CompTIA CySA+ (CS0-003) — Question 238
A user’s computer is performing slower than the day before, and unexpected windows continually open and close. The user did not install any new programs, and after the user restarted the desktop, the issue was not resolved. Which of the following incident response actions should be taken next?
Answer options
- A. Restart in safe mode and start a virus scan.
- B. Disconnect from the network and leave the PC turned on.
- C. Contain the device and implement a legal hold.
- D. Reformat and reimage the OS.
Correct answer: B
Explanation
The correct answer is B: disconnecting from the network helps prevent any potential spread of malware or data breaches, and leaving the PC turned on preserves evidence, including volatile data in memory that would be lost at power-off. Option A, while a good troubleshooting step, may not contain the issue effectively. Option C is typically used in legal situations and is not necessary here, and option D is a last resort that would result in data loss.