Cisco®
CompTIA
Checkpoint
ISC
EC-Council
EXIN
Fortinet
ITIL®
Juniper
Microsoft
VMware
Avaya
SAP
Google
Salesforce
Amazon
Palo Alto Networks
ISC2
Splunk®
All Vendors
  2. Home
  3. Exams
  4. Broadcom
  5. 250-580

Free Broadcom 250-580 Exam Braindumps (page: 2)

96.4% Passing Rate DOWNLOAD PDF EXAM
150 Questions & Answers
Page 2 of 20

What EDR function minimizes the risk of an endpoint infecting other resources in the environment?

  1. Quarantine
  2. Block
  3. Deny List
  4. Firewall

Answer(s): A

Explanation:

The function of "Quarantine" in Endpoint Detection and Response (EDR) minimizes the risk of an infected endpoint spreading malware or malicious activities to other systems within the network environment. This is accomplished by isolating or restricting access of the infected endpoint to contain any threat within that specific machine. Here's how Quarantine functions as a protective measure:
Detection and Isolation: When EDR detects potential malicious behavior or files on an endpoint, it can automatically place the infected file or process in a "quarantine" area. This means the threat is separated from the rest of the system, restricting its ability to execute or interact with other resources.

Minimizing Spread: By isolating compromised files or applications, Quarantine ensures that malware or suspicious activities do not propagate to other endpoints, reducing the risk of a widespread infection.
Administrative Review: After an item is quarantined, administrators can review it to determine if it should be deleted or restored based on a false positive evaluation. This controlled environment allows for further analysis without risking network security. Endpoint-Specific Control: Quarantine is designed to act at the endpoint level, applying restrictions that affect only the infected system without disrupting other network resources. Using Quarantine as an EDR response mechanism aligns with best practices outlined in endpoint security documentation, such as Symantec Endpoint Protection, which emphasizes containment as a critical first response to threats. This approach supports the proactive defense strategy of limiting lateral movement of malware across a network, thus preserving the security and stability of the entire system.



What priority would an incident that may have an impact on business be considered?

  1. Low
  2. Critical
  3. High
  4. Medium

Answer(s): C

Explanation:

An incident that may have an impact on business is typically classified with a High priority in cybersecurity frameworks and incident response protocols. Here's a detailed rationale for this classification:
Potential Business Disruption: An incident that affects or threatens to affect business operations, even if indirectly, is assigned a high priority to ensure swift response. This classification prioritizes incidents that may not be immediately critical but could escalate if not addressed promptly. Risk of Escalation: High-priority incidents are situations that, while not catastrophic, have the potential to impact critical systems or compromise sensitive data, thus needing attention before they lead to severe business repercussions.
Rapid Response Requirement: Incidents labeled as high priority are flagged for immediate investigation and containment measures to prevent further business impact or operational downtime.
In this context, while Critical incidents involve urgent threats with immediate, severe effects (such as active data breaches), a High priority applies to incidents with significant risk or potential for business impact. This prioritization is essential for effective incident management, enabling resources to focus on potential risks to business continuity.



Which antimalware intensity level is defined by the following: "Blocks files that are most certainly bad or potentially bad files results in a comparable number of false positives and false negatives."

  1. Level 6
  2. Level 5
  3. Level 2
  4. Level 1

Answer(s): B

Explanation:

In antimalware solutions, Level 5 intensity is defined as a setting where the software blocks files that are considered either most certainly malicious or potentially malicious. This level aims to balance security with usability by erring on the side of caution; however, it acknowledges that some level of both false positives (legitimate files mistakenly flagged as threats) and false negatives (malicious files mistakenly deemed safe) may still occur.
This level is typically used in environments where security tolerance is high but with an understanding that some legitimate files might occasionally be flagged. It provides robust protection without the extreme strictness of the highest levels, thus reducing, but not eliminating, the possibility of false alerts while maintaining an aggressive security posture.



The SES Intrusion Prevention System has blocked an intruder's attempt to establish an IRC connection inside the firewall.
Which Advanced Firewall Protection setting should an administrator enable to prevent the intruder's system from communicating with the network after the IPS detection?

  1. Enable port scan detection
  2. Automatically block an attacker's IP address
  3. Block all traffic until the firewall starts and after the firewall stops
  4. Enable denial of service detection

Answer(s): B

Explanation:

To enhance security and prevent further attempts from the intruder after the Intrusion Prevention System (IPS) has detected and blocked an attack, the administrator should enable the setting to Automatically block an attacker's IP address. Here's why this setting is critical:
Immediate Action Against Threats: By automatically blocking the IP address of the detected attacker, the firewall can prevent any further communication attempts from that address. This helps to mitigate the risk of subsequent attacks or reconnections. Proactive Defense Mechanism: Enabling this feature serves as a proactive defense strategy, minimizing the chances of successful future intrusions by making it harder for the attacker to re- establish a connection to the network.
Reduction of Administrative Overhead: Automating this response allows the security team to focus on investigating and remediating the incident rather than manually tracking and blocking malicious IP addresses, thus optimizing incident response workflows.

