オンライン250-580テストブレーン問題集とテストエンジン [Q39-Q61]

Share

オンライン250-580テストブレーン問題集とテストエンジン

リアルSymantec 250-580試験問題集には正解152問題と解答があります


Symantec 250-580 認定試験の出題範囲:

トピック出題範囲
トピック 1
  • Responding to Threats with ICDm: This section evaluates the skills related to using ICDm security control dashboards. Candidates will describe how these dashboards function and their role in identifying threats within an environment, focusing on the incident lifecycle and necessary steps for threat identification.
トピック 2
  • Threat Defense for Active Directory: This section measures skills related to Threat Defense for Active Directory installation and configuration. Candidates will describe the policies involved in protecting Active Directory environments, ensuring they understand how to secure critical organizational assets.
トピック 3
  • Preventing File-Based Attacks with SEP Layered Security: This section of the exam covers preventing file-based attacks using layered security approaches within SEP.
トピック 4
  • Understanding Policies for Endpoint Protection: This section of the exam measures the skills of Endpoint Security Operations Administrators and covers how policies are utilized to protect endpoint devices. Candidates will learn about the various policy types and their roles in safeguarding systems against threats, emphasizing the importance of policy management in endpoint security.
トピック 5
  • Mobile and Modern Device Security: This domain focuses on mobile device security requirements, particularly regarding Network Integrity within the ICDm management console. Candidates will learn about configuring Network Integrity policies to ensure secure operations for modern devices.

 

質問 # 39
An organization recently experienced an outbreak and is conducting a health check of the environment. What Protection Technology can the SEP team enable to control and monitor the behavior of applications?

  • A. Application Control
  • B. System Lockdown
  • C. Behavior Monitoring (SONAR)
  • D. Host Integrity

正解:A

解説:
Application Controlin Symantec Endpoint Protection (SEP) provides the SEP team with the ability to control and monitor the behavior of applications. This technology enables administrators to set policies that restrict or allow specific application behaviors, effectively controlling the environment and reducing risk from unauthorized or harmful applications. Here's how it works:
* Policy-Based Controls:Administrators can create policies that define which applications are allowed or restricted, preventing unauthorized applications from executing.
* Behavior Monitoring:Application Control can monitor application actions, detecting unusual or potentially harmful behaviors and alerting administrators.
* Enhanced Security:By controlling application behavior, SEP helps mitigate threats by preventing suspicious applications from affecting the environment, which is particularly valuable in post-outbreak recovery and ongoing health checks.
Application Control thus strengthens endpoint defenses by enabling real-time management of application behaviors.


質問 # 40
A company uses a remote administration tool that is detected as Hacktool.KeyLoggPro and quarantined by Symantec Endpoint Protection (SEP).
Which step can an administrator perform to continue using the remote administration tool without detection by SEP?

  • A. Create a SONAR exception for the tool
  • B. Create a Known Risk exception for the tool
  • C. Create an Application to Monitor exception for the tool
  • D. Create a Tamper Protect exception for the tool

正解:B

解説:
To allow the use of aremote administration tool detected as Hacktool.KeyLoggProwithout interference from SEP, the administrator should create aKnown Risk exceptionfor the tool. This exception type allows specific files or applications to bypass detection, thereby avoiding quarantine or blocking actions.
* Steps to Create a Known Risk Exception:
* In the SEP management console, navigate toPolicies > Exceptions.
* Choose to create aKnown Risk exceptionand specify the tool's executable file or file path to prevent SEP from identifying it as a threat.
* Why Known Risk Exception is Appropriate:
* This type of exception is designed for tools that SEP detects as potentially risky (like hacktools or keyloggers) but are authorized for legitimate use by the organization.
* Creating this exception allows the tool to operate without being flagged or quarantined.
* Reasons Other Options Are Less Effective:
* Tamper Protect exceptionsonly prevent SEP from being tampered with by other applications.
* Application to Monitor exceptionsmonitor applications without preventing quarantine actions.
* SONAR exceptionsare specific to behavior-based detections, not risk definitions.
References: Creating Known Risk exceptions is the recommended approach when allowing specific tools in SEP that may otherwise be detected as threats.


