Question 1

Why is Active Directory a part of nearly every targeted attack?

Accepted Answer

C

Explanation: Active Directory (AD) is commonly targeted in attacks because it serves as a central directory for user identities, applications, and resources accessible across the network. This visibility makes it an attractive target for attackers to exploit for lateral movement, privilege escalation, and reconnaissance. Once compromised, AD provides attackers with significant insight into an organization’s internal structure, enabling further exploitation and access to sensitive data.

Question 2

What prevention technique does Threat Defense for Active Directory use to expose attackers?

Accepted Answer

C

Explanation: Threat Defense for Active Directory (TDAD) employs Honeypot Traps as a primary prevention technique to detect and expose attackers. These honeypot traps act as decoys within the network, mimicking legitimate Active Directory (AD) objects or data that would attract attackers aiming to gather AD information or exploit AD weaknesses. Honeypot Trap Functionality: Honeypot traps are strategically placed to appear as appealing targets, such as privileged accounts or critical directories, without being part of the actual AD infrastructure. When attackers interact with these traps, TDAD records their actions, which can then trigger alerts, allowing administrators to identify and monitor suspicious activities. Exposure and Mitigation: By enticing attackers to interact with fake assets, honeypot traps help expose malicious intentions and techniques. This information can be used for forensic analysis and to enhance future defenses. This technique allows organizations to expose potential threats proactively, before any real AD resources are compromised. Reference: This approach is part of Symantec’s Active Directory security strategies and utilizes honeypot mechanisms to deter and identify intruders in real-time​.

Question 3

In what order should an administrator configure the integration between SEDR and Symantec Endpoint Protection in order to maximize their benefits?

Accepted Answer

B

Explanation: To integrate Symantec Endpoint Detection and Response (SEDR) with Symantec Endpoint Protection (SEP) effectively, the recommended configuration order is ECC, Synapse, then Insight Proxy. Order of Configuration: ECC (Endpoint Communication Channel): This establishes the communication layer for SEDR and SEP integration, which is foundational for data exchange. Synapse: This integration uses data from ECC to correlate threat intelligence and provide context to detected threats. Insight Proxy: Configured last, Insight Proxy adds cloud-based file reputation lookups, enhancing detection capabilities with reputation scoring. Why This Order is Effective: Each component builds on the previous one, maximizing the value of integration by ensuring that foundational communication (ECC) is established before adding Synapse correlation and Insight Proxy reputation data. Reference: Configuring ECC, Synapse, and Insight Proxy in this order is considered best practice for optimizing integration benefits between SEDR and SEP​.

Question 4

What is the maximum number of SEPMs a single Management Platform is able to connect to?

Accepted Answer

A

Explanation: The maximum number of Symantec Endpoint Protection Managers (SEPMs) that a single Management Platform can connect to is 50. This limit ensures that the management platform can handle communication, policy distribution, and reporting across connected SEPMs without overloading the system. Significance of the 50 SEPM Limit: This limitation is in place to ensure stable performance and effective management, especially in large-scale deployments where multiple SEPMs are required to support extensive environments. Relevance in Large Enterprises: Organizations managing endpoints across multiple locations often use several SEPMs, and the platform’s 50-manager limit allows scalability while maintaining centralized management. Reference: The SEPM connection limits are documented as part of the architecture specifications for Symantec Endpoint Protection​.

Question 5

Performance on a SEPM is less than expected and generates intermittent errors. How could the system administrators be notified of performance issues?

Accepted Answer

D

Explanation: To notify administrators of performance issues on the SEPM, they should add a Server health alert. This type of alert is specifically designed to monitor the health of the SEPM, triggering notifications when performance drops or errors occur. Configuration Steps: Set up a Server health alert in the SEPM, specifying the conditions that define poor server health. Configure the alert frequency and designate an email address for notifications, ensuring that administrators receive timely updates. Why Other Options Are Incorrect: System event alerts (Option A) cover general system events but are less specific to performance. Authentication alerts (Option B) focus on login and access issues. Client security alerts (Option C) are related to endpoint security rather than SEPM server performance. Reference: Server health alerts are tailored for monitoring SEPM’s performance, making them the ideal choice for tracking server health​.

