合格させるSymantec 250-580試験最速合格 [Q18-Q43]

Share

合格させるSymantec 250-580試験最速合格

準備250-580問題解答で250-580試験問題集


Symantec 250-580 認定試験の出題範囲:

トピック出題範囲
トピック 1
  • ICDm による脅威への対応: このセクションでは、ICDm セキュリティ制御ダッシュボードの使用に関連するスキルを評価します。受験者は、インシデントのライフサイクルと脅威の特定に必要な手順に焦点を当て、これらのダッシュボードの機能と環境内の脅威の特定における役割について説明します。
トピック 2
  • モバイルおよび最新デバイスのセキュリティ: このドメインは、モバイル デバイスのセキュリティ要件、特に ICDm 管理コンソール内のネットワーク整合性に関する要件に焦点を当てています。受験者は、最新デバイスの安全な操作を確保するためのネットワーク整合性ポリシーの構成について学習します。
トピック 3
  • SEP 階層化セキュリティによるファイルベースの攻撃の防止: この試験のセクションでは、SEP 内の階層化セキュリティ アプローチを使用してファイルベースの攻撃を防止する方法について説明します。
トピック 4
  • 脅威の状況と MITRE ATT&CK フレームワーク: このドメインはエンドポイント セキュリティ プロフェッショナルを対象としており、現在の脅威の状況と MITRE ATT&CK フレームワークを理解することに重点を置いています。候補者は、脅威を識別して分類する方法を理解し、セキュリティ インシデントに効果的に対応する能力を強化します。
トピック 5
  • エンドポイント保護のポリシーの理解: この試験のセクションでは、エンドポイント セキュリティ運用管理者のスキルを測定し、エンドポイント デバイスを保護するためにポリシーがどのように活用されるかについて説明します。受験者は、さまざまなポリシーの種類と、システムを脅威から保護する上でのそれらの役割について学習し、エンドポイント セキュリティにおけるポリシー管理の重要性を強調します。
トピック 6
  • ハイブリッド環境での作業: このドメインでは、Symantec Endpoint Protection Manager (SEPM) から ICDm コンソールへのポリシー移行のプロセスを評価します。
トピック 7
  • 攻撃対象領域の縮小: エンドポイント セキュリティ プロフェッショナルを対象としたこのセクションでは、SES Complete Behavioral Insights を使用した攻撃対象領域の縮小手法について説明します。

 

質問 # 18
Which SES feature helps to ensure that devices are compliant with a company's security standards?

  • A. Host Integrity
  • B. Intensive Protection
  • C. Trusted Updater
  • D. Adaptive Protection

正解:A

解説:
Host Integrityis a Symantec Endpoint Security (SES) feature that ensuresdevices are compliant with a company's security standards. It does this by verifying system configurations, checking for required software (like antivirus or firewall settings), and validating other compliance criteria specified by the organization.
* Functionality of Host Integrity:
* Host Integrity checks are designed to ensure that each endpoint meets the necessary security configurations before granting it network access.
* If a device is non-compliant, Host Integrity can enforce remediation steps, such as updating software or alerting administrators, to bring the device into compliance.
* Why Other Options Are Less Suitable:
* Intensive Protection(Option B) andAdaptive Protection(Option D) focus on active threat detection but not compliance enforcement.
* Trusted Updater(Option C) is for allowing specific software updates without triggering alerts, not for overall compliance checking.
References: Host Integrity is a key feature in SES that promotes adherence to security policies across devices, ensuring network-wide compliance.


質問 # 19
What prevention technique does Threat Defense for Active Directory use to expose attackers?

  • A. Packet Tracing
  • B. Process Monitoring
  • C. Honeypot Traps
  • D. Obfuscation

正解:C

解説:
Threat Defense for Active Directory (TDAD) employsHoneypot Trapsas a primary prevention technique to detect and expose attackers. These honeypot traps act as decoys within the network, mimicking legitimate Active Directory (AD) objects or data that would attract attackers aiming to gather AD information or exploit AD weaknesses.
* Honeypot Trap Functionality:
* Honeypot traps are strategically placed to appear as appealing targets, such as privileged accounts or critical directories, without being part of the actual AD infrastructure.
* When attackers interact with these traps, TDAD records their actions, which can then trigger alerts, allowing administrators to identify and monitor suspicious activities.
* Exposure and Mitigation:
* By enticing attackers to interact with fake assets, honeypot traps help expose malicious intentions and techniques. This information can be used for forensic analysis and to enhance future defenses.
* This technique allows organizations to expose potential threats proactively, before any real AD resources are compromised.
References: This approach is part of Symantec's Active Directory security strategies and utilizes honeypot mechanisms to deter and identify intruders in real-time.


