Summer Special Sale - Limited Time 60% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: 575363r9

Welcome To DumpsPedia

250-441 Sample Questions Answers

Questions 4

An Incident Responder discovers an incident where all systems are infected with a file that has the same name and different hash. As a result, the organism view has multiple entries for the malicious file.

What is causing this issue?

Options:

A.

This is a polymorphic threat

B.

This is a DDoS attack

C.

The file has multiple hashes

D.

The file is trying to phone home

Buy Now
Questions 5

Which default port does ATP use to communicate with the Symantec Endpoint Protection Manager (SEPM)

web services?

Options:

A.

8446

B.

8081

C.

8014

D.

1433

Buy Now
Questions 6

What impact does changing from Inline Block to SPAN/TAP mode have on blacklisting in ATP?

Options:

A.

ATP will continue to block previously blacklisted addresses but NOT new ones.

B.

ATP does NOT block access to blacklisted addresses unless block mode is enabled.

C.

ATP will clear the existing blacklists.

D.

ATP does NOT block access to blacklisted addresses unless TAP mode is enabled.

Buy Now
Questions 7

A network control point discovered a botnet phone-home attempt in the network stream.

Which detection method identified the event?

Options:

A.

Vantage

B.

Insight

C.

Antivirus

D.

Cynic

Buy Now
Questions 8

Which level of privilege corresponds to each ATP account type?

Match the correct account type to the corresponding privileges.

Options:

Buy Now
Questions 9

What are the prerequisite products needed when deploying ATP: Endpoint, Network, and Email?

Options:

A.

SEP and Symantec Messaging Gateway

B.

SEP, Symantec Email Security.cloud, and Security Information and Event Management (SIEM)

C.

SEP and Symantec Email Security.cloud

D.

SEP, Symantec Messaging Gateway, and Symantec Email Security.cloud

Buy Now
Questions 10

Which final steps should an Incident Responder take before using ATP to rejoin a remediated endpoint to the network, according to Symantec best practices?

Options:

A.

Run an additional antivirus scan with the latest definitions. If the scan comes back as clean, rejoin the

computer to the production network.

B.

Run Windows Update to patch the system with the latest service pack. Once the system is up-to-date,

rejoin the computer to the production network.

C.

Use SymDiag to run a Threat Scan Analysis on the machine. Once the analysis comes back as clean,

rejoin the computer to the production network.

D.

Upgrade the client to the latest version of SEP. Once the client is upgraded, rejoin the computer to the

production network.

Buy Now
Questions 11

Which action should an Incident Responder take to remediate false positives, according to Symantec best

practices?

Options:

A.

Blacklist

B.

Whitelist

C.

Delete file

D.

Submit file to Cynic

Buy Now
Questions 12

Which two tasks should an Incident Responder complete when recovering from an incident? (Choose two.)

Options:

A.

Rejoin healthy endpoints back to the network

B.

Blacklist any suspicious files found in the environment

C.

Submit any suspicious files to Cynic

D.

Isolate infected endpoints to a quarantine network

E.

Delete threat artifacts from the environment

Buy Now
Questions 13

What is the role of Vantage within the Advanced Threat Protection (ATP) solution?

Options:

A.

Network detection component

B.

Event correlation

C.

Reputation-based security

D.

Detonation/sandbox

Buy Now
Questions 14

During a recent virus outlook, an Incident found that the incident Response team was successful in identifying malicious that were communicating with the infected endpoint.

Which two (2) options should be incident Responder select to prevent endpoints from communicating with malicious domains?

Options:

A.

Use the isolation command in ATP to move endpoint to quarantine network.

B.

Blacklist suspicious domain in the ATP manager.

C.

Deploy a high-Security antivirus and Antispyware policy in the Symantec Endpoint protection Manager (SEPM.)

D.

Create a firewall rule in the Symantec Endpoints Protection Manager (SEPM) or perimeter firewall that blocks

E.

traffic to the domain.

F.

Run a full system scan on all endpoints

Buy Now
Questions 15

Which access credentials does an ARP Administrator need to set up a deployment of ATP: Endpoint , Network and Email?

Options:

A.

Email security. Cloud credential for email correlation, credential for the Symantec Endpoint Protection Manager (SEPM) database, and System Administrator logging for the SEPM.

B.

Active Directory logging to the Symantec endpoint Protection Manager (SEPM) database and an Email Security. Cloud login with full access

C.

Symantec Endpoint protection Manager (SEPM) login and ATP: Email login with service permissions

D.

Credentials for the Symantec Endpoint protection Manager (SEPM) database, and an administrator loging or Symantec Messaging Gateway

Buy Now
Questions 16

Why is it important for an Incident Responder to copy malicious files to the ATP file store or create an image of the infected system during the Recovery phase?

Options:

A.

To have a copy of the file policy enforcement

B.

To test the effectiveness of the current assigned policy settings in the Symantec Endpoint Protection Manager (SEPM)

C.

To create custom IPS signatures

D.

