220-1102 Practice Question: A technician suspects that a malware infection on…

Answer choices

Why each option matters

Good practice is not just finding the correct option. The wrong answers often show the exact trap the exam wants you to fall into.

Answer analysis

Why the other options are wrong

Understanding why incorrect options are tempting is as important as knowing the correct answer.

• ✗

  Task Manager

  Task Manager displays network usage per process but does not show specific remote addresses or connection states, which are necessary to identify C2 communication.

• ✗

  Performance Monitor

  Performance Monitor is used for logging performance counters over time, not for real-time per-process network connection details.

• ✗

  Event Viewer

  Event Viewer logs events such as security or system errors, but it does not provide a live view of current network connections per process.

Technical deep dive

How to think about this question

Resource Monitor is the optimal built-in Windows tool for this scenario because its Network tab provides a granular, real-time view of active network connections, broken down by process. When a technician suspects a malware infection is communicating with a command-and-control (C2) server, they need to see not just that a process is using the network, but specifically which remote IP address and port it's connecting to. Resource Monitor excels here by listing each process with an active TCP connection, displaying the local and remote addresses, the port numbers, and the connection state. This level of detail allows the technician to quickly identify unusual outbound connections to unknown or suspicious remote hosts, which is a hallmark of C2 communication. For instance, if 'svchost.exe' is making an unexpected outbound connection to a public IP address on an unusual port, Resource Monitor would immediately highlight this, enabling further investigation. While Task Manager shows network activity per process, it lacks the critical detail of remote IP addresses and ports, making it insufficient for pinpointing C2 traffic. It might show high network usage for a process, but without knowing the destination, it's difficult to determine if it's malicious. Performance Monitor, on the other hand, is designed for collecting and analyzing system performance data over time using counters, not for displaying live, per-process connection details. It can track network interface statistics but won't attribute specific connections to individual processes in the way Resource Monitor does. Event Viewer logs system events and security audits, which might contain clues about a malware infection after the fact (e.g., failed login attempts, service installations), but it does not offer a real-time, active view of network connections, making it unsuitable for immediate identification of outbound C2 communication.

More questions from this exam

Keep practising from the same exam bank, or move into a focused topic page if this question exposed a weak area.

FAQ

Questions learners often ask

Keep practising

More 220-1102 practice questions

• →A change advisory board (CAB) approved a standard change to update antivirus definitions on all servers. The technician…
• →A company's change management policy requires all server changes to be approved by the Change Advisory Board (CAB). A te…
• →A company is implementing a bring-your-own-device (BYOD) policy and needs to ensure that corporate data on employee mobi…
• →A company requires employees to present both a smart card and a PIN to log into their workstations. Which authentication…
• →A company requires all Windows 10 workstations to be able to join an Active Directory domain. Which edition of Windows 1…
• →A company wants to allow employees to securely access internal resources from home via the internet. Which method provid…