質問 # 20
When configuring Network Integrity, why is it a requirement to add trusted certificates?

  • A. To secure the connection to ICDm
  • B. To bypass an attacker's MITM proxy
  • C. To allow enterprise SSL decryption for security scanning
  • D. To allow a trusted VPN connection

正解:C

解説:
When configuringNetwork Integrityin Symantec Endpoint Security, it is essential toadd trusted certificates to allowenterprise SSL decryption for security scanning. This enables the inspection of encrypted traffic, which is critical for identifying threats or anomalies in SSL/TLS communications.
* Purpose of Trusted Certificates:
* Adding trusted certificates facilitates SSL decryption, allowing the security system to analyze encrypted data streams for potential threats without triggering security warnings or connection issues.
* Why Other Options Are Less Applicable:
* Securing connections to ICDm(Option B) andVPN connections(Option C) are not directly related to Network Integrity's focus on SSL decryption.
* Bypassing an attacker's MITM proxy(Option D) does not directly address the function of trusted certificates within Network Integrity.
References: Adding trusted certificates is necessary for enabling SSL decryption, which is crucial for comprehensive security scanning in Network Integrity.


質問 # 21
A Symantec Endpoint Protection (SEP) client uses a management server list with three management servers in the priority 1 list.
Which mechanism does the SEP client use to select an alternate management server if the currently selected management server is unavailable?

  • A. The client chooses the next server alphabetically by server name.
  • B. The client chooses another server in the list randomly.
  • C. The client chooses a server based on the lowest server load.
  • D. The client chooses a server with the next highest IP address.

正解:B

解説:
When aSymantec Endpoint Protection (SEP) clienthas multiplemanagement serverslisted in its priority 1 list and the currently selected management server becomes unavailable, the SEP clientrandomly selects another serverfrom the list. This randomized selection helps distribute load among the available servers and ensures continuity of management services.
* Mechanism of Random Selection:
* By choosing the next server randomly, SEP clients help balance the load across available servers, avoiding potential bottlenecks.
* This method also ensures that the client can quickly connect to an alternative server without requiring additional logic for server selection.
* Why Other Options Are Incorrect:
* SEP clients do not evaluateserver load(Option B), IP addresses (Option C), oralphabetical order (Option D) when selecting an alternate server.
References: The SEP client's randomized approach to selecting management servers ensures efficient load distribution and server availability.


質問 # 22
What does an Endpoint Activity Recorder (EAR) full dump consist of?

  • A. All of the recorded events that are in the SEDR database
  • B. All of the recorded events that occurred on an endpoint relating to a single process
  • C. All of the recorded events that occurred on an endpoint
  • D. All of the recorded events that occurred on an endpoint relating to a single file

正解:C

解説:
AnEndpoint Activity Recorder (EAR) full dumpconsists ofall recorded events that occurred on an endpoint. This comprehensive data capture includes every relevant activity, such as process executions, file accesses, and network connections, providing a full history of events on the endpoint for detailed forensic analysis.
* Purpose of EAR Full Dump:
* EAR full dumps offer a complete activity record for an endpoint, enabling incident responders to thoroughly investigate the behaviors and potential compromise pathways associated with that device.
* This level of detail is crucial for in-depth investigations, as it captures the entire context of actions on the endpoint rather than isolating to a single process or file.
* Why Other Options Are Incorrect:
* Options A and B suggest limiting the dump to events related to a single file or process, which does not represent a full dump.
* All events in the SEDR database(Option D) is inaccurate, as the full dump is specific to the events on a particular endpoint.
References: An EAR full dump includes all recorded events on an endpoint, offering a comprehensive activity log for investigation.


質問 # 23
Which action is provided by Symantec EDR for the rapid remediation of impacted endpoints?

