After a file disposition changes from unknown to malicious, what is the next step that should be taken?
- Run the file in a sandbox to verify if it is malicious and to determine the file behaviors.
- Create a new IPS signature to detect the malicious file.
- Go back to the system where the file was previously seen and quarantine the malicious file.
- Run a file retrospective analysis in the cloud using machine learning to determine the file SHA.
Explanation & Hint:
When a file's disposition changes from unknown to malicious in a system such as Cisco AMP for Endpoints (a retrospective detection), the next step is to go back to every system where the file was previously seen and quarantine it. The disposition change is itself the result of cloud analysis of a file already identified by its SHA-256 hash, so re-running the file in a sandbox or "determining the SHA" adds nothing at this point; that hash is exactly what lets the console trace where the file has been seen since it was first observed. Quarantining isolates the file so it cannot execute, spread, or cause further damage on the affected host or across the network. A new IPS signature may follow, but it only protects against future transfers and does nothing for copies already on disk. After the file is quarantined, investigate the file trajectory to establish the scope of the incident (which hosts saw the file, whether it executed, and what it touched) and take the appropriate remediation steps.
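The response above, expressed as code: an added example written for this page, not Cisco AMP code or its API. It assumes a constructed log of file sightings (host, SHA-256, path, timestamp, whether the file executed) and shows why the hash matters for retrospection: once the disposition of a hash flips to malicious, the same hash indexes every earlier sighting, and each affected host gets a quarantine action, with hosts where the file actually ran flagged for deeper scoping. All hashes, hostnames, and paths are placeholders.

```python
"""Retrospective quarantine on a disposition change (illustrative only)."""
from collections import defaultdict

# Placeholder hashes; a real disposition change would reference a real SHA-256.
SHA_BAD = "ab" * 32   # hypothetical hash whose disposition flips to malicious
SHA_OK = "cd" * 32    # hypothetical hash that stays clean

# Constructed file-sighting events, in the spirit of an endpoint file trajectory.
EVENTS = [
    {"host": "ws-01", "sha256": SHA_BAD, "path": r"C:\Users\alice\Downloads\invoice.exe",
     "ts": "2024-01-10T09:12:00Z", "executed": True},
    {"host": "ws-02", "sha256": SHA_BAD, "path": r"C:\Temp\invoice.exe",
     "ts": "2024-01-10T09:40:00Z", "executed": False},
    {"host": "ws-01", "sha256": SHA_BAD, "path": r"C:\Temp\copy.exe",
     "ts": "2024-01-11T08:00:00Z", "executed": False},
    {"host": "srv-03", "sha256": SHA_OK, "path": r"C:\Program Files\tool\tool.exe",
     "ts": "2024-01-09T12:00:00Z", "executed": True},
]


def index_sightings(events):
    """Index sightings by hash so a later disposition change can look them up."""
    idx = defaultdict(list)
    for e in events:
        idx[e["sha256"]].append(e)
    return idx


def on_disposition_change(sha256, old, new, sightings):
    """Return one quarantine action per host that previously saw the hash.

    Only a change *to* malicious triggers quarantine; other transitions
    (e.g. unknown -> clean) produce no actions. Each action records every
    path seen on that host, the earliest sighting, and whether the file
    executed there, which drives the follow-up scoping investigation.
    """
    if new != "malicious":
        return []
    by_host = defaultdict(list)
    for e in sightings.get(sha256, []):
        by_host[e["host"]].append(e)
    actions = []
    for host, hits in sorted(by_host.items()):
        actions.append({
            "action": "quarantine",
            "host": host,
            "sha256": sha256,
            "paths": sorted({h["path"] for h in hits}),
            "first_seen": min(h["ts"] for h in hits),
            "executed": any(h["executed"] for h in hits),
            "previous_disposition": old,
        })
    return actions


if __name__ == "__main__":
    idx = index_sightings(EVENTS)
    for act in on_disposition_change(SHA_BAD, "unknown", "malicious", idx):
        scope = "ran: investigate host" if act["executed"] else "never ran"
        print(f'{act["host"]}: quarantine {act["paths"]} '
              f'(first seen {act["first_seen"]}, {scope})')
```

Hosts where the file executed (here ws-01) are the ones whose device trajectory should be reviewed next; ws-02 only held a copy, so quarantining it closes that exposure.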