
SY0-501 Question #427: Real Exam Question with Answer & Explanation

The correct answer is A: Application whitelisting controls blocked an exploit payload from executing. Application whitelisting or a similar application control policy prevented execution of a potentially malicious HTA file even though the antivirus scan did not detect it.

Submitted by salim_om · Mar 4, 2026

Question

A security analyst observes the following events in the logs of an employee workstation:

  1/23 1:07:16 865 Access to C:\Users\user\temp\oasdfkh.hta has been restricted by your administrator by the default restriction policy level.
  1/23 1:07:09 1034 The scan is completed. No detections were found.

The security analyst reviews the file system and observes the following:

  C:\>dir C:\Users\user\temp
  1/23 1:07:02 oasdfkh.hta
  1/23 1:07:02 update.bat
  1/23 1:07:02 msg.txt

Given the information provided, which of the following MOST likely occurred on the workstation?

Options

  • A. Application whitelisting controls blocked an exploit payload from executing.
  • B. Antivirus software found and quarantined three malware files.
  • C. Automatic updates were initiated but failed because they had not been approved.
  • D. The SIEM log aged was not tuned properly and reported a false positive.

Explanation

Application whitelisting or a similar application control policy (the log entry is the Software Restriction Policies "default restriction policy level" block, event 865) prevented execution of a potentially malicious HTA file even though the antivirus scan completed with no detections. The three files in the temp folder share the same timestamp, seven seconds before the scan and fourteen seconds before the block, which is consistent with a dropped payload rather than an update or a logging fault.

Common mistakes.

  • B. The log entry "The scan is completed. No detections were found" directly contradicts the claim that antivirus software found and quarantined malware files.
  • C. There is no information in the provided logs to suggest that automatic updates were initiated or failed due to lack of approval; the primary event is about access restriction.
  • D. The log entry clearly indicates a successful block by a restriction policy, which is a definitive security action, not a false positive caused by SIEM log aging or tuning issues.
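As an added triage example (not part of the original question or explanation), the following Python parses the two log events and the directory listing quoted above, confirms that the block came from a restriction policy while the AV scan was clean, and lists the files dropped alongside the HTA within a short window as artifacts to collect. The regexes, the 30-second window and the log year (the logs carry none) are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample input, re-typed from the events and directory listing
# quoted in the question. The logs carry no year, so LOG_YEAR is an assumption.
LOG_YEAR = 2023
EVENTS = """\
1/23 1:07:16 865 Access to C:\\Users\\user\\temp\\oasdfkh.hta has been restricted by your administrator by the default restriction policy level.
1/23 1:07:09 1034 The scan is completed. No detections were found.
"""
LISTING = """\
1/23 1:07:02 oasdfkh.hta
1/23 1:07:02 update.bat
1/23 1:07:02 msg.txt
"""

EVENT_RE = re.compile(r"^(\d+/\d+) (\d+:\d+:\d+) (\d+) (.+)$")
FILE_RE = re.compile(r"^(\d+/\d+) (\d+:\d+:\d+) (\S+)$")
# Event 865 text: "Access to <path> has been restricted by your administrator ..."
RESTRICTED_RE = re.compile(r"Access to (?P<path>\S+) has been restricted")

def _ts(date, time):
    return datetime.strptime(f"{LOG_YEAR}/{date} {time}", "%Y/%m/%d %H:%M:%S")

def parse_events(text):
    """Parse 'M/D H:M:S <event id> <message>' lines into dicts."""
    return [{"ts": _ts(m[1], m[2]), "id": int(m[3]), "msg": m[4]}
            for line in text.splitlines() if (m := EVENT_RE.match(line.strip()))]

def parse_listing(text):
    """Parse 'M/D H:M:S <name>' directory-listing lines into (timestamp, name)."""
    return [(_ts(m[1], m[2]), m[3])
            for line in text.splitlines() if (m := FILE_RE.match(line.strip()))]

def triage(events, listing, window=timedelta(seconds=30)):
    """Correlate a restriction-policy block with the AV result and with files
    written to the same folder shortly before the block."""
    result = {"blocked_path": None, "av_clean": False, "related_files": [], "verdict": "inconclusive"}
    block_ts = None
    for ev in events:
        m = RESTRICTED_RE.search(ev["msg"])
        if m:
            result["blocked_path"], block_ts = m["path"], ev["ts"]
        elif "No detections were found" in ev["msg"]:
            result["av_clean"] = True
    if block_ts is None:
        return result
    blocked_name = result["blocked_path"].rsplit("\\", 1)[-1]
    # Siblings written within the window are candidate dropper artifacts to collect.
    result["related_files"] = [n for ts, n in listing
                               if n != blocked_name and timedelta(0) <= block_ts - ts <= window]
    result["verdict"] = ("application control blocked execution; AV did not detect the file"
                         if result["av_clean"] else "application control blocked execution")
    return result
```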

Concept tested. Application control policies (whitelisting/blacklisting)

Reference. https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/wdac-design-guide
