Which type of security threat continues to threaten endpoint security after a system reboot?
Answer : D
A rootkit is a type of security threat that can persist across system reboots, making it difficult to detect and remove. Rootkits embed themselves deep within the operating system, often at the kernel level, and disguise their presence by intercepting and modifying standard operating system functionality. Here's how they maintain persistence:
Kernel-Level Integration: Rootkits modify core operating system files, allowing them to load during the boot process and remain active after reboots.
Stealth Techniques: By hiding from regular security checks, rootkits avoid detection by conventional anti-virus and anti-malware tools.
Persistence Mechanism: The modifications rootkits make ensure they start up again after each reboot, enabling continuous threat activity on the compromised system.
Due to their persistence and stealth, rootkits present significant challenges for endpoint security.
After several failed logon attempts, the Symantec Endpoint Protection Manager (SEPM) has locked the default admin account. An administrator needs to make system changes as soon as possible to address an outbreak, but the admin account is the only account.
Which action should the administrator take to correct the problem with minimal impact on the existing environment?
Answer : A
In the situation where the default admin account of the Symantec Endpoint Protection Manager (SEPM) is locked after several failed login attempts, the best course of action for the administrator is to wait 15 minutes and attempt to log on again. Here's why this approach is advisable:
Account Lockout Policy: Most systems, including SEPM, are designed with account lockout policies that temporarily disable accounts after a number of failed login attempts. Typically, these policies include a reset time (often around 15 minutes), after which the account becomes active again.
Minimal Disruption: Waiting for the account to automatically unlock minimizes disruption to the existing environment. This avoids potentially complex recovery processes or the need to restore from a backup, which could introduce additional complications or data loss.
Avoiding System Changes: Taking actions such as restoring the SEPM from a backup, reconfiguring the server, or reinstalling could lead to significant changes in the configuration and might cause further complications, especially if immediate action is needed to address an outbreak.
Prioritizing Response to Threats: While it's important to respond to security incidents quickly, maintaining the integrity of the SEPM configuration and ensuring a smooth recovery is also crucial. Waiting for the lockout period respects the system's security protocols and allows the administrator to regain access with minimal risk.
In summary, waiting for the lockout to expire is the most straightforward and least disruptive solution, allowing the administrator to resume critical functions without unnecessary risk to the SEPM environment.
A file has been identified as malicious.
Which feature of SEDR allows an administrator to manually block a specific file hash?
Answer : D
In Symantec Endpoint Detection and Response (SEDR), the Block List feature allows administrators to manually block a specific file hash identified as malicious. By adding the hash of the malicious file to the Block List, SEDR ensures that the file cannot execute or interact with the network, preventing further harm. This manual blocking capability provides administrators with direct control over specific threats detected in their environment.
Which two (2) security controls are utilized by an administrator to mitigate threats associated with the Discovery phase? (Select two)
Answer : A, B
In the Discovery phase of a cyber attack, attackers attempt to map the network, identify vulnerabilities, and gather information. Firewall and Intrusion Prevention System (IPS) are the most effective security controls to mitigate threats associated with this phase:
Firewall: The firewall restricts unauthorized network access, blocking suspicious or unexpected traffic that could be part of reconnaissance efforts.
IPS: Intrusion Prevention Systems detect and prevent suspicious traffic patterns that might indicate scanning or probing activity, which are common in the Discovery phase.
Together, these controls limit attackers' ability to explore the network and identify potential vulnerabilities.
What Threat Defense for Active Directory feature disables a process's ability to spawn another process, overwrite a part of memory, run recon commands, or communicate with the network?
Answer : B
The Process Protection feature in Threat Defense for Active Directory (TDAD) prevents processes from performing certain actions that could indicate malicious activity. This includes disabling the process's ability to spawn other processes, overwrite memory, execute reconnaissance commands, or communicate over the network.
Functionality of Process Protection:
By restricting these high-risk actions, Process Protection reduces the chances of lateral movement, privilege escalation, or data exfiltration attempts within Active Directory.
This feature is critical in protecting AD environments from techniques commonly used in advanced persistent threats (APTs) and malware targeting AD infrastructure.
Comparison with Other Options:
Process Mitigation (Option A) generally refers to handling or reducing the effects of an attack but does not encompass all the control aspects of Process Protection.
Memory Analysis (Option C) and Threat Monitoring (Option D) involve observing and detecting threats rather than actively restricting process behavior.
Which antimalware intensity level is defined by the following: "Blocks files that are most certainly bad or potentially bad files. Results in a comparable number of false positives and false negatives."
Answer : B
In antimalware solutions, Level 5 intensity is defined as a setting where the software blocks files that are considered either most certainly malicious or potentially malicious. This level aims to balance security with usability by erring on the side of caution; however, it acknowledges that some level of both false positives (legitimate files mistakenly flagged as threats) and false negatives (malicious files mistakenly deemed safe) may still occur.
This level is typically used in environments where security tolerance is high but with an understanding that some legitimate files might occasionally be flagged. It provides robust protection without the extreme strictness of the highest levels, thus reducing, but not eliminating, the possibility of false alerts while maintaining an aggressive security posture.
What feature is used to get a comprehensive picture of infected endpoint activity?
Answer : B
The Process View feature in Symantec Endpoint Detection and Response (EDR) provides a detailed and comprehensive view of activities associated with an infected endpoint. It displays a graphical representation of processes, their hierarchies, and interactions, which helps security teams understand the behavior and spread of malware on the system.
Advantages of Process View:
Process View shows the relationship between different processes, including parent-child structures, which can reveal how malware propagates or persists on an endpoint.
This visualization is instrumental in tracking the full impact of an infection, helping administrators identify malicious activities linked to specific processes.
Why Other Options Are Less Suitable:
Entity View is more focused on broader data relationships, not specific infected process activities.
Full Dump and Endpoint Dump refer to memory or system dumps, which are useful for in-depth forensic analysis but do not provide an immediate, clear picture of endpoint activity.