220-1102 Practice Question: That their workstation is infected with ransomware

Answer choices

Why each option matters

Good practice is not just finding the correct option. The wrong answers often show the exact trap the exam wants you to fall into.

Answer analysis

Why the other options are wrong

Understanding why incorrect options are tempting is as important as knowing the correct answer.

• ✗

  Run a full antivirus scan on the workstation

  Running an antivirus on an already-infected system may not guarantee removal of ransomware, and the infection may have already caused encryption; wiping and restoring from backup is more reliable.

• ✗

  Notify law enforcement and the company's legal department

  While important in some contexts, this is not the immediate technical next step; the priority is to eradicate the threat and restore operations.

• ✗

  Collect forensic data for analysis

  Forensic collection is often done before eradication if possible, but it is not always the immediate next step; many organizations prioritize recovery first.

Technical deep dive

How to think about this question

The core concept being tested here is the incident response process, specifically the eradication and recovery phases when dealing with a ransomware infection. After containment (isolating the machine), the most effective and reliable next step for ransomware is to completely eradicate the threat by wiping the infected system's hard drive. Ransomware often encrypts data and can embed itself deeply, making simple antivirus scans unreliable for complete removal. A full wipe ensures that all malicious code and encrypted data are removed, providing a clean slate. Following the wipe, the system is then restored from a known good backup, which is a copy of the data taken before the infection occurred. This two-step process guarantees that the system is free of malware and that the user's data is recovered to its pre-infection state, minimizing data loss and ensuring operational continuity. This approach directly addresses the primary goal of incident response: to return systems to normal operation securely and efficiently. This method differs significantly from merely running an antivirus scan, which might miss sophisticated ransomware or fail to decrypt already-encrypted files. While collecting forensic data (Option D) is a valid step in some incident response frameworks, especially for high-value targets or when a detailed post-mortem is required, it often takes a backseat to immediate eradication and recovery, particularly in a business environment where downtime is costly. Many organizations prioritize getting the user back to work quickly and securely. Notifying external parties like law enforcement (Option B) is a procedural step that typically occurs after the immediate technical threat has been neutralized or in parallel, but it is not the direct technical action to resolve the infection itself. The sequence of containment, eradication, and recovery is critical for effective incident response.

More questions from this exam

Keep practising from the same exam bank, or move into a focused topic page if this question exposed a weak area.

FAQ

Questions learners often ask

Keep practising

More 220-1102 practice questions

• →A change advisory board (CAB) approved a standard change to update antivirus definitions on all servers. The technician…
• →A company's change management policy requires all server changes to be approved by the Change Advisory Board (CAB). A te…
• →A company is implementing a bring-your-own-device (BYOD) policy and needs to ensure that corporate data on employee mobi…
• →A company requires employees to present both a smart card and a PIN to log into their workstations. Which authentication…
• →A company requires all Windows 10 workstations to be able to join an Active Directory domain. Which edition of Windows 1…
• →A company wants to allow employees to securely access internal resources from home via the internet. Which method provid…