
Multiple Choice

This technique compares characteristics of all system processes and executable files with a database of known rootkit fingerprints.

Explanation:

Matching all system processes and executables against a database of known rootkit fingerprints is signature-based detection. This approach relies on precomputed fingerprints (hashes, unique code patterns, import tables, or specific strings) that uniquely identify known rootkit samples. When a file or process matches one of these fingerprints, it can be flagged immediately as a known threat. It works efficiently because you're essentially doing a catalog check: if the fingerprint is in the database, you've found a known rootkit.

The strength here is precision for known threats and speed, since exact fingerprints trigger a direct alert. Its limitation is that it won't catch new or modified rootkits that don't yet have a fingerprint in the database, which is why signature databases need to be continuously updated. Other approaches focus on deviations from a trusted baseline (integrity-based), suspicious behavior (behavior-based), or generalized patterns (heuristic-based), rather than exact known signatures, which is why they aren't the best fit for the scenario described.
