CompTIA Security+ (SY0-601) — Question 768
Which of the following would be the BEST way to analyze diskless malware that has infected a VDI?
Answer options
- A. Shut down the VDI and copy off the event logs.
- B. Take a memory snapshot of the running system.
- C. Use NetFlow to identify command-and-control IPs.
- D. Run a full on-demand scan of the root volume.
Correct answer: B
Explanation
Taking a memory snapshot of the running system (option B) captures the malware while it is active, preserving its code, state and behavior in volatile memory, which is where diskless (fileless) malware resides. Shutting down the VDI and copying off the event logs (option A) destroys the contents of memory and so loses the real-time evidence, while using NetFlow (option C) would only provide network-related insights such as traffic to command-and-control addresses. Running a full on-demand scan of the root volume (option D) is unlikely to detect malware that operates only in memory and never writes to disk.