  • A. Automatically stopping suspicious behaviors & unknown threats
  • B. Block Listing or Allow Listing of specific files
  • C. Detonate Memory Exploits in conjunction with SEP
  • D. Quickly filtering for specific attributes

正解:B

解説:
Symantec Endpoint Detection and Response (EDR) providesBlock Listing or Allow Listingof specific files as a rapid remediation action. This feature enables administrators to quickly contain or permit files across endpoints based on identified threat intelligence, thereby reducing the risk of further spread or false positives.
* Use of Block Listing and Allow Listing:
* Block Listing ensures that identified malicious files are immediately prevented from executing on other endpoints, providing containment for known threats.
* Allow Listing, conversely, can be used for trusted files to prevent unnecessary interruptions if false positives occur.
* Why Other Options Are Less Relevant:
* Filtering for specific attributes(Option A) aids in identifying threats but is not a remediation action.
* Detonating Memory Exploits(Option B) is a separate analysis action, not direct remediation.
* Automatically stopping behaviors(Option C) pertains to behavior analysis rather than the specific action of listing files for rapid response.
References: The Block List and Allow List capabilities in Symantec EDR are key for efficient endpoint remediation and control over detected files.


質問 # 24
Why is it important for an Incident Responder to copy malicious files to the SEDR file store or create an image of the infected system during the Recovery phase?

  • A. To have a copy of the file for policy enforcement
  • B. To document and preserve any pieces of evidence associated with the incident
  • C. To test the effectiveness of the current assigned policy settings in the Symantec Endpoint ProtectionManager (SEPM)
  • D. To create custom IPS signatures

正解:B

解説:
During theRecovery phaseof an incident response, it is critical for an Incident Responder to copy malicious files to theSEDR file storeor create an image of the infected system. This action preserves evidence associated with the incident, allowing for thorough investigation and analysis. By securing a copy of the malicious files or system state, responders maintain a record of the incident that can be analyzed for root cause assessment, used for potential legal proceedings, or retained for post-incident review. Documenting and preserving evidence ensures that key information is available for future reference or audits.


質問 # 25
A user is unknowingly about to connect to a malicious website and download a known threat within a .rar file.
All Symantec Endpoint Protection technologies are installed on the client's system.
In which feature set order must the threat pass through to successfully infect the system?

  • A. IPS, Firewall, Download Insight
  • B. Download Insight, IPS, Firewall
  • C. Firewall, IPS, Download Insight
  • D. Download Insight, Firewall, IPS

正解:C

解説:
When a user attempts to connect to a malicious website and download a known threat, the threat passes through SEP'sFirewall,Intrusion Prevention System (IPS), andDownload Insightin that order. This layered approach helps prevent threats at different stages of the attack chain.
* Threat Path Through SEP Protection Features:
* Firewall: Blocks or allows network connections based on policy, filtering initial traffic to potentially dangerous sites.
* IPS: Monitors and blocks known patterns of malicious activity, such as suspicious URLs or network behavior, providing another layer of defense.
* Download Insight: Analyzes file reputation and blocks known malicious files based on reputation data, which is especially effective for files within archives like .rar files.
* Why This Order is Effective:
* Each layer serves as a checkpoint: the Firewall controls network access, IPS scans for malicious traffic, and Download Insight assesses files for risk upon download, ensuring thorough protection.
* Why Other Orders Are Incorrect:
* Options with Download Insight or IPS preceding the Firewall do not match SEP's operational order of defense.
References: SEP's multi-layered protection approach involves firewall and IPS filtering prior to download reputation analysis, enhancing overall system security.


質問 # 26
What Threat Defense for Active Directory feature disables a process's ability to spawn another process, overwrite a part of memory, run recon commands, or communicate to the network?

  • A. Threat Monitoring
  • B. Process Protection
  • C. Memory Analysis
  • D. Process Mitigation

正解:B

解説:
TheProcess Protectionfeature in Threat Defense for Active Directory (TDAD) prevents processes from performing certain actions that could indicate malicious activity. This includesdisabling the process's ability to spawn other processes, overwrite memory, execute reconnaissance commands, or communicate over the network.
* Functionality of Process Protection:
* By restricting these high-risk actions, Process Protection reduces the chances of lateral movement, privilege escalation, or data exfiltration attempts within Active Directory.
* This feature is critical in protecting AD environments from techniques commonly used in advanced persistent threats (APTs) and malware targeting AD infrastructure.
* Comparison with Other Options:
* Process Mitigation(Option A) generally refers to handling or reducing the effects of an attack but does not encompass all the control aspects of Process Protection.
* Memory Analysis(Option C) andThreat Monitoring(Option D) involve observing and detecting threats rather than actively restricting process behavior.
References: The Process Protection feature in TDAD enforces strict behavioral controls on processes to enhance security within Active Directory environments.


