Which ICDm role is required in order to use LiveShell?
Answer : B
The Administrator role is required to use LiveShell in Symantec's Integrated Cyber Defense Manager (ICDm). LiveShell allows administrators to open a command-line interface on endpoints, providing direct access for troubleshooting and incident response.
Why the Administrator Role Is Necessary:
LiveShell grants high-level access to endpoints, so it is limited to users with Administrator privileges to prevent misuse and ensure only authorized personnel can initiate command-line sessions on endpoints.
Why Other Roles Are Incorrect:
Security Analyst (Option A) and Viewer (Option C) do not have the necessary permissions to execute commands on endpoints.
Any (Option D) is incorrect because LiveShell access is restricted to the Administrator role for security reasons.
A user is unknowingly about to connect to a malicious website and download a known threat within a .rar file. All Symantec Endpoint Protection technologies are installed on the client's system.
Through which feature sets, and in what order, must the threat pass to successfully infect the system?
Answer : B
When a user attempts to connect to a malicious website and download a known threat, the threat passes through SEP's Firewall, Intrusion Prevention System (IPS), and Download Insight in that order. This layered approach helps prevent threats at different stages of the attack chain.
Threat Path Through SEP Protection Features:
Firewall: Blocks or allows network connections based on policy, filtering initial traffic to potentially dangerous sites.
IPS: Monitors and blocks known patterns of malicious activity, such as suspicious URLs or network behavior, providing another layer of defense.
Download Insight: Analyzes file reputation and blocks known malicious files based on reputation data, which is especially effective for files within archives like .rar files.
Why This Order Is Effective:
Each layer serves as a checkpoint: the Firewall controls network access, IPS scans for malicious traffic, and Download Insight assesses files for risk upon download, ensuring thorough protection.
Why Other Orders Are Incorrect:
Options with Download Insight or IPS preceding the Firewall do not match SEP's operational order of defense.
What happens when a device fails a Host Integrity check?
Answer : C
When a device fails a Host Integrity check in Symantec Endpoint Protection (SEP), it is quarantined. This means that the device's access to network resources may be restricted to prevent potential security risks from spreading within the network. Quarantine helps contain devices that do not meet the configured security standards, protecting the overall network integrity.
Purpose of Quarantine on Host Integrity Failure:
Host Integrity checks ensure that endpoint devices comply with security policies, such as having up-to-date antivirus signatures or required patches.
If a device fails this check, quarantine limits its network connectivity, enabling remediation actions without exposing the network to possible risks from the non-compliant device.
Why Other Options Are Less Suitable:
Antimalware scans (Option A) and device restarts (Option B) are not default responses to integrity check failures.
Administrative notifications (Option D) may be logged but do not provide containment as quarantine does.
Which type of security threat is used by attackers to exploit vulnerable applications?
Answer : A
Lateral Movement is the type of security threat used by attackers to exploit vulnerable applications and move across systems within a network. This technique allows attackers to gain access to multiple systems by exploiting vulnerabilities in applications, thereby advancing deeper into the network.
Understanding Lateral Movement:
Lateral movement involves exploiting software vulnerabilities to access additional systems and data resources.
Attackers use this method to spread their influence within a compromised network, often leveraging application vulnerabilities to pivot to other systems.
Why Other Options Are Incorrect:
Privilege Escalation (Option B) focuses on gaining higher access rights on a single system.
Credential Access (Option C) involves stealing login credentials rather than exploiting applications.
Command and Control (Option D) refers to the communication between compromised devices and an attacker's server, not the exploitation of applications.
Administrators at a company share a single terminal for configuring Symantec Endpoint Protection. The administrators want to ensure that each administrator using the console is forced to authenticate using their individual credentials. They are concerned that administrators may forget to log off the terminal, which would easily allow others to gain access to the Symantec Endpoint Protection Manager (SEPM) console.
Which setting should the administrator disable to minimize the risk of non-authorized users logging into the SEPM console?
Answer : A
To reduce the risk of unauthorized access when administrators forget to log off, the setting 'Allow users to save credentials when logging on' should be disabled in Symantec Endpoint Protection Manager (SEPM). Disabling this option ensures that administrators are required to enter their credentials each time they access the SEPM console, preventing automatic logins and reducing the chance of someone else gaining access without permission.
Purpose of Disabling Saved Credentials:
By preventing credential saving, SEPM forces each administrator to authenticate manually on every session, thus improving security.
This setting is particularly useful in shared environments, as it prevents the console from retaining login information when an administrator fails to log out.
Why Other Options Are Less Relevant:
Delete clients that have not connected (Option B) pertains to endpoint clients, not administrator logins.
Lock account after unsuccessful attempts (Option C) protects against brute-force attempts but does not address saved credentials.
Allow administrators to reset passwords (Option D) is related to password management rather than login persistence.
In what order should an administrator configure the integration between SEDR and Symantec Endpoint Protection in order to maximize their benefits?
Answer : B
To integrate Symantec Endpoint Detection and Response (SEDR) with Symantec Endpoint Protection (SEP) effectively, the recommended configuration order is ECC, Synapse, then Insight Proxy.
Order of Configuration:
ECC (Endpoint Communication Channel): This establishes the communication layer for SEDR and SEP integration, which is foundational for data exchange.
Synapse: This integration uses data from ECC to correlate threat intelligence and provide context to detected threats.
Insight Proxy: Configured last, Insight Proxy adds cloud-based file reputation lookups, enhancing detection capabilities with reputation scoring.
Why This Order Is Effective:
Each component builds on the previous one, maximizing the value of integration by ensuring that foundational communication (ECC) is established before adding Synapse correlation and Insight Proxy reputation data.
An administrator is troubleshooting a Symantec Endpoint Protection (SEP) replication.
Which component log should the administrator check to determine whether the communication between the two sites is working correctly?
Answer : B
For troubleshooting Symantec Endpoint Protection (SEP) replication, the administrator should check the Tomcat logs. Tomcat handles the SEP management console's web services, including replication communication between different SEP sites.
Role of Tomcat in SEP Replication:
Tomcat provides the HTTP/S services used for SEP Manager-to-Manager communication during replication. Checking these logs helps verify whether there are issues in the web services layer that might prevent replication.
Why Other Logs Are Less Relevant:
Apache Web Server is not typically involved in SEP's internal replication.
SQL Server manages data storage but does not handle the replication communications directly.
Group Update Provider (GUP) is related to client content distribution, not site-to-site replication.