A security analyst, reviewing alerts from an Endpoint Detection and Response (EDR) system, notices suspicious command-line activity on a user's workstation indicative of a malware infection. The analyst needs to contain the threat while preserving evidence for a forensic investigation. What is the BEST immediate action for the analyst to take?
Run a full antivirus scan on the workstation while it remains connected to the network.
Immediately power off the workstation to stop the malware's execution.
Disconnect the workstation from the network and immediately re-image it from a known-good backup.
Isolate the workstation from the network but leave it powered on.
The best immediate action is to isolate the workstation from the network but keep it powered on. Isolating the system prevents the potential malware from spreading to other devices on the network (lateral movement) or communicating with external command-and-control servers. Keeping the system powered on is crucial because shutting it down would erase volatile memory (RAM), which contains valuable forensic evidence like running processes, active network connections, and other in-memory artifacts that are essential for analyzing the attack. Powering off the system immediately would destroy this evidence. Running a scan before isolation could allow the malware to spread further. Re-imaging the system is a remediation step that should only occur after a thorough investigation is complete.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
Why is it important to keep a quarantined system powered on?
Open an interactive chat with Bash
What does network isolation entail during the quarantine process?
Open an interactive chat with Bash
What steps are involved in forensic analysis after a system has been quarantined?