After several failed logon attempts, the Symantec Endpoint Protection Manager (SEPM) has locked the default admin account. An administrator needs to make system changes as soon as possible to address an outbreak, but the admin account is the only account.
Which action should the administrator take to correct the problem with minimal impact to the existing environment?
- A . Wait 15 minutes and attempt to log on again
- B . Restore the SEPM from a backup
- C . Run the Management Server and Configuration Wizard to reconfigure the server
- D . Reinstall the SEPM
In which two areas can host groups be used? (Select two.)
- A . Locations
- B . Download Insight
- C . IPS
- D . Application and Device Control
- E . Firewall
Which Symantec Endpoint Protection technology blocks a downloaded program from installing browser plugins?
- A . Intrusion Prevention
- B . SONAR
- C . Tamper Protection
- D . Application and Device Control
Which Symantec Endpoint Protection defense mechanism provides protection against threats that propagate from system to system through the use of autorun.inf files?
- A . Host Integrity
- B . SONAR
- C . Application and Device Control
- D . Emulator
An administrator uses the search criteria displayed in the image below.
Which results are returned from the query?
- A . Only VMware Servers in the Default Group
- B . All Windows 2012 Servers in the Default Group
- C . Only Windows 2012 Servers that are Virtualized in the Default Group
- D . All Windows 2012 Servers and all Virtualized Servers in the Default Group
Which action should an administrator take to prevent users from using Windows Security Center?
- A . Set Disable antivirus alert within Windows Security Center to Disable
- B . Set Disable Windows Security Center to Always
- C . Set Disable Windows Security Center to Disable
- D . Set Disable antivirus alert within Windows Security Center to Never
Which two options are supported Symantec Endpoint Manager authentication types? (Select two.)
- A . Network Access Control
- B . Biometrics
- C . RSA SecurID
- D . MS-CHAP
- E . Microsoft Active Directory
C,E
Explanation:
References: https://support.symantec.com/en_US/article.HOWTO81227.html
A Symantec Endpoint Protection (SEP) client uses a management server list with three management servers in the priority 1 list.
Which mechanism does the SEP client use to select an alternate management server if the currently selected management server is unavailable?
- A . The client chooses the next server alphabetically by server name.
- B . The client chooses another server alphabetically in the list randomly.
- C . The client chooses a server with the next highest IP address.
- D . The client chooses a server based on the lowest server load.
A Symantec Endpoint Protection (SEP) administrator creates a firewall policy to block FTP traffic and assigns the policy to all of the SEP clients. The network monitoring team informs the administrator that a client system is making an FTP connection to a server. While investigating the problem from the SEP client GUI, the administrator notices that there are zero entries pertaining to FTP traffic in the SET Traffic log or Packet log. While viewing the Network Activity dialog, there is zero inbound/outbound traffic for the FTP process.
What is the most likely reason?
- A . The server is in the IPS policy excluded hosts list.
- B . The block rule is below the blue line.
- C . Peer-to-peer authentication is allowing the traffic.
- D . The server has an IPS exception for that traffic.
Which setting can an administrator configure in the LiveUpdate policy?
- A . Linux Settings
- B . Frequency to download content
- C . Specific content revision to download from a Group Update Provider (GUP)
- D . Specific content policies to download
B
Explanation:
References: https://support.symantec.com/en_US/article.TECH104435.html
A Symantec Endpoint Protection Manager (SEPM) administrator notices performance issues with the SEPM server. The Client tab becomes unresponsive in the SEPM console and .DAT files accumulate in the “agentinfo” folder.
Which tool should the administrator use to gather log files to submit to Symantec Technical Support?
- A . collectLog.cmd
- B . LogExport.exe
- C . smc.exe
- D . ExportLog.vbs
A
Explanation:
References: https://support.symantec.com/en_US/article.TECH105955.html
Which two considerations must an administrator make when enabling Application Learning in an environment? (Select two.)
