Implementing and Operating Cisco Security Core Technologies (SCOR) — Question 425
A company recently discovered an attack propagating throughout its Windows network via a file named abc123456789xyz.exe. The malicious file was uploaded to a Simple Custom Detection list in the AMP for Endpoints Portal, and the policy currently applied to the Windows clients was updated to reference that detection list. Verification scans on known infected systems show that AMP for Endpoints is not detecting the presence of this file as an indicator of compromise. What must be performed to ensure detection of the malicious file?
Answer options
- A. Check the box in the policy configuration to send the file to Cisco Threat Grid for dynamic analysis.
- B. Upload the malicious file to the Blocked Application Control List.
- C. Upload the SHA-256 hash for the file to the Simple Custom Detection List.
- D. Use an Advanced Custom Detection List instead of a Simple Custom Detection List.
Correct answer: B
Explanation
The correct answer is B because uploading the malicious file to the Blocked Application Control List prevents its execution on the endpoints, so the threat is both detected and blocked. The other options either do not address why the current detection is failing or rely on processes that may not give an immediate result for this specific file.