Broadcom 250-580 Exam
Endpoint Security Complete - R2 Technical Specialist (Page 5)

Updated On: 9-Feb-2026

An administrator changes the Virus and Spyware Protection policy for a specific group that disables Auto-Protect. The administrator assigns the policy and the client systems apply the corresponding policy serial number. Upon visual inspection of a physical client system, the policy serial number is correct. However, Auto-Protect is still enabled on the client system.
Which action should the administrator take to ensure that the desired setting is in place for the client?

  A. Restart the client system
  B. Run a command on the computer to Update Content
  C. Enable the padlock next to the setting in the policy
  D. Withdraw the Virus and Spyware Protection policy

Answer(s): C

Explanation:

If an administrator modifies the Virus and Spyware Protection policy to disable Auto-Protect, but finds it still enabled on the client, the likely cause is that the setting was not locked. In Symantec Endpoint Protection policies, enabling the padlock icon next to a setting ensures that the policy is enforced strictly, overriding local client configurations. Without this lock, clients may retain previous settings despite the new policy. Locking the setting guarantees that the desired configuration is applied consistently across all clients within the specified group.



In the Virus and Spyware Protection policy, an administrator sets the First action to Clean risk and sets If first action fails to Delete risk.
Which two (2) factors should the administrator consider? (Select two.)

  A. The deleted file may still be in the Recycle Bin.
  B. IT Analytics may keep a copy of the file for investigation.
  C. False positives may delete legitimate files.
  D. Insight may back up the file before sending it to Symantec.
  E. A copy of the threat may still be in the quarantine.

Answer(s): C,E

Explanation:

When configuring a Virus and Spyware Protection policy with the actions to "Clean risk" first and "Delete risk" if cleaning fails, two important considerations are:
False Positives (C): There is a risk that legitimate files may be falsely identified as threats and deleted if the cleaning action fails. This outcome underscores the importance of careful policy configuration to avoid loss of important files.
Quarantine Copy (E): Even if a file is deleted, a copy might still remain in the quarantine. This backup allows for retrieval if the deletion was a false positive or if further analysis of the file is required for investigation purposes.
These considerations help administrators avoid unintended data loss and maintain flexibility for future review of quarantined threats.



What protection technology should an administrator enable to prevent double executable file names of ransomware variants like Cryptolocker from running?

  A. Download Insight
  B. Intrusion Prevention System
  C. SONAR
  D. Memory Exploit Mitigation

Answer(s): C

Explanation:

To prevent ransomware variants, such as Cryptolocker, from executing with double executable file names, an administrator should enable SONAR (Symantec Online Network for Advanced Response). SONAR detects and blocks suspicious behaviors based on file characteristics and real-time monitoring, which is effective in identifying malicious patterns associated with ransomware. By analyzing unusual behaviors, such as double executable file names, SONAR provides proactive protection against ransomware threats before they can cause harm to the system.



Which Indicator of Compromise might be detected as variations in the behavior of privileged users that indicate that their account is being used by someone else to gain a foothold in an environment?

  A. Mismatched Port - Application Traffic
  B. Irregularities in Privileged User Account Activity
  C. Surges in Database Read Volume
  D. Geographical Irregularities

Answer(s): B

Explanation:

An Indicator of Compromise (IOC), such as irregularities in privileged user account activity, can signal that a privileged account may be compromised and used maliciously. This can involve deviations from typical login times, unusual commands or requests, or access to resources not typically utilized by the user. Monitoring such anomalies can help detect when an attacker has gained access to a privileged account and is attempting to establish control within the environment.



Why is Active Directory a part of nearly every targeted attack?

  A. AD administration is managed by weak legacy APIs.
  B. AD is, by design, an easily accessed flat file name space directory database.
  C. AD exposes all of its identities, applications, and resources to every endpoint in the network.
  D. AD user attribution includes hidden elevated admin privileges.

Answer(s): C

Explanation:

Active Directory (AD) is commonly targeted in attacks because it serves as a central directory for user identities, applications, and resources accessible across the network. This visibility makes it an attractive target for attackers to exploit for lateral movement, privilege escalation, and reconnaissance. Once compromised, AD provides attackers with significant insight into an organization's internal structure, enabling further exploitation and access to sensitive data.





