Why is it important for an Incident Responder to analyze an incident during the Recovery phase?
A. To determine the best plan of action for cleaning up the infection
B. To isolate infected computers on the network and remediate the threat
C. To gather threat artifacts and review the malicious code in a sandbox environment
D. To access the current security plan, adjust where needed, and provide reference materials in the event of a similar incident
Which best practice does Symantec recommend with the Endpoint Detection and Response feature?
A. Create a unique Cynic account to provide to ATP
B. Create a unique Symantec Messaging Gateway account to provide to ATP
C. Create a unique Symantec Endpoint Protection Manager (SEPM) administrator account to provide to ATP
D. Create a unique Email Security.cloud portal account to provide to ATP
An Incident Responder wants to investigate whether msscrt.pdf resides on any systems. Which search query and type should the responder run?
A. Database search filename "msscrt.pdf"
B. Database search msscrt.pdf
C. Endpoint search filename like msscrt.pdf
D. Endpoint search filename ="msscrt.pdf"
Which two widgets can an Incident Responder use to isolate breached endpoints from the Incident details page? (Choose two.)
A. Affected Endpoints
B. Dashboard
C. Incident Graph
D. Events View
E. Actions Bar
An Incident Responder runs an endpoint search on a client group with 100 endpoints. After one day, the responder sees the results for 90 endpoints.
What is a possible reason for the search only returning results for 90 of 100 endpoints?
A. The search expired after one hour
B. 10 endpoints are offline
C. The search returned 0 results on 10 endpoints
D. 10 endpoints restarted and cancelled the search
Which two steps must an Incident Responder take to isolate an infected computer in ATP? (Choose two.)
A. Close any open shares
B. Identify the threat and understand how it spreads
C. Create subnets or VLANs and configure the network devices to restrict traffic
D. Set executables on network drives as read only
E. Identify affected clients
An Incident Responder documented the scope of a recent outbreak by reviewing the incident in the ATP manager.
Which two entity relationship examples should the responder look for and document from the Incident Graph? (Choose two.)
A. An intranet website that is experiencing an increase in traffic from endpoints in a smaller branch office.
B. A server in the DMZ that was repeatedly accessed outside of normal business hours on the weekend.
C. A network share is repeatedly accessed during and after an infection indicating a more targeted attack.
D. A malicious file that was repeatedly downloaded by a Trojan or a downloader that infected multiple endpoints.
E. An external website that was the source of many malicious files.
In which stage of an Advanced Persistent Threat (APT) attack do attackers send information back to their home base?
A. Capture
B. Incursion
C. Discovery
D. Exfiltration
Which two questions can an Incident Responder answer when analyzing an incident in ATP? (Choose two.)
A. Does the organization need to do a health check in the environment?
B. Are certain endpoints being repeatedly attacked?
C. Is the organization being attacked by this external entity repeatedly?
D. Do ports need to be blocked or opened on the firewall?
E. Does a risk assessment need to happen in the environment?
During a recent virus outbreak, an Incident Responder found that the Incident Response team was successful in identifying malicious domains that were communicating with the infected endpoints.
Which two options should the Incident Responder select to prevent endpoints from communicating with malicious domains? (Choose two.)
A. Use the isolate command in ATP to move all endpoints to a quarantine network.
B. Blacklist suspicious domains in the ATP manager.
C. Deploy a High-Security Antivirus and Antispyware policy in the Symantec Endpoint Protection Manager (SEPM).
D. Create a firewall rule in the Symantec Endpoint Protection Manager (SEPM) or perimeter firewall that blocks traffic to the domain.
E. Run a full system scan on all endpoints.
What are the prerequisite products needed when deploying ATP: Endpoint, Network, and Email?
A. SEP and Symantec Messaging Gateway
B. SEP, Symantec Email Security.cloud, and Security Information and Event Management (SIEM)
C. SEP and Symantec Email Security.cloud
D. SEP, Symantec Messaging Gateway, and Symantec Email Security.cloud
An Incident Responder added a file's MD5 hash to the blacklist. Which component of SEP enforces the blacklist?
A. Bloodhound
B. System Lockdown
C. Intrusion Prevention
D. SONAR
Why is it important for an Incident Responder to copy malicious files to the ATP file store or create an image of the infected system during the Recovery phase?
A. To have a copy of the file policy enforcement
B. To test the effectiveness of the current assigned policy settings in the Symantec Endpoint Protection Manager (SEPM)
C. To create custom IPS signatures
D. To document and preserve any pieces of evidence associated with the incident
Which threat is an example of an Advanced Persistent Threat (APT)?
A. ILOVEYOU
B. Conficker
C. MyDoom
D. GhostNet
Which access credentials does an ATP Administrator need to set up a deployment of ATP: Endpoint, Network, and Email?
A. Email Security.cloud credentials for email correlation, credentials for the Symantec Endpoint Protection Manager (SEPM) database, and a System Administrator login for the SEPM
B. Active Directory login to the Symantec Endpoint Protection Manager (SEPM) database, and an Email Security.cloud login with full access
C. Symantec Endpoint Protection Manager (SEPM) login and ATP: Email login with service permissions
D. Credentials for the Symantec Endpoint Protection Manager (SEPM) database, and an administrator login for Symantec Messaging Gateway