Objective 2.4: Summarize types of malware and tools/methods for detection, removal, and prevention
Cert: CompTIA A+ Core 2 (220-1202) V15
Domain: 2.0 Security
Weight: Part of the 28% Security domain
Depth: Summarize. The candidate must recognize malware types, the detection/response tooling ecosystem, and the layered defenses that prevent infection.
What this objective tests
You should be able to identify each malware type by behavior, distinguish detection/response platforms (EDR/MDR/XDR), and name the layered defenses (AV, anti-malware, email gateway, software firewall, user training, OS reinstall).
Key facts
Malware (umbrella term):
- Any software written to harm, exploit, or otherwise act against the interests of the user or system. Includes trojans, viruses, worms, rootkits, spyware, ransomware, keyloggers, cryptominers, adware, fileless attacks, and stalkerware.
Trojan:
- Disguised as legitimate software. User installs it thinking it's something useful; payload runs in the background.
- Often opens a backdoor for the attacker.
Rootkit:
- Malware that hides its own presence and other malicious activity at a deep OS level (kernel, bootloader, firmware).
- Hard to detect and remove because it manipulates the tools you'd use to find it. Full reinstall often the only reliable cleanup.
Virus:
- Self-replicating code that attaches to another program or file. Spreads when the infected file runs or is opened.
- An older form of malware; less common today than ransomware and trojans, but still tested.
Spyware:
- Collects user information without consent. Keystrokes, browsing, screenshots, credentials.
Ransomware:
- Encrypts files and demands payment for the decryption key. Often spreads laterally across a network.
- Modern variants exfiltrate data and threaten public release (double extortion) in addition to encryption.
Keylogger:
- Records keystrokes. Software (installed on the PC) or hardware (USB pass-through). Captures credentials, messages, financial info.
Boot sector virus:
- Infects the master boot record or volume boot sector. Loads before the OS. Old attack vector still tested.
Cryptominer (cryptojacking):
- Uses the victim's CPU/GPU to mine cryptocurrency for the attacker. Doesn't destroy data but burns electricity and slows the machine.
Stalkerware:
- Spyware specifically marketed for monitoring partners, family, employees. Often installed by someone with physical access.
Fileless malware:
- Operates entirely in memory or via legitimate system tools (PowerShell, WMI). Leaves few or no files on disk.
- Evades file-scanning AV. EDR with behavior detection is more effective.
Adware:
- Injects unwanted ads (pop-ups, banner overlays, browser redirects). Annoying, sometimes a gateway to worse infections.
Potentially unwanted program (PUP):
- Software a user might not want even if it's not strictly malicious. Bundled toolbars, "system optimizers," free utilities with telemetry. AV often flags PUPs but lets the user decide.
Recovery console:
- Recovery environment that boots before Windows starts. Repair tools, command prompt, system restore, startup repair, reset PC.
- Access by holding Shift while clicking Restart, or from installation media.
Endpoint detection and response (EDR):
- Goes beyond signature AV by continuously watching behavior across endpoints. Detects suspicious activity (encoded PowerShell commands, mass file modification, unusual lateral movement), alerts on those signals, and supports investigation and response.
- Examples: CrowdStrike Falcon, SentinelOne, Microsoft Defender for Endpoint.
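As an added example (not from these notes or any EDR vendor), a toy behavioral detector in Python over a constructed, hypothetical telemetry format. It flags two of the signals named above, an encoded PowerShell command line and mass file modification by a single process, and decodes the encoded command the way an analyst would when triaging the alert.

```python
import base64
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed telemetry format (hypothetical, not any vendor's schema):
# "HH:MM:SS|EVENT|process|detail". Two behavioural signals from the notes
# are checked: encoded PowerShell command lines and mass file modification.
ENC_RE = re.compile(r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
MASS_WRITE_THRESHOLD = 5                    # writes by one process ...
MASS_WRITE_WINDOW = timedelta(seconds=10)   # ... inside this window

def encode_ps(cmd):
    """PowerShell's -EncodedCommand is base64 over the UTF-16LE command text."""
    return base64.b64encode(cmd.encode("utf-16le")).decode()

# Constructed sample: a benign encoded 'Get-Date' (the *shape* is the signal),
# a normal Word launch, and one process rewriting six user files in six seconds.
SAMPLE_EVENTS = [
    "10:00:01|PROCESS_START|powershell.exe|powershell.exe -enc " + encode_ps("Get-Date"),
    "10:00:02|PROCESS_START|winword.exe|winword.exe C:\\Users\\a\\report.docx",
] + [f"10:00:{3 + i:02d}|FILE_WRITE|unknown.exe|C:\\Users\\a\\doc{i}.docx.locked" for i in range(6)]

def detect(lines):
    """Return (rule, process, detail) findings in the order they fire."""
    findings, writes, flagged = [], defaultdict(list), set()
    for line in lines:
        ts_s, event, proc, detail = line.split("|", 3)
        ts = datetime.strptime(ts_s, "%H:%M:%S")
        if event == "PROCESS_START" and proc.lower() == "powershell.exe":
            m = ENC_RE.search(detail)
            if m:
                try:
                    decoded = base64.b64decode(m.group(1)).decode("utf-16le")
                except (ValueError, UnicodeDecodeError):
                    decoded = "<undecodable payload>"
                findings.append(("encoded_powershell", proc, decoded))
        elif event == "FILE_WRITE":
            # Sliding window: keep only this process's writes inside the window.
            writes[proc] = [t for t in writes[proc] if ts - t <= MASS_WRITE_WINDOW] + [ts]
            if len(writes[proc]) >= MASS_WRITE_THRESHOLD and proc not in flagged:
                flagged.add(proc)
                findings.append(("mass_file_modification", proc, f"{len(writes[proc])} writes within {MASS_WRITE_WINDOW.seconds}s"))
    return findings

if __name__ == "__main__":
    for rule, proc, detail in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {proc}: {detail}")
```

A signature scanner sees nothing unusual in either event; the detector fires on how the processes behave, which is the gap EDR is meant to close.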
Managed detection and response (MDR):
- EDR + a 24/7 SOC team that monitors alerts and responds on your behalf.
- Right answer for SMBs that don't have a dedicated security team.
Extended detection and response (XDR):
- Extends EDR to other telemetry sources (email, identity, cloud, network). Cross-domain correlation.
- The direction modern enterprise security platforms are heading.
Antivirus:
- Signature-based scanning for known malware. Real-time and on-demand scans.
- Necessary but no longer sufficient on its own (fileless malware, behavior-based attacks evade pure AV).
Anti-malware:
- Broader category than AV. Includes behavior-based detection, anti-spyware, anti-rootkit, browser protection.
- Often used interchangeably with AV in marketing. Look for the actual feature set.
Email security gateway:
- Filters incoming/outgoing email for malicious attachments, links, and content.
- Blocks the most common malware delivery vector before it reaches the user's inbox.
- Examples: Microsoft Defender for Office 365, Proofpoint, Mimecast.
Software firewall:
- Per-PC firewall (Windows Defender Firewall, third-party products). Restricts inbound/outbound traffic per app and per port.
User education regarding common threats:
- Phishing awareness training, password hygiene, attachment caution, public Wi-Fi risks.
- The human factor is the single most important defense layer because every other defense is bypassed by a user who clicks the wrong link.
Antiphishing training:
- Simulated phishing campaigns + just-in-time education when a user clicks.
- Examples: KnowBe4, Proofpoint Security Awareness, Microsoft Attack Simulator.
OS reinstallation:
- Final cleanup option when malware is too embedded to remove (rootkits, multiple infections).
- Reformat, reinstall OS, restore data from a known-clean backup.
Common gotchas
- Trusting "scan completed" from AV on an infection that evades signature scanning. AV says clean; EDR sees the suspicious behavior. Both are useful; neither is sufficient alone.
- Disabling AV "temporarily" and forgetting to turn it back on. A common user move that leaves the door open. Educate users rather than permitting it.
- PUP cleanup ignored. Not technically malware but degrades the system and often comes with telemetry the user didn't agree to.
- Ransom paid expecting decryption. Paying isn't guaranteed to work and funds future attacks. Restore from backup if possible.
- Stalkerware on a personal phone after a breakup. Sensitive and underrecognized. Factory reset is often the safest option.
Real-world context
Layered malware defense for a real SMB:
- Email security gateway (Microsoft Defender for Office 365 or equivalent) catches the bulk.
- EDR or MDR on every endpoint for behavioral detection.
- DNS filtering (Cisco Umbrella, Cloudflare for Teams) blocks known-malicious domains.
- Patching cadence (covered in 2.7) keeps OS and apps current.
- Backup strategy (covered in 4.3) makes ransomware recovery cheap and quick.
- User training ongoing, with simulated phishing.
Incident response when an infection is suspected:
- Disconnect from the network (unplug Ethernet or disable Wi-Fi; don't power off, because that destroys volatile memory evidence).
- Notify IT/security team.
- Run on-demand scans with multiple tools (AV + Malwarebytes + EDR query).
- If serious, reimage from a known-good baseline.
- Restore data from backup.
- Document root cause (how did it get in?) and improve the layer that failed.
Sources
- [CompTIA A+ 220-1202 Exam Objectives Version 4.0, Section 2.4](../../../../../../30-RevyTechJourney/CompTIA%20A%2B%20220-1202%20Exam%20Objectives%20%284.0%29.pdf)
- [Microsoft Learn: Microsoft Defender for Endpoint](https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/)
- [CISA: Stop Ransomware](https://www.cisa.gov/stopransomware)
- [Wikipedia: Endpoint detection and response](https://en.wikipedia.org/wiki/Endpoint_detection_and_response)
- [Wikipedia: Ransomware](https://en.wikipedia.org/wiki/Ransomware)
