CompTIA A+ Core 2 220-1202 (220-1202) — Questions 451525

750 questions total · 10pages · All types, answers revealed

Page 6

Page 7 of 10

Page 8
451
MCQmedium

During a security audit, you discover that a supply closet containing spare hard drives has a door that can be opened with a standard paperclip. What is the most appropriate recommendation to address this vulnerability?

A.Replace the door with a solid-core door and install a deadbolt.
B.Install a privacy filter on the closet door window.
C.Upgrade the lock to a tamper-resistant electronic lock.
D.Place a sign on the door warning of security cameras.
AnswerC

An electronic lock with a secure mechanism prevents bypass with simple tools like a paperclip.

Why this answer

Option C is correct because the vulnerability is a weak physical lock that can be bypassed with a simple tool. Upgrading to a tamper-resistant electronic lock, such as one with a keypad or biometric reader, significantly increases the difficulty of unauthorized entry. This directly addresses the core issue of inadequate access control for sensitive assets like spare hard drives.

Exam trap

CompTIA A+ often tests the distinction between deterrent controls (signs, cameras) and preventive controls (locks, access control systems), leading candidates to choose a visible but ineffective option like a warning sign instead of a technical fix.

How to eliminate wrong answers

Option A is wrong because replacing the door and installing a deadbolt is an over-engineered solution that does not specifically address the lock vulnerability; a deadbolt can still be picked or bypassed with a paperclip if the lock cylinder is weak. Option B is wrong because a privacy filter on the window only prevents visual observation, not physical access, and does nothing to secure the door lock. Option D is wrong because a warning sign is a deterrent, not a physical control; it does not prevent an attacker from using a paperclip to open the door.

452
MCQmedium

After a security incident, a forensic analyst needs to ensure that Windows 10 audit logs capture all successful and failed attempts to access the 'Confidential' folder on a file server. Which audit policy configuration is required?

A.Enable 'Audit account logon events' for success and failure
B.Enable 'Audit object access' and configure the SACL on the folder
C.Enable 'Audit privilege use' for success and failure
D.Enable 'Audit process tracking' for success and failure
AnswerB

Audit object access must be enabled, and a System Access Control List (SACL) must be configured on the folder to specify which access attempts (success/failure) to log.

Why this answer

To audit access attempts to a specific folder, you must enable the 'Audit object access' policy in the Advanced Audit Policy Configuration (or the legacy 'Audit object access' under Local Policies). This policy alone does not audit anything; you must also configure a System Access Control List (SACL) on the 'Confidential' folder itself, specifying which access types (e.g., Read, Write) for which users or groups to audit for success and failure. Without the SACL, no object access events are generated.

Exam trap

CompTIA often tests the misconception that enabling 'Audit object access' alone is sufficient, but candidates forget that a SACL must also be explicitly configured on the target object for any audit events to be generated.

How to eliminate wrong answers

Option A is wrong because 'Audit account logon events' audits authentication events (logon/logoff) on the domain controller or local machine, not file or folder access. Option C is wrong because 'Audit privilege use' tracks the exercise of user rights (e.g., 'SeBackupPrivilege'), not object-level access like reading a folder. Option D is wrong because 'Audit process tracking' monitors process creation and termination events, which is unrelated to auditing file system access.

453
MCQmedium

A user reports that their Windows 10 PC displays a 'Low Disk Space' warning on the C: drive. You want to use a built-in tool to delete temporary files and empty the Recycle Bin. Which Settings page should you open?

A.System > Storage
B.System > About
C.Apps > Apps & features
D.Update & Security > Windows Update
AnswerA

The Storage page shows disk usage and offers options to run Storage Sense or manually delete temporary files.

Why this answer

The 'Low Disk Space' warning on the C: drive can be resolved by using the built-in Storage Sense or the manual 'Free up space now' feature, both accessible under System > Storage. This page provides tools to delete temporary files, empty the Recycle Bin, and remove other unnecessary data to reclaim disk space without third-party software.

Exam trap

The trap here is that candidates may confuse the 'System > About' page (which shows system info) with the 'System > Storage' page (which manages disk space), or think that 'Apps & features' can delete temporary files, when it only uninstalls applications.

How to eliminate wrong answers

Option B (System > About) is wrong because it displays system information such as device specifications, Windows edition, and OS build, but does not include any tools for disk cleanup or file management. Option C (Apps > Apps & features) is wrong because it allows users to uninstall or manage installed applications, but does not provide direct access to delete temporary files or empty the Recycle Bin. Option D (Update & Security > Windows Update) is wrong because it manages Windows updates and recovery options, not temporary file cleanup or Recycle Bin management.

454
MCQhard

A user reports that they cannot access a shared folder on a file server. You suspect the network path is incorrect or the share is unavailable. Which command can you use to test connectivity to the server and the share simultaneously?

A.ping \\ServerName
B.net view \\ServerName
C.net use Z: \\ServerName\Share
D.tracert \\ServerName
AnswerB

This command lists all shared resources on the server, confirming both connectivity and share availability.

Why this answer

The `net view \\ServerName` command lists all shared resources on the specified server, confirming both network connectivity to the server and the availability of shares. If the server is unreachable or has no shares, the command will fail, directly testing the user's reported issue.

Exam trap

The trap here is that candidates often choose `ping` (Option A) because it is the most common connectivity test, but it does not verify SMB share availability or the correct network path to the share.

How to eliminate wrong answers

Option A is wrong because `ping` tests only ICMP-based network layer connectivity to the server's IP address, not the availability of the SMB share or the correct network path. Option C is wrong because `net use` attempts to map a drive to a specific share, which will fail if the share name is incorrect or the server is unreachable, but it does not simultaneously test connectivity to the server and list available shares. Option D is wrong because `tracert` traces the route to the server's IP address, verifying network path hops but not the SMB share availability or the server's NetBIOS name resolution.

455
MCQeasy

A customer reports that after a recent software update, their accounting application crashes every time they try to generate a report. The technician checks the change log and finds no record of any update being approved for that application. What should the technician do first?

A.Restore the application from the last known good backup.
B.Document the unauthorized change and escalate it to the change advisory board.
C.Uninstall the update and reinstall the previous version of the application.
D.Contact the software vendor to request a patch for the crash.
AnswerB

Proper change management requires documenting unauthorized changes and escalating them for review before any corrective action is taken.

Why this answer

The technician found an unauthorized change (the update) with no approval record. The first step in change management is to document and escalate the unauthorized change to the Change Advisory Board (CAB) to assess impact, determine root cause, and authorize remediation. Restoring or reinstalling without CAB approval could violate change control policies and introduce additional risks.

Exam trap

CompTIA often tests the distinction between technical troubleshooting and process compliance, trapping candidates who jump to a technical fix (restore, uninstall, or patch) instead of following the documented change management procedure.

How to eliminate wrong answers

Option A is wrong because restoring from backup without first documenting and escalating the unauthorized change bypasses the change management process and could reintroduce the same issue if the backup also contains the unauthorized update. Option C is wrong because uninstalling the update and reinstalling the previous version is a technical action that should only be performed after the CAB has reviewed and approved the remediation plan, as it may affect other dependencies or compliance. Option D is wrong because contacting the vendor for a patch assumes the crash is a known software defect, but the root cause is an unauthorized change that must be addressed through change management first, not a vendor-supported fix.

456
MCQmedium

A user complains that when they run the command 'find /var/log -name "*.log" -type f', they get a 'Permission denied' error for several directories. They need to see all log files regardless. What is the most appropriate command to use instead?

A.find /var/log -name '*.log' -type f 2>/dev/null
B.sudo find /var/log -name '*.log' -type f
C.find /var/log -name '*.log' -type f -exec ls -l {} \;
D.chmod -R 755 /var/log && find /var/log -name '*.log' -type f
AnswerB

Running find with sudo gives root privileges, allowing access to all directories and files.

Why this answer

Option B is correct because the 'Permission denied' errors indicate that the user lacks read or execute permissions on certain subdirectories under /var/log. Using 'sudo' elevates privileges to root, which has unrestricted access to all files and directories, allowing the find command to traverse and list every log file without encountering permission restrictions.

Exam trap

CompTIA often tests the misconception that suppressing error output (2>/dev/null) solves permission problems, when in fact it only hides the errors without granting access to the restricted directories.

How to eliminate wrong answers

Option A is wrong because redirecting stderr to /dev/null with 2>/dev/null merely suppresses the error messages; it does not grant the user permission to access the restricted directories, so the command still fails to list log files in those directories. Option C is wrong because appending '-exec ls -l {} \;' adds detailed file listings but does not resolve the underlying permission issue; the find command will still encounter 'Permission denied' errors and skip those directories. Option D is wrong because changing permissions recursively with 'chmod -R 755 /var/log' is an insecure and inappropriate solution that modifies system file permissions, potentially breaking services or exposing sensitive logs, and it requires root privileges anyway, making 'sudo find' the simpler and safer approach.

457
MCQeasy

A help desk agent receives a call from a user who receives a 'file not found' error when running a PowerShell script that was working yesterday. The user says they didn't change anything. The script is stored on a network share. Which scripting concept is most likely causing the issue?

A.Execution policy
B.File permissions
C.Script syntax error
D.Network connectivity
AnswerA

Correct. Execution policy settings can block scripts from running, and a change in policy would cause a 'file not found' error if the script is not digitally signed or the policy was set to Restricted.

Why this answer

The most likely cause is the PowerShell execution policy, which controls whether scripts can run on a system. Even though the script worked yesterday, a Group Policy update, a system reboot, or a security change could have reset or tightened the execution policy to 'Restricted' or 'AllSigned' without the user's knowledge. Since the script is on a network share, the execution policy may also block scripts from remote locations (e.g., 'RemoteSigned' requires a trusted publisher for downloaded scripts), causing the 'file not found' error when PowerShell cannot execute the script due to policy restrictions.

Exam trap

While a 'file not found' error is not the standard message for execution policy violations (PowerShell typically says 'cannot be loaded because the execution of scripts is disabled on this system'), the question's scenario implies that the script exists but is blocked from running. The user's assumption that the file is missing is a common trap; the real issue is the execution policy preventing the script from executing, especially from a network share.

How to eliminate wrong answers

Option B (File permissions) is wrong because a permissions issue would typically produce an 'access denied' error, not a 'file not found' error, and the user states the script was working yesterday without changes. Option C (Script syntax error) is wrong because a syntax error would generate a specific parsing or runtime error message, not a 'file not found' error, and the script was working previously. Option D (Network connectivity) is wrong because a connectivity issue would result in a 'network path not found' or 'drive not available' error, not a 'file not found' error, and the user can likely still access the share (the file exists but PowerShell refuses to run it).

458
MCQmedium

A company is upgrading its network switches and has 10 old switches that still work. The local school district has requested donations of working equipment. What should the technician do?

A.Throw the switches in the company dumpster.
B.Donate the switches to the school district.
C.Send the switches to a recycler even though they work.
D.Keep the switches in storage indefinitely.
AnswerB

Donation is the best option because it reuses functional equipment and benefits the community.

Why this answer

Donating the switches to the school district aligns with the principle of reuse, which is the most environmentally responsible option before recycling or disposal. The switches are still functional, so extending their lifecycle reduces e-waste and benefits the community. This practice supports the waste hierarchy: reduce, reuse, recycle.

Exam trap

CompTIA often tests the distinction between recycling and reuse, where candidates mistakenly choose recycling as the 'green' option, but the exam emphasizes that reuse is always preferable for still-functional equipment.

How to eliminate wrong answers

Option A is wrong because throwing functional switches in a dumpster violates environmental regulations and contributes to e-waste, which can leach hazardous materials like lead and mercury into the soil. Option C is wrong because sending working switches directly to a recycler bypasses the preferred option of reuse, which is more environmentally sustainable and energy-efficient than recycling. Option D is wrong because keeping the switches in storage indefinitely wastes potential utility and space, and does not align with responsible asset disposition or environmental stewardship.

459
MCQmedium

During a security audit, a technician discovers that an employee used a hammer to destroy several old hard drives. The drives are now in pieces, but the organization's policy mandates 'secure data destruction' for compliance. Which additional step should the technician take?

A.Document the destruction and consider it complete.
B.Use a degausser on the remaining pieces.
C.Visually inspect the platters for scratches and breaks, then shred any intact platters.
D.Run a data recovery tool on the pieces to see if data remains.
AnswerC

Visual inspection ensures platters are damaged; shredding any intact ones guarantees data destruction and meets compliance.

Why this answer

The correct answer is to verify the destruction by inspecting the platters for visible damage and ensuring they are not intact. Hammering may leave platters partially readable. This question tests the concept of verification in data destruction, as physical methods must be confirmed effective.

460
MCQmedium

A company's security policy mandates that all USB flash drives must be encrypted before use. A user inserts a new USB drive and wants to encrypt it on a Windows 10 Pro workstation. Which built-in tool should be used?

