CompTIA CySA+ (CS0-001) — Question 122
A security analyst received an alert from the antivirus software identifying a complex instance of malware on a company's network. The company does not have the resources to fully analyze the malware and determine its effect on the system. Which of the following is the BEST action to take in the incident recovery and post-incident response process?
Answer options
- A. Wipe hard drives, reimage the systems, and return the affected systems to ready state.
- B. Detect and analyze the precursors and indicators; schedule a lessons learned meeting.
- C. Remove the malware and inappropriate materials; eradicate the incident.
- D. Perform event correlation; create a log retention policy.
Correct answer: C
Explanation
The correct choice is C because the eradication phase of incident response, which follows containment and precedes recovery, is where the malware and any inappropriate materials it introduced are removed from the affected systems; doing so prevents further damage even when the organization lacks the resources to fully analyze the sample. Option A involves wiping and reimaging, which may not be necessary if the malware can be effectively removed. Option B focuses on analysis and the lessons learned meeting, which are important post-incident activities but do not address the immediate threat. Option D is about improving future responses through correlation and log retention but does not resolve the current incident.