220-1102 Practice Question: A security technician has reimaged a user's…

Answer choices

Why each option matters

Good practice is not just finding the correct option. The wrong answers often show the exact trap the exam wants you to fall into.

Answer analysis

Why the other options are wrong

Understanding why incorrect options are tempting is as important as knowing the correct answer.

• ✗

  The rootkit is hidden in the user's profile, which was restored from backup

  If the user profile was restored, it could reintroduce malware, but a standard reimage typically does not include restoring user data unless explicitly done. The scenario does not mention a backup being restored.

• ✗

  The rootkit is on an external USB drive that is always connected

  An external drive could reinfect the system, but the technician would likely check and remove external media during troubleshooting. The question states the symptoms persist after reimage, implying the source is internal.

• ✗

  The rootkit is stored in the Windows registry, which is not erased during reimage

  A proper reimage reformats the system partition, wiping the registry and all OS files. The registry is on the hard drive and would be destroyed.

Technical deep dive

How to think about this question

This scenario highlights the insidious nature of firmware-based rootkits, which represent a significant challenge in malware remediation. Unlike traditional malware that resides within the operating system or user files on the hard drive, a firmware rootkit embeds itself directly into the Unified Extensible Firmware Interface (UEFI) or Basic Input/Output System (BIOS) chip on the motherboard. This means it operates at a layer below the operating system, initializing even before Windows starts to load. When a technician performs a standard reimage, they are typically formatting and reinstalling the operating system on the hard drive. This process completely wipes the hard drive's contents, including the Windows registry, user profiles, and all OS files. However, because the firmware is stored on a separate, non-volatile memory chip on the motherboard, reimaging the hard drive has no effect on a rootkit residing in the UEFI/BIOS. The rootkit persists through the reimage and can reinfect the newly installed operating system as soon as it boots, explaining the recurring symptoms. Remediation for such an infection typically involves flashing the firmware, which is a more complex and potentially risky procedure than a simple OS reinstallation, as it involves overwriting the contents of the UEFI/BIOS chip itself. This distinction is crucial because it bypasses all the other potential locations for malware that would be eradicated by a full hard drive reformat and OS reinstall.

More questions from this exam

Keep practising from the same exam bank, or move into a focused topic page if this question exposed a weak area.

FAQ

Questions learners often ask

Keep practising

More 220-1102 practice questions

• →A change advisory board (CAB) approved a standard change to update antivirus definitions on all servers. The technician…
• →A company's change management policy requires all server changes to be approved by the Change Advisory Board (CAB). A te…
• →A company is implementing a bring-your-own-device (BYOD) policy and needs to ensure that corporate data on employee mobi…
• →A company requires employees to present both a smart card and a PIN to log into their workstations. Which authentication…
• →A company requires all Windows 10 workstations to be able to join an Active Directory domain. Which edition of Windows 1…
• →A company wants to allow employees to securely access internal resources from home via the internet. Which method provid…