- (Topic 1)
Which of the following program infects the system boot sector and the executable files at the same time?

1. A. Polymorphic virus
2. B. Stealth virus
3. C. Multipartite Virus
4. D. Macro virus

Correct Answer: C

- (Topic 2)
Log monitoring tools performing behavioral analysis have alerted several suspicious logins on a Linux server occurring during non-business hours. After further examination of all login activities, it is noticed that none of the logins have occurred during typical work hours. A Linux administrator who is investigating this problem realizes the system time on the Linux server is wrong by more than twelve hours. What protocol used on Linux servers to synchronize the time has stopped working?

1. A. Time Keeper
2. B. NTP
3. C. PPP
4. D. OSPP

Correct Answer: B

- (Topic 1)
An Intrusion Detection System (IDS) has alerted the network administrator to a possibly malicious sequence of packets sent to a Web server in the network??s external DMZ. The packet traffic was captured by the IDS and saved to a PCAP file. What type of network tool can be used to determine if these packets are genuinely malicious or simply a false positive?

1. A. Protocol analyzer
2. B. Network sniffer
3. C. Intrusion Prevention System (IPS)
4. D. Vulnerability scanner

Correct Answer: A

- (Topic 2)
Which of the following commands checks for valid users on an SMTP server?

1. A. RCPT
2. B. CHK
3. C. VRFY
4. D. EXPN

Correct Answer: C
The VRFY commands enables SMTP clients to send an invitation to an SMTP server to verify that mail for a selected user name resides on the server. The VRFY command is defined in RFC 821.The server sends a response indicating whether the user is local or not, whether mail are going to be forwarded, and so on. A response of 250 indicates that the user name is local; a response of 251 indicates that the user name isn??t local, but the server can forward the message. The server response includes the mailbox name.

- (Topic 2)
Switches maintain a CAM Table that maps individual MAC addresses on the network to physical ports on the switch.

In MAC flooding attack, a switch is fed with many Ethernet frames, each containing different source MAC addresses, by the attacker. Switches have a limited memory for mapping various MAC addresses to physical ports. What happens when the CAM table becomes full?

1. A. Switch then acts as hub by broadcasting packets to all machines on the network
2. B. The CAM overflow table will cause the switch to crash causing Denial of Service
3. C. The switch replaces outgoing frame switch factory default MAC address of FF:FF:FF:FF:FF:FF
4. D. Every packet is dropped and the switch sends out SNMP alerts to the IDS port

Correct Answer: A