- A . Application Learning should be deployed on a small group of systems in the enterprise.
- B . Application Learning can generate significant CPU or memory use on a Symantec Endpoint Protection Manager.
- C . Application Learning is dependent on Insight.
- D . Application Learning requires a file fingerprint list to be created in advance.
- E . Application Learning can generate increased false positives.
A,B
Explanation:
References: https://support.symantec.com/en_US/article.TECH134367.html
Which task should an administrator perform to troubleshoot operation of the Symantec Endpoint Protection embedded database?
- A . Verify the sqlserver.exe service is running on port 1433
- B . Verify that dbsrv11.exe is listening on port 2638
- C . Check the database transaction logs in X:Program FilesMicrosoft SQL server
- D . Check whether the MSSQLSERVER service is running
B
Explanation:
References: https://support.symantec.com/en_US/article.TECH160964.html
An administrator changes the Virus and Spyware Protection policy for a specific group that disables Auto-Protect. The administrator assigns the policy and the client systems apply the corresponding policy serial number. Upon visual inspection of a physical client system, the policy serial number is correct.
However, Auto-Protect is still enabled on the client system.
Which action should the administrator take to ensure that the desired setting is in place on the client?
- A . Restart the client system.
- B . Enable the padlock next to the setting in the policy.
- C . Run a command on the computer to Update Content
- D . Withdraw the Virus and Spyware Protection policy
What does SONAR use to reduce false positives?
- A . Virus and Spyware definitions
- B . Extended File Attributes (EFA) table
- C . File Fingerprint list
- D . Symantec Insight
D
Explanation:
References: https://support.symantec.com/en_US/article.HOWTO80929.html
Which option is a characteristic of a Symantec Endpoint Protection (SEP) domain?
- A . Every administrator from one domain can view data in other domains.
- B . Each domain has its own management server and database.
- C . Data for each domain is stored in its own separate SEP database.
- D . Domains share the same management server and database.
D
Explanation:
References: https://support.symantec.com/en_US/article.HOWTO80764.html
An administrator notices that some entries list that the Risk was partially removed. The administrator needs to determine whether additional steps are necessary to remediate the threat.
Where in the Symantec Endpoint Protection Manager console can the administrator find additional information on the risk?
- A . Infected and At Risk Computers report
- B . Risk log
- C . Notifications
- D . Computer Status report
B
Explanation:
References: https://support.symantec.com/en_US/article.TECH95543.html
An administrator reports that the Home, Monitors, and Report pages are absent in the Symantec Endpoint Protection Management console when the administrator logs on.
Which action should the administrator perform to correct the problem?
- A . Grant the Administrator Full Access to Root group of the organization
- B . Configure proxy settings for each server in the site
- C . Configure External Logging to Enable Transmission of Logs to a Syslog Server
- D . Grant View Reports permission to the administrator
An administrator is reviewing an Infected Clients Report and notices that a client repeatedly shows the same malware detection. Although the client remediates the files, the infection continues to display in the logs.
Which two functions should be enabled to automate enhanced remediation of a detected threat and its related side effects? (Select two.)
- A . Stop Service Automatically
- B . Stop and Reload AutoProtect
- C . Terminate Processes Automatically
- D . Risk Tracer
- E . Early Launch Anti-Malware Driver
A company deploys Symantec Endpoint Protection (SEP) to50 virtual machines running on a single ESXi host.
Which configuration change can the administrator make to minimize sudden IOPS impact on the ESXi server while each SEP endpoint communicates with the Symantec Endpoint Protection Manager?
- A . Reduce number of content revisions to keep
- B . Increase download randomization window
- C . Reduce the heartbeat interval
- D . Increase Download Insight sensitivity level
An administrator needs to add an Application Exception. When the administrator accesses the Application Exception dialog window, applications fail to appear.
What is the likely problem?
- A . The Symantec Endpoint Protection Manager is installed on a Domain Controller.
