Exam SY0-601 topic 1 question 731 discussion

192.168.10.22 - origin - scans disabled on this host by svchost 192.168.10.37 - clean - scan found and quarantined svchost 192.168.10.41 - infected - heuristic pattern match but failed to quarantine svchost 10.10.9.12 - clean - scan found and quarantined svchost 10.10.9.18 - infected - heuristic pattern match but failed to quarantine svchost I came to this conclusion for origin because the time stamp on this host disabling its scan is 14:31. This is also the time it opened a connection to an 8080 HTTP port. All other hosts scans detected svchost at the exact same time of 14:37:37. The two infected computers opened connections over 8080 a few minutes later. So based on the logs, the timeframes, and the port connections, 22 would have been the first one making it the origin. If someone's got better let me know.

Passed my test with a score of 821 yesterday. All PBQs and 95% of the questions were from this dump. Review the last 250 or so questions closely. Can't overstate how helpful this site (and you all) were. Good luck guys!

🟢 all this PBQ in this website with the logs and correct answer , Cyberani. org , enjoy

I am not able to locate the logs. Could any one can post here for reference?

where are the details of the question. How do I view the logs

Passed my exam this morning, this simulation was there. I chose what Narobi added. When I opened the PC I was able to confirm the findings by scrolling all the way to the bottom where some clearly showed "quarantined".

04/09/24 this question was on the exam. I have a free account so I only went up to 400 questions barely any of those MQ's showed up. I highly suggest you go over the comments and understand it to apply logic.

the hard part, initially, was finding the origin. At first I thought it was 10.10.9.18 since it connected to the nasty server first in the log, however, the first address (in the log) to connect using RPC (a vector found on MS systems) was 192.168.10.22 to 10.10.9.12, then 10.10.9.12 via rpc to 192.168.10.41 The only thing weird is that 10.10.9.18 made an RPC connection, but had not been tapped by 192.168.10.22 first (meaning it had to already be infected). Hmmm. Maybe I'm wrong again.

Was on the exam today. My first PBQ

This was on the exam 1/21/24

Just passed the exam. PBQ 153, 731, 733, 734 were on there.

This was on my exam 29.12.23

192.168.10.22 – Origin & Infected 10.10.9.18 – Infected 192.168.10.37 & 10.10.9.12 & 192.168.10.41- Clean

What is origin? And where are the logs from the servers and firewall? How did some of you answered the question without any provided information?

There is some missing info with this question.

Based on the logs, it seems that the host that originated the infection is 192.168.10.22. This host has a suspicious process named svchost.exe running on port 443, which is unusual for a Windows service. It also has a large number of outbound connections to different IP addresses on port 443, indicating that it is part of a botnet. The firewall log shows that this host has been communicating with 10.10.9.18, which is another infected host on the engineering network. This host also has a suspicious process named svchost.exe running on port 443, and a large number of outbound connections to different IP addresses on port 443. The other hosts on the R&D network (192.168.10.37 and 192.168.10.41) are clean, as they do not have any suspicious processes or connections.

Where is the F logs?