Question 1

An organization created a rule in the Application and Device Control policy to block peer-to-peer applications. What two other protection technologies can block and log such unauthorized application? (Choose two.)
A) Memory Exploit Mitigation
B) Virus and Spyware Protection
C) Custom IPS Signatures
D) Host Integrity
E) Firewall

Accepted Answer

Custom IPS Signatures can be used to detect and block specific application traffic patterns, including peer-to-peer applications. The Firewall can also block network traffic associated with unauthorized applications.

Question 2

What type of exceptions can an administrator create from the Symantec Endpoint Protection Manager for a Mac client?
A) Security Risk Exceptions - File
B) Security Risk Exceptions for both File or Folder
C) Security Risk Exceptions - Folder
D) Security Risk Exceptions - Extension

Accepted Answer

The answer of What type of exceptions can an administrator...

Question 3

An organization has four locations setup in their Symantec Endpoint Protection Environment to match the physical sites they have - NAM, LATAM, EMEA, and APAC. When users travel from site to site, they would like to control which SEPM a client connects to based on the client's proximity to the nearest SEPM server. The location is triggered by IP range assigned by the DHCP of that site. How can the organization utilize Locations to control which SEPM or set of SEPMs the clients connect to?
A) Assign the Management Server list to the Group with the appropriate SEPM order. (Each SEPM is on the same priority level)
B) Assign the Management Server list to the Location and Group with the appropriate SEPM order. (Each SEPM has its own priority level)
C) Assign the Management Server list to the Location with the appropriate SEPM order. (Each SEPM has its own priority level)
D) Assign the Management Server list to the Location under My Company. (Each SEPM is on the same priority level)

Accepted Answer

The answer of An organization has four locations setup in...

Question 4

Which content distribution method can distribute content to all client types and provides validation scheduling?
A) Group Update Provider
B) Internal LiveUpdate
C) Intelligent Updater
D) Management Server

Accepted Answer

The answer of Which content distribution method can distribute content...

Question 5

What two steps should an administrator take to troubleshoot firewall processing with the Symantec Endpoint Protection client? (Choose two.)
A) Create an exclusion in the Exceptions policy and reproduce the issue
B) Disable the Symantec Endpoint Protection client and reproduce the issue
C) Withdraw the assigned firewall policy and reproduce the issue
D) Add an "Allow All" traffic rule to the assigned firewall policy and reproduce the issue
E) Enable TSE debug on the Symantec Endpoint Protect client and reproduce the issue

Accepted Answer

The answer of What two steps should an administrator take...

Question 6

An organization's Limited Administrator needs to create an exclusion. When the Limited Administrator logs in, they do NOT see Exceptions listed as an option on the Policies page. What setting should a System Administrator enable so the Limited Administrator could see Exceptions and create an exclusion?
A) Edit the Limited Administrator properties and uncheck Do not allow editing of shared policies in the Access Rights tab Edit the Limited Administrator properties and uncheck Do not allow editing of shared policies in the Access Rights tab
B) Edit the Limited Administrator properties and link the Administrator to an Active Directory account with Administrator privileges in the Authentication tab and link the Administrator to an Active Directory account with Administrator privileges in the Authentication tab
C) Edit the Limited Administrator properties and ensure Exceptions is checked under Policy rights in Access Rights tab and ensure Exceptions is checked under Policy rights in
D) Edit the Limited Administrator properties and change to Administrator in the Access Rights tab and change to Administrator

Accepted Answer

The answer of An organization's Limited Administrator needs to create...

Question 7

An organization has several Symantec Endpoint Protection Management (SEPM) Servers without access to the Internet. The SEPM can only run LiveUpdate within a specified "maintenance window" outside of business hours. What content distribution method should the organization utilize?
A) Group Update Provider
B) External LiveUpdate
C) JDB file
D) Internal LiveUpdate

Accepted Answer

The answer of An organization has several Symantec Endpoint Protection...

Question 8

Where does an administrator review logs, after enabling debug logging for client communication on a SEP for Mac client?
A) /Library/Application Support/Symantec/SMC/log/syslog.log
B) /Library/Application Support/Symantec/SMC/debug/als_debug.log
C) /Library/Application Support/Symantec/SMC/debug/smc_debug.log
D) /Library/Application Support/Symantec/SMC/log/sylink.log

Accepted Answer

The debug logs for client communication on a SEP for Mac client are stored in the smc_debug.log file.

