SY0-701 · topic practice

Malware practice questions

Practise Security+ SY0-701 Malware practice questions — original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security
20 questions · Domain: Malware

What the exam tests

What to know about Malware

Malware questions test whether you can apply the concept in context, not just recognise a definition.

  • How the topic appears in realistic exam-style scenarios.
  • Which detail in the question changes the correct answer.
  • How to eliminate plausible but wrong options.
  • How to connect the question back to the wider exam objective.

Watch out for

Common Malware exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

Malware questions

20 questions · select your answer, then reveal the explanation

Question 1 · hard · multiple choice

Based on the exhibit, what is the best immediate action for the SOC or IR team?

A finance workstation shows evidence of a macro-launched script, followed by file renaming and lateral SMB traffic to two other hosts. The team has not yet determined the full scope of the incident.

Exhibit

Host: finance-lap07
10:22:11  winword.exe spawned powershell.exe -enc <redacted>
10:22:14  powershell.exe created C:\Users\ana\AppData\Roaming\rclone.exe
10:24:02  file rename activity: 184 files changed to *.locked
10:24:09  outbound SMB connections to 10.20.4.18 and 10.20.4.19
10:25:01  EDR status: endpoint still connected to corporate VPN
User report: 'My shared files stopped opening and the folder names changed.'

Question 2 · easy · multiple choice

Based on the exhibit, what should the analyst do next to limit the impact of the suspected compromise?

Exhibit

EDR Alert Summary
Host: FIN-LT-22
Severity: High
Detection: Suspicious PowerShell with encoded command
Parent Process: winword.exe
Network Activity: outbound connection to 203.0.113.77:4444
User Note: 'The laptop is running very slowly and pop-ups started after opening an attachment.'

Question 3 · medium · multiple choice

Based on the exhibit, what type of malware is the most likely issue on the workstation?

Exhibit

Help desk incident notes:

- User installed a free video converter from an unofficial download site.
- Browser home page changed without permission.
- A new extension appeared named "QuickSearch Helper".
- Outbound traffic to tracking.example-cdn.net increased every few minutes.
- The endpoint security console reports that saved browser cookies were accessed by an unknown process.

Question 4 · medium · multiple choice

During malware response on a finance workstation, the system is still powered on and connected. The manager asks whether you can just reboot it to stop the issue. What is the best next step?

Question 5 · hard · multi select

EDR reports that a workstation launched PowerShell from a word processor, created a scheduled task named WinUpdateSvc, and began making repeated HTTPS connections to a rare external domain. The user is still logged in to several cloud apps. Which two response actions are best to initiate from the EDR console? Select two.

Question 6 · hard · multiple choice

EDR on a workstation shows winword.exe spawning powershell.exe with hidden, no-profile, and encoded arguments. No new executable is written to disk. Minutes later, a scheduled task creation is blocked, but the same host continues making HTTPS requests to a cloud IP address. Which malware category best fits this behavior?

Question 7 · medium · multiple choice

During triage, you see a legitimate browser process spawning powershell.exe with an encoded command, followed by an outbound connection to a newly registered domain. No new executable is written to disk. Which malware characteristic best fits this behavior?

Question 8 · hard · multi select

Threat intelligence reports a campaign that rotates domains daily and repacks the malware for each delivery. Analysts also observe the same TLS certificate fingerprint, the same mutex name, and the same JA3 client fingerprint across multiple samples. Which three indicators are most useful to prioritize for hunting or blocking? Select three.

Question 9 · easy · multi select

A workstation is suspected of running malware and contacting an unknown host. Which two actions belong in the containment phase? Select two.

Question 10 · medium · multiple choice

A branch office has users, finance workstations, printers, and IP phones on one flat LAN. After a malware outbreak on a user PC, management wants to limit lateral movement without blocking printing or voice traffic. What should the network team implement?

Question 11 · medium · multiple choice

A file server suddenly shows renamed files with a new extension, users see a ransom note demanding cryptocurrency, and shadow copies are deleted from the host. Which malware family is the best match?

Question 12 · hard · multiple choice

A finance laptop is opened to review an invoice attachment. EDR then shows winword.exe launching powershell.exe with hidden, no-profile, and base64-encoded arguments. No executable is written to disk, network beacons begin from memory, and after a reboot the activity disappears unless the document is opened again. What type of malware behavior is most likely?

Question 13 · easy · multiple choice

A help desk technician receives an email that appears to come from the payroll provider. The message says the employee's direct deposit will be suspended unless they verify their account through a link. What type of attack is this?

Question 14 · medium · multi select

A finance workstation is suspected of running malware. It is still powered on, the user is logged in, and the network cable is connected. Which two actions best preserve volatile evidence before shutdown? Select two.

Question 15 · medium · multiple choice

A security analyst is reviewing network flow logs and notices a series of outbound connections from a single internal workstation to an external IP address on TCP port 443. The connections occur every 5 minutes, each lasting about 2 seconds, and the amount of data transferred per connection is consistently around 1 KB. The workstation's user reports no unusual activity. The analyst checks the host's EDR logs and sees no malicious processes or known indicators. Which type of activity is this pattern most consistent with?

Question 16 · hard · multiple choice

A Linux server is missing expected security-agent processes, but users can still connect to the application. Local command output does not show a suspicious daemon that another monitoring tool says is listening on port 4444. A raw disk scan reveals a kernel module loaded at boot, and several files appear only when viewed outside the normal operating system tools. What malware type is most likely?

Question 17 · medium · multiple choice

A security analyst discovers that an attacker maintained persistent access to a corporate network for six months, moving laterally between systems and exfiltrating sensitive data. The attacker used custom malware that evaded antivirus and established multiple backdoors. Which of the following best describes this type of threat actor and their campaign?

Question 18 · easy · multiple choice

A SIEM alert shows a workstation connecting to the same unknown internet address every 15 minutes, even after business hours. The device belongs to an employee who is on vacation. What is the best next step for the analyst?

Question 19 · hard · multi select

A manufacturing floor uses barcode scanners and a kiosk terminal that cannot support full endpoint agents or frequent manual patching. USB storage has previously introduced malware, and the devices only need to run one approved application and reach a backend system. Which two controls best reduce risk while preserving function? Select two.

Question 20 · medium · multiple choice

A threat intelligence feed says an adversary rotates domains daily, uses cloud VPS hosting, and reuses the same malware sample across several campaigns. Analysts want the indicator that remains useful even when the domain changes. What should they prioritize?

Frequently asked questions

What does the SY0-701 exam test about Malware?
Malware questions test whether you can apply the concept in context, not just recognise a definition.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Malware questions in a focused session?
Yes — the session launcher on this page draws every question from the Malware domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other SY0-701 topics?
Use the topic links above to move to related areas, or go back to the SY0-701 question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the SY0-701 exam covers. They are not copied from any real exam or dump site.