CCNA PC Security Issue Remediation Questions

30 questions · PC Security Issue Remediation topic · All types, answers revealed

1
MCQ · easy

A user calls the help desk saying they cannot log into their Windows 10 workstation because a message claims their files are encrypted and they must pay a ransom. What is the most effective remediation approach?

A. Pay the ransom to get the decryption key
B. Reboot into Safe Mode and run a malware scan
C. Disconnect from the network and restore files from a verified backup
D. Run System Restore to a point before the attack
Answer: C

This isolates the infection and recovers the data without paying, following best practices for ransomware remediation.

Why this answer

Option C is correct because ransomware encrypts files with a key held only by the attacker, so recovering them without that key is infeasible (the exceptions are families with known flaws for which a public decryptor exists). Disconnecting from the network stops the ransomware from reaching shares and other hosts, and restoring from a verified backup, onto a machine that has been cleaned or reimaged first, is the only reliable way to get the original files back without paying.

Exam trap

CompTIA often tests the misconception that removing the malware (via Safe Mode or System Restore) will undo the encryption, when in fact encryption is a cryptographic operation that persists after the malware is gone.

How to eliminate wrong answers

Option A is wrong because paying does not guarantee a working decryption key, marks the organisation as a payer, and funds further criminal activity. Option B is wrong because a Safe Mode scan can remove the ransomware executable but cannot decrypt files that are already encrypted; removal is still needed before restoring, it just does not recover data. Option D is wrong because System Restore reverts system files and registry settings, not user documents, so the encrypted files are untouched; in practice ransomware also deletes restore points and shadow copies (for example with vssadmin) before encrypting, so the restore point is usually gone as well.

2
MCQ · easy

A user calls the help desk saying their PC suddenly displays a ransom note demanding payment in Bitcoin to unlock their files. They cannot open any documents or images. What is the first action you should take?

A. Pay the ransom to get the decryption key.
B. Run a full antivirus scan immediately.
C. Disconnect the PC from the network.
D. Restore files from a recent backup without disconnecting.
Answer: C

Disconnecting stops the ransomware from encrypting network drives and contacting its command server, limiting damage.

Why this answer

The correct first action is to disconnect the PC from the network (Option C). This immediately isolates the infected system, preventing the ransomware from communicating with its command-and-control (C2) server to exfiltrate data or encrypt additional network shares. It also stops the ransomware from spreading laterally to other devices on the same LAN, which is critical for containment before any remediation steps are taken.

Exam trap

CompTIA often tests the principle of 'containment before eradication' — the trap here is that candidates may jump to scanning (Option B) or backup restoration (Option D) without first isolating the system, which would allow the ransomware to continue spreading or re-encrypting files during those actions.

How to eliminate wrong answers

Option A is wrong because paying the ransom does not guarantee you will receive a working decryption key, and it encourages further criminal activity; law enforcement and security best practices strongly advise against paying. Option B is wrong because running a full antivirus scan while the PC is still connected to the network allows the ransomware to continue communicating with its C2 server and potentially encrypt more files or spread to other systems; containment must come first. Option D is wrong because restoring files from a backup without first disconnecting the network risks re-infection if the backup media is still accessible over the network or if the ransomware is still active and can immediately re-encrypt the restored files.

3
MCQ · hard

A company's security policy requires that all USB storage devices be blocked on company workstations to prevent data exfiltration. A manager needs to temporarily use a USB drive for a presentation. What is the best way to remediate this while maintaining security?

A. Disable the USB blocking Group Policy for the entire domain
B. Use a Group Policy to allow only the specific USB device by hardware ID, then remove the allowance after use
C. Give the manager a company-approved USB drive and tell them to use it only once
D. Create a local admin account on the manager's workstation and disable the USB block locally
Answer: B

This maintains security by only allowing a known device, and you can revert the policy afterward.

Why this answer

Group Policy can block USB storage by default and carve out an exception for a specific device by hardware or compatible ID (Device Installation Restrictions, "Allow installation of devices that match any of these device IDs"). The right approach is to grant that one device access through a policy scoped to the manager's machine, confirm it works, then remove the exception and verify the block is back. Two caveats a practitioner should know: installation restrictions only affect devices that are not yet installed, so a stick that was ever plugged in before the block stays usable; and if the block was implemented with Removable Storage Access ("Removable Disks: Deny all access") there is no per-device allow list, so the exception has to be a separately scoped policy rather than an edit to the domain-wide one. Options A and D are worse because they remove the control from every machine or hand the manager a standing local-admin bypass; option C still leaves the approved drive blocked by the policy.
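The allow-list exception from option B, scripted as an added example (not part of the original question bank) against the registry values the Device Installation Restrictions GPO writes on the client. The approved device ID string is hypothetical; read the real one from the first step. Run elevated.

```powershell
# Added example, not from the original page. Identify a single USB storage device and permit
# only that device while unlisted devices stay blocked. In a domain the same values come from
#   Computer Configuration > Policies > Administrative Templates > System >
#   Device Installation > Device Installation Restrictions
# scoped to the manager's workstation; the registry path below is where that GPO lands on the client.

# 1. With the approved stick plugged in, read the IDs the policy will be matched against.
Get-PnpDevice -PresentOnly -Class DiskDrive |
    Where-Object InstanceId -like 'USBSTOR\*' |
    ForEach-Object {
        [pscustomobject]@{
            Name        = $_.FriendlyName
            InstanceId  = $_.InstanceId
            HardwareIds = (Get-PnpDeviceProperty -InstanceId $_.InstanceId -KeyName 'DEVPKEY_Device_HardwareIds').Data -join '; '
        }
    }

# 2. Default-deny with an allow list. The allow list is only honoured together with
#    "Prevent installation of devices not described by other policy settings" (DenyUnspecified);
#    it does NOT override "Prevent installation of removable devices", which wins over every allow.
#    DenyUnspecified blocks every new device of any kind, so in production it is paired with
#    AllowDeviceClasses entries for keyboards, mice and displays.
$pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
New-Item -Path "$pol\AllowDeviceIDs" -Force | Out-Null
Set-ItemProperty -Path $pol -Name DenyUnspecified -Value 1 -Type DWord
Set-ItemProperty -Path $pol -Name AllowDeviceIDs  -Value 1 -Type DWord
# Hypothetical hardware ID for the approved stick; paste the value from step 1.
$approvedId = 'USBSTOR\DiskExampleCoDataStick______1.00'
Set-ItemProperty -Path "$pol\AllowDeviceIDs" -Name '1' -Value $approvedId -Type String
# Restrictions bind administrators too unless AllowAdminInstall=1, which would defeat the control.

# 3. After the presentation: remove the exception so the default block is back in force.
Remove-ItemProperty -Path "$pol\AllowDeviceIDs" -Name '1'
Set-ItemProperty -Path $pol -Name AllowDeviceIDs -Value 0 -Type DWord
gpupdate /force
```

Installation restrictions only govern devices Windows has not installed yet: a stick that was plugged into that machine before the block is already installed and keeps working regardless of the allow list, which is why many shops implement the block with Removable Storage Access denies instead and why the exception above should be verified, not assumed.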

4
MCQ · medium

During a routine security audit, you find that several workstations have the same local administrator password. The company policy requires unique passwords for each machine. Which tool or method should you use to enforce unique local administrator passwords across the domain?

A. Use Group Policy to set a standard local admin password.
B. Enable BitLocker on each workstation.
C. Deploy Microsoft LAPS (Local Administrator Password Solution).
D. Disable the local administrator account on all workstations.
Answer: C

LAPS automatically manages unique local admin passwords and stores them securely in AD, meeting the policy requirement.

Why this answer

Microsoft LAPS is the correct tool because it sets a random, per-machine local administrator password on each domain-joined computer, rotates it on a schedule, and stores the current value in Active Directory (or Entra ID) behind an ACL so that only authorised staff can read it. That directly enforces the unique-password requirement without manual work. The legacy product did this with the `AdmPwd` client-side extension and its own Group Policy template; since the April 2023 Windows updates the feature is built into Windows as Windows LAPS, with the policy under Administrative Templates > System > LAPS and a `LAPS` PowerShell module for permissions and retrieval. A unique password per machine also stops a captured local-admin hash from working on the next workstation, which is the real reason the policy exists.

Exam trap

CompTIA often tests the misconception that Group Policy can enforce unique passwords, but candidates must remember that Group Policy applies the same setting to all objects in its scope, making it unsuitable for uniqueness; LAPS is the specific Microsoft solution designed for this exact requirement.

How to eliminate wrong answers

Option A is wrong because a Group Policy setting applies the same value to every computer in its scope, so it would push one shared password to all workstations, the opposite of the requirement; the old Group Policy Preferences method of doing this was removed in MS14-025 because the stored password was recoverable by any domain user. Option B is wrong because BitLocker encrypts data at rest and has nothing to do with managing or rotating local account passwords. Option D is wrong because disabling the local administrator account sidesteps the requirement rather than meeting it, and the account is often needed for offline troubleshooting and recovery.
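An added example (not from the original page) of the Windows LAPS rollout for one OU of workstations: schema, permissions, client policy and retrieval. The domain, OU, group and host names are hypothetical; the legacy AdmPwd equivalents are noted at the end.

```powershell
# Added example, not from the original page. Windows LAPS (built into Windows since the April 2023
# updates) for one OU of workstations. Domain, OU, group and host names are hypothetical.
# Run from an admin host with RSAT and the LAPS module; the schema update needs Schema Admins.
Import-Module LAPS

# One-time: add the msLAPS-* attributes to the AD schema.
Update-LapsADSchema

$ou = 'OU=Workstations,DC=corp,DC=example'
# Each computer may write its own password attributes...
Set-LapsADComputerSelfPermission -Identity $ou
# ...and only the Tier-2 helpdesk group may read them back.
Set-LapsADReadPasswordPermission -Identity $ou -AllowedPrincipals 'CORP\Helpdesk-Tier2'
# Anyone else holding "All Extended Rights" on the OU can read them too; surface those grants.
Find-LapsADExtendedRights -Identity $ou

# Client policy. These are the values the GPO "Administrative Templates > System > LAPS" writes;
# setting them here is for a single test machine (elevated).
$laps = 'HKLM:\Software\Microsoft\Policies\LAPS'
New-Item -Path $laps -Force | Out-Null
Set-ItemProperty $laps -Name BackupDirectory              -Value 2  -Type DWord  # 2 = Active Directory
Set-ItemProperty $laps -Name PasswordLength               -Value 20 -Type DWord
Set-ItemProperty $laps -Name PasswordComplexity           -Value 4  -Type DWord  # upper, lower, digits, specials
Set-ItemProperty $laps -Name PasswordAgeDays              -Value 30 -Type DWord
Set-ItemProperty $laps -Name PostAuthenticationResetDelay -Value 4  -Type DWord  # hours after a helpdesk use
Set-ItemProperty $laps -Name PostAuthenticationActions    -Value 3  -Type DWord  # 3 = rotate and log off
Invoke-LapsPolicyProcessing   # apply now rather than waiting for the next cycle

# Helpdesk retrieval: current password and its expiry; use -AsPlainText only when it is needed.
Get-LapsADPassword -Identity 'WS-FIN-07' -AsPlainText

# Legacy LAPS (AdmPwd.PS module) equivalents: Update-AdmPwdADSchema, Set-AdmPwdComputerSelfPermission,
# Set-AdmPwdReadPasswordPermission, Get-AdmPwdPassword -ComputerName WS-FIN-07
```

The post-authentication settings are what make a helpdesk retrieval safe: once a technician has used the password, it is rotated a few hours later, so the value they wrote on a sticky note is worthless by the next day.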

5
MCQ · hard

A company's security policy requires that all workstations use a host-based firewall to block incoming connections except for specific allowed applications. A technician needs to configure this on a Windows 10 PC. Which tool should they use?

A. Windows Defender Antivirus settings
B. Windows Defender Firewall with Advanced Security
C. Group Policy Editor
D. Network and Sharing Center
Answer: B

This MMC snap-in allows creating inbound and outbound rules to block or allow traffic based on application, port, or IP address, meeting the policy requirement.

Why this answer

The Windows Defender Firewall with Advanced Security (wf.msc) is the correct tool because it provides granular control over inbound rules, allowing the technician to block all incoming connections by default and then create explicit allow rules for specific applications. This meets the security policy requirement for a host-based firewall that blocks incoming traffic except for permitted applications.

Exam trap

CompTIA often tests the distinction between basic firewall settings (accessible via Control Panel) and the Advanced Security console, where candidates mistakenly choose the simpler interface or confuse firewall management with antivirus or group policy tools.

How to eliminate wrong answers

Option A is wrong because Windows Defender Antivirus settings manage malware protection, not firewall rules; they cannot create or modify inbound connection rules. Option C is wrong because gpedit.msc is the Local Group Policy Editor, a general-purpose policy editor; it does expose the firewall console under Security Settings, but it is not the firewall tool itself, and the domain version (gpmc.msc) is the right choice only when the same rules must be pushed to many machines. Option D is wrong because Network and Sharing Center is a network status and troubleshooting interface; it links to the basic firewall settings but does not provide the per-application inbound rule configuration needed here.
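The policy from the question, as an added example (not from the original page) scripted with the NetSecurity cmdlets that drive the same engine as wf.msc. The program path, port and subnet are hypothetical stand-ins for an approved application; run elevated.

```powershell
# Added example, not from the original page. Inbound default-deny plus one tightly scoped allow,
# then two checks a technician should run before calling the host compliant.

# 1. Firewall on, inbound default-deny on all three profiles, outbound still allowed; log the drops.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow `
    -NotifyOnListen True -LogBlocked True

# 2. One explicit allow, scoped as tightly as the application permits: the binary, the protocol
#    and port it listens on, the address range that legitimately reaches it, and not the Public profile.
New-NetFirewallRule -DisplayName 'Allow Contoso Agent (TCP 8443 from corp)' `
    -Direction Inbound -Action Allow -Enabled True `
    -Program 'C:\Program Files\Contoso\AgentSvc.exe' `
    -Protocol TCP -LocalPort 8443 `
    -RemoteAddress 10.0.0.0/8 `
    -Profile Domain,Private

# 3a. Check: every profile really defaults to Block.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction

# 3b. Check: enabled inbound allow rules bound to "any program, any service" are the ones that
#     silently undo the policy (installers add them). Built-in Core Networking rules will show up
#     here too; review rather than delete blindly.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object {
        ($_ | Get-NetFirewallApplicationFilter).Program -eq 'Any' -and
        ($_ | Get-NetFirewallServiceFilter).Service -eq 'Any'
    } |
    Select-Object DisplayName, Profile,
        @{ n = 'LocalPort'; e = { ($_ | Get-NetFirewallPortFilter).LocalPort -join ',' } }
```

The scoping in step 2 is the part the console makes easy to skip: an allow rule for "any program on port 8443 from any address" meets the letter of the policy while leaving the port reachable from every network the laptop ever joins.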

6
MCQ · medium

A small business owner wants to ensure that if a laptop is stolen, the data on the drive cannot be read. The laptop runs Windows 11 Pro. What is the most appropriate remediation?

A. Set a strong BIOS password
B. Enable BitLocker on the system drive
C. Install an antivirus with anti-theft features
D. Use a cloud backup service
Answer: B

BitLocker encrypts the entire drive, rendering data inaccessible without the key, even if the drive is removed.

Why this answer

BitLocker is the native full-volume encryption feature in Windows 11 Pro; it encrypts the entire system drive, including the operating system, applications and all user data, with the volume key sealed to the TPM. If the laptop is stolen, the drive is unreadable when removed and attached to another computer, and without a recovery key there is no way back in. Two practical points: with the default TPM-only protector the volume unlocks automatically at boot, so the thief reaches the logon screen and attacks shift to DMA, TPM bus sniffing and logon bypass; requiring a startup PIN alongside the TPM closes that off for a stolen, powered-off laptop. And the recovery key must be escrowed somewhere other than the laptop (Active Directory, Entra ID, or a printed copy in a safe), or a forgotten PIN becomes its own data loss.

Exam trap

The trap here is that candidates often confuse a BIOS password with drive encryption, thinking it secures the data, but BIOS passwords only control boot access and do not protect against physical drive removal and forensic analysis.

How to eliminate wrong answers

Option A is wrong because a BIOS password only prevents unauthorized booting or BIOS changes but does not encrypt the drive; the data can still be read by removing the drive and connecting it to another system. Option C is wrong because antivirus with anti-theft features typically provides location tracking, remote lock, or wipe capabilities, but it does not encrypt the drive at rest, so data remains accessible if the drive is removed. Option D is wrong because a cloud backup service protects against data loss but does not prevent an attacker from reading data already stored on the laptop's drive.

7
MCQ · medium

A company has a policy that all workstations must automatically lock after 10 minutes of inactivity. A user complains that their computer does not lock automatically. Which setting should you check and remediate?

A. Check the power plan settings for sleep timeout
B. Verify that the screen saver is enabled and set to 'On resume, display logon screen' with a 10-minute wait
C. Ensure Windows Update is fully installed
D. Disable the Fast Startup feature
Answer: B

This setting locks the workstation after the specified inactivity period, meeting the policy.

Why this answer

Option B is correct because, in the interface the question describes, the automatic lock is produced by the screen saver: when the screen saver is active with a 10-minute wait and 'On resume, display logon screen' is set, Windows requires authentication when the user returns. This is the setting to check first, not the power plan sleep timeout. On domain-joined machines the same result is usually enforced with the security option 'Interactive logon: Machine inactivity limit' (600 seconds), which locks the session whether or not a screen saver is configured; a user who can change their own screen saver settings can otherwise defeat the policy, so the setting should come from Group Policy rather than the user's Control Panel.

Exam trap

CompTIA often tests the distinction between sleep/screen saver/lock settings, and the trap here is that candidates confuse the power plan sleep timeout with the screen saver lock timeout, assuming sleep automatically locks the workstation.

How to eliminate wrong answers

Option A is wrong because the power plan sleep timeout controls when the system enters a low-power sleep state, not the lock screen; a computer can be idle and unlocked without sleeping. Option C is wrong because Windows Update installation status does not affect the screen saver or lock timeout behavior; missing updates would not prevent automatic locking. Option D is wrong because Fast Startup is a boot optimization feature that affects shutdown and startup, not idle-time locking; disabling it has no impact on the lock timeout.
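An added example (not from the original page) that audits both mechanisms behind an inactivity lock, shows why a "10-minute screen saver" can still fail to lock, and applies the machine-wide limit when neither meets policy. Registry locations are the ones the corresponding GPOs write; run the HKCU reads in the user's session and the HKLM write elevated.

```powershell
# Added example, not from the original page. Audit the two mechanisms that produce an inactivity
# lock and, if neither meets the 10-minute policy, set the machine-wide one.
function Get-LockTimeoutStatus {
    $sysPol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $ssPol  = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'   # GPO-enforced
    $ssUser = 'HKCU:\Control Panel\Desktop'                                       # user's own setting

    # "Interactive logon: Machine inactivity limit" (seconds). Locks whether or not a screen saver runs.
    $inactivity = (Get-ItemProperty -Path $sysPol -Name InactivityTimeoutSecs -ErrorAction SilentlyContinue).InactivityTimeoutSecs

    # Screen saver path: policy values win over the user's Control Panel choices when present.
    $src = if (Test-Path $ssPol) { $ssPol } else { $ssUser }
    $ss  = Get-ItemProperty -Path $src -ErrorAction SilentlyContinue
    $ssTimeout = [int]$ss.ScreenSaveTimeOut

    # A screen saver only locks if one is actually selected (SCRNSAVE.EXE), it is active, it is
    # "secure" (On resume, display logon screen) and the wait is within policy. "(None)" with the
    # box ticked is the usual reason the user's machine never locks.
    $ssOk = ($ss.ScreenSaveActive -eq '1') -and ($ss.ScreenSaverIsSecure -eq '1') -and
            ($ss.'SCRNSAVE.EXE') -and ($ssTimeout -gt 0) -and ($ssTimeout -le 600)
    $inactivityOk = ($inactivity -gt 0) -and ($inactivity -le 600)

    [pscustomobject]@{
        InactivityLimitSecs = $inactivity
        ScreenSaverSource   = $src
        ScreenSaverExe      = $ss.'SCRNSAVE.EXE'
        ScreenSaverActive   = $ss.ScreenSaveActive
        ScreenSaverSecure   = $ss.ScreenSaverIsSecure
        ScreenSaverTimeout  = $ssTimeout
        MeetsPolicy         = $ssOk -or $inactivityOk
    }
}

$status = Get-LockTimeoutStatus
$status
if (-not $status.MeetsPolicy) {
    # Remediate with the machine-wide limit: it needs no screen saver and the user cannot change it.
    Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
        -Name InactivityTimeoutSecs -Value 600 -Type DWord
}
```

If ScreenSaverSource comes back as the user's own Control Panel key rather than the policy key, the lock exists only because the user has not changed it yet; that is the finding to fix, not the timeout value.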

8
MCQ · hard

A company's network was breached, and forensic analysis reveals that an attacker used a pass-the-hash attack to move laterally. Which security measure would most effectively prevent this type of attack in the future?

A. Require all users to change passwords every 30 days.
B. Implement network segmentation and firewall rules.
C. Enable Windows Defender Credential Guard.
D. Disable NTLM authentication entirely.
Answer: C

Credential Guard protects credential hashes by storing them in a virtualized container, preventing pass-the-hash attacks.

Why this answer

Windows Defender Credential Guard uses virtualization-based security (VBS) to isolate and protect NTLM password hashes and Kerberos tickets in a secure container, preventing attackers from extracting them from LSASS memory even if they have administrative access. This directly stops pass-the-hash attacks because the hashes are never accessible to the operating system or tools like Mimikatz.

Exam trap

CompTIA often tests the misconception that network segmentation or a password policy stops pass-the-hash, but the attack works because the NTLM hash is as good as the password and can be read out of LSASS memory on a compromised host; the measure that addresses that directly is protecting the hash in memory, which is what Credential Guard does.

How to eliminate wrong answers

Option A is wrong because frequent password changes do not help: the attacker uses the hash of the current password as soon as it is captured, and a 30-day rotation leaves a long window. Option B is wrong because segmentation and firewall rules limit where an attacker can move but do nothing to stop hashes being extracted from a compromised host and reused within the permitted segment. Option D is wrong because, although pass-the-hash is an NTLM technique and removing NTLM would indeed stop it, disabling NTLM outright usually breaks legacy applications and devices, and attackers with the same foothold switch to the Kerberos equivalents (overpass-the-hash, pass-the-ticket); it is a goal to work towards through auditing and restriction policies rather than a single remediation step. Two caveats on the correct answer: Credential Guard protects domain credentials held by LSA, not the local account hashes in the SAM, so local administrator passwords still need to be unique per machine (see the LAPS question above), and it requires UEFI, Secure Boot and virtualization support on the hardware.
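An added example (not from the original page) that distinguishes "Credential Guard configured" from "Credential Guard running", and shows the registry switches the GPO sets when it is off. Values and class names are Microsoft's documented ones; the host is assumed to be Windows Enterprise or Education with UEFI and Secure Boot, and an elevated shell.

```powershell
# Added example, not from the original page. Check whether Credential Guard is configured and
# actually running, then enable it if not (reboot required afterwards).
function Get-CredentialGuardStatus {
    $dg  = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name LsaCfgFlags -ErrorAction SilentlyContinue
    [pscustomobject]@{
        # 0 = VBS off, 1 = enabled but not running, 2 = running
        VbsStatus                 = $dg.VirtualizationBasedSecurityStatus
        # In these arrays 1 = Credential Guard, 2 = HVCI (memory integrity)
        CredentialGuardConfigured = [bool](1 -in $dg.SecurityServicesConfigured)
        CredentialGuardRunning    = [bool](1 -in $dg.SecurityServicesRunning)
        # 1 = on with UEFI lock (cannot be switched off remotely), 2 = on without lock, 0/absent = off
        LsaCfgFlags               = $lsa.LsaCfgFlags
    }
}

$status = Get-CredentialGuardStatus
$status

if (-not $status.CredentialGuardRunning) {
    # What the GPO "Turn On Virtualization Based Security" writes. Needs UEFI, Secure Boot and a CPU
    # with virtualization extensions; Win32_DeviceGuard.AvailableSecurityProperties lists what the
    # hardware offers before you flip these on older machines.
    $dgKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
    New-Item -Path $dgKey -Force | Out-Null
    Set-ItemProperty -Path $dgKey -Name EnableVirtualizationBasedSecurity -Value 1 -Type DWord
    Set-ItemProperty -Path $dgKey -Name RequirePlatformSecurityFeatures   -Value 1 -Type DWord  # 1 = Secure Boot, 3 = Secure Boot + DMA protection
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name LsaCfgFlags -Value 1 -Type DWord
    Write-Host 'Credential Guard configured; reboot, then re-run Get-CredentialGuardStatus.'
}
```

"Configured" without "running" is the common failure mode after a GPO rollout: the policy applied but the firmware prerequisites were missing, so LSASS is still holding plaintext hashes. Once CredentialGuardRunning is true, an LSASS dump yields encrypted blobs rather than NTLM hashes for domain accounts.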

9
MCQ · hard

A technician discovers that a Windows 10 workstation has been infected with a fileless malware that resides in memory. Traditional antivirus scans have not detected it. Which approach should the technician use to remove this type of malware?

A. Run a full antivirus scan in normal mode.
B. Use the Windows Malicious Software Removal Tool (MSRT) in Safe Mode.
C. Boot from a rescue disk and perform an offline scan.
D. Restore the system from a backup taken before the infection.
Answer: C

Booting from a rescue disk (e.g., Windows Defender Offline) runs the scan from a clean operating system. The power cycle itself clears whatever lived only in RAM; the offline scan then inspects the registry hives, scheduled tasks and WMI repository for the loader that would bring it back, with nothing malicious running to hide them.

Why this answer

Fileless malware keeps its payload in memory (RAM) rather than as an executable on disk, typically launched by a script or command stored in a registry key, a scheduled task or a WMI event subscription, so disk-signature scanning inside the running system finds nothing and the running payload can interfere with tools that look for it. Booting from a rescue disk (a bootable USB or CD with an offline scanner) changes both facts: the reboot terminates the in-memory payload, and the scanner can inspect the offline Windows installation, including its registry hives, for the persistence that relaunches it, with nothing malicious running to hide or protect those artifacts. Finding and removing that loader is the actual remediation; if no loader exists, the infection was removed by the reboot and the remaining work is determining how it got in.

Exam trap

The trap here is that candidates assume Safe Mode or a signature-based removal tool like MSRT can handle every malware type, but fileless malware leaves no executable for those tools to match, and its loader often runs through trusted binaries such as powershell.exe or wmic.exe that are present in Safe Mode too.

How to eliminate wrong answers

Option A is wrong because a scan in normal mode runs inside the compromised environment, where the payload is active and can hide its process and memory artifacts from the scanner, and where a signature-based scan has no file to match in the first place. Option B is wrong because the Windows Malicious Software Removal Tool (MSRT) is a signature-based tool that targets a fixed list of prevalent malware families on disk, not memory-resident threats, and Safe Mode does not stop a loader that uses a Run key or a service the malware has registered. Option D is wrong because although a restore to a pre-infection backup would remove both payload and loader, it discards all work done since that backup and tells you nothing about how the loader was planted; it is the fallback when the offline scan fails, not the first approach.
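An added example (not from the original page) of hunting for the loader that fileless malware leaves behind: Run keys, scheduled tasks and WMI event subscriptions that launch an interpreter with a suspicious command line. It is shown against a live system for brevity; from the rescue-disk side you would load the offline SOFTWARE and NTUSER hives with reg load and query them the same way. The pattern list is a constructed starting point, not a signature database.

```powershell
# Added example, not from the original page. Hunt for the loader a fileless infection leaves behind.
# The in-memory payload dies at power-off; what survives is whatever relaunches it.
$patterns = 'powershell', 'pwsh', '-enc', '-encodedcommand', 'frombase64string', 'iex', 'invoke-expression',
            'downloadstring', 'downloadfile', 'mshta', 'wscript', 'cscript', 'regsvr32', 'rundll32',
            'bitsadmin', 'certutil', 'javascript:', 'vbscript:'

function Test-SuspiciousCommand([string]$Command) {
    if ([string]::IsNullOrWhiteSpace($Command)) { return $false }
    $c = $Command.ToLowerInvariant()
    foreach ($p in $patterns) { if ($c.Contains($p)) { return $true } }
    return $false
}

function Find-FilelessPersistence {
    $hits = New-Object System.Collections.Generic.List[object]
    function Add-Hit($Source, $Name, $Command) {
        $hits.Add([pscustomobject]@{ Source = $Source; Name = $Name; Command = $Command })
    }

    # 1. Run / RunOnce keys for the machine and the current user.
    foreach ($key in 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
                     'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
                     'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                     'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce') {
        $item = Get-Item -Path $key -ErrorAction SilentlyContinue
        if (-not $item) { continue }
        foreach ($valueName in $item.GetValueNames()) {
            $cmd = $item.GetValue($valueName)
            if (Test-SuspiciousCommand $cmd) { Add-Hit "Registry $key" $valueName $cmd }
        }
    }

    # 2. Scheduled tasks whose action is an interpreter with a suspicious argument. Expect noise from
    #    Microsoft's own \Microsoft\Windows\ tasks; check the script path and signature before acting.
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            $cmd = "$($action.Execute) $($action.Arguments)".Trim()
            if (Test-SuspiciousCommand $cmd) { Add-Hit "Task $($task.TaskPath)" $task.TaskName $cmd }
        }
    }

    # 3. WMI permanent event subscriptions: the loader that lives only in the CIM repository.
    #    Any consumer is rare on a clean workstation, so report them all, plus the bindings that
    #    show which filter (timer, logon, process start) fires each consumer.
    $ns = 'root\subscription'
    Get-CimInstance -Namespace $ns -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue |
        ForEach-Object { Add-Hit 'WMI CommandLineEventConsumer' $_.Name $_.CommandLineTemplate }
    Get-CimInstance -Namespace $ns -ClassName ActiveScriptEventConsumer -ErrorAction SilentlyContinue |
        ForEach-Object { Add-Hit 'WMI ActiveScriptEventConsumer' $_.Name $_.ScriptText }
    Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue |
        ForEach-Object { Add-Hit 'WMI Binding' "$($_.Filter)" "$($_.Consumer)" }

    return $hits
}

Find-FilelessPersistence | Format-Table -AutoSize -Wrap
```

Removal follows the hit type: Remove-ItemProperty for a Run value, Unregister-ScheduledTask for a task, and Remove-CimInstance for the WMI binding, consumer and filter (remove all three, or the survivors will be recreated). Decode any -EncodedCommand argument before deleting it; the Base64 usually names the staging URL that belongs in the incident record.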

10
MCQ · medium

A technician is troubleshooting a Windows 10 PC that was infected with a rootkit. After booting from a rescue disk and running a scan, the rootkit is removed, but the system is still unstable. What should the technician do next to ensure the system is fully remediated?

A. Reinstall the operating system from scratch.
B. Run the System File Checker (SFC) tool to repair corrupted files.
C. Disable System Restore and delete all restore points.
D. Perform a disk cleanup to remove temporary files.
Answer: B

SFC scans and repairs protected system files that may have been damaged by the rootkit, addressing the instability without a full reinstall.

Why this answer

After removing a rootkit, the system may have corrupted or replaced system files that cause instability. Running the System File Checker with 'sfc /scannow' from an elevated prompt scans protected system files and replaces damaged versions with known-good copies from the Windows component store (WinSxS). If SFC reports that it found corruption but could not repair it, the component store itself is damaged; run 'DISM /Online /Cleanup-Image /RestoreHealth' first and then repeat 'sfc /scannow'. Details of what SFC replaced are in %windir%\Logs\CBS\CBS.log on the lines tagged [SR].

Exam trap

The trap here is that candidates may choose to reinstall the OS (Option A) because they assume any rootkit infection requires a full wipe, but the question specifies the rootkit is already removed and the remaining issue is instability from file corruption, making SFC the targeted remediation step.

How to eliminate wrong answers

Option A is wrong because reinstalling the OS from scratch is unnecessary when the rootkit has already been removed and the remaining problem is file corruption; it also costs time and, without a backup, user data. Option C is wrong because disabling System Restore and deleting restore points (a step in the CompTIA malware-removal procedure that prevents reinfection from a stored snapshot) does not repair corrupted system files and so does nothing for the instability. Option D is wrong because Disk Cleanup only removes temporary files and frees space; it has no effect on system file integrity.

11
MCQ · medium

During a security audit, you find that several employees have been using the same weak password for their domain accounts. Which remediation should you implement first?

A. Disable the user accounts and require a manager to re-enable them
B. Configure a password policy in Group Policy requiring complexity and minimum length
C. Send a company-wide email reminding users to choose strong passwords
D. Install a third-party password manager for all employees
Answer: B

A Group Policy password policy enforces strong passwords domain-wide, preventing future weak passwords.

Why this answer

Option B is correct because the most effective first step against weak passwords is to enforce a password policy through Group Policy (Default Domain Policy > Account Policies > Password Policy). This centrally mandates a minimum length (raise it to at least 12 to 14 characters; length does more than character classes) and complexity, and it blocks simple passwords at the domain level for every account. Since the policy is only evaluated when a password is set, pair it with forcing the identified users to change their password at next logon, or the shared weak password survives until it expires. Unlike awareness campaigns or reactive measures, this is a technical control that enforces the standard rather than requesting it.

Exam trap

CompTIA often tests the distinction between administrative controls (like emails or account disabling) and technical controls (like Group Policy), where candidates mistakenly choose a non-technical, awareness-based option (C) over a policy-enforced technical solution (B).

How to eliminate wrong answers

Option A is wrong because disabling accounts and requiring manager re-enablement is a reactive, disruptive measure that does not address the root cause—employees will likely continue using weak passwords once re-enabled. Option C is wrong because a company-wide email is a non-technical, awareness-only approach that relies on voluntary compliance and does not prevent users from choosing weak passwords; it lacks enforcement. Option D is wrong because installing a third-party password manager, while helpful for password storage and generation, does not enforce a minimum password complexity or length policy on the domain accounts themselves and is a secondary measure, not the first remediation step.
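An added example (not from the original page) that audits and tightens the default domain password policy, then forces the users found sharing the weak password to change it, since the policy alone leaves existing passwords untouched. corp.example and the account names are hypothetical; the ActiveDirectory RSAT module and Domain Admin rights are assumed.

```powershell
# Added example, not from the original page. Audit, enforce, then force the affected users to reset.
Import-Module ActiveDirectory

# What "Default Domain Policy > Account Policies > Password Policy" currently enforces
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, ComplexityEnabled, PasswordHistoryCount, MaxPasswordAge, LockoutThreshold

# Length buys more than complexity against guessing, so raise the floor, keep complexity and history,
# and add lockout to slow online guessing. These values are one reasonable baseline, not a standard.
Set-ADDefaultDomainPasswordPolicy -Identity 'corp.example' `
    -MinPasswordLength 14 -ComplexityEnabled $true -PasswordHistoryCount 24 `
    -LockoutThreshold 10 -LockoutDuration (New-TimeSpan -Minutes 15) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 15)

# The policy is only evaluated when a password is set, so the shared weak password survives it.
# Force the identified accounts to change at next logon (constructed list from the audit finding).
$sharedWeak = 'jdoe', 'asmith', 'bwong'
foreach ($sam in $sharedWeak) {
    Set-ADUser -Identity $sam -ChangePasswordAtLogon $true
}

# Verify: pwdLastSet of 0 means "must change at next logon".
foreach ($sam in $sharedWeak) {
    Get-ADUser -Identity $sam -Properties pwdLastSet | Select-Object SamAccountName, pwdLastSet
}

# Admin and service accounts deserve a stricter, separate policy: New-ADFineGrainedPasswordPolicy,
# then Add-ADFineGrainedPasswordPolicySubject. Complexity alone still admits "Winter2025!", so pair
# this with a banned-password check (e.g. Entra Password Protection) where it is available.
```

The forced reset is the step the question's "first" ordering tends to hide: without it, the policy change is invisible to the very accounts the audit flagged until their passwords age out.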

12
MCQ · hard

A security analyst discovers that a user's workstation has been compromised by a rootkit that hides its processes from Task Manager. The rootkit is not detected by the installed antivirus. Which step is most effective for remediation?

A. Run a full antivirus scan in Safe Mode.
B. Use System Restore to revert to a previous state.
C. Boot from a rescue disk and perform an offline antivirus scan.
D. Reinstall the operating system from the recovery partition.
Answer: C

An offline scan from a rescue disk runs outside the infected OS, preventing the rootkit from hiding and allowing detection.

Why this answer

Option C is correct because a rootkit that hides its processes from Task Manager and evades the installed antivirus operates at a deep level within the operating system, often in kernel mode. Booting from a rescue disk (e.g., a live CD/USB with an offline scanner) loads a clean operating system environment, preventing the rootkit from loading and allowing the antivirus to scan the infected system's files without interference. This offline approach is the most effective remediation step when the rootkit is actively hiding from the installed AV in the normal OS context.

Exam trap

The trap here is that candidates often assume Safe Mode or System Restore can bypass rootkit persistence, but the exam tests the understanding that rootkits run in kernel mode or lower (boot sector, firmware) and are reliably detected and removed only from a clean, offline environment.

How to eliminate wrong answers

Option A is wrong because running a full antivirus scan in Safe Mode may still allow some rootkits to load if they hook into kernel drivers that are loaded even in Safe Mode, and the rootkit's evasion techniques can persist, leading to a missed detection. Option B is wrong because System Restore does not remove rootkits; it only reverts system files and registry settings to a previous state, while the rootkit's files and persistence mechanisms (e.g., in boot sectors or kernel drivers) often remain intact and can re-infect the system. Option D is wrong because reinstalling from the recovery partition may not fully remove a rootkit if it has infected the Master Boot Record (MBR) or firmware, as the recovery partition itself could be compromised or the rootkit may persist across a standard reinstall that does not wipe all partitions.

13
MCQ · medium

A company's security policy mandates that all USB flash drives must be encrypted before use. A user inserts a new USB drive and wants to encrypt it on a Windows 10 Pro workstation. Which built-in tool should be used?

A. Use EFS (Encrypting File System) on the USB drive.
B. Enable BitLocker To Go on the USB drive.
C. Format the drive as exFAT and set a password.
D. Use the cipher command to encrypt the drive.
Answer: B

BitLocker To Go is specifically for encrypting removable drives and is built into Windows Pro/Enterprise.

Why this answer

BitLocker To Go is the built-in Windows 10 Pro feature specifically designed to encrypt removable drives such as USB flash drives. It uses AES encryption to protect the entire volume, and the drive can be accessed only with a password, smart card, or recovery key. This directly satisfies the company's mandate for encrypting USB drives before use.

Exam trap

CompTIA often tests the distinction between EFS (file-level encryption) and BitLocker (full-volume encryption), and the trap here is that candidates mistakenly choose EFS because they associate 'encryption' with file-level protection, not realizing that EFS cannot encrypt an entire removable drive and is not designed for USB flash drives.

How to eliminate wrong answers

Option A is wrong because EFS (Encrypting File System) encrypts individual files and folders on NTFS volumes, but it does not encrypt entire removable drives and is not supported on USB flash drives formatted with FAT32 or exFAT. Option C is wrong because formatting as exFAT and setting a password is not a built-in Windows encryption feature; exFAT does not natively support password-based encryption, and any such password would be implemented by third-party software, not Windows. Option D is wrong because the cipher command is used to manage EFS encryption on NTFS volumes and to overwrite deleted data; it cannot encrypt an entire USB drive or enable BitLocker To Go.

14
MCQ · easy

A technician is configuring a new Windows 10 workstation for a remote employee who will handle sensitive customer data. Which security feature should be enabled to ensure that if the laptop is lost, the data remains protected?

A. Windows Defender Firewall
B. User Account Control (UAC)
C. BitLocker Drive Encryption
D. Windows Hello for Business
Answer: C

BitLocker encrypts the drive, making data unreadable without the key, ideal for lost or stolen devices.

Why this answer

BitLocker Drive Encryption (C) is the correct choice because it provides full-disk encryption using AES encryption algorithms, ensuring that if the laptop is lost or stolen, the sensitive customer data remains inaccessible without the recovery key or TPM authentication. This directly addresses the requirement to protect data at rest on a lost device.

Exam trap

CompTIA often tests the distinction between authentication/access control features (like UAC or Windows Hello) and data-at-rest encryption (BitLocker), leading candidates to choose a security feature that protects the system while running rather than protecting data when the device is physically compromised.

How to eliminate wrong answers

Option A is wrong because Windows Defender Firewall is a network security feature that monitors and controls incoming/outgoing traffic based on rules, but it does not encrypt data on the drive, so it cannot protect data if the laptop is physically lost. Option B is wrong because User Account Control (UAC) prompts for permission before allowing system-level changes to prevent unauthorized software from making modifications, but it does not encrypt the drive or protect data when the device is offline. Option D is wrong because Windows Hello for Business provides biometric or PIN-based authentication for user sign-in, but it does not encrypt the storage volume, so data remains readable if the drive is removed or the device is accessed via other means.
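For both laptop-theft questions above (question 6 and this one), an added example (not from the original page) that enables BitLocker on the OS drive with a TPM plus startup PIN, escrows a recovery password to Active Directory, and verifies the result. It assumes Windows 10/11 Pro or better with a TPM 2.0, an elevated shell, and a domain with the BitLocker recovery schema; the policy values are the ones the "Require additional authentication at startup" GPO writes.

```powershell
# Added example, not from the original page. OS-drive BitLocker with TPM + PIN, escrowed recovery key.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) { throw 'TPM not present or not ready; initialise it in UEFI / tpm.msc first.' }

# With a TPM-only protector the volume key is released automatically at boot and the thief gets the
# logon screen; a startup PIN keeps the key sealed until someone who knows it is at the keyboard.
# Requiring the PIN needs the "Require additional authentication at startup" policy:
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
New-Item -Path $fve -Force | Out-Null
Set-ItemProperty $fve -Name UseAdvancedStartup  -Value 1 -Type DWord
Set-ItemProperty $fve -Name EnableBDEWithNoTPM  -Value 0 -Type DWord
Set-ItemProperty $fve -Name UseTPM              -Value 0 -Type DWord   # TPM-only: do not allow
Set-ItemProperty $fve -Name UseTPMPIN           -Value 1 -Type DWord   # TPM + PIN: require
Set-ItemProperty $fve -Name UseTPMKey           -Value 0 -Type DWord
Set-ItemProperty $fve -Name UseTPMKeyPIN        -Value 0 -Type DWord

# Startup PIN (6 digits minimum by default; MinimumPIN policy raises it). Entered at boot, not at logon.
$pin = Read-Host -Prompt 'Startup PIN' -AsSecureString
Enable-BitLocker -MountPoint 'C:' -EncryptionMethod XtsAes256 -TpmAndPinProtector -Pin $pin -SkipHardwareTest

# Recovery password, stored somewhere other than the laptop. Here: AD DS. For Entra-joined devices use
# BackupToAAD-BitLockerKeyProtector with the same KeyProtectorId.
Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector | Out-Null
$rp = (Get-BitLockerVolume -MountPoint 'C:').KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
Backup-BitLockerKeyProtector -MountPoint 'C:' -KeyProtectorId $rp.KeyProtectorId

# Verify: VolumeStatus FullyEncrypted (or EncryptionInProgress right after enabling), ProtectionStatus On,
# and both a Tpm-and-PIN and a RecoveryPassword protector present.
Get-BitLockerVolume -MountPoint 'C:' |
    Select-Object VolumeStatus, ProtectionStatus, EncryptionMethod, EncryptionPercentage,
        @{ n = 'Protectors'; e = { ($_.KeyProtector.KeyProtectorType | Sort-Object -Unique) -join ', ' } }
```

ProtectionStatus is the value to watch: a volume can be FullyEncrypted with protection suspended (for example after a firmware update), in which case the key is stored in the clear on the disk and the laptop is, for a thief, unencrypted.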

15
MCQ · hard

During a routine check, a technician finds that a user's Windows 10 computer has an outdated antivirus that hasn't updated in 3 months. The user claims they never saw any update prompts. What is the most likely reason and the appropriate remediation?

A. The antivirus subscription has expired; renew it
B. The Windows Update service is disabled; re-enable it and set to automatic
C. The user has manually set the antivirus to manual update mode
D. The computer is infected with a virus that blocks updates
Answer: B

For Microsoft Defender Antivirus, security intelligence (definition) updates arrive through the Windows Update service, so if that service is disabled the definitions age silently and the user never sees a prompt. Re-enabling the service, setting it to start automatically and triggering an update resolves the issue.

Why this answer

Outdated antivirus almost always traces back to the update channel being disabled or misconfigured rather than to the user. Check the service the product depends on (Windows Update for Defender, the vendor's own update service for third-party products), set it to automatic and confirm the definition date afterwards. Because malware does disable update mechanisms, also confirm that real-time protection and tamper protection are still on and that nothing has written a Windows Update or Defender "disable" policy before treating the case as a simple misconfiguration.
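An added example (not from the original page) that checks Defender's definition age together with the Windows Update service it depends on, looks for the policy and preference flags that would point to option D instead, and then repairs the common case. Assumes Microsoft Defender Antivirus and an elevated shell.

```powershell
# Added example, not from the original page. Diagnose stale definitions, rule out tampering, repair.
function Get-DefenderUpdateHealth {
    $wu     = Get-Service -Name wuauserv
    $mp     = Get-MpComputerStatus
    $pref   = Get-MpPreference
    $wuPol  = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -ErrorAction SilentlyContinue
    $defPol = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        WindowsUpdateStatus    = $wu.Status
        WindowsUpdateStartType = $wu.StartType                 # Disabled is the finding in the question
        SignatureLastUpdated   = $mp.AntivirusSignatureLastUpdated
        SignatureAgeDays       = $mp.AntivirusSignatureAge
        RealTimeProtection     = $mp.RealTimeProtectionEnabled
        TamperProtected        = $mp.IsTamperProtected
        # Malware sets these far more often than administrators do.
        NoAutoUpdatePolicy     = $wuPol.NoAutoUpdate -eq 1
        DefenderDisabledPolicy = $defPol.DisableAntiSpyware -eq 1
        RtpDisabledPreference  = $pref.DisableRealtimeMonitoring
    }
}

$h = Get-DefenderUpdateHealth
$h

if ($h.WindowsUpdateStartType -eq 'Disabled' -or $h.WindowsUpdateStatus -ne 'Running') {
    Set-Service -Name wuauserv -StartupType Automatic
    Start-Service -Name wuauserv
}
if ($h.SignatureAgeDays -gt 7) {
    Update-MpSignature          # pulls the current security intelligence package now
    # Recent update failures, if any, are in the Defender operational log (event 2001 = update failed)
    Get-WinEvent -LogName 'Microsoft-Windows-Windows Defender/Operational' -MaxEvents 200 |
        Where-Object Id -eq 2001 | Select-Object TimeCreated, Message -First 5
}
# If DefenderDisabledPolicy or RtpDisabledPreference is true and no administrator set it, treat the
# host as suspect (option D) and follow the malware-removal procedure instead of just re-enabling updates.
```

Re-run Get-DefenderUpdateHealth after the fix; SignatureAgeDays should drop to 0 within a few minutes, and if it does not, the failure reason in the 2001 events (proxy, blocked endpoint, tampered hosts file) is the next thing to chase.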

16
MCQ · easy

A user calls the help desk because their workstation is running very slowly and they notice unusual network activity. You suspect ransomware. What should you do first to contain the threat?

A. Run a full antivirus scan on the affected workstation.
B. Disconnect the workstation from the network immediately.
C. Back up all files to an external drive before taking action.
D. Restart the computer and boot into Safe Mode.
Answer: B

Disconnecting the network cable or disabling the wireless adapter stops the ransomware from spreading and communicating externally, containing the incident.

Why this answer

The immediate priority is containment to prevent the ransomware from spreading to other systems on the network. Isolating the workstation by disconnecting it from the network is the first step, followed by notifying the security team.

17
MCQ · easy

A company policy requires that all USB flash drives be encrypted before use. A technician needs to configure a new drive for a manager who will store confidential client data. Which built-in Windows tool should the technician use?

A. EFS (Encrypting File System)
B. BitLocker To Go
C. Windows Defender Firewall
D. Device Manager
Answer: B

BitLocker To Go is specifically for encrypting removable drives, providing full-disk encryption with password or smart card authentication.

Why this answer

BitLocker To Go is the correct built-in Windows tool for encrypting removable drives like USB flash drives. It provides full-disk encryption specifically designed for portable storage, ensuring that the confidential client data on the drive is protected if the drive is lost or stolen.

Exam trap

CompTIA often tests the distinction between EFS (file-level encryption) and BitLocker (full-disk encryption), and the trap here is that candidates may confuse EFS with BitLocker To Go because both involve encryption, but EFS cannot encrypt entire removable drives for portable use.

How to eliminate wrong answers

Option A is wrong because EFS (Encrypting File System) encrypts individual files and folders on NTFS volumes, not entire removable drives, and it does not support encrypting USB flash drives for use on other systems without additional configuration. Option C is wrong because Windows Defender Firewall is a network security tool that filters incoming and outgoing traffic based on rules; it does not provide any data-at-rest encryption for storage devices. Option D is wrong because Device Manager is used to manage hardware drivers and device settings, not to perform encryption or security configurations on storage media.
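For both BitLocker To Go questions above (question 13 and this one), an added example (not from the original page) that encrypts a removable drive with a password, adds a recovery password so a forgotten passphrase does not become lost client data, and enforces the "encrypt before use" mandate on the workstation with the policy that makes unencrypted removable drives read-only. Drive letter E: is hypothetical; run elevated.

```powershell
# Added example, not from the original page. BitLocker To Go on a removable drive plus enforcement.
$drive = 'E:'

# Password protector for portability (smart card is the other option). XTS-AES is not readable on
# Windows 7 / 8.1; use -EncryptionMethod Aes256 if the stick must open on older systems.
$pw = Read-Host -Prompt 'Drive password' -AsSecureString
Enable-BitLocker -MountPoint $drive -EncryptionMethod XtsAes256 -UsedSpaceOnly -PasswordProtector -Password $pw

# Recovery password: record the 48-digit key somewhere other than the stick (password vault, AD).
$vol = Add-BitLockerKeyProtector -MountPoint $drive -RecoveryPasswordProtector
$vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' |
    Select-Object KeyProtectorId, RecoveryPassword

# Enforce the policy on this workstation: removable drives not protected by BitLocker become
# read-only ("Deny write access to removable drives not protected by BitLocker"). This is the
# value that GPO writes; in a domain, set it in the GPO, not here.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
New-Item -Path $fve -Force | Out-Null
Set-ItemProperty $fve -Name RDVDenyWriteAccess -Value 1 -Type DWord
# Optional: also refuse write access to drives encrypted by another organisation's BitLocker
# (identification field must match): Set-ItemProperty $fve -Name RDVDenyCrossOrg -Value 1 -Type DWord

# Check before handing the drive over: VolumeType Data, VolumeStatus FullyEncrypted (not still
# EncryptionInProgress), ProtectionStatus On.
Get-BitLockerVolume -MountPoint $drive |
    Select-Object VolumeType, VolumeStatus, ProtectionStatus, EncryptionMethod, EncryptionPercentage
```

The RDVDenyWriteAccess policy is what turns the written mandate into something the endpoint enforces: a user who plugs in an unencrypted stick can read it but cannot copy client data onto it, so the "before use" requirement no longer depends on the user remembering it.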

18
MCQ · medium

A technician is configuring a new Windows 10 workstation for a remote employee. The employee will use the laptop to access company resources via VPN. Which security setting should be configured to ensure the VPN connection is always used when accessing the internet?

A. Enable split tunneling to improve performance.
B. Disable split tunneling to force all traffic through the VPN.
C. Configure the VPN to use PPTP protocol.
D. Set the VPN to connect only when accessing internal websites.
Answer: B

Disabling split tunneling ensures all internet traffic goes through the corporate VPN, maintaining security policies.

Why this answer

Disabling split tunneling ensures that all network traffic, including internet-bound traffic, is routed through the VPN tunnel. This forces the VPN connection to be always used when accessing the internet, which is essential for enforcing security policies and ensuring that company resources are protected even when the remote employee accesses external websites.

Exam trap

CompTIA often tests the misconception that split tunneling is a harmless performance optimization, when in fact it lets non-VPN traffic bypass the corporate web filtering, logging and inspection controls the policy depends on.

How to eliminate wrong answers

Option A is wrong because enabling split tunneling would allow internet-bound traffic to bypass the VPN, directly contradicting the requirement to always use the VPN for internet access. Option C is wrong because PPTP is an outdated and insecure protocol; the question asks about a security setting to force traffic through the VPN, not about the protocol choice. Option D is wrong because setting the VPN to connect only when accessing internal websites would not force all internet traffic through the VPN; it would only trigger the VPN for internal resource requests, leaving other internet traffic unprotected.

19
MCQ · easy

A customer reports that their computer is running slowly and they see pop-up ads even when no browser is open. They suspect malware. Which of the following should you perform first to remediate this issue?

A. Run a full antivirus scan
B. Disconnect the computer from the network
C. Reboot the computer in Safe Mode
D. Restore from a recent backup
Answer: B

Disconnecting stops active malware from communicating or spreading, making it the priority first step.

Why this answer

Disconnecting the computer from the network is the first step because it immediately stops the malware from communicating with its command-and-control (C2) server, preventing further data exfiltration, additional payload downloads, or remote control. This containment step is critical before any remediation (like scanning or rebooting) to avoid the malware spreading or causing more damage.

Exam trap

The trap here is that candidates often jump to running an antivirus scan (Option A) as the immediate action, but CompTIA emphasizes containment first to prevent further damage or data loss, especially when active C2 communication is suspected.

How to eliminate wrong answers

Option A is wrong because running a full antivirus scan while the computer is still connected to the network allows active malware to continue communicating with its C2 server, potentially downloading more malicious code or exfiltrating data during the scan. Option C is wrong because rebooting into Safe Mode does not immediately stop network-based threats; the malware may still have network access in Safe Mode with networking, and the reboot itself could trigger destructive payloads. Option D is wrong because restoring from a recent backup should only be performed after confirming the backup is clean and the current infection is contained; doing it first risks reinfecting the system from the backup or missing active malware still on the network.

20
MCQ · easy

A customer reports that their Windows 10 PC is slow and displays pop-up ads even when no browser is open. They suspect malware. After running a full antivirus scan, the symptoms persist. Which step should you take next to remediate the issue?

A. Reinstall the operating system.
B. Run a scan with a dedicated anti-malware tool like Malwarebytes.
C. Disable Windows Defender permanently.
D. Clear the browser cache and cookies.
Answer: B

Adware and PUPs often evade standard antivirus; a dedicated anti-malware tool is designed to detect and remove them.

Why this answer

Option B is correct because standard antivirus software often misses potentially unwanted programs (PUPs) and adware that inject pop-ups into the system. A dedicated anti-malware tool like Malwarebytes uses heuristic analysis and signature databases specifically tuned to detect and remove adware, browser hijackers, and other low-level threats that traditional AV engines may overlook.

Exam trap

CompTIA often tests the distinction between standard antivirus and specialized anti-malware tools, trapping candidates who assume that a full antivirus scan is sufficient to remove all types of malware, especially adware and PUPs.

How to eliminate wrong answers

Option A is wrong because reinstalling the operating system is an extreme, time-consuming step that should only be taken after all other remediation methods have failed, and it does not address the root cause of the infection. Option C is wrong because disabling Windows Defender permanently would remove a critical layer of real-time protection, leaving the system vulnerable to further infections and violating best practices for security. Option D is wrong because clearing browser cache and cookies only removes temporary web data and cannot eliminate adware or malware that is running as a background process or service on the system.

21
MCQ · medium

A small business owner wants to ensure that all company laptops are protected in case of theft. They need a solution that encrypts the entire hard drive and requires a pre-boot PIN. Which security feature should you implement?

A. Enable EFS (Encrypting File System) on the Documents folder.
B. Set a BIOS password.
C. Enable BitLocker with a TPM + startup PIN.
D. Install a third-party antivirus with encryption.
Answer: C

BitLocker with TPM + PIN provides full disk encryption and requires a PIN before Windows loads, meeting the requirement.

Why this answer

BitLocker with a TPM + startup PIN provides full-disk encryption and requires a pre-boot authentication PIN, meeting the requirement to protect the entire hard drive in case of theft. The TPM validates system integrity, and the PIN must be entered before the OS loads, preventing unauthorized access even if the drive is removed.

Exam trap

The trap here is that candidates often confuse EFS with full-disk encryption or assume a BIOS password alone secures data, but only BitLocker with TPM + startup PIN provides the required pre-boot authentication and full-drive encryption.

How to eliminate wrong answers

Option A is wrong because EFS encrypts individual files or folders, not the entire hard drive, and does not require a pre-boot PIN; it operates at the file system level after the OS loads. Option B is wrong because a BIOS password only prevents unauthorized users from changing BIOS settings or booting the system, but it does not encrypt the hard drive, leaving data accessible if the drive is removed. Option D is wrong because third-party antivirus with encryption typically offers file-level or folder-level encryption, not full-disk encryption with pre-boot authentication, and antivirus software focuses on malware detection, not drive encryption.

22
MCQ · hard

A technician is responding to a security incident where an employee's credentials were used to access a server without authorization. The employee claims they did not perform the action. Which of the following should the technician do first to remediate the compromised account?

A. Reset the account password and enable MFA.
B. Disable the account to prevent further access.
C. Review the server logs to determine the extent of the breach.
D. Notify the employee's manager and HR department.
Answer: B

Disabling the account is the first containment step; it stops the attacker from using the credentials while the investigation and remediation proceed.

Why this answer

The immediate step is to disable the compromised account to prevent further unauthorized access. Then the technician should force a password reset and enable multi-factor authentication (MFA) to secure the account. Logging and investigation follow containment.

23
MCQ · medium

A user reports that their Windows 10 computer is infected with a virus that keeps reinstalling itself after removal. What should you do to remediate this persistent infection?

A. Run a system restore to a previous restore point
B. Boot from a rescue disc or USB and run an antivirus scan
C. Disable System Restore and then run an antivirus scan in normal mode
D. Reinstall Windows from the recovery partition
Answer: B

Booting from trusted media bypasses the infected OS, enabling thorough removal without the virus interfering.

Why this answer

A virus that reinstalls itself likely has a rootkit or persistent mechanism. Booting from trusted media and scanning the offline system ensures the malware cannot run, allowing complete removal.

24
MCQ · medium

A technician is configuring a new Windows 10 workstation for a user who handles sensitive financial data. Company policy mandates that the screen lock after 5 minutes of inactivity and that a password be required on wake. Which settings should the technician configure?

A. Set the power plan to turn off the display after 5 minutes.
B. Configure the screen saver to start after 5 minutes and check 'On resume, display logon screen.'
C. Enable the 'Require password on wakeup' setting in the power plan only.
D. Set the computer to sleep after 5 minutes and require a password on wake.
Answer: B

This combination locks the workstation after 5 minutes of inactivity and requires the user to log in again, meeting the policy.

Why this answer

The screen saver settings in Windows include the option 'On resume, display logon screen,' which locks the workstation once the screen saver activates. Setting the screen saver timeout to 5 minutes and enabling that option meets the policy.

25
MCQ · medium

A small business owner wants to ensure that all company laptops have their hard drives encrypted in case of theft. The laptops run Windows 10 Pro. Which technology should the technician enable to meet this requirement?

A. EFS (Encrypting File System)
B. Windows Defender Antivirus
C. BitLocker Drive Encryption
D. TPM (Trusted Platform Module)
Answer: C

BitLocker provides full-disk encryption for Windows 10 Pro and Enterprise, meeting the requirement for data protection on lost or stolen laptops.

Why this answer

BitLocker Drive Encryption (option C) is the correct technology because it provides full-disk encryption for Windows 10 Pro, ensuring that all data on the laptop's hard drive is encrypted at rest. This protects against data exposure if the device is stolen, as the drive cannot be accessed without the decryption key (e.g., a PIN, USB key, or TPM-based authentication). BitLocker is built into Windows 10 Pro and is specifically designed for whole-drive encryption, meeting the requirement for all company laptops.

Exam trap

The trap here is that candidates often confuse EFS (file-level encryption) with full-disk encryption, or they mistakenly think TPM alone provides encryption, when in fact TPM is merely a key storage and attestation component that requires BitLocker to enable drive encryption.

How to eliminate wrong answers

Option A is wrong because EFS (Encrypting File System) encrypts individual files or folders at the file system level, not the entire hard drive, and it does not protect system files or the operating system from offline access after theft. Option B is wrong because Windows Defender Antivirus is a malware protection tool that detects and removes malicious software; it does not provide any encryption or data protection for the hard drive. Option D is wrong because TPM (Trusted Platform Module) is a hardware security chip that can store encryption keys and support BitLocker, but it is not an encryption technology itself—it must be combined with BitLocker to achieve full-disk encryption.

26
MCQ · easy

A customer reports that their Windows 10 laptop is displaying pop-up ads even when no browser is open. They suspect a malware infection. Which of the following should you do first to remediate this issue?

A. Run a full antivirus scan while the system is connected to the internet.
B. Disconnect the network cable, boot into Safe Mode, then run a full antivirus scan.
C. Perform a System Restore to a point before the pop-ups started.
D. Immediately reinstall Windows 10 to ensure complete removal.
Answer: B

This is the correct sequence: disconnecting the network stops remote communication, Safe Mode limits malware activity, and scanning identifies and removes the threat.

Why this answer

The first step in malware remediation is to disconnect from the network to prevent further communication with command-and-control servers. Then boot into Safe Mode to prevent malicious processes from loading, and run a full antivirus scan. This isolates the threat before attempting removal.

27
MCQ · medium

A user reports that their Windows 10 PC is infected with a virus that changes the desktop background to a ransom note. After removing the virus with antivirus software, the desktop background remains unchanged. What should you do to restore the original background?

A. Reinstall the graphics driver.
B. Run System File Checker (sfc /scannow).
C. Check Group Policy settings for desktop wallpaper enforcement and reset them.
D. Perform a system restore to a point before the infection.
Answer: C

Malware often sets a Group Policy to lock the wallpaper; resetting this policy allows the user to change it.

Why this answer

Option C is correct because the virus likely modified the Group Policy setting that enforces a specific desktop wallpaper. Even after the virus is removed, the Group Policy setting persists and overrides any user attempts to change the background. Resetting the Group Policy wallpaper enforcement restores the user's ability to change the background normally.

Exam trap

The trap here is that candidates assume a virus removal or system file repair will fix all remnants of the infection, but they overlook that malware can modify persistent system policies like Group Policy, which require explicit reversal.

How to eliminate wrong answers

Option A is wrong because the graphics driver is not involved in displaying a static desktop background; the issue is a policy enforcement, not a rendering or driver problem. Option B is wrong because System File Checker (sfc /scannow) repairs corrupted system files, but the wallpaper change is due to a Group Policy setting, not file corruption. Option D is wrong because a system restore might revert the Group Policy change, but it is not the most direct or efficient fix; the problem is specifically a persistent policy setting that can be reset without affecting other system changes.

28
MCQ · medium

A user reports that their external hard drive is no longer recognized by Windows. They suspect it might be infected with malware from a previous connection. You run a security scan and find no threats. What is the most likely cause of the drive not being recognized?

A. The drive is permanently damaged by malware.
B. The USB controller driver is corrupted or outdated.
C. The user needs to format the drive to remove malware.
D. Windows Firewall is blocking the external drive.
Answer: B

Corrupted drivers can prevent device recognition; reinstalling or updating the driver in Device Manager often fixes the problem.

Why this answer

When a drive is not recognized after a suspected malware incident, the issue is often driver-related or due to a corrupted file system, not necessarily malware. Reinstalling or updating the USB controller driver in Device Manager can resolve recognition issues. The correct answer is to check Device Manager for driver issues.

29
MCQ · medium

A user reports that their Windows 10 PC is infected with a virus that keeps reappearing after removal. The technician boots into Safe Mode, runs a full antivirus scan, and removes the threat. However, after rebooting normally, the virus returns. What is the most likely reason?

A. The antivirus definitions are outdated.
B. The virus has a persistence mechanism, such as a scheduled task or registry run key.
C. The user is re-downloading the virus from the same source.
D. The virus is a polymorphic variant that changes its signature.
Answer: B

Persistence mechanisms allow malware to reinstall itself after removal. The technician must identify and delete these triggers in Task Scheduler, registry, or startup folders.

Why this answer

Option B is correct because the virus likely uses a persistence mechanism such as a scheduled task (via schtasks.exe) or a registry Run key (e.g., HKCU\Software\Microsoft\Windows\CurrentVersion\Run) to re-infect the system after boot. Safe Mode may bypass some of these mechanisms, but a normal boot re-triggers them, allowing the virus to reinstall itself even after the initial removal.

Exam trap

CompTIA often tests the distinction between detection failure (outdated definitions or polymorphism) and re-infection due to persistence mechanisms, so the trap here is assuming the antivirus failed to detect the virus rather than recognizing that the virus is being re-introduced after removal.

How to eliminate wrong answers

Option A is wrong because outdated antivirus definitions would prevent detection, not cause the virus to reappear after removal; the scan already removed the threat. Option C is wrong because the user re-downloading the virus would require active user action each time, but the problem states the virus 'keeps reappearing' automatically after reboot, indicating a persistence mechanism rather than repeated user downloads. Option D is wrong because a polymorphic virus changes its signature to evade detection, but the antivirus already detected and removed it; the issue is re-infection after reboot, not evasion of the scan.

30
MCQ · easy

A user's computer is infected with adware that changes the browser homepage and displays constant pop-ups. After removing the adware with an antivirus, the homepage remains changed. What additional remediation step should you take?

A. Reinstall the operating system
B. Reset the browser settings to default
C. Run a disk cleanup utility
D. Update the antivirus definitions and scan again
Answer: B

Resetting the browser clears all adware-induced changes, restoring the homepage and removing unwanted extensions.

Why this answer

After adware removal, the browser's homepage and settings are often stored in the browser's configuration files or registry keys that the antivirus does not reset. Resetting the browser settings to default restores the homepage, search engine, and new tab page to their original state, clearing any persistent malicious configurations left behind by the adware.

Exam trap

CompTIA often tests the misconception that a full OS reinstall is required for any persistent malware symptom, but the trap here is that the issue is a configuration change, not an active infection, so a targeted browser reset is sufficient.

How to eliminate wrong answers

Option A is wrong because reinstalling the operating system is an extreme measure that is unnecessary when the issue is isolated to the browser's settings; it would also delete user data and applications. Option C is wrong because a disk cleanup utility only removes temporary files and frees up disk space; it does not modify browser configuration settings or registry entries that control the homepage. Option D is wrong because updating antivirus definitions and scanning again would only detect and remove remaining malware files, but the adware has already been removed; the persistent homepage change is a configuration artifact, not an active infection.
