What EDR function minimizes the risk of an endpoint infecting other resources in the environment?
- A . Quarantine
- B . Block
- C . Deny List
- D . Firewall
A
Explanation:
The function of "Quarantine" in Endpoint Detection and Response (EDR) minimizes the risk of an infected endpoint spreading malware or malicious activities to other systems within the network environment. This is accomplished by isolating or restricting access of the infected endpoint to contain any threat within that specific machine. Here’s how Quarantine functions as a protective measure:
Detection and Isolation: When EDR detects potential malicious behavior or files on an endpoint, it can automatically place the infected file or process in a "quarantine" area. This means the threat is separated from the rest of the system, restricting its ability to execute or interact with other resources.
Minimizing Spread: By isolating compromised files or applications, Quarantine ensures that malware or suspicious activities do not propagate to other endpoints, reducing the risk of a widespread infection.
Administrative Review: After an item is quarantined, administrators can review it to determine if it should be deleted or restored based on a false positive evaluation. This controlled environment allows for further analysis without risking network security.
Endpoint-Specific Control: Quarantine is designed to act at the endpoint level, applying restrictions that affect only the infected system without disrupting other network resources.
Using Quarantine as an EDR response mechanism aligns with best practices outlined in endpoint security documentation, such as Symantec Endpoint Protection, which emphasizes containment as a critical first response to threats. This approach supports the proactive defense strategy of limiting lateral movement of malware across a network, thus preserving the security and stability of the entire system.
What priority would an incident that may have an impact on business be considered?
- A . Low
- B . Critical
- C . High
- D . Medium
C
Explanation:
An incident that may have an impact on business is typically classified with a High priority in cybersecurity frameworks and incident response protocols. Here’s a detailed rationale for this classification:
Potential Business Disruption: An incident that affects or threatens to affect business operations, even if indirectly, is assigned a high priority to ensure swift response. This classification prioritizes incidents that may not be immediately critical but could escalate if not addressed promptly.
Risk of Escalation: High-priority incidents are situations that, while not catastrophic, have the potential to impact critical systems or compromise sensitive data, thus needing attention before they lead to severe business repercussions.
Rapid Response Requirement: Incidents labeled as high priority are flagged for immediate investigation and containment measures to prevent further business impact or operational downtime.
In this context, while Critical incidents involve urgent threats with immediate, severe effects (such as active data breaches), a High priority applies to incidents with significant risk or potential for business impact. This prioritization is essential for effective incident management, enabling resources to focus on potential risks to business continuity.
Which antimalware intensity level is defined by the following: "Blocks files that are most certainly bad or potentially bad files results in a comparable number of false positives and false negatives."
- A . Level 6
- B . Level 5
- C . Level 2
- D . Level 1
B
Explanation:
In antimalware solutions, Level 5 intensity is defined as a setting where the software blocks files that are considered either most certainly malicious or potentially malicious. This level aims to balance security with usability by erring on the side of caution; however, it acknowledges that some level of both false positives (legitimate files mistakenly flagged as threats) and false negatives (malicious files mistakenly deemed safe) may still occur.
This level is typically used in environments where security tolerance is high but with an understanding that some legitimate files might occasionally be flagged. It provides robust protection without the extreme strictness of the highest levels, thus reducing, but not eliminating, the possibility of false alerts while maintaining an aggressive security posture.
The SES Intrusion Prevention System has blocked an intruder’s attempt to establish an IRC connection inside the firewall.
Which Advanced Firewall Protection setting should an administrator enable to prevent the intruder’s system from communicating with the network after the IPS detection?
- A . Enable port scan detection
- B . Automatically block an attacker’s IP address
- C . Block all traffic until the firewall starts and after the firewall stops
- D . Enable denial of service detection
B
Explanation:
To enhance security and prevent further attempts from the intruder after the Intrusion Prevention System (IPS) has detected and blocked an attack, the administrator should enable the setting to Automatically block an attacker’s IP address.
Here’s why this setting is critical:
Immediate Action Against Threats: By automatically blocking the IP address of the detected attacker, the firewall can prevent any further communication attempts from that address. This helps to mitigate the risk of subsequent attacks or reconnections.
Proactive Defense Mechanism: Enabling this feature serves as a proactive defense strategy, minimizing the chances of successful future intrusions by making it harder for the attacker to re-establish a connection to the network.
Reduction of Administrative Overhead: Automating this response allows the security team to focus on investigating and remediating the incident rather than manually tracking and blocking malicious IP addresses, thus optimizing incident response workflows.
Layered Security Approach: This setting complements other security measures, such as intrusion detection and port scan detection, creating a layered security approach that enhances overall network security.
Enabling automatic blocking of an attacker’s IP address directly addresses the immediate risk posed by the detected intrusion and reinforces the organization’s defense posture against future threats.
After several failed logon attempts, the Symantec Endpoint Protection Manager (SEPM) has locked the default admin account. An administrator needs to make system changes as soon as possible to address an outbreak, but the admin account is the only account.
Which action should the administrator take to correct the problem with minimal impact on the existing environment?
- A . Wait 15 minutes and attempt to log on again
- B . Restore the SEPM from a backup
- C . Run the Management Server and Configuration Wizard to reconfigure the server
- D . Reinstall the SEPM
A
Explanation:
In the situation where the default admin account of the Symantec Endpoint Protection Manager (SEPM) is locked after several failed login attempts, the best course of action for the administrator is to wait 15 minutes and attempt to log on again.
Here’s why this approach is advisable:
Account Lockout Policy: Most systems, including SEPM, are designed with account lockout policies that temporarily disable accounts after a number of failed login attempts. Typically, these policies include a reset time (often around 15 minutes), after which the account becomes active again.
Minimal Disruption: Waiting for the account to automatically unlock minimizes disruption to the existing environment. This avoids potentially complex recovery processes or the need to restore from a backup, which could introduce additional complications or data loss.
Avoiding System Changes: Taking actions such as restoring the SEPM from a backup, reconfiguring the server, or reinstalling could lead to significant changes in the configuration and might cause further complications, especially if immediate action is needed to address an outbreak.
Prioritizing Response to Threats: While it’s important to respond to security incidents quickly, maintaining the integrity of the SEPM configuration and ensuring a smooth recovery is also crucial. Waiting for the lockout period respects the system’s security protocols and allows the administrator to regain access with minimal risk.
In summary, waiting for the lockout to expire is the most straightforward and least disruptive solution, allowing the administrator to resume critical functions without unnecessary risk to the SEPM environment.
Which Incident View widget shows the parent-child relationship of related security events?
- A . The Incident Summary Widget
- B . The Process Lineage Widget
- C . The Events Widget
- D . The Incident Graph Widget
B
Explanation:
The Process Lineage Widget in the Incident View of Symantec Endpoint Security provides a visual representation of the parent-child relationship among related security events, such as processes or activities stemming from a primary malicious action. This widget is valuable for tracing the origins and propagation paths of potential threats within a system, allowing security teams to identify the initial process that triggered subsequent actions. By displaying this hierarchical relationship, the Process Lineage Widget supports in-depth forensic analysis, helping administrators understand how an incident unfolded and assess the impact of each related security event in context.
Which Symantec Endpoint Protection technology blocks a downloaded program from installing browser plugins?
- A . Intrusion Prevention
- B . SONAR
- C . Application and Device Control
- D . Tamper Protection
C
Explanation:
The Application and Device Control technology within Symantec Endpoint Protection (SEP) is responsible for blocking unauthorized software behaviors, such as preventing a downloaded program from installing browser plugins. This feature is designed to enforce policies that restrict specific actions by applications, which includes controlling program installation behaviors, access to certain system components, and interactions with browser settings. Application and Device Control effectively safeguards endpoints by stopping potentially unwanted or malicious modifications to the browser, thus protecting users from threats that may arise from unverified or harmful plugins.
Which type of event does operation:1 indicate in a SEDR database search?
- A . File Deleted.
- B . File Closed.
- C . File Open.
- D . File Created.
C
Explanation:
In a Symantec Endpoint Detection and Response (SEDR) database search, an event labeled with operation:1 corresponds to a File Open action. This identifier is part of SEDR’s internal operation codes used to log file interactions. When querying or analyzing events in the SEDR database, recognizing this code helps Incident Responders understand that the action recorded was an attempt to access or open a file on the endpoint, which may be relevant in tracking suspicious or malicious activities.
An Incident Responder has determined that an endpoint is compromised by a malicious threat.
What SEDR feature would be utilized first to contain the threat?
- A . File Deletion
- B . Incident Manager
- C . Isolation
- D . Endpoint Activity Recorder
C
Explanation:
When an Incident Responder determines that an endpoint is compromised, the first action to contain the threat is to use the Isolation feature in Symantec Endpoint Detection and Response (SEDR). Isolation effectively disconnects the affected endpoint from the network, thereby preventing the malicious threat from communicating with other systems or spreading within the network environment. This feature enables the responder to contain the threat swiftly, allowing further investigation and remediation steps to be conducted without risk of lateral movement by the attacker.
If an administrator enables the setting to manage policies from the cloud, what steps must be taken to reverse this process?
- A . Navigate to ICDm > Enrollment and disable the setting
- B . Unenroll the SEPM > Disable the setting > Re-enroll the SEPM
- C . Revoke policies from ICDm
- D . Revoke policies from SEPM
B
Explanation:
If an administrator has enabled the setting to manage policies from the cloud and needs to reverse this, they must follow these steps:
Unenroll the SEPM (Symantec Endpoint Protection Manager) from the cloud management (ICDm).
Disable the cloud policy management setting within the SEPM.
Re-enroll the SEPM back into the cloud if required.
This process ensures that policy control is reverted from cloud management to local management on the SEPM. By following these steps, administrators restore full local control over policies, disabling any cloud-based management settings previously in effect.
How would an administrator specify which remote consoles and servers have access to the management server?
- A . Edit the Server Properties and under the General tab, change the Server Communication Permission.
- B . Edit the Communication Settings for the Group under the Clients tab.
- C . Edit the External Communication Settings for the Group under the Clients tab.
- D . Edit the Site Properties and under the General tab, change the server priority.
A
Explanation:
To control which remote consoles and servers have access to the Symantec Endpoint Protection Management (SEPM) server, an administrator should edit the Server Properties and adjust the Server Communication Permission under the General tab. This setting specifies which remote systems are authorized to communicate with the management server, enhancing security by limiting access to trusted consoles and servers only. Adjusting the Server Communication Permission helps manage server access centrally and ensures only approved systems interact with the management server.
Which designation should an administrator assign to the computer configured to find unmanaged devices?
- A . Discovery Device
- B . Discovery Manager
- C . Discovery Agent
- D . Discovery Broker
C
Explanation:
In Symantec Endpoint Protection, the Discovery Agent designation is assigned to a computer responsible for identifying unmanaged devices within a network. This role is crucial for discovering endpoints that lack protection or are unmanaged, allowing the administrator to deploy agents or take appropriate action. Configuring a Discovery Agent facilitates continuous monitoring and helps ensure that all devices on the network are recognized and managed.
An administrator notices that some entries list that the Risk was partially removed. The administrator needs to determine whether additional steps are necessary to remediate the threat.
Where in the Symantec Endpoint Protection Manager console can the administrator find additional information on the risk?
- A . Risk log
- B . Computer Status report
- C . Notifications
- D . Infected and At-Risk Computers report
A
Explanation:
To gather more details about threats that were only partially removed, an administrator should consult the Risk log in the Symantec Endpoint Protection Manager (SEPM) console. The Risk log provides comprehensive information about detected threats, their removal status, and any remediation actions taken. By examining these logs, the administrator can determine if additional steps are required to fully mitigate the threat, ensuring that the endpoint is entirely secure and free of residual risks.
Which Endpoint Setting should an administrator utilize to locate unmanaged endpoints on a network subnet?
- A . Device Discovery
- B . Endpoint Enrollment
- C . Discover and Deploy
- D . Discover Endpoints
C
Explanation:
To locate unmanaged endpoints within a specific network subnet, an administrator should utilize the Discover and Deploy setting. This feature scans the network for endpoints without security management, enabling administrators to identify and initiate the deployment of Symantec Endpoint Protection agents on unmanaged devices. This proactive approach ensures comprehensive coverage across the network, allowing for efficient detection and management of all endpoints within the organization.
Why is it important for an Incident Responder to copy malicious files to the SEDR file store or create an image of the infected system during the Recovery phase?
- A . To create custom IPS signatures
- B . To test the effectiveness of the current assigned policy settings in the Symantec Endpoint Protection Manager (SEPM)
- C . To have a copy of the file for policy enforcement
- D . To document and preserve any pieces of evidence associated with the incident
D
Explanation:
During the Recovery phase of an incident response, it is critical for an Incident Responder to copy malicious files to the SEDR file store or create an image of the infected system. This action preserves evidence associated with the incident, allowing for thorough investigation and analysis. By securing a copy of the malicious files or system state, responders maintain a record of the incident that can be analyzed for root cause assessment, used for potential legal proceedings, or retained for post-incident review. Documenting and preserving evidence ensures that key information is available for future reference or audits.
An administrator changes the Virus and Spyware Protection policy for a specific group that disables Auto-Protect. The administrator assigns the policy and the client systems apply the corresponding policy serial number. Upon visual inspection of a physical client system, the policy serial number is correct. However, Auto-Protect is still enabled on the client system.
Which action should the administrator take to ensure that the desired setting is in place for the client?
- A . Restart the client system
- B . Run a command on the computer to Update Content
- C . Enable the padlock next to the setting in the policy
- D . Withdraw the Virus and Spyware Protection policy
C
Explanation:
If an administrator modifies the Virus and Spyware Protection policy to disable Auto-Protect, but finds it still enabled on the client, the likely cause is that the setting was not locked. In Symantec Endpoint Protection policies, enabling the padlock icon next to a setting ensures that the policy is enforced strictly, overriding local client configurations. Without this lock, clients may retain previous settings despite the new policy. Locking the setting guarantees that the desired configuration is applied consistently across all clients within the specified group.
In the Virus and Spyware Protection policy, an administrator sets the First action to Clean risk and sets If first action fails to Delete risk.
Which two (2) factors should the administrator consider? (Select two.)
- A . The deleted file may still be in the Recycle Bin.
- B . IT Analytics may keep a copy of the file for investigation.
- C . False positives may delete legitimate files.
- D . Insight may back up the file before sending it to Symantec.
- E . A copy of the threat may still be in the quarantine.
C, E
Explanation:
When configuring a Virus and Spyware Protection policy with the actions to "Clean risk" first and "Delete risk" if cleaning fails, two important considerations are:
False Positives (C): There is a risk that legitimate files may be falsely identified as threats and deleted if the cleaning action fails. This outcome underscores the importance of careful policy configuration to avoid loss of important files.
Quarantine Copy (E): Even if a file is deleted, a copy might still remain in the quarantine. This backup allows for retrieval if the deletion was a false positive or if further analysis of the file is required for investigation purposes.
These considerations help administrators avoid unintended data loss and maintain flexibility for future review of quarantined threats.
What protection technology should an administrator enable to prevent double executable file names of ransomware variants like Cryptolocker from running?
- A . Download Insight
- B . Intrusion Prevention System
- C . SONAR
- D . Memory Exploit Mitigation
C
Explanation:
To prevent ransomware variants, such as Cryptolocker, from executing with double executable file names, an administrator should enable SONAR (Symantec Online Network for Advanced Response). SONAR detects and blocks suspicious behaviors based on file characteristics and real-time monitoring, which is effective in identifying malicious patterns associated with ransomware. By analyzing unusual behaviors, such as double executable file names, SONAR provides proactive protection against ransomware threats before they can cause harm to the system.
Which Indicator of Compromise might be detected as variations in the behavior of privileged users that indicate that their account is being used by someone else to gain a foothold in an environment?
- A . Mismatched Port – Application Traffic
- B . Irregularities in Privileged User Account Activity
- C . Surges in Database Read Volume
- D . Geographical Irregularities
B
Explanation:
An Indicator of Compromise (IOC), such as irregularities in privileged user account activity, can signal that a privileged account may be compromised and used maliciously. This can involve deviations from typical login times, unusual commands or requests, or access to resources not typically utilized by the user. Monitoring such anomalies can help detect when an attacker has gained access to a privileged account and is attempting to establish control within the environment.
Why is Active Directory a part of nearly every targeted attack?
- A . AD administration is managed by weak legacy APIs.
- B . AD is, by design, an easily accessed flat file name space directory database
- C . AD exposes all of its identities, applications, and resources to every endpoint in the network
- D . AD user attribution includes hidden elevated admin privileges
C
Explanation:
Active Directory (AD) is commonly targeted in attacks because it serves as a central directory for user identities, applications, and resources accessible across the network. This visibility makes it an attractive target for attackers to exploit for lateral movement, privilege escalation, and reconnaissance. Once compromised, AD provides attackers with significant insight into an organization’s internal structure, enabling further exploitation and access to sensitive data.
Which technology can prevent an unknown executable from being downloaded through a browser session?
- A . Intrusion Prevention
- B . Insight
- C . Application Control
- D . Advanced Machine Learning
B
Explanation:
Symantec Insight technology can prevent the download of unknown executables through a browser session by leveraging a cloud-based reputation service. Insight assesses the reputation of files based on data collected from millions of endpoints, blocking downloads that are unknown or have a low reputation. This technology is particularly effective against zero-day threats or unknown files that do not yet have established signatures.
What should an administrator know regarding the differences between a Domain and a Tenant in ICDm?
- A . A tenant can contain multiple domains
- B . Each customer can have one domain and many tenants
- C . A domain can contain multiple tenants
- D . Each customer can have one tenant and no domains
A
Explanation:
In Integrated Cyber Defense Manager (ICDm), a tenant can encompass multiple domains, allowing organizations with complex structures to manage security across various groups or departments within a single tenant. Each tenant represents an overarching entity, while domains within a tenant enable separate administration and policy enforcement for different segments, providing flexibility in security management across large enterprises.
Which type of file attribute is valid for creating a block list entry with Symantec Endpoint Detection and Response (SEDR)?
- A . SHA256
- B . Type
- C . Date Created
- D . Filename
A
Explanation:
When creating a block list entry in Symantec Endpoint Detection and Response (SEDR), the SHA256 hash is a valid file attribute. SHA256 uniquely identifies files based on their content, making it a reliable attribute for ensuring that specific files, regardless of their names or creation dates, are accurately blocked. This hashing method helps prevent identified malicious files from executing, regardless of their locations or renaming attempts by attackers.
Which SES feature helps administrators apply policies based on specific endpoint profiles?
- A . Policy Bundles
- B . Device Profiles
- C . Policy Groups
- D . Device Groups
D
Explanation:
In Symantec Endpoint Security (SES), Device Groups enable administrators to apply policies based on specific endpoint profiles. Device Groups categorize endpoints according to characteristics like department, location, or device type, allowing tailored policy application that meets the specific security needs of each group. By using Device Groups, administrators can efficiently manage security policies, ensuring relevant protections are applied based on the endpoint’s profile.
What should an administrator utilize to identify devices on a Mac?
- A . Use DevViewer when the Device is connected.
- B . Use DeviceInfo when the Device is connected.
- C . Use Device Manager when the Device is connected.
- D . Use GatherSymantecInfo when the Device is connected.
D
Explanation:
To identify devices on a Mac, administrators can use the GatherSymantecInfo tool when the device is connected. This tool collects system information and diagnostic data specific to Symantec Endpoint Protection, helping administrators accurately identify and troubleshoot devices. Using GatherSymantecInfo ensures comprehensive data gathering, which is crucial for managing and supporting endpoints in a Mac environment.
What is an appropriate use of a file fingerprint list?
- A . Allow unknown files to be downloaded with Insight
- B . Prevent programs from running
- C . Prevent Antivirus from scanning a file
- D . Allow files to bypass Intrusion Prevention detection
B
Explanation:
A file fingerprint list is used to prevent specific programs from running by identifying them through unique file attributes (such as hashes). This list allows administrators to create block rules based on known malicious or unwanted file fingerprints, ensuring these programs cannot execute on the system. This approach is particularly effective in enforcing application control and preventing unauthorized software from running.
What is the purpose of a Threat Defense for Active Directory Deceptive Account?
- A . It prevents attackers from reading the contents of the Domain Admins Group.
- B . It assigns a fake NTLM password hash value for users with an assigned AdminCount attribute.
- C . It exposes attackers as they seek to gather credential information from workstation memory.
- D . It acts as a honeypot to expose attackers as they attempt to build their AD treasure map
D
Explanation:
The Threat Defense for Active Directory (AD) Deceptive Account feature serves as a honeypot within Active Directory, designed to lure attackers who are attempting to map out AD for valuable accounts or resources. By using deceptive accounts, this feature can expose attackers’ reconnaissance activities, such as attempts to gather credential information or access sensitive accounts. This strategy helps detect attackers early by observing interactions with fake accounts set up to appear as attractive targets.
When are events generated within SEDR?
- A . When an incident is selected
- B . When an activity occurs
- C . When any event is opened
- D . When entities are viewed
B
Explanation:
In Symantec Endpoint Detection and Response (SEDR), events are generated when an activity occurs. This includes any actions or behaviors detected by the system, such as file modifications, network connections, or process launches that could indicate a potential threat. The generation of events in response to activities enables SEDR to provide real-time monitoring and logging, essential for effective threat detection and response.
What tool can administrators use to create custom behavioral isolation policies based on collected application behavior data?
- A . Behavioral Prevalence Check
- B . Behavioral Heat Map
- C . Application Catalog
- D . Application Frequency Map
C
Explanation:
Administrators can use the Application Catalog in Symantec Endpoint Security to create custom behavioral isolation policies. This tool compiles data on application behavior, enabling administrators to define isolation policies that address specific behaviors observed within their environment. By leveraging the Application Catalog, administrators can tailor policies based on the behaviors of applications, enhancing the control and containment of potentially malicious activity.
A file has been identified as malicious.
Which feature of SEDR allows an administrator to manually block a specific file hash?
- A . Playbooks
- B . Quarantine
- C . Allow List
- D . Block List
D
Explanation:
In Symantec Endpoint Detection and Response (SEDR), the Block List feature allows administrators to manually block a specific file hash identified as malicious. By adding the hash of the malicious file to the Block List, SEDR ensures that the file cannot execute or interact with the network, preventing further harm. This manual blocking capability provides administrators with direct control over specific threats detected in their environment.
How does IPS check custom signatures?
- A . IPS checks for signatures listed in the table. When a detection matches an inbound or outbound traffic packet, the IPS engine continues checking for other signatures.
- B . IPS checks for signatures listed in the table. When a detection matches an inbound or outbound traffic packet, the IPS engine restarts checking for signatures.
- C . IPS checks for signatures listed in the table. When a detection matches an inbound or outbound traffic packet, the IPS engine stops checking other signatures.
- D . IPS checks for signatures listed in the table. When a detection matches an inbound or outbound traffic packet, the IPS engine logs the other signatures.
C
Explanation:
The Intrusion Prevention System (IPS) in Symantec Endpoint Protection operates by scanning inbound and outbound traffic packets against a defined list of signatures. This process aims to identify known attack patterns or anomalies that signify potential security threats.
When IPS detects a match in the traffic packet based on these custom signatures, the following sequence occurs:
Initial Detection and Match: The IPS engine actively monitors traffic in real-time, referencing its signature table. Each packet is checked sequentially until a match is found.
Halting Further Checks: Upon matching a signature with the inbound or outbound traffic, the IPS engine terminates further checks for other signatures in the same traffic packet. This design conserves system resources and optimizes performance by avoiding redundant processing once a threat has been identified.
Action on Detection: After identifying and confirming the threat based on the matched signature, the IPS engine enforces configured responses, such as blocking the packet, alerting administrators, or logging the event.
This approach ensures efficient threat detection by focusing only on the first detected signature, which prevents unnecessary processing overhead and ensures rapid incident response.
An Application Control policy includes an Allowed list and a Blocked list. A user wants to use an application that is neither on the Allowed list nor on the Blocked list.
What can the user do to gain access to the application?
- A . Email the App Control Admin
- B . Request an Override
- C . Install the application
- D . Wait for the Application Drift process to complete
B
Explanation:
In Symantec Endpoint Protection (SEP) Application Control policies, applications are managed through lists: an Allowed list (applications approved for use) and a Blocked list (applications restricted or prohibited). When a user encounters an application that is not explicitly on either the Allowed or Blocked list, it falls into a neutral category.
For accessing this application, the typical process includes:
Requesting an Override: The user can initiate a request to temporarily or permanently allow access to the application. This process usually involves contacting the administrator or following a specified override protocol to gain necessary permissions.
Administrator Review: Upon receiving the override request, the administrator evaluates the application to ensure it aligns with organizational security policies and compliance standards.
Override Approval: If deemed safe, the application may be added to the Allowed list, granting the user access.
This request mechanism ensures that unlisted appli
What does an end-user receive when an administrator utilizes the Invite User feature to distribute the SES client?
- A . An email with the SES_setup.zip file attached
- B . An email with a link to register on the ICDm user portal
- C . An email with a link to directly download the SES client
- D . An email with a link to a KB article explaining how to install the SES Agent
C
Explanation:
When an administrator uses the "Invite User" feature to distribute the Symantec Endpoint Security (SES) client, the end-user receives a direct link via email to download the SES client. This email typically includes:
Download Link: The email provides a secure link that directs the user to download the SES client installer directly from Symantec’s servers or a managed distribution location.
Installation Instructions: Clear instructions are often included to assist the end-user with installing the SES client on their device.
User Access Simplification: This approach streamlines the installation process by reducing the steps required for the user, making it convenient and ensuring they receive the correct client version. This method enhances security and user convenience, as the SES client download is directly verified by the system, ensuring that the correct version is deployed.
An organization identifies a threat in its environment and needs to limit the spread of the threat.
How should the SEP Administrator block the threat using Application and Device Control?
- A . Gather the MD5 hash of the file and create an Application Content Rule that blocks the file based on the file fingerprint.
- B . Gather the process name of the file and create an Application Content Rule that blocks the file based on the device ID type.
- C . Gather the MD5 hash of the file and create an Application Content Rule that uses regular expression matching.
- D . Gather the MD5 hash of the file and create an Application Content Rule that blocks the file based on specific arguments.
A
Explanation:
When a threat is detected within an organization’s environment, preventing its spread becomes crucial. Symantec Endpoint Protection (SEP) allows administrators to create Application and Device Control policies that target specific threat files to block them across the network. To block a known malicious file, the administrator should:
Identify the File MD5 Hash: The MD5 hash serves as a unique "fingerprint" for the malicious file, ensuring that the specific file version can be accurately identified across systems.
Create an Application Content Rule: Using the Application and Device Control feature, the administrator can create a content rule that targets the identified file by its MD5 hash, effectively blocking it based on its fingerprint.
Apply the Rule Across Endpoints: Once created, this rule is applied to endpoints, preventing the file from executing or spreading.
This method blocks the threat precisely, without affecting other files or processes. The precision cuts both ways: a fingerprint rule matches only that exact byte sequence, so a repacked or recompiled variant of the same malware has a different hash and is not caught. Hash blocking is therefore a fast containment step to combine with signature, reputation and behavioral protection, not a substitute for them.
What EDR feature provides endpoint activity recorder data for a file hash?
- A . Process Dump
- B . Entity Dump
- C . Hash Dump
- D . Full Dump
B
Explanation:
In Symantec Endpoint Detection and Response (EDR), the Entity Dump feature provides detailed activity recorder data related to a specific file hash. This data is essential for understanding the behavior and origin of a suspicious file, as well as tracking its activity across endpoints. Here’s how it works:
Hash-Based Search: The EDR solution allows the administrator to search by file hash, which helps retrieve a history of the file’s interactions and activities.
Entity Dump Retrieval: Selecting the Entity Dump option provides comprehensive data, including process execution, file modification, network connections, and other endpoint interactions related to the file.
Enhanced Threat Analysis: By analyzing this information, the administrator gains insights into how the threat may have propagated, aiding in containment and mitigation efforts.
The Entity Dump is thus a vital tool in forensic analysis, providing detailed endpoint activity data for specified file hashes.
What Symantec Best Practice is recommended when setting up Active Directory integration with the Symantec Endpoint Protection Manager?
- A . Ensure there is more than one Active Directory Server listed in the Server Properties.
- B . Link the built-in Admin account to an Active Directory account.
- C . Import the existing AD structure to organize clients in user mode.
- D . Secure the management console by denying access to certain computers.
C
Explanation:
When setting up Active Directory (AD) integration with Symantec Endpoint Protection Manager (SEPM), Symantec’s best practice is to import the existing AD structure to manage clients in user mode.
This approach offers several benefits:
Simplified Client Management: By importing the AD structure, SEPM can mirror the organizational structure already defined in AD, enabling easier management and assignment of policies to groups or organizational units.
User-Based Policies: Organizing clients in user mode allows policies to follow users across devices, providing consistent protection regardless of where the user logs in.
Streamlined Updates and Permissions: Integration with AD ensures that any changes in user accounts or groups are automatically reflected within SEPM, reducing administrative effort and potential errors in client organization.
This best practice enhances SEPM’s functionality by leveraging the established structure in AD.
Which SES security control protects a user against data leakage if they encounter a man-in-the-middle attack?
- A . IPv6 Tunneling
- B . IPS
- C . Firewall
- D . VPN
B
Explanation:
The Intrusion Prevention System (IPS) in Symantec Endpoint Security (SES) plays a crucial role in defending against data leakage during a man-in-the-middle (MITM) attack. Here’s how IPS protects in such scenarios:
Threat Detection: IPS monitors network traffic in real-time, identifying and blocking suspicious patterns that could indicate an MITM attack, such as unauthorized access attempts or abnormal packet patterns.
Prevention of Data Interception: By blocking these threats, IPS prevents malicious actors from intercepting or redirecting user data, thus safeguarding against data leakage.
Automatic Response: IPS is designed to respond immediately, ensuring that attacks are detected and mitigated before sensitive data can be compromised.
By providing proactive protection, IPS ensures that data remains secure even in the face of potential MITM threats.
What happens when an administrator adds a file to the deny list?
- A . The file is assigned to a chosen Deny List policy
- B . The file is assigned to the Deny List task list
- C . The file is automatically quarantined
- D . The file is assigned to the default Deny List policy
D
Explanation:
When an administrator adds a file to the deny list in Symantec Endpoint Protection, the file is automatically assigned to the default Deny List policy. This action results in the following:
Immediate Blocking: The file is blocked from executing on any endpoint where the Deny List policy is enforced, effectively preventing the file from causing harm.
Consistent Enforcement: Using the default Deny List policy ensures that the file is denied access across all relevant endpoints without the need for additional customization.
Centralized Management: Administrators can manage and review the default Deny List policy within SEPM, providing an efficient method for handling potentially harmful files across the network.
This default behavior ensures a swift response to threats by leveraging a centralized deny list policy.
What is a feature of Cynic?
- A . Local Sandboxing
- B . Forwarding event data to Security Information and Event Management (SIEM)
- C . Cloud Sandboxing
- D . Customizable OS Images
C
Explanation:
Cynic is a feature of Symantec Endpoint Security that provides cloud sandboxing capabilities. Cloud sandboxing allows Cynic to analyze suspicious files and behaviors in a secure, isolated cloud environment, identifying potential threats without risking harm to the internal network.
Here’s how it works:
File Submission to the Cloud: Suspicious files are sent to the cloud-based sandbox for deeper analysis.
Behavioral Analysis: Within the cloud environment, Cynic simulates various conditions to observe the behavior of the file, effectively detecting malware or other harmful actions.
Real-Time Threat Intelligence: Findings are quickly reported back, allowing Symantec Endpoint Protection to take prompt action based on the analysis.
Cloud sandboxing in Cynic provides a scalable, secure, and highly effective approach to advanced threat detection.
Which IPS signature type is primarily used to identify specific unwanted network traffic?
- A . Attack
- B . Audit
- C . Malcode
- D . Probe
A
Explanation:
Within Symantec Endpoint Protection’s Intrusion Prevention System (IPS), Attack signatures are specifically designed to identify and block known patterns of malicious network traffic.
Attack signatures focus on:
Recognizing Malicious Patterns: These signatures detect traffic associated with exploitation attempts, such as buffer overflow attacks, SQL injection attempts, or other common attack techniques.
Real-Time Blocking: Once identified, the IPS can immediately block the traffic, preventing the attack from reaching its target.
High Accuracy in Targeted Threats: Attack signatures are tailored to match malicious activities precisely, making them effective for detecting and mitigating specific types of unwanted or harmful network traffic.
Attack signatures, therefore, serve as a primary layer of defense in identifying and managing unwanted network threats.
Which SES advanced feature detects malware by consulting a training model composed of known good and known bad files?
- A . Signatures
- B . Reputation
- C . Artificial Intelligence
- D . Advanced Machine Learning
D
Explanation:
The Advanced Machine Learning feature in Symantec Endpoint Security (SES) uses a sophisticated model trained on a large dataset of known good and known bad files to detect malware effectively. Here’s how it functions:
Training Model: The model is built from extensive data on benign and malicious files, allowing it to discern patterns that indicate a file’s potential harm.
Predictive Malware Detection: Advanced Machine Learning can detect new and evolving malware strains without relying solely on traditional signature-based methods, offering proactive protection.
Real-Time Decision Making: When SES encounters a file, it consults this model to predict whether the file is likely harmful, enabling quick response to potential threats.
This feature strengthens SES’s ability to detect malware dynamically, enhancing endpoint security through intelligent analysis of file attributes.
Files are blocked by hash in the deny list policy.
Which algorithm is supported, in addition to MD5?
- A . SHA2
- B . SHA256
- C . SHA256 "salted"
- D . MD5 "Salted"
B
Explanation:
In Symantec Endpoint Protection (SEP), when files are blocked by hash in the deny list policy, SHA256 is supported in addition to MD5. SHA256 provides a more secure hashing algorithm compared to MD5 due to its longer hash length and higher resistance to collisions, making it effective for uniquely identifying and blocking malicious files based on their fingerprint.
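The fingerprint gathering behind the Application Content Rule question, the deny list question and the hash-algorithm question above, as an added Python illustration (not Symantec's tooling or a SEPM import format). It computes the MD5 and SHA-256 hex digests of a file in a streaming fashion and checks files against a small deny list that accepts either kind of digest. The `DenyList` class and its method names are this example's own, and the sample content stands in for a collected malware sample.

```python
"""File fingerprints for hash-based deny-list entries (added illustration,
not Symantec's own code).

Computes the MD5 and SHA-256 hex digests that SEP accepts for hash-based
blocking, and checks files against a small deny list holding either kind of
digest. The DenyList class and its method names are this example's own; the
constructed sample bytes below stand in for a collected malware sample.
"""
import hashlib
import io
import os
import tempfile
from typing import BinaryIO, Optional, Set, Tuple

HEX = set("0123456789abcdef")


def fingerprint_stream(stream: BinaryIO, chunk_size: int = 1 << 20) -> Tuple[str, str]:
    """Return (md5_hex, sha256_hex), hashing in chunks so a large binary is
    never read into memory at once."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        md5.update(chunk)
        sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def fingerprints_of_bytes(data: bytes) -> Tuple[str, str]:
    return fingerprint_stream(io.BytesIO(data))


def file_fingerprints(path: str) -> Tuple[str, str]:
    with open(path, "rb") as fh:
        return fingerprint_stream(fh)


class DenyList:
    """Holds MD5 (32 hex chars) and SHA-256 (64 hex chars) digests and reports
    which algorithm a file matched on."""

    def __init__(self) -> None:
        self._md5: Set[str] = set()
        self._sha256: Set[str] = set()

    def add(self, digest: str) -> str:
        """Normalise case/whitespace, validate, and file the digest by length."""
        d = digest.strip().lower()
        if not set(d) <= HEX:
            raise ValueError(f"not a hex digest: {digest!r}")
        if len(d) == 32:
            self._md5.add(d)
            return "md5"
        if len(d) == 64:
            self._sha256.add(d)
            return "sha256"
        raise ValueError(f"unsupported digest length {len(d)}: expected 32 (MD5) or 64 (SHA-256)")

    def _match(self, fps: Tuple[str, str]) -> Optional[str]:
        md5, sha256 = fps
        if sha256 in self._sha256:   # prefer the collision-resistant match
            return "sha256"
        if md5 in self._md5:
            return "md5"
        return None

    def match_bytes(self, data: bytes) -> Optional[str]:
        return self._match(fingerprints_of_bytes(data))

    def match_file(self, path: str) -> Optional[str]:
        return self._match(file_fingerprints(path))


# Constructed stand-in for a collected sample; any real sample would be hashed
# from disk with file_fingerprints().
SAMPLE = b"MZ\x90\x00constructed-sample-bytes-not-real-malware"


def demo() -> Tuple[Optional[str], Optional[str]]:
    """Write the sample to a temp file, deny it by SHA-256, and check both the
    original and a one-byte variant of it."""
    denylist = DenyList()
    denylist.add(fingerprints_of_bytes(SAMPLE)[1].upper())   # case does not matter
    with tempfile.TemporaryDirectory() as tmp:
        original = os.path.join(tmp, "sample.bin")
        variant = os.path.join(tmp, "sample-repacked.bin")
        with open(original, "wb") as fh:
            fh.write(SAMPLE)
        with open(variant, "wb") as fh:
            fh.write(SAMPLE + b"\x00")   # a single appended byte changes every hash
        return denylist.match_file(original), denylist.match_file(variant)


if __name__ == "__main__":
    hit, miss = demo()
    print(f"original sample matched on: {hit}; one-byte variant matched on: {miss}")
```

The variant result is the practical caveat: a hash entry identifies exactly one byte sequence, so repacked builds of the same malware pass it, which is why hash blocking is a fast containment step rather than the whole defence. Where the console accepts SHA-256, prefer it over MD5: MD5 collisions are cheap to construct, so two different files can be made to share an MD5 digest, whereas no such attack is known for SHA-256.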
What is the function of Symantec Insight?
- A . Provides reputation ratings for structured data
- B . Enhances the capability of Group Update Providers (GUP)
- C . Increases the efficiency and effectiveness of LiveUpdate
- D . Provides reputation ratings for binary executables
D
Explanation:
Symantec Insight is a technology that delivers reputation ratings for binary executables. This system leverages data from Symantec’s Global Intelligence Network, which aggregates information from millions of users worldwide. Here’s how it works:
File Reputation Database: Symantec Insight assigns a reputation score to each executable based on various factors, including prevalence, origin, and behavior.
Dynamic Decision Making: By consulting these ratings, SEP can dynamically determine if a file is safe or potentially harmful, allowing or blocking files accordingly.
Reduced False Positives: Insight helps reduce false positives, as it can distinguish between widely used legitimate files and rare, potentially risky files.
This reputation-based approach enhances protection by preemptively identifying suspicious files without relying on traditional signature-based detection alone.
What does a ranged query return or exclude?
- A . Data matching the exact field names and their values
- B . Data matching a regular expression
- C . Data falling between two specified values of a given field
- D . Data based on specific values for a given field
C
Explanation:
A ranged query in Symantec Endpoint Security returns or excludes data that falls between two specified values for a given field. This type of query is beneficial for filtering data within specific numeric or date ranges. For instance:
Numeric Ranges: Ranged queries can be used to filter data based on a range of values, such as finding log entries with file sizes between certain values.
Date Ranges: Similarly, ranged queries can isolate data entries within a specific date range, which is useful for time-bound analysis.
This functionality allows for more targeted data retrieval, making it easier to analyze and report specific subsets of data.
Which type of security threat continues to threaten endpoint security after a system reboot?
- A . file-less
- B . memory attack
- C . script
- D . Rootkit
D
Explanation:
A Rootkit is a type of security threat that can persist across system reboots, making it difficult to detect and remove. Rootkits operate by embedding themselves deep within the operating system, often at the kernel level, and they can disguise their presence by intercepting and modifying standard operating system functionality. Here’s how they maintain persistence:
Kernel-Level Integration: Rootkits modify core operating system files, allowing them to load during the boot process and remain active after reboots.
Stealth Techniques: By hiding from regular security checks, rootkits avoid detection by conventional anti-virus and anti-malware tools.
Persistence Mechanism: The modifications rootkits make ensure they start up again after each reboot, enabling continuous threat activity on the compromised system.
Due to their persistence and stealth, rootkits present significant challenges for endpoint security.
What information is required to calculate storage requirements?
- A . Number of endpoints, available bandwidth, available disk space, number of endpoint dumps, dump size
- B . Number of endpoints, EAR data per endpoint per day, number of days to retain, number of endpoint dumps, dump size
- C . Number of endpoints, available bandwidth, number of days to retain, number of endpoint dumps, dump size
- D . Number of endpoints, EAR data per endpoint per day, available disk space, number of endpoint dumps, dump size
B
Explanation:
Calculating storage requirements for Symantec Endpoint Security (SES) involves gathering specific information related to data retention and event storage needs. The required information includes:
Number of Endpoints: Determines the scale of data to be managed.
EAR Data per Endpoint per Day: Refers to the Endpoint Activity Recorder (EAR) data generated by each endpoint daily, affecting storage usage.
Number of Days to Retain: Indicates the data retention period, which impacts the total volume of stored data.
Number of Endpoint Dumps and Dump Size: These parameters define the size and number of memory dumps, which are essential for forensic analysis and troubleshooting.
Taken together, these inputs give a straightforward estimate: the activity data volume is roughly the number of endpoints multiplied by the EAR data per endpoint per day multiplied by the number of days to retain, and the dump volume is the number of endpoint dumps multiplied by the dump size; the sum, plus headroom for growth, is the capacity to plan for. This is why bandwidth and currently available disk space are not inputs: they constrain delivery and the current host, not the amount of data that must be kept.
The LiveUpdate Download Schedule is set to the default on the Symantec Endpoint Protection Manager (SEPM).
How many content revisions must the SEPM keep to ensure clients that check in to the SEPM every 10 days receive xdelta content packages instead of full content packages?
- A . 10
- B . 20
- C . 30
- D . 60
C
Explanation:
To ensure that clients checking in every 10 days receive xdelta content packages instead of full content packages, 30 content revisions must be retained on the Symantec Endpoint Protection Manager (SEPM). Here’s why:
Incremental Updates: xdelta packages are incremental updates that only download changes since the last update, conserving bandwidth and speeding up client updates.
Content Revision Retention: SEPM needs to retain a sufficient number of content revisions to allow clients that check in intermittently (such as every 10 days) to download incremental rather than full content packages.
Default Retention Recommendation: Symantec typically publishes about three certified content revisions per day, so covering a 10-day check-in gap requires roughly 3 × 10 = 30 retained revisions. Retaining 30 content revisions therefore ensures that clients are covered for up to 10 days of updates, meeting the requirement for xdelta delivery; a client whose last revision has already been purged falls back to a full content package.
This setup optimizes resource usage by reducing the load on network and client systems.
Which two (2) criteria are used by Symantec Insight to evaluate binary executables? (Select two.)
- A . Sensitivity
- B . Prevalence
- C . Confidentiality
- D . Content
- E . Age
BE
Explanation:
Symantec Insight uses Prevalence and Age as two primary criteria to evaluate binary executables. These metrics help determine the likelihood that a file is either benign or malicious based on its behavior across a broad user base:
Prevalence: This metric assesses how widely a file is used across Symantec’s global community. Files with higher prevalence are generally more likely to be safe, while rare files may pose higher risks.
Age: The age of a file is also considered. Older files with a stable reputation are less likely to be malicious, whereas newer, unverified files are scrutinized more closely.
Using these criteria, Symantec Insight provides reliable reputation ratings for binary files, enhancing endpoint security by preemptively identifying potential threats.
What must be entered before downloading a file from ICDm?
- A . Name
- B . Password
- C . Hash
- D . Date
C
Explanation:
Before downloading a file from the Integrated Cyber Defense Manager (ICDm), the hash of the file must be entered. The hash serves as a unique identifier for the file, ensuring that the correct file is downloaded and verifying its integrity. Here’s why this is necessary:
File Verification: By entering the hash, users confirm they are accessing the correct file, which prevents accidental downloads of unrelated or potentially harmful files.
Security Measure: The hash requirement adds an additional layer of security, helping to prevent unauthorized downloads or distribution of sensitive files.
This practice ensures accurate and secure file management within ICDm.
Which report template type should an administrator utilize to create a daily summary of network threats detected?
- A . Intrusion Prevention Report
- B . Blocked Threats Report
- C . Network Risk Report
- D . Access Violation Report
C
Explanation:
To create a daily summary of network threats detected, an administrator should use the Network Risk Report template. This report template provides a comprehensive overview of threats within the network, including:
Summary of Threats Detected: It consolidates data on threats, providing a summary of recent detections across the network.
Insight into Network Security Posture: The report helps administrators understand the types and frequency of network threats, enabling them to make informed decisions on security measures.
Daily Monitoring: Using this report on a daily basis allows administrators to maintain an up-to-date view of the network’s risk profile and respond promptly to emerging threats.
The Network Risk Report template is ideal for regular monitoring of network security events.