Question 9

An organization recently experienced an outbreak involving a threat that replicated over network shares. The SEP Administrator needs to heuristically scan file operations that target network drives. What options should an administrator enable in the Virus and Spyware Protection policy?
A) Browse to Early Launch Malware Driver and select Enable Symantec early launch malware Browse to Early Launch Malware Driver and select Enable Symantec early launch malware
B) Browse to Download Protection ? Download Insight and select Enable Download Insight to detect potential risks in downloaded files based on reputation Download Protection ? Download Insight Enable Download Insight to detect potential risks in downloaded files based on reputation
C) Browse to SONAR and enable Scan files on remote computers SONAR and enable Scan files on remote computers
D) Browse to Auto Protect ? Scan Details and enable Scan files on remote computers Auto Protect ? Scan Details

Accepted Answer

Enabling "Scan files on remote computers" in the Auto Protect Scan Details allows the SEP to heuristically scan file operations on network drives, which is necessary to detect threats replicating over network shares.

Question 10

An organization needs to be notified when certain types of events happen in their SEP environment. What notification type should the SEP Administrator create to see attacks and events that the firewall or Intrusion Protection System (IPS) detects?
A) Create a Client Security Notification that filters by Traffic Events Create a Client Security Notification that filters by Traffic Events
B) Create a Client Security Notification that filters by Compliance Events Compliance Events
C) Create a Client Security Notification that filters by Network and Host Mitigation Events Network and Host Mitigation Events
D) Create a Client Security Notification that filters by Packet Events Packet Events

Accepted Answer

The correct notification type is to filter by Network and Host Mitigation Events, as this will capture events detected by the firewall or Intrusion Protection System (IPS).

Question 11

What are two methods the SEP Administrator can use for gathering a fingerprint list? (Choose two.)
A) GatherSymantecInfo
B) DevViewer
C) Checksum
D) DeviceInf
E) Get File Fingerprint list command

Accepted Answer

The answer of What are two methods the SEP Administrator...

Question 12

What type of client remediation can an administrator perform in the SEPM with events in the Attack logs?
A) Free additional disk space by removing files from Quarantine
B) Review the operation status of client computers and enable protection technologies
C) Create a Firewall rule in the Firewall policy
D) Run Power Eraser remotely to resolve issues with heavily infected computers

Accepted Answer

The answer of What type of client remediation can an...

Question 13

An organization needs to ensure that SEP detects a malicious or potentially malicious file when downloaded via a text messaging client. What feature can an organization enable in the Virus and Spyware Protection policy and modify its sensitivity settings?
A) Global Scan Options
B) SONAR
C) Internet Email Auto Protect
D) Download Protection

Accepted Answer

Download Protection is a feature in SEP that can be configured to detect malicious files when they are downloaded, including through text messaging clients. Adjusting its sensitivity settings can help in identifying potentially harmful files.

Question 14

How should an administrator set up an alert to be notified when manual remediation is needed on an endpoint?
A) Add a System event notification and specify "Left Alone" for the action taken. Choose to log the notification and send an e-mail to the system administrators
B) Add a Single Risk Event notification and specify "Left Alone" for the action taken. Choose to log the notification and send an e-mail to the system administrators
C) Add a New risk detected notification and specify "Left Alone" for the action taken. Choose to log the notification and send an e-mail to the system administrators
D) Add a Client security alert notification and specify "Left Alone" for the action taken. Choose to log the notification and send an e-mail to the system administrators

Accepted Answer

A System event notification can be used to track when an action is taken on an endpoint, and can be configured to send an email notification when the action taken is "Left Alone".

Question 15

What SEPM report should an administrator utilize to view the files that Download Insight detected on your computers, after configuring Download Insight?
A) Risk Distribution
B) SONAR Detection Results
C) Download Risk Distribution
D) Risk Detections Count

Accepted Answer

The answer of What SEPM report should an administrator utilize...

Question 16

An organization has a small group of servers with large drive volumes. What setting in the Virus and Spyware Protection policy can the organization utilize when scheduling scans on these servers?
A) Use resumable scans
B) Use Shared Insight Cache
C) Adjust Auto Protect Settings
D) Randomize scheduled scans

Accepted Answer

Using resumable scans allows the scan to pause and resume, which is beneficial for servers with large drive volumes as it can help manage the scan process without overloading the system.

Question 17

An organization has a group of 500 SEP for Windows Clients running 12.1 RU5. The organization wants to migrate the clients to 14 RU1, but must minimize WAN bandwidth usage. What installation method should the organization use?
A) Push Deployment Wizard
B) Clients Install Package hosted on a local HTTP Server
C) Client Deployment Wizard
D) Auto Upgrade

Accepted Answer

Auto Upgrade allows the organization to distribute the upgrade package using the existing management infrastructure, minimizing WAN bandwidth usage by leveraging local distribution points.