質問 # 27
What information is required to calculate retention rate?

  • A. Number of endpoints, available bandwidth, available disk space, number of endpoint dumps, dump size
  • B. Number of endpoints, available bandwidth, number of days to retain, number of endpoint dumps, dump size
  • C. Number of endpoints, EAR data per endpoint per day, available disk space, number of endpoint dumps, dump size
  • D. Number of endpoints, EAR data per endpoint per day, number of days to retain, number of endpoint dumps, dump size

正解:D

解説:
To calculate theretention ratein Symantec Endpoint Security (SES), the following information is required:
* Number of Endpoints:Determines the total scope of data generation.
* EAR Data per Endpoint per Day:This is the Endpoint Activity Recorder data size generated daily by each endpoint.
* Number of Days to Retain:Defines the retention period for data storage, impacting the total data volume.
* Number of Endpoint Dumps and Dump Size:These parameters contribute to overall storage needs for log data and event tracking.
This data allows administrators to accurately project storage requirements and ensure adequate capacity for data retention.


質問 # 28
What protection technologies should an administrator enable to protect against Ransomware attacks?

  • A. SONAR, Firewall, Download Insight
  • B. IPS, SONAR, and Download Insight
  • C. IPS, Firewall, System Lockdown
  • D. Firewall, Host Integrity, System Lockdown

正解:B

解説:
To effectively protect againstRansomware attacks, an administrator should enable the following Symantec Endpoint Protection (SEP) technologies:
* IPS (Intrusion Prevention System):IPS detects and blocks network-based ransomware attacks, preventing exploitation attempts before they reach the endpoint.
* SONAR (Symantec Online Network for Advanced Response):SONAR provides real-time behavioral analysis, identifying suspicious activity characteristic of ransomware, such as unauthorized file modifications.
* Download Insight:This technology helps prevent ransomware by evaluating the reputation of files downloaded from the internet, blocking those with a high risk of infection.
Together, these technologies offer comprehensive protection against ransomware by covering network, behavior, and download-based threat vectors.


質問 # 29
An administrator notices that some entries list that the Risk was partially removed. The administrator needs to determine whether additional steps are necessary to remediate the threat.
Where in the Symantec Endpoint Protection Manager console can the administrator find additional information on the risk?

  • A. Infected and At-Risk Computers report
  • B. Notifications
  • C. Computer Status report
  • D. Risk log

正解:D

解説:
To gather more details about threats that were onlypartially removed, an administrator should consult the Risk login the Symantec Endpoint Protection Manager (SEPM) console. The Risk log provides comprehensive information about detected threats, their removal status, and any remediation actions taken. By examining these logs, the administrator can determine if additional steps are required to fully mitigate the threat, ensuring that the endpoint is entirely secure and free of residual risks.


質問 # 30
In what order should an administrator configure the integration between SEDR and Symantec Endpoint Protection in order to maximize their benefits?

  • A. ECC, Synapse, then Insight Proxy
  • B. Insight Proxy, Synapse, then ECC
  • C. Synapse, ECC, then Insight Proxy
  • D. ECC, Insight Proxy, then Synapse

正解:A

解説:
To integrateSymantec Endpoint Detection and Response (SEDR)withSymantec Endpoint Protection (SEP)effectively, the recommended configuration order isECC, Synapse, then Insight Proxy.
* Order of Configuration:
* ECC (Endpoint Communication Channel): This establishes the communication layer for SEDR and SEP integration, which is foundational for data exchange.
* Synapse: This integration uses data from ECC to correlate threat intelligence and provide context to detected threats.
* Insight Proxy: Configured last, Insight Proxy adds cloud-based file reputation lookups, enhancing detection capabilities with reputation scoring.
* Why This Order is Effective:
* Each component builds on the previous one, maximizing the value of integration by ensuring that foundational communication (ECC) is established before adding Synapse correlation and Insight Proxy reputation data.
References: Configuring ECC, Synapse, and Insight Proxy in this order is considered best practice for optimizing integration benefits between SEDR and SEP.


