KT-EPS Malware

EDR detects a living-off-the-land script spawning rundll32 from WinWord. Next step?

Multiple choice — select one answer

Answer choices

  1. a. Reboot once and close the ticket if the user can open documents again, without security or identity team coordination per policy.
  2. b. Isolate the host, collect triage package, and hunt for lateral movement from that user
  3. c. Whitelist rundll32 because it is a signed Microsoft binary on all systems, without security or identity team coordination per policy.
  4. d. Add a firewall rule blocking Word globally without examining the endpoint, without security or identity team coordination per policy.

Architectural breakdown & explanation

Office spawning rundll32 is suspicious; isolate and investigate before declaring clean.

Correct answer(s): b. Isolate the host, collect triage package, and hunt for lateral movement from that user

Exam domain: Malware (20% weight on the official guide).

Official documentation & study links

Practice this certification

This page is one question from the KeyTrain's Key Training — Endpoint Security bank. Run a full timed practice exam with domain-weighted random questions in your browser.