In Microsoft Defender for Endpoint (Plan 2), you can use indicator file hashes (IoC file hashes) to block files f rom executing or being downloaded. When you create a file hash indicator, you specify the exact file hash (for example, SHA-256 or MD5) and choose actions such as “block” or “remediate.”
However, an important detail is that file hash indicators are applied to specific files —that is, for a given executable or file content. You cannot use a hash indicator to block all files of a certain extension generically. If a given file has a different hash, it will not be blocked unless you add its specific hash. Becaus e the question says you found suspected malware files sys , pdf , docx , xlsx , and you need to block users from downloading those files, only those files for which you can compute and apply a specific hash indicator can be blocked. The question implies you ca n create indicator hashes for each of those file names (assuming each has a unique hash).
Thus you can block all four (File1.sys, File2.pdf, File3.docx, File4.xlsx) by adding each as an indicator hash. The choice E lists all four. That is consistent with M icrosoft’s statements that “you can create indicators that define detection, prevention, or exclusion of entities,” and file hash indicators specifically apply to those files. Microsoft Learn+3Microsoft Learn+3Microsoft Learn+3
Options that exclude some file types (e.g. only blocking sys and docx but not pdf or xlsx) would leave gaps, which doesn’t satisfy the requirement of blocking all those suspected files. Hence E is the correct answer.
