Learn which suspected malware file types you can block from being downloaded to Windows devices using indicator hashes in Microsoft Defender for Endpoint Plan 2.
Question
You have a Microsoft 365 subscription that uses Microsoft Defender for Endpoint Plan 2 and contains 500 Windows devices.
As part of an incident investigation, you identify the following suspected malware files:
- File1.sys
- File2.pdf
- File3.docx
- File4.xlsx
You need to create indicator hashes to block users from downloading the files to the devices.
Which files can you block by using the indicator hashes?
A. File1.sys only
B. File1.sys and File3.docx only
C. File1.sys, File3.docx, and File4.xlsx only
D. File2.pdf, File3.docx, and File4.xlsx only
E. File1.sys, File2.pdf, File3.docx, and File4.xlsx
Answer
A. File1.sys only
Explanation
Microsoft Defender for Endpoint Plan 2 lets you create file indicators (Settings > Endpoints > Indicators > Files) that allow, audit, warn on, or block a file by its SHA-1, SHA-256 or MD5 hash. The blocking behaviour is narrower than the question's wording suggests: Microsoft's "Create indicators for files" documentation states that the feature is designed to prevent suspected malware from being downloaded from the web and that it currently supports portable executable (PE) files, including .exe and .dll files. Enforcement relies on Microsoft Defender Antivirus running in active mode with cloud-delivered protection enabled.
A Windows driver (.sys) is a PE image, the same container format as .exe and .dll, so File1.sys can be blocked by its hash.
File2.pdf is not a PE file. File3.docx and File4.xlsx are not PE files either; Office Open XML documents are ZIP containers, and a file hash indicator will not stop them from being downloaded even if they carry malicious macros. Blocking those documents needs a different control (for example, attachment filtering in the mail and collaboration layer or an attack surface reduction rule), not a file hash indicator.
Therefore, of the four suspected files, only File1.sys can be blocked with indicator hashes in Microsoft Defender for Endpoint Plan 2.
To summarize:
- File hash indicators block downloads of PE files only (.exe, .dll and .sys all share the PE format)
- PDF and Office documents (.pdf, .docx, .xlsx) are not PE files and cannot be blocked by hash indicators
- So in this scenario, only File1.sys can be blocked using indicator hashes
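The following script is an added example (it is not part of the original question, answer or Microsoft's own tooling) showing how an incident responder would turn the reasoning above into code: it checks each suspected file for a PE header (the "MZ" DOS stub plus the "PE\0\0" signature at the offset stored in e_lfanew), computes a SHA-256 hash, and builds a Block request body for the Defender for Endpoint Submit or Update Indicator API. Only PE files get a payload; the others are reported as not coverable by this control. The four sample byte strings, the incident name and the bearer token are constructed assumptions; the `submit_indicator` call is included for completeness but not executed, since it needs an Entra app registration with the Ti.ReadWrite permission.

```python
import hashlib
import json
import struct
import urllib.request

# Defender for Endpoint "Submit or Update Indicator" endpoint.
MDE_INDICATORS_URL = "https://api.securitycenter.microsoft.com/api/indicators"


def is_pe(data: bytes) -> bool:
    """Return True if the bytes start with a valid PE image header.

    A PE file begins with an MS-DOS stub ("MZ" magic); the 32-bit field at
    offset 0x3C (e_lfanew) points to the "PE\\0\\0" signature that precedes
    the COFF header. Drivers (.sys), executables (.exe) and libraries (.dll)
    all share this layout; PDF and Office files do not.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_block_indicator(name: str, data: bytes, incident: str) -> dict:
    """Build the JSON body for a Block file-hash indicator, refusing non-PE files."""
    if not is_pe(data):
        raise ValueError(f"{name}: not a PE file; file hash indicators only apply to PE files")
    return {
        "indicatorValue": sha256_hex(data),
        "indicatorType": "FileSha256",
        "action": "Block",
        "title": f"Block {name} ({incident})",
        "description": f"Suspected malware identified during {incident}",
        "severity": "High",
    }


def plan_indicators(files: dict, incident: str = "INC-0000") -> tuple:
    """Split suspected files into submittable indicator bodies and skipped names."""
    payloads, skipped = [], []
    for name, data in files.items():
        try:
            payloads.append(build_block_indicator(name, data, incident))
        except ValueError:
            skipped.append(name)
    return payloads, skipped


def submit_indicator(payload: dict, bearer_token: str) -> dict:
    """POST one indicator to the Defender for Endpoint API (token needs Ti.ReadWrite)."""
    req = urllib.request.Request(
        MDE_INDICATORS_URL,
        data=json.dumps(payload).encode(),
        headers={"Authorization": f"Bearer {bearer_token}",
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def _pe_stub() -> bytes:
    """Constructed minimal PE header (not a loadable driver) standing in for File1.sys."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)      # e_lfanew -> PE signature at 0x40
    coff = b"\x64\x86" + b"\0" * 18              # Machine=AMD64, rest of COFF header zeroed
    return bytes(hdr) + b"PE\0\0" + coff


# Constructed stand-ins for the four files in the question (assumed content).
SAMPLE_FILES = {
    "File1.sys": _pe_stub(),
    "File2.pdf": b"%PDF-1.7\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n",
    "File3.docx": b"PK\x03\x04" + b"\0" * 26 + b"[Content_Types].xml",
    "File4.xlsx": b"PK\x03\x04" + b"\0" * 26 + b"xl/workbook.xml",
}

if __name__ == "__main__":
    payloads, skipped = plan_indicators(SAMPLE_FILES, incident="INC-1234")
    for p in payloads:
        print("would submit:", json.dumps(p, indent=2))
    print("not coverable by file hash indicators:", skipped)
```

Run against the constructed inputs, the script produces exactly one Block payload (for File1.sys) and lists File2.pdf, File3.docx and File4.xlsx as skipped. The PE check is deliberately done on content rather than extension, so a renamed driver is still caught and a PDF renamed to .exe is still refused.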
This Microsoft SC-200 certification exam practice question and answer (Q&A), with a detailed explanation and reference, is provided free to help you pass the Microsoft SC-200 exam and earn the Microsoft SC-200 certification.