SC-200 Question #371: Real Exam Question with Answer & Explanation
The correct answer is A: remediate.
Question
You have 1,000 on-premises Windows 11 Pro devices that are onboarded to Microsoft Defender for Endpoint. You have a Microsoft 365 subscription that uses Microsoft Defender XDR.

You identify that an attacker performed the following actions on a device:

- Modified the filesystem path of a registry-based antivirus exclusion
- Downloaded a malicious file to the file system path

You initiate a live response session on the device. You need to undo the registry change.

Which command should you run?
Options
- A. remediate
- B. registry
- C. scan
- D. analyze
Explanation
In a Microsoft Defender for Endpoint live response session, the remediate command is used to undo or reverse malicious changes on a device, including registry modifications. In this scenario, the attacker modified a registry-based antivirus exclusion path; running remediate targets the identified threat artifact and can restore the registry key to its original state. The registry command (B) is not a valid live response command. scan (C) initiates an antivirus scan but does not undo registry changes. analyze (D) is used to run deep analysis on a file, not to remediate registry changes.