Question 6

What type of Threat Defense for Active Directory alarms are displayed after domain misconfigurations or hidden backdoors are detected?

Accepted Answer

D

Explanation: Dark Corners alarms are part of Threat Defense for Active Directory and are triggered when domain misconfigurations or hidden backdoors are detected within the directory environment. Here’s how this alarm functions: Detection of Hidden Threats: Dark Corners identifies and alerts administrators to hidden vulnerabilities within the Active Directory, such as unauthorized access paths or misconfigurations that could be exploited. Security Assurance: By identifying these issues, administrators can proactively address and rectify potential risks that are otherwise challenging to detect. Improved Active Directory Security: The Dark Corners alarm helps ensure that backdoors and misconfigurations do not provide attackers with hidden access points, strengthening the overall security posture of Active Directory. This feature allows for a deeper level of inspection within Active Directory, safeguarding against subtle yet critical security risks.

Question 7

Which type of security threat continues to threaten endpoint security after a system reboot?

Accepted Answer

D

Explanation: A Rootkit is a type of security threat that can persist across system reboots, making it difficult to detect and remove. Rootkits operate by embedding themselves deep within the operating system, often at the kernel level, and they can disguise their presence by intercepting and modifying standard operating system functionality. Here’s how they maintain persistence: Kernel-Level Integration: Rootkits modify core operating system files, allowing them to load during the boot process and remain active after reboots. Stealth Techniques: By hiding from regular security checks, rootkits avoid detection by conventional anti-virus and anti-malware tools. Persistence Mechanism: The modifications rootkits make ensure they start up again after each reboot, enabling continuous threat activity on the compromised system. Due to their persistence and stealth, rootkits present significant challenges for endpoint security.

Question 8

An organization recently experienced an outbreak and is conducting a health check of the
environment. What Protection Technology can the SEP team enable to control and monitor the
behavior of applications?

Accepted Answer

C

Explanation: Application Control in Symantec Endpoint Protection (SEP) provides the SEP team with the ability to control and monitor the behavior of applications. This technology enables administrators to set policies that restrict or allow specific application behaviors, effectively controlling the environment and reducing risk from unauthorized or harmful applications. Here’s how it works: Policy-Based Controls: Administrators can create policies that define which applications are allowed or restricted, preventing unauthorized applications from executing. Behavior Monitoring: Application Control can monitor application actions, detecting unusual or potentially harmful behaviors and alerting administrators. Enhanced Security: By controlling application behavior, SEP helps mitigate threats by preventing suspicious applications from affecting the environment, which is particularly valuable in post- outbreak recovery and ongoing health checks. Application Control thus strengthens endpoint defenses by enabling real-time management of application behaviors.

Question 9

What permissions does the Security Analyst Role have?

Accepted Answer

B

Explanation: The Security Analyst Role in Symantec Endpoint Protection has permissions to search endpoints, trigger dumps, and get & quarantine files. These permissions allow security analysts to investigate potential threats, gather data for further analysis, and isolate malicious files as needed. Capabilities of the Security Analyst Role: Search Endpoints: Analysts can perform searches across endpoints to locate suspicious files or artifacts. Trigger Dumps: This allows analysts to create memory dumps or other forensic data for in-depth investigation. Get & Quarantine Files: Analysts can quarantine files directly from endpoints, thereby mitigating threats and preventing further spread. Why Other Options Are Incorrect: Enrolling new sites (Option A) and creating device groups or policies (Options C and D) are typically reserved for administrators with broader access rights rather than for security analysts. Reference: The Security Analyst Role focuses on investigative and response actions, such as searching, dumping, and quarantining files​.

Question 10

Which other items may be deleted when deleting a malicious file from an endpoint?

