
220-1102 Question #493: Real Exam Question with Answer & Explanation

The correct answer is A: Examine the event logs. After an initial scan of a potentially infected air-gapped system yields no results, the technician should next examine event logs for suspicious activity and document all findings.

Security

Question

A user reports that an air-gapped computer may have been infected with a virus after the user transferred files from a USB drive. The technician runs a computer scan with Windows Defender but does not find an infection. Which of the following actions should the technician take next? (Choose two.)

Options

  • A. Examine the event logs
  • B. Connect to the network
  • C. Document the findings
  • D. Update the definitions
  • E. Reimage the computer
  • F. Enable the firewall

Explanation

After an initial scan of a potentially infected air-gapped system yields no results, the technician should next examine event logs for suspicious activity and document all findings.

Common mistakes

  • B. Connecting an air-gapped computer to the network would defeat its purpose of isolation and could potentially spread an undetected infection or expose the network to the supposedly infected machine.
  • D. Updating definitions on an air-gapped computer typically requires connecting it to a network or using external media, which could introduce risk; it is also not the immediate next step after a scan, especially if the current definitions are recent.
  • E. Reimaging the computer is a drastic step typically reserved for confirmed infections that cannot be remediated or for high-security environments, not for an initial "may have been infected" scenario without further evidence.
  • F. Enabling the firewall is a good security practice, but for an air-gapped system that is not connected to a network, its immediate impact on detecting or preventing an internal infection from a USB drive is minimal.

Concept tested. Incident response for air-gapped systems and malware investigation

Reference. https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-scan-options

Topics

#Security Troubleshooting#Incident Response#Event Log Analysis#Documentation Procedures
