A company wants to improve its active protection capabilities against unknown and zero-day malware. Which of the following is the MOST secure solution?
Sandbox security testing proactively detects malware by running suspicious code in a safe and isolated environment and monitoring the behavior and outputs of the code. This is known as "detonation". The major advantage of sandbox-based security testing is that it can reliably detect unknown threats.
Crazy, because you know, if you have an application ALLOW list (app whitelist), that means unknown malware wouldn't even be allowed to run in your environment; hence zero-days would be mostly covered. Basically, with an app whitelist you're reducing your attack surface for zero-days. Sandboxing only allows for testing of malware; it does not necessarily provide active protection capabilities.
The most secure solution against unknown and zero-day malware is a layered security approach that heavily utilizes advanced threat detection techniques powered by artificial intelligence (AI) and machine learning (ML), including sandboxing, behavioral analysis, and heuristic detection, combined with a robust firewall, regular software updates, and strict user access controls; this allows for proactive identification of suspicious activity even when the malware signature is completely unknown.
Sandboxing is isolating suspicious files in a controlled environment to observe their behavior without risking the wider network, allowing for detailed analysis of potential zero-day exploits.
I think sandboxing is more effective. Stuxnet relied on exploiting Windows and Siemens PLC software. Aurora exploited Internet Explorer, which would likely be whitelisted in most environments. EternalBlue targeted SMB protocol vulnerabilities in Windows. Since SMB services are part of the operating system, whitelisting wouldn’t block this exploit.
B, by definition, cannot solve the problem. Think about it: you can't know if an application you've whitelisted has "UNKNOWN" malware unless you've tested it somehow, i.e. sandbox detonation. Correct answer is C.
The goal is to protect against unknown and zero-day vulnerabilities. Since these are unknown, you would want to allow only known and trusted applications to run. B and C are correct, but due to the question, B is the correct answer.
C. Sandbox detonation: This involves executing incoming files in a controlled environment (sandbox) to see if they display any malicious behaviors. If they do, they are flagged as malicious.
I believe C is the answer because an application allow list is going to obviously prevent the use of applications on a system. Zero-day malware may be present in software that you or your organization need to use. Therefore denying the use of that application isn't the answer. Detonating within a sandbox to determine if there are any issues would proactively work against the problem.
Application whitelisting = best defense
Source: Verifying each answer against ChatGPT, my experience, other test banks, a written book, and weighing in the discussion from all users to create a 100% accurate guide for myself before I take the exam. (It isn't easy because of the time needed, but it is doing my diligence.)
Application allow list (whitelist / permit list) is really the only "active" approach you can take defensively in regard to zero-day or unknown malware. This is actively lowering the vectors of attack through possible malicious software being downloaded.
B, application allow list. This is an active control. The vote percentages are skewed for this question because people are not selecting a "voting comment".
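The thread argues about two controls without ever showing how they differ in practice: the allow-list reasoning above (an unknown binary never runs, but a whitelisted application that gets exploited does), and the detonation description above (execute the sample in isolation, score what it does, flag it). The following Python model is an added example, not code from the question page or from any vendor product. The image bytes, hash list, behaviour names, weights and threshold are all constructed for illustration; a real deployment takes hashes from a signed software inventory and behaviour rules from the sandbox's own instrumentation.

```python
import hashlib

# Added example (not from the question page or any vendor product): a
# minimal model of the two controls argued about in the thread.
# Everything here is constructed for illustration.

# --- Control 1: application allow list, keyed by SHA-256 of the image ----
# Constructed "executables": real deployments take these hashes from a
# signed software inventory, not from inline byte strings.
TRUSTED_IMAGES = {
    b"MZ\x90\x00 constructed: corporate browser build 118": "browser.exe",
    b"MZ\x90\x00 constructed: office suite 2021":          "office.exe",
}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

ALLOW_LIST = {sha256_hex(image): name for image, name in TRUSTED_IMAGES.items()}

def allow_list_verdict(image: bytes) -> str:
    """ALLOW only if the exact image hash is on the list; anything else is BLOCK."""
    return "ALLOW" if sha256_hex(image) in ALLOW_LIST else "BLOCK"

# --- Control 2: sandbox detonation scored on observed behaviour -----------
# Weights are invented for the example; real sandboxes use far richer rules.
BEHAVIOUR_WEIGHTS = {
    "writes_run_key": 3,             # persistence via a Run registry key
    "spawns_encoded_powershell": 4,  # obfuscated child process
    "injects_into_process": 5,       # code injection into another process
    "beacons_to_new_domain": 3,      # callback to a never-before-seen domain
    "deletes_shadow_copies": 6,      # classic ransomware precursor
    "reads_many_user_docs": 2,       # could be benign (backup, indexing)
}
MALICIOUS_THRESHOLD = 6

def detonation_verdict(trace: list) -> tuple:
    """Sum the weights of behaviours seen during detonation; flag at threshold.
    Unknown event names score 0, so a noisy trace does not inflate the score."""
    score = sum(BEHAVIOUR_WEIGHTS.get(event, 0) for event in trace)
    return ("MALICIOUS" if score >= MALICIOUS_THRESHOLD else "BENIGN"), score

def evaluate(image: bytes, trace: list) -> dict:
    """Run both controls on one sample so their blind spots can be compared."""
    verdict, score = detonation_verdict(trace)
    return {"allow_list": allow_list_verdict(image),
            "detonation": verdict, "score": score}

# Constructed scenarios (image bytes, behaviour trace seen in the sandbox)
SCENARIOS = {
    # 1. Never-seen dropper: the allow list blocks it outright; detonation also flags it.
    "unknown_dropper": (
        b"MZ\x90\x00 constructed: unsigned dropper",
        ["writes_run_key", "beacons_to_new_domain"]),
    # 2. Trusted browser exploited at runtime: the hash is on the allow list,
    #    so only behaviour observed during detonation reveals the problem.
    "exploited_browser": (
        b"MZ\x90\x00 constructed: corporate browser build 118",
        ["injects_into_process", "spawns_encoded_powershell"]),
    # 3. Unknown but harmless utility: the allow list blocks it (an operational
    #    cost), while detonation sees nothing worth flagging.
    "unknown_benign_tool": (
        b"MZ\x90\x00 constructed: unsigned but harmless utility",
        ["reads_many_user_docs"]),
}

if __name__ == "__main__":
    for name, (image, trace) in SCENARIOS.items():
        print(f"{name:20} {evaluate(image, trace)}")
```

Running the three scenarios shows the trade-off the thread is circling: the allow list is a hard preventive gate that also blocks harmless unknown software and says nothing about a trusted image that is exploited after launch, while detonation only produces a verdict after the sample has run somewhere and has to be wired to an enforcement point (mail gateway, proxy, EDR) to become "active" protection.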
Community vote distribution: A (35%), C (25%), B (20%), other.