A plus 1002 Sub-objective 3.2 – Given a scenario, troubleshoot and resolve PC security issues
Welcome to ExamNotes by CertBlaster! If you are following these in order we hope you came through 3.1 intact! Here in A plus 1002 Sub-objective 3.2, we will use some of the same tools from 3.1 while paying closer attention to the security aspects of our situations and actions. Enjoy!!
Here we will look at some of the indicators that the system is infected with malware or a virus. The terms malware and virus will be used interchangeably on an infected system.
Most users block browser pop-ups in their system. Many sites use pop-ups to generate revenue and some are targeted based on your behavior. As a rule, your first real indication that your system is infected is the appearance of pop-up ads which can appear inside or outside the browser window. The presentation of pop-up ads in the browser while popups are disabled is a potential sign of problems, essentially the tip of the iceberg. The condition can be accompanied by unwanted browser toolbars. Many infections change your browser homepage to redirect traffic to a malicious site. Pop-ups outside the browser window leave little doubt, you have a problem. We will cover the techniques for dealing with this problem in detail later is “Best practice procedure for malware removal”. Just be sure that when you see a random message that your PC may already be infected don’t click the link in the pop-up, this is a classic infection attempt.
Browser Pop-up Blocker On
As mentioned earlier malware programs can change your homepage or in the stealthiest cases route the traffic through a malicious site and then display your correct homepage. All traffic handled on or through a malicious site should be considered compromised. Watch the address line in the browser for indications of this problem.
False security alerts are a very common way to get novice users to click on links to malware and install it. User education is the best prevention method. The ability to discriminate between valid and invalid errors is essential. For example, a PC tool that does not exist on your computer cannot legitimately display an error.
Slow performance can be attributed to a number of real system issues, too many programs, and underpowered equipment being the most common non-malware issues. In the case of malware, you will find the offending programs consuming processor cycles, email, network resources, and local disk and memory. Use the steps outlined in “Best Practices” below to resolve.
Internet connectivity issues
When you experience issues connecting to a site it is important to be able to discriminate between actual problems and those written by older outdated malware. Use the command line to ping the local gateway. Use Ipconfig /all to check your settings. If necessary reboot to Safe mode with networking and access the command prompt. If you are successful at the command prompt you have an infection and you should see the steps outlined in “Best Practices” further down this post.
PC/OS lock up
Infected systems exhibit slow performance and system errors caused by the manipulation or deletion of system files. In the worst case, the system locks up or Blue screens. Reboot and take the steps necessary listed in best practices. Look at the Task Manager and Event Viewer along with updated log files for your anti-malware programs and system update logs.
Applications that behaved normally before then suddenly crash could very likely be exhibiting signs of an infection. Changes made by malware to shared support files commonly lead to program failures for example if malware infects a shared file like a. DLL or. OCX file any program that attempts to use it will fail with the potential for infection. Take the steps necessary listed in best practices.
OS updates failures
Any self-respecting virus author will set his product to block internet access for all known antivirus and antimalware websites they will also prevent system protections like updates for Windows Defender and any system updates to prevent detection. Here is a look at a blocked AV/malware program update.
Antivirus Fails to Connect to Server
Let’s use an example here. Your customer was presented with a popup that warned of infection and offered a fix using their free tool. They click ok and allow the program to install. Now not only are they infected their basic system safeguards may be compromised allowing other infections. It is not unusual to find malware that disables windows protections like the Windows firewall or defender. Here is a Firewall that has been taken over.
Undoubtedly a familiar term to most SPAM is the term we use for unsolicited email messages. These messages are often simple commercial ads sent to your email address because you inadvertently shared them. On the other hand, valid email address lists are prizes for malware perpetrators. They can be used to send you malicious payloads disguised as images or web links. It is important that you handle unsolicited emails especially those with attachments with caution. Do not open them under any circumstance. Here is a typical attempt to get you to open an infected document. It is disguised as an electronic receipt from a business. The user may or may not have made a purchase so there is a percentage of the recipients that will click the attachment and become infected.
Example of Spam-Phishing Malware
Renamed system files
System errors related to the filesystem can be attributed to malware. The malicious payload can rename system files making them unusable by the system. This can cause errors up to and including the dreaded BSOD.
Certain malware can create a backdoor allowing hackers to do any number of things. One tactic sets the file attributes to hidden and although the files are actually present the user cannot see them. While this will not impact system files the user will have difficulty accessing the content.
File permission changes
Another malware tactic is to alter the user’s file permissions to make files seemingly disappear and or become inaccessible.
Your email account can be compromised in cases where you have clicked a phishing email, use a weak password, or if you communicate with your email server in plaintext (unencrypted). Unencrypted communications can be intercepted in wireless hotspots and your credentials can be used to send malware email blasts of spam through your server. This will appear as legitimate traffic until it is detected by either your administrative staff or by you as you begin to receive bounced back emails from failed attempts to reach bad email addresses. There is a difference between hijacking and spoofing as we will see next.
Responses from users regarding email
You can consider your account hijacked if you begin to get replies from people you know about strange emails that you did not send. This is a sign that the malware has access to your contacts. Hopefully, the recipients have enough sense to recognize spammed communications. If your account is spoofed it does not use your email credentials only your email address as the “From” address and you will receive anything that bounces back.
Automated replies from unknown sent email
If you receive “Out of Office” type replies from people you don’t know this is another sign of malware. The recipient’s automated response is sent to anyone attempting to send emails to that person. Interestingly this automated reply can be used to validate email addresses and return server information.
As we noted earlier a sure sign that you have a malware issue is the inability to access your files. Hackers with administrative access to your system can wreak irreversible damage. You will notice this when you get an access denied message while attempting to access a file or folder that you created. This indicates a permission change on your account or the content itself. Either situation is bad. In the worst case of ransomware, a covertly installed program encrypts the Master File Table and holds it for ransom. The user is accused of everything from terrorism to pornography and is locked out of their system until a ransom is paid and a decryption key is issued. You may or may not get the decryption key but that is the only practical way to recover your data. One infected user actually turned themselves into the FBI as a result of this attack as he was guilty of some of the charges. Long story short be careful what you open and click on.
Invalid certificate (trusted root CA)
Security is often handled behind the scenes. When accessing a secure website (HTTPS) for example its SSL Certificate is examined. There is a main Certificate Authority (CA) that issues root certificates that are downloaded to the clients validating the server authenticity. The certificate is examined upon access and compared to the stored list. First, we will look in the Internet Properties Content tab to see the Trusted Certificates installed and look at a bit of the Microsoft Trusted CA’s 4096-bit Public key.
Microsoft Root CA
If there is a problem you will have to bypass a warning to continue. The errors could be an expiration of the certificate, a certificate issued to a host other than the one being accessed, issued by an untrusted root, revoked, and more. Here is a sample of an untrusted root. The recommendation is that you close the page. You have the option to continue or get more information as shown. Examine these messages carefully before you decide to continue. Well, that’s everything for A plus 1002 Sub-objective 3.2. Hope you enjoyed it! Don’t just sit there! Look for A plus 1002 Sub-objective 3.3! This stuff doesn’t learn itself!