When a malicious file is detected on an endpoint, what action should be taken to prevent lateral movement?

Isolating the computer is a critical action when a malicious file is detected on an endpoint, particularly to prevent lateral movement within a network. By isolating the affected machine, you effectively cut off its network access. This action prevents the potential spread of the malware to other systems on the same network, which is essential in mitigating the risk of a wider security breach.

Isolating the endpoint limits the malicious software's ability to communicate with command and control servers or propagate itself via network shares or other connected devices. Furthermore, this step allows security teams to investigate the incident without the added risk of further infection or data compromise.

The other actions, while they may have their merits in specific circumstances, do not address the immediate concern of preventing further spread as effectively as isolation does. Restarting the computer may interrupt the attack temporarily but does not remove the threat or stop its ability to spread when the computer comes back online. Deleting the malicious file is important but may not be sufficient to stop lateral movement if the malware has already established connections or created exploits. Performing a full system scan is beneficial for identifying additional threats but does not serve the immediate need to contain the incident. Thus, isolation is the most effective first step in managing a detected malware threat and safeguarding