A practice exam focused on VB100 compliance and anti-malware testing. It consists of multiple-choice questions covering topics such as Trojan horses, polymorphic malware, fileless malware, heuristic scanning, and dynamic analysis. Each question is followed by a short explanation of the correct answer, making it a useful resource for students and professionals who want to reinforce their knowledge of anti-malware techniques. The exam also covers false positives, signature creation, and the machine-learning models used in malware detection, giving a broad overview of the field. It is designed to test and reinforce understanding of key concepts in anti-malware testing and compliance.
Typology: Exams
Question 1. Which of the following best describes a Trojan horse?
A) It self-replicates without user interaction.
B) It disguises malicious code as legitimate software.
C) It overwrites the boot sector of a hard drive.
D) It encrypts user files and demands ransom.
Answer: B
Explanation: A Trojan presents itself as a benign program while containing hidden malicious functionality, unlike worms (self-replication) or ransomware (encryption).

Question 2. A malware sample that modifies its own code each time it infects a new system is known as:
A) Polymorphic malware
B) Rootkit
C) Adware
D) Spyware
Answer: A
Explanation: Polymorphic malware encrypts or mutates its payload with each infection, complicating signature detection.

Question 3. Which persistence mechanism stores malicious executables in the Windows “Startup” folder?
A) Registry Run key
B) Scheduled Task
C) Service Installation
D) Startup folder shortcut
Answer: D
Explanation: Placing a shortcut or executable in the Startup folder causes Windows to launch it at each user logon, a common persistence technique.

Question 4. Fileless malware primarily operates by:
A) Installing a hidden driver.
B) Modifying files on disk.
C) Executing malicious code directly in memory.
D) Dropping encrypted payloads on the filesystem.
Answer: C
Explanation: Fileless attacks avoid writing malicious files to disk, instead leveraging legitimate system tools (e.g., PowerShell) to run code in memory.

Question 5. The WildList organization requires that a sample be:
A) Detected by at least 50% of participating AV products.
B) Observed “in the wild” on at least three independent networks.
C) A zero-day exploit.
D) A proof-of-concept only.
Answer: B
Explanation: WildList inclusion criteria demand that the malware be actively observed in real-world infections across multiple sources.

Question 6. For VB100 compliance, an anti-virus product must achieve what detection rate on the WildList set?
A) 90%
B) 95%
C) 99%
D) 100%
D) Emulation heuristic
Answer: B
Explanation: Static heuristics examine the code structure, imports, and patterns without running the program, contrasting with dynamic (behavior-based) heuristics.

Question 10. Which hashing algorithm is commonly used to create a unique identifier for a file in signature-based detection?
A) MD
B) SHA-1
C) SHA-256
D) CRC
Answer: C
Explanation: SHA-256 provides a strong, collision-resistant hash, making it suitable for reliable file identification.

Question 11. Packing a malicious executable primarily aims to:
A) Increase its file size.
B) Hide its code from static analysis.
C) Reduce CPU usage.
D) Enable multi-threading.
Answer: B
Explanation: Packers compress or encrypt the payload, obscuring malicious code from signature scanners that rely on static patterns.

Question 12. In dynamic analysis, which of the following is NOT typically monitored?
A) System calls
B) Network traffic
C) File system changes
D) Source code comments
Answer: D
Explanation: Source code comments are not present in compiled binaries; dynamic analysis focuses on runtime behavior such as calls, I/O, and network activity.

Question 13. A sandbox that isolates malware execution from the host OS is primarily designed to:
A) Speed up scanning.
B) Prevent the malware from affecting the real system.
C) Reduce the size of signature databases.
D) Increase the false-positive rate.
Answer: B
Explanation: Sandboxes create a controlled environment where malicious behavior can be observed safely without harming the host.

Question 14. Host-based Intrusion Prevention Systems (HIPS) monitor which level of activity?
A) Network packets only
B) Application source code
C) Kernel-level system behavior
D) Cloud reputation scores
Answer: C
Explanation: HIPS operates at the kernel level, watching low-level actions like file writes, process creation, and privilege changes.

Question 15. CPU instruction set emulation used in anti-malware products is most useful for:
Question 18. Concept drift in ML-based malware detection refers to:
A) The gradual increase in file sizes.
B) Changes in the distribution of malware characteristics over time.
C) The shift from signatures to heuristics.
D) The migration of AV products to the cloud.
Answer: B
Explanation: As attackers evolve techniques, the statistical properties of malicious samples shift, requiring periodic model retraining.

Question 19. The official VB100 testing environment typically includes which operating system configuration?
A) Windows 10 with all optional security features disabled.
B) Windows 7 SP1 with default (out-of-the-box) settings.
C) Windows Server 2019 with custom group policies.
D) Windows XP with third-party firewalls removed.
Answer: B
Explanation: VB100 tests are run on a clean Windows 7 SP1 installation using default settings to reflect typical end-user environments.

Question 20. When designing internal test cases, which source is most appropriate for acquiring fresh malware samples?
A) Official vendor marketing brochures.
B) Publicly available malware feeds and honeypots.
C) System logs of a clean workstation.
D) Open-source office suites.
Answer: B
Explanation: Malware feeds and honeypots collect real-world malicious samples, providing a realistic base for testing detection capabilities.

Question 21. To ensure a test set reflects WildList criteria, the collected samples must be:
A) Exclusively zero-day exploits.
B) Verified as “in-the-wild” infections.
C) Only polymorphic variants.
D) All encrypted payloads.
Answer: B
Explanation: WildList inclusion requires that the sample has been observed in real infections, not merely theoretical or proof-of-concept code.

Question 22. Which of the following test case designs specifically targets evasive malware techniques?
A) Scanning a static list of known hashes.
B) Executing samples inside a hardened sandbox with API monitoring.
C) Running only signature-based scans on archived files.
D) Verifying that all files are correctly indexed in the AV database.
Answer: B
Explanation: Evasive malware often checks for analysis environments; a sandbox that monitors APIs can reveal such behavior.

Question 23. A “clean set” used for false-positive testing should include:
A) Only executable files.
B) A diverse collection of legitimate software, documents, and archives.
C) Samples that are already flagged by other AV engines.
D) Encrypted ransomware payloads.
D) Loss of compression efficiency.
Answer: B
Explanation: Deeply nested or highly compressed archives can expand exponentially, exhausting resources; limiting recursion mitigates this risk.

Question 27. Which of the following best describes a “zip bomb”?
A) A malicious script hidden inside a ZIP file.
B) A compressed archive that expands to an enormous size when decompressed.
C) An archive that contains a self-extracting executable.
D) A password-protected ZIP file used for ransomware distribution.
Answer: B
Explanation: Zip bombs exploit decompression to consume memory and CPU, potentially crashing scanners that attempt full extraction.

Question 28. Robust error handling in an anti-malware engine ensures that:
A) The engine crashes on malformed files.
B) Scans continue even when encountering corrupted or unsupported files.
C) All corrupted files are automatically deleted.
D) The engine ignores all unknown file types.
Answer: B
Explanation: Proper error handling prevents the scanning process from terminating unexpectedly when encountering bad files.

Question 29. A quarantine mechanism must guarantee which of the following?
A) Immediate deletion of the threat.
B) Isolation of the malicious file from the operating system.
C) Automatic execution of the file in safe mode.
D) Transfer of the file to the cloud without user consent.
Answer: B
Explanation: Quarantine isolates the suspect file, preventing execution while preserving it for analysis or restoration.

Question 30. When removing malware that has altered registry keys, the AV product should:
A) Only delete the executable file.
B) Restore the original registry values to their pre-infection state.
C) Leave the registry untouched to avoid system instability.
D) Disable the Windows Registry service.
Answer: B
Explanation: Proper remediation includes reversing registry modifications to fully restore system integrity.

Question 31. Telemetry data collected by an AV solution is most useful for:
A) Increasing the file size of the product.
B) Tracking the effectiveness of new signatures in the field.
C) Disabling cloud lookups.
D) Preventing all false positives.
Answer: B
Explanation: Telemetry provides real-world feedback on detection rates, enabling vendors to refine signatures and heuristics.

Question 32. Which of the following is a primary advantage of cloud-based reputation lookups?
A) No need for local signatures.
A) Hybrid heuristic analysis
B) Pure signature matching
C) Cloud-only detection
D) Archive-only scanning
Answer: A
Explanation: Combining static code analysis with runtime behavior monitoring creates a hybrid approach that improves detection of obfuscated threats.

Question 36. The primary purpose of a “clean set” regression test after a major engine rewrite is to:
A) Increase the number of detected malware samples.
B) Confirm that no legitimate files are now flagged.
C) Add new file types to the signature database.
D) Remove outdated signatures.
Answer: B
Explanation: Regression testing ensures that changes have not introduced new false positives on legitimate software.

Question 37. Which of the following is a common indicator of a rootkit’s presence?
A) Unusual network traffic to known C&C servers.
B) Hidden processes that do not appear in standard task lists.
C) Large numbers of temporary files in %TEMP%.
D) Frequent pop-up advertisements.
Answer: B
Explanation: Rootkits hide their processes and files from standard system utilities, making them difficult to detect.
Question 38. In the context of anti-malware, “entropy” is used to measure:
A) The randomness of a file’s data, indicating possible encryption or packing.
B) The number of API calls made by a process.
C) The speed of the scanning engine.
D) The frequency of user-initiated scans.
Answer: A
Explanation: High entropy suggests compressed or encrypted content, a typical characteristic of packed malware.

Question 39. Which of the following best describes “adware”?
A) Malware that encrypts files for ransom.
B) Software that displays unwanted advertisements, often bundled with legitimate programs.
C) A type of rootkit that modifies the boot sector.
D) Spyware that records keystrokes.
Answer: B
Explanation: Adware’s primary function is to deliver ads, sometimes without user consent, and is generally less destructive than other malware types.

Question 40. A sandbox that records API calls, file modifications, and network connections is primarily used for:
A) Generating static signatures.
B) Dynamic behavioral analysis.
C) Accelerating real-time scanning.
D) Creating hash databases.
Answer: B
Explanation: Monitoring these runtime actions provides insight into malicious behavior, enabling detection of previously unknown threats.
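Questions 10, 11 and 38 all touch the same static triage step: a scanner hashes a file to get its signature-database identifier (SHA-256) and measures the entropy of its bytes to spot packing or encryption. The following is an added worked example, not part of the exam or of any AV product; the 7.0 bits-per-byte threshold, the 1024-byte window, the "more than half of the windows" rule and the two constructed sample blobs (a plain-text stand-in for a normal binary and a seeded-random stand-in for a packed section) are assumptions chosen for illustration. The per-window scan goes slightly beyond the question: a packed executable usually has a small low-entropy loader stub followed by a large high-entropy blob, so the distribution of entropy across the file is more telling than one global number.

```python
import hashlib
import math
import random
from collections import Counter

# Heuristic threshold in bits per byte above which data looks compressed or
# encrypted. 7.0 is a common rule of thumb, not a standard (assumption).
PACKED_ENTROPY_THRESHOLD = 7.0
WINDOW = 1024  # bytes per window for the region scan (assumption)

# Constructed samples, not real files: a low-entropy "normal" binary stand-in
# (DOS stub text repeated) and a "packed" stand-in whose body is seeded
# pseudo-random bytes, so results are deterministic.
PLAIN_SAMPLE = b"MZ" + b"\x00" * 62 + b"This program cannot be run in DOS mode.\r\n" * 100
_rng = random.Random(1337)
PACKED_SAMPLE = PLAIN_SAMPLE[:1024] + bytes(_rng.getrandbits(8) for _ in range(8192))


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the whole file: the identifier a signature database keys on."""
    return hashlib.sha256(data).hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def high_entropy_windows(data: bytes, window: int = WINDOW,
                         threshold: float = PACKED_ENTROPY_THRESHOLD) -> list:
    """Offsets of fixed-size windows whose entropy exceeds the threshold."""
    return [off for off in range(0, len(data), window)
            if shannon_entropy(data[off:off + window]) > threshold]


def triage(data: bytes, threshold: float = PACKED_ENTROPY_THRESHOLD) -> dict:
    """Combine the file identifier with the entropy heuristics into one record.

    likely_packed is set when more than half of the windows are high-entropy,
    which tolerates a low-entropy stub in front of a packed body.
    """
    windows = high_entropy_windows(data, threshold=threshold)
    total = max(1, math.ceil(len(data) / WINDOW))
    fraction = len(windows) / total
    return {
        "sha256": sha256_hex(data),
        "entropy": round(shannon_entropy(data), 3),
        "high_entropy_fraction": round(fraction, 3),
        "first_high_entropy_offset": windows[0] if windows else None,
        "likely_packed": fraction > 0.5,
    }


if __name__ == "__main__":
    for label, blob in (("plain", PLAIN_SAMPLE), ("packed", PACKED_SAMPLE)):
        print(label, triage(blob))
```

Running the block prints a triage record for each constructed sample; the plain stand-in has an entropy around 4 bits per byte and no high-entropy windows, while the packed stand-in is flagged with its first high-entropy window at offset 1024, right after the stub. In a real engine the entropy verdict is only a hint that the file deserves unpacking or dynamic analysis (Question 11): legitimate installers and compressed resources are high-entropy too, so treating entropy alone as a detection would raise false positives.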
Explanation: Recursive extraction allows detection of malicious payloads hidden within layers while depth limits prevent resource abuse.

Question 44. Which of the following best describes a “zero-day” exploit?
A) A vulnerability that is publicly disclosed and patched.
B) An attack that uses a previously unknown vulnerability.
C) Malware that only targets outdated operating systems.
D) A signature that expires after a day.
Answer: B
Explanation: Zero-day exploits target vulnerabilities that have not yet been addressed by vendors, making them especially dangerous.

Question 45. The “out-of-the-box” configuration requirement for VB100 testing ensures that:
A) The product is evaluated with custom user settings.
B) Default settings are used, reflecting typical end-user deployments.
C) All optional components are disabled.
D) The OS is pre-patched with the latest updates.
Answer: B
Explanation: Testing with default settings guarantees that the product works correctly without additional tuning.

Question 46. Which of the following is a common side effect of aggressive heuristic scanning?
A) Improved scan speed.
B) Increased false positive rate.
C) Reduced memory usage.
D) Elimination of all unknown malware.
Answer: B
Explanation: Aggressive heuristics may flag benign behavior as suspicious, leading to more false positives.

Question 47. A “sandbox escape” refers to:
A) A malware sample that fails to run inside the sandbox.
B) Malware that detects the sandbox and terminates.
C) Malware that breaks out of the isolated environment and impacts the host system.
D) An AV feature that disables sandboxing.
Answer: C
Explanation: Sandbox escape techniques allow malicious code to bypass isolation and affect the real operating system.

Question 48. Which of the following is a primary benefit of using a “trust cache” in an AV engine?
A) Storing known malicious hashes for quick lookup.
B) Remembering files that have been previously scanned and found clean, reducing re-scanning.
C) Encrypting all scanned files.
D) Blocking all network connections during a scan.
Answer: B
Explanation: A trust cache speeds up subsequent scans by skipping files already verified as safe.

Question 49. The term “adversarial attack” in the context of ML-based malware detection means:
A) An attacker physically damages the AV hardware.
B) Manipulating malware features to cause the model to misclassify it as benign.
A) Software that displays unwanted advertisements.
B) Software that records user activity and transmits it to a remote server.
C) Software that encrypts files for ransom.
D) Software that modifies the boot sector.
Answer: B
Explanation: Spyware covertly gathers information such as keystrokes, browsing habits, or credentials and sends them to attackers.

Question 53. In the context of AV testing, a “false negative” is defined as:
A) A legitimate file flagged as malicious.
B) A malware sample that is not detected.
C) A detection that occurs only in the cloud.
D) An alert that is suppressed by the user.
Answer: B
Explanation: False negatives represent missed detections, allowing malware to remain undetected.

Question 54. Which of the following is a typical characteristic of “fileless” attacks that makes them hard to detect with traditional signature scanners?
A) They use encrypted payloads stored on disk.
B) They execute code directly from memory using legitimate system tools.
C) They rely on large executable files.
D) They embed malicious code in image files.
Answer: B
Explanation: Fileless attacks avoid writing malicious files, leveraging tools like PowerShell to run code in memory, bypassing file-based signatures.
Question 55. The primary purpose of “behavioral whitelisting” in an AV product is to:
A) Block all unknown processes.
B) Allow known good applications to run without monitoring, reducing false positives.
C) Delete all unknown files automatically.
D) Encrypt all network traffic.
Answer: B
Explanation: Whitelisting trusted applications reduces unnecessary alerts and performance overhead.

Question 56. When an AV engine encounters an unsupported file format during scanning, the best practice is to:
A) Delete the file immediately.
B) Mark the file as “unknown” and continue scanning other files.
C) Crash the scanning process.
D) Convert the file to a supported format automatically.
Answer: B
Explanation: Gracefully handling unsupported files prevents crashes and ensures the rest of the system is still scanned.

Question 57. Which of the following is a common technique used by malware to evade sandbox detection?
A) Checking for the presence of a debugger.
B) Increasing CPU usage.
C) Downloading updates from a trusted server.
D) Writing logs to the event viewer.
Answer: A
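Questions 27, 28, 43 and 56 describe four requirements of one component: an archive scanner that unpacks nested archives to find hidden payloads, but caps recursion depth, refuses zip-bomb expansion, and keeps going when a member is corrupt or in a format it cannot read. The following is an added worked example written for this page, not code from the exam or from any AV engine; the limits (depth 2, 1 MiB total expansion, 100:1 compression ratio), the function names and the constructed test archive (a text file, a 5 MiB run of zeros that deflates to a few kilobytes, a member with a ZIP signature but garbage behind it, and three levels of nested ZIPs) are assumptions chosen to exercise each case.

```python
import io
import zipfile
import zlib
from dataclasses import dataclass, field

MAX_DEPTH = 2                       # how many archives inside archives we descend (assumption)
MAX_TOTAL_BYTES = 1 * 1024 * 1024   # total decompressed budget per scan (assumption)
MAX_RATIO = 100                     # declared uncompressed/compressed ratio that counts as a bomb
CHUNK = 64 * 1024
ZIP_SIGNATURE = b"PK\x03\x04"


@dataclass
class ScanReport:
    read: list = field(default_factory=list)     # (path, size): content available to the signature engine
    skipped: list = field(default_factory=list)  # (path, reason): never fully decompressed
    total_bytes: int = 0


def _read_bounded(zf, info, budget):
    """Decompress a member in chunks, giving up once the real size exceeds the budget.

    The header's file_size can lie, so the actual byte count is enforced too.
    """
    buf = io.BytesIO()
    with zf.open(info) as fh:
        while True:
            chunk = fh.read(CHUNK)
            if not chunk:
                return buf.getvalue()
            if buf.tell() + len(chunk) > budget:
                return None
            buf.write(chunk)


def scan_archive(data, report=None, depth=0, prefix=""):
    """Walk a ZIP held in memory, recursing into nested ZIPs within the limits above."""
    if report is None:
        report = ScanReport()
    label = prefix.rstrip("/") or "<root>"
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        report.skipped.append((label, "corrupt_or_unsupported"))  # Q28/Q56: record and move on
        return report
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            # Q27: a declared expansion ratio far above normal is treated as a zip bomb.
            if info.compress_size and info.file_size / info.compress_size > MAX_RATIO:
                report.skipped.append((path, "suspicious_ratio"))
                continue
            if report.total_bytes + info.file_size > MAX_TOTAL_BYTES:
                report.skipped.append((path, "size_limit"))
                continue
            try:
                payload = _read_bounded(zf, info, MAX_TOTAL_BYTES - report.total_bytes)
            except (zipfile.BadZipFile, zlib.error, EOFError, RuntimeError, NotImplementedError):
                report.skipped.append((path, "read_error"))  # bad data, encrypted or unsupported method
                continue
            if payload is None:
                report.skipped.append((path, "size_limit"))
                continue
            report.total_bytes += len(payload)
            report.read.append((path, len(payload)))
            if payload.startswith(ZIP_SIGNATURE):
                if depth + 1 > MAX_DEPTH:
                    report.skipped.append((path, "depth_exceeded"))  # Q43: stop descending
                else:
                    scan_archive(payload, report, depth + 1, path + "/")
    return report


def make_zip(members):
    """Build an in-memory ZIP from {name: bytes} (test fixture helper)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_fixture():
    """Constructed sample archive covering each limit; contains no real malware."""
    deepest = make_zip({"deep.txt": b"reached depth 3"})
    nested2 = make_zip({"nested3.zip": deepest})
    nested1 = make_zip({"nested2.zip": nested2})
    return make_zip({
        "readme.txt": b"legitimate document",
        "bomb.bin": b"\x00" * (5 * 1024 * 1024),            # deflates ~1000:1
        "broken.zip": ZIP_SIGNATURE + b"\xff" * 64,          # looks like a ZIP, is not one
        "nested1.zip": nested1,
    })


if __name__ == "__main__":
    result = scan_archive(build_fixture())
    print("read:", result.read)
    print("skipped:", result.skipped)
```

The report separates what the signature engine actually got to see from what was refused and why, which is what a quarantine or alerting layer needs: a "suspicious_ratio" or "depth_exceeded" entry is itself worth surfacing, since a legitimate document archive rarely hits either limit. Note that the ratio check runs on header-declared sizes before any decompression, while the bounded read protects against headers that understate the real size.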
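Questions 3, 14, 40 and 57 are all about the runtime side of detection: a sandbox or HIPS records API calls, file writes, registry changes and network connections, and the analyst (or engine) turns that event stream into indicators, including the anti-analysis check in Question 57 and the Startup-folder and Run-key persistence in Question 3. The following is an added worked example for this page, not code from the exam or from any sandbox product; the JSON-lines event format, the two sample processes, the indicator weights and the verdict threshold are assumptions, and the remote address is an RFC 5737 documentation address. Private-range matching is done with explicit networks rather than ipaddress's is_private, because that property also classifies documentation ranges as private.

```python
import ipaddress
import json

# Constructed sandbox event log (JSON lines), not a real capture. Paths and API
# names follow common Windows conventions; 203.0.113.7 is a documentation address.
SAMPLE_EVENTS = r"""
{"pid": 1204, "api": "IsDebuggerPresent"}
{"pid": 1204, "api": "CreateFileW", "path": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\updater.lnk"}
{"pid": 1204, "api": "RegSetValueExW", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "value": "updater"}
{"pid": 1204, "api": "connect", "dst": "203.0.113.7:443"}
{"pid": 3300, "api": "CreateFileW", "path": "C:\\Users\\alice\\Documents\\report.docx"}
{"pid": 3300, "api": "connect", "dst": "127.0.0.1:8080"}
""".strip()

DEBUGGER_CHECK_APIS = {"IsDebuggerPresent", "CheckRemoteDebuggerPresent"}
STARTUP_MARKER = "\\start menu\\programs\\startup\\"   # Q3: Startup folder persistence
RUN_KEY_SUFFIX = "\\currentversion\\run"               # Q3: Registry Run key persistence
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]

# Indicator weights and the score at which a process is called suspicious (assumptions).
WEIGHTS = {
    "anti_analysis_debugger_check": 2,
    "persistence_startup_folder": 3,
    "persistence_run_key": 3,
    "network_external_connect": 1,
}
SUSPICIOUS_SCORE = 4


def is_external(dst: str) -> bool:
    """True when the destination is outside loopback/link-local/RFC 1918 space."""
    host = dst.rsplit(":", 1)[0]
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return True  # a hostname rather than an address: treat as external (assumption)
    return not any(ip in net for net in INTERNAL_NETS)


def indicators_for(event: dict) -> list:
    """Map one recorded event to zero or more named indicators."""
    api = event.get("api", "")
    found = []
    if api in DEBUGGER_CHECK_APIS:
        found.append("anti_analysis_debugger_check")          # Q57
    if api == "CreateFileW" and STARTUP_MARKER in event.get("path", "").lower():
        found.append("persistence_startup_folder")
    if api == "RegSetValueExW" and event.get("key", "").lower().endswith(RUN_KEY_SUFFIX):
        found.append("persistence_run_key")
    if api == "connect" and is_external(event.get("dst", "")):
        found.append("network_external_connect")
    return found


def analyze(log_text: str) -> dict:
    """Score each process from its events; malformed lines are skipped, not fatal."""
    results = {}
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        rec = results.setdefault(event.get("pid", -1), {"indicators": [], "score": 0})
        for name in indicators_for(event):
            if name not in rec["indicators"]:      # count each indicator once per process
                rec["indicators"].append(name)
                rec["score"] += WEIGHTS[name]
    for rec in results.values():
        rec["verdict"] = "suspicious" if rec["score"] >= SUSPICIOUS_SCORE else "benign"
    return results


if __name__ == "__main__":
    for pid, rec in analyze(SAMPLE_EVENTS).items():
        print(pid, rec)
```

On the constructed log, process 1204 collects all four indicators (score 9, "suspicious") while 3300, which only writes a document and talks to loopback, scores 0. Weighting and de-duplicating indicators per process is what keeps a single external connection from tripping the verdict on its own, which is the false-positive concern Questions 46 and 55 raise; a real engine would also consult its whitelist before scoring a known-good process at all.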