Broadcom 250-580 Exam
Endpoint Security Complete - R2 Technical Specialist (Page 3)

Updated On: 12-Jan-2026

An Incident Responder has determined that an endpoint is compromised by a malicious threat.
What SEDR feature would be utilized first to contain the threat?

  A. File Deletion
  B. Incident Manager
  C. Isolation
  D. Endpoint Activity Recorder

Answer(s): C

Explanation:

When an Incident Responder determines that an endpoint is compromised, the first action to contain the threat is to use the Isolation feature in Symantec Endpoint Detection and Response (SEDR). Isolation effectively disconnects the affected endpoint from the network, thereby preventing the malicious threat from communicating with other systems or spreading within the network environment. This feature enables the responder to contain the threat swiftly, allowing further investigation and remediation steps to be conducted without risk of lateral movement by the attacker.



If an administrator enables the setting to manage policies from the cloud, what steps must be taken to reverse this process?

  A. Navigate to ICDm > Enrollment and disable the setting
  B. Unenroll the SEPM > Disable the setting > Re-enroll the SEPM
  C. Revoke policies from ICDm
  D. Revoke policies from SEPM

Answer(s): B

Explanation:

If an administrator has enabled the setting to manage policies from the cloud and needs to reverse this, they must follow these steps:

  1. Unenroll the SEPM (Symantec Endpoint Protection Manager) from the cloud management console (ICDm).
  2. Disable the cloud policy management setting within the SEPM.
  3. Re-enroll the SEPM back into the cloud if required.

This process ensures that policy control is reverted from cloud management to local management on the SEPM. By following these steps, administrators restore full local control over policies, disabling any cloud-based management settings previously in effect.



How would an administrator specify which remote consoles and servers have access to the management server?

  A. Edit the Server Properties and under the General tab, change the Server Communication Permission.
  B. Edit the Communication Settings for the Group under the Clients tab.
  C. Edit the External Communication Settings for the Group under the Clients tab.
  D. Edit the Site Properties and under the General tab, change the server priority.

Answer(s): A

Explanation:

To control which remote consoles and servers have access to the Symantec Endpoint Protection Manager (SEPM) server, an administrator should edit the Server Properties and adjust the Server Communication Permission under the General tab. This setting specifies which remote systems are authorized to communicate with the management server, enhancing security by limiting access to trusted consoles and servers only. Adjusting the Server Communication Permission helps manage server access centrally and ensures that only approved systems interact with the management server.



Which designation should an administrator assign to the computer configured to find unmanaged devices?

  A. Discovery Device
  B. Discovery Manager
  C. Discovery Agent
  D. Discovery Broker

Answer(s): C

Explanation:

In Symantec Endpoint Protection, the Discovery Agent designation is assigned to a computer responsible for identifying unmanaged devices within a network. This role is crucial for discovering endpoints that lack protection or are unmanaged, allowing the administrator to deploy agents or take appropriate action. Configuring a Discovery Agent facilitates continuous monitoring and helps ensure that all devices on the network are recognized and managed.



An administrator notices that some entries list that the Risk was partially removed. The administrator needs to determine whether additional steps are necessary to remediate the threat.
Where in the Symantec Endpoint Protection Manager console can the administrator find additional information on the risk?

  A. Risk log
  B. Computer Status report
  C. Notifications
  D. Infected and At-Risk Computers report

Answer(s): A

Explanation:

To gather more details about threats that were only partially removed, an administrator should consult the Risk log in the Symantec Endpoint Protection Manager (SEPM) console. The Risk log provides comprehensive information about detected threats, their removal status, and any remediation actions taken. By examining these logs, the administrator can determine if additional steps are required to fully mitigate the threat, ensuring that the endpoint is entirely secure and free of residual risks.



Which Endpoint Setting should an administrator utilize to locate unmanaged endpoints on a network subnet?

  A. Device Discovery
  B. Endpoint Enrollment
  C. Discover and Deploy
  D. Discover Endpoints

Answer(s): C

Explanation:

To locate unmanaged endpoints within a specific network subnet, an administrator should utilize the Discover and Deploy setting. This feature scans the network for endpoints without security management, enabling administrators to identify and initiate the deployment of Symantec Endpoint Protection agents on unmanaged devices. This proactive approach ensures comprehensive coverage across the network, allowing for efficient detection and management of all endpoints within the organization.



Why is it important for an Incident Responder to copy malicious files to the SEDR file store or create an image of the infected system during the Recovery phase?

  A. To create custom IPS signatures
  B. To test the effectiveness of the current assigned policy settings in the Symantec Endpoint Protection Manager (SEPM)
  C. To have a copy of the file for policy enforcement
  D. To document and preserve any pieces of evidence associated with the incident

Answer(s): D

Explanation:

During the Recovery phase of an incident response, it is critical for an Incident Responder to copy malicious files to the SEDR file store or create an image of the infected system. This action preserves evidence associated with the incident, allowing for thorough investigation and analysis. By securing a copy of the malicious files or system state, responders maintain a record of the incident that can be analyzed for root cause assessment, used for potential legal proceedings, or retained for post-incident review. Documenting and preserving evidence ensures that key information is available for future reference or audits.



An administrator changes the Virus and Spyware Protection policy for a specific group that disables Auto-Protect. The administrator assigns the policy and the client systems apply the corresponding policy serial number. Upon visual inspection of a physical client system, the policy serial number is correct. However, Auto-Protect is still enabled on the client system.
Which action should the administrator take to ensure that the desired setting is in place for the client?

  A. Restart the client system
  B. Run a command on the computer to Update Content
  C. Enable the padlock next to the setting in the policy
  D. Withdraw the Virus and Spyware Protection policy

Answer(s): C

Explanation:

If an administrator modifies the Virus and Spyware Protection policy to disable Auto-Protect, but finds it still enabled on the client, the likely cause is that the setting was not locked. In Symantec Endpoint Protection policies, enabling the padlock icon next to a setting ensures that the policy is enforced strictly, overriding local client configurations. Without this lock, clients may retain previous settings despite the new policy. Locking the setting guarantees that the desired configuration is applied consistently across all clients within the specified group.