A.Use EFS (Encrypting File System) on the USB drive.
B.Enable BitLocker To Go on the USB drive.
C.Format the drive as exFAT and set a password.
D.Use the cipher command to encrypt the drive.
AnswerB

BitLocker To Go is specifically for encrypting removable drives and is built into Windows Pro/Enterprise.

Why this answer

BitLocker To Go is the built-in Windows 10 Pro feature specifically designed to encrypt removable drives such as USB flash drives. It uses AES encryption to protect the entire volume, and the drive can be accessed only with a password, smart card, or recovery key. This directly satisfies the company's mandate for encrypting USB drives before use.

Exam trap

CompTIA often tests the distinction between EFS (file-level encryption) and BitLocker (full-volume encryption), and the trap here is that candidates mistakenly choose EFS because they associate 'encryption' with file-level protection, not realizing that EFS cannot encrypt an entire removable drive and is not designed for USB flash drives.

How to eliminate wrong answers

Option A is wrong because EFS (Encrypting File System) encrypts individual files and folders on NTFS volumes, but it does not encrypt entire removable drives and is not supported on USB flash drives formatted with FAT32 or exFAT. Option C is wrong because formatting as exFAT and setting a password is not a built-in Windows encryption feature; exFAT does not natively support password-based encryption, and any such password would be implemented by third-party software, not Windows. Option D is wrong because the cipher command is used to manage EFS encryption on NTFS volumes and to overwrite deleted data; it cannot encrypt an entire USB drive or enable BitLocker To Go.

461
MCQeasy

A user reports that their Windows 10 laptop shows a 'Your license will expire soon' watermark on the desktop. They recently replaced the motherboard. Which Control Panel applet should you use to re-activate Windows?

A.Device Manager
B.System
C.User Accounts
D.Network and Sharing Center
AnswerB

The System applet displays Windows edition, activation status, and a link to change the product key or activate.

Why this answer

The System applet (also known as 'System Properties' or 'About' in Settings) is the correct Control Panel location to view and manage Windows activation status. After replacing the motherboard, Windows 10 detects a significant hardware change and may require re-activation. The System applet provides a 'Change product key' or 'Activate Windows' link to enter a new or existing license key, or to use the activation troubleshooter to re-activate with a digital license tied to a Microsoft account.

Exam trap

CompTIA often tests the misconception that Device Manager is used for activation because it deals with hardware changes, but Device Manager only manages drivers, not licensing.

How to eliminate wrong answers

Option A (Device Manager) is wrong because it is used to manage hardware drivers and devices, not to handle Windows licensing or activation. Option C (User Accounts) is wrong because it manages user profiles, passwords, and credentials, not the operating system's license activation. Option D (Network and Sharing Center) is wrong because it configures network adapters, sharing settings, and internet connections, none of which are involved in the Windows activation process.

462
MCQhard

A company's security policy requires that user accounts be disabled after 90 days of inactivity. An administrator needs to implement this automatically. Which feature should they configure?

A.Password expiration policy
B.Account lockout threshold
C.User account expiration
D.Group Policy refresh interval
AnswerC

User account expiration can be set to disable accounts after a specific date or period of inactivity, meeting the requirement.

Why this answer

User account expiration allows an administrator to set a specific date or, in some directory services like Active Directory, a duration after which the account is automatically disabled. By configuring the account to expire after 90 days from the last logon, the policy requirement is met automatically without manual intervention.

Exam trap

CompTIA often tests the distinction between account expiration (which disables an account after a set date) and account lockout (which disables after failed logins), leading candidates to confuse inactivity-based disabling with lockout policies.

How to eliminate wrong answers

Option A is wrong because password expiration policy forces users to change passwords periodically but does not disable accounts after inactivity; it only enforces password age limits. Option B is wrong because account lockout threshold disables an account after a specified number of failed login attempts, not after a period of inactivity. Option D is wrong because Group Policy refresh interval controls how often client computers update Group Policy settings, not the disabling of user accounts based on inactivity.

463
MCQeasy

A small business owner asks you to configure their office computers so that employees cannot install unauthorized browser extensions. Which policy setting should you implement?

A.Disable the browser's developer mode in the settings.
B.Set the browser to always use private browsing mode.
C.Use Group Policy to block extension installation and whitelist approved extensions.
D.Install a pop-up blocker on each computer.
AnswerC

Group Policy allows administrators to centrally control browser settings, including blocking extensions and allowing only approved ones.

Why this answer

Group Policy allows centralized management of browser settings in a domain environment. By configuring the 'Configure the list of force-installed extensions' and 'Block external extensions' policies, an administrator can whitelist approved extensions and prevent users from installing any others. This directly addresses the requirement to block unauthorized browser extensions.

Exam trap

CompTIA often tests the distinction between user-configurable browser settings (like disabling developer mode or enabling private browsing) and centrally enforced Group Policy settings that cannot be overridden by the user.

How to eliminate wrong answers

Option A is wrong because disabling developer mode only prevents access to developer tools and does not block extension installation; extensions can still be installed via the Chrome Web Store or other methods. Option B is wrong because private browsing mode (Incognito) does not restrict extension installation; it only prevents browsing history from being saved locally. Option D is wrong because a pop-up blocker only suppresses unwanted pop-up windows and has no effect on the installation or management of browser extensions.

464
MCQeasy

A user is unable to install a new app on their Android tablet because the device claims there is 'insufficient storage,' even though they have deleted several large files. What is the most likely reason for this error?

A.The device's SD card is corrupted.
B.The app is incompatible with the Android version.
C.The deleted files are still in the recycle bin or trash folder, taking up space.
D.The tablet's battery is too low to complete the installation.
AnswerC

Android devices often move deleted files to a recycle bin; these must be emptied to free up space.

Why this answer

On Android devices, deleted files are moved to a recycle bin or trash folder (e.g., in the Files by Google app or the Gallery app's trash), not permanently erased. The system still counts these files as occupied storage until the trash is emptied, so even after deleting large files, the available space remains unchanged, causing the 'insufficient storage' error during app installation.

Exam trap

CompTIA often tests the misconception that deleting files immediately frees up space, ignoring the recycle bin/trash mechanism that is standard on modern Android devices.

How to eliminate wrong answers

Option A is wrong because a corrupted SD card would typically cause read/write errors or the card to be unmountable, not a specific 'insufficient storage' message; the error is about space, not card integrity. Option B is wrong because app incompatibility with the Android version usually triggers a 'not compatible' or 'app not installed' error, not a storage-related message. Option D is wrong because low battery prevents installation due to power-saving policies, but the error message would be about battery level, not storage space.

465
MCQmedium

A technician is tasked with disposing of a large batch of optical discs (CD-Rs and DVD-Rs) that contain archived customer records. The company policy requires data to be unrecoverable. Which disposal method is most appropriate?

A.Use a degausser to demagnetize the discs.
B.Overwrite the discs with a disk-wiping tool.
C.Shred the discs using an industrial cross-cut shredder.
D.Perform a quick format on the discs.
AnswerC

Shredding physically breaks the discs into small pieces, making data recovery impossible.

Why this answer

Option C is correct because industrial cross-cut shredding physically destroys the optical discs (CD-Rs and DVD-Rs), rendering the data unrecoverable. Unlike magnetic media, optical discs store data as physical pits in a dye layer, so degaussing or overwriting is ineffective. Shredding ensures compliance with data destruction policies requiring unrecoverable data.

Exam trap

The trap here is that candidates confuse optical discs with magnetic media and assume degaussing or overwriting works, but the CompTIA A+ exam tests the fundamental difference that optical storage is physically permanent and requires physical destruction.

How to eliminate wrong answers

Option A is wrong because degaussers work by disrupting magnetic fields on magnetic media (e.g., hard drives, tapes), but optical discs like CD-Rs and DVD-Rs store data optically, not magnetically, so demagnetization has no effect. Option B is wrong because overwriting with a disk-wiping tool is designed for rewritable media (e.g., CD-RW, DVD-RW) and cannot alter the read-only dye layer of CD-Rs or DVD-Rs; the data remains physically intact. Option D is wrong because a quick format only removes the file system index, leaving the actual data on the disc fully recoverable with forensic tools.

466
MCQhard

A security audit reveals that a company's remote access solution uses a VPN with pre-shared keys (PSK) for authentication. The auditor recommends upgrading to certificate-based authentication. Which of the following is the primary security advantage of certificate-based authentication over PSK?

A.Certificates are easier to configure and manage than PSK.
B.Certificates provide mutual authentication and are unique per device, reducing the risk of a single compromised key affecting all users.
C.Certificates eliminate the need for a VPN server.
D.Certificates are faster than PSK for establishing VPN connections.
AnswerB

Each certificate is unique and can be revoked individually. If a device is lost, only that certificate needs to be revoked, unlike PSK where the shared key must be changed for everyone.

Why this answer

Certificate-based authentication provides mutual authentication, meaning both the VPN client and server verify each other's identity using digital certificates issued by a trusted Certificate Authority (CA). Unlike PSK, which is a shared secret that can be leaked and reused across all devices, each certificate is unique per device, so compromise of one certificate does not expose the entire VPN infrastructure. This significantly reduces the blast radius of a security breach and aligns with the principle of least privilege.

Exam trap

CompTIA often tests the misconception that certificates are 'easier' or 'faster' than PSK, when in reality the primary security advantage is mutual authentication and per-device uniqueness, not operational simplicity or performance.

How to eliminate wrong answers

Option A is wrong because certificates are generally more complex to configure and manage than PSK, requiring a PKI infrastructure, CA servers, and certificate lifecycle management, whereas PSK is a simple shared string. Option C is wrong because certificates do not eliminate the need for a VPN server; the VPN server is still required to terminate the tunnel and enforce policies, regardless of the authentication method. Option D is wrong because certificate-based authentication often introduces additional latency due to certificate validation, CRL checks, and OCSP lookups, making it typically slower than PSK for establishing VPN connections.

467
MCQmedium

A technician is replacing the thermal paste on a CPU. After cleaning the old paste, the technician accidentally touches the CPU contacts with bare fingers. What is the primary concern?

A.The CPU may be damaged by electrostatic discharge (ESD).
B.The CPU may overheat due to improper thermal paste application.
C.The CPU contacts may become contaminated with oils from the skin.
D.The CPU may be physically damaged by the pressure of the touch.
AnswerC

This is correct. Skin oils can cause poor contact and corrosion, leading to system instability or failure.

Why this answer

Touching the CPU contacts with bare fingers transfers natural oils and contaminants from the skin onto the gold-plated contact pads. These oils can cause corrosion over time or create an insulating layer that impedes proper electrical connectivity, leading to intermittent failures or permanent damage. The primary concern is contamination, not ESD, overheating, or physical pressure.

Exam trap

CompTIA often tests the distinction between immediate ESD damage and long-term contamination risks, trapping candidates who assume any physical contact with components must be an ESD concern rather than recognizing the specific hazard of skin oils on electrical contacts.

How to eliminate wrong answers

Option A is wrong because while ESD is a general risk when handling components, the question specifies that the technician touched the contacts after cleaning, and the primary concern from skin contact is oil contamination, not ESD (which is mitigated by grounding). Option B is wrong because improper thermal paste application affects heat transfer from the IHS to the cooler, not the CPU contacts; touching contacts does not directly cause overheating. Option D is wrong because the pressure from a light touch is negligible and far below the force required to physically damage the CPU contacts or substrate.

468
MCQeasy

A receptionist at a company receives a call from someone claiming to be from the IT department. The caller says they need her password to perform an urgent server update. The receptionist provides the password. What type of social engineering attack is this?

A.Tailgating
B.Pretexting
C.Phishing
D.Baiting
AnswerB

Pretexting is when an attacker invents a plausible scenario to trick a victim into providing information or access. The caller's false identity as IT staff is a classic pretext.

Why this answer

Pretexting is a social engineering attack where the attacker fabricates a scenario (the pretext) to manipulate the target into divulging sensitive information. In this case, the caller falsely claims to be from the IT department and invokes an urgent server update to trick the receptionist into revealing her password. This is not a technical exploit but a psychological manipulation that relies on the target's trust in authority and urgency.

Exam trap

CompTIA often tests the distinction between pretexting and phishing by emphasizing that pretexting relies on a fabricated scenario (often via phone or in-person) rather than a technical lure or electronic message, so candidates mistakenly choose phishing when the attack vector is a voice call.

How to eliminate wrong answers

Option A is wrong because tailgating involves an unauthorized person physically following an authorized individual into a restricted area, not a phone-based request for credentials. Option C is wrong because phishing typically uses deceptive electronic communications (e.g., email, fake websites) to harvest credentials, not a direct voice call with a fabricated story. Option D is wrong because baiting lures victims with a promise of a reward (e.g., free USB drive) or a digital trap (e.g., infected download), not a false claim of authority and urgency.

