A Windows Server 2022 file server begins generating excessive outbound traffic to an unfamiliar IP address, and users notice slower response times.
Using Task Manager, the administrator finds a process named svcsched.exe running under the LocalSystem account and consuming 40% CPU. The executable resides in C:\Users\Public\svcsched.exe and is not digitally signed. sc qc "Update Orchestrator" reveals that a service with that name launches the same binary and is set to Automatic (Delayed Start). Memory and log captures have already been saved for later forensic review.
Which action is the BEST next step to contain this rogue service while preserving evidence for follow-up analysis?
Run Windows Update to apply missing patches.
Create an outbound firewall rule that blocks port 443 for the server.
Stop the Update Orchestrator service and set its startup type to Disabled.
Delete svcsched.exe and reboot the server immediately.
Stopping the Update Orchestrator service and changing its startup type to Disabled immediately ends the malicious code's execution and prevents it from restarting on reboot. This contains the threat yet leaves the binary and its registry and service entries intact for investigators.
Deleting the file first destroys evidence and may fail while the process is running. Simply installing patches does not address the active malware. Blocking a single outbound port could leave other channels open and does not remove the persistence mechanism.
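As an added illustration (not part of the question or its answer text), the containment and evidence-preservation steps from the explanation, run from an elevated PowerShell session on the server. It assumes "Update Orchestrator" is the service name exactly as passed to sc qc above, that C:\Users\Public\svcsched.exe is its binary, and uses C:\IR as a constructed evidence folder.

```powershell
# Added example: contain the rogue service while preserving evidence.
# Assumptions: 'Update Orchestrator' is the service name (as given to sc qc),
# C:\Users\Public\svcsched.exe is its binary, C:\IR is a constructed evidence path.
$ServiceName = 'Update Orchestrator'
$Binary      = 'C:\Users\Public\svcsched.exe'
$Evidence    = "C:\IR\$(Get-Date -Format yyyyMMdd-HHmmss)"
New-Item -ItemType Directory -Path $Evidence -Force | Out-Null

# 1. Record state BEFORE changing anything: service config, its registry key,
#    the running process, the binary's hash and its current network connections.
sc.exe qc $ServiceName | Out-File "$Evidence\sc_qc.txt"
reg.exe export "HKLM\SYSTEM\CurrentControlSet\Services\$ServiceName" "$Evidence\service_key.reg" /y
Get-CimInstance Win32_Service -Filter "Name='$ServiceName'" |
    Select-Object Name, DisplayName, State, StartMode, StartName, PathName, ProcessId |
    Export-Csv "$Evidence\service_cim.csv" -NoTypeInformation
$Proc = Get-Process -Name svcsched -ErrorAction SilentlyContinue
$Proc | Select-Object Id, StartTime, Path, CPU |
    Export-Csv "$Evidence\process.csv" -NoTypeInformation
Get-FileHash -Path $Binary -Algorithm SHA256 | Out-File "$Evidence\binary_sha256.txt"
Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Where-Object { $_.OwningProcess -in $Proc.Id } |
    Export-Csv "$Evidence\connections.csv" -NoTypeInformation

# 2. Contain: stop the service and stop it from starting again on reboot.
#    The binary and its service/registry entries are deliberately left in place.
Stop-Service -Name $ServiceName -Force
Set-Service  -Name $ServiceName -StartupType Disabled

# 3. Verify: service should be Stopped/Disabled and no svcsched process should remain.
Get-Service -Name $ServiceName | Select-Object Name, Status, StartType
Get-Process -Name svcsched -ErrorAction SilentlyContinue
```

The reg.exe export and Get-FileHash steps only read the service key and the file, so the artifacts an investigator needs (the persistence entry and the unsigned binary) remain untouched after containment.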