

CompTIA CS0-003 Exam - Topic 2 Question 48 Discussion

Actual exam question for CompTIA's CS0-003 exam
Question #: 48
Topic #: 2

A security analyst has received an incident case regarding malware spreading out of control on a customer's network. The analyst is unsure how to respond. The configured EDR has automatically obtained a sample of the malware and its signature. Which of the following should the analyst perform next to determine the type of malware, based on its telemetry?

Suggested Answer: A

The EDR has already produced the two things a lookup needs: a sample and its signature (a file hash such as SHA-256, or the vendor's detection name). Cross-referencing that signature against open-source threat intelligence (for example MalwareBazaar, a MISP community feed or a VirusTotal search) is the fastest way to identify the malware family, and with the family come the known indicators of compromise, propagation method and mitigation guidance the analyst needs while the outbreak is still spreading. The other options do not answer the question asked: configuring the EDR to perform a full scan measures how far the infection has spread but tells the analyst nothing new about what the malware is; transferring the sample to a sandbox yields behavioural data but is the slower follow-up, appropriate when the signature matches nothing, not the next step when a signature is already in hand; logging in to affected systems and running netstat shows one host's current network connections, which may not even include the malware's activity and does not identify the family. One caveat: an exact-hash match only works for samples the community has already seen. A repacked or polymorphic variant carries a new hash, so the lookup should also use the detection name and, where the feed supports them, similarity hashes such as ssdeep or TLSH, and fall back to sandbox detonation when nothing matches.
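As an added, runnable illustration (not code from the page, the exam vendor or any EDR product), the Python below sketches the lookup the suggested answer describes: hash the quarantined sample, check it against a local copy of an open-source intel feed, and fall back on the vendor detection name when the hash is new. The sample bytes, the feed contents, the family name and the tags are all constructed for the example; in practice the feed would be an export from MalwareBazaar or MISP, or a VirusTotal lookup.

```python
"""Cross-reference an EDR-quarantined sample against an open-source threat
intel feed.  Everything here is a constructed, offline illustration: the
sample bytes, the feed and the family names are made up for the example."""
import hashlib
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class IntelRecord:
    family: str
    tags: tuple
    source: str


def sha256_hex(data: bytes) -> str:
    """Hash the quarantined sample the way EDR signatures are usually exported."""
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for the bytes the EDR collected; not real malware.
SAMPLE_KNOWN = b"MZ\x90\x00constructed-sample-already-in-the-feed"
SAMPLE_VARIANT = b"MZ\x90\x00constructed-repacked-variant-new-hash"
SAMPLE_UNKNOWN = b"MZ\x90\x00constructed-never-seen-before"

# Constructed feed in the shape of a MalwareBazaar/MISP hash export, keyed by
# sha256 so the lookup is a dictionary hit.  The hash is derived from the
# constructed bytes above so the example runs without network access.
FEED = {
    sha256_hex(SAMPLE_KNOWN): IntelRecord(
        "Emotet", ("loader", "spreads-via-smb", "c2-http"), "constructed-feed"),
}

# Vendor detection names are not standardised ("Trojan:Win32/Emotet.RC!MTB",
# "W32.Emotet.gen", ...).  Drop platform/class noise and keep the first token
# that looks like a family name.
_NOISE = {"trojan", "worm", "backdoor", "ransom", "virus", "heur", "w32",
          "win32", "win64", "msil", "generic", "downloader", "dropper",
          "malware", "gen", "variant"}


def family_from_detection_name(name: str) -> str:
    for token in re.split(r"[^A-Za-z0-9]+", name):
        if len(token) >= 3 and token.lower() not in _NOISE:
            return token.lower()
    return ""  # purely generic/heuristic name: no family to pivot on


def classify_sample(data: bytes, detection_name: str, feed=FEED) -> dict:
    """Return what the intel says about the sample and what to do next.

    Tier 1: exact hash match (strongest evidence).
    Tier 2: family recovered from the vendor detection name (new variant of
            a known family; weaker evidence, still gives family-level IOCs).
    Tier 3: nothing matched; behavioural analysis in a sandbox is the fallback.
    """
    digest = sha256_hex(data)
    rec = feed.get(digest)
    if rec is not None:
        return {"sha256": digest, "method": "hash-match", "family": rec.family,
                "tags": list(rec.tags),
                "next_step": "apply the family's IOCs and containment playbook"}
    family = family_from_detection_name(detection_name)
    if family:
        known = next((r for r in feed.values() if r.family.lower() == family), None)
        return {"sha256": digest, "method": "detection-name", "family": family,
                "tags": list(known.tags) if known else [],
                "next_step": "confirm in a sandbox; pivot on family-level IOCs"}
    return {"sha256": digest, "method": "none", "family": None, "tags": [],
            "next_step": "detonate in a sandbox to collect behavioural telemetry"}


if __name__ == "__main__":
    for sample, name in ((SAMPLE_KNOWN, "Trojan:Win32/Emotet.RC!MTB"),
                         (SAMPLE_VARIANT, "W32.Emotet.gen"),
                         (SAMPLE_UNKNOWN, "Trojan.Win32.Generic!BT")):
        print(classify_sample(sample, name))
```

The three tiers mirror the reasoning above: the exact hash settles the question outright, the detection name still recovers a family for a repacked variant, and only when both fail does the sandbox become the next step. Similarity hashes (ssdeep, TLSH) would slot into the first tier if the feed you export carries them.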


Contribute your Thoughts:

Izetta
2 months ago
Cross-referencing with threat intel could save time too!
upvoted 0 times
...
Berry
2 months ago
Wait, can you really trust the EDR's findings?
upvoted 0 times
...
Shizue
2 months ago
Not sure about that, a full scan might be more effective first.
upvoted 0 times
...
Ilene
2 months ago
Totally agree, sandboxing is key for analysis!
upvoted 0 times
...
Janey
3 months ago
I think transferring the malware to a sandbox is the best move.
upvoted 0 times
...
Pete
3 months ago
I vaguely recall that using netstat is more for network analysis, not directly for identifying malware types. So, I'm not sure that's the right choice here.
upvoted 0 times
...
Darrin
4 months ago
I feel like running a full scan with the EDR might just slow things down. I’m not confident that it would give us the specific details we need right away.
upvoted 0 times
...
Francoise
4 months ago
I remember practicing a similar question where transferring malware to a sandbox was emphasized. It seems like a safe way to analyze it without risking the network.
upvoted 0 times
...
Carey
4 months ago
I think cross-referencing the signature with open-source threat intelligence could help identify the malware type, but I'm not entirely sure if that's the best first step.
upvoted 0 times
...
Shawna
4 months ago
Ah, this is a classic incident response scenario. I think the best approach here is to cross-reference the signature with threat intelligence first, and then if that doesn't provide enough information, move on to the sandbox analysis.
upvoted 0 times
...
Ryan
4 months ago
I've seen this type of question before. My strategy would be to transfer the malware sample to a sandbox and see what it does. That should give me a good idea of the malware's behavior and capabilities.
upvoted 0 times
...
Celestine
5 months ago
Okay, I'm a bit confused here. The question mentions the EDR has already obtained a sample of the malware, so I'm not sure if I should just go straight to analyzing that in a sandbox environment.
upvoted 0 times
...
Andrew
5 months ago
Hmm, this looks like a tricky one. I think I'll start by cross-referencing the signature with open-source threat intelligence to see if I can get some clues about the type of malware.
upvoted 0 times
...
Raul
5 months ago
I agree with Leonora, analyzing the malware in a sandbox environment is the best way to determine its type.
upvoted 0 times
...
Leonora
5 months ago
I think the analyst should transfer the malware to a sandbox environment.
upvoted 0 times
...
Margo
5 months ago
I agree with Jovita, C is the way to go. Gotta contain that malware before it spreads even further! Sandbox it up!
upvoted 0 times
Dana
2 months ago
Let's get that malware isolated!
upvoted 0 times
...
Leota
2 months ago
Sandbox it up! Great idea!
upvoted 0 times
...
Carline
3 months ago
C is definitely the best option here.
upvoted 0 times
...
Devorah
3 months ago
Totally agree! Need to contain it fast.
upvoted 0 times
...
...
Amber
6 months ago
B is a good option too. A full scan could help identify the extent of the infection and any other affected systems.
upvoted 0 times
Sage
5 months ago
A) Cross-reference the signature with open-source threat intelligence.
upvoted 0 times
...
...
Jovita
6 months ago
Definitely C. Putting the malware in a sandbox is the way to go to analyze it without risking the rest of the network. That's what I'd do if I were the analyst.
upvoted 0 times
Romana
5 months ago
C) Transfer the malware to a sandbox environment.
upvoted 0 times
...
Josephine
5 months ago
B) Configure the EDR to perform a full scan.
upvoted 0 times
...
Reita
5 months ago
A) Cross-reference the signature with open-source threat intelligence.
upvoted 0 times
...
...
