
350-201(NEW-127Q) Question #44: Real Exam Question with Answer & Explanation

The correct answer is B: Deploy a group policy configuration update to disable embedded macro execution.

Incident Response and Management

Question

A company's legal office was notified by a law enforcement agency that anomalous traffic was detected during a separate investigation that was not directly related to the company. Traffic originated from hosts within the company's network that may be indicative of an active malware infection. Log samples show traffic going to IPs that belong to a previously unknown botnet. The affected hosts were identified as a part of the HR subnet. The malware appears to be contained on a shared spreadsheet hosted on the HR SharePoint server that contains a macro exploit. How must this type of event be mitigated in the future?

Options

  • A. Identify all IP addresses associated with the incident and block with a firewall.
  • B. Deploy a group policy configuration update to disable embedded macro execution.
  • C. Determine data loss and the associated risks with the executive board.
  • D. Copy and remove the malicious spreadsheet from all locations identified.

Explanation

Disabling macro execution via Group Policy is the correct mitigation because it removes the attack vector entirely - macros embedded in Office documents are what enabled the malware to execute in the first place, and a GPO enforces this control organization-wide, preventing recurrence across all hosts.

Why the distractors are wrong:

  • A (block IPs): Blocking known botnet IPs treats the symptom, not the cause. The attacker can rotate to new IPs, and the macro exploit remains active and ready to re-infect.
  • C (brief the executive board): Notifying leadership about data loss is a reporting/governance step - it documents impact but does nothing to prevent the attack from happening again.
  • D (remove the spreadsheet): Deleting the malicious file stops this incident but leaves every host still capable of executing macros from any future malicious document.

Memory tip: The question asks how to mitigate this event in the future - that's your signal to look for the preventive control, not a reactive cleanup step. Whenever macros are the attack vector, the answer is almost always a Group Policy to disable them, since GPOs are the standard enterprise mechanism for enforcing security baselines at scale.

Topics

#Macro-Based Malware · #Group Policy Controls · #Endpoint Mitigation · #Incident Response
