During a routine check, you notice a process running with the name 'sysworker' consuming an unusually high amount of system resources on a server. This process is not documented in the company's list of standard applications or services. What is the MOST appropriate first step to take in determining if this process is legitimate or indicative of potential malware?
Restart the server to clear all running processes and reset the system to a known good state.
Immediately terminate the process to prevent potential damage or data loss.
Isolate the server from the network to prevent potential lateral movement or contagion.
Review the server security logs and system configuration to correlate the process activity with any documented change or known application.
The correct answer is 'Review the server security logs and system configuration to correlate the process activity with any documented change or known application.' This choice is correct because it involves checking the system logs and configuration, which could reveal whether the sysworker process is related to a recent change or application update before taking further action. It offers an initial validation step without immediately disrupting potential business-critical services. The other options are less informative as initial steps because they might not provide context on legitimate system changes that could explain the process behavior.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What are server security logs and what information do they typically contain?
Open an interactive chat with Bash
What should I look for in system configuration to assess the legitimacy of a process?
Open an interactive chat with Bash
Why is it important to avoid immediately terminating a suspected malicious process?