To document and preserve any pieces of evidence associated with the incident

Buy Now
Questions 17

An Incident Responder documented the scope of a recent outbreak by reviewing the incident in the ATP

manager.

Which two entity relationship examples should the responder look for and document from the Incident Graph? (Choose two.)

Options:

A.

An intranet website that is experiencing an increase in traffic from endpoints in a smaller branch office.

B.

A server in the DMZ that was repeatedly accessed outside of normal business hours on the weekend.

C.

A network share is repeatedly accessed during and after an infection indicating a more targeted attack.

D.

A malicious file that was repeatedly downloaded by a Trojan or downloader that infected multiple

endpoints.

E.

An external website that was the source of many malicious files.

Buy Now
Questions 18

An Incident Responder wants to use a STIX file to run an indicate of components (IOC) search.

Which format must the administrator use for the file?

Options:

A.

.csv

B.

.xml

C.

.mht

D.

.html

Buy Now
Questions 19

ATP detects a threat phoning home to a command and control server and creates a new incident. The treat is NOT being detected by SEP, but the Incident Response team conducted an indicators of compromise (IOC) search for the machines that are contacting the malicious sites to gather more information.

Which step should the Incident Response team incorporate into their plan of action?

Options:

A.

Perform a healthcheck of ATP

B.

Create firewall rules in the Symantec Endpoint Protection Manager (SEPM) and the perimeter firewall

C.

Use ATP to isolate non-SEP protected computers to a remediation VLAN

D.

Rejoin the endpoints back to the network after completing a final virus scan

Buy Now
Questions 20

How can an Incident Responder generate events for a site that was identified as malicious but has NOT

triggered any events or incidents in ATP?

Options:

A.

Assign a High-Security Antivirus and Antispyware policy in the Symantec Endpoint Protection Manager

(SEPM).

B.

Run an indicators of compromise (IOC) search in ATP manager.

C.

Create a firewall rule in the Symantec Endpoint Protection Manager (SEPM) or perimeter firewall that

blocks traffic to the domain.

D.

Add the site to a blacklist in ATP manager.

Buy Now
Questions 21

A large company has 150,000 endpoints with 12 SEP sites across the globe. The company now wants to

implement ATP: Endpoint to improve their security. However, a consultant recently explained that the company needs to implement more than one ATP manager.

Why does the company need more than one ATP manager?

Options:

A.

An ATP manager can only connect to a SQL backend

B.

An ATP manager can only support 30,000 SEP clients

C.

An ATP manager can only support 10 SEP site connections.

D.

An ATP manager needs to be installed at each location where a Symantec Endpoint Protection Manager (SEPM) is located.

Buy Now
Questions 22

Why is it important for an Incident Responder to review Related Incidents and Events when analyzing an

incident for an After Actions Report?

Options:

A.

It ensures that the Incident is resolved, and the responder can clean up the infection.

B.

It ensures that the Incident is resolved, and the responder can determine the best remediation method.

C.

It ensures that the Incident is resolved, and the threat is NOT continuing to spread to other parts of the

environment.

D.

It ensures that the Incident is resolved, and the responder can close out the incident in the ATP manager.

Buy Now
Questions 23

An ATP administrator is setting up correlation with Email Security cloud.

What is the minimum Email Security cloud account privilege required?

Options:

A.

Standard User Role -Port

B.

Standard User Role - Service

C.

Standard User Role - Support

D.

Standard User Role - Full Access

Buy Now
Questions 24

Which endpoint detection method allows for information about triggered processes to be displayed in ATP?

Options:

A.

SONAR

B.

Insight

C.

System Lockdown

D.

Antivirus

Buy Now
Questions 25

What is a benefit of using Microsoft SQL as the Symantec Endpoint Protection Manager (SEPM) database in regard to ATP?

Options:

A.

It allows for Microsoft Incident Responders to assist in remediation

B.

ATP can access the database using a log collector on the SEPM host

C.

It allows for Symantec Incident Responders to assist in remediation

D.

ATP can access the database without any special host system requirements

Buy Now
Questions 26

An Incident Responder runs an endpoint search on a client group with 100 endpoints. After one day, the

responder sees the results for 90 endpoints.

What is a possible reason for the search only returning results for 90 of 100 endpoints?

Options:

A.

The search expired after one hour

B.

10 endpoints are offline

C.

The search returned 0 results on 10 endpoints

D.

10 endpoints restarted and cancelled the search

Buy Now
Questions 27

What is the main constraint an ATP Administrator should consider when choosing a network scanner model?

Options:

A.

Throughput

B.

Bandwidth

C.

Link speed

D.

Number of users

Buy Now
Questions 28

Which threat is an example of an Advanced Persistent Threat (APT)?

Options:

A.

Zeus

B.

Melissa

C.

Duqu

D.

Code Red

Buy Now
Exam Code: 250-441
Exam Name: Administration of Symantec Advanced Threat Protection 3.0
Last Update: Jun 17, 2024
Questions: 96
$64  $159.99
$48  $119.99
$40  $99.99
buy now 250-441