CompTIA Security+ (SY0-601) — Question 176
A research company discovered that an unauthorized piece of software has been detected on a small number of machines in its lab. The researchers collaborate with other machines using port 445 and on the Internet using port 443. The unauthorized software is starting to be seen on additional machines outside of the lab and is making outbound communications using HTTPS and SMB. The security team has been instructed to resolve the problem as quickly as possible while causing minimal disruption to the researchers. Which of the following contains the BEST course of action in this scenario?
Answer options
- A. Update the host firewalls to block outbound SMB.
- B. Place the machines with the unapproved software in containment.
- C. Place the unauthorized application in a blocklist.
- D. Implement a content filter to block the unauthorized software communication.
Correct answer: C
Explanation
The best course of action is to add the unauthorized application to a blocklist, as this prevents it from running and spreading further without significantly disrupting the researchers' work. Blocking outbound SMB alone may not stop the spread of the software, since it also communicates over HTTPS on port 443, which the researchers need for Internet access; isolating the affected machines could hinder research collaboration. Implementing a content filter may be effective but could also disrupt legitimate traffic.