469
MCQeasy

A user reports that a scheduled backup script on their Windows 10 workstation runs every day but fails to complete. The script uses PowerShell to copy files to a network share. When the user runs the script manually from an elevated PowerShell prompt, it works. What is the most likely cause of the failure?

A.The script file extension is .ps1 instead of .bat.
B.The scheduled task is not set to run with highest privileges.
C.The network share is mapped as a drive letter, which is not available during system startup.
D.PowerShell execution policy is set to Restricted for the SYSTEM account.
AnswerB

If the script needs admin rights, the task must be configured to run with highest privileges; otherwise it fails.

Why this answer

The scheduled task runs under the SYSTEM account by default, which lacks the necessary permissions to access network resources or perform administrative file operations. Running the script manually from an elevated PowerShell prompt works because the user has the required privileges. Setting the task to 'Run with highest privileges' elevates the SYSTEM account to have the same rights as an administrator, resolving the access issue.

Exam trap

CompTIA A+ often tests the misconception that the SYSTEM account inherently has full administrative rights, when in fact scheduled tasks default to running without elevation unless explicitly configured.

How to eliminate wrong answers

Option A is wrong because the file extension (.ps1 vs .bat) does not affect the ability to run a PowerShell script; the task can be configured to execute PowerShell.exe with the script as an argument. Option C is wrong because the failure occurs even when the script runs daily (not just at startup), and mapped drive letters are available to the SYSTEM account only if the task is configured to run with the user's credentials or the drive is reconnected. Option D is wrong because the PowerShell execution policy for the SYSTEM account is not the issue; the script runs successfully when executed manually from an elevated prompt, indicating the policy is permissive enough for that context, and the scheduled task can be configured to bypass the policy using the -ExecutionPolicy Bypass flag.

470
MCQmedium

A small business has a shared Windows 10 workstation that multiple employees use. They want to ensure that each user's desktop settings, files, and application data are completely isolated and that users cannot access each other's data. Which feature should you configure to achieve this?

A.Enable the built-in Guest account for all users.
B.Create standard local user accounts and set NTFS permissions on each user's profile folder.
C.Join the computer to a domain and use roaming profiles.
D.Enable BitLocker on the system drive.
AnswerB

Standard users have restricted permissions, and NTFS permissions on profile folders prevent other users from accessing the data.

Why this answer

Standard local user accounts with NTFS permissions provide isolation by default; each user has their own profile folder with restricted permissions. The other options either don't enforce isolation (guest account) or are for different purposes (domain, BitLocker).

471
MCQhard

A security incident is reported: an employee's company-issued Android phone is displaying persistent pop-up ads, even when no browser is open. The employee admits to side-loading a game from an unknown website. What is the most likely cause and best immediate action?

A.The phone has a virus; perform a factory reset immediately.
B.The side-loaded app is adware; boot into safe mode and uninstall it.
C.The browser is infected; clear the browser cache and data.
D.The phone's firmware is compromised; reflash the stock ROM.
AnswerB

Safe mode disables third-party apps, allowing the user to remove the malicious app without interference.

Why this answer

The persistent pop-up ads, even without a browser open, indicate adware behavior typical of malicious apps. Since the employee side-loaded a game from an unknown website, the most likely cause is that the side-loaded app contains adware. Booting into safe mode (which disables third-party apps) and uninstalling the suspicious app is the best immediate action because it removes the adware without data loss, unlike a factory reset.

Exam trap

CompTIA often tests the distinction between adware and a general virus, and the trap here is that candidates may jump to a factory reset (Option A) without considering the less destructive safe-mode uninstall, or they may incorrectly attribute the pop-ups to the browser (Option C) when the behavior occurs system-wide.

How to eliminate wrong answers

Option A is wrong because a 'virus' is a broad term; the specific symptom of pop-up ads points to adware, not a general virus, and a factory reset is an overly drastic first step that wipes all data unnecessarily. Option C is wrong because the pop-ups occur even when no browser is open, indicating the issue is not browser-based; clearing browser cache and data would not affect a system-level adware app. Option D is wrong because firmware compromise is rare and typically requires persistent root-level access; side-loading a game does not typically flash firmware, and reflashing the stock ROM is a last-resort measure that would wipe the device and is not the best immediate action.

472
MCQhard

A user's Android phone is running extremely slowly after installing a new launcher app. They want to revert to the default launcher without losing data. What is the correct procedure?

A.Uninstall the new launcher app via the Play Store.
B.Perform a factory reset from Recovery Mode.
C.Go to Settings > Apps > Default apps > Home app and select the default launcher.
D.Clear the cache partition from Recovery Mode.
AnswerC

This changes the active launcher without uninstalling the new one, preserving data and allowing easy switching back.

Why this answer

Option C is correct because Android allows users to change the default home app via Settings > Apps > Default apps > Home app without uninstalling the new launcher or losing any data. This procedure simply reassigns the default launcher to the system's built-in launcher, preserving all installed apps, settings, and user data.

Exam trap

A common misconception is that uninstalling the new launcher is required to revert to the default launcher. In Android, uninstalling a launcher automatically reverts to the system default, but this removes the launcher app. The correct procedure to keep the launcher installed but not active is to change the default home app in Settings.

How to eliminate wrong answers

Option A is wrong because uninstalling the new launcher app via the Play Store will remove the app but does not automatically revert the default home app assignment; the system may still try to use the missing launcher, causing instability or requiring a manual default reset. Option B is wrong because performing a factory reset from Recovery Mode wipes all user data, including apps, settings, and personal files, which is unnecessary and destructive when the goal is only to change the default launcher without data loss. Option D is wrong because clearing the cache partition from Recovery Mode removes temporary system cache files, which does not affect the default launcher assignment or resolve the performance issue caused by the new launcher app.

473
MCQmedium

A technician is troubleshooting an iPhone that fails to activate after a software update. The phone displays 'Activation Error' and the SIM card is known to be working. Which of the following steps should the technician perform FIRST?

A.Replace the SIM card with a new one.
B.Restore the iPhone using iTunes or Finder.
C.Check Apple's System Status page for activation server outages.
D.Reset the iPhone's network settings.
AnswerC

If Apple's activation servers are down, no device can activate; checking this saves time and effort.

Why this answer

The 'Activation Error' after a software update typically indicates that the iPhone cannot reach Apple's activation servers to verify its eligibility. Since the SIM card is known to be working, the most logical first step is to check Apple's System Status page to rule out a server-side outage, which is a common cause of activation failures and can be resolved without any device-side intervention.

Exam trap

CompTIA often tests the candidate's ability to prioritize simple, non-invasive checks (like server status) over more disruptive troubleshooting steps, and the trap here is that many candidates jump to restoring the device or replacing hardware without first verifying external dependencies.

How to eliminate wrong answers

Option A is wrong because the SIM card is already confirmed to be working, so replacing it would be unnecessary and would not address a server-side activation issue. Option B is wrong because restoring the iPhone using iTunes or Finder is a more drastic step that should be taken only after confirming that Apple's activation servers are online; a restore could also fail if the servers are down. Option D is wrong because resetting network settings would not help if the activation servers themselves are unavailable; this step is more appropriate for connectivity issues unrelated to server outages.

474
MCQmedium

A user's laptop running Windows 10 Pro connects to the corporate Wi-Fi but cannot access internal resources. The network uses WPA2-Enterprise with PEAP-MSCHAPv2. The laptop's wireless profile is configured correctly. Other users in the same office can access resources. What is the most likely cause?

A.The laptop's wireless adapter is faulty.
B.The user's domain account is locked or the password has expired.
C.The access point is broadcasting on a congested channel.
D.The laptop has an incorrect IP address from DHCP.
AnswerB

PEAP-MSCHAPv2 uses domain credentials; an account issue would prevent successful authentication and network access.

Why this answer

The user can connect to Wi-Fi but cannot access internal resources, and other users are unaffected. Since the wireless profile is correct and WPA2-Enterprise uses PEAP-MSCHAPv2 for authentication, the most likely cause is that the user's domain account is locked or the password has expired. This would prevent successful authentication against the RADIUS server, blocking access to internal resources even though the client associates with the access point.

Exam trap

Cisco often tests the distinction between Layer 2 association and Layer 3 authentication; the trap here is that candidates assume a successful Wi-Fi connection implies full network access, overlooking that WPA2-Enterprise requires valid domain credentials for RADIUS-based authentication to grant access to internal resources.

How to eliminate wrong answers

Option A is wrong because a faulty wireless adapter would typically prevent association or cause intermittent connectivity, not allow a successful connection to the Wi-Fi network while blocking internal resource access. Option C is wrong because a congested channel would affect all users in the area, not just one user, and would manifest as poor performance or disconnections, not a complete inability to access internal resources. Option D is wrong because an incorrect IP address from DHCP would prevent network communication entirely, but the user can connect to the Wi-Fi and likely obtain an IP address; the issue is at the authentication layer, not the IP layer.

475
MCQmedium

A technician is tasked with replacing a faulty power supply in a desktop computer that is part of a critical patient record system at a clinic. Before starting, the technician reviews the change management policy. Which step should the technician perform first?

A.Power off the workstation and disconnect all cables
B.Submit a change request to the change advisory board (CAB)
C.Back up the patient records to an external drive
D.Notify the clinic staff that the system will be offline
AnswerB

Formal approval from the CAB ensures the change is reviewed for risks and scheduled appropriately.

Why this answer

Option B is correct because the change management policy requires that any modification to a system handling critical patient records must first be formally approved via a change request submitted to the Change Advisory Board (CAB). This ensures that risks are assessed, downtime is scheduled, and compliance with healthcare data regulations (e.g., HIPAA) is maintained before any physical work begins.

Exam trap

CompTIA often tests the misconception that immediate physical safety steps (like powering off) or data backup should come first, but the exam emphasizes that change management approval is the mandatory initial step in any planned maintenance on a critical system.

How to eliminate wrong answers

Option A is wrong because powering off and disconnecting cables before obtaining change approval violates the change management process, potentially causing unauthorized downtime and data access risks. Option C is wrong because backing up patient records is a data protection step that should be performed after the change is approved, not before; the technician must first secure authorization to proceed. Option D is wrong because notifying clinic staff of an outage without prior CAB approval could disrupt critical operations and bypass the formal communication and scheduling protocols required by the change management policy.

476
MCQmedium

A small business owner wants to prevent employees from installing any software on their Windows 10 workstations without administrator approval. Which Control Panel or Settings feature should you configure to enforce this restriction?

A.Windows Defender Firewall
B.User Accounts > Change User Account Control settings
C.System > Advanced system settings > Performance
D.Ease of Access > Make the keyboard easier to use
AnswerB

UAC settings can be set to 'Always notify' to prompt for admin credentials whenever a program tries to make changes, effectively blocking unauthorized installations.

Why this answer

User Account Control (UAC) settings, accessed via User Accounts in Control Panel, allow you to control when and how users are prompted for permission before making system changes, including software installations. By setting UAC to the highest level, you ensure that any installation attempt triggers an administrator approval prompt, effectively preventing unauthorized software installations on Windows 10 workstations.

Exam trap

The trap here is that candidates often confuse Windows Defender Firewall with general security controls, mistakenly thinking it can block software installations, when in fact it only filters network traffic and has no mechanism to prevent local software execution.

How to eliminate wrong answers

Option A is wrong because Windows Defender Firewall is designed to control inbound and outbound network traffic based on rules, not to manage software installation permissions or user privilege elevation. Option C is wrong because System > Advanced system settings > Performance configures visual effects, processor scheduling, and virtual memory, which have no bearing on software installation restrictions. Option D is wrong because Ease of Access > Make the keyboard easier to use provides accessibility features like Sticky Keys and Filter Keys, which do not enforce software installation policies.

477
MCQhard

A user reports that their computer is sending out a large amount of network traffic even when they are not using the internet. The antivirus detects a file named 'expl0rer.exe' in the startup folder. What type of malware is most likely causing this behavior?

A.Spyware
B.Botnet
C.Virus
D.Trojan
AnswerB

Botnet malware uses the infected machine to perform coordinated activities, causing unusual network traffic.

Why this answer

The file name 'expl0rer.exe' mimics the legitimate 'explorer.exe' but uses a zero in place of the 'o', a common obfuscation technique. The symptom of high outbound network traffic without user activity, combined with the file's presence in the startup folder, strongly indicates the computer is part of a botnet. Botnet malware connects to a command-and-control (C2) server to receive instructions, often used for DDoS attacks or spam relays, which generates constant network activity.

Exam trap

The trap here is that candidates may confuse 'botnet' with 'trojan' because both can be installed stealthily, but the question's emphasis on sustained network activity is the key differentiator for botnet behavior.

