VMware Security Specialist — Question 7
An analyst has investigated two alerts on two separate HR workstations and found that notepad.exe has established communication to another IP address.
Which rule will kill notepad.exe entirely if this activity is detected in the future?
Answer options
- A. **\system32\notepad.exe --> Communicates over the network --> Terminate process
- B. **\system32\notepad.exe --> Runs or is Running --> Deny operation
- C. **/system32/notepad.exe --> Runs or is Running --> Terminate process
- D. **/system32/notepad.exe --> Communicates over the network --> Deny operation
Correct answer: C
Explanation
Option C is correct because it specifies that if notepad.exe is running, it should be terminated, which directly addresses the situation of unwanted network communication. Options A and D focus on communication but do not address the running state of the process, while option B only denies operation without terminating the process.