Broadcom Endpoint Security Complete - R2 Technical Specialist 250-580 Exam Questions

Page: 1 / 14
Total 150 questions
Question 1

Which security control is complementary to IPS, providing a second layer of protection against network attacks?



Answer : D

The Firewall provides a complementary layer of protection to Intrusion Prevention System (IPS) in Symantec Endpoint Protection.

Firewall vs. IPS:

While IPS detects and blocks network-based attacks by inspecting traffic for known malicious patterns, the firewall controls network access by monitoring and filtering inbound and outbound traffic based on policy rules.

Together, these tools protect against a broader range of network threats. IPS is proactive in identifying malicious traffic, while the firewall prevents unauthorized access.

Two-Layer Defense Mechanism:

The firewall provides control over which ports, protocols, and applications can access the network, reducing the attack surface.

When combined with IPS, the firewall blocks unauthorized connections, while IPS actively inspects and prevents malicious content within allowed traffic.

Why Other Options Are Not Complementary:

Host Integrity focuses on compliance and configuration validation rather than direct network traffic protection.

Network Protection and Antimalware are essential controls, but neither acts as a second layer behind IPS for inspecting network traffic.


Question 2

A company deploys Symantec Endpoint Protection (SEP) to 50 virtual machines running on a single ESXi host.

Which configuration change can the administrator make to minimize sudden IOPS impact on the ESXi server while each SEP endpoint communicates with the Symantec Endpoint Protection Manager?



Answer : C

To minimize sudden IOPS impact on the ESXi server due to SEP endpoint communication, the administrator should increase the download randomization window. This configuration change helps spread out the timing of SEP updates across virtual machines, reducing the simultaneous I/O load on the server.

Effect of Download Randomization:

By increasing the randomization window, updates are downloaded at staggered intervals rather than all at once, lowering the burst IOPS demand.

This is especially beneficial in virtualized environments where multiple VMs are hosted on a single ESXi server, as it prevents performance degradation from high IOPS activity.

Why Other Options Are Less Effective:

Increasing Download Insight sensitivity (Option A) has no impact on IOPS.

Reducing the heartbeat interval (Option B) could increase communication frequency, potentially raising IOPS.

Reducing content revisions (Option D) affects storage size but does not control update IOPS.


Question 3

How does an administrator view all devices impacted by a suspicious file?



Answer : C

To view all devices impacted by a suspicious file, the administrator should go to the Discovered Items list, select the specific file, and then view the impacted devices from the Details page.

Steps to View Impacted Devices:

Navigate to the Discovered Items list within the management console.

Locate and select the suspicious file in question to open its Details page.

On the Details page, a list of devices associated with the file is displayed, providing insights into which endpoints are potentially impacted by the suspicious activity.

Why Other Options Are Less Suitable:

Options A and B do not provide the specific device list for a selected file.

Option D is incorrect as it implies selecting by device first rather than by suspicious file.


Question 4

Which Discover and Deploy process requires the LocalAccountTokenFilterPolicy value to be added to the Windows registry of endpoints, before the process begins?



Answer : C

The Push Discovery process in Symantec Endpoint Protection requires the LocalAccountTokenFilterPolicy registry value to be configured on Windows endpoints. This registry setting enables remote management and discovery operations by allowing local administrator credentials to be accepted for remote connections when discovering and deploying SEP clients.

Purpose of LocalAccountTokenFilterPolicy:

By adding this value to the Windows registry, administrators ensure that SEP can discover endpoints on the network and initiate installations or other management tasks without being blocked by local account filtering.

How to Configure the Registry:

The administrator should add LocalAccountTokenFilterPolicy in the Windows Registry under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System and set it to 1.

This configuration allows for remote actions essential for Push Discovery.
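The registry preparation described above, as an added example that is not from the exam page or from Broadcom: a PowerShell script that checks the value, sets it to 1 only when needed, and records the prior state so it can be restored with -Revert after deployment. The state-file path is an assumption of this example.

```powershell
# Added example (not from the exam page or Broadcom): prepare a Windows endpoint for
# Push Discovery by ensuring LocalAccountTokenFilterPolicy = 1, keeping a record of the
# previous state. Run in an elevated PowerShell session on the endpoint.
param(
    [switch]$Revert,
    [string]$StateFile = "$env:ProgramData\PushDiscoveryPrep\LATFP.json"  # assumed path
)

$KeyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$Name    = 'LocalAccountTokenFilterPolicy'

# Current value; $null means the value is absent (default: remote token filtering on).
$current = (Get-ItemProperty -Path $KeyPath -Name $Name -ErrorAction SilentlyContinue).$Name

if ($Revert) {
    if (-not (Test-Path $StateFile)) { throw "No saved state at $StateFile; nothing to revert." }
    $saved = Get-Content $StateFile | ConvertFrom-Json
    if ($null -eq $saved.Previous) {
        Remove-ItemProperty -Path $KeyPath -Name $Name -ErrorAction SilentlyContinue
        Write-Output "$Name removed (it was absent before preparation)."
    } else {
        Set-ItemProperty -Path $KeyPath -Name $Name -Value ([int]$saved.Previous) -Type DWord
        Write-Output "$Name restored to $($saved.Previous)."
    }
    Remove-Item $StateFile
    return
}

if ($current -eq 1) {
    Write-Output "$Name is already 1; no change made."
    return
}

# Save the prior state so the default UAC remote restriction can be restored later.
New-Item -ItemType Directory -Path (Split-Path $StateFile) -Force | Out-Null
@{ Previous = $current; Changed = (Get-Date).ToString('o') } | ConvertTo-Json | Set-Content $StateFile

# Create the key only if it is missing, then write the REG_DWORD value Push Discovery needs.
if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
Set-ItemProperty -Path $KeyPath -Name $Name -Value 1 -Type DWord
Write-Output "$Name set to 1 (previous: $(if ($null -eq $current) { 'absent' } else { $current }))."
```

A value of 1 disables UAC remote restrictions for local administrator accounts on that host, which is why the script records the prior state and offers -Revert for use once discovery and deployment are complete.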

Reasoning Against Other Options:

Push Enrollment and Device Enrollment are distinct processes and do not require this registry setting.

Auto Discovery passively finds systems and does not rely on registry changes for remote access.


Question 5

Which type of activity recorder does EDR provide?



Answer : B

Symantec Endpoint Detection and Response (EDR) provides an Endpoint activity recorder to monitor, log, and analyze behaviors on endpoints. This feature captures various endpoint activities such as process execution, file modifications, and network connections, which are essential for detecting and investigating potential security incidents.

Purpose of Endpoint Activity Recorder:

The endpoint activity recorder helps track specific actions and behaviors on endpoints, providing insights into potentially suspicious or malicious activity.

This data is valuable for incident response and for understanding how threats may have propagated across the network.

Why Other Options Are Not Suitable:

Virtual (Option A), Email (Option C), and Temporary (Option D) do not accurately represent the continuous and comprehensive nature of endpoint activity monitoring.


Question 6

What prevention technique does Threat Defense for Active Directory use to expose attackers?



Answer : C

Threat Defense for Active Directory (TDAD) employs Honeypot Traps as a primary prevention technique to detect and expose attackers. These honeypot traps act as decoys within the network, mimicking legitimate Active Directory (AD) objects or data that would attract attackers aiming to gather AD information or exploit AD weaknesses.

Honeypot Trap Functionality:

Honeypot traps are strategically placed to appear as appealing targets, such as privileged accounts or critical directories, without being part of the actual AD infrastructure.

When attackers interact with these traps, TDAD records their actions, which can then trigger alerts, allowing administrators to identify and monitor suspicious activities.

Exposure and Mitigation:

By enticing attackers to interact with fake assets, honeypot traps help expose malicious intentions and techniques. This information can be used for forensic analysis and to enhance future defenses.

This technique allows organizations to expose potential threats proactively, before any real AD resources are compromised.


Question 7

Which two (2) scan range options are available to an administrator for locating unmanaged endpoints? (Select two)



Answer : B, C

For locating unmanaged endpoints, administrators in Symantec Endpoint Protection Manager (SEPM) can use the following scan range options:

IP Range within the Network: This option allows scanning of specific IP address ranges to locate devices that may not have SEP installed.

Subnet Range: Administrators can scan within specific subnets, providing a focused range to detect unmanaged endpoints in targeted sections of the network.

These options enable precise scans, helping administrators efficiently identify and manage unmanaged devices.

