Question 1mediummultiple choice
Full question →SY0-701 · topic practice
Malware practice questions
Use this page to practise SY0-701 Malware practice questions. The goal is not to memorise dumps, but to understand the concept, review the explanation and improve your exam readiness.
What the exam tests
What to know about Malware
Malware questions test whether you can apply the concept in context, not just recognise a definition.
How the topic appears in realistic exam-style scenarios.
Which detail in the question changes the correct answer.
How to eliminate plausible but wrong options.
How to connect the question back to the wider exam objective.
Practice set
Malware questions
20 questions · select your answer, then reveal the explanation
Question 2mediummultiple choice
Full question →A branch office stores nightly backups on a NAS that is joined to the same Active Directory domain as the production servers. After a ransomware incident, management wants a backup design that is much harder for attackers to encrypt or delete. Which approach is the best improvement?
Question 3mediummultiple choice
Full question →A branch office uses a flat LAN, and a compromise on one user workstation could spread quickly to finance systems. Management wants finance workstations isolated from general users, but finance staff still need access to a central finance application and network printer. What is the best design change?
Question 4mediummultiple choice
Full question →A branch office uses a NAS for nightly backups, but the NAS is joined to the same domain as the production servers. After ransomware encrypted both production data and backups, management wants the most effective change to reduce the chance of backup tampering without a major redesign. Which control should be implemented?
Question 5mediummultiple choice
Full question →A company wants to stop employees from running unauthorized tools downloaded from the internet on managed Windows laptops, but still allow approved internal apps and vendor-updated software. Which control is best?
Question 6easymultiple choice
Full question →A development team updates a third-party software library used by its web application. After the release, new deployments begin making unexpected outbound connections to an unfamiliar domain. What type of threat is most likely?
Question 7mediummultiple choice
Full question →A file server in the accounting department begins renaming documents and dropping ransom notes. The SOC confirms encryption is still in progress, and the server hosts a share used by several finance teams. What should the incident response team do first?
Question 8easymultiple choice
Full question →A file server suddenly renames documents, creates ransom notes, and users can no longer open their files. Which malware type is most likely involved?
Question 9easymultiple choice
Full question →A file server suddenly renames documents with a new extension and displays a note demanding payment in cryptocurrency to restore access. What type of malware is most likely involved?
Question 10mediummultiple choice
Full question →A file server suddenly shows renamed files with a new extension, users see a ransom note demanding cryptocurrency, and shadow copies are deleted from the host. Which malware family is the best match?
Question 11hardmulti select
Full question →A file server used by a shared service account begins renaming documents, deleting shadow copies, and creating outbound SMB connections to many internal hosts. The SOC suspects the malware may be spreading while also encrypting data. Which two actions are the best immediate containment steps? Select two.
Question 12mediummultiple choice
Full question →A finance application works normally for weeks after a contractor leaves the company. On the first business day of the quarter, a hidden task runs, deletes archived reports, and then removes itself from the scheduled task list. What type of malware behavior is this?
Question 13hardmultiple choice
Full question →A finance laptop is opened to review an invoice attachment. EDR then shows winword.exe launching powershell.exe with hidden, no-profile, and base64-encoded arguments. No executable is written to disk, network beacons begin from memory, and after a reboot the activity disappears unless the document is opened again. What type of malware behavior is most likely?
Question 14mediummultiple choice
Full question →A finance laptop is powered on, the user is still logged in, and it remains connected to Wi-Fi after a malware alert. What should the responder do first to preserve volatile evidence?
Question 15hardmulti select
Full question →A finance workstation begins encrypting local files, and the EDR console shows the process is also enumerating SMB shares on adjacent hosts. The user reports no suspicious email and is still logged in. Management wants the fastest containment step that minimizes spread and the best follow-up action to preserve useful evidence. Which two actions should the SOC take first? Select two.
Question 16mediummulti select
Full question →A finance workstation is suspected of running malware. It is still powered on, the user is logged in, and the network cable is connected. Which two actions best preserve volatile evidence before shutdown? Select two.
Question 17easymultiple choice
Full question →A help desk team wants users to be unable to install unsanctioned browser extensions or freeware on corporate Windows laptops, while approved business apps still run. Which endpoint control is best?
Question 18easymultiple choice
Full question →A help desk technician receives a call from a user who says many of their documents now have strange file extensions and a ransom note appeared on the desktop. The files will not open. What type of malware is the user most likely experiencing?
Question 19easymultiple choice
Full question →A laptop repeatedly starts with an unapproved bootloader, and the security team wants the firmware to refuse boot code that is not signed by a trusted key. Which feature should be used?
Question 20easymultiple choice
Full question →A laptop user reports that many files now have strange extensions, a ransom note appears on the desktop, and the files cannot be opened. Which malware is most likely responsible?
Watch out for
Common Malware exam traps
- ▸Answering from memory before reading the full scenario.
- ▸Missing a constraint such as cost, availability, security, scope or command context.
- ▸Choosing a broad answer when the question asks for the most specific fix.
- ▸Ignoring why the wrong options are tempting.
Free account
Track your progress over time
Create a free account to save your results and see which topics improve across sessions.
Focused Malware sessions
Start a Malware only practice session
Every question in these sessions is drawn from the Malware domain — nothing else.
Related practice questions
Related SY0-701 topic practice pages
Move into related areas when this topic feels solid.
Security+ social engineering questions
Practise SY0-701 questions linked to Security+ social engineering questions.
Security+ cryptography practice questions
Practise SY0-701 questions linked to Security+ cryptography.
Security+ IAM questions
Practise SY0-701 questions linked to Security+ IAM questions.
Security+ risk management questions
Practise SY0-701 questions linked to Security+ risk management questions.
Security+ incident response questions
Practise SY0-701 questions linked to Security+ incident response questions.
Security+ malware questions
Practise SY0-701 questions linked to Security+ malware questions.
Security+ vulnerability management questions
Practise SY0-701 questions linked to Security+ vulnerability management questions.
Security+ security operations questions
Practise SY0-701 questions linked to Security+ security operations questions.
Security+ zero trust questions
Practise SY0-701 questions linked to Security+ zero trust questions.
Security+ authentication factors questions
Practise SY0-701 questions linked to Security+ authentication factors questions.
Frequently asked questions
- What does the SY0-701 exam test about Malware?
- Malware questions test whether you can apply the concept in context, not just recognise a definition.
- How should I use these practice questions?
- Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
- Can I practise just Malware questions in a focused session?
- Yes — the session launcher on this page draws every question from the Malware domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
- Where can I practise other SY0-701 topics?
- Use the topic links above to move to related areas, or go back to the SY0-701 question bank to see all topics.
- Are these real exam questions or dumps?
- These are original practice questions written to test the same concepts the SY0-701 exam covers. They are not copied from any real exam or dump site.
Track your progress
A free account saves results across sessions and highlights which topics need work.
Sign up freeExam traps to avoid
- ▸Answering from memory before reading the full scenario.
- ▸Missing a constraint such as cost, availability, security, scope or command context.
- ▸Choosing a broad answer when the question asks for the most specific fix.
- ▸Ignoring why the wrong options are tempting.