CompTIA CySA+ CS0-003 Practice Question
During an active incident response, an analyst has identified a server that has been compromised by malware. The server is part of a clustered database that includes real-time replication to other nodes. To prevent the spread of the malware, which of the following is the BEST course of action to isolate the compromised server while maintaining the highest degree of operational availability?
Start re-imaging the affected server to remove the malware.
Shut down the affected server immediately.
Disconnect the affected server's network connection.
Implement a rule on the firewall to block all traffic from the affected server.