How to eliminate wrong answers

Option A is wrong because spyware primarily focuses on stealthily collecting personal information (e.g., keystrokes, browsing habits) and typically does not generate large volumes of outbound traffic unless exfiltrating data, which is not the primary symptom here. Option C is wrong because a virus requires a host file to attach to and usually spreads by infecting other files, not by placing a standalone executable in the startup folder; the high network traffic is more characteristic of C2 communication than viral replication. Option D is wrong because a Trojan disguises itself as legitimate software to trick users into installing it, but the key behavior of sustained, high-volume outbound traffic is a hallmark of botnet activity, not a typical Trojan payload.

478
MCQeasy

A small business is upgrading its workstations and needs to dispose of 20 old hard drives that contain confidential payroll records. The company wants the lowest-cost method that ensures data cannot be recovered. Which disposal method should be recommended?

A.Use a degausser on each drive.
B.Perform a standard format on each drive.
C.Drill holes through the platters of each drive.
D.Reformat the drives and install a fresh OS.
AnswerC

Drilling physically damages the platters, making data unrecoverable at very low cost. This is a common low-budget disposal method.

Why this answer

Drilling holes through the platters physically destroys the magnetic surfaces, making data recovery impossible without specialized cleanroom equipment. This is the lowest-cost method that guarantees destruction because it directly damages the storage medium beyond repair, unlike degaussing which may not work on modern SSDs or high-coercivity drives.

Exam trap

CompTIA A+ often tests the misconception that a standard format or OS reinstall permanently erases data, when in fact only a secure wipe (e.g., overwriting with zeros multiple times) or physical destruction ensures data is unrecoverable.

How to eliminate wrong answers

Option A is wrong because degaussers are expensive and may not effectively erase data from modern high-coercivity hard drives or SSDs, and they can damage the drive's electronics without guaranteeing complete data destruction. Option B is wrong because a standard format only removes the file system pointers, leaving the actual data intact on the platters, which can be easily recovered with data recovery software. Option D is wrong because reformatting and installing a fresh OS similarly only overwrites the file system metadata, not the underlying data, and does not prevent recovery using forensic tools.

479
MCQmedium

A customer reports that their browser shows a 'Your connection is not private' warning when visiting their online banking site, but other websites work fine. What is the most likely cause?

A.The user's system date and time are incorrect.
B.The bank's SSL certificate has expired or is misconfigured.
C.The user's browser is infected with a man-in-the-middle proxy.
D.The user's anti-virus is blocking the connection.
AnswerB

A single-site certificate error points to a problem with that site's certificate, not the client.

Why this answer

The 'Your connection is not private' warning indicates a TLS/SSL certificate validation failure. Since only the banking site is affected, the issue is specific to that site's certificate, not a system-wide problem. The most common cause is that the bank's SSL certificate has expired, is self-signed, or does not match the domain name, triggering the browser's certificate trust check.

Exam trap

The CompTIA A+ exam often tests the distinction between a site-specific certificate issue (affecting one site) versus a client-side configuration problem (affecting all sites), leading candidates to incorrectly choose the date/time or proxy options.

How to eliminate wrong answers

Option A is wrong because an incorrect system date/time would cause certificate validation failures for all HTTPS sites, not just the banking site. Option C is wrong because a man-in-the-middle proxy would intercept all HTTPS traffic, causing warnings on multiple sites, not just one. Option D is wrong because anti-virus software typically blocks connections entirely or injects its own certificate, which would affect all HTTPS sites, not a single site.

480
MCQeasy

A technician is tasked with disposing of several old CRT monitors from a client's office. What is the correct disposal method for these monitors?

A.Place them in the regular office trash for pickup.
B.Sell them to a scrap metal dealer.
C.Take them to a certified e-waste recycling facility.
D.Disassemble them and recycle the plastic and metal separately.
AnswerC

This is the correct method. Certified facilities follow regulations to safely handle and recycle hazardous materials from CRT monitors.

Why this answer

CRT monitors contain hazardous materials such as lead, phosphor, and other heavy metals that pose environmental and health risks. Certified e-waste recycling facilities are equipped to safely dismantle and process these components in compliance with environmental regulations like the EPA's Resource Conservation and Recovery Act (RCRA). Option C is the correct disposal method because it ensures legal and environmentally responsible handling of e-waste.

Exam trap

CompTIA often tests the misconception that disassembling e-waste for recycling is acceptable for a technician, but the trap is that without proper training and equipment, disassembly of CRTs is dangerous and non-compliant with safety procedures.

How to eliminate wrong answers

Option A is wrong because placing CRT monitors in regular office trash violates hazardous waste disposal laws and can lead to environmental contamination from lead and other toxins. Option B is wrong because scrap metal dealers typically lack the certification and equipment to safely handle hazardous CRT components, and selling them may result in illegal export or improper disposal. Option D is wrong because disassembling CRT monitors without proper training and equipment can expose the technician to high-voltage capacitors, implosion risks, and toxic dust, and it is not a recommended or compliant disposal method for individuals without specialized certification.

481
MCQeasy

A help desk technician needs to remotely control a user's Windows 10 workstation to install a software update. The user is not technically savvy and needs simple instructions. Which built-in Windows tool should the technician instruct the user to launch to allow remote control?

A.Remote Desktop Connection
B.Windows Remote Assistance
C.Quick Assist
D.Task Manager
AnswerB

Remote Assistance allows a user to invite a technician to view or control their desktop, making it ideal for this scenario.

Why this answer

Windows Remote Assistance (option B) is the correct built-in tool because it allows a user to invite a technician to remotely control their Windows 10 workstation via an invitation file or Easy Connect, using Remote Desktop Protocol (RDP) on TCP port 3389 but with a session-sharing model that requires the user's consent. This is ideal for a non-technical user, as they can launch it from the Start menu and follow simple prompts to generate an invitation or use a Microsoft account to share a code.

Exam trap

The trap here is that candidates often confuse Remote Desktop Connection (option A) with Remote Assistance because both use RDP, but Remote Desktop Connection is designed for direct, unattended remote access, not for an attended, consent-based support session that a non-technical user can easily initiate.

How to eliminate wrong answers

Option A is wrong because Remote Desktop Connection is a client tool used to initiate an outbound RDP session to another computer, not to allow inbound remote control; it requires the target machine to already have Remote Desktop enabled and does not provide a simple invitation mechanism for a non-technical user. Option C is wrong because Quick Assist is a separate tool introduced in Windows 10 version 1607 that uses a different underlying protocol (HTTPS-based) and is not built into earlier versions; while it can be used for remote assistance, the question specifies 'built-in Windows tool' and Windows Remote Assistance is the classic built-in tool available since Windows XP. Option D is wrong because Task Manager is a system utility for monitoring processes, performance, and starting/stopping applications, and it has no capability for remote control or screen sharing.

482
MCQhard

A technician is tasked with migrating a physical server running a legacy OS that does not support virtualization drivers. The technician needs to ensure the OS can boot and run in a virtual machine. Which of the following steps is most critical before performing the physical-to-virtual (P2V) conversion?

A.Increase the physical server's RAM before conversion
B.Ensure the legacy OS has the latest service pack installed
C.Use a P2V tool that can inject the correct HAL and storage drivers for the hypervisor
D.Create a full backup of the physical server
AnswerC

Injecting drivers ensures the legacy OS can recognize the virtual hardware and boot successfully after conversion.

Why this answer

Legacy OSes often lack drivers for virtualized hardware, so using a P2V tool that can inject the necessary HAL and storage drivers during conversion is essential. Without this, the VM will likely blue screen on boot. This tests advanced knowledge of P2V migration challenges and driver injection.

483
MCQmedium

A technician needs to copy a directory tree from /home/user/docs to a backup location /backup/docs, preserving all permissions, ownership, and timestamps. Which command should they use?

A.cp -r /home/user/docs /backup/docs
B.cp -a /home/user/docs /backup/docs
C.cp -p /home/user/docs /backup/docs
D.rsync -r /home/user/docs /backup/docs
AnswerB

The -a (archive) option preserves all attributes including permissions, ownership, and timestamps.

Why this answer

Option B is correct because the `cp -a` (archive) command preserves all file attributes, including permissions, ownership, and timestamps, while recursively copying the entire directory tree. This is the most comprehensive single command for duplicating a directory with full metadata integrity.

Exam trap

CompTIA often tests the distinction between `-p` and `-a` by making candidates think preserving permissions and timestamps is sufficient, while the key requirement to preserve ownership is only met by `-a` (or running `-p` as root).

How to eliminate wrong answers

Option A is wrong because `cp -r` only performs a recursive copy without preserving ownership or timestamps; it may also alter permissions based on the current umask. Option C is wrong because `cp -p` preserves permissions and timestamps but does not preserve ownership (files will be owned by the copying user unless run as root). Option D is wrong because `rsync -r` recursively copies files but does not preserve ownership or timestamps by default; it requires additional flags like `-a` or `--archive` to achieve full preservation.

484
MCQmedium

A technician is documenting a configuration change to a firewall rule that allows remote access for a new employee. The technician must ensure the documentation is clear for future audits. Which of the following is the most critical piece of information to include?

A.The exact date and time the rule was added.
B.The IP address of the new employee's remote location.
C.The business justification for the rule.
D.The name of the technician who made the change.
AnswerC

The justification explains the need for the change and is essential for audit compliance and future review.

Why this answer

Option C is correct because change management documentation must include the business justification to demonstrate that the change was authorized and necessary. Without a clear reason, auditors cannot verify that the firewall rule complies with organizational security policy or regulatory requirements. The business justification provides the context needed to distinguish legitimate changes from unauthorized or malicious modifications.

Exam trap

CompTIA often tests the principle that operational details (who, when, where) are less critical than the business justification in change management documentation, tempting candidates to choose the most concrete or easily recorded detail instead of the most audit-relevant one.

How to eliminate wrong answers

Option A is wrong because while the date and time are useful for tracking, they are not the most critical piece; auditors need the 'why' behind the change, not just the 'when'. Option B is wrong because the remote employee's IP address may be dynamic or subject to change, and including it without the business justification does not prove the rule was authorized; the justification is what validates the rule's purpose. Option D is wrong because the technician's name is secondary to the business justification; knowing who made the change is less important than understanding why the change was made, and auditors focus on authorization and necessity, not just attribution.

485
MCQmedium

A customer reports that their Windows 11 PC is displaying a 'Low Disk Space' warning on the C: drive. You need to quickly free up space by removing temporary files and system cache. Which administrative tool should you use?

A.Defragment and Optimize Drives to consolidate free space.
B.Disk Cleanup to delete temporary files and system cache.
C.Computer Management > Disk Management to shrink the volume.
D.Event Viewer to clear application logs.
AnswerB

Correct. Disk Cleanup safely removes temporary files, recycle bin contents, and other cache to free disk space.

Why this answer

Disk Cleanup (cleanmgr.exe) is the built-in tool for removing temporary files, system cache, and other unnecessary data. Storage Sense can automate this, but Disk Cleanup is the direct tool for manual cleanup. The other options do not clean temporary files.

486
MCQmedium

During a software deployment, you need to create a script that runs automatically every time a user logs into their Windows 10 domain-joined computer. Which tool should you use to configure this task?

A.Task Scheduler
B.Group Policy Management Console
C.Local Group Policy Editor
D.Windows PowerShell ISE
AnswerA

Task Scheduler can create a task that triggers 'At log on' for any user, running the script automatically.

Why this answer

Task Scheduler is the correct tool because it allows you to create a task that triggers on a specific event, such as user logon. You can set the trigger to 'At log on' for any user or a specific user, and the task will run automatically each time the user logs into the Windows 10 domain-joined computer. This is the native Windows mechanism for scheduling scripts or programs to run at logon without requiring additional configuration.

Exam trap

CompTIA often tests the distinction between tools that configure local machine behavior (Task Scheduler) versus tools that manage domain-wide policies (Group Policy Management Console), leading candidates to mistakenly choose GPMC for a local logon script task.

How to eliminate wrong answers

Option B (Group Policy Management Console) is wrong because it is used to manage Group Policy Objects (GPOs) across an Active Directory domain, not to schedule a local script to run at user logon; while you could deploy a logon script via GPO, the question specifies configuring the task directly on the computer, not centrally deploying it. Option C (Local Group Policy Editor) is wrong because it edits local Group Policy settings on a single machine, but it does not provide a direct way to schedule a script to run at logon; you would need to assign a logon script via the 'Scripts (Logon/Logoff)' policy, which is less flexible than Task Scheduler and does not allow event-based triggers like 'At logon' with specific conditions. Option D (Windows PowerShell ISE) is wrong because it is an integrated scripting environment for writing and debugging PowerShell scripts, not a tool for scheduling tasks; you would still need to use Task Scheduler or another scheduler to run the script automatically at logon.

487
MCQmedium

A technician is troubleshooting a computer that displays a fake security alert claiming the system is infected and urging the user to call a toll-free number. The alert cannot be closed and appears on top of all other windows. What is the best removal approach?

