Exam4Training

Trend Deep Security Professional Trend Micro Certified Professional for Deep Security Exam Online Training

Question #1

How does Smart Scan vary from conventional pattern-based anti-malware scanning?

  • A . Smart Scan improves the capture rate for malware scanning by sending features of suspicious files to a cloud-based server where the features are compared to known malware samples.
  • B . Smart Scan shifts much of the malware scanning functionality to an external Smart Protection Server.
  • C . Smart Scan is performed in real time, where conventional scanning must be triggered manually, or run on a schedule.
  • D . Smart Scan identifies files to be scanned based on the content of the file, not the extension.

Correct Answer: B

Explanation:

Advantages of the Smart Scan pattern over the conventional pattern protection in OfficeScan (OSCE)

Question #2

The Intrusion Prevention Protection Module is enabled and a Recommendation Scan is run to identify vulnerabilities on a Windows Server 2016 computer.

How can you ensure that the list of recommendations is always kept up to date?

  • A . Disabling, then re-enabling the Intrusion Prevention Protection Module will trigger a new Recommendation Scan to be run. New rules will be included in the results of this new scan.
  • B . Recommendation Scans are only able to suggest Intrusion Prevention rules when the Protection Module is initially enabled.
  • C . Enable "Ongoing Scans" to run a recommendation scan on a regular basis. This will identify new Intrusion Prevention rules to be applied.
  • D . New rules are configured to be automatically sent to Deep Security Agents when Recommendation Scans are run.

Correct Answer: C

Question #3

New servers are added to the Computers list in Deep Security Manager Web config by running a Discover operation.

What behavior can you expect for newly discovered computers?

  • A . Any servers discovered in the selected Active Directory branch hosting a Deep Security Agent will be added to the Computers list.
  • B . Any servers within the IP address range hosting a Deep Security Agent will be added to the Computers list.
  • C . Any servers within the IP address range that are hosting Deep Security Agents will be added to the Computers list and will be automatically activated.
  • D . Any servers within the IP address range will be added to the Computers list, regardless of whether they are hosting a Deep Security Agent or not.

Correct Answer: B

Explanation:

When running a Discovery operation with Automatically Resolve IPs to hostnames enabled, it is possible that the discovery operation will find hostnames where Deep Security Manager cannot.

Discovery is able to fall back to using a WINS query or NetBIOS broadcast to resolve the hostname in addition to DNS. Deep Security Manager only supports hostname lookup via DNS.

• Computers identified with this method can be automatically assigned a group, but not a policy.

• Agent software found on those computers will NOT be automatically activated.

• If a computer is listed through other detection methods, it will NOT be listed in the results of this search.

Study Guide – pages (345, 80)

Question #4

Which of the following statements is true regarding Intrusion Prevention rules?

  • A . Intrusion Prevention rules can block unrecognized software from executing.
  • B . Intrusion Prevention rules check for the IP addresses of known malicious senders within a packet.
  • C . Intrusion Prevention rules can detect or block traffic associated with specific applications, such as Skype or file-sharing utilities.
  • D . Intrusion Prevention rules monitor the system for changes to a baseline configuration.

Correct Answer: C

Question #5

The Firewall Protection Module is enabled on a server through the computer details.

What is the default behavior of the Firewall if no rules are yet applied?

  • A . All traffic is permitted through the firewall until either a Deny or Allow rule is assigned.
  • B . A collection of default rules will automatically be assigned when the Firewall Protection Module is enabled.
  • C . All traffic is blocked by the firewall until an Allow rule is assigned.
  • D . All traffic is passed through the Firewall using a Bypass rule.

Correct Answer: B

Explanation:

Deep Security provides a set of Firewall rules that can be applied to policies or directly to a computer.

These default rules provide coverage for typical scenarios.

Set up the Deep Security firewall

Explication: Study Guide – page (219)

Question #6

What is the purpose of the Deep Security Notifier?

  • A . The Deep Security Notifier is an application in the Windows System Tray that displays the status of Deep Security Manager during policy and software updates.
  • B . The Deep Security Notifier is a server component that collects log entries from managed computers for delivery to a configured SIEM device.
  • C . The Deep Security Notifier is a server component used in agentless configurations to allow Deep Security Manager to notify managed computers of pending updates.
  • D . The Deep Security Notifier is an application in the Windows System Tray that communicates the state of Deep Security Agents and Relays to endpoint computers.

