Which selection is an ASR (attack surface reduction) rule that can be implemented and can be blocked?
A. Content from mobile devices
B. PowerShell from executing
C. Process creations initiating from WMI and PSExec commands
D. None of the above

Correct Answer: C.
Option A is incorrect.
This is not an ASR rule that can be implemented, and it cannot be blocked.
Option B is incorrect.
.ps1 execution cannot be blocked with an ASR rule.
Option C is correct.
This is an ASR rule that can be implemented and can be blocked.
The correct answer is C. Process creations initiating from WMI and PSExec commands.
ASR (attack surface reduction) is a set of security features in Windows 10 that help prevent malware from running on a computer or network. ASR rules can be implemented to restrict the attack surface by preventing specific behaviors or actions that are commonly used by attackers to gain unauthorized access or control over a system.
Option A, "Content from mobile devices," is not an ASR rule that can be implemented and blocked. Instead, it refers to a type of data that can be transferred between a mobile device and a computer. ASR rules are typically focused on preventing specific types of behavior or actions, rather than blocking specific types of content.
Option B, "PowerShell from executing," is an ASR rule that can be implemented, but it cannot be completely blocked. PowerShell is a powerful scripting language that is often used by system administrators to manage Windows systems, but it can also be used by attackers to run malicious code. Implementing the ASR rule to block PowerShell from executing can prevent some types of attacks that rely on PowerShell. However, this rule cannot completely block all uses of PowerShell, as it may be required for legitimate system administration tasks.
Option C, "Process creations initiating from WMI and PSExec commands," is an ASR rule that can be implemented and can be blocked. WMI (Windows Management Instrumentation) and PSExec are both commonly used by attackers to execute code remotely on a Windows system. Blocking process creations that initiate from these commands can prevent many types of attacks that rely on remote code execution.
Option D, "None of the above," is not the correct answer, as Option C is a valid ASR rule that can be implemented and blocked.