質問 # 41
Which Incident View widget shows the parent-child relationship of related security events?

  • A. The Events Widget
  • B. The Process Lineage Widget
  • C. The Incident Graph Widget
  • D. The Incident Summary Widget

正解:B

解説:
TheProcess Lineage Widgetin the Incident View of Symantec Endpoint Security provides a visual representation of theparent-child relationshipamong related security events, such as processes or activities stemming from a primary malicious action. This widget is valuable for tracing the origins and propagation paths of potential threats within a system, allowing security teams to identify the initial process that triggered subsequent actions. By displaying this hierarchical relationship, the Process Lineage Widget supports in-depth forensic analysis, helping administrators understand how an incident unfolded and assess the impact of each related security event in context.


質問 # 42
The Behavioral Heat Map indicates that a specific application and a specific behavior are never used together.
What action can be safely set for the application behavior in a Behavioral Isolation policy?

  • A. Monitor
  • B. Deny
  • C. Delete
  • D. Allow

正解:B

解説:
In Symantec EDR's Behavioral Isolation policy, if theBehavioral Heat Mapindicates that a specific application and a particular behavior are never used together, setting the action toDenyfor that application behavior is a safe response. This prevents potential misuse by blocking the unusual behavior, which could indicate a security risk.
* Rationale for Denying the Behavior:
* If historical data shows that this behavior does not normally occur with the application, it suggests that any attempt to initiate it could be anomalous or malicious. Blocking this behavior helps prevent unexpected activities that could be exploited by threats.
* Why Other Actions Are Less Appropriate:
* Allow(Option B) would permit potentially risky behavior.
* Delete(Option C) does not apply in this context, as it is not an action for behavior control.
* Monitor(Option D) would only log the behavior but does not provide active protection, which is critical when the behavior is atypical.
References: Setting aDenyaction based on Behavioral Heat Map insights aligns with best practices for proactive threat prevention in Symantec EDR.


質問 # 43
Which term or expression is utilized when adversaries leverage existing tools in the environment?

  • A. living off the land
  • B. file-less attack
  • C. script kiddies
  • D. opportunistic attack

正解:A

解説:
Living off the land(LOTL) is a tactic where adversaries leverageexisting tools and resources within the environmentfor malicious purposes. This approach minimizes the need to introduce new, detectable malware, instead using trusted system utilities and software already present on the network.
* Characteristics of Living off the Land:
* LOTL attacks make use of built-in utilities, such as PowerShell or Windows Management Instrumentation (WMI), to conduct malicious operations without triggering traditional malware defenses.
* This method is stealthy and often bypasses signature-based detection, as the tools used are legitimate components of the operating system.
* Why Other Options Are Incorrect:
* Opportunistic attack(Option A) refers to attacks that exploit easily accessible vulnerabilities rather than using internal resources.
* File-less attack(Option B) is a broader category that includes but is not limited to LOTL techniques.
* Script kiddies(Option C) describes inexperienced attackers who use pre-made scripts rather than sophisticated, environment-specific tactics.
References: Living off the land tactics leverage the environment's own tools, making them difficult to detect and prevent using conventional anti-malware strategies.


質問 # 44
If an administrator enables the setting to manage policies from the cloud, what steps must be taken to reverse this process?

  • A. Revoke policies from ICDm
  • B. Revoke policies from SEPM
  • C. Navigate to ICDm > Enrollment and disable the setting
  • D. Unenroll the SEPM > Disable the setting > Re-enroll the SEPM

正解:D

解説:
If an administrator has enabled the setting to manage policies from the cloud and needs to reverse this, they must follow these steps:
* Unenroll the SEPM (Symantec Endpoint Protection Manager)from the cloud management (ICDm).
* Disable the cloud policy management settingwithin the SEPM.
* Re-enroll the SEPMback into the cloud if required.
This process ensures that policy control is reverted from cloud management to local management on the SEPM. By following these steps, administrators restore full local control over policies, disabling any cloud- based management settings previously in effect.