質問 # 31
What type of Threat Defense for Active Directory alarms are displayed after domain misconfigurations or hidden backdoors are detected?

  • A. Pass-The-Ticket
  • B. Credential Theft
  • C. Computer Information Gathering
  • D. Dark Corners

正解:D

解説:
Dark Cornersalarms are part of Threat Defense for Active Directory and are triggered when domain misconfigurations or hidden backdoors are detected within the directory environment. Here's how this alarm functions:
* Detection of Hidden Threats:Dark Corners identifies and alerts administrators to hidden vulnerabilities within the Active Directory, such as unauthorized access paths or misconfigurations that could be exploited.
* Security Assurance:By identifying these issues, administrators can proactively address and rectify potential risks that are otherwise challenging to detect.
* Improved Active Directory Security:The Dark Corners alarm helps ensure that backdoors and misconfigurations do not provide attackers with hidden access points, strengthening the overall security posture of Active Directory.
This feature allows for a deeper level of inspection within Active Directory, safeguarding against subtle yet critical security risks.


質問 # 32
Which SES security control protects a user against data leakage if they encounter a man-in-the-middle attack?

  • A. IPS
  • B. Firewall
  • C. VPN
  • D. IPv6 Tunneling

正解:A

解説:
TheIntrusion Prevention System (IPS)in Symantec Endpoint Security (SES) plays a crucial role in defending against data leakage during a man-in-the-middle (MITM) attack. Here's how IPS protects in such scenarios:
* Threat Detection:IPS monitors network traffic in real-time, identifying and blocking suspicious patterns that could indicate an MITM attack, such as unauthorized access attempts or abnormal packet patterns.
* Prevention of Data Interception:By blocking these threats, IPS prevents malicious actors from intercepting or redirecting user data, thus safeguarding against data leakage.
* Automatic Response:IPS is designed to respond immediately, ensuring that attacks are detected and mitigated before sensitive data can be compromised.
By providing proactive protection, IPS ensures that data remains secure even in the face of potential MITM threats.


質問 # 33
Files are blocked by hash in the deny list policy. Which algorithm is supported, in addition to MD5?

  • A. MD5 "Salted"
  • B. SHA256 "salted"
  • C. SHA2
  • D. SHA256

正解:D

解説:
In Symantec Endpoint Protection (SEP), when files are blocked by hash in the deny list policy,SHA256is supported in addition to MD5. SHA256 provides a more secure hashing algorithm compared to MD5 due to its longer hash length and higher resistance to collisions, making it effective for uniquely identifying and blocking malicious files based on their fingerprint.


質問 # 34
An organization has several Symantec Endpoint Protection Management (SEPM) Servers without access to the internet. The SEPM can only run LiveUpdate within a specified "maintenance window" outside of business hours.
What content distribution method should the organization utilize?

  • A. Internal LiveUpdate
  • B. External LiveUpdate
  • C. Group Update Provider
  • D. JDB file

正解:D

解説:
For organizations with Symantec Endpoint Protection Manager (SEPM) servers that do not have internet access and require updates only within a specific maintenance window, theJDB filemethod is an effective solution:
* Offline Content Distribution:JDB files can be downloaded on an internet-connected device and then manually transferred to SEPM, allowing it to update content offline.
* Flexible Timing:Since JDB files can be applied during the maintenance window, this method adheres to time restrictions, avoiding disruption during business hours.
Using JDB files ensures that SEPM remains updated in environments with limited connectivity or strict operational schedules.


質問 # 35
Which two (2) scan range options are available to an administrator for locating unmanaged endpoints? (Select two)

  • A. Entire Subnet
  • B. IP range within the subnet
  • C. Entire Network
  • D. Subnet Range
  • E. IP range within the network

正解:D、E

解説:
For locating unmanaged endpoints, administrators in Symantec Endpoint Protection Manager (SEPM) can use the following scan range options:
* IP Range within the Network:This option allows scanning of specific IP address ranges to locate devices that may not have SEP installed.
* Subnet Range:Administrators can scan within specific subnets, providing a focused range to detect unmanaged endpoints in targeted sections of the network.
These options enable precise scans, helping administrators efficiently identify and manage unmanaged devices.