Correct Answer: D

Explanation:

The Deep Security Notifier is a Windows System Tray application which provides local notification when malware is detected or malicious URLs are blocked.

It may be installed separately on protected virtual machines, however the Anti-Malware Protection Module must be licensed and enabled on the virtual machine for the Deep Security Notifier to display information.

The Notifier displays pop-up user notifications when the Anti-Malware module begins a scan, or blocks malware or access to malicious web pages. The Notifier also provides a console utility that allows the user to view events.

Explication: Study Guide – page (442)

Question #7

Which of the following statements is FALSE regarding Firewall rules using the Bypass action?

  • A . Applying a Firewall rule using the Bypass action to traffic in one direction automatically applies the same action to traffic in the other direction.
  • B . Firewall rules using the Bypass action do not generate log events.
  • C . Firewall rules using the Bypass action allow incoming traffic to skip both Firewall and Intrusion Prevention analysis.
  • D . Firewall rules using the Bypass action can be optimized, allowing traffic to flow as efficiently as if a Deep Security Agent was not there.

Correct Answer: A

Explanation:

Firewall-actions-priorities

Question #8

Your organization stores PDF and Microsoft Office files within the SAP Netweaver platform and requires these documents to be scanned for malware.

Which Deep Security component is required to satisfy this requirement?

  • A . The Netweaver plug-in must be installed on the Deep Security Agent.
  • B . A Smart Protection Server must be installed and configured to service the SAP Netweaver platform
  • C . No extra components are required; this can be done by enabling the Anti-Malware Protection Module on the SAP Netweaver server.
  • D . Deep Security Scanner is required.

Correct Answer: D

Explanation:

Deep Security Scanner provides integration with the SAP NetWeaver platform and performs antimalware scans and reviews the information to identify potential threats in SAP systems.

Note: Deep Security Scanner is not supported on computers where the Deep Security Agent is enabled as a Relay.

Explication: Study Guide – page (26)

Question #9

A Deep Security administrator wishes to monitor a Windows SQL Server database and be alerted of any critical events which may occur on that server.

How can this be achieved using Deep Security?

  • A . The administrator could install a Deep Security Agent on the server hosting the Windows Server 2016 database and enable the Integrity Monitoring Protection Module. A rule can be assigned to monitor the Windows SQL Server for any modifications to the server, with Alerts enabled.
  • B . The administrator could install a Deep Security Agent on the server hosting the Windows Server 2016 database and enable the Log Inspection Protection Module. A rule can be assigned to monitor the Windows SQL Server for any critical events, with Alerts enabled.
  • C . The administrator could install a Deep Security Agent on the server hosting the Windows Server 2016 database and enable the Intrusion Prevention Protection Module. A Recommendation Scan can be run and any suggested rule can be assigned to monitor the Windows SQL Server for any vulnerabilities, with Alerts enabled.
  • D . This cannot be achieved using Deep Security. Instead, the administrator could set up log forwarding within Windows SQL Server 2016 and the administrator could monitor the logs within the syslog device.

Correct Answer: B

Question #10

Which of the following statements is false regarding Firewall rules using the Bypass action?

  • A . Applying a Firewall rule using the Bypass action to traffic in one direction automatically applies the same action to traffic in the other direction.
  • B . Firewall rules using the Bypass action do not generate log events.
  • C . Firewall rules using the Bypass action allow incoming traffic to skip both Firewall and Intrusion Prevention analysis.
  • D . Firewall rules using the Bypass action can be optimized, allowing traffic to flow as efficiently as if a Deep Security Agent was not there.

Correct Answer: A

Explanation:

Firewall rules using Bypass have the following noteworthy characteristics:

• Bypass skips both Firewall and Intrusion Prevention analysis.

• Since stateful inspection is not performed for bypassed traffic, bypassing traffic in one direction does not automatically bypass the response in the other direction. As a result, firewall rules using Bypass are always created in pairs, one for incoming traffic and another for outgoing.

• Firewall rules using Bypass will not be logged. This is not a configurable behavior.

• Some firewall rules using Bypass are optimized, in that traffic will flow as efficiently as if the Deep Security Agent/Deep Security Virtual Appliance was not there.

Explication: Study Guide – page (236)

Question #11

Which of the following correctly identifies the order of the steps used by the Web Reputation Protection Module to determine if access to a web site should be allowed?

