Exam CS0-002 topic 1 question 69 discussion

Laudy, you never explain the reasoning behind any of your answers. I am beginning to have this nasty feeling that you are here simply to throw people off.

I'm choosing D. In the question it states that the anti-virus is already preventing the file from executing, but it did not remove the file from the device. Later, more developers tried to DOWNLOAD and execute the same file. If the anti-virus is already preventing the execution of the file, then the real issue is the downloading of the file. By blocking the download, you can prevent anyone else from downloading that file while the AV is already preventing the execution of it. Unless by "blacklist" they also mean automatic deletion of said file when discovered and/or prevent it from being downloaded too. Very confusing question that's not written well...

I choose A. The reason is that the question is still asking about what would be done to the tool "The next generation Anti-virus solution" It did ask what other solutions can be used.

By blacklisting the hash, the organization can effectively prevent the adware from spreading and compromising more systems.

D. Block the download of the file via the web proxy. Explanation: Blacklisting the hash in the next-generation antivirus system (Option A): - While blacklisting the hash could prevent the specific file from executing, it may not be a foolproof solution, as attackers can easily modify the file to generate a new hash. Blocking the download of the file via the web proxy (Option D): - This is the most proactive and effective solution. By blocking the download at the web proxy level, you prevent the file from reaching the developer workstations in the first place. This approach stops the problem at its source and helps protect all workstations from potential harm. Therefore, option D is the best choice in this scenario.

Why nobody said C? A developer should not have administrative rights in the machine he is working with. Privilege management: "The principle of least privilege states that an individual should only have the minimum set of privileges necessary to complete their assigned job duties."

Going with A and not D because it doesn't mention that they are downloading it from a website.

A is the best option since blacklisting the app give it no chance of being downloaded at all.

The most correct option is D. If at some point the application is updated, the hash will be different, so it will be useless to check the hash in the next-generation antivirus system. Some people choose option A to prevent installation via USB but do not take into account that if the hash is changed, this option will be invalidated. Therefore, the most correct option is D

Why D? the web browser will inspect and block any attempts to access the blocked URL or stop the attempt of downloading the malicious file. So what if the developers accessed another URL and download the same file, will the web browser prevent this? A is better because the hash itself will be blocked an any attempts to download the file from other websites or other means (aka usb or email) will be detected and stopped… so A is more comprehensive approach

When I blacklist a file in Cisco Secure Endpoint, it automatically deletes it when someone attempts to download it.

Blacklist the hash in the next-generation antivirus system would be the BEST approach to remedy the issue. Since the next-generation antivirus software prevented the file from executing but did not remove it from the device, blacklisting the hash in the antivirus system would prevent the file from executing on any workstation in the future, even if a user tries to download it again.

A. -Can retroactively delete all existing hashes from existing computers -Immediately detects future download Hits two birds in one stone compared to D. which shows A is better (question is asking for the Best)

You know there is a reason why they keep mentioning NGAV!!! Please read this through. https://www.carleton.edu/its/newsletter/news/malwarebytes-next-generation-antivirus/?issue=cybersecurity-2022

D. We are trying to mitigate the download. The current AV is already detecting, just not removing. Blacklisting HASHs would not be as efficient as the AV is already detecting it.

Answer is A - Blocking the download of the file via the web proxy (option D) is also a useful security measure, but it may not be sufficient to prevent the file from being downloaded and executed through other means, such as USB drives or email attachments.

The proxy will prevent it from being downloaded.