Question 18

What Symantec Endpoint Protection component facilitates distributing content clients that have a poor connection to the Symantec Endpoint Protection Manager (SEPM)?
A) Group Update Provider
B) SEPM Replication
C) LiveUpdate Administrator
D) Shared Insight Cache Server

Accepted Answer

The Group Update Provider (GUP) is a component that helps distribute content updates to clients with poor connectivity to the SEPM by acting as an intermediary to reduce bandwidth usage.

Question 19

What two core technologies does Symantec Endpoint Protection firewall utilize? (Choose two.)
A) Circuit-level gateway
B) Packet filtering
C) Stateful
D) Application-level gateway
E) Deep packet inspection

Accepted Answer

Symantec Endpoint Protection firewall utilizes packet filtering and stateful inspection as its core technologies to monitor and control network traffic.

Question 20

An organization is troubleshooting a SONAR false positive and has created an exclusion for the in-house application generating the detection. How can the organization use Process Explorer to verify that the exclusion works?
A) Use Process Explorer to see if secars.dll is still there. If secars.dll is still present in the application as an injected process, ensure the updated policy is applied to the group Use Process Explorer to see if secars.dll is still there. If is still present in the application as an injected process, ensure the updated policy is applied to the group
B) Use Process Explorer to see if UMEngx86.dll is still there. If UMEngx86.dll is still present in the application as an injected process, ensure the updated policy is applied to the group UMEngx86.dll
C) Use Process Explorer to see if IPSFFPI.dll is still there. If IPSFFPI.dll is still present in the application as an injected process, ensure the updated policy is applied to the group IPSFFPI.dll
D) Use Process Explorer to see if sysfer.dll is still there. If sysfer.dll is still present in the application as an injected process, ensure the updated policy is applied to the group sysfer.dll

Accepted Answer

Sysfer.dll is associated with Symantec Endpoint Protection, and its presence as an injected process would indicate that the exclusion policy might not have been applied correctly.

Exam 2: Administration of Symantec Email Security.cloud (v1)

An organization created a rule in the Application and Device Control policy to block peer-to-peer applications. What two other protection technologies can block and log such unauthorized application? (Choose two.)

What type of exceptions can an administrator create from the Symantec Endpoint Protection Manager for a Mac client?

Which content distribution method can distribute content to all client types and provides validation scheduling?

What two steps should an administrator take to troubleshoot firewall processing with the Symantec Endpoint Protection client? (Choose two.)

An organization has several Symantec Endpoint Protection Management (SEPM) Servers without access to the Internet. The SEPM can only run LiveUpdate within a specified "maintenance window" outside of business hours. What content distribution method should the organization utilize?

Where does an administrator review logs, after enabling debug logging for client communication on a SEP for Mac client?

An organization recently experienced an outbreak involving a threat that replicated over network shares. The SEP Administrator needs to heuristically scan file operations that target network drives. What options should an administrator enable in the Virus and Spyware Protection policy?

An organization needs to be notified when certain types of events happen in their SEP environment. What notification type should the SEP Administrator create to see attacks and events that the firewall or Intrusion Protection System (IPS) detects?

What are two methods the SEP Administrator can use for gathering a fingerprint list? (Choose two.)

What type of client remediation can an administrator perform in the SEPM with events in the Attack logs?

An organization needs to ensure that SEP detects a malicious or potentially malicious file when downloaded via a text messaging client. What feature can an organization enable in the Virus and Spyware Protection policy and modify its sensitivity settings?

How should an administrator set up an alert to be notified when manual remediation is needed on an endpoint?

What SEPM report should an administrator utilize to view the files that Download Insight detected on your computers, after configuring Download Insight?

An organization has a small group of servers with large drive volumes. What setting in the Virus and Spyware Protection policy can the organization utilize when scheduling scans on these servers?

An organization has a group of 500 SEP for Windows Clients running 12.1 RU5. The organization wants to migrate the clients to 14 RU1, but must minimize WAN bandwidth usage. What installation method should the organization use?

What Symantec Endpoint Protection component facilitates distributing content clients that have a poor connection to the Symantec Endpoint Protection Manager (SEPM) ?

What two core technologies does Symantec Endpoint Protection firewall utilize? (Choose two.)

An organization is troubleshooting a SONAR false positive and has created an exclusion for the in-house application generating the detection. How can the organization use Process Explorer to verify that the exclusion works?