Exam SC-200 topic 4 question 11 discussion

Actual exam question from Microsoft's SC-200
Question #: 11
Topic #: 4

You have a Microsoft 365 subscription that uses Microsoft Defender for Endpoint Plan 2 and contains 500 Windows devices.

As part of an incident investigation, you identify the following suspected malware files:

• File1.sys
• File2.pdf
• File3.docx
• File4.xlsx

You need to create indicator hashes to block users from downloading the files to the devices.

Which files can you block by using the indicator hashes?

  • A. File1.sys only
  • B. File1.sys and File3.docx only
  • C. File1.sys, File3.docx, and File4.xlsx only
  • D. File2.pdf, File3.docx, and File4.xlsx only
  • E. File1.sys, File2.pdf, File3.docx, and File4.xlsx
Suggested Answer: E

Comments

liveup2it
Highly Voted 1 year ago
Selected Answer: E
Based on file hashes, you should be able to block each and every file with this hash, regardless of the name of the file.
upvoted 19 times
Krayzr
3 weeks ago
Are There Limitations? Could there be restrictions based on file type or extension? In some security contexts, blocking might focus on execution (e.g., for .exe or .sys) rather than file access. However, Microsoft Defender for Endpoint’s "Block and remediate" action is designed to prevent file operations broadly—reading, writing, or executing—based on hash matches. Documentation and practical use cases confirm that this applies to all file types, including documents like .pdf, .docx, and .xlsx, not just executables. There’s no indication in Plan 2 that certain file extensions are excluded from hash-based blocking.
upvoted 1 times
Krayzr
2 weeks ago
However, given this straightforward link, it should be A: https://learn.microsoft.com/en-us/defender-endpoint/indicator-file#windows-prerequisites
upvoted 1 times
Tuitor01
6 months, 3 weeks ago
I second this...adding though that M$ doesn't recommend using hash based IOC since they can change in a blink of an eye but use App control instead (side note), so Answer E, undoubtedly since a hash is file name and extension agnostic.
upvoted 2 times
Hawklx
Highly Voted 11 months, 1 week ago
Selected Answer: A
This feature is designed to prevent suspected malware (or potentially malicious files) from being downloaded from the web. It currently supports portable executable (PE) files, including .exe and .dll files. Ref: https://learn.microsoft.com/en-us/defender-endpoint/indicator-file
upvoted 6 times
shdwktn
10 months, 3 weeks ago
By this logic and the link you provided, .sys files are not even stated. Maybe I misunderstood.
upvoted 1 times
Syncure
10 months ago
Portable Executable (PE) files include: .exe, .dll, .sys, .ocx, .cpl, .scr. The answer is A at the moment; I don't see Office 365 file support in the MD for Endpoint V2 in this feature.
upvoted 2 times
Feredi
Most Recent 2 weeks, 4 days ago
Selected Answer: A
According to Microsoft Defender for Endpoint documentation, you can block files based on hash only if they are executable. This typically includes: .exe, .dll, .sys, .msi, .scr, .drv, .com
upvoted 2 times
Krayzr
2 weeks ago
https://learn.microsoft.com/en-us/defender-endpoint/indicator-file#windows-prerequisites
upvoted 1 times
QzLP2P
1 month ago
Selected Answer: C
You cannot block pdf https://learn.microsoft.com/en-us/defender-endpoint/indicator-ip-domain?view=o365-worldwide#limitations
upvoted 1 times
RonWonkers
5 months, 1 week ago
Selected Answer: E
You may get a hash for every file and block it.
upvoted 2 times
Avaris
5 months, 2 weeks ago
Selected Answer: E
I am gonna go with a whim and select E for one reason, I remember blocking all types of files including pdfs we block with hashes I think
upvoted 1 times
arturro007
6 months ago
Selected Answer: E
Question is about hashes. You can add any hash to Defender and it will be blocked.
upvoted 1 times
1375514
6 months, 3 weeks ago
Selected Answer: A
https://learn.microsoft.com/en-us/defender-endpoint/indicator-file From Microsoft: "File indicators support portable executable (PE) files, including .exe and .dll files only." Only the .sys is a PE file, therefore it is the only file that can be blocked via file indicator.
upvoted 3 times
Krayzr
2 weeks ago
https://learn.microsoft.com/en-us/defender-endpoint/indicator-file#windows-prerequisites
upvoted 1 times
talosDevbot
8 months, 1 week ago
Selected Answer: A
File indicators only support Portable Execution (PE) files like exe, dll, sys
upvoted 4 times
talosDevbot
8 months, 2 weeks ago
File indicators only support Portable Execution (PE) files like exe, dll, sys
upvoted 2 times
b9cf0e5
9 months ago
Answer is D: Blocking .sys files could affect system functionality, and thus Defender for Endpoint does not allow blocking system-critical files.
upvoted 2 times
g_man_rap
10 months ago
Selected Answer: A
Key Points: Executable Files: Microsoft Defender for Endpoint can block executable files such as .exe, .dll, .sys, and other similar types. Non-Executable Files: Generally, Microsoft Defender for Endpoint does not allow blocking of non-executable files (e.g., .pdf, .docx, .xlsx) by file hash using the same indicator mechanism designed for executables.
upvoted 6 times
Krayzr
2 weeks ago
https://learn.microsoft.com/en-us/defender-endpoint/indicator-file#windows-prerequisites
upvoted 1 times
smanzana
10 months, 3 weeks ago
E https://learn.microsoft.com/en-us/defender-endpoint/indicator-file
upvoted 1 times
Rodwhite
11 months ago
Selected Answer: E
I took the hash from (.pdf, sys, doc,) and each file and was able to upload successfully. Therefore, the answer is E.
upvoted 1 times
phoenix5
11 months, 4 weeks ago
Answer - C (.sys, .docx, .xlsx) as per this explanation by Copilot - You can create indicator hashes to block executable files with the following extensions: .exe, .dll, and .sys. Additionally, Office files like .docx and .xlsx can also be blocked using indicator hashes. However, PDF files cannot be blocked using indicator hashes in Microsoft Defender for Endpoint.
upvoted 3 times
ada26b1
12 months ago
Selected Answer: E
Surely you can block all of them
upvoted 1 times
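
Two points recur in the comments above: a hash depends only on file content, not on name or extension, and the Microsoft documentation quoted by several commenters limits file indicators to portable executable (PE) files. The following is an added example (not from the page, its commenters, or Microsoft) that hashes constructed sample bytes with SHA-256 and checks for the standard MZ/PE signature. The sample contents, the name `invoice.pdf`, and the helper names are assumptions, and the check does not reproduce how Defender itself classifies files.

```python
import hashlib
import struct

def sha256_hex(data: bytes) -> str:
    """Hash the content only; a file's name never enters the digest."""
    return hashlib.sha256(data).hexdigest()

def is_pe(data: bytes) -> bool:
    """True if data has an MZ DOS header whose e_lfanew field points at the PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # An out-of-range offset yields an empty slice, so this is False rather than an error.
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def minimal_pe_stub() -> bytes:
    """Constructed sample: DOS header, PE signature, zeroed COFF header (not loadable)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return bytes(dos) + b"PE\x00\x00" + bytes(20)

# Constructed sample contents keyed by the file names used in the question.
SAMPLES = {
    "File1.sys": minimal_pe_stub(),
    "File2.pdf": b"%PDF-1.7\n% constructed sample\n",
    "File3.docx": b"PK\x03\x04" + b"docx-sample",   # OOXML files are ZIP containers
    "File4.xlsx": b"PK\x03\x04" + b"xlsx-sample",
    "invoice.pdf": minimal_pe_stub(),  # hypothetical renamed copy of File1.sys
}

def triage(files):
    """Return (name, sha256, is_pe) rows sorted by name."""
    return [(n, sha256_hex(d), is_pe(d)) for n, d in sorted(files.items())]

def pe_names(files):
    """Names whose content, not extension, carries a PE header."""
    return [name for name, _, pe in triage(files) if pe]

if __name__ == "__main__":
    for name, digest, pe in triage(SAMPLES):
        print(f"{name:12} {digest[:16]}...  PE={pe}")
```

The renamed copy produces the same digest as `File1.sys` and is still detected as PE, while the PDF and Office samples are not PE regardless of their hashes.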
Community vote distribution: A (35%), C (25%), B (20%), Other