ExamTopics Logo
Mail Us[email protected]
Menu
Microsoft Discussions
exam questions

Exam SC-200 All Questions

View all questions & answers for the SC-200 exam
Go to Exam

Exam SC-200 topic 1 question 4 discussion

Actual exam question from Microsoft's SC-200
Question #: 4
Topic #: 1
[All SC-200 Questions]

Your company uses line-of-business apps that contain Microsoft Office VBA macros.
You need to prevent users from downloading and running additional payloads from the Office VBA macros as additional child processes.
Which two commands can you run to achieve the goal? Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.
A.

B.

C.

D.

Show Suggested Answer Hide Answer
Suggested Answer: BC
Reference:
https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction
by JohnAvlakiotis at Sept. 29, 2021, 10:29 p.m.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
JohnAvlakiotis
Highly Voted 3 years, 8 months ago
Should be A, D.
upvoted 111 times
Metasploit
8 months, 4 weeks ago
A,D. These are 2 complete solutions on their own. Not a step by step by step. 1) Add the rule and enable it. 2) Add the rule, set the rule to overwrite existing rules, and enable it. "Set-MpPreference will always overwrite the existing set of rules. If you want to add to the existing set, use Add-MpPreference instead." https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-attack-surface-reduction?view=o365-worldwide#powershell The command does not need to mention anything about block because the GUID references a Rule with already set actions. Configuration Manager name: Block Office application from creating child processes GUID: d4f940ab-401b-4efc-aadc-ad5f3c50688a https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference?source=recommendations&view=o365-worldwide#block-all-office-applications-from-creating-child-processes
upvoted 24 times
...
AlaReAla
3 years, 8 months ago
I echo, as the requirement is not for audit, but to prevent. So the answer should be A & D.
upvoted 17 times
Startkabels
3 years, 8 months ago
Agree, auditing doesnt prevent anything only monitors and reports
upvoted 2 times
...
JohnAvlakiotis
3 years, 8 months ago
Agreed, link to reinforce https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-attack-surface-reduction?view=o365-worldwide#powershell
upvoted 7 times
...
...
smanzana
1 year, 7 months ago
I agree, A and D
upvoted 1 times
...
BMG6
1 year, 9 months ago
agree @JohnAvlakiotis A,D... The question or task is to PREVENT. Audits do not accomplish this task.
upvoted 8 times
...
...
Haz56
Highly Voted 3 years, 6 months ago
I would say A&D as the question states "Each correct answer presents a complete solution.", so choosing one of the audit options would not be a complete solution on its own to prevent the action
upvoted 14 times
pedromonteirozikado
3 years, 4 months ago
Yes, normally we add a new audit policy with Add-MpPreference and change the policy to enabled with Set-MpPreference, but in this case, each correct answers presents a complete solution, A&D Right, cause Set can change and create policies too, and Add-MpPreference can only add new policies.
upvoted 2 times
...
...
Nikki0222
Most Recent 7 months, 3 weeks ago
Answer is A,D
upvoted 4 times
...
Hawklx
11 months ago
It is A and D but we cannot vote for it
upvoted 4 times
...
4b097e5
11 months, 3 weeks ago
A and D is correct since we need to prevent users and not monitor them.
upvoted 2 times
...
Harryd82
1 year, 1 month ago
A & D is correct answer
upvoted 1 times
...
28meters
1 year, 1 month ago
It is A and D. B and C Place their respective commands in audit mode, which only generates logs and does not take any other action
upvoted 1 times
...
AVN1711
1 year, 1 month ago
correct me if I am wrong, but: first sentence is "Your company uses line-of-business apps that contain Microsoft Office VBA macros." that is mean you already have something and it should work, so you set to Audit only as an exclusion for this particular Macros you need to use, al others/new still gonna be blocked.. so the correct answer is B and C
upvoted 1 times
...
Dracula666
1 year, 7 months ago
Add-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EfC-AADC-AD5F3C50688A -AttackSurfaceReductionRules_Actions Enabled https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/defender-endpoint-demonstration-attack-surface-reduction-rules?view=o365-worldwide#scenario-2-asr-rule-blocks-the-test-file-with-the-corresponding-vulnerability Set-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EFC-AADC-AD5F3C50688A -AttackSurfaceReductionRules_Actions Enabled https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshooting-mode-scenarios?view=o365-worldwide
upvoted 1 times
...
donathon
1 year, 9 months ago
should be AD.
upvoted 1 times
...
tatendazw
2 years ago
A&D https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-attack-surface-reduction?view=o365-worldwide#powershell
upvoted 2 times
...
wyindualizer
2 years, 2 months ago
https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-attack-surface-reduction?view=o365-worldwide
upvoted 1 times
...
SavageJ
2 years, 2 months ago
Set-MpPreference -AttackSurfaceReductionRules_Ids <rule ID> -AttackSurfaceReductionRules_Actions Enabled -- Add-MpPreference -AttackSurfaceReductionRules_Ids <rule ID> -AttackSurfaceReductionRules_Actions AuditMode
upvoted 1 times
...
Nailik_Ms
2 years, 4 months ago
Audit does not mean Blocking Question stands for "You need to prevent users from downloading and running additional payloads from the Office VBA macros as additional child processes." Auditing something you are not implementing anything to prevent, but to gain the knowledge to later on take the action you want to.
upvoted 2 times
...
Atun23
2 years, 8 months ago
According to MS content this should be A and D, because the company is trying to prevent, not checking first if it will work. Audit mode for evaluation Use audit mode to evaluate how attack surface reduction rules would affect your organization if enabled. Run all rules in audit mode first so you can understand how they affect your line-of-business applications. Many line-of-business applications are written with limited security concerns, and they might perform tasks in ways that seem similar to malware. By monitoring audit data and adding exclusions for necessary applications, you can deploy attack surface reduction rules without reducing productivity
upvoted 2 times
...
ArunRavilla
2 years, 8 months ago
It is A & D. I am 100% sure.
upvoted 2 times
...
Sango
2 years, 9 months ago
A and D are the only logical two: Must use Set-MpPreference with Enabled and then Add-MpPreference with Enabled. Audit does not block.
upvoted 2 times
...
Load full discussion...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel