TCP SYN scans are often described as 'half-open.' Which statement best explains this descriptor?

The idea being tested is why a TCP SYN scan is called “half-open.” In TCP, establishing a connection uses a three-way handshake: SYN from the client, SYN-ACK from the server, and then ACK from the client to complete the connection. A SYN scan stops after the initial SYN and the server’s SYN-ACK response (if the port is open) and does not send the final ACK to fully establish the connection. Because the handshake is not completed, the connection is never fully opened, leaving the scanner’s attempt in a half-open state. This behavior is what gives the scan its name and makes it stealthier, since no full connection is established. The other options don’t fit because they describe completing a handshake, using different protocols, or injecting malware, none of which explain the “half-open” descriptor.