Broadcom 250-580 Endpoint Security Complete - R2 Technical Specialist Exam Practice Test

Page: 1 / 14
Total 150 questions
Question 1

Which term or expression is utilized when adversaries leverage existing tools in the environment?



Answer : D

Living off the land (LOTL) is a tactic where adversaries leverage existing tools and resources within the environment for malicious purposes. This approach minimizes the need to introduce new, detectable malware, instead using trusted system utilities and software already present on the network.

Characteristics of Living off the Land:

LOTL attacks make use of built-in utilities, such as PowerShell or Windows Management Instrumentation (WMI), to conduct malicious operations without triggering traditional malware defenses.

This method is stealthy and often bypasses signature-based detection, as the tools used are legitimate components of the operating system.

Why Other Options Are Incorrect:

Opportunistic attack (Option A) refers to attacks that exploit easily accessible vulnerabilities rather than using internal resources.

File-less attack (Option B) is a broader category that includes but is not limited to LOTL techniques.

Script kiddies (Option C) describes inexperienced attackers who use pre-made scripts rather than sophisticated, environment-specific tactics.


Question 2

A company allows users to create firewall rules. During the course of business, users are accidentally adding rules that block a custom internal application.

Which steps should the Symantec Endpoint Protection administrator take to prevent users from blocking the custom application?



Answer : B

To ensure that users cannot inadvertently block a custom internal application, the Symantec Endpoint Protection (SEP) administrator should create an Allow Firewall rule for the application and place it at the bottom of the firewall rules, above the blue line.

Explanation of Firewall Rule Placement:

Placing the allow rule above the blue line ensures it remains prioritized in SEP's firewall policy, meaning that user-created rules cannot override it.

This setup guarantees that the internal application is allowed through the firewall without disruption, while users can still create other firewall rules without affecting this critical application.

Why Other Options Are Less Effective:

Placing the rule below the blue line (Option A) would allow user-created rules to override it.

Creating an Allow All rule (Option C) could inadvertently allow other unnecessary traffic, which is a security risk.

Setting a rule based on network adapter type (Option D) does not guarantee that it will cover all instances of the custom application.


Question 3

What is the maximum number of endpoints a single SEDR Manager can support?



Answer : C

A single Symantec Endpoint Detection and Response (SEDR) Manager can support up to 100,000 endpoints. This maximum capacity allows the SEDR Manager to handle endpoint data processing, monitoring, and response for large-scale environments.

Scalability and Management:

SEDR Manager is designed to manage endpoint security for extensive networks efficiently. Supporting up to 100,000 endpoints provides enterprises with a centralized solution for comprehensive threat detection and response.

Why Other Options Are Incorrect:

200,000 endpoints (Option A) exceeds the designed capacity.

25,000 and 50,000 endpoints (Options B and D) are below the actual maximum capacity for a single SEDR Manager.


Question 4

What account type must the AD Gateway Service Account be assigned on the AD Gateway device for AD Synchronization to function correctly?



Answer : D

For AD Synchronization to function correctly, the AD Gateway Service Account on the AD Gateway device must be assigned as a Domain User. This role provides sufficient permissions to read Active Directory information for synchronization without requiring elevated privileges.

Role of the Domain User Account:

Domain User permissions allow the service account to access and synchronize necessary AD data, ensuring that the integration functions without unnecessary security risks associated with higher-level permissions.

Why Other Account Types Are Not Suitable:

Local Standard and Local Administrator (Options A and B) do not have the required permissions for domain-wide AD access.

Domain Administrator (Option C) provides excessive permissions, which are not needed for basic synchronization and could introduce unnecessary security risks.


Question 5

Which action does SONAR take before convicting a process?



Answer : D

SONAR (Symantec Online Network for Advanced Response) checks the reputation of a process before convicting it. This reputation-based approach evaluates the trustworthiness of the process by referencing Symantec's database, which is compiled from millions of endpoints, allowing SONAR to make informed decisions about whether the process is likely benign or malicious.

Reputation Checking in SONAR:

Before taking action, SONAR uses reputation data to reduce the likelihood of false positives, which ensures that legitimate processes are not incorrectly flagged as threats.

This check provides an additional layer of accuracy to SONAR's behavioral analysis.

Why Other Options Are Incorrect:

Quarantining (Option A) and blocking behavior (Option B) occur after SONAR has convicted a process, not before.

Restarting the system (Option C) is not part of SONAR's process analysis workflow.


Question 6

How does an administrator view all devices impacted by a suspicious file?



Answer : C

To view all devices impacted by a suspicious file, the administrator should go to the Discovered Items list, select the specific file, and then view the impacted devices from the Details page.

Steps to View Impacted Devices:

Navigate to the Discovered Items list within the management console.

Locate and select the suspicious file in question to open its Details page.

On the Details page, a list of devices associated with the file is displayed, providing insights into which endpoints are potentially impacted by the suspicious activity.

Why Other Options Are Less Suitable:

Options A and B do not provide the specific device list for a selected file.

Option D is incorrect as it implies selecting by device first rather than by suspicious file.


Question 7

From which source can an administrator retrieve the SESC Network Integrity agent for a Windows 10 S mode endpoint?



Answer : C

For Windows 10 in S mode, applications and agents like the Symantec Endpoint Security Complete (SESC) Network Integrity agent must be obtained from trusted sources, specifically the Microsoft Store. Windows 10 in S mode restricts installations to apps from the Microsoft Store to enhance security, thus requiring the SESC agent to be distributed through this channel.

Why the Microsoft Store:

Windows 10 in S mode is designed to only allow apps verified by Microsoft to ensure a controlled and secure environment.

By providing the Network Integrity agent through the Microsoft Store, Symantec ensures that it complies with S mode's security restrictions.

Why Other Options Are Not Suitable:

SESC Installation files (Option A), MDM distribution (Option B), and ICDm package (Option D) do not comply with Windows 10 S mode requirements.

