Broadcom 250-580 Endpoint Security Complete - R2 Technical Specialist Exam Practice Test

Page: 1 / 14
Total 150 questions
Question 1

Which SEP feature is required for using the SEDR Isolate function?



Answer : C

The Host Integrity Policy in Symantec Endpoint Protection (SEP) is required for using the Isolate function in Symantec Endpoint Detection and Response (SEDR). Host Integrity enables administrators to enforce security compliance on endpoints and is essential for isolation functions, ensuring that non-compliant or compromised systems are restricted from communicating with the network.

How Host Integrity Policy Supports Isolation:

By enforcing Host Integrity, SEP can ensure that endpoints adhere to security requirements before they are allowed network access, and if they do not comply, they can be isolated.

This policy provides the framework that integrates with SEDR's isolate function for responsive threat containment.

Why Other Options Are Not Suitable:

Host Isolation Policy (Option A) is not an actual SEP feature.

Application Control (Option B) manages application behavior but is not tied to endpoint isolation.

Application Detection (Option D) identifies applications but does not handle isolation.


Question 2

An administrator needs to increase the access speed for client files that are stored on a file server. Which configuration should the administrator review to address the read speed from the server?



Answer : A

To improve access speed for client files stored on a file server, the administrator should Enable Network Cache within the client's Virus and Spyware Protection policy. This setting allows client machines to cache scanned files from the network, thus reducing redundant scans and increasing read speed from the server.

How Network Cache Enhances Read Speed:

When Network Cache is enabled, previously scanned files are cached, allowing subsequent access without re-scanning, which decreases latency and improves access speed.

Why Other Options Are Less Effective:

Adding the server to a trusted host group (Option B) does not directly impact file read speeds.

Creating a firewall allow rule (Option C) allows connectivity but does not affect the speed of file access.

Enabling download randomization (Option D) only staggers update downloads and does not relate to read speeds from a file server.


Question 3

What type of policy provides a second layer of defense, after the Symantec firewall?



Answer : C

The Intrusion Prevention System (IPS) provides a second layer of defense after the Symantec firewall. While the firewall controls access and traffic flow at the network perimeter, IPS actively monitors and inspects incoming and outgoing traffic for signs of malicious activity, such as exploit attempts and suspicious network patterns.

How IPS Complements the Firewall:

The firewall acts as the first layer of defense, blocking unauthorized access based on rules and policies.

IPS then inspects allowed traffic in real-time, identifying and blocking attacks that may evade basic firewall rules, such as known exploits and abnormal network behaviors.

Why Other Options Are Less Effective:

Virus and Spyware (Option A) focuses on malware detection within files and programs, not network defense.

Host Integrity (Option B) is related to compliance, and System Lockdown (Option D) controls application execution but does not monitor network traffic.


Question 4

Which type of activity recorder does EDR provide?



Answer : B

Symantec Endpoint Detection and Response (EDR) provides an Endpoint activity recorder to monitor, log, and analyze behaviors on endpoints. This feature captures various endpoint activities such as process execution, file modifications, and network connections, which are essential for detecting and investigating potential security incidents.

Purpose of Endpoint Activity Recorder:

The endpoint activity recorder helps track specific actions and behaviors on endpoints, providing insights into potentially suspicious or malicious activity.

This data is valuable for incident response and for understanding how threats may have propagated across the network.

Why Other Options Are Not Suitable:

Virtual (Option A), Email (Option C), and Temporary (Option D) do not accurately represent the continuous and comprehensive nature of endpoint activity monitoring.


Question 5

A company deploys Symantec Endpoint Protection (SEP) to 50 virtual machines running on a single ESXi host.

Which configuration change can the administrator make to minimize sudden IOPS impact on the ESXi server while each SEP endpoint communicates with the Symantec Endpoint Protection Manager?



Answer : C

To minimize sudden IOPS impact on the ESXi server due to SEP endpoint communication, the administrator should increase the download randomization window. This configuration change helps spread out the timing of SEP updates across virtual machines, reducing the simultaneous I/O load on the server.

Effect of Download Randomization:

By increasing the randomization window, updates are downloaded at staggered intervals rather than all at once, lowering the burst IOPS demand.

This is especially beneficial in virtualized environments where multiple VMs are hosted on a single ESXi server, as it prevents performance degradation from high IOPS activity.

Why Other Options Are Less Effective:

Increasing Download Insight sensitivity (Option A) has no impact on IOPS.

Reducing the heartbeat interval (Option B) could increase communication frequency, potentially raising IOPS.

Reducing content revisions (Option D) affects storage size but does not control update IOPS.


Question 6

The Behavioral Heat Map indicates that a specific application and a specific behavior are never used together. What action can be safely set for the application behavior in a Behavioral Isolation policy?



Answer : A

In Symantec EDR's Behavioral Isolation policy, if the Behavioral Heat Map indicates that a specific application and a particular behavior are never used together, setting the action to Deny for that application behavior is a safe response. This prevents potential misuse by blocking the unusual behavior, which could indicate a security risk.

Rationale for Denying the Behavior:

If historical data shows that this behavior does not normally occur with the application, it suggests that any attempt to initiate it could be anomalous or malicious. Blocking this behavior helps prevent unexpected activities that could be exploited by threats.

Why Other Actions Are Less Appropriate:

Allow (Option B) would permit potentially risky behavior.

Delete (Option C) does not apply in this context, as it is not an action for behavior control.

Monitor (Option D) would only log the behavior but does not provide active protection, which is critical when the behavior is atypical.


Question 7

What are the two (2) locations where an Incident Responder should gather data for an After Actions Report in SEDR? (Select two)



Answer : A, C

For an After Actions Report in Symantec EDR, an Incident Responder should gather data from both the Incident Manager and Syslog:

Incident Manager:

This is the primary interface for tracking incidents, where responders can review incident details, timeline, response actions, and associated IoCs. It provides a full view of the case, including actions taken and the threat's impact on the environment.

Syslog:

Syslog captures logs and alerts from various network devices and security systems, providing valuable information on system events related to the incident. Collecting syslog data helps in analyzing broader network impacts and documenting incident response activities.

Why Other Options Are Less Suitable:

Policies (Option B) are not directly relevant to specific incident details.

Action Manager (Option D) tracks response actions but lacks the comprehensive case view provided by Incident Manager.

Endpoint Search (Option E) is a tool for querying endpoint data but is not a centralized reporting source.


Page:    1 / 14   
Total 150 questions