Accepted Answer

A

Explanation: When a malicious file is deleted from an endpoint, registry entries that point to that file may also be deleted as part of the remediation process. Removing associated registry entries helps ensure that remnants of the malicious file do not remain in the system, which could otherwise allow the malware to persist or trigger errors if the system attempts to access the deleted file. Why Registry Entries are Deleted: Malicious software often creates registry entries to establish persistence on an endpoint. Deleting these entries as part of the file removal process prevents potential reinfection and removes any

Question 11

Which Firewall rule components should an administrator configure to block facebook.com use during business hours?

Accepted Answer

C

Explanation: To block facebook.com use during business hours, the SEP administrator should configure the Action, Hosts(s), and Schedule components within the Firewall rule. Explanation of Each Component: Action: Set to "Block" to deny access to the specified site. Hosts(s): Specify facebook.com as the target host, ensuring that all traffic to this domain is blocked. Schedule: Define the rule to apply only during business hours, ensuring that access is restricted within the designated time frame. Why Other Options Are Incorrect: Network Interface and Network Service (Options A and B) are not specific to blocking domain access. Application (Options B and D) is unnecessary if the goal is to block access based on domain and schedule. Reference: Configuring Action, Hosts, and Schedule within SEP firewall rules enables precise access control based on time and target domain​.

Question 12

How would an administrator specify which remote consoles and servers have access to the management server?

Accepted Answer

A

Explanation: To control which remote consoles and servers have access to the Symantec Endpoint Protection Management (SEPM) server, an administrator should edit the Server Properties and adjust the Server Communication Permission under the General tab. This setting specifies which remote systems are authorized to communicate with the management server, enhancing security by limiting access to trusted consoles and servers only. Adjusting the Server Communication Permission helps manage server access centrally and ensures only approved systems interact with the management server.

Question 13

Which SES security control protects a user against data leakage if they encounter a man-in-the- middle attack?

Accepted Answer

B

Explanation: The Intrusion Prevention System (IPS) in Symantec Endpoint Security (SES) plays a crucial role in defending against data leakage during a man-in-the-middle (MITM) attack. Here’s how IPS protects in such scenarios: Threat Detection: IPS monitors network traffic in real-time, identifying and blocking suspicious patterns that could indicate an MITM attack, such as unauthorized access attempts or abnormal packet patterns. Prevention of Data Interception: By blocking these threats, IPS prevents malicious actors from intercepting or redirecting user data, thus safeguarding against data leakage. Automatic Response: IPS is designed to respond immediately, ensuring that attacks are detected and mitigated before sensitive data can be compromised. By providing proactive protection, IPS ensures that data remains secure even in the face of potential MITM threats.

Question 14

Files are blocked by hash in the deny list policy. Which algorithm is supported, in addition to MD5?

Accepted Answer

B

Explanation: In Symantec Endpoint Protection (SEP), when files are blocked by hash in the deny list policy, SHA256 is supported in addition to MD5. SHA256 provides a more secure hashing algorithm compared to MD5 due to its longer hash length and higher resistance to collisions, making it effective for uniquely identifying and blocking malicious files based on their fingerprint.

Question 15

Which ICDm role is required in order to use LiveShell?

Accepted Answer

B

Explanation: The Administrator role is required to use LiveShell in Symantec’s Integrated Cyber Defense Manager (ICDm). LiveShell allows administrators to open a command-line interface on endpoints, providing direct access for troubleshooting and incident response. Why Administrator Role is Necessary: LiveShell grants high-level access to endpoints, so it is limited to users with Administrator privileges to prevent misuse and ensure only authorized personnel can initiate command-line sessions on endpoints. Why Other Roles Are Incorrect: Security Analyst (Option A) and Viewer (Option C) do not have the necessary permissions to execute commands on endpoints. Any (Option D) is incorrect because LiveShell access is restricted to the Administrator role for security reasons. Reference: Administrator permissions are required to utilize LiveShell, ensuring only authorized users can access endpoint command interfaces for troubleshooting or response​.

Free Broadcom 250-580 Actual Exam Questions