- B . The client computers already have exclusions for the applications.
- C . The Learn applications that run on the client computers setting is disabled.
- D . The clients are in a trusted Symantec Endpoint Protection domain.
An administrator is designing a new single site Symantec Endpoint Protection environment. Due to perimeter firewall bandwidth restrictions, the design needs to minimize the amount of traffic from content passing through the firewall.
Which source must the administrator avoid using?
- A . Group Update Provider (GUP)
- B . LiveUpdate Administrator (LUA)
- C . Symantec Endpoint Protection Manager
- D . Shared Insight Cache (SIC)
DRAG DROP
Match the following list of ports used by Symantec Endpoint Protection (SEP) to the defining characteristics by clicking and dragging the port on the left to the corresponding description on the right.
Explanation:
References: https://support.symantec.com/en_US/article.HOWTO81103.html
The security status on the console home page is failing to alert a Symantec Endpoint Protection (SEP) administrator when virus definitions are out of date.
How should the SEP administrator enable the Security Status alert?
- A . Change the Notifications setting to “Show all notifications”
- B . Raise the Security Status thresholds
- C . Change the Action Summary display to “By number of computers”
- D . Lower the Security Status thresholds
D
Explanation:
References: https://support.symantec.com/en_US/article.HOWTO81151.html
A company receives a high number of reports from users that files being downloaded from internal web servers are blocked. The Symantec Endpoint Protection administrator verifies that the Automatically trust any file downloaded from an intranet website option is enabled.
Which configuration can cause Insight to block the files being downloaded from the internal web servers?
- A . Virus and Spyware definitions are out of date.
- B . Local intranet zone is configured incorrectly on the Mac clients browser settings.
- C . Intrusion prevention is disabled.
- D . Local intranet zone is configured incorrectly on the Windows clients browser settings.
An administrator is using the SylinkDrop tool to update a Symantec Endpoint Protection client install on a system. The client fails to migrate to the new Symantec Endpoint Protection Manager (SEPM), which is defined correctly in the Sylink.xml file that was exported from the SEPM.
Which settings must be provided with SylinkDrop to ensure the successful migration to a new Symantec Endpoint Protection environment with additional Group Level Security Settings?
- A . Cs “silent”
- B . Ct “Tamper Protect”
- C . Cp “password”
- D . Cr “reboot”
Which protection engine should an administrator enable in order to drop malicious vulnerability scans against a client system?
- A . SONAR
- B . Intrusion Prevention
- C . Application and Device Control
- D . Tamper Protection
Which two settings does an administrator enable to use the Risk Tracer Feature in the Virus and Spyware Protection policy? (Select two.)
- A . Firewall Policy
- B . Application and Device Control Policy
- C . Application Learning
- D . Tamper Protection
- E . IPS active response
A,E
Explanation:
References: https://support.symantec.com/en_US/article.TECH102539.html
Which action can an administrator take to improve the Symantec Endpoint Protection Manager (SEPM) dashboard performance and report accuracy?
- A . Rebuilding database indexes
- B . Lowering the client installation log entries
- C . Limiting the number of backups to keep
- D . Decreasing the number of content revisions to keep
Which two criteria should an administrator use when defining Location Awareness for the Symantec Endpoint Protection (SEP) client? (Select two.)
- A . SEP domain
- B . WINS server
- C . Network Speed
- D . NIC description
- E . geographic location
B,D
Explanation:
References: https://support.symantec.com/en_US/article.TECH97369.html
An administrator is troubleshooting a Symantec Endpoint Protection (SEP) replication.
Which component log should the administrator check to determine whether the communication between the two sites is working correctly?
- A . Tomcat
- B . Apache Web Server
- C . Group Update Provider (GUP)
- D . SQL Server
What is a function of Symantec Insight?
