
250-441 Administration of Symantec Advanced Threat Protection 3.0 Question and Answers

Question # 4

In which scenario would it be beneficial for an organization to eradicate a threat from the environment by deleting it?

A. The Incident Response team is identifying the scope of the infection and is gathering a list of infected systems.
B. The Incident Response team is reviewing detections in the risk logs and assigning a High-Security Antivirus and Antispyware policy in the Symantec Endpoint Protection Manager (SEPM).
C. The Incident Response team completed their analysis of the threat and added it to a blacklist.
D. The Incident Response team is analyzing the file to determine if it is a threat or a false positive.
Question # 5

Which two steps must an Incident Responder take to isolate an infected computer in ATP? (Choose two.)

A. Close any open shares
B. Identify the threat and understand how it spreads
C. Create subnets or VLANs and configure the network devices to restrict traffic
D. Set executables on network drives as read only
E. Identify affected clients
Question # 6

What is the minimum amount of RAM required for a virtual deployment of the ATP Manager in a production environment?

A. 48 GB
B. 64 GB
C. 16 GB
D. 32 GB
Question # 7

Which Advanced Threat Protection (ATP) component best isolates an infected computer from the network?

A. ATP: Email
B. ATP: Endpoint
C. ATP: Network
D. ATP: Roaming
Question # 8

Why is it important for an Incident Responder to review Related Incidents and Events when analyzing an incident for an After Actions Report?

A. It ensures that the Incident is resolved, and the responder can clean up the infection.
B. It ensures that the Incident is resolved, and the responder can determine the best remediation method.
C. It ensures that the Incident is resolved, and the threat is NOT continuing to spread to other parts of the environment.
D. It ensures that the Incident is resolved, and the responder can close out the incident in the ATP manager.
Question # 9

An Incident Responder launches a search from ATP for a file hash. The search returns the results immediately. The responder reviews the Symantec Endpoint Protection Manager (SEPM) command status and does NOT see an indicators of compromise (IOC) search command.

How is it possible that the search returned results?

A. The search runs and returns results in ATP and then displays them in SEPM.
B. This is only an endpoint search.
C. This is a database search; a command is NOT sent to SEPM for this type of search.
D. The browser cached results from a previous search with the same criteria.
Question # 10

Which level of privilege corresponds to each ATP account type?

Match the correct account type to the corresponding privileges.

Question # 11

During a recent virus outbreak, an Incident Responder found that the Incident Response team was successful in identifying malicious domains that were communicating with the infected endpoint.

Which two (2) options should the Incident Responder select to prevent endpoints from communicating with malicious domains?

A. Use the isolation command in ATP to move the endpoint to the quarantine network.
B. Blacklist the suspicious domain in the ATP manager.
C. Deploy a High-Security Antivirus and Antispyware policy in the Symantec Endpoint Protection Manager (SEPM).
D. Create a firewall rule in the Symantec Endpoint Protection Manager (SEPM) or perimeter firewall that blocks traffic to the domain.
E.
F. Run a full system scan on all endpoints
Question # 12

What should an Incident Responder do to mitigate a false positive?

A. Add to Whitelist
B. Run an indicators of compromise (IOC) search
C. Submit to VirusTotal
D. Submit to Cynic
Question # 13

How does an attacker use a zero-day vulnerability during the Incursion phase?

A. To perform a SQL injection on an internal server
B. To extract sensitive information from the target
C. To perform network discovery on the target
D. To deliver malicious code that breaches the target
Question # 14

Which two actions should an Incident Responder take when downloading files from the ATP file store? (Choose two.)

A. Analyze suspicious code with Cynic
B. Email the files to Symantec Technical Support
C. Double-click to open the files
D. Diagnose the files as a threat based on the file names
E. Submit the files to Security Response