333. Heuristic Scanner - Analyzes the instructions in the code being scanned and decides, on the basis of statistical probabilities, whether it could contain malicious code. A heuristic scanning result can indicate that malware may be present, i.e. that the file is possibly infected. Heuristic scanners tend to generate a high level of false-positive errors (they indicate that malware may be present when, in fact, no malware is present). Scanners examine memory, the disk boot sector, executables, data files, and command files for bit patterns that match known malware. Scanners, therefore, need to be updated periodically to remain effective.
B. Immunizers - Defend against malware by appending sections of themselves to files, sometimes in the same way malware appends itself. Immunizers continuously check a file for changes and report changes as possible malware behavior. Other types of immunizers are focused on a specific malware and work by giving the malware the impression that it has already infected the computer. This method is not always practical since it is not possible to immunize a file against all known malware.
C. Behavior Blocker - Focuses on detecting potentially abnormal behavior such as writing to the boot sector or the master boot record, or making changes to executable files. Blockers can potentially detect malware at an early stage. Most hardware-based anti-malware mechanisms are based on this concept.
D. Integrity CRC checker - Computes a binary number on a known malware-free program that is then stored in a database file. The number is called a Cyclic Redundancy Check (CRC). On subsequent scans, when that program is called to execute, the checker compares the file to the database and reports a possible infection if changes have occurred. A match means no infection; a mismatch means a change in the program has occurred. A change in the program could mean malware within it. These scanners are effective in detecting infection; however, they can do so only after infection has occurred. Also, a CRC checker can only detect subsequent changes to files, because it assumes files are malware-free in the first place. Therefore, they are ineffective against new files that are malware-infected and that are not recorded in the database. Integrity checkers take advantage of the fact that executable programs and boot sectors do not change often, if at all.
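The integrity checker described in option D, as an added Python example (not code from the CISA manual or this question set). The "files" are constructed in-memory byte strings, and the example deliberately shows both limitations the explanation mentions: a file that was already infected when the baseline was taken still reports a match, and a file that was never recorded in the database cannot be checked at all.

```python
import zlib
from typing import Dict

# Constructed sample "files": name -> content bytes. No real programs are involved;
# the "injected" marker below is just text that stands in for a modified program.
CLEAN_FILES: Dict[str, bytes] = {
    "boot_sector.bin": b"constructed-boot-sector-bytes",
    "editor.exe": b"MZ\x90\x00editor-program-body",
    # Assumption for the example: this file was already modified BEFORE the
    # baseline was recorded, so the checker will trust it (the CRC approach's blind spot).
    "already_bad.exe": b"MZ\x90\x00program-body+injected-marker",
}


def crc_of(data: bytes) -> int:
    """Cyclic Redundancy Check of the file contents (the 'binary number' stored in the database)."""
    return zlib.crc32(data) & 0xFFFFFFFF


def build_baseline(files: Dict[str, bytes]) -> Dict[str, int]:
    """Database of CRCs for files that are ASSUMED malware-free at baseline time."""
    return {name: crc_of(content) for name, content in files.items()}


def check_integrity(files: Dict[str, bytes], baseline: Dict[str, int]) -> Dict[str, str]:
    """Classify each current file against the database.

    'match'      - CRC equals the stored value: no change since baseline.
    'mismatch'   - the program has changed: possible infection, report it.
    'unrecorded' - no baseline entry exists, so the checker cannot say anything.
    """
    results = {}
    for name, content in files.items():
        if name not in baseline:
            results[name] = "unrecorded"
        elif crc_of(content) == baseline[name]:
            results[name] = "match"
        else:
            results[name] = "mismatch"
    return results


def demo() -> Dict[str, str]:
    """Take a baseline, simulate later changes, and run the subsequent scan."""
    baseline = build_baseline(CLEAN_FILES)
    later = dict(CLEAN_FILES)
    # A section appended after the baseline: the checker detects this.
    later["editor.exe"] = CLEAN_FILES["editor.exe"] + b"\x90\x90appended-section"
    # A new file that was never baselined: the checker cannot judge it.
    later["newtool.exe"] = b"MZ\x90\x00unknown-new-program"
    return check_integrity(later, baseline)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:20s} {status}")
```

Running it reports `editor.exe` as a mismatch and `newtool.exe` as unrecorded, while `already_bad.exe` passes as a match because the baseline itself was taken from an already-modified file. Note that a CRC detects accidental changes but is not collision-resistant; a real integrity checker should store a cryptographic hash (SHA-256, for example) so that a deliberate modification cannot be made to keep the same checksum.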
The following were incorrect answers:
Scanners - Look for sequences of bits called signatures that are typical of malware programs.
Immunizers - Defend against malware by appending sections of themselves to files, sometimes in the same way malware appends itself. Immunizers continuously check a file for changes and report changes as possible malware behavior.
Behavior Blocker - Focuses on detecting potentially abnormal behavior such as writing to the boot sector or the master boot record, or making changes to executable files. Blockers can potentially detect malware at an early stage. Most hardware-based anti-malware mechanisms are based on this concept.
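The signature scanner described above (sequences of bits matched against memory, the boot sector and executables), as an added Python example that is not part of the original question material. The signature database and the scanned objects are all constructed for the example and match no real malware; each signature is a byte mask in which `None` marks a wildcard byte, which is what the "malware mask/signature" wording in the next question refers to. The last scanned object is a variant whose pattern is not in the database, which is why the explanation says scanners must be updated periodically.

```python
import re
from typing import Dict, List, Optional, Sequence

# Constructed signature database: name -> byte mask. None is a one-byte wildcard.
# These markers are invented for the example and do not correspond to real malware.
SIGNATURE_DB: Dict[str, Sequence[Optional[int]]] = {
    "Example.Worm.A": list(b"EX-WORM-A-MARK"),
    # Two variable bytes in the middle, as a mask would allow for a polymorphic field.
    "Example.Trojan.B": list(b"TRJ") + [None, None] + list(b"-B-MARK"),
}


def compile_mask(mask: Sequence[Optional[int]]) -> "re.Pattern[bytes]":
    """Turn a byte mask into a bytes regex: literal bytes are escaped, wildcards become '.'."""
    parts = [b"." if b is None else re.escape(bytes([b])) for b in mask]
    return re.compile(b"".join(parts), re.DOTALL)


COMPILED = {name: compile_mask(mask) for name, mask in SIGNATURE_DB.items()}


def scan_object(data: bytes) -> List[str]:
    """Return the names of all signatures found anywhere in one scanned object."""
    return sorted(name for name, rx in COMPILED.items() if rx.search(data))


def scan_all(objects: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Scan every object (memory image, boot sector, executables) and report matches per object."""
    return {label: scan_object(blob) for label, blob in objects.items()}


def demo() -> Dict[str, List[str]]:
    """Constructed scan targets standing in for memory, a boot sector and two executables."""
    objects = {
        "memory": b"\x00" * 8 + b"EX-WORM-A-MARK" + b"\x00" * 8,
        "boot_sector": b"constructed boot sector bytes TRJ\x07\x11-B-MARK tail",
        "editor.exe": b"MZ\x90\x00clean-program-body",
        # A variant with a changed marker: not in the database, so it is missed
        # until the signature database is updated.
        "variant.exe": b"MZ\x90\x00EX-WORM-A-MASK",
    }
    return scan_all(objects)


if __name__ == "__main__":
    for label, hits in demo().items():
        print(f"{label:12s} {hits or 'no signature match'}")
```

The wildcard bytes let one entry cover a family whose members differ in a few positions, but the scanner is still only as good as its database: the `variant.exe` object is reported clean even though it differs from a known pattern by one byte, which is the gap that heuristic scanners and integrity checkers are meant to narrow.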
The following reference(s) were/was used to create this question: CISA review manual 2014, page numbers 354 and 355
2119. Which are the two primary types of scanner used for protecting against malware?
A. Malware mask/signatures and Heuristic Scanner
B. Active and passive Scanner
C. Behavioral Blockers and immunizer Scanner
D. None of the above