A.End the process 'svchost.exe' in Task Manager.
B.Restart the computer and press F8 to boot into Safe Mode with Networking, then run a malware scan.
C.Call the toll-free number to get help removing the alert.
D.Use System Restore to revert to a previous restore point.
AnswerB

Safe Mode loads minimal drivers and services, preventing the scareware from running and allowing removal.

Why this answer

This is a tech support scam, a form of scareware that uses a persistent pop-up. Booting into Safe Mode with Networking allows the technician to run an anti-malware scan without the rogue process interfering. Safe Mode loads only essential drivers, preventing the scareware from starting.

488
MCQhard

A company's security policy requires that all laptops returned by employees be sanitized before redeployment. A technician uses a degausser on a laptop's SSD. What is the likely outcome?

A.The SSD is completely erased and ready for reuse.
B.The SSD is physically destroyed and unusable.
C.The SSD is unaffected and still contains data.
D.The laptop's BIOS is reset.
AnswerB

Degaussing can damage the SSD's controller and make the drive inoperable, but it does not guarantee data erasure.

Why this answer

A degausser generates a powerful magnetic field to erase data from magnetic media. SSDs (Solid State Drives) store data in NAND flash memory cells, which are not magnetic. The intense magnetic field from a degausser induces high currents in the SSD's internal circuitry, physically destroying the controller and memory chips, rendering the drive completely unusable.

Exam trap

The trap here is that candidates assume degaussing works on all storage devices, but CompTIA tests the distinction between magnetic media (HDDs) and solid-state media (SSDs), where degaussing physically destroys SSDs rather than erasing them.

How to eliminate wrong answers

Option A is wrong because degaussing an SSD does not perform a logical erase; it physically destroys the drive's electronics, making it impossible to reuse. Option C is wrong because the degausser's magnetic field induces destructive currents in the SSD's non-magnetic NAND flash, physically damaging the components and making data retrieval impossible. Option D is wrong because degaussing targets the storage drive, not the motherboard or BIOS chip; the BIOS remains unaffected unless the degausser is strong enough to damage other nearby components, but the primary outcome is SSD destruction.

489
MCQmedium

A company uses a Remote Desktop Gateway to allow employees to access internal desktops from the internet. Users report that they can connect to the gateway but cannot see any available desktops in the list. Which of the following is the most likely cause?

A.The Remote Desktop Gateway service is not running on the server.
B.The users are not members of the correct Active Directory group that is allowed to access specific desktops.
C.The desktops are powered off or disconnected from the network.
D.The user's RDP client is outdated and cannot display the list.
AnswerB

RD Gateway uses connection authorization policies (CAP) and resource authorization policies (RAP). If users are not in the allowed group, they can connect to the gateway but see no resources.

Why this answer

The Remote Desktop Gateway (RD Gateway) acts as a proxy, allowing external RDP connections to internal desktops. When users can connect to the gateway itself but see no desktops, it typically indicates an authorization failure: the RD Gateway uses Resource Authorization Policies (RAPs) to control which desktops a user can access. If the user is not a member of the Active Directory group specified in the RAP, the gateway will deny the list of available desktops, even though the gateway connection succeeds.

Exam trap

CompTIA often tests the distinction between gateway connectivity (CAP) and resource visibility (RAP), tempting candidates to choose generic network or client issues when the real problem is authorization policy misconfiguration.

How to eliminate wrong answers

Option A is wrong because if the RD Gateway service were not running, users would not be able to connect to the gateway at all; the symptom here is a successful connection but no desktop list. Option C is wrong because powered-off or disconnected desktops would still appear in the list (though they might show as unavailable); the RD Gateway does not filter the list based on desktop power state. Option D is wrong because an outdated RDP client might cause display or feature issues, but it would not prevent the gateway from returning the list of desktops; the list is generated server-side based on RAPs.

490
MCQhard

A technician is writing a Python script to automate the cleanup of user profiles on a Windows server. The script must iterate through all user profile folders in 'C:\Users', check the last modified date, and delete profiles older than 90 days. Which scripting concept is essential for this task?

A.Error handling with try-except
B.A for loop to iterate over folders
C.A while loop with a counter
D.A function to calculate date difference
AnswerB

Correct. A for loop allows the script to process each folder in the directory one by one, which is fundamental to this task.

Why this answer

This question tests understanding of loops, conditionals, and file system operations in a scripting language. A 'for' loop is needed to iterate through each folder, combined with an 'if' statement to check the date condition. Without a loop, the script would only process one folder.

Error handling is important but not the core concept for iteration.

491
MCQmedium

During a security audit, it is discovered that a former employee's user account is still active and has been used to log in remotely three times in the past month. Which logical security principle has been violated?

A.Separation of duties
B.Least privilege
C.Defense in depth
D.Mandatory access control
AnswerB

The former employee no longer needs any access, so the account violates least privilege by still having permissions.

Why this answer

The correct answer is B, least privilege. The principle of least privilege requires that users be granted only the minimum access rights necessary to perform their job functions. A former employee's account remaining active and being used for remote logins violates this principle because the account should have been disabled or deleted upon termination, removing all access privileges.

Exam trap

CompTIA often tests least privilege by presenting a scenario involving account termination or excessive permissions, and the trap here is confusing it with separation of duties, which focuses on task division rather than access minimization.

How to eliminate wrong answers

Option A is wrong because separation of duties involves dividing critical tasks among multiple users to prevent fraud or error, not managing account lifecycles. Option C is wrong because defense in depth is a layered security strategy using multiple controls (e.g., firewalls, IDS, encryption), not a principle about individual user access rights. Option D is wrong because mandatory access control (MAC) is a system-enforced policy based on labels and clearances (e.g., in SELinux or classified systems), not about disabling accounts after employment ends.

492
MCQmedium

A user reports that a script they run daily now fails with 'Permission denied' even though they haven't changed any permissions. The script is located in /usr/local/bin/script.sh and has permissions -rwxr-xr-x. The user is in the 'users' group. What is the most likely issue?

A.The script's shebang line is incorrect.
B.The /usr/local/bin partition is mounted with the noexec option.
C.The user does not have read permission on the script.
D.The script has been replaced with a directory.
AnswerB

If the filesystem is mounted with noexec, no binaries or scripts can be executed, even if permissions are correct.

Why this answer

The script has execute permissions for the user (rwxr-xr-x), so the 'Permission denied' error is not due to missing execute bits. The most likely cause is that the /usr/local/bin filesystem is mounted with the 'noexec' option, which prevents execution of any binary or script regardless of its permission bits. This is a common administrative security measure that blocks execution from specific partitions, and it would cause the script to fail with 'Permission denied' even though the file permissions appear correct.

Exam trap

This question tests the distinction between file permission bits and filesystem mount options, trapping candidates who focus only on chmod or ownership changes when the real issue is a system-wide execution restriction like 'noexec'.

How to eliminate wrong answers

Option A is wrong because an incorrect shebang line would typically cause a 'command not found' or 'bad interpreter' error, not a 'Permission denied' error. Option C is wrong because the script's permissions are -rwxr-xr-x, which grants read permission to the owner, group, and others, so the user in the 'users' group does have read access. Option D is wrong because if the script were replaced with a directory, the error would be 'Is a directory' or similar, not 'Permission denied'.

493
MCQmedium

A technician is configuring a new workstation for a customer who is concerned about energy consumption. Which setting should the technician enable to reduce power usage when the computer is idle?

A.Disable the screensaver and set the display to turn off after 30 minutes.
B.Enable hibernation mode after 1 hour of inactivity.
C.Enable sleep mode after 15 minutes of inactivity.
D.Set the power plan to 'High performance' to reduce power draw.
AnswerC

This is correct because sleep mode reduces power consumption significantly while allowing quick wake-up, making it ideal for typical idle periods.

Why this answer

Option C is correct because enabling sleep mode after 15 minutes of inactivity places the computer into a low-power state (S3 sleep, Suspend-to-RAM) where the CPU is powered down but RAM retains data, allowing a quick wake-up. This directly reduces energy consumption during idle periods more effectively than simply turning off the display, as it cuts power to the processor, drives, and most peripherals.

Exam trap

The trap here is that candidates often confuse 'turning off the display' with full system power saving, or they assume that a longer idle timer (like 1 hour for hibernation) is better than a shorter one (15 minutes for sleep), not realizing that sleep mode engages much sooner and thus saves more energy over typical idle periods.

How to eliminate wrong answers

Option A is wrong because disabling the screensaver and setting the display to turn off only reduces power to the monitor; the rest of the system (CPU, RAM, drives) remains fully active, consuming significant power. Option B is wrong because hibernation mode (S4 state) saves the system state to disk and completely powers off, but after 1 hour it is less aggressive than sleep after 15 minutes, meaning the system wastes more energy during the first 45 minutes of idle time. Option D is wrong because the 'High performance' power plan maximizes CPU speed and prevents power-saving features, actually increasing power draw rather than reducing it.

494
MCQmedium

A user is concerned about privacy because a recently installed application is accessing their webcam and microphone without clear permission. They want to review and revoke permissions for specific apps. Which Control Panel path should you use?

A.Control Panel > System and Security > Security and Maintenance
B.Settings > Privacy > Camera
C.Control Panel > User Accounts > Credential Manager
D.Control Panel > Hardware and Sound > Devices and Printers
AnswerB

The Privacy section in Settings lets you control which apps can access the camera, microphone, and other sensors.

Why this answer

The Privacy settings are managed through the Settings app in Windows 10/11, not the traditional Control Panel. However, the question tests knowledge of where privacy controls are located. The correct path is Settings > Privacy > Camera/Microphone, which allows per-app permission management.

495
MCQeasy

A small business wants to ensure that only authorized employees can access the file server from their laptops. Each laptop has a unique MAC address. Which security measure should be implemented on the network switch?

A.Disable SSID broadcast
B.Enable WPA3 encryption
C.Configure MAC filtering
D.Change the default admin password
AnswerC

MAC filtering allows only devices with approved MAC addresses to access the network, meeting the requirement.

Why this answer

Option C is correct because MAC filtering on a network switch allows the administrator to create an access control list (ACL) that permits or denies traffic based on the source MAC address. By configuring the switch to allow only the MAC addresses of authorized employee laptops, the small business can restrict file server access to those specific devices, even if they connect via a wired Ethernet port.

Exam trap

The trap here is that candidates confuse wireless security features (SSID, WPA3) with wired network access controls, or they mistakenly think changing the admin password restricts user access to network resources rather than just protecting the switch itself.

How to eliminate wrong answers

Option A is wrong because disabling SSID broadcast is a wireless security measure that hides the network name from beacon frames; it does not control access on a wired switch and does not authenticate individual laptops. Option B is wrong because WPA3 encryption is a Wi-Fi security protocol for wireless networks, not a feature that can be configured on a wired Ethernet switch to filter traffic by MAC address. Option D is wrong because changing the default admin password protects the switch's management interface from unauthorized configuration changes, but it does not enforce per-device access control to the file server.

496
MCQeasy

A user reports that they cannot execute a shell script they wrote in their home directory. The script has permissions -rw-r--r--. Which command should be used to allow the owner to execute the script?

A.chmod 755 script.sh
B.chmod u+x script.sh
C.chmod +r script.sh
D.chmod 644 script.sh
AnswerB

This adds execute permission only for the owner, which is exactly what is required.

Why this answer

The script currently has permissions -rw-r--r--, meaning the owner has read and write but not execute. The command chmod u+x adds execute permission for the owner (u) without affecting other permissions. This directly addresses the user's inability to execute the script by granting the missing execute bit to the owner.

Exam trap

CompTIA often tests the distinction between adding a specific permission (u+x) versus setting an absolute mode (755), where candidates may choose 755 because it 'works' without recognizing it unnecessarily grants execute to group and others.

How to eliminate wrong answers

Option A is wrong because chmod 755 sets permissions to rwxr-xr-x, which grants execute to owner, group, and others — this is overly permissive and not the minimal change needed. Option C is wrong because chmod +r adds read permission, but the script already has read permission for all; it does not add execute permission. Option D is wrong because chmod 644 sets permissions to rw-r--r--, which is identical to the current permissions and does not add execute permission for anyone.

497
MCQhard

A security incident occurs where an attacker captures the 4-way handshake of a WPA2-PSK network and successfully cracks the passphrase offline. The technician is tasked with preventing this type of attack in the future. Which protocol should the technician implement?

A.WPA2-PSK with a longer passphrase.
B.WPA3-SAE.
C.WPA2-Enterprise with PEAP-MSCHAPv2.
D.WPA2-PSK with TKIP.
AnswerB

WPA3-SAE uses SAE, which is resistant to offline dictionary attacks, even if the handshake is captured.

