CompTIA
CAS-003 · Question #875
CAS-003 Question #875: Real Exam Question with Answer & Explanation
The correct answer is D: FIM and antivirus. FIM and antivirus together provide root cause visibility into file-level changes and detection of malicious payloads, addressing both investigation and future protection needs.
Question
An organization's email filter is an ineffective control, and as a result, employees have been constantly receiving phishing emails. As part of a security incident investigation, a security analyst identifies the following:
1. An employee was working remotely when the security alert was triggered.
2. An employee visited a number of uncategorized Internet sites.
3. A .doc file was downloaded.
4. A number of files were uploaded to an unknown collaboration site.
Which of the following would provide the security analyst with more data to identify the root cause of the issue and protect the organization's information during future incidents?
Options
- A. EDR and DLP
- B. DAM and MFA
- C. HIPS and application whitelisting
- D. FIM and antivirus
Explanation
File integrity monitoring (FIM) keeps a baseline of hashes, sizes and timestamps for files on the endpoint and records every addition, modification and deletion against it, so the analyst can reconstruct what happened after the .doc file was downloaded: which files it dropped or altered, and which files were staged before the upload to the unknown collaboration site. Antivirus identifies the downloaded document as a malicious payload and blocks it on the next attempt. Together the two cover both halves of the question: more data for the root-cause investigation and protection of the organization's files during future incidents.
Common mistakes.
- A. EDR and DLP cover behavioral detection on the endpoint and control of outbound data respectively, but neither keeps the baseline-versus-current file integrity record that shows precisely which files the downloaded document altered on the host.
- B. DAM monitors database activity and offers nothing for endpoint file analysis; MFA addresses authentication weaknesses, not malware execution or protection of the files that were uploaded.
- C. HIPS and application whitelisting are preventive controls that restrict what can execute, but they do not produce the detailed file-change history needed to identify the root cause of a compromise that has already occurred.
Concept tested. FIM and antivirus for endpoint incident analysis
Reference. https://csrc.nist.gov/publications/detail/sp/800-128/final
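The example below, added here and not part of the original question or any vendor product, shows the kind of data FIM and a signature-based scanner produce in the scenario above: a baseline is taken, the incident is simulated (a downloaded document, a tampered configuration file, a deleted file), and the change set is matched against a signature list. The directory, file names and the "malicious macro" sample are all constructed for the demonstration; the signature list is a constructed stand-in for an antivirus database.

```python
"""Minimal file-integrity monitor plus hash-based signature scan (illustrative, constructed)."""
import hashlib
import tempfile
from pathlib import Path

# Constructed stand-in for a malicious document payload; a real AV database
# would hold hashes or patterns for real samples.
SAMPLE_PAYLOAD = b'Sub AutoOpen()\n  Shell "cmd /c whoami"\nEnd Sub\n'
SIGNATURES = {"Macro.AutoOpen.Sample": hashlib.sha256(SAMPLE_PAYLOAD).hexdigest()}


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root: Path) -> dict:
    """Record hash, size and mtime for every regular file under root (the FIM baseline)."""
    snapshot = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            st = p.stat()
            snapshot[str(p.relative_to(root))] = {
                "sha256": sha256_of(p),
                "size": st.st_size,
                "mtime": int(st.st_mtime),
            }
    return snapshot


def diff(old: dict, new: dict) -> dict:
    """Compare two snapshots and report added, removed and modified files."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(k for k in old.keys() & new.keys()
                      if old[k]["sha256"] != new[k]["sha256"])
    return {"added": added, "removed": removed, "modified": modified}


def scan(root: Path, changed: list) -> dict:
    """Hash-match only the files FIM flagged as new or modified against the signature list."""
    hits = {}
    for rel in changed:
        digest = sha256_of(root / rel)
        for name, sig in SIGNATURES.items():
            if digest == sig:
                hits[rel] = name
    return hits


def demo() -> dict:
    """Run the whole flow on a constructed directory and return the findings."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "report.txt").write_text("quarterly numbers\n")
        (root / "config.ini").write_text("mode=safe\n")
        before = baseline(root)

        # Simulated incident: a document is downloaded, a config file is
        # tampered with, and a file is removed after being staged for upload.
        (root / "invoice.doc").write_bytes(SAMPLE_PAYLOAD)
        (root / "config.ini").write_text("mode=unsafe\n")
        (root / "report.txt").unlink()

        changes = diff(before, baseline(root))
        hits = scan(root, changes["added"] + changes["modified"])
        return {"changes": changes, "hits": hits}


if __name__ == "__main__":
    print(demo())
```

In a real deployment the baseline is stored off the monitored host (or signed), because an attacker who can alter files can also alter a baseline kept beside them; the change report is what the analyst reads to answer "what did the document do after it landed", and the signature hit is what turns that report into a block on the next download.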