SY0-501 Question #188: Real Exam Question with Answer & Explanation

The correct answer is A: Application whitelisting controls blocked an exploit payload from executing.

Submitted by wei.xz · Mar 4, 2026 · Threats, vulnerabilities, and mitigations

Question

A security analyst observes the following events in the logs of an employee workstation: Given the information provided, which of the following MOST likely occurred on the workstation?

Options

  • A. Application whitelisting controls blocked an exploit payload from executing.
  • B. Antivirus software found and quarantined three malware files.
  • C. Automatic updates were initiated but failed because they had not been approved.
  • D. The SIEM log agent was not tuned properly and reported a false positive.

Explanation

Application whitelisting works by allowing only pre-approved programs to run, so when an exploit payload attempts to execute, the whitelist policy blocks it and logs the attempt. This matches what a security analyst would observe as a blocked execution event rather than a deletion or quarantine event. Option B is wrong because antivirus quarantine would produce different log artifacts (scanner detections, file moves to quarantine storage) than a policy-blocked execution. Option C is wrong because update failures leave traces in update service logs, not in execution-blocked events on the workstation. Option D is wrong because a SIEM misconfiguration producing false positives is unlikely to generate the specific, coherent pattern of a blocked payload execution.

Memory tip: Think of whitelisting as a "bouncer with a guest list" - the payload tried to get in, got turned away, and the bouncer logged the attempt. The key signal is blocked execution, not detected and removed (AV) or update failure.

Topics

#Application whitelisting · #Exploit prevention · #Endpoint security