Why this answer

WPA3-SAE (Simultaneous Authentication of Equals) replaces the pre-shared key (PSK) model with a password-authenticated key exchange that is resistant to offline dictionary attacks. Unlike WPA2-PSK, which transmits a hash of the password in the 4-way handshake that can be captured and cracked offline, SAE uses a zero-knowledge proof protocol that prevents an attacker from deriving the password from captured handshake data, even if they have the full handshake.

Exam trap

A common misconception is that simply increasing passphrase length or switching to enterprise authentication prevents offline cracking of the 4-way handshake, when in fact only a protocol change to SAE (WPA3) eliminates the offline dictionary attack vector.

How to eliminate wrong answers

Option A is wrong because simply lengthening the WPA2-PSK passphrase does not change the underlying protocol vulnerability; the 4-way handshake still transmits a hash that can be captured and cracked offline with sufficient time and resources, making it a mitigation, not a prevention. Option C is wrong because WPA2-Enterprise with PEAP-MSCHAPv2 still uses the same 4-way handshake for the wireless encryption key exchange, and while the authentication is server-based, the handshake itself remains vulnerable to offline cracking if the attacker captures it and the MSCHAPv2 challenge/response is weak. Option D is wrong because WPA2-PSK with TKIP is actually less secure than WPA2-PSK with AES; TKIP is deprecated and vulnerable to multiple attacks, and it does nothing to prevent offline dictionary attacks on the 4-way handshake.

498
MCQhard

A technician is deploying laptops for a sales team that works remotely from coffee shops and client sites. The laptops contain sensitive customer data. Which physical security control is most practical for these mobile devices?

A.Install a laptop tracking software
B.Use a biometric fingerprint reader on the laptop
C.Require a smart card for login
D.Attach a cable lock to the laptop
AnswerD

A cable lock physically anchors the laptop to a table or desk, making it difficult to steal, which is the most practical physical control for mobile devices.

Why this answer

A cable lock is the most practical physical security control for mobile devices used in public spaces because it physically secures the laptop to a fixed object, preventing theft. Unlike software or authentication measures, a cable lock directly addresses the risk of the device being physically taken, which is the primary threat when working in coffee shops or client sites.

Exam trap

The A+ exam often tests the distinction between physical security controls (like cable locks) and logical/authentication controls (like biometrics or smart cards), so the trap here is confusing authentication methods with physical theft prevention.

How to eliminate wrong answers

Option A is wrong because laptop tracking software is a reactive measure that helps locate a stolen device after the fact, but it does not prevent the initial theft or protect sensitive data in the moment. Option B is wrong because a biometric fingerprint reader provides authentication security, not physical security; it can be bypassed if the device is stolen and the attacker uses other methods to access data. Option C is wrong because requiring a smart card for login is an authentication control that protects access to the operating system, but it does not prevent the physical theft of the laptop itself.

499
MCQeasy

A small business owner wants to restrict app installations on company Macs to only the Mac App Store to prevent employees from downloading unapproved software. Which macOS security feature should you configure?

A.FileVault
B.System Integrity Protection (SIP)
C.Gatekeeper
D.Parental Controls
AnswerC

Gatekeeper allows administrators to set allowed app sources: App Store, App Store and identified developers, or anywhere.

Why this answer

Gatekeeper controls where apps can be installed from. Setting it to 'App Store' restricts installations to only Mac App Store apps, meeting the business requirement.

500
MCQeasy

During a software deployment, you need to copy a configuration file from a network share to multiple workstations. The command must run silently and overwrite existing files. Which command should you use?

A.copy /y
B.xcopy /y
C.move /y
D.robocopy /mir
AnswerB

xcopy /y copies files and directories, suppressing confirmation prompts to overwrite, ideal for silent deployment.

Why this answer

The xcopy command with the /y switch suppresses the prompt to confirm overwriting, and /s copies directories and subdirectories (if needed). It is designed for file copying with advanced options like silent overwrite. Other commands either do not copy files or lack the silent overwrite feature.

501
MCQmedium

A technician is troubleshooting a laser printer that is producing smudged prints. The technician needs to remove the toner cartridge to inspect the drum. What safety precaution should be taken?

A.Wear a respirator mask to avoid inhaling toner particles.
B.Discharge the high-voltage power supply before touching the drum.
C.Avoid touching the drum surface and handle the cartridge carefully to prevent toner spills.
D.Use a vacuum cleaner to clean any spilled toner immediately.
AnswerC

This is correct. The drum is sensitive to light and scratches, and toner spills can cause health issues. Careful handling is essential.

Why this answer

Option C is correct because the primary safety precaution when handling a toner cartridge is to avoid touching the drum surface, which is sensitive to light, oils, and scratches, and to handle the cartridge carefully to prevent toner spills. Toner is a fine powder that can be messy and difficult to clean, but it is not a respiratory hazard under normal handling conditions, so a respirator is not required. The high-voltage power supply in a laser printer is typically discharged automatically when the printer is unplugged, and using a vacuum cleaner for toner spills is dangerous because toner can be electrostatically charged and may cause a fire or explosion in a standard vacuum.

Exam trap

CompTIA often tests the misconception that toner is toxic and requires a respirator, or that high-voltage components need manual discharge, when in fact the immediate risk is physical damage to the drum and the electrostatic fire hazard from improper cleanup.

How to eliminate wrong answers

Option A is wrong because toner particles are not a respiratory hazard under normal handling conditions; a respirator mask is unnecessary and not a standard safety precaution for toner cartridge removal. Option B is wrong because the high-voltage power supply in a laser printer is designed to discharge automatically when the printer is unplugged and the power is removed; there is no need to manually discharge it before touching the drum, and doing so could be dangerous. Option D is wrong because using a standard vacuum cleaner to clean toner spills is a fire and explosion hazard due to the electrostatic charge of toner particles; only a toner-rated or anti-static vacuum should be used.

502
MCQeasy

An employee receives an email that appears to be from the CEO, asking them to urgently wire funds to a new vendor. The email address looks similar to the CEO's but has a slight typo. What type of social engineering attack is this?

A.Phishing
B.Whaling
C.Spear phishing
D.Vishing
AnswerB

Whaling is a targeted phishing attack against high-profile individuals like the CEO, often involving impersonation.

Why this answer

B is correct because whaling is a targeted phishing attack aimed at high-profile individuals like the CEO or CFO, often using a fake but similar email address to request urgent financial transfers. The slight typo in the email address (e.g., ceo@company.com vs. ceo@cornpany.com) is a classic whaling tactic to bypass casual inspection, exploiting the authority of the executive to pressure the victim into bypassing normal verification procedures.

Exam trap

CompTIA A+ often tests the distinction between spear phishing and whaling by making candidates recognize that whaling is a specific type of spear phishing targeting executives, not just any targeted email attack.

How to eliminate wrong answers

Option A is wrong because phishing is a broad, untargeted attack sent to many users, often with generic messages (e.g., 'your account is compromised'), not a personalized request from a specific executive. Option C is wrong because spear phishing targets a specific individual or group but does not necessarily focus on high-level executives; whaling is a subset of spear phishing that specifically targets senior management. Option D is wrong because vishing (voice phishing) uses phone calls or voice messages, not email, to deceive victims into revealing sensitive information or performing actions like wire transfers.

503
MCQhard

A technician is preparing to deploy a security patch to 50 workstations. The change request has been approved, and the patch has been tested on a pilot group. During the deployment, five workstations fail to install the patch. What should the technician do next according to change management best practices?

A.Continue deploying to the remaining workstations and troubleshoot the failures later
B.Halt the deployment and execute the rollback plan for the failed workstations
C.Force the patch to install using administrative tools
D.Submit a new change request for the failed workstations
AnswerB

Halting and rolling back is the correct response to mitigate risk and adhere to the change plan.

Why this answer

According to change management best practices, when a deployment encounters failures, the immediate priority is to halt the deployment to prevent further issues and then execute the rollback plan to restore the failed workstations to their previous known-good state. This ensures stability and minimizes disruption, as the rollback plan was already defined and approved as part of the change request. Continuing or forcing the patch could lead to system instability or security vulnerabilities.

Exam trap

CompTIA often tests the misconception that troubleshooting can be deferred or that a new change request is required for each failure, when in fact the approved change request already covers rollback procedures for failed deployments.

How to eliminate wrong answers

Option A is wrong because continuing the deployment while ignoring failures violates the change management principle of risk mitigation; it could propagate errors or leave systems in an inconsistent state, making later troubleshooting more complex. Option C is wrong because forcing the patch installation with administrative tools bypasses the tested deployment process and could cause system corruption or incompatibility, especially if the failures indicate a deeper issue like driver conflicts or missing dependencies. Option D is wrong because submitting a new change request for only five workstations is unnecessary and inefficient; the existing approved change request already includes a rollback plan for handling failures, and a new request would delay resolution without adding value.

504
MCQeasy

During a routine security audit, a technician discovers that a server was patched out of the approved maintenance window. The patch was applied by a junior admin who was not authorized. What is the most important step to include in the incident documentation?

A.The name of the junior admin who applied the patch.
B.The reason the patch was applied outside the maintenance window.
C.The exact time the patch was applied.
D.The patch's version number and source.
AnswerB

Documenting the justification helps the change advisory board understand the context and decide whether to approve the change retroactively.

Why this answer

The most important step in incident documentation is to capture the reason the patch was applied outside the approved maintenance window. This directly addresses the root cause of the unauthorized change, which is critical for post-incident review, process improvement, and preventing recurrence. Without the reason, the documentation fails to support a meaningful root cause analysis (RCA) and corrective action planning.

Exam trap

CompTIA often tests the distinction between documenting what happened versus why it happened, and the trap here is that candidates focus on technical details (time, version, person) instead of the root cause reason that drives corrective action.

How to eliminate wrong answers

Option A is wrong because while the name of the junior admin may be noted for accountability, it is not the most important element for understanding the incident's cause and preventing future occurrences. Option C is wrong because the exact time, though useful for timeline reconstruction, does not explain why the change was made outside policy. Option D is wrong because the patch version and source are technical details that help identify the change but do not address the procedural violation or its underlying motivation.

505
MCQeasy

A user complains that their computer is running very slowly, and they see frequent pop-up ads even when no browser is open. They also notice a new toolbar in their browser that they did not install. What is the most likely security issue?

A.A rootkit has hidden itself in the system's firmware.
B.A worm is spreading through the network, consuming bandwidth.
C.The system is infected with adware that displays unsolicited advertisements.
D.A Trojan horse has stolen the user's banking credentials.
AnswerC

Adware is specifically designed to generate revenue through unwanted ads and often bundles toolbars, matching the user's description exactly.

Why this answer

The symptoms—pop-up ads without a browser open, an unwanted toolbar, and system slowdown—are classic indicators of adware. Adware is a type of potentially unwanted program (PUP) that displays intrusive advertisements, often by injecting ads into system processes or browser sessions, and can degrade performance by consuming CPU and memory resources.

Exam trap

CompTIA often tests the distinction between adware and other malware types by presenting symptoms that seem like a Trojan or rootkit, but the presence of unsolicited pop-ups and an unwanted toolbar specifically points to adware, not credential theft or stealthy persistence.

How to eliminate wrong answers

Option A is wrong because a rootkit is designed to hide its presence and maintain privileged access, not to display pop-up ads or install browser toolbars; firmware rootkits specifically target low-level system firmware (e.g., UEFI) and do not cause visible adware symptoms. Option B is wrong because a worm spreads autonomously across networks to replicate and consume bandwidth, but it does not typically install browser toolbars or generate pop-up ads on a single user's machine. Option D is wrong because a Trojan horse that steals banking credentials would focus on keylogging or form grabbing, not on displaying unsolicited advertisements or adding browser toolbars; those symptoms are unrelated to credential theft.

506
MCQeasy

A school IT administrator needs to remotely lock a lost MacBook and display a custom message with contact information. The MacBook is enrolled in the school’s MDM and has an internet connection. Which macOS feature should they use?

A.Remote Desktop
B.Find My Mac
C.FileVault
D.Terminal command 'sudo pmset'
AnswerB

Find My Mac allows locking, erasing, and displaying a message on the lost device via iCloud.

Why this answer

Find My Mac is the correct feature because it is specifically designed to locate, lock, and display a custom message on a lost Apple device that is enrolled in MDM and connected to the internet. It leverages Apple's Activation Lock and MDM integration to remotely lock the Mac and present a contact message on the Lock screen, fulfilling the administrator's requirement without needing physical access.

Exam trap

The A+ exam often tests the distinction between remote management tools (like Remote Desktop) and dedicated lost-device recovery features (like Find My Mac). Candidates may mistakenly assume that any remote access tool can perform the lock-and-message function, but only Find My Mac provides the specific lost-mode lock with custom message display.

