Exam SC-100 topic 4 question 22 discussion

https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/recover-from-ransomware?view=o365-worldwide

I think B is the answer. https://learn.microsoft.com/en-us/defender-xdr/playbook-responding-ransomware-m365-defender?view=o365-worldwide#step-1-verify-your-backups

Contrary to what the majority voted here (D), I judge that the answer is A. I base my logic on the below MS doc which covers the exact scope of the question: Eradication and recovery. https://learn.microsoft.com/en-us/microsoft-365/security/defender/playbook-responding-ransomware-m365-defender?view=o365-worldwide#eradication-and-recovery Here we find all the steps for the Recovery process in the eventuality of a successful ransomware attack. 1. Verify your backups 2. Add indicators 3. Reset compromised users 4. Isolate attacker control points 5. Remove malware 6. Recover files on a cleaned device 7. Recover files in OneDrive for Business 8. Recover deleted email 9. Re-enable Exchange ActiveSync and OneDrive sync See continuation in below reply

I can understand answer should be D to the contaiment but any of the articles shared below talk about stopping sync with OneDrive and Exchange. Can anyone spot this?

Sorry, the correct link for my comment is this one: https://learn.microsoft.com/en-us/microsoft-365/security/defender/playbook-responding-ransomware-m365-defender?view=o365-worldwide#eradication-and-recovery

i go with A, in the Security best practices for recovery the first option of the answers available is "to make a Scan", the second one is recover files to a cleaned Computer. Disable Microsoft OneDrive Sync and Exchane Active SYNC doesnt appear in the recovery Plan, only during the Attack. https://learn.microsoft.com/en-us/microsoft-365/security/defender/playbook-responding-ransomware-m365-defender?view=o365-worldwide#step-3-prevent-the-spread

I think It's B. Keyword is Recovery https://learn.microsoft.com/en-us/microsoft-365/security/defender/playbook-responding-ransomware-m365-defender?view=o365-worldwide#eradication-and-recovery

I would say A: Run a full, current antivirus scan https://learn.microsoft.com/en-us/microsoft-365/security/defender/playbook-responding-ransomware-m365-defender?view=o365-worldwide#step-5-remove-malware

The first step in the recovery plan for a ransomware attack, following Microsoft Security Best Practices, would be: B. Recover files to a cleaned computer or device. Recovering files to a cleaned computer or device is crucial because it ensures that you are restoring data in a safe environment, free from the ransomware infection. This step helps to prevent the re-infection of your systems and data.

I'd say B (since this is about "define the recovery steps" which is interpret as _after_ the attack, not during) BTW: _During_ an attack, step no 2 is: "Contact your local or federal law enforcement agencies." https://learn.microsoft.com/en-us/azure/security/fundamentals/backup-plan-to-protect-against-ransomware#what-to-do-during-an-attack So not even during an attack is "Disable Exchange ActiveSync and OneDrive sync" the first step in the list.

D is the answer. https://learn.microsoft.com/en-us/microsoft-365/security/defender/playbook-responding-ransomware-m365-defender?view=o365-worldwide#step-3-prevent-the-spread Use this list to keep the attack from spreading to additional entities. - Disable Exchange ActiveSync and OneDrive sync Pausing OneDrive sync helps protect your cloud data from being updated by potentially infected devices.

The key point here is to stop the spread of data encryption by the ransomware. Therefore, answer "D" appears a correct option.

Answer is "d" https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/recover-from-ransomware?view=o365-worldwide#step-2-disable-exchange-activesync-and-onedrive-sync

I would go with B. D is more a preventive measure, but not a recovery process.

Answer make sense. First - Isolate the incident