質問 # 36
Which device page should an administrator view to track the progress of an issued device command?

  • A. Command Status
  • B. Activity Update
  • C. Recent Activity
  • D. Command History

正解:A

解説:
TheCommand Statuspage is where an administrator should track theprogress of issued device commandsin Symantec Endpoint Security. This page provides:
* Real-Time Command Updates:It shows the current status of commands, such as "Pending,"
"Completed," or "Failed," providing immediate insights into the command's execution.
* Detailed Progress Tracking:Command Status logs offer details on each command, enabling the administrator to confirm that actions, such as scans, updates, or reboots, have been successfully processed by the endpoint.
The Command Status page is essential for effective device management, as it helps administrators monitor and verify the outcome of their issued commands.


質問 # 37
Which type of security threat continues to threaten endpoint security after a system reboot?

  • A. script
  • B. memory attack
  • C. Rootkit
  • D. file-less

正解:C

解説:
ARootkitis a type of security threat that can persist across system reboots, making it difficult to detect and remove. Rootkits operate by embedding themselves deep within the operating system, often at the kernel level, and they can disguise their presence by intercepting and modifying standard operating system functionality. Here's how they maintain persistence:
* Kernel-Level Integration:Rootkits modify core operating system files, allowing them to load during the boot process and remain active after reboots.
* Stealth Techniques:By hiding from regular security checks, rootkits avoid detection by conventional anti-virus and anti-malware tools.
* Persistence Mechanism:The modifications rootkits make ensure they start up again after each reboot, enabling continuous threat activity on the compromised system.
Due to their persistence and stealth, rootkits present significant challenges for endpoint security.


質問 # 38
Which security control is complementary to IPS, providing a second layer of protection against network attacks?

  • A. Antimalware
  • B. Network Protection
  • C. Host Integrity
  • D. Firewall

正解:D

解説:
TheFirewallprovides a complementary layer of protection to Intrusion Prevention System (IPS) in Symantec Endpoint Protection.
* Firewall vs. IPS:
* While IPS detects and blocks network-based attacks by inspecting traffic for known malicious patterns, the firewall controls network access by monitoring and filtering inbound and outbound traffic based on policy rules.
* Together, these tools protect against a broader range of network threats. IPS is proactive in identifying malicious traffic, while the firewall prevents unauthorized access.
* Two-Layer Defense Mechanism:
* The firewall provides control over which ports, protocols, and applications can access the network, reducing the attack surface.
* When combined with IPS, the firewall blocks unauthorized connections, while IPS actively inspects and prevents malicious content within allowed traffic.
* Why Other Options Are Not Complementary:
* Host Integrity focuses on compliance and configuration validation rather than direct network traffic protection.
* Network Protection and Antimalware are essential but do not function as second-layer defenses for IPS within network contexts.
References: Symantec Endpoint Protection's network protection strategies outline the importance of firewalls in conjunction with IPS for comprehensive network defense.


質問 # 39
Which action can an administrator take to improve the Symantec Endpoint Protection Manager (SEPM) dashboard performance and report accuracy?

  • A. Limiting the number of backups to keep
  • B. Rebuilding database indexes
  • C. Decreasing the number of content revisions to keep
  • D. Lowering the client installation log entries

正解:B

解説:
To improveSymantec Endpoint Protection Manager (SEPM) dashboard performance and report accuracy, an administrator canrebuild database indexes. Indexes help in organizing the database for faster data retrieval, which enhances both the speed of dashboard displays and the accuracy of reporting.
* Effect of Rebuilding Database Indexes:
* Rebuilding indexes optimizes the database's performance by ensuring data is stored in an accessible and efficient manner. This directly impacts the responsiveness of the SEPM dashboard and improves reporting speed and accuracy.
* Why Other Options Are Less Effective:
* Decreasing content revisions(Option A) andlimiting backups(Option D) reduce disk usage but do not affect database performance.
* Lowering client installation log entries(Option B) may reduce logging but does not directly improve dashboard performance.
References: Rebuilding database indexes is a standard maintenance task in SEPM to enhance dashboard and reporting performance.


