SC-200 Certification Practice Question #257

Question

You have 1,000 on-premises Windows 11 Pro devices that are onboarded to Microsoft Defender for Endpoint.

You have a Microsoft 365 subscription that uses Microsoft Defender XDR.

You identify that an attacker performed the following actions on a device:

•	Modified the file system path of a registry-based antivirus exclusion
•	Downloaded a malicious file to the file system path

You initiate a live response session on the device.

You need to remove the malicious file.

Which command should you run?

Accepted Answer

In a Defender for Endpoint live response session the command that deletes a malicious file from the device is `remediate` (for a File entity the remediation action is "delete"), as shown by the doc example `remediate file `. The attacker downloaded a malicious file to a path, so running `remediate file ` removes it. The other commands don't delete: `collect` and `getfile` only retrieve data, and `undo` restores a remediated entity. Suggested Answer, the community vote, and MS Learn all converge on D, giving high confidence.

More SC-200 practice questions