Exam Details

  • Exam Code: 250-441
  • Exam Name: Administration of Symantec Advanced Threat Protection 3.0
  • Certification: Symantec Certified Specialist
  • Vendor: Symantec
  • Total Questions: 95 Q&As
  • Last Updated: May 08, 2024

Symantec 250-441 (Symantec Certified Specialist) Questions & Answers

  • Question 31:

    Which National Institute of Standards and Technology (NIST) cybersecurity function is defined as "finding incursions"?

    A. Protect

    B. Identify

    C. Respond

    D. Detect

  • Question 32:

    Which two ATP control points are able to report events that are detected using Vantage? Enter the two control point names:

    A. ATP: Network, ATP: Endpoint

  • Question 33:

    An ATP administrator is setting up an Endpoint Detection and Response connection.

    Which type of authentication is allowed?

    A. Active Directory authentication

    B. SQL authentication

    C. LDAP authentication

    D. Symantec Endpoint Protection Manager (SEPM) authentication

  • Question 34:

    Refer to the exhibit. An Incident Responder wants to see what was detected on a specific day by the IPS engine.

    Which item must the responder choose from the drop-down menu?

    A. Insight

    B. Cynic

    C. Vantage

    D. Blacklist

  • Question 35:

    Which two questions can an Incident Responder answer when analyzing an incident in ATP? (Choose two.)

    A. Does the organization need to do a healthcheck in the environment?

    B. Are certain endpoints being repeatedly attacked?

    C. Is the organization being attacked by this external entity repeatedly?

    D. Do ports need to be blocked or opened on the firewall?

    E. Does a risk assessment need to happen in the environment?

  • Question 36:

    In which scenario should an Incident Responder manually submit a file to the Cynic portal?

    A. There is a file on a USB that an Incident Responder wants to analyze in a sandbox.

    B. An Incident Responder is unable to remember the password to the .zip archive.

    C. The file has generated multiple incidents in the ATP manager and an Incident Responder wants to blacklist the file.

    D. The file is a legitimate application and an Incident Responder wants to report it to Symantec as a false positive.

  • Question 37:

    What is the role of Vantage within the Advanced Threat Protection (ATP) solution?

    A. Network detection component

    B. Event correlation

    C. Reputation-based security

    D. Detonation/sandbox

  • Question 38:

    Which two actions can an Incident Responder take in the Cynic portal? (Choose two.)

    A. Configure a SIEM feed from the portal to the ATP environment

    B. Configure email reports on convictions

    C. Submit false positive and false negative files

    D. Query hashes

    E. Submit hashes to Insight

  • Question 39:

    An Incident Responder discovers an incident where all systems are infected with a file that has the same name and different hash. As a result, the organism view has multiple entries for the malicious file.

    What is causing this issue?

    A. This is a polymorphic threat

    B. This is a DDoS attack

    C. The file has multiple hashes

    D. The file is trying to phone home

  • Question 40:

    An Incident Responder launches a search from ATP for a file hash. The search returns the results immediately. The responder reviews the Symantec Endpoint Protection Manager (SEPM) command status and does NOT see an indicators of compromise (IOC) search command.

    How is it possible that the search returned results?

    A. The search runs and returns results in ATP and then displays them in SEPM.

    B. This is only an endpoint search.

    C. This is a database search; a command is NOT sent to SEPM for this type of search.

    D. The browser cached result from a previous search with the same criteria.

Tips on How to Prepare for the Exams

Nowadays, certification exams are becoming more and more important, and more and more enterprises require them when you apply for a job. But how do you prepare for the exam effectively? How do you prepare for the exam in a short time with less effort? How do you get an ideal result, and how do you find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provides not only Symantec exam questions, answers and explanations but also complete assistance with your exam preparation and certification application. If you are confused about your 250-441 exam preparation and Symantec certification application, do not hesitate to visit Vcedump.com to find your solutions.