質問 # 40
How does an administrator view all devices impacted by a suspicious file?

  • A. From the Alerts and Events list, select Files; then, from the file list, select Devices.
  • B. From the Discovered Items list, select the file; then, from the Details page, select Devices.
  • C. From the Discovered Items list, select Devices.
  • D. From the Alerts and Event list, select Device.

正解:B

解説:
To view all devices impacted by asuspicious file, the administrator should go to theDiscovered Items list, select the specific file, and then view the impacted devices from theDetails page.
* Steps to View Impacted Devices:
* Navigate to theDiscovered Items listwithin the management console.
* Locate and select the suspicious file in question to open itsDetails page.
* On the Details page, a list of devices associated with the file is displayed, providing insights into which endpoints are potentially impacted by the suspicious activity.
* Why Other Options Are Less Suitable:
* Options A and B do not provide the specific device list for a selected file.
* Option D is incorrect as it implies selecting by device first rather than by suspicious file.
References: The Discovered Items list and file-specific Details page allow administrators to trace a file's footprint across multiple devices.


質問 # 41
Which protection technology can detect botnet command and control traffic generated on the Symantec Endpoint Protection client machine?

  • A. Intrusion Prevention
  • B. Risk Tracer
  • C. SONAR
  • D. Insight

正解:A

解説:
Intrusion Preventionis the protection technology within Symantec Endpoint Protection that can detectbotnet command and control (C&C) traffic. By analyzing network traffic patterns and identifying knownC&C communication characteristics, Intrusion Prevention can block suspicious network connections indicative of botnet activity.
* How Intrusion Prevention Detects Botnet Traffic:
* Intrusion Prevention monitors outbound and inbound traffic for signatures associated with botnet C&C protocols.
* It can block connections to known malicious IPs or domains, effectively disrupting the communication between the botnet client and its controller.
* Why Other Options Are Incorrect:
* Insight(Option A) focuses on file reputation rather than network traffic.
* SONAR(Option B) detects behavior-based threats on the endpoint but not specifically C&C traffic.
* Risk Tracer(Option C) identifies the source of detected threats but does not directly detect botnet network traffic.
References: Intrusion Prevention is a key component in detecting and blocking botnet C&C traffic, preventing compromised endpoints from communicating with attackers.


質問 # 42
What EDR function minimizes the risk of an endpoint infecting other resources in the environment?

  • A. Firewall
  • B. Deny List
  • C. Block
  • D. Quarantine

正解:D

解説:
The function of "Quarantine" in Endpoint Detection and Response (EDR) minimizes the risk of an infected endpoint spreading malware or malicious activities to other systems within the network environment. This is accomplished by isolating or restricting access of the infected endpoint to contain any threat within that specific machine. Here's how Quarantine functions as a protective measure:
* Detection and Isolation: When EDR detects potential malicious behavior or files on an endpoint, it can automatically place the infected file or process in a "quarantine" area. This means the threat is separated from the rest of the system, restricting its ability to execute or interact with other resources.
* Minimizing Spread: By isolating compromised files or applications, Quarantine ensures that malware or suspicious activities do not propagate to other endpoints, reducing the risk of a widespread infection.
* Administrative Review: After an item is quarantined, administrators can review it to determine if it should be deleted or restored based on a false positive evaluation. This controlled environment allows for further analysis without risking network security.
* Endpoint-Specific Control: Quarantine is designed to act at the endpoint level, applying restrictions that affect only the infected system without disrupting other network resources.
Using Quarantine as an EDR response mechanism aligns with best practices outlined in endpoint security documentation, such as Symantec Endpoint Protection, which emphasizes containment as a critical first response to threats. This approach supports the proactive defense strategy of limiting lateral movement of malware across a network, thus preserving the security and stability of the entire system.


質問 # 43
......

リアルSymantec 250-580試験問題 [更新されたのは2025年]:https://jp.fast2test.com/250-580-premium-file.html


弊社を連絡する

我々は12時間以内ですべてのお問い合わせを答えます。

我々の働いている時間: ( GMT 0:00-15:00 )
月曜日から土曜日まで

サポート: 現在連絡 

English Deutsch 繁体中文 한국어