Correct answer: A
EDR in block mode is a Defender for Endpoint capability designed specifically for environments where a non-Microsoft antivirus is the primary real-time protection (i.e., Microsoft Defender Antivirus is running in passive mode). The official documentation explains that EDR in block mode "provides added protection from malicious artifacts when Microsoft Defender Antivirus is not the primary antivirus product." Practically, that means behavioral detections and EDR cloud signals can trigger remediation actions (quarantine, remove, kill process, etc.) even if the third-party AV missed the artifact. Microsoft explicitly states that EDR in block mode remediates post-breach artifacts that were missed by the primary antivirus, and recommends it for this scenario. Note that some prevention features that require Defender Antivirus to be active (on-access real-time scanning, certain ASR/network protection features) won't be available while Defender AV is passive, but EDR in block mode still provides post-detection blocking/remediation, which meets the stated goal of protecting devices from artifacts undetected by the third-party AV.