CompTIA CASP+ (CAS-004) — Question 139

A host on a company's network has been infected by a worm that appears to be spreading via SMB. A security analyst has been tasked with containing the incident while also maintaining evidence for a subsequent investigation and malware analysis.
Which of the following steps would be best to perform FIRST?

Answer options

Correct answer: D

Explanation

The best first step is to isolate the infected host from the network (pull the cable, disable its switch port, or move it to a quarantine VLAN) so the worm cannot reach any further SMB targets. Isolation contains the spread while leaving the host running, so volatile evidence such as memory contents, running processes, and open network connections remains available for forensic capture and later malware analysis. Turning off the host immediately would destroy that volatile evidence, while running an anti-malware scan or modifying configuration files would alter the system state and would not contain the threat as quickly as isolation does.
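Before a host can be isolated, the analyst has to know which host is the source. As an added example (not part of the original question or any CompTIA material), the Python script below scans flow records for the pattern the scenario describes: one source opening SMB (TCP/445) connections to many distinct internal peers in a short window. The log lines, IP addresses, window size, and threshold are all constructed for illustration; real flow exports will differ in field order and would be parsed accordingly.

```python
"""Flag hosts fanning out over SMB (TCP/445), the signature of a worm spreading laterally.

Added example for triage: identifies the host that should be isolated first.
Input format (constructed, not from any real incident): "<iso-timestamp> <src> <dst> <dport>"
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample flow records. 10.0.1.15 hits seven different hosts on 445
# within a few minutes (worm-like fan-out); 10.0.1.40 talks to a single file
# server repeatedly (normal); 10.0.1.41 uses 443 only (irrelevant to SMB).
SAMPLE_FLOWS = """\
# ts src dst dport
2024-05-01T10:00:01 10.0.1.15 10.0.1.20 445
2024-05-01T10:00:02 10.0.1.15 10.0.1.21 445
2024-05-01T10:00:02 10.0.1.15 10.0.1.22 445
2024-05-01T10:00:05 10.0.1.15 10.0.1.23 445
2024-05-01T10:00:09 10.0.1.15 10.0.1.24 445
2024-05-01T10:01:30 10.0.1.15 10.0.1.25 445
2024-05-01T10:02:30 10.0.1.15 10.0.1.26 445
2024-05-01T10:20:00 10.0.1.15 10.0.1.30 445
2024-05-01T10:00:03 10.0.1.40 10.0.1.5 445
2024-05-01T10:00:44 10.0.1.40 10.0.1.5 445
2024-05-01T10:01:10 10.0.1.40 10.0.1.5 445
2024-05-01T10:01:12 10.0.1.41 10.0.1.5 443
2024-05-01T10:01:15 10.0.1.41 203.0.113.9 443
"""

SMB_PORT = 445


def parse_flows(text):
    """Parse flow lines into (timestamp, src, dst, dport) tuples; skip blanks and comments."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return flows


def smb_fanout(flows, window=timedelta(minutes=5), threshold=5):
    """Return {src: peak_distinct_targets} for sources that reached >= threshold
    distinct hosts on TCP/445 within any sliding window of the given length."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport == SMB_PORT:
            by_src[src].append((ts, dst))

    flagged = {}
    for src, events in by_src.items():
        events.sort()  # by timestamp
        in_window = Counter()  # dst -> number of flows inside the current window
        left = 0
        peak = 0
        for ts, dst in events:
            in_window[dst] += 1
            # Slide the left edge forward until every event fits in the window.
            while ts - events[left][0] > window:
                old_dst = events[left][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            flagged[src] = peak
    return flagged


if __name__ == "__main__":
    for host, targets in sorted(smb_fanout(parse_flows(SAMPLE_FLOWS)).items()):
        print(f"isolate {host}: {targets} distinct SMB targets in a 5-minute window")
```

The sliding window matters: a backup client or scanner that legitimately touches many hosts over a day should not be confused with a worm that reaches dozens of peers in minutes. Once a source is flagged, the containment order from the explanation applies: disconnect it from the network first, capture volatile state while it is still powered on, and only then consider scans or shutdown.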