CompTIA A+ Core 2 (220-1102) — Question 59
A technician received a call stating that all files in a user's documents folder appear to be changed, and each of the files now has a .lock file extension. Which of the following actions is the FIRST step the technician should take?
Answer options
- A. Run a live disk clone.
- B. Run a full antivirus scan.
- C. Use a batch file to rename the files.
- D. Disconnect the machine from the network.
Correct answer: D
Explanation
The correct first step is to disconnect the machine from the network, which prevents any malware that might be causing the file changes from spreading further. Running an antivirus scan or attempting to rename the files may not address the immediate threat and could worsen the situation if the malware continues to operate. Cloning the disk is not a priority until the system is secured.