How to eliminate wrong answers

Option A is wrong because Remote Desktop is a screen-sharing and remote management tool that requires the Mac to be online and accessible via VNC, but it cannot remotely lock the device or display a custom message on the Lock screen; it is not designed for lost-device scenarios. Option C is wrong because FileVault provides full-disk encryption to protect data at rest, but it does not include any remote lock or message-display capability; it is a security feature, not a lost-device recovery tool. Option D is wrong because the Terminal command 'sudo pmset' is used to manage power management settings (e.g., sleep, wake, power-saving) and has no function for locking the device or displaying a custom message; it is a common misconception that a command-line tool can substitute for Find My Mac.

507
MCQhard

During a forensic investigation, an analyst needs to list all files in a directory that have been modified in the last 24 hours, including hidden files, and display the results with full path and timestamp. Which command should they use?

A.ls -laR --time-style=full-iso | grep '2025-03-21'
B.find . -mtime -1 -ls
C.stat * .* | grep Modify
D.find . -newer /tmp/ref -ls
AnswerB

This finds files modified within the last 24 hours and uses -ls to show full details including path and timestamp.

Why this answer

Option B is correct because the `find` command with `-mtime -1` lists files modified within the last 24 hours, and the `-ls` action displays detailed output including full path and timestamp. This approach inherently includes hidden files (those starting with a dot) because `find` traverses all directory entries by default, unlike `ls` which requires the `-a` flag to show hidden files.

Exam trap

CompTIA often tests the distinction between `ls` and `find` for file searches, trapping candidates who choose `ls` with `grep` because they overlook that `ls` output is static and requires manual date filtering, while `find` natively supports time-based criteria like `-mtime`.

How to eliminate wrong answers

Option A is wrong because `ls -laR` recursively lists all files including hidden ones, but the `grep '2025-03-21'` filter is hardcoded to a specific date, which is not dynamic and will fail on any other day; it also does not guarantee the last 24 hours unless the current date matches exactly. Option C is wrong because `stat * .*` will fail if there are no hidden files (the `.*` glob may expand to `.` and `..`, causing errors or incorrect results), and `grep Modify` only extracts the modification timestamp without filtering for the last 24 hours or providing full paths. Option D is wrong because `-newer /tmp/ref` compares against a reference file, but `/tmp/ref` does not exist by default; even if created, it would only find files newer than that specific file, not files modified within the last 24 hours, and the `-ls` action still provides the required output format.

508
MCQmedium

A technician is configuring a kiosk computer that will be used by the public to access a specific website. The technician wants to prevent users from navigating to other sites or changing browser settings. Which browser feature should be enabled?

A.Enable private browsing mode.
B.Enable parental controls.
C.Enable kiosk mode.
D.Disable the address bar via group policy.
AnswerC

Kiosk mode restricts the browser to a single full-screen application, preventing navigation to other sites and access to browser settings.

Why this answer

Kiosk mode locks the browser to a specific site or set of sites, hides the address bar, and disables settings access. This is ideal for public terminals. Other options like private browsing or parental controls do not provide the same level of restriction.

509
MCQeasy

A company is considering moving its email system from an on-premises Exchange server to a cloud-based solution. Which cloud service model would best fit this migration?

A.IaaS (Infrastructure as a Service)
B.PaaS (Platform as a Service)
C.SaaS (Software as a Service)
D.DaaS (Desktop as a Service)
AnswerC

SaaS delivers fully managed software applications, such as cloud-based email, eliminating the need for on-premises servers.

Why this answer

SaaS (Software as a Service) is the correct model because it delivers fully functional email applications (e.g., Microsoft 365 Exchange Online) over the internet, eliminating the need for the company to manage the underlying infrastructure, platform, or software. The cloud provider handles all maintenance, updates, and availability, making it ideal for migrating an existing email system without re-architecting the application itself.

Exam trap

The trap here is that candidates often confuse PaaS with SaaS, thinking that 'platform' includes email services, but PaaS requires the customer to deploy and manage the application code, whereas SaaS provides the complete, ready-to-use application.

How to eliminate wrong answers

Option A is wrong because IaaS provides virtualized computing resources (VMs, storage, networking) but requires the company to still install, configure, and manage the Exchange server software and its operating system, which defeats the purpose of a simple migration. Option B is wrong because PaaS offers a development and deployment platform (e.g., runtime environment, database middleware) but does not include pre-built email applications; the company would need to develop or deploy its own email software on the platform. Option D is wrong because DaaS delivers virtual desktops to end-users, not email services; it is designed for remote desktop access, not for replacing an on-premises email server.

510
MCQhard

A user reports that their Windows 11 laptop's battery drains quickly even when idle. They have already checked for background apps and power-hungry processes. Which single Settings page can you use to generate a detailed battery usage report showing which apps and hardware have consumed the most power over the last 24 hours?

A.Settings > System > Power & battery > Battery saver
B.Settings > System > Power & battery > Battery usage
C.Control Panel > Power Options > Edit Plan Settings
D.Settings > Privacy & security > Diagnostics & feedback
AnswerB

This section shows a detailed breakdown of battery consumption by app and system components over the last 24 hours or 7 days.

Why this answer

The correct tool is 'Battery usage' under Settings > System > Power & battery. This page provides a graph and detailed list of app and hardware power consumption, which can help identify the cause of rapid drain.

511
MCQeasy

A small business owner reports that after upgrading their wireless router to a newer model, their older laptops running Windows 7 cannot connect to the Wi-Fi network. The new router is configured with WPA3-Personal. Which of the following is the most likely reason for the connectivity failure?

A.The router's SSID is hidden.
B.The laptops' wireless adapters do not support WPA3.
C.The router is broadcasting on a 5 GHz band only.
D.The laptops have incorrect DNS settings.
AnswerB

WPA3 is a newer security standard; older hardware and drivers often lack support, forcing a fallback to WPA2 or causing connection failures.

Why this answer

WPA3-Personal is a newer wireless security protocol that requires hardware support in the wireless adapter. Older laptops running Windows 7 typically have legacy wireless adapters that only support WPA2 or earlier protocols. Since the router is configured to use WPA3 only, the laptops' adapters cannot negotiate a connection, resulting in failure.

Exam trap

CompTIA often tests the misconception that older Windows 7 laptops can connect to any Wi-Fi network as long as they have the password, but the trap here is that WPA3 requires both hardware and driver-level support, which legacy adapters lack.

How to eliminate wrong answers

Option A is wrong because a hidden SSID does not prevent connection; clients can still connect if they know the SSID and have compatible security settings. Option C is wrong because even if the router broadcasts only on 5 GHz, many older Windows 7 laptops support 5 GHz if they have dual-band adapters; the primary issue is the security protocol mismatch, not the frequency band. Option D is wrong because incorrect DNS settings would prevent name resolution but not the initial Wi-Fi association and authentication; the laptops cannot even connect to the network, indicating a lower-layer issue.

512
MCQeasy

While upgrading a workstation, you find that the old lithium-ion battery is swollen. What is the safest and most environmentally sound way to handle this battery?

A.Puncture the battery to release the pressure, then throw it in the trash.
B.Place it in a fireproof container and contact a hazardous waste disposal service.
C.Put it in a sealed plastic bag and put it in the regular recycling bin.
D.Freeze the battery to stop the swelling, then dispose of it in the trash.
AnswerB

This method minimizes fire risk and ensures the battery is disposed of according to environmental regulations.

Why this answer

A swollen lithium-ion battery indicates internal damage and potential thermal runaway risk. Placing it in a fireproof container and contacting hazardous waste disposal ensures safe containment and proper recycling, preventing fire hazards and environmental contamination from toxic electrolytes and heavy metals.

Exam trap

CompTIA A+ exams often test the misconception that damaged batteries can be safely disposed of in regular trash or recycling, when in fact they require special handling due to fire and environmental hazards.

How to eliminate wrong answers

Option A is wrong because puncturing a swollen lithium-ion battery can cause a short circuit, leading to fire or explosion, and throwing it in the trash violates environmental regulations. Option C is wrong because placing a damaged lithium-ion battery in a sealed plastic bag in regular recycling can cause fires at recycling facilities due to crushing or shorting, and it is not accepted in standard recycling streams. Option D is wrong because freezing does not stop chemical degradation or swelling, and disposing of it in the trash still poses fire and environmental risks.

513
MCQhard

A user reports that they cannot install a signed driver for a new graphics card because Windows displays a 'Windows can't verify the publisher of this driver software' error. You need to adjust the driver signing enforcement settings to allow installation. Which Control Panel tool allows you to change driver signing behavior?

A.Device Manager
B.System > Advanced system settings > Hardware > Device Installation Settings
C.Programs and Features > Turn Windows features on or off
D.Administrative Tools > Services
AnswerB

System > Advanced system settings > Hardware > Device Installation Settings only controls whether Windows automatically downloads drivers from Windows Update; it does not change driver signing enforcement.

Why this answer

None of the listed Control Panel tools allow changing driver signing enforcement. Driver signature enforcement can only be changed via advanced startup (Disable driver signature enforcement) or using bcdedit. The Device Installation Settings (option B) only controls automatic driver downloads from Windows Update and does not affect signing enforcement.

514
MCQmedium

A user reports that their iPhone 13 is not receiving text messages from Android users, but iMessage conversations with other iPhone users work fine. After checking that the user is not blocked, which step should you take to resolve this issue?

A.Disable iMessage in Settings > Messages.
B.Reset Network Settings from General > Reset.
C.Toggle Airplane Mode on and off.
D.Sign out of iCloud and sign back in.
AnswerA

Turning off iMessage forces the device to send and receive all messages as SMS/MMS, which resolves the issue of missing texts from non-Apple devices.

Why this answer

Disabling iMessage forces the iPhone to send and receive messages via SMS/MMS instead of Apple's proprietary protocol. When iMessage is enabled, Apple's servers may hold messages from non-Apple devices (Android) in a pending state or fail to route them correctly if the sender's number is not properly deregistered from iMessage. This step resolves the issue by ensuring all incoming messages from Android users are delivered as standard SMS/MMS.

Exam trap

CompTIA often tests the misconception that network-related issues (like SMS not working) must be fixed by resetting network settings or toggling Airplane Mode, when the actual root cause is an iMessage registration conflict with non-Apple senders.

How to eliminate wrong answers

Option B is wrong because resetting network settings clears Wi-Fi passwords, cellular settings, and VPN configurations, but does not address the core issue of iMessage routing SMS/MMS from Android senders. Option C is wrong because toggling Airplane Mode only refreshes the cellular connection temporarily; it does not disable iMessage or force SMS fallback for incoming messages from non-Apple devices. Option D is wrong because signing out of iCloud removes iMessage activation but also disables other iCloud services unnecessarily; the targeted fix is to disable iMessage specifically, not the entire iCloud account.

515
MCQeasy

A technician is configuring a new Windows 10 workstation for a remote employee who will handle sensitive customer data. Which security feature should be enabled to ensure that if the laptop is lost, the data remains protected?

A.Windows Defender Firewall
B.User Account Control (UAC)
C.BitLocker Drive Encryption
D.Windows Hello for Business
AnswerC

BitLocker encrypts the drive, making data unreadable without the key, ideal for lost or stolen devices.

Why this answer

BitLocker Drive Encryption (C) is the correct choice because it provides full-disk encryption using AES encryption algorithms, ensuring that if the laptop is lost or stolen, the sensitive customer data remains inaccessible without the recovery key or TPM authentication. This directly addresses the requirement to protect data at rest on a lost device.

Exam trap

CompTIA often tests the distinction between authentication/access control features (like UAC or Windows Hello) and data-at-rest encryption (BitLocker), leading candidates to choose a security feature that protects the system while running rather than protecting data when the device is physically compromised.

How to eliminate wrong answers

Option A is wrong because Windows Defender Firewall is a network security feature that monitors and controls incoming/outgoing traffic based on rules, but it does not encrypt data on the drive, so it cannot protect data if the laptop is physically lost. Option B is wrong because User Account Control (UAC) prompts for permission before allowing system-level changes to prevent unauthorized software from making modifications, but it does not encrypt the drive or protect data when the device is offline. Option D is wrong because Windows Hello for Business provides biometric or PIN-based authentication for user sign-in, but it does not encrypt the storage volume, so data remains readable if the drive is removed or the device is accessed via other means.

516
MCQmedium

A technician is troubleshooting why a smart card reader at a secure entrance fails intermittently. Users can sometimes enter, but other times the reader does not respond. What should the technician check first?

A.Update the smart card reader firmware
B.Replace the smart cards for all users
C.Check the cabling and connections to the reader
D.Reconfigure the access control software
AnswerC

Intermittent connectivity often points to loose or damaged cables; verifying physical connections is a quick and effective first step.

Why this answer

Intermittent failures in a smart card reader are most often caused by physical connection issues, such as loose or damaged cabling, rather than software or firmware problems. Checking cabling and connections is the first step in a structured troubleshooting approach because it addresses the most common and easily verifiable cause of intermittent behavior.

Exam trap

Cisco often tests the principle of 'starting with the simplest and most likely cause' in troubleshooting scenarios, and the trap here is that candidates jump to firmware or software fixes without first verifying the physical layer.

