| 🏠 Back to Exam Syllabus | 📺 RooCloud on YouTube | 🌐 RooCloud Practice Exams |
CISSP 21.1 - Malware (Part 2 of 3)
This episode of the ISC2 Certified Information Systems Security Professional (CISSP) exam prep series continues the malware chapter in Domain 8, turning from how viruses spread to how they hide. It looks at the arms race between scanners and virus writers, the classic evasion styles you must recognize, and two related code objects: virus hoaxes and logic bombs.
What this episode covers
- The evasion arms race — as detection improves, virus writers invent new tricks purely to survive it.
- Multipartite virus — mixes more than one propagation route, so guarding a single doorway is not enough.
- Stealth virus — tampers with how the OS reports files, handing the scanner a clean copy on request.
- Polymorphic virus — same logic but a fresh signature each host, defeating fixed-pattern matching.
- Encrypted virus — scrambles its body with a new key each infection; the decryption stub gives it away.
- Virus hoax — carries no real code yet still wastes help-desk time and prompts deletion of healthy files.
- Logic bomb — dormant until a trigger fires, defended by code review and separation of duties.
Watch the full episode above for the worked examples and detailed explanations of each concept.
Frequently Asked Questions
What is a multipartite virus?
A multipartite virus refuses to spread only one way, mixing more than one propagation route in a single package. It might infect executable program files and also write itself into the boot record, so it is both a file infector and a boot sector threat. The point is coverage: if your defense guards only one doorway, the virus simply strolls in through the other.
What is a stealth virus?
A stealth virus lies to the operating system to cover its tracks by tampering with how the system reports its own files. When a scanner asks to inspect an infected area, the compromised operating system hands back a clean, virus-free copy instead of the truth. The scanner sees exactly what it expects and moves on, while the real infection loads quietly at boot.
How do polymorphic and encrypted viruses differ?
A polymorphic virus changes its outward signature with every infection while keeping the same propagation and payload logic, defeating scanners that look for one fixed pattern. An encrypted virus scrambles its own body with cryptography using a different key each time, so only a small decryption routine sits in the clear. That decryption stub tends to carry a recognizable pattern that updated scanners learn to spot.
What is a virus hoax, and why does it still cost you?
A virus hoax is a false alarm, a message warning of some unstoppable, uniquely destructive virus that no product can catch. There is no actual malware, yet the hoax still drains real resources: well-meaning people forward it, flood help desks with questions, and sometimes delete healthy files on its bad advice. Treat the panic itself as the payload, and verify before you forward.
What is a logic bomb waiting for?
A logic bomb is malicious code that hides quietly until a specific condition trips it, such as a date, a program launch, a particular login, or a sequence of keystrokes. Many are planted inside custom software by developers who want their work to self-destruct if they are pushed out of the company. Because bombs often ride inside viruses and Trojans too, code review and separation of duties are your real defense.
📚 Master the ISC2 CISSP Exam!
Ready to test your knowledge? Access chapter-specific Multiple Choice Questions (MCQs) and full-length practice exams for the ISC2 CISSP certification at RooCloud.com. Solve the chapter-wise questions to reinforce this lesson before moving to the next episode.
Reference: This article is based on concepts discussed in CISSP 21.1 - Malware (Part 2 of 3).