You are creating a script to filter some logs so that you can detect any suspected malware beaconing. Which of the following is NOT a typical means of identifying a malware beacon's behavior on the network?

A. The removal of known traffic
B. The beaconing interval
C. The beacon's persistence
D. The beacon's protocol

Asked by user BBacon

1 Answer


Final answer:

When detecting malware beaconing, typical identifiers include the beaconing interval, the beacon's persistence, and the protocol used. However, the removal of known traffic is a filtering strategy, not a method for identifying malware beacons.

Step-by-step explanation:

When creating a script to filter logs for detecting suspected malware beaconing, it's crucial to understand typical beacon behaviors.

The beaconing interval, which is the consistent time gap between communications with a control server, and the beacon's persistence, the regularity of the beaconing over time, are both key identifiers. Additionally, analyzing the beacon's protocol can reveal suspicious patterns, such as uncommon or inappropriate use of a protocol for certain types of data.

However, the removal of known traffic is a strategy used to filter out legitimate traffic rather than a means of identifying a malware beacon's behavior.

Answered by user DonL
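The answer above lists three beacon identifiers (interval, persistence, protocol) and one filtering step (removing known traffic). The following Python script, added here as an illustration and not part of either post, shows how those pieces fit together in a log-filtering script: known-good destinations are dropped first, then each remaining source/destination/port/protocol tuple is scored on interval regularity, persistence over time, and protocol-versus-port expectations. The log format, the allowlist, the expected-protocol table and the thresholds are all assumptions chosen for the example; the log lines are constructed, not captured traffic.

```python
"""Beacon-candidate scoring over connection logs (constructed example)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log (not real traffic). Field order is an assumption:
# epoch_seconds src dst dport proto bytes
SAMPLE_LOG = """\
1700000000 10.0.0.5 203.0.113.9 443 tcp 512
1700000060 10.0.0.5 203.0.113.9 443 tcp 515
1700000121 10.0.0.5 203.0.113.9 443 tcp 509
1700000180 10.0.0.5 203.0.113.9 443 tcp 512
1700000241 10.0.0.5 203.0.113.9 443 tcp 511
1700000300 10.0.0.5 203.0.113.9 443 tcp 513
1700000002 10.0.0.5 198.51.100.20 443 tcp 90210
1700000037 10.0.0.5 198.51.100.20 443 tcp 1820
1700000400 10.0.0.5 198.51.100.20 443 tcp 55000
1700001900 10.0.0.5 198.51.100.20 443 tcp 2200
1700000010 10.0.0.5 192.0.2.1 53 udp 80
1700000011 10.0.0.5 192.0.2.1 53 udp 80
1700000500 10.0.0.5 192.0.2.1 53 udp 80
"""

# Hypothetical allowlist: destinations whose traffic is known and removed up front
# (the "removal of known traffic" filtering step, not an identifier in itself).
KNOWN_GOOD = {"192.0.2.1"}

# Hypothetical expectation table: which transport a port is normally seen on.
EXPECTED_PROTO = {53: "udp", 80: "tcp", 443: "tcp"}


def parse(text):
    """Turn the whitespace-separated log into a list of dicts."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto, nbytes = line.split()
        rows.append(dict(ts=int(ts), src=src, dst=dst, dport=int(dport),
                         proto=proto, bytes=int(nbytes)))
    return rows


def remove_known_traffic(rows, allow=KNOWN_GOOD):
    """Filtering step: drop connections to allowlisted destinations."""
    return [r for r in rows if r["dst"] not in allow]


def score_pairs(rows, min_events=4, max_jitter=0.15, min_span=240):
    """Score each (src, dst, dport, proto) tuple on the three beacon identifiers.

    interval  - mean gap between connections (the beaconing interval)
    jitter    - stdev/mean of the gaps; low jitter means a regular timer
    span      - first-to-last seen, in seconds (persistence over time)
    proto_mismatch - protocol differs from what the port normally carries
    """
    groups = defaultdict(list)
    for r in rows:
        groups[(r["src"], r["dst"], r["dport"], r["proto"])].append(r)

    results = {}
    for key, events in groups.items():
        ts = sorted(e["ts"] for e in events)
        if len(ts) < min_events:          # too few samples to judge regularity
            continue
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps) / avg if avg else float("inf")
        span = ts[-1] - ts[0]
        sizes = [e["bytes"] for e in events]
        size_cv = pstdev(sizes) / mean(sizes)   # near-constant payloads are another hint
        expected = EXPECTED_PROTO.get(key[2])
        results[key] = dict(
            count=len(ts), interval=avg, jitter=jitter, span=span, size_cv=size_cv,
            proto_mismatch=expected is not None and expected != key[3],
            beacon_like=jitter <= max_jitter and span >= min_span,
        )
    return results


def flagged(results):
    """Return the tuples that look like beacons, most regular first."""
    return sorted((k for k, v in results.items() if v["beacon_like"]),
                  key=lambda k: results[k]["jitter"])


if __name__ == "__main__":
    res = score_pairs(remove_known_traffic(parse(SAMPLE_LOG)))
    for key in flagged(res):
        v = res[key]
        print(f"{key}: every {v['interval']:.0f}s (jitter {v['jitter']:.3f}), "
              f"persisted {v['span']}s over {v['count']} connections")
```

In the constructed data the 60-second connections to 203.0.113.9 are flagged (jitter about 0.015, persisted 300 s), the bursty browsing-like traffic to 198.51.100.20 is not, and the DNS resolver never reaches the scoring stage because it was removed as known traffic. Real beacons often add deliberate jitter and vary their sleep, so `max_jitter` and `min_span` need tuning per environment rather than treated as fixed constants.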