- A . Provides reputation ratings for binary executables
- B . Enhances the capability of Group Update Providers (GUP)
- C . Provides reputation ratings for structured data
- D . Increases the efficiency and effectiveness of LiveUpdate
Which two options are available when configuring DNS change detections for SONAR? (Select two.)
- A . Log
- B . Quarantine
- C . Block
- D . Active Response
- E . Trace
How are Insight results stored?
- A . Encrypted on the Symantec Endpoint Protection Client
- B . Unencrypted on the Symantec Endpoint Protection Manager
- C . Encrypted on the Symantec Endpoint Protection Manager
- D . Unencrypted on the Symantec Endpoint Protection Client
Which option is unavailable in the Symantec Endpoint Protection console to run a command on the group menu item?
- A . Disable SONAR
- B . Scan
- C . Disable Network Threat Protection
- D . Update content and scan
A Symantec Endpoint Protection administrator must block traffic from an attacking computer for a specific time period.
Where should the administrator adjust the time to block the attacking computer?
- A . In the group policy, under External Communication settings
- B . In the group policy, under Communication settings
- C . In the firewall policy, under Protection and Stealth
- D . In the firewall policy, under Built in Rules
Which option is a function of the Symantec Endpoint Protection client?
- A . Sends and receives application reputation ratings from LiveUpdate
- B . Uploads logs to the Shared Insight Cache
- C . Downloads virus content updates from Symantec Insight
- D . Provides a Lotus Notes email scanner
D
Explanation:
References: https://support.symantec.com/en_US/article.TECH95093.html
Which two instances could cause Symantec Endpoint Protection to be unable to remediate a file? (Select two.)
- A . Another scan is in progress.
- B . The detected file is in use.
- C . The file has good reputation.
- D . There are insufficient file permissions.
- E . The file is marked for deletion by Windows on restart.
A company has 10,000 Symantec Endpoint Protection (SEP) clients deployed using two Symantec Endpoint Protection Managers (SEPMs).
Which configuration is recommended to ensure that each SEPM is able to effectively handle the communications load with the SEP clients?
- A . Pull mode
- B . Push mode
- C . Server control mode
- D . Client control mode
An administrator is responsible for the Symantec Endpoint Protection architecture of a large, multinational company with three regionalized data centers. The administrator needs to collect data from clients; however, the collected data must stay in the local regional data center. Communication between the regional data centers is allowed 20 hours a day.
How should the administrator architect this organization?
- A . Set up 3 domains
- B . Set up 3 sites
- C . Set up 3 groups
- D . Set up 3 locations
A
Explanation:
References: https://support.symantec.com/en_US/article.HOWTO80764.html
A Symantec Endpoint Protection (SEP) administrator receives multiple reports that machines are experiencing performance issues. The administrator discovers that the reports happen about the same time as the scheduled LiveUpdate.
Which setting should the SEP administrator configure to minimize I/O when LiveUpdate occurs?
- A . Disable Allow user-defined scans to run when the scan author is logged off
- B . Change the LiveUpdate schedule
- C . Disable Run an Active Scan when new definitions arrive
- D . Change the Administrator-defined scan schedule
Which action must a Symantec Endpoint Protection administrator take before creating custom Intrusion Prevention signatures?
- A . Define signature variables
- B . Enable signature logging
- C . Change the custom signature order
- D . Create a Custom Intrusion Prevention Signature library
D
Explanation:
References: https://support.symantec.com/en_US/article.HOWTO80877.html
Which tool should the administrator run before starting the Symantec Endpoint Protection Manager upgrade according to best practices?
- A . CollectLog.cmd
- B . DBValidator.bat
- C . LogExport.cmd
- D . Upgrade.exe
B
Explanation:
References: https://support.symantec.com/en_US/article.TECH240591.html
A company allows users to create firewall rules. During the course of business, users are accidentally adding rules that block a custom internal application.
Which steps should the Symantec Endpoint Protection administrator take to prevent users from blocking the custom application?
