will not stay running, the creation of randomly named executables in a temporary system folder, and unsolicited outbound network activity is a classic indicator that malware is active on the host. Modern viruses frequently attempt to disable antivirus defenses, drop or modify files to maintain persistence, and open outbound sessions to propagate or to contact command-and-control infrastructure. A NIC driver fault, filesystem corruption, or DNS cache poisoning could each cause an isolated symptom, but none of them would simultaneously explain the disabled antivirus service, the continuous creation of suspicious executables, and the outbound connections. Therefore, an active virus infection is the most probable cause.
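A read-only PowerShell triage pass that collects the three indicators the explanation relies on, added here as an example; it is not part of the exam question or its source. It assumes a Windows Server host with an elevated session, takes the C:\ProgramData\Temp path and Defender event ID 5010 from the scenario as given, and the file-name pattern and the connection threshold are constructed heuristics rather than vendor signatures.

```powershell
# Added triage example (not part of the exam question): gather the three
# indicators from the scenario on the affected host in one read-only pass.
# Run in an elevated PowerShell session on the server under review.
# Assumptions: temp path and event ID come from the question text; the
# file-name regex and the connection threshold are constructed heuristics.

$TempPath   = Join-Path $env:ProgramData 'Temp'
$DefenderId = 5010        # event ID as stated in the scenario
$SmbLimit   = 50          # constructed threshold for "unsolicited" outbound SMB

# 1. Antivirus service state: a WinDefend service that is stopped and will
#    not start is the first indicator in the scenario.
$svc = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
$svcStatus    = if ($svc) { $svc.Status }    else { 'NotFound' }
$svcStartType = if ($svc) { $svc.StartType } else { 'NotFound' }

# Recent Defender operational events with the ID named in the scenario.
$defenderEvents = @(Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = $DefenderId
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message)

# 2. Unsolicited outbound SMB: a file server accepts 445 inbound; it should not
#    be opening hundreds of 445 sessions outward. Group by owning process so the
#    responsible svchost.exe and its PID are identified, not just the port.
$outboundSmb = @(Get-NetTCPConnection -RemotePort 445 -ErrorAction SilentlyContinue |
    Where-Object { $_.State -eq 'Established' -or $_.State -eq 'SynSent' } |
    Group-Object OwningProcess |
    ForEach-Object {
        $proc = Get-Process -Id $_.Name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            PID         = [int]$_.Name
            Process     = if ($proc) { $proc.ProcessName } else { 'unknown' }
            Connections = $_.Count
            UniqueHosts = @($_.Group.RemoteAddress | Sort-Object -Unique).Count
        }
    })
$smbTotal = 0
foreach ($entry in $outboundSmb) { $smbTotal += $entry.Connections }

# 3. Dropped executables: short random names ending in .tmp.exe, as in the
#    scenario's a8f9.tmp.exe. Hash each file so it can be preserved as evidence.
$droppedFiles = @(Get-ChildItem -Path $TempPath -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '^[0-9a-z]{4,12}\.tmp\.exe$' } |
    Sort-Object LastWriteTime -Descending |
    Select-Object Name, Length, CreationTime, LastWriteTime,
        @{ n = 'SHA256'; e = { (Get-FileHash $_.FullName -Algorithm SHA256).Hash } })

# Correlate: the explanation's point is the combination. Any single finding
# may have a benign cause; two or more together warrant isolating the host.
$hits = @(
    ($svcStatus -ne 'Running'),
    ($smbTotal -gt $SmbLimit),
    ($droppedFiles.Count -gt 0)
) | Where-Object { $_ }
$hitCount = @($hits).Count
$assessment = if ($hitCount -ge 2) {
    'Likely active malware: isolate the host and preserve the hashed files and event log'
} else {
    'Insufficient correlation: investigate each finding on its own'
}

[pscustomobject]@{
    Host             = $env:COMPUTERNAME
    DefenderStatus   = $svcStatus
    DefenderStartType = $svcStartType
    DefenderEvents   = $defenderEvents.Count
    OutboundSmbTotal = $smbTotal
    OutboundSmbByPid = $outboundSmb
    DroppedFiles     = $droppedFiles
    IndicatorsHit    = $hitCount
    Assessment       = $assessment
}
```

The script only reads state and hashes files; it deliberately does not stop processes or delete anything, so the evidence the explanation describes (the repeating event, the owning svchost PID, the dropped files and their hashes) survives for the incident record before any remediation begins.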