350-201(NEW-127Q) Question #9: Real Exam Question with Answer & Explanation

The correct answer is D. Analyze the file in a controlled sandbox environment to determine its behavior and potential threats.

Incident Response

Question

An organization's security team identified a potential security incident that involves an unusual file found on a critical server. The file appears to have been injected by an unknown attacker and raises concerns about a possible intrusion. To assess the threat, an engineer used SHA256 to calculate the hash of the suspicious file and submitted it for analysis to an advanced security platform. The platform returned the analysis result as an 'unknown file.' What should be the engineer's next action in examining this potential intrusion?

Options

  • A. Immediately remove the file to prevent any potential harm to the server.
  • B. Run a comprehensive endpoint scan on the affected server for other signs of compromise.
  • C. Initiate an analysis of the file based on its assigned risk scores and metadata.
  • D. Analyze the file in a controlled sandbox environment to determine its behavior and potential threats.

Explanation

When a security platform returns an "unknown file" result after hash analysis, it means no prior reputation, risk scores, or metadata exist for that file - making option C immediately invalid since there is nothing to analyze from the platform. Sandboxing (D) is the correct next step because it allows the engineer to safely execute the suspicious file in an isolated environment, observing its behavior (network calls, file modifications, registry changes) without risking further harm to the production server. Removing the file outright (A) is wrong because it destroys critical forensic evidence and does nothing to reveal the scope of the intrusion. Running a broader endpoint scan (B) is a valid later step in incident response, but it skips the essential task of first understanding what the suspicious file actually does - a scan may also fail to detect novel malware with no known signature.

Memory tip: Think "Unknown = Sandbox." When no intelligence exists on a file, you must generate your own intelligence by watching it behave in a controlled environment before taking any other action.

Topics

Malware Analysis, Incident Response, File Analysis, Forensics
