VMware Security Specialist — Question 6
Review the following search:
childproc_name:`rundll32.exe` AND -digsig_result:`Signed` AND path:c:\windows\*
What is this search looking for?
Answer options
- A. Processes being launched by rundll32.exe running out of the Windows directory that are not signed
- B. Instances of rundll32.exe running out of the Windows directory that are not signed
- C. Instances of rundll32.exe running out of the Windows directory that are signed
- D. Processes launching rundll32.exe running out of the Windows directory that are not signed
Correct answer: A
Explanation
The correct answer, A, identifies processes that are launched by rundll32.exe and located in the Windows directory, specifically those that are not signed. The other options either misread the search as matching instances of rundll32.exe itself rather than the processes it launches, or get the signature status of the results wrong.