Layered Security Approach: This setting complements other security measures, such as intrusion detection and port scan detection, creating a layered security approach that enhances overall network security.
Enabling automatic blocking of an attacker's IP address directly addresses the immediate risk posed by the detected intrusion and reinforces the organization's defense posture against future threats.



After several failed logon attempts, the Symantec Endpoint Protection Manager (SEPM) has locked the default admin account. An administrator needs to make system changes as soon as possible to address an outbreak, but the admin account is the only account.
Which action should the administrator take to correct the problem with minimal impact on the existing environment?

  1. Wait 15 minutes and attempt to log on again
  2. Restore the SEPM from a backup
  3. Run the Management Server and Configuration Wizard to reconfigure the server
  4. Reinstall the SEPM

Answer(s): A

Explanation:

In the situation where the default admin account of the Symantec Endpoint Protection Manager (SEPM) is locked after several failed login attempts, the best course of action for the administrator is to wait 15 minutes and attempt to log on again. Here's why this approach is advisable:
Account Lockout Policy: Most systems, including SEPM, are designed with account lockout policies that temporarily disable accounts after a number of failed login attempts. Typically, these policies include a reset time (often around 15 minutes), after which the account becomes active again. Minimal Disruption: Waiting for the account to automatically unlock minimizes disruption to the existing environment. This avoids potentially complex recovery processes or the need to restore from a backup, which could introduce additional complications or data loss. Avoiding System Changes: Taking actions such as restoring the SEPM from a backup, reconfiguring the server, or reinstalling could lead to significant changes in the configuration and might cause further complications, especially if immediate action is needed to address an outbreak. Prioritizing Response to Threats: While it's important to respond to security incidents quickly, maintaining the integrity of the SEPM configuration and ensuring a smooth recovery is also crucial.

Waiting for the lockout period respects the system's security protocols and allows the administrator to regain access with minimal risk.
In summary, waiting for the lockout to expire is the most straightforward and least disruptive solution, allowing the administrator to resume critical functions without unnecessary risk to the SEPM environment.



Which Incident View widget shows the parent-child relationship of related security events?

  1. The Incident Summary Widget
  2. The Process Lineage Widget
  3. The Events Widget
  4. The Incident Graph Widget

Answer(s): B

Explanation:

The Process Lineage Widget in the Incident View of Symantec Endpoint Security provides a visual representation of the parent-child relationship among related security events, such as processes or activities stemming from a primary malicious action. This widget is valuable for tracing the origins and propagation paths of potential threats within a system, allowing security teams to identify the initial process that triggered subsequent actions. By displaying this hierarchical relationship, the Process Lineage Widget supports in-depth forensic analysis, helping administrators understand how an incident unfolded and assess the impact of each related security event in context.



Which Symantec Endpoint Protection technology blocks a downloaded program from installing browser plugins?

  1. Intrusion Prevention
  2. SONAR
  3. Application and Device Control
  4. Tamper Protection

Answer(s): C

Explanation:

The Application and Device Control technology within Symantec Endpoint Protection (SEP) is responsible for blocking unauthorized software behaviors, such as preventing a downloaded program from installing browser plugins. This feature is designed to enforce policies that restrict specific actions by applications, which includes controlling program installation behaviors, access to certain system components, and interactions with browser settings. Application and Device Control effectively safeguards endpoints by stopping potentially unwanted or malicious modifications to the browser, thus protecting users from threats that may arise from unverified or harmful plugins.



Which type of event does operation:1 indicate in a SEDR database search?

  1. File Deleted.
  2. File Closed.
  3. File Open.
  4. File Created.

Answer(s): C

Explanation:

In a Symantec Endpoint Detection and Response (SEDR) database search, an event labeled with operation:1 corresponds to a File Open action. This identifier is part of SEDR's internal operation codes used to log file interactions.
When querying or analyzing events in the SEDR database, recognizing this code helps Incident Responders understand that the action recorded was an attempt to access or open a file on the endpoint, which may be relevant in tracking suspicious or malicious activities.






Post your Comments and Discuss Broadcom 250-580 exam prep with other Community members:

250-580 Exam Discussions & Posts