Exam CISA Topic 1 Question 79 Discussion

Actual exam question for ISACA's CISA exam
Question #: 79
Topic #: 1
Which of the following statement INCORRECTLY describes anti-malware?

Suggested Answer: D Vote an answer

Section: Protection of Information Assets
Explanation/Reference:
The word INCORRECT is the keyword used in the question. All the terms presented in options correctly
describes some type of anti-malware related activities.
For your exam you should know below mentioned different kinds of malware Controls
A. Scanners Look for sequences of bit called signature that are typical malware programs.
The two primary types of scanner are
1. Malware mask or Signatures - Anti-malware scanners check files, sectors and system memory for
known and new (unknown to scanner) malware, on the basis of malware masks or signatures. Malware
masks or signature are specific code strings that are recognized as belonging to malware. For polymorphic
malware, the scanner sometimes has algorithms that check for all possible combinations of a signature
that could exist in an infected file.
2. Heuristic Scanner - Analyzes the instructions in the code being scanned and decide on the basis of
statistical probabilities whether it could contain malicious code. Heuristic scanning result could indicate that
malware may be present, that is possibly infected. Heuristic scanner tend to generate a high level false
positive errors (they indicate that malware may be present when, in fact, no malware is present)
Scanner examines memory disk- boot sector, executables, data files, and command files for bit pattern that
match a known malware. Scanners, therefore, need to be updated periodically to remain effective.
B. Immunizers - Defend against malware by appending sections of themselves to files - sometime in the
same way Malware append themselves. Immunizers continuously check a file for changes and report
changes as possible malware behavior. Other types of Immunizers are focused to a specific malware and
work by giving the malware the impression that the malware has already infected to the computer. This
method is not always practical since it is not possible to immunize file against all known malware.
C. Behavior Blocker- Focus on detecting potential abnormal behavior such as writing to the boot sector or
the master boot record, or making changes to executable files. Blockers can potentially detect malware at
an early stage. Most hardware based anti-malware mechanism are based on this concept.
D. Integrity CRC checker- Compute a binary number on a known malware free program that is then stored
in a database file. The number is called Cyclic Redundancy Check (CRC). On subsequent scans, when
that program is called to execute, it checks for changes to the file as compare to the database and report
possible infection if changes have occurred. A match means no infection; a mismatch means change in the
program has occurred. A change in the program could mean malware within it. These scanners are
effective in detecting infection; however, they can do so only after infection has occurred. Also, a CRC
checker can only detect subsequent changes to files, because they assume files are malware free in the
first place. Therefore, they are ineffective against new files that are malware infected and that are not
recorded in the database. Integrity checker take advantage of the fact that executable programs and boot
sectors do not change often, if at all.
E. Active Monitors - Active monitors interpret DOS and read-only memory (ROM) BIOS calls, looking for
malware like actions. Active monitors can be problematic because they can not distinguish between a user
request and a program or a malware request. As a result, users are asked to confirm actions, including
formatting a disk or deleting a file or set of files.
The following were incorrect answers:
All of the choices presented other than one were describing Anti-Malware related activities
The following reference(s) were/was used to create this question:
CISA review manual 2014 Page number 354 and 355

by Mortimer at Dec 05, 2025, 01:07 PM

Comments

Chosen Answer:
This is a voting comment (?) , you can switch to a simple comment.
Switch to a voting comment New
Nick name: Submit Cancel
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

Contact Us

If you have any question please leave me your email address, we will reply and send email to you in 12 hours.

Our Working Time: ( GMT 0:00-15:00 ) From Monday to Saturday

Support: Contact now 

日本語 Deutsch 繁体中文 한국어