How to eliminate wrong answers

Option A is wrong because updating firmware is a more advanced step that should only be attempted after verifying physical connections and power; firmware issues typically cause consistent failures, not intermittent ones. Option B is wrong because replacing all smart cards is an expensive and disruptive action that assumes a widespread card failure, which is unlikely when the reader itself is unresponsive and the problem is intermittent. Option D is wrong because reconfiguring access control software would not resolve a hardware-level intermittent connection problem; software misconfiguration usually results in consistent access denials or errors, not random unresponsiveness.

517
MCQeasy

A user reports that they cannot execute a custom shell script they created in their home directory. The script is owned by the user and has permissions set to 644. Which command should be used to allow the owner to execute the script?

A.chmod 755 script.sh
B.chmod u+x script.sh
C.chmod 644 script.sh
D.chown user:user script.sh
AnswerB

This adds execute permission only for the owner, preserving the existing read/write permissions for others.

Why this answer

The script has permissions 644, which means the owner has read/write (6) but not execute. To allow the owner to execute the script, you need to add the execute permission for the owner. The command `chmod u+x script.sh` adds execute permission for the user (owner) only, which is the correct and minimal change to resolve the issue.

Exam trap

The trap here is that candidates often choose `chmod 755` (Option A) because it is a common permission set for scripts, but the question specifically asks to allow only the owner to execute, making `chmod u+x` the precise and correct answer.

How to eliminate wrong answers

Option A is wrong because `chmod 755 script.sh` sets permissions to rwxr-xr-x, which grants execute to the owner, group, and others — this is overly permissive and not the minimal fix required. Option C is wrong because `chmod 644 script.sh` sets permissions to rw-r--r--, which is the current state and does not add execute permission, so it would not solve the problem. Option D is wrong because `chown user:user script.sh` changes the owner and group of the file, but the script is already owned by the user; the issue is about permissions, not ownership.

518
MCQeasy

A customer reports that their Windows 10 computer is running very slowly, and they see frequent pop-up ads even when no browser is open. They also notice a new toolbar in their browser that they did not install. What type of malware is most likely causing these symptoms?

A.Ransomware
B.Adware
C.Virus
D.Worm
AnswerB

Adware generates pop-up ads and installs unwanted toolbars, matching the described symptoms exactly.

Why this answer

Adware displays unwanted advertisements and often installs browser toolbars, slowing down the system. Unlike a virus or worm, adware does not self-replicate, and ransomware would demand payment rather than show ads.

519
MCQhard

A user's iPhone is running iOS 16 and they cannot update to the latest iOS 17 because the 'Software Update' section in Settings shows 'Unable to Check for Update'. The device is connected to Wi-Fi and has sufficient storage. Which advanced troubleshooting step should you take to resolve this update issue?

A.Reset All Settings from General > Reset.
B.Restore the iPhone using an iCloud backup.
C.Use a computer with Finder (macOS) or iTunes (Windows) to download and install the update.
D.Disable iCloud Private Relay in iCloud settings.
AnswerC

Using a computer forces the device to download the update via a wired connection, bypassing the device's own update mechanism and often resolving cache or network issues.

Why this answer

Option C is correct because when an iPhone displays 'Unable to Check for Update' despite having Wi-Fi and storage, the issue often lies with the device's inability to contact Apple's update servers directly due to network restrictions or corrupted cached update data. Using a computer with Finder (macOS) or iTunes (Windows) bypasses the iPhone's over-the-air (OTA) update mechanism by downloading the full IPSW firmware directly from Apple's servers and installing it via USB, which is a standard advanced troubleshooting step for OTA update failures.

Exam trap

CompTIA often tests the misconception that 'Reset All Settings' or disabling network features like Private Relay will fix OTA update failures, when in fact the correct advanced step is to use a computer-based restore to bypass the device's broken OTA mechanism.

How to eliminate wrong answers

Option A is wrong because 'Reset All Settings' clears user preferences like Wi-Fi passwords and wallpapers but does not address the underlying communication failure with Apple's update servers or corrupted OTA update assets; it is a general troubleshooting step, not specific to update check failures. Option B is wrong because restoring from an iCloud backup would reapply the same iOS version and settings, potentially reintroducing the same issue, and does not provide a method to install a newer iOS version; it is a data recovery step, not an update solution. Option D is wrong because disabling iCloud Private Relay, while it can affect certain network connections, is not a standard advanced troubleshooting step for OTA update failures; the error 'Unable to Check for Update' typically stems from DNS resolution issues, proxy conflicts, or corrupted update caches, not specifically from Private Relay, and Apple's update servers are generally reachable through Private Relay.

520
MCQhard

During a routine check, a technician finds that a user's Windows 10 computer has an outdated antivirus that hasn't updated in 3 months. The user claims they never saw any update prompts. What is the most likely reason and the appropriate remediation?

A.The antivirus subscription has expired; renew it
B.The Windows Update service is disabled; re-enable it and set to automatic
C.The user has manually set the antivirus to manual update mode
D.The computer is infected with a virus that blocks updates
AnswerB

If the Windows Update service is disabled, the antivirus cannot receive updates, and the user would not see prompts. Enabling it resolves the issue.

Why this answer

The most likely reason the antivirus hasn't updated in 3 months is that the Windows Update service (wuauserv) is disabled. Many Windows 10 antivirus solutions, including Windows Defender, rely on the Windows Update service to download definition updates. If this service is disabled, the antivirus cannot receive updates, and the user would not see update prompts because the update mechanism itself is non-functional.

Re-enabling the service and setting it to automatic allows updates to flow normally.

Exam trap

CompTIA A+ often tests the misconception that antivirus update failures are always due to subscription expiry or infection, when in fact a disabled Windows Update service is a common and overlooked cause, especially in Windows 10 environments where antivirus updates depend on this service.

How to eliminate wrong answers

Option A is wrong because an expired subscription would typically generate visible warnings or prompts within the antivirus interface, not a complete absence of update prompts for 3 months. Option C is wrong because manual update mode would still show update prompts or notifications when updates are available, just requiring user action to install; the user would see prompts. Option D is wrong because while a virus could theoretically block updates, it is far less common than a disabled Windows Update service, and the scenario describes a routine check with no other symptoms of infection.

521
MCQmedium

A user complains that their Android phone's battery drains quickly after installing a new weather app. The phone is warm to the touch even when idle. What should you do to resolve this?

A.Replace the battery immediately.
B.Check battery usage in Settings to see which app is consuming power.
C.Perform a factory reset to remove all apps.
D.Update the phone's operating system to the latest version.
AnswerB

Battery usage stats will show the weather app if it is draining power, allowing targeted action.

Why this answer

Battery drain and overheating after app installation indicate a misbehaving app. The best first step is to check battery usage statistics to identify the culprit, then force stop or uninstall that app. This is a standard Android troubleshooting procedure.

522
MCQeasy

A customer complains that their Windows 11 laptop frequently freezes after waking from sleep. You suspect a driver issue and need to view detailed hardware and driver information to diagnose the problem. Which administrative tool should you open first?

A.Disk Management
B.System Configuration (msconfig)
C.Device Manager
D.Event Viewer
AnswerC

Device Manager lists all hardware and allows you to check driver properties, update drivers, or roll back problematic ones.

Why this answer

Device Manager is the correct tool because it provides a centralized view of all hardware components and their associated drivers. You can expand categories like 'System devices' or 'Batteries' to check for driver conflicts, outdated drivers, or power management settings that could cause freezing after sleep. It also allows you to update, roll back, or disable drivers directly, which is essential for diagnosing wake-from-sleep issues.

Exam trap

CompTIA often tests the distinction between Event Viewer (for logs) and Device Manager (for live driver/hardware status), trapping candidates who think logs are the first step when the question asks for viewing detailed hardware and driver information.

How to eliminate wrong answers

Option A is wrong because Disk Management is used for managing disk partitions, volumes, and file systems, not for viewing hardware or driver details. Option B is wrong because System Configuration (msconfig) controls startup programs, boot options, and services, but does not display hardware or driver information. Option D is wrong because Event Viewer logs system events and errors, which can help after a freeze occurs, but it does not show detailed hardware and driver information directly; Device Manager is the first tool to inspect driver status.

523
MCQeasy

A small business wants to ensure that only authorized employees can access the file server from their laptops. Each laptop has a unique hardware ID. Which logical security method should be implemented to enforce this restriction?

A.Require a complex password for the file server share.
B.Enable MAC address filtering on the network switch or router.
C.Install a host-based firewall on each laptop.
D.Disable the guest account on the file server.
AnswerB

MAC filtering ties access to the specific hardware addresses of the laptops, meeting the requirement.

Why this answer

MAC address filtering on the network switch or router allows the administrator to create an access control list (ACL) that permits only specific hardware MAC addresses to connect to the network. Since each laptop has a unique hardware ID (MAC address), this method directly ties network access to the authorized devices, ensuring only those laptops can reach the file server. This is a logical security control implemented at Layer 2 of the OSI model.

Exam trap

The trap here is that candidates often confuse user authentication (passwords) with device authentication (MAC filtering), assuming that a strong password alone can restrict access to specific hardware, when in fact passwords only verify the user, not the device.

How to eliminate wrong answers

Option A is wrong because requiring a complex password for the file server share authenticates the user, not the device; any user with the password could log in from an unauthorized laptop. Option C is wrong because a host-based firewall on each laptop controls inbound/outbound traffic on that laptop but does not restrict which laptops are allowed to access the file server from the network perspective. Option D is wrong because disabling the guest account on the file server prevents anonymous access but does not enforce device-specific authorization; authorized users could still connect from any laptop.

524
MCQeasy

A user reports that their computer is infected with a virus and they have been trying to remove it using a free online scanner, but the problem persists. The technician suspects the malware may have disabled the antivirus software. Which safe mode should the technician use to run a full system scan?

A.Safe Mode
B.Safe Mode with Command Prompt
C.Safe Mode with Networking
D.Last Known Good Configuration
AnswerC

This mode provides network access, allowing the technician to download updated tools while keeping malware disabled.

Why this answer

Safe Mode with Networking (C) is correct because it loads only essential drivers and services, including network components, which allows the technician to run a full system scan while the malware is likely inactive. Since the malware may have disabled the antivirus software in normal mode, booting into Safe Mode with Networking ensures the antivirus can run and still access the internet for signature updates or cloud-based scanning.

Exam trap

CompTIA often tests the distinction between Safe Mode and Safe Mode with Networking, where candidates mistakenly choose Safe Mode without realizing that antivirus software often requires network access to download updated signatures for effective malware removal.

How to eliminate wrong answers

Option A is wrong because Safe Mode does not load network drivers, which prevents the antivirus from downloading updated virus definitions or connecting to cloud-based scanning services, potentially leaving the scan incomplete. Option B is wrong because Safe Mode with Command Prompt provides a command-line interface but still lacks networking, so it offers no advantage over Safe Mode for running a full system scan with updated definitions. Option D is wrong because Last Known Good Configuration loads the last set of registry and driver settings that worked, but it does not prevent malware from loading, as malware often persists in user profiles or startup locations unaffected by this option.

525
MCQmedium

A technician is cleaning a computer that has been infected with a rootkit. After running a standard antivirus scan, the malware is still detected on reboot. Which step should the technician take next to ensure complete removal?

A.Perform a clean installation of Windows.
B.Boot from a rescue disk and run a malware scan.
C.Disable System Restore and run the antivirus again.
D.Run the antivirus in Safe Mode.
AnswerB

A rescue disk boots a trusted OS, bypassing the rootkit and enabling effective removal.

Why this answer

Rootkits are designed to hide from the operating system and standard antivirus tools by intercepting system calls and loading before the OS security components. Booting from a rescue disk (e.g., a Linux live CD or a dedicated antivirus rescue ISO) bypasses the infected OS entirely, allowing the scanner to access the file system without the rootkit actively masking its presence. This ensures the malware cannot interfere with the scan, enabling complete detection and removal.

Exam trap

The trap here is that candidates assume Safe Mode provides a clean environment for malware removal, but rootkits specifically target kernel-level persistence that persists even in Safe Mode, making a boot-time rescue disk the only reliable method.

How to eliminate wrong answers

Option A is wrong because a clean installation of Windows is a last-resort step that is unnecessarily drastic when a targeted boot-time scan can remove the rootkit without data loss. Option C is wrong because disabling System Restore only removes restore points that might contain malware, but it does not address the rootkit's ability to hide from the antivirus while the OS is running. Option D is wrong because Safe Mode still loads essential Windows drivers and services that a rootkit can hook into, allowing it to remain active and evade detection during the scan.

Page 6

Page 7 of 10

Page 8

All pages

CompTIA A+ Core 2 220-1202 220-1202 Questions 451–525 | Page 7/10 | Courseiva