Microsoft Security Operations Analyst — Question 82

You have 1,000 on-premises Windows 11 Pro devices that are onboarded to Microsoft Defender for Endpoint.

You have a Microsoft 365 subscription that uses Microsoft Defender XDR.

You identify that an attacker performed the following actions on a device:

• Modified the file system path of a registry-based antivirus exclusion
• Downloaded a malicious file to the file system path

You initiate a live response session on the device.

You need to remove the malicious file.

Which command should you run?

Answer options

Correct answer: D

Explanation

The correct command to remove a malicious file during a live response session is 'remediate': it is the live response command designed to remediate (remove) a threat entity such as a file on the device. The other options, 'collect', 'getfile', and 'undo', do not delete malicious files from the device.