  • A . 1. Checks the cache. 2. Checks the Deny list. 3. Checks the Approved list. 4. If not found in any of the above, retrieves the credibility score from the Rating Server. 5. Evaluates the credibility score against the Security Level to determine if access to the web site should be allowed.
  • B . 1. Checks the cache. 2. Checks the Approved list. 3. Checks the Deny list. 4. If not found in any of the above, retrieves the credibility score from the Rating Server. 5. Evaluates the credibility score against the Security Level to determine if access to the web site should be allowed.
  • C . 1. Checks the Deny list. 2. Checks the Approved list. 3. Checks the cache. 4. If not found in any of the above, retrieves the credibility score from the Rating Server. 5. Evaluates the credibility score against the Security Level to determine if access to the web site should be allowed.
  • D . 1. Checks the Approved list. 2. Checks the Deny list. 3. Checks the cache. 4. If not found in any of the above, retrieves the credibility score from the Rating Server. 5. Evaluates the credibility score against the Security Level to determine if access to the web site should be allowed.

Correct Answer: D

Question #12

The "Protection Source when in Combined Mode" settings are configured for a virtual machine as in the exhibit. You would like to enable Application Control on this virtual machine, but there is no corresponding setting displayed.

Why?

  • A . In the example displayed in the exhibit, no activation code was entered for Application Control. Since the Protection Module is not licensed, the corresponding settings are not displayed.
  • B . These settings are used when both a host-based agent and agentless protection are available for the virtual machine. Since Application Control is not supported in agentless installations, there is no need for the setting.
  • C . In the example displayed in the exhibit, the Application Control Protection Module has not yet been enabled. Once it is enabled for this virtual machine, the corresponding settings are displayed.
  • D . In the example displayed in the exhibit, the VMware Guest Introspection Service has not yet been installed. This service is required to enable Application Control in agentless installations.

Correct Answer: B

Question #13

What is the purpose of the Deep Security Relay?

  • A . Deep Security Relays distribute load to the Deep Security Manager nodes in a high-availability implementation.
  • B . Deep Security Relays forward policy details to Deep Security Agents and Virtual Appliances immediately after changes to the policy are applied.
  • C . Deep Security Relays maintain the caches of policies applied to Deep Security Agents on protected computers to improve performance.
  • D . Deep Security Relays are responsible for retrieving security and software updates and distributing them to Deep Security Manager, Agents and Virtual Appliances.

Correct Answer: D

Question #14

As the administrator in a multi-tenant environment, you would like to monitor the usage of security services by tenants. Which of the following are valid methods for monitoring the usage of the system by the tenants?

  • A . Generate a Chargeback report in the Deep Security Manager Web console.
  • B . All the choices listed here are valid.
  • C . Use the Representational State Transfer (REST) API to collect usage data from the tenants.
  • D . Monitor usage by the tenants from the Statistics tab in the tenant Properties window.

Correct Answer: B

Explanation:

Deep Security Manager records data about tenant usage. This information is displayed in the Tenant Protection Activity widget on the Dashboard, the Statistics tab in tenant Properties, and the Chargeback report.

This information can also be accessed through the Status Monitoring REST API, which can be enabled or disabled from Administration > Advanced > System Settings > Advanced > Status Monitoring API.

multi-tenancy

Explication: Study Guide – page (422)

Question #15

Recommendation scans can detect applications and/or vulnerabilities on servers on the network.

Which of the following Protection Modules make use of Recommendation scans?

  • A . Firewall, Application Control, and Integrity Monitoring
  • B . Intrusion Prevention, Firewall, Integrity Monitoring and Log Inspection
  • C . Log Inspection, Application Control, and Intrusion Prevention
  • D . Intrusion Prevention, Integrity Monitoring, and Log Inspection

Correct Answer: D

Explanation:

Recommendation Scans can suggest rules for the following Protection Modules:

• Intrusion Prevention

• Integrity Monitoring

• Log Inspection

Explication: Study Guide – page (161)

Question #16

How can you prevent a file from being scanned for malware?

  • A . Enable "File Types scanned by IntelliScan" in the Malware Scan Configuration properties in the Deep Security Manager Web console. Click "Scan All Except" and type the filename to exclude from the scan.
  • B . Edit the "Scan Exclusions" section of the dsa.properties configuration file on the Deep Security Agent computer to include the file name. Save the configuration file and restart the Deep Security Agent service.
  • C . Add the file to the Exclusions list in the Malware Scan Configuration.
  • D . Add the file to the Exclusions list in the "Allowed Spyware/Grayware Configuration".

