Which option should an administrator utilize to temporarily or permanently block a file?
Answer: D
To temporarily or permanently block a file, the administrator should use the Deny List option. Adding a file to the Deny List prevents it from executing or being accessed on the system, providing a straightforward way to block suspicious or unwanted files.
Functionality of Deny List:
Files on the Deny List are effectively blocked from running, which can be applied either temporarily or permanently depending on security requirements.
This list allows administrators to manage potentially malicious files by preventing them from executing across endpoints.
Why Other Options Are Not Suitable:
Delete (Option A) is a one-time action and does not prevent future attempts to reintroduce the file.
Hide (Option B) conceals files but does not restrict access.
Encrypt (Option C) secures the file's data but does not prevent access or execution.
An organization would like to use a content distribution method that centrally controls content types and versions. Almost all of their endpoints are running Windows.
What type of content distribution method should be used?
Answer: C
For centralized control over content types and versions, the organization should use an Internal LiveUpdate Server. This content distribution method allows administrators to centrally manage which updates and definitions are available for endpoints, providing flexibility and control over update timing and content.
Benefits of an Internal LiveUpdate Server:
This server enables administrators to decide which content versions to distribute to endpoints, ensuring that all clients are updated consistently according to the organization's policies.
It supports Windows environments efficiently, distributing required updates without relying on external sources.
Why Other Options Are Less Suitable:
Management Server (Option A) can provide content updates but does not offer the same centralized version control.
Group Update Provider (Option B) distributes content locally within groups but lacks centralized control over content versions.
External LiveUpdate Server (Option D) pulls updates directly from Symantec, limiting internal control over version and content type.
What permissions does the Security Analyst Role have?
Answer: B
The Security Analyst Role in Symantec Endpoint Protection has permissions to search endpoints, trigger dumps, and get & quarantine files. These permissions allow security analysts to investigate potential threats, gather data for further analysis, and isolate malicious files as needed.
Capabilities of the Security Analyst Role:
Search Endpoints: Analysts can perform searches across endpoints to locate suspicious files or artifacts.
Trigger Dumps: This allows analysts to create memory dumps or other forensic data for in-depth investigation.
Get & Quarantine Files: Analysts can quarantine files directly from endpoints, thereby mitigating threats and preventing further spread.
Why Other Options Are Incorrect:
Enrolling new sites (Option A) and creating device groups or policies (Options C and D) are typically reserved for administrators with broader access rights rather than for security analysts.
An administrator needs to identify infected computers that require a restart to finish remediation of a threat. What steps in the SEPM should an administrator perform to identify and restart the systems?
Answer: A
To identify computers that need a restart to complete threat remediation, the administrator should perform the following steps.
Steps for Identification and Action:
View the Computer Status log in the Symantec Endpoint Protection Manager (SEPM) to see if any computers are flagged as needing a restart.
Once identified, the administrator can go to the Risk log and run a command to initiate a restart on those systems, thereby completing the remediation process.
Why This Method Is Effective:
The Computer Status log provides comprehensive information on the current state of each endpoint, including whether a restart is pending.
Risk log commands enable administrators to remotely trigger actions such as reboots on endpoints impacted by malware.
Why Other Options Are Incorrect:
Other options suggest using logs like SONAR or Attack logs to trigger restarts, which do not provide the necessary functionality for identifying and restarting systems in need of final remediation.
Which other items may be deleted when deleting a malicious file from an endpoint?
Answer: A
When a malicious file is deleted from an endpoint, registry entries that point to that file may also be deleted as part of the remediation process. Removing associated registry entries helps ensure that remnants of the malicious file do not remain in the system, which could otherwise allow the malware to persist or trigger errors if the system attempts to access the deleted file.
Why Registry Entries are Deleted:
Malicious software often creates registry entries to establish persistence on an endpoint. Deleting these entries as part of the file removal process prevents potential reinfection and removes any references to the deleted file, which aids in full remediation.
Why Other Options Are Incorrect:
Incidents related to the file (Option B) are tracked separately and typically remain in logs for historical reference.
SEP Policies (Option C) are not associated with specific files and thus are unaffected by file deletion.
Files and libraries that point to the file (Option D) are not automatically deleted; only direct registry entries related to the file are addressed.
What does a medium-priority incident indicate?
Answer: A
A medium-priority incident in Symantec's framework indicates that the incident may have an impact on the business. This priority level suggests that while the incident is not immediately critical, it still poses a potential risk to business operations and should be addressed.
Understanding Medium-Priority Impact:
Medium-priority incidents are not severe enough to cause immediate operational disruption but may still affect business processes or data security if left unresolved.
Prompt action is recommended to prevent escalation or downstream effects on business functions.
Why Other Options Are Incorrect:
Business outage (Option B) would likely be classified as high priority.
No impact on critical operations (Option C) would suggest a lower priority.
Safe to ignore (Option D) does not reflect the importance of addressing medium-priority incidents.
Which SEP feature is required for using the SEDR Isolate function?
Answer: C
The Host Integrity Policy in Symantec Endpoint Protection (SEP) is required for using the Isolate function in Symantec Endpoint Detection and Response (SEDR). Host Integrity enables administrators to enforce security compliance on endpoints and is essential for isolation functions, ensuring that non-compliant or compromised systems are restricted from communicating with the network.
How Host Integrity Policy Supports Isolation:
By enforcing Host Integrity, SEP can ensure that endpoints adhere to security requirements before they are allowed network access, and if they do not comply, they can be isolated.
This policy provides the framework that integrates with SEDR's isolate function for responsive threat containment.
Why Other Options Are Not Suitable:
Host Isolation Policy (Option A) is not an actual SEP feature.
Application Control (Option B) manages application behavior but is not tied to endpoint isolation.
Application Detection (Option D) identifies applications but does not handle isolation.