質問 # 45
Which default role has the most limited permission in the Integrated Cyber Defense Manager?

  • A. Restricted Administrator
  • B. Server Administrator
  • C. Limited Administrator
  • D. Endpoint Console Domain Administrator

正解:A

解説:
TheRestricted Administratorrole in theIntegrated Cyber Defense Manager (ICDm)has themost limited permissionsamong the default roles. This role is intended for users who need access to basic functionality without any critical or high-level administrative capabilities, ensuring a lower risk of accidental or unauthorized changes.
* Role of Restricted Administrator:
* Restricted Administrators have highly constrained access, typically limited to viewing specific information and performing minimal actions.
* Why Other Roles Are Incorrect:
* Endpoint Console Domain Administrator(Option A) andServer Administrator(Option B) have broader permissions to manage endpoint settings and server configurations.
* Limited Administrator(Option D) has more permissions than Restricted Administrator, though still not full access.
References: The Restricted Administrator role provides minimal permissions, ensuring limited system access and reducing security risks associated with more privileged roles.


質問 # 46
Which report template type should an administrator utilize to create a daily summary of network threats detected?

  • A. Intrusion Prevention Report
  • B. Blocked Threats Report
  • C. Access Violation Report
  • D. Network Risk Report

正解:D

解説:
To create a daily summary of network threats detected, an administrator should use theNetwork Risk Report template. This report template provides a comprehensive overview of threats within the network, including:
* Summary of Threats Detected:It consolidates data on threats, providing a summary of recent detections across the network.
* Insight into Network Security Posture:The report helps administrators understand the types and frequency of network threats, enabling them to make informed decisions on security measures.
* Daily Monitoring:Using this report on a daily basis allows administrators to maintain an up-to-date view of the network's risk profile and respond promptly to emerging threats.
The Network Risk Report template is ideal for regular monitoring of network security events.


質問 # 47
Why is it important for an Incident Responder to review Related Incidents and Events when analyzing an incident for an After Actions Report?

  • A. It ensures that the Incident is resolved, and the threat does not continue to spread to other parts of the environment.
  • B. It ensures that the Incident is resolved, and future threats are automatically remediated.
  • C. It ensures that the Incident is resolved, and the responder is able to close the incident in the SEDR manager.
  • D. It ensures that the Incident is resolved, and the responder can determine the best remediation method.

正解:D

解説:
ReviewingRelated Incidents and Eventsis crucial for an Incident Responder when preparing anAfter Actions Reportbecause it ensures that the Incident is fully resolved and allows the responder toidentify the most effective remediation method. This process provides a comprehensive understanding of the incident's impact and helps in implementing measures to prevent recurrence.
* Benefits of Reviewing Related Incidents and Events:
* By analyzing related incidents and events, the responder gains insights into the incident's scope, underlying causes, and any connections to other incidents, which can inform a more targeted and effective remediation strategy.
* This thorough review can also help uncover patterns or vulnerabilities that were exploited, guiding future preventative measures.
* Why Other Options Are Less Comprehensive:
* Options A and B focus on immediate resolution but do not cover the importance of identifying the best remediation methods.
* Option C relates to closing the incident but does not address the broader need for detailed remediation strategies.
References: Reviewing related incidents is a best practice in incident response for comprehensive resolution and informed remediation in Symantec EDR environments.


質問 # 48
Which of the following are considered entities in SES Complete?

  • A. Domain, Endpoint, File
  • B. Domain, File, Process
  • C. Endpoint, File, Process
  • D. Domain, Endpoint, Process

正解:C

解説:
InSymantec Endpoint Security Complete (SES Complete), the primary entities tracked includeEndpoint, File, and Process. These entities represent the core components that SES Complete monitors and analyzes to detect, assess, and respond to potential threats.
* Roles of Each Entity:
* Endpoint: Represents devices within the environment, providing a focal point for security monitoring.
* File: Refers to individual files that may be subject to threat detection and response actions.
* Process: Encompasses active processes that could exhibit suspicious behaviors or be involved in attacks.
* Why Other Options Are Incorrect:
* Other combinations (Options B, C, and D) includeDomain, which is not classified as a primary entity within SES Complete.
References: SES Complete entities focus on Endpoint, File, and Process for in-depth monitoring and response.


