Exam CS0-003 topic 1 question 229 discussion

Another terrible question by CompTIA. An analyst can't simply subscribe on the fly to a paid service while an incident is ongoing. That is done at the management level, so C is the only logical answer (which isn't even the best way to go about it).

A sandbox environment is a secure, isolated virtual space where untrusted programs can be run safely. It prevents the malware from interacting with the host system or network, thereby protecting the organization’s network from potential harm. This is particularly important when dealing with polymorphic malware, which can change its code to evade detection, and malware that requires an internet connection, as it may communicate with an external server or download additional malicious components.

C for me can't understand why you would subscribe at work.

The best option is : D. Subscribe to an online service to create a sandbox environment. Explanation: The malware is polymorphic (it changes its code to evade detection) and has built-in conditional triggers, meaning it may only activate under certain conditions, such as an internet connection or CPU usage. Using a dedicated malware analysis sandbox provided by a professional security service ensures that the malware can be examined in a controlled and isolated environment without risking organizational assets. These online sandboxes offer automated analysis, behavioral monitoring, and network traffic inspection without exposing the company’s infrastructure.

Some malware can detect if it is being run in a VM. Also there is the possibility for a VM Escape if you run it from an Analysts machine which I can guarntee has valuble information on it. Best bet is to upload that sample to anyrun (free online sandbox). Once you confirm your findings you can share with other analyst through the sandbox platform.

They set a trap with D. Most saw sandbox and went with it. You can set up a VM and isolate it from the network (also known as a sandbox and won't cost you additional resources or take more time). Cloud can take a while and keep in mind... You likely have a deadline (SLA). If you've set up a home lab you are aware of this for sure. Using a "Host-Only Adapter" or private network would ensure your tested environment can't communicate with your network allowing your to freely detonate malware on your VM.

No idea why you would upload malware to a cloud service... Going with C here.

In a professional SOC environment, decisions about subscribing to external services like sandboxing platforms are typically made at an organizational level, not on the fly by individual analysts. SOCs usually have established processes, tools, and subscriptions in place for malware analysis, and analysts would use those internal resources to handle incidents.

Its suposed to protect the organization's network, so why u should go online? D is wrong for me