Exam SY0-701 topic 1 question 77 discussion

Actual exam question from CompTIA's SY0-701
Question #: 77
Topic #: 1

HOTSPOT -
You are a security administrator investigating a potential infection on a network.

INSTRUCTIONS -
Click on each host and firewall. Review all logs to determine which host originated the infection and then identify if each remaining host is clean or infected.
If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.

Comments

Fazliddin4515
Highly Voted 1 year, 1 month ago
Why are you choosing random answers? Here are the real answers: 22 is the origin; it started the infection first. 37 is clean, because it is able to get new updates and quarantine the malicious file. 41 is infected, because it was not able to quarantine the infected file. 12 is clean, because it is able to get new updates and quarantine the malicious file. 18 is infected, because it was not able to get a new update and quarantine the file. These are the real answers.
upvoted 136 times
baguttebandit
1 month, 2 weeks ago
these are correct
upvoted 1 times
MLKTKN
4 months, 2 weeks ago
Quarantine doesn't mean it hasn't infected. 37 and 12 are still suspicious; we don't know yet if they are clean or infected. I say all are infected and 22 is the origin.
upvoted 1 times
MLKTKN
4 months, 2 weeks ago
Could someone please tell me whether the reveal solutions are correct or not? It says 41 is the origin and the remaining hosts are infected.
upvoted 2 times
trustedtester2
4 months, 3 weeks ago
This is the right answer; ignore all the other people saying different things.
upvoted 2 times
c80f5c5
Highly Voted 1 year ago
Commenting to reiterate Fazliddin's comment:
.22 infected at 2:31 AM; it was infected 12 hrs before all other IPs
.37 clean, quarantined at 2:43 PM
.41 infected at 2:43 PM
.12 clean, quarantined at 2:43 PM
.18 infected at 2:43 PM
I took a Sec+ Bootcamp and they went over this lab; these are the answers they gave us.
upvoted 37 times
Arh2
Most Recent 3 weeks, 6 days ago
41 is the origin since it enabled SMBv1. Everything else is infected, because even if quarantined it is still not cleaned; a device is not considered cleaned until removed completely.
upvoted 1 times
Arh2
3 weeks, 6 days ago
Wouldn't .41 be the origin, since it enabled SMBv1 on the 17th, which is a legacy protocol vulnerable to a ton of things?
upvoted 1 times
kalmax5400
3 months, 3 weeks ago
Here are the solutions: 41 Origin, 37 Infected, 18 Infected, 12 Infected.
upvoted 1 times
Russell15
3 months, 3 weeks ago
No. .22 is the origin, since at 2:31 AM it was infected 12 hrs before all other IPs.
.37 clean, quarantined at 2:43 PM
.41 infected at 2:43 PM
.12 clean, quarantined at 2:43 PM
.18 infected at 2:43 PM
upvoted 1 times
Arh2
3 weeks, 6 days ago
41 initially enabled the ports to allow 22 to infect and spread. 41 is the origin; look at the firewall for SMBv1.
upvoted 1 times
MLKTKN
4 months, 3 weeks ago
REVEAL SOLUTION says so; the REVEAL SOLUTIONS are not correct? 22 Infected, 37 Infected, 41 Origin, 12 Infected, 18 Infected.
upvoted 2 times
AKA1987
4 months, 3 weeks ago
192.168.10.22 ✅ Clean
192.168.10.37 🔴 Infected
192.168.10.41 🔴 Infected
10.10.9.12 🔴 Infected
10.10.9.18 🔴 Infected (Origin)
The firewall logs indicate that 10.10.9.18 was the first to establish outbound communication (16:01:44) to an external IP (57.203.54.183) over SSL (port 443). This is an early indicator that 10.10.9.18 may be the true origin of the infection.
upvoted 4 times
AKA1987
4 months, 3 weeks ago
DeepSeek says (Host: Status):
192.168.10.22 ✅ Clean
192.168.10.37 🔴 Infected (Origin)
192.168.10.41 🔴 Infected
10.10.9.12 🔴 Infected
10.10.9.18 🔴 Infected
upvoted 1 times
MLKTKN
4 months, 2 weeks ago
No, DeepSeek says 22 is the origin.
upvoted 2 times
1798e2e
8 months ago
SMBv1 looks to be the obvious port of issue; however, there's a bigger giveaway above it: an RPC call happening from .22. The Blaster worm is malware that uses RPC to infect and transfer. The difference between GPT and reality can be staggering sometimes. Fazliddin has this right. A PC that has quarantined something is not considered infected, as it's now sitting in a secure system preventing any further transfer/malicious activity.
upvoted 2 times
01a4c2e
8 months, 1 week ago
10.22: scvh0st.exe disabled scheduled scan and update on 4/18 @ 2:31-32 (Infected/Origin). FW >>> 4/18 @ 2:31 57.203.55.29:8080 http
10.37: scvh0st.exe found and quarantined on 4/18 @ 14:37 (Clean)
10.41: scvh0st.exe matched heuristic pattern but was unable to quarantine the file on 4/18 @ 14:37, and then after another scan it was not listed as quarantined. (Infected)
9.12: scvh0st.exe found and quarantined on 4/18 @ 14:37 (Clean)
9.18: scvh0st.exe matched heuristic pattern but was unable to quarantine the file on 4/18 @ 14:37, and then after another scan it was not listed as quarantined. (Infected)
upvoted 5 times
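The rule the highly voted comments apply (earliest malware sighting is the origin; a host is clean only if the file was quarantined and definitions updated; anything else is infected), as an added Python example run over constructed AV log lines modelled on the thread's descriptions. This is not lab output or code from the site; host addresses and the scvh0st.exe name are taken from the thread, timestamps and message wording are assumed.

```python
from datetime import datetime

# Constructed host AV log lines modelled on what the thread describes
# for this lab (not real lab output). Format: host|timestamp|message
HOST_LOGS = """\
192.168.10.22|2024-04-18 02:31:00|scvh0st.exe disabled scheduled scan and update
192.168.10.37|2024-04-18 14:37:00|definitions updated
192.168.10.37|2024-04-18 14:37:30|scvh0st.exe matched heuristic pattern; file quarantined
192.168.10.41|2024-04-18 14:37:00|scvh0st.exe matched heuristic pattern; unable to quarantine file
10.10.9.12|2024-04-18 14:37:00|definitions updated
10.10.9.12|2024-04-18 14:37:30|scvh0st.exe matched heuristic pattern; file quarantined
10.10.9.18|2024-04-18 14:37:00|scvh0st.exe matched heuristic pattern; unable to quarantine file
"""

MALWARE = "scvh0st.exe"  # look-alike of svchost.exe; name taken from the thread

def parse(log_text):
    """Split each constructed line into (host, datetime, message)."""
    events = []
    for line in log_text.strip().splitlines():
        host, ts, msg = line.split("|", 2)
        events.append((host, datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), msg))
    return events

def classify_hosts(log_text):
    """Return {host: 'Origin' | 'Clean' | 'Infected'}.
    Origin: host with the earliest malware sighting.
    Clean: file quarantined AND definitions updated (the thread's rule).
    Infected: every other host that saw the malware."""
    first_seen = {}
    quarantined, updated = set(), set()
    for host, ts, msg in parse(log_text):
        if "definitions updated" in msg:
            updated.add(host)
        if MALWARE not in msg:
            continue
        first_seen[host] = min(ts, first_seen.get(host, ts))
        if "file quarantined" in msg:  # "unable to quarantine file" does not match
            quarantined.add(host)
    origin = min(first_seen, key=first_seen.get)
    result = {}
    for host in first_seen:
        if host == origin:
            result[host] = "Origin"
        elif host in quarantined and host in updated:
            result[host] = "Clean"
        else:
            result[host] = "Infected"
    return result

if __name__ == "__main__":
    for host, status in classify_hosts(HOST_LOGS).items():
        print(f"{host:15} {status}")
```

The thread's disagreement is entirely about the "Clean" rule; treating a quarantined host as still infected only changes the branch in classify_hosts, not the origin determination.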
Monopeeya
8 months, 3 weeks ago
.37 reached out over the internet after the initial virus scan on the 17th, which we know can detect the virus regardless of infected status. It was on 443 (secure port) but was using SSL (outdated, insecure) instead of TLS. This was their "gotcha". Viruses do not come out of nowhere. It had to be one of the two that reached out to the internet after the first scan. You would not see the lateral communication of IPs on either side of the firewall because they are not talking across it. The 192 side of the firewall were the only ones to start trying to make connections to check the software version of the 10 side of the firewall.
.22 - SMBv1 - least secure. Had AV scan completely disabled.
.41 .18 - SMBv2 - a little more secure. Was able to prevent definition updates, preventing QT.
.12 .37 - SMBv3 - secure. Was not able to modify AV scan. Definitions updated. Malware QT'd.
upvoted 2 times
Monopeeya
8 months, 3 weeks ago
TLDR: THE ORIGIN IS NOT .22. .37 Origin (QT'd), .22 (Still Infected), .41 (Still Infected), .12 (QT'd), .18 (Still Infected). I do not know if CompTIA considers a host with quarantined malware as infected, but all PCs had the malware. Here is the breakdown if you are interested.
upvoted 1 times
jsmthy
9 months ago
22 Infected, 37 Origin, 41 Infected, 12 Clean, 18 Infected. 192.168.10.37 is the origin point because it is 1 of 2 IP addresses that accessed the public internet prior to 02:30, has a visible file transfer chain, and is tied to active reconnaissance activity. Furthermore, we must note the firewall's location means only cross-firewall access is recorded to the log. Lateral movement is not recorded. Let's get rid of the incumbent answer: 22 can't be the origin because we must take the host log on the 17th as fact that 22 was clean at that time; otherwise the scan should have triggered the heuristic match on the 17th. It would not have started its own infection when it was perfectly fine, and there is no proof of other file transfers other than the firewall itself. No, I believe 22 was selected as a host with persistence, and the process looks like this: 37 is infected at 16:01 via a malicious file. 12 is infected at 16:35 via SMBv2. 12 sends out a ping sweep at 23:58, identifying active machines on the network. 22 executes a post-exploit payload at 02:30. 18 performs what looks like exfiltration (9GB) at 02:39. This is the limit of what I see with these logs. Maybe I'm overthinking it since this is a CompTIA exam.
upvoted 1 times
FrozenCarrot
9 months, 3 weeks ago
10.22 Origin, 10.37 Clean, 10.41 Infected, 9.12 Clean, 9.18 Infected.
upvoted 2 times
PAWarriors
9 months, 3 weeks ago
Correct answers:
10.22 --> started the infection, and scvh0st.exe disabled scheduled scan and update. (Origin)
10.37 --> the malicious file was in quarantine and it got a new update. (Clean)
10.41 --> no update, unable to quarantine file. (Infected)
9.12 --> the malicious file was in quarantine and it got a new update. (Clean)
9.18 --> no update and unable to quarantine. (Infected)
upvoted 2 times
3330278_111
10 months ago
If .22 is the Origin, then it's also infected, right? The scan got disabled right away, and it continued spreading to the other computers afterwards. So I'm checking both Origin and Infected for .22 if they allow me to
upvoted 2 times
barracouto
11 months, 1 week ago
If I get this question I'm going to think "OH boy do I miss Cici's pizza": 22 - Origin - OH CICI; 37 - Clean; 41 - Infected; 12 - Clean; 18 - Infected.
upvoted 12 times
Viknikpik
4 months, 1 week ago
Did you get this question? Were any of the questions on there?
upvoted 1 times