質問 # 49
An organization has several Symantec Endpoint Protection Management (SEPM) Servers without access to the internet. The SEPM can only run LiveUpdate within a specified "maintenance window" outside of business hours.
What content distribution method should the organization utilize?

  • A. Internal LiveUpdate
  • B. JDB file
  • C. External LiveUpdate
  • D. Group Update Provider

正解:B

解説:
For organizations with Symantec Endpoint Protection Manager (SEPM) servers that do not have internet access and require updates only within a specific maintenance window, theJDB filemethod is an effective solution:
* Offline Content Distribution:JDB files can be downloaded on an internet-connected device and then manually transferred to SEPM, allowing it to update content offline.
* Flexible Timing:Since JDB files can be applied during the maintenance window, this method adheres to time restrictions, avoiding disruption during business hours.
Using JDB files ensures that SEPM remains updated in environments with limited connectivity or strict operational schedules.


質問 # 50
Which action is provided by Symantec EDR for the rapid remediation of impacted endpoints?

  • A. Automatically stopping suspicious behaviors & unknown threats
  • B. Block Listing or Allow Listing of specific files
  • C. Detonate Memory Exploits in conjunction with SEP
  • D. Quickly filtering for specific attributes

正解:B

解説:
Symantec Endpoint Detection and Response (EDR) providesBlock Listing or Allow Listingof specific files as a rapid remediation action. This feature enables administrators to quickly contain or permit files across endpoints based on identified threat intelligence, thereby reducing the risk of further spread or false positives.
* Use of Block Listing and Allow Listing:
* Block Listing ensures that identified malicious files are immediately prevented from executing on other endpoints, providing containment for known threats.
* Allow Listing, conversely, can be used for trusted files to prevent unnecessary interruptions if false positives occur.
* Why Other Options Are Less Relevant:
* Filtering for specific attributes(Option A) aids in identifying threats but is not a remediation action.
* Detonating Memory Exploits(Option B) is a separate analysis action, not direct remediation.
* Automatically stopping behaviors(Option C) pertains to behavior analysis rather than the specific action of listing files for rapid response.
References: The Block List and Allow List capabilities in Symantec EDR are key for efficient endpoint remediation and control over detected files.


質問 # 51
What Symantec Best Practice is recommended when setting up Active Directory integration with the Symantec Endpoint Protection Manager?

  • A. Ensure there is more than one Active Directory Server listed in the Server Properties.
  • B. Import the existing AD structure to organize clients in user mode.
  • C. Link the built-in Admin account to an Active Directory account.
  • D. Secure the management console by denying access to certain computers.

正解:B

解説:
When setting up Active Directory (AD) integration with Symantec Endpoint Protection Manager (SEPM), Symantec's best practice is toimport the existing AD structureto manage clients in user mode. This approach offers several benefits:
* Simplified Client Management:By importing the AD structure, SEPM can mirror the organizational structure already defined in AD, enabling easier management and assignment of policies to groups or organizational units.
* User-Based Policies:Organizing clients in user mode allows policies to follow users across devices, providing consistent protection regardless of where the user logs in.
* Streamlined Updates and Permissions:Integration with AD ensures that any changes in user accounts or groups are automatically reflected within SEPM, reducing administrative effort and potential errors in client organization.
This best practice enhances SEPM's functionality by leveraging the established structure in AD.


質問 # 52
An administrator decides to migrate an SES Complete hybrid environment to a fully cloud-managed one.
After cleaning up on-premise group structure and policies. What is the next recommended step for migration?

