A technician is investigating a computer that has been sending spam emails from the user's account without their knowledge. The user has not installed any new software recently. The technician finds a process running that matches a known botnet client. Which two steps should the technician take first to mitigate the threat?
Disconnect the computer from the network, then terminate the malicious process: disconnecting stops the botnet's command-and-control communication, and terminating the process halts the spam.
Why this answer
The immediate priority is to disconnect the computer from the network to stop the botnet communication and prevent further spam. Then, the technician should identify and terminate the malicious process. Scanning without disconnecting may allow continued data exfiltration.