KT-EPS Startup persistence

Registry Run keys point to a random AppData executable after an email attachment. BEST remediation?

Multiple choice — select one answer

Answer choices

  1. a. Remove persistence entries, quarantine binary, and reimage if tampering is widespread
  2. b. Ignore if antivirus is green, without security or identity team coordination per policy.
  3. c. Delete only the email, without security or identity team coordination per policy.
  4. d. Disable Run keys globally forever, without security or identity team coordination per policy.

Architectural breakdown & explanation

Persistence must be removed with the payload; reimage if integrity is uncertain.

Correct answer(s): a. Remove persistence entries, quarantine binary, and reimage if tampering is widespread

Exam domain: Startup persistence (20% weight on the official guide).

Official documentation & study links

Practice this certification

This page is one question from the KeyTrain's Key Training — Endpoint Security bank. Run a full timed practice exam with domain-weighted random questions in your browser.