- A . Create an Allow All Firewall rule for the fingerprint of the file and place it at the bottom of the firewall rules above the blue line
- B . Create an Allow firewall rule for the application and place it at the bottom of the firewall rules below the blue line
- C . Create an Allow for the network adapter type used by the application and place it at the top of the firewall rules below the blue line.
- D . Create an Allow Firewall rule for the application and place it at the top of the firewall rules above the blue line.
A
Explanation:
References: https://support.symantec.com/en_US/article.TECH104433.html
Which action does SONAR take before convicting a process?
- A . Checks the reputation of the process
- B . Restarts the system
- C . Quarantines the process
- D . Blocks suspicious behavior
An administrator is re-adding an existing Replication Partner to the local Symantec Endpoint Protection Manager site.
Which two parameters are required to re-establish this replication partnership? (Select two.)
- A . Remote site Encryption Password
- B . Remote server IP Address and port
- C . Remote SQL database account credentials
- D . Remote server Administrator credentials
- E . Remote site Domain ID
B,D
Explanation:
References: https://support.symantec.com/en_US/article.TECH104455.html
A company uses a remote administration tool that is detected and quarantined by Symantec Endpoint Protection (SEP).
Which step can an administrator perform to continue using the remote administration tool without detection by SEP?
- A . Create a Tamper Protect exception for the tool
- B . Create a SONAR exception for the tool
- C . Create an Application to Monitor exception for the tool
- D . Create a Known Risk exception for the tool
A Symantec Endpoint Protection (SEP) administrator performed a disaster recovery without a database backup.
In which file should the SEP administrator add “scm.agent.groupcreation=true” to enable the automatic creation of client groups?
- A . conf.properties
- B . httpd.conf
- C . settings.conf
- D . catalina.out
A
Explanation:
References: https://support.symantec.com/en_US/article.TECH160736.html
Why does Power Eraser need Internet access?
- A . Validate root certificates on all portable executables (PXE) files
- B . Leverage Symantec Insight
- C . Ensure the Power Eraser tool is the latest release
- D . Look up CVE vulnerabilities
B
Explanation:
References: https://support.symantec.com/en_US/article.TECH134803.html
Why is Notepad unable to save the changes to the file in the image below?
- A . SONAR High Risk detection is set to Block
- B . SONAR is set to block host file modifications.
- C . Tamper Protection is preventing Notepad from modifying the host file.
- D . System Lockdown is enabled.
Which package type should an administrator use to reduce a SEP environment’s footprint when considering that new SEP 14 clients will be installed on point of sale terminals?
- A . Default Standard Client
- B . Default Embedded or VDI client
- C . Default dark network client
- D . Custom Standard client
B
Explanation:
References: https://support.symantec.com/en_US/article.HOWTO125381.html
CORRECT TEXT
An administrator plans to implement a multi-site Symantec Endpoint Protection (SEP) deployment. The administrator needs to determine whether replication is viable without having to make network firewall changes or change defaults in SEP.
Which port should the administrator verify is open on the path of communication between the two proposed sites? (Type the port number.)
Explanation:
References: https://support.symantec.com/en_US/article.HOWTO81103.html
A company needs to configure an Application and Device Control policy to block read/write access to all USB removable media on its Symantec Endpoint Protection (SEP) systems.
Which tool should an administrator use to format the GUID and device IDs as required by SEP?
- A . CheckSum.exe
- B . DevViewer.exe
- C . TaskMgr.exe
- D . DeviceTree.exe
An administrator is recovering from a Symantec Endpoint Manager (SEPM) site failure.
Which file should the administrator use during an install of SEPM to recover the lost environment according to Symantec Disaster Recovery Best Practice documentation?
- A . Original installation log
- B . Sylink.xml file from the SEPM
- C . Settings.properties file
- D . Recovery_timestamp file
D
Explanation:
References: https://support.symantec.com/en_US/article.TECH160736.html