What is the role of Cynic within the Advanced Threat Protection (ATP) solution?
A. Reputation-based security
B. Event correlation
C. Network detection component
D. Detonation/sandbox
An Incident Responder wants to run a database search that will list all clients whose names start with SYM. Which syntax should the responder use?
A. hostname like "SYM"
B. hostname "SYM"
C. hostname "SYM*"
D. hostname like "SYM*"
What occurs when an endpoint fails its Host Integrity check and is unable to remediate?
A. The endpoint automatically switches to using a Compliance location, where a Compliance policy is applied to the computer.
B. The endpoint automatically switches to using a System Lockdown location, where a System Lockdown policy is applied to the computer.
C. The endpoint automatically switches to using a Host Integrity location, where a Host Integrity policy is applied to the computer.
D. The endpoint automatically switches to using a Quarantine location, where a Quarantine policy is applied to the computer.
How can an Incident Responder generate events for a site that was identified as malicious but has NOT triggered any events or incidents in ATP?
A. Assign a High-Security Antivirus and Antispyware policy in the Symantec Endpoint Protection Manager (SEPM).
B. Run an indicators of compromise (IOC) search in ATP manager.
C. Create a firewall rule in the Symantec Endpoint Protection Manager (SEPM) or perimeter firewall that blocks traffic to the domain.
D. Add the site to a blacklist in ATP manager.
Which two widgets can an Incident Responder use to isolate breached endpoints from the Incident details page? (Choose two.)
A. Affected Endpoints
B. Dashboard
C. Incident Graph
D. Events View
E. Actions Bar
In which two locations should an Incident Responder gather data for an After Actions Report in ATP? (Choose two.)
A. Policies page
B. Action Manager
C. Syslog
D. Incident Manager
E. Indicators of compromise (IOC) search
Which Advanced Threat Protection (ATP) component best isolates an infected computer from the network?
A. ATP: Email
B. ATP: Endpoint
C. ATP: Network
D. ATP: Roaming
An Incident Responder documented the scope of a recent outbreak by reviewing the incident in the ATP manager.
Which two entity relationship examples should the responder look for and document from the Incident Graph? (Choose two.)
A. An intranet website that is experiencing an increase in traffic from endpoints in a smaller branch office.
B. A server in the DMZ that was repeatedly accessed outside of normal business hours on the weekend.
C. A network share is repeatedly accessed during and after an infection indicating a more targeted attack.
D. A malicious file that was repeatedly downloaded by a Trojan or a downloader that infected multiple endpoints.
E. An external website that was the source of many malicious files.
An ATP Administrator has deployed ATP: Network, Endpoint, and Email and now wants to ensure that all connections are properly secured.
Which connections should the administrator secure with signed SSL certificates?
A. ATP and the Symantec Endpoint Protection Manager (SEPM); ATP and SEP clients; Web access to the GUI
B. ATP and the Symantec Endpoint Protection Manager (SEPM); ATP and SEP clients; ATP and Email Security.cloud; Web access to the GUI
C. ATP and the Symantec Endpoint Protection Manager (SEPM)
D. ATP and the Symantec Endpoint Protection Manager (SEPM); Web access to the GUI
Which two user roles allow an Incident Responder to blacklist or whitelist files using the ATP manager? (Choose two.)
A. Administrator
B. Controller
C. User
D. Incident Responder
E. Root
What should an Incident Responder do to mitigate a false positive?
A. Add to Whitelist
B. Run an indicators of compromise (IOC) search
C. Submit to VirusTotal
D. Submit to Cynic
An Incident Responder added a file's MD5 hash to the blacklist. Which component of SEP enforces the blacklist?
A. Bloodhound
B. System Lockdown
C. Intrusion Prevention
D. SONAR
Which two non-Symantec methods for restricting traffic are available to the Incident Response team? (Choose two.)
A. Temporarily disconnect the local network from the internet.
B. Create an Access Control List at the router to deny traffic.
C. Analyze traffic using Wireshark protocol analyzer to identify the source of the infection.
D. Create a DNS sinkhole server to block malicious traffic.
E. Isolate computers so they are NOT compromised by infected computers.
Which endpoint detection method allows for information about triggered processes to be displayed in ATP?
A. SONAR
B. Insight
C. System Lockdown
D. Antivirus
Which threat is an example of an Advanced Persistent Threat (APT)?
A. ILOVEYOU
B. Conficker
C. MyDoom
D. GhostNet