  • A. Migrate the agents from ICDm
  • B. Import unique policies in ICDm
  • C. Export unique policies from SEPM
  • D. Enroll the SEPM in ICDm

正解:C

解説:
When migrating an SES Complete hybrid environment to a fully cloud-managed setup, the next recommended step after cleaning up the on-premises group structure and policies is toexport unique policies from SEPM. This ensures:
* Policy Continuity:Exporting policies from SEPM preserves any unique configurations that need to be replicated or adapted in the cloud environment.
* Preparation for Import to ICDm:These exported policies can then be imported into ICDm, facilitating a smoother transition without losing specific policy customizations.
This step is crucial for maintaining consistent security policy enforcement as the environment transitions to cloud management.


質問 # 53
Which Firewall rule components should an administrator configure to blockfacebook.comuse during business hours?

  • A. Host(s), Network Interface, and Network Service
  • B. Action, Application, and Schedule
  • C. Application, Host(s), and Network Service
  • D. Action, Hosts(s), and Schedule

正解:D

解説:
Toblock facebook.com use during business hours, the SEP administrator should configure theAction, Hosts (s), and Schedulecomponents within the Firewall rule.
* Explanation of Each Component:
* Action: Set to "Block" to deny access to the specified site.
* Hosts(s): Specify facebook.com as the target host, ensuring that all traffic to this domain is blocked.
* Schedule: Define the rule to apply only during business hours, ensuring that access is restricted within the designated time frame.
* Why Other Options Are Incorrect:
* Network InterfaceandNetwork Service(Options A and B) are not specific to blocking domain access.
* Application(Options B and D) is unnecessary if the goal is to block access based on domain and schedule.
References: Configuring Action, Hosts, and Schedule within SEP firewall rules enables precise access control based on time and target domain.


質問 # 54
Which antimalware intensity level is defined by the following: "Blocks files that are most certainly bad or potentially bad files results in a comparable number of false positives and false negatives."

  • A. Level 1
  • B. Level 2
  • C. Level 5
  • D. Level 6

正解:C

解説:
In antimalware solutions,Level 5intensity is defined as a setting where the software blocks files that are considered either most certainly malicious or potentially malicious. This level aims to balance security with usability by erring on the side of caution; however, it acknowledges that some level of bothfalsepositives (legitimate files mistakenly flagged as threats) andfalse negatives(malicious files mistakenly deemed safe) may still occur.
This level is typically used in environments where security tolerance is high but with an understanding that some legitimate files might occasionally be flagged. It provides robust protection without the extreme strictness of the highest levels, thus reducing, but not eliminating, the possibility of false alerts while maintaining an aggressive security posture.


質問 # 55
What is an appropriate use of a file fingerprint list?

  • A. Allow files to bypass Intrusion Prevention detection
  • B. Prevent Antivirus from scanning a file
  • C. Allow unknown files to be downloaded with Insight
  • D. Prevent programs from running

正解:D

解説:
Afile fingerprint listis used to prevent specific programs from running by identifying them through unique file attributes (such as hashes). This list allows administrators to create block rules based on known malicious or unwanted file fingerprints, ensuring these programs cannot execute on the system. This approach is particularly effective in enforcing application control and preventing unauthorized software from running.


質問 # 56
Which two (2) instances could cause Symantec Endpoint Protection to be unable to remediate a file? (Select two.)

  • A. The detected file is in use.
  • B. Another scan is in progress.
  • C. The file is marked for deletion by Windows on restart.
  • D. The file has good reputation.
  • E. There are insufficient file permissions.

正解:A、E

解説:
Symantec Endpoint Protection (SEP) may beunable to remediate a filein certain situations. Two primary reasons for this failure are:
* The detected file is in use(Option B): When a file is actively being used by the system or an application, SEP cannot remediate or delete it until it is no longer in use. Active files are locked by the operating system, preventing modification.
* Insufficient file permissions(Option C): SEP needs adequate permissions to access and modify files. If SEP does not have the necessary permissions for the detected file, it cannot perform remediation.
Why Other Options Are Incorrect:
* Another scan in progress(Option A) does not directly prevent remediation.
* File marked for deletion on restart(Option D) would typically allow SEP to complete the deletion upon reboot.
* File with good reputation(Option E) is less likely to be flagged for remediation but would not prevent it if flagged.
References: File in-use status and insufficient permissions are common causes of remediation failure in SEP environments.


