Malware Types & Threat Mitigation
Key Takeaways
- Know the spread mechanism, not just the name: viruses need a host file and user action, worms self-replicate across networks with no user action, and trojans rely on the user installing disguised software.
- Ransomware response is disconnect first, never pay, restore from offline/immutable backups, and check nomoreransom.org — paying funds crime and does not guarantee recovery.
- CompTIA's best-practice malware removal sequence is the seven-step procedure: identify symptoms, quarantine, disable System Restore, remediate (update + scan), schedule scans, re-enable System Restore, then educate the user.
- Rootkits and boot-sector infections hide below the OS, so standard antimalware may miss them; remediate with offline/bootable scanners or, in severe cases, a clean OS reinstall.
- Phishing scales from broad blasts to spear phishing (specific person) to whaling (executives); voice (vishing) and SMS (smishing) variants are tested heavily.
Malware Taxonomy
The 220-1202 exam rewards knowing how each malware type spreads and what makes it distinct, because scenario questions describe symptoms rather than naming the threat.
| Type | Distinguishing trait | Spread |
|---|---|---|
| Virus | Attaches to a host file; runs when the file is opened | Requires user action |
| Worm | Self-replicates and propagates on its own | Network exploit, no user action |
| Trojan | Disguised as useful software (a 'free' utility) | User installs it willingly |
| Ransomware | Encrypts files, demands payment for a key | Phishing, exploit kits, RDP |
| Spyware | Silently collects browsing/credentials | Bundled installers |
| Keylogger | Records every keystroke | Trojan or physical USB inline device |
| Rootkit | Hides in OS/firmware below detection | Bundled with other malware |
| Cryptominer | Steals CPU/GPU cycles to mine cryptocurrency | Malicious sites, bundles |
| Botnet zombie | Remote-controlled host in an army | Worms, trojans |
| Fileless | Lives in memory via PowerShell/macros | No file on disk to scan |
Symptom-to-type mappings the exam loves:
- Fans spinning and CPU pinned at 100% on an idle machine: cryptominer.
- Files renamed with a strange extension plus a ransom note: ransomware.
- The machine emails contacts on its own and spreads with no clicks: worm.
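The two symptom patterns a technician can check mechanically (a CPU hog on an idle host, and a wave of files renamed to one unfamiliar extension next to a ransom note) can be turned into a small triage function. The PowerShell below is an added example, not part of the study guide; the process and file snapshot it runs on is constructed, and the CPU threshold, minimum file count and "known extension" list are assumptions to tune per fleet.

```powershell
# Added example, not part of the study guide: a triage function that applies the
# exam's symptom-to-type mapping to a snapshot of processes and file names.
# The snapshot below is constructed; thresholds and the known-extension list are
# assumptions to tune for a real fleet.

function Get-MalwareTriage {
    param(
        # Objects with Name and CpuPercent properties (a sampled % of CPU).
        [Parameter(Mandatory)] [object[]] $Processes,
        # Bare file names from a user data folder (Get-ChildItem -File -Name).
        [Parameter(Mandatory)] [string[]] $FileNames,
        [int] $CpuThreshold = 90,
        [int] $MinSuspectFiles = 5
    )
    $findings = [System.Collections.Generic.List[string]]::new()

    # Cryptominer heuristic: the host is supposed to be idle, yet one process
    # holds the CPU at or above the threshold.
    foreach ($p in ($Processes | Where-Object { $_.CpuPercent -ge $CpuThreshold })) {
        $findings.Add("Possible cryptominer: '$($p.Name)' at $($p.CpuPercent)% CPU on an idle host")
    }

    # Ransomware heuristic: group files by their last extension, look for an
    # unfamiliar extension shared by many files, and require a ransom-note file.
    $knownExt = 'docx', 'xlsx', 'pptx', 'pdf', 'jpg', 'png', 'txt', 'csv'
    $groups = $FileNames |
        Where-Object { $_ -match '\.[A-Za-z0-9]+$' } |
        Group-Object { [System.IO.Path]::GetExtension($_).TrimStart('.').ToLower() }
    $oddGroups = $groups | Where-Object {
        ($knownExt -notcontains $_.Name) -and ($_.Count -ge $MinSuspectFiles)
    }
    $notes = $FileNames | Where-Object {
        $_ -match '(?i)(readme|how[_ -]?to|recover|decrypt|restore).*\.(txt|html|hta)$'
    }
    if ($oddGroups -and $notes) {
        foreach ($g in $oddGroups) {
            $findings.Add("Possible ransomware: $($g.Count) files now end in .$($g.Name); note file(s): $($notes -join ', ')")
        }
    }
    return $findings
}

# Constructed snapshot of a workstation that should be idle.
$sampleProcesses = @(
    [pscustomobject]@{ Name = 'explorer.exe';     CpuPercent = 1 }
    [pscustomobject]@{ Name = 'svchost.exe';      CpuPercent = 2 }
    [pscustomobject]@{ Name = 'updatehelper.exe'; CpuPercent = 97 }   # placeholder name for the CPU hog
)
$sampleFiles = @(
    'budget.xlsx.lockedzz', 'q3-report.docx.lockedzz', 'photo1.jpg.lockedzz',
    'photo2.jpg.lockedzz', 'invoice.pdf.lockedzz', 'notes.txt',
    'README_TO_DECRYPT.txt'                                            # placeholder note name
)

Get-MalwareTriage -Processes $sampleProcesses -FileNames $sampleFiles
```

On a live host, feed `-FileNames` from `Get-ChildItem -Path $env:USERPROFILE\Documents -File -Name` and build the process objects from a sampled `\Process(*)\% Processor Time` counter (`Get-Process` alone reports cumulative CPU seconds, not a percentage). The function only reports; it deliberately does not kill processes or delete files, because those belong to the remediation step after the symptoms have been verified.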
Social Engineering
People are the cheapest exploit. Match the attack to its channel:
| Attack | Description |
|---|---|
| Phishing | Mass fake email impersonating a trusted brand |
| Spear phishing | Phishing aimed at one named individual |
| Whaling | Spear phishing targeting executives (CEO/CFO fraud) |
| Vishing | Voice/phone phishing |
| Smishing | SMS/text phishing |
| Shoulder surfing | Watching a screen/keypad as someone types |
| Tailgating / piggybacking | Following someone through a secure door |
| Dumpster diving | Mining trash for sensitive paper/media |
| Evil twin | Rogue Wi-Fi AP cloning a real SSID |
| Pretexting | Inventing a believable cover story |
| Impersonation | Posing as IT, vendor, or executive |
| Baiting | Dropping malware-laden USB drives to be found |
Exam tip: "CEO emails accounting at 4:55 pm demanding an urgent wire transfer" is whaling/business email compromise, not generic phishing, because it targets a high-value role.
Detection Tools and the Seven-Step Removal Procedure
| Tool | Use |
|---|---|
| Windows Security (Defender) | Built-in real-time protection and scans |
| Autoruns (Sysinternals) | Lists every auto-start entry, beyond msconfig |
| Process Explorer | Inspect processes with VirusTotal lookups |
| Task Manager / Resource Monitor | Spot runaway CPU/network use |
| Recovery Environment (WinRE) | Offline scanning/repair |
CompTIA tests its canonical best-practice malware removal procedure, and order matters on the exam:
1. Investigate and verify malware symptoms.
2. Quarantine the infected system: disconnect it from the network.
3. Disable System Restore (Windows) so malware cannot hide in restore points.
4. Remediate: update antimalware definitions, then scan and remove (from Safe Mode or bootable media if needed).
5. Schedule scans and run updates to confirm the system is clean.
6. Re-enable System Restore and create a fresh, clean restore point.
7. Educate the end user about how the infection happened.
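The middle of the sequence (quarantine through the fresh restore point) maps onto built-in Windows cmdlets. The script below is an added example, not CompTIA's or Microsoft's code; it assumes a host running Microsoft Defender, an elevated Windows PowerShell 5.1 session (`Checkpoint-Computer` and the `*-ComputerRestore` cmdlets are not available in PowerShell 7), a system drive of `C:`, and that definitions can be fetched over a briefly re-enabled adapter or from a staged update package.

```powershell
# Added example, not from the study guide: steps 2-6 of CompTIA's removal
# sequence on a Defender-protected Windows host, from elevated Windows
# PowerShell 5.1. Assumptions: system drive C:, and definitions reachable either
# over a briefly re-enabled adapter or from a staged package. Step 1 (verify
# symptoms) and step 7 (educate the user) are human tasks and stay outside it.

$SystemDrive = 'C:\'

# Step 2: Quarantine. Record which adapters were up so they can be restored
# later, then take all of them down before touching anything else.
$upAdapters = Get-NetAdapter | Where-Object Status -eq 'Up'
$upAdapters | Disable-NetAdapter -Confirm:$false

# Step 3: Disable System Restore so an infected restore point cannot be rolled
# back onto the cleaned machine later.
Disable-ComputerRestore -Drive $SystemDrive

# Step 4: Remediate. Make sure real-time protection is on, refresh definitions
# (the one step that needs the network or a staged package), then run a full
# scan. Use Safe Mode or WinRE/bootable media instead if the malware keeps the
# scanner from running here.
Set-MpPreference -DisableRealtimeMonitoring $false
Update-MpSignature
Start-MpScan -ScanType FullScan

# Anything the scan could not remove means the host is not clean; fall back to
# an offline scan or a reinstall rather than continuing to step 5.
Get-MpThreatDetection |
    Select-Object InitialDetectionTime, ProcessName, ActionSuccess |
    Format-Table -AutoSize

# Step 5: Schedule recurring full scans and automatic definition checks.
Set-MpPreference -ScanParameters FullScan -ScanScheduleDay Everyday -ScanScheduleTime '02:00'
Set-MpPreference -SignatureUpdateInterval 4        # check for definitions every 4 hours

# Step 6: Re-enable System Restore and create a fresh, known-clean restore point.
Enable-ComputerRestore -Drive $SystemDrive
Checkpoint-Computer -Description 'Post-remediation clean baseline' -RestorePointType MODIFY_SETTINGS

# Only now reconnect the host.
$upAdapters | Enable-NetAdapter -Confirm:$false
```

Two practical notes: Windows creates at most one restore point per 24 hours by default, so `Checkpoint-Computer` may silently skip if one was made earlier that day; and `Update-MpSignature` fails on a fully isolated host, which is why the quarantine and update steps are usually reconciled with a staged definition package or a short, supervised reconnect.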
Ransomware Special Case
- Disconnect from the network first to stop encryption of mapped shares.
- Do NOT pay: payment is unreliable and funds criminals; in the US, report the incident to the FBI's IC3.
- Restore from offline/immutable backups; check nomoreransom.org for free decryptors.
Rootkit / Boot-Sector Special Case
Standard scanners run inside the compromised OS and may be blinded. Use a bootable rescue/offline scanner or WinRE; if integrity cannot be verified, wipe and reinstall the OS from trusted media. After any reinstall, restore data from backup and reapply patches before reconnecting.
Anti-Malware Best Practices and Browser Hardening
Prevention beats remediation, and the exam expects you to recommend layered defenses rather than a single product. The pillars are: keep definitions and the engine auto-updating, leave real-time protection enabled, run scheduled full scans, patch the OS and applications promptly, and back up to offline or immutable storage so ransomware cannot reach it.
Browsers are a primary infection channel, so know these threats and their fixes:
| Browser threat | Symptom | Fix |
|---|---|---|
| Malicious extension | Injected ads, hijacked search, data theft | Install only from official stores; review permissions |
| Pop-up / redirect | Endless tabs to scam pages | Enable the pop-up blocker; keep the browser updated |
| Drive-by download | A file downloads merely from visiting a site | Patch the browser and plugins; use a content blocker |
| Browser hijack | Homepage/search changed without consent | Reset browser settings; run antimalware |
| Rogue certificate prompt | Constant TLS warnings | Do not proceed; investigate the site |
Two end-user habits prevent most browser infections: only install software from trusted, official sources, and never disable security warnings to make a download work. On managed fleets, technicians push these as policy — forced auto-update, an allow-list of extensions, and SmartScreen/reputation filtering turned on.
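The three policy controls named above (forced auto-update, an extension allow-list, and SmartScreen on) can be expressed as local policy for Microsoft Edge by writing the registry values that Edge and Edge Update read. This PowerShell is an added example, not from the study guide; it assumes Edge is the managed browser, that the policy names match Microsoft's current Edge policy reference (check before deploying), an elevated session, and a placeholder extension ID. On a domain the same values are normally delivered by GPO or Intune rather than written by hand.

```powershell
# Added example, not from the study guide: the browser-hardening policy trio
# (auto-update, extension allow-list, SmartScreen/reputation filtering) as local
# registry policy for Microsoft Edge. Assumptions: Edge is the managed browser,
# policy names per Microsoft's Edge policy reference, elevated session, and the
# extension ID below is a placeholder to replace with a vetted extension's ID.

$edge       = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
$edgeUpdate = 'HKLM:\SOFTWARE\Policies\Microsoft\EdgeUpdate'
$allowedExtensions = @('PLACEHOLDER_EXTENSION_ID')   # e.g. the fleet's approved password manager

foreach ($key in $edge, "$edge\ExtensionInstallBlocklist", "$edge\ExtensionInstallAllowlist", $edgeUpdate) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
}

# 1. Forced auto-update: UpdateDefault = 1 always allows updates (automatic and
#    on demand), so an old, exploitable build cannot linger on the endpoint.
Set-ItemProperty -Path $edgeUpdate -Name 'UpdateDefault' -Type DWord -Value 1

# 2. Extension allow-list: block everything ("*"), then list the exceptions.
#    Users can no longer install an ad injector or search hijacker, from the
#    store or by side-loading.
Set-ItemProperty -Path "$edge\ExtensionInstallBlocklist" -Name '1' -Type String -Value '*'
$i = 1
foreach ($id in $allowedExtensions) {
    Set-ItemProperty -Path "$edge\ExtensionInstallAllowlist" -Name "$i" -Type String -Value $id
    $i++
}

# 3. SmartScreen and PUA filtering on, pop-ups blocked, and the warning prompts
#    made non-overridable so a user cannot click through to "make a download work".
Set-ItemProperty -Path $edge -Name 'SmartScreenEnabled'                      -Type DWord -Value 1
Set-ItemProperty -Path $edge -Name 'SmartScreenPuaEnabled'                   -Type DWord -Value 1
Set-ItemProperty -Path $edge -Name 'PreventSmartScreenPromptOverride'        -Type DWord -Value 1
Set-ItemProperty -Path $edge -Name 'PreventSmartScreenPromptOverrideForFiles' -Type DWord -Value 1
Set-ItemProperty -Path $edge -Name 'DefaultPopupsSetting'                    -Type DWord -Value 2   # 2 = block

# Verify: read the values back; Edge itself lists applied policies at edge://policy.
Get-ItemProperty -Path $edge |
    Select-Object SmartScreenEnabled, SmartScreenPuaEnabled, PreventSmartScreenPromptOverride, DefaultPopupsSetting
```

The blocklist-then-allowlist order matters: `*` in the blocklist is what turns the allow-list into a true allow-list, and without it the allow-list entries merely exempt those IDs from a blocklist that blocks nothing.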
Spam and rogue antivirus trap: a pop-up screaming "Your PC is infected — call this number" is itself the attack (scareware/rogue antivirus). The correct response is to close it without clicking, never call the number, and scan with the legitimate, already-installed antimalware tool.
Document the incident in the ticketing system, note the root cause, and feed it back into user training — the seventh removal step exists because the same user clicking the same kind of link is the most common cause of reinfection.
Review Questions
- Which malware type self-replicates and spreads across a network with NO user interaction?
- Following CompTIA's best-practice malware removal procedure, what should you do immediately AFTER quarantining the infected system?
- A workstation is idle yet its fans run at full speed and the GPU sits at 100% utilization. Which threat best fits these symptoms?
- Match each social engineering attack to its description: