Taking a snapshot of the VDI would allow us to both analyze and temporarily isolate the threat, as we can then shut it down and proceed to further analyze the snapshot.
The BEST way to analyze diskless malware that has infected a Virtual Desktop Infrastructure (VDI) is to take a memory snapshot of the running system. Memory analysis is a crucial step in malware analysis as it allows security analysts to examine the malware's behavior and activities within the volatile memory space. This method can provide valuable insights into the malware's execution, processes, network connections, and any artifacts left in memory.
Options A, C, and D are not as effective or appropriate for analyzing diskless malware on a VDI. Shutting down the VDI and copying off event logs (Option A) may not be sufficient to capture the transient behavior of the malware in memory. Using NetFlow to identify command-and-control IPs (Option C) might be helpful for network analysis but does not specifically focus on the malware running in memory. Running a full on-demand scan of the root volume (Option D) is more suited to traditional disk-based systems and may not be as effective in analyzing diskless malware in a VDI environment.
B. Take a memory snapshot of the running system.
To analyze diskless malware that has infected a Virtual Desktop Infrastructure (VDI), it would be best to take a memory snapshot of the running system. The malware, being diskless, is likely to exist only in memory, not on disk. A memory snapshot captures the state of the system's memory at a specific point in time and can be analyzed offline, allowing the security analyst to identify and analyze the malware without risking further spread. The memory snapshot can be used to analyze the running processes, loaded modules, and other system activity to determine the source and nature of the malware.
The best way to analyze diskless malware that has infected a VDI would be to take a memory snapshot of the running system. This would capture the state of the system's memory at the time the snapshot was taken, including any malware that may be present in memory. This would allow analysts to examine the malware without running the risk of infecting other systems or allowing the malware to continue operating. Additionally, taking a memory snapshot would allow analysts to examine the malware without shutting down the VDI, which could disrupt other users and potentially cause data loss. Using NetFlow to identify command-and-control IPs and running a full on-demand scan of the root volume would not be as effective in analyzing diskless malware, as they would not provide direct access to the malware itself. Copying off the event logs would also not be as effective, as they may not contain detailed information about the malware.
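The comments above say what a memory snapshot lets an analyst see (running processes, loaded modules, network connections); the following is an added example, not code from the ExamTopics thread or any participant, showing the kind of triage logic an analyst runs over that snapshot to surface memory-only code. It assumes a constructed, simplified process inventory of the sort a memory-analysis framework extracts from a snapshot; every process name, path, address and IP address in it is made up, and the set of on-disk paths stands in for the VDI's golden image.

```python
# Added example (not from the ExamTopics thread): triage logic run over a
# constructed, simplified process inventory of the kind a memory-analysis
# framework extracts from a memory snapshot. Every name, path, address and
# IP below is made up for illustration.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class MemRegion:
    base: int
    size: int
    protection: str               # e.g. "PAGE_EXECUTE_READWRITE"
    backing_file: Optional[str]   # None: anonymous mapping, no file on disk behind it


@dataclass
class Process:
    pid: int
    name: str
    image_path: Optional[str]     # None: no image file recorded for the process
    parent_pid: int
    regions: list = field(default_factory=list)
    connections: list = field(default_factory=list)   # (remote_ip, remote_port)


def triage_process(proc, on_disk):
    """Return indicator strings for one process (empty list = nothing notable).

    on_disk is the set of executable paths present on the VDI's disk image
    (for a pooled VDI, the golden image); anything executing without a file
    there is by definition only observable in memory.
    """
    findings = []
    if proc.image_path is None or proc.image_path not in on_disk:
        findings.append("process image has no backing file on disk")
    for r in proc.regions:
        # Writable+executable memory with no file behind it is the classic
        # footprint of code injected or decoded at runtime.
        if "EXECUTE" in r.protection and "WRITE" in r.protection and r.backing_file is None:
            findings.append(f"anonymous RWX region at {r.base:#x} ({r.size} bytes)")
    if findings:
        # Network state is only reported once the process itself is suspect.
        for ip, port in proc.connections:
            findings.append(f"open connection to {ip}:{port}")
    return findings


def triage_snapshot(processes, on_disk):
    """Map pid -> findings for every process that produced at least one indicator."""
    result = {}
    for p in processes:
        f = triage_process(p, on_disk)
        if f:
            result[p.pid] = f
    return result


# Constructed sample inventory standing in for a parsed snapshot.
SAMPLE_DISK = {
    r"C:\Windows\explorer.exe",
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
}

SAMPLE_PROCESSES = [
    Process(1000, "explorer.exe", r"C:\Windows\explorer.exe", 800,
            regions=[MemRegion(0x7ff600000000, 0x400000, "PAGE_EXECUTE_READ",
                               r"C:\Windows\explorer.exe")]),
    # Script host with an injected, unbacked RWX region and a live connection:
    # nothing new on disk, so only the snapshot shows it.
    Process(2420, "powershell.exe",
            r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", 1000,
            regions=[MemRegion(0x1e4a0000000, 0x20000, "PAGE_EXECUTE_READWRITE", None)],
            connections=[("203.0.113.7", 443)]),
    # Process whose image file is absent from the disk image.
    Process(3100, "svchost.exe", r"C:\Users\Public\svchost.exe", 2420),
]


def run_demo():
    return triage_snapshot(SAMPLE_PROCESSES, SAMPLE_DISK)


if __name__ == "__main__":
    for pid, findings in run_demo().items():
        print(pid, *findings, sep="\n  ")
```

The point of the design is that none of the three signals (image absent from disk, unbacked writable-and-executable memory, a live connection from a suspect process) is visible in event logs, NetFlow or a disk scan on its own; all three come from the snapshot, which is why the snapshot is the artifact worth preserving before the VDI session is torn down.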
Community vote distribution: A (35%), C (25%), B (20%), Other.
Commenters: stoneface (Highly Voted, 2 years, 8 months ago); Protract8593 (Highly Voted, 1 year, 9 months ago); sujon_london (Most Recent, 1 year, 9 months ago); ronniehaang (2 years, 3 months ago); FMMIR (2 years, 4 months ago); lucasvs_ (2 years, 8 months ago).