質問 # 57
Which two (2) scan range options are available to an administrator for locating unmanaged endpoints? (Select two)

  • A. Entire Subnet
  • B. Subnet Range
  • C. IP range within the network
  • D. IP range within the subnet
  • E. Entire Network

正解:B、C

解説:
For locating unmanaged endpoints, administrators in Symantec Endpoint Protection Manager (SEPM) can use the following scan range options:
* IP Range within the Network:This option allows scanning of specific IP address ranges to locate devices that may not have SEP installed.
* Subnet Range:Administrators can scan within specific subnets, providing a focused range to detect unmanaged endpoints in targeted sections of the network.
These options enable precise scans, helping administrators efficiently identify and manage unmanaged devices.


質問 # 58
What is the result of disjointed telemetry collection methods used within an organization?

  • A. Attacks continue to spread during investigation
  • B. Back of orchestration across controls
  • C. Investigators lack granular visibility
  • D. False positives are seen

正解:C

解説:
Disjointed telemetry collection within an organization can result ina lack of granular visibilityfor investigators. Here's why this is problematic:
* Incomplete Data:Disjointed collection methods lead to fragmented data, making it difficult for security teams to get a complete picture of incidents.
* Reduced Investigation Efficiency:Without granular and cohesive telemetry, investigators struggle to trace the attack's path accurately, slowing down response times.
* Increased Risk of Missing Key Indicators:Critical indicators of compromise may be overlooked, allowing threats to persist or re-emerge in the environment.
Unified telemetry is essential for thorough and efficient investigations, as it provides the detailed insights necessary to understand and mitigate threats fully.


質問 # 59
How would an administrator specify which remote consoles and servers have access to the management server?

  • A. EdittheExternal Communication Settingsfor the Group under theClients tab.
  • B. Edit theSite Propertiesand under theGeneral tab,change the server priority.
  • C. Edit theServer Propertiesand under theGeneral tab,change theServer Communication Permission.
  • D. Edit theCommunication Settingsfor the Group under theClients tab.

正解:C

解説:
To control which remote consoles and servers have access to theSymantec Endpoint Protection Management (SEPM) server, an administrator should edit theServer Propertiesand adjust theServer Communication Permissionunder the General tab. This setting specifies which remote systems are authorized to communicate with the management server, enhancing security by limiting access to trusted consoles and servers only. Adjusting the Server Communication Permission helps manage server access centrally and ensures only approved systems interact with the management server.


質問 # 60
What happens when a device fails a Host Integrity check?

  • A. An antimalware scan is initiated
  • B. An administrative notification is logged
  • C. The device is quarantined
  • D. The device is restarted

正解:C

解説:
When a devicefails a Host Integrity checkin Symantec Endpoint Protection (SEP), it isquarantined. This means that the device's access to network resources may be restricted to prevent potential security risks from spreading within the network. Quarantine helps contain devices that do not meet the configured security standards, protecting the overall network integrity.
* Purpose of Quarantine on Host Integrity Failure:
* Host Integrity checks ensure that endpoint devices comply with security policies, such as having up-to-date antivirus signatures or required patches.
* If a device fails this check, quarantine limits its network connectivity, enabling remediation actions without exposing the network to possible risks from the non-compliant device.
* Why Other Options Are Less Suitable:
* Antimalware scans(Option A) anddevice restarts(Option B) are not default responses to integrity check failures.
* Administrative notifications(Option D) may be logged but do not provide containment as quarantine does.
References: Quarantining non-compliant devices is a standard response to Host Integrity check failures, ensuring network protection while remediation occurs.


質問 # 61
......

有効な250-580テスト解答とSymantec 250-580試験PDF:https://jp.fast2test.com/250-580-premium-file.html


弊社を連絡する

我々は12時間以内ですべてのお問い合わせを答えます。

我々の働いている時間: ( GMT 0:00-15:00 )
月曜日から土曜日まで

サポート: 現在連絡 

English Deutsch 繁体中文 한국어