CompTIA CySA+ (CS0-002) — Question 85
A user reports a malware alert to the help desk. A technician verifies the alert, determines the workstation is classified as a low-severity device, and uses network controls to block access. The technician then assigns the ticket to a security analyst who will complete the eradication and recovery processes. Which of the following should the security analyst do NEXT?
Answer options
- A. Document the procedures and walk through the incident training guide
- B. Reverse engineer the malware to determine its purpose and risk to the organization
- C. Sanitize the workstation and verify countermeasures are restored
- D. Isolate the workstation and issue a new computer to the user
Correct answer: C
Explanation
The correct answer is C because the analyst has been assigned the eradication and recovery phases: sanitizing the workstation eliminates the malware (eradication), and verifying that countermeasures are restored returns the host to a protected state (recovery). Options A and B are less immediate than sanitizing the workstation, and option D may be unnecessary if the workstation can be cleaned effectively.