CompTIA CySA+ (CS0-003) — Question 297
A user clicks on a malicious adware link, and the malware successfully downloads to the machine. The malware has a script that invokes command-and-control activity. Which of the following actions is the best way to contain the incident without any additional impact?
Answer options
- A. Disable the user account until the malware investigation is complete.
- B. Review EDR information to determine whether the file was detected and quarantined locally.
- C. Block the server on the proxy and firewall.
- D. Submit a recategorization update to the vendor.
Correct answer: C
Explanation
Blocking the command-and-control server on the proxy and firewall cuts off further communication between the malware and its operator, containing the threat without disrupting the user or the rest of the environment. Disabling the user account does not stop malware that is already running on the machine, and reviewing EDR information or submitting a recategorization update to the vendor, while reasonable follow-up steps, do not provide immediate containment of the incident.