Correct Answer: C

Question #17

Which of the following Firewall rule actions will allow data packets to pass through the Firewall Protection Module without being subjected to analysis by the Intrusion Prevention Protection Module?

  • A . Deny
  • B . Bypass
  • C . Allow
  • D . Force Allow

Correct Answer: B

Question #18

Which of the following statements is true regarding the Log Inspection Protection Module?

  • A . Deep Security Agents forward Log Inspection Event details to Deep Security Manager in real time.
  • B . Log Inspection can only examine new Events and cannot examine log entries created before the Protection Module was enabled.
  • C . Log Inspection can only examine Deep Security log information.
  • D . The Log Inspection Protection Module is supported in both Agent-based and Agentless implementations.

Correct Answer: B

Question #19

Which of the following statements is true regarding the Intrusion Prevention Protection Module?

  • A . The Intrusion Prevention Protection Module blocks or allows traffic based on header information within data packets.
  • B . The Intrusion Prevention Protection Module analyzes the payload within incoming and outgoing data packets to identify content that can signal an attack.
  • C . The Intrusion Prevention Protection Module can identify changes applied to protected objects, such as the Hosts file, or the Windows Registry.
  • D . The Intrusion Prevention Protection Module can prevent applications from executing, allowing an organization to block unallowed software.

Correct Answer: B

Explanation:

deep-security-protection-modules

Question #20

Based on the policy configuration displayed in the exhibit, which of the following statements is true?

  • A . Changes to any of the Deep Security policies will be sent to the Deep Security Agents as soon as the changes are saved.
  • B . Administrators with access to the protected Server will be able to uninstall the Deep Security Agent through Windows Control Panel.
  • C . Deep Security Agents will send event information to Deep Security Manager every 10 minutes.
  • D . If the Deep Security Manager does not receive a message from the Deep Security agent every 20 minutes, an alert will be raised.


Correct Answer: B

Question #21

The maximum disk space limit for the Identified Files folder is reached.

What is the expected Deep Security Agent behavior in this scenario?

  • A . Any existing files in the folder are compressed and forwarded to Deep Security Manager to free up disk space.
  • B . Deep Security Agents will delete any files that have been in the folder for more than 60 days.
  • C . Files will no longer be able to be quarantined. Any new files due to be quarantined will be deleted instead.
  • D . Deep Security Agents will delete the oldest files in this folder until 20% of the allocated space is available.

Correct Answer: D

Explanation:

If the limit is reached, the oldest files will be deleted first until 20% of allocated space is freed up.

Explication: Study Guide – page (203)

Question #22

The details for an event are displayed in the exhibit. Based on these details, which Protection Module generated the event?

  • A . Firewall
  • B . Intrusion Prevention
  • C . Log Inspection
  • D . Integrity Monitoring

Correct Answer: C

Question #23

Which of the following statements is true regarding Deep Security Manager-to-database communication?

  • A . Deep Security Manager-to-database traffic is not encrypted by default, but can be enabled by modifying settings in the ssl.properties file.
  • B . Deep Security Manager-to-database traffic is encrypted by default, but can be disabled by modifying settings in the dsm.properties file.
  • C . Deep Security Manager-to-database traffic is encrypted by default, but can be disabled by modifying settings in the db.properties file.
  • D . Deep Security Manager-to-database traffic is not encrypted by default, but can be enabled by modifying settings in the dsm.properties file.

Correct Answer: D

Question #24

Which of the following statements is true regarding the use of the Firewall Protection Module in Deep Security?

  • A . The Firewall Protection Module can check files for certain characteristics such as compression and known exploit code.
  • B . The Firewall Protection Module can identify suspicious byte sequences in packets.
  • C . The Firewall Protection Module can detect and block Cross Site Scripting and SQL Injection attacks.
  • D . The Firewall Protection Module can prevent DoS attacks coming from multiple systems.

Correct Answer: D

Question #25

Which of the following statements is false regarding the Log Inspection Protection Module?

  • A . Custom Log Inspection rules can be created using the Open Source Security (OSSEC) standard.
  • B . Deep Security Manager collects Log Inspection Events from Deep Security Agents at every heartbeat.
  • C . The Log Inspection Protection Module is supported in both agent-based and agentless environments.
  • D . Scan for Recommendations identifies Log Inspection rules that Deep Security should implement.

Correct Answer: C

Explanation:

Log Inspection requires running some analysis on the computer and is not supported in Agentless deployments.

Explication: Study Guide – page (310)
