Which technique is described as enumerating key elements in the computer system and comparing them to a baseline dataset that is generated without relying on common APIs, with discrepancies indicating rootkit presence?

• A. Heuristic/Behavior-Based Detection
• B. Cross View-Based Detection
• C. Runtime Execution Path Profiling
• D. Alternative Trusted Medium

Answer: (C)

Runtime Execution Path Profiling focuses on how code actually runs in real time and how that run-time behavior compares to a trusted baseline. In the context of rootkit detection, the approach starts by enumerating key elements of the system—such as processes, loaded modules, files, and other critical objects—and then collecting a baseline of their state or behavior using methods that do not rely on common APIs. Rootkits commonly tamper with or hide behind those APIs, making their presence hard to spot if you rely on the same API surface that the malware is manipulating.

By generating a baseline with a method that avoids those potentially compromised APIs, you establish a ground truth that is harder for a rootkit to fake. Later, you observe the system’s current execution paths and states, compare them to that baseline, and look for discrepancies. Any significant deviation—such as hidden processes, missing modules, or altered control flows—can indicate rootkit activity because the actual run-time behavior diverges from what the trusted baseline predicts.

This method is especially valuable because it targets the actual flow of execution rather than static fingerprints or single-point checks. It differs from purely heuristic or behavior-based detection, which looks for suspicious patterns, and from cross-view techniques, which compare multiple data sources for inconsistencies. It’s not about using an alternate trusted medium, but about profiling how the system executes and spotting abnormal deviations from a trusted, non-tamperable baseline.