Date post: 30-Sep-2020
Symantec.Braindumps.ST0-134.v2014-11-05.by.CLARA.451q

Number: ST0-134
Passing Score: 800
Time Limit: 110 min
File Version: 26.5

Exam Code: ST0-134
Exam Name: Symantec EndPoint Protection 12.1 Technical Assessment

http://www.gratisexam.com/
Exam A

QUESTION 1
A financial company enforces a security policy that prevents banking system workstations from connecting to the Internet. Which Symantec Endpoint Protection technology is ineffective on this company's workstations?

A. Insight
B. Intrusion Prevention
C. Network Threat Protection
D. Browser Intrusion Prevention

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 2
In addition to performance improvements, which two benefits does Insight provide? (Select two.)

A. reputation scoring for documents
B. zero-day threat detection
C. protection against malicious java scripts
D. false positive mitigation
E. blocking of malicious websites

Correct Answer: BD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 3
Which Symantec Endpoint Protection defense mechanism provides protection against threats that propagate from system to system through the use of autorun.inf files?

A. Application and Device Control
B. SONAR
C. TruScan
D. Host Integrity

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 4
Which protection technology can detect botnet command and control traffic generated on the Symantec Endpoint Protection client machine?

A. Insight
B. SONAR
C. Risk Tracer
D. Intrusion Prevention

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 5
Which technology can prevent an unknown executable from being downloaded through a browser session?

A. Browser Intrusion Prevention
B. Download Insight
C. Application Control
D. SONAR

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 6
Which Symantec Endpoint Protection technology blocks a downloaded program from installing browser plugins?

A. Intrusion Prevention
B. SONAR
C. Application and Device Control
D. Tamper Protection

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 7
Which protection engine should be enabled to drop malicious vulnerability scans against a client system?

A. SONAR
B. Intrusion Prevention
C. Tamper Protection
D. Application and Device Control

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 8
What is the file scan workflow order when Shared Insight Cache and reputation are enabled?

A. Symantec Insight > Shared Insight Cache server > local client Insight cache
B. local client Insight cache > Shared Insight Cache server > Symantec Insight
C. Shared Insight Cache server > local client Insight cache > Symantec Insight
D. local client Insight cache > Symantec Insight > Shared Insight Cache server

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 9
What is a function of Symantec Insight?

A. provides reputation ratings for structured data
B. enhances the capability of Group Update Providers (GUP)
C. increases the efficiency and effectiveness of LiveUpdate
D. provides reputation ratings for binary executables

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 10
Which Symantec Endpoint Protection component enables access to data through ad-hoc reports and charts with pivot tables?

A. Symantec Protection Center
B. Shared Insight Cache Server
C. Symantec Endpoint Protection Manager
D. IT Analytics

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 11
Which Symantec Endpoint Protection Management (SEPM) database option is the default for deployments of fewer than 1,000 clients?

A. Embedded: Using the Sybase SQL Anywhere database that comes with the product
B. On SEPM: Installing Microsoft SQL on the same server as the SEPM
C. External to SEPM: Using a preexisting Microsoft SQL server in the environment
D. Embedded: Using the Microsoft SQL database that comes with the product

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 12
Which two items are stored in the Symantec Endpoint Protection database? (Select two.)

A. Device Hardware IDs
B. User Defined Scans
C. Symantec Endpoint Protection Client for Linux
D. Symantec Endpoint Protection Client for Macintosh
E. Active Directory Synced Logon Credentials

Correct Answer: AD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 13
Which task should an administrator perform to troubleshoot operation of the Symantec Endpoint Protection embedded database?

A. verify that dbsrv11.exe is listening on port 2638
B. check whether the MSSQLSERVER service is running
C. verify the sqlserver.exe service is running on port 1433
D. check the database transaction logs in X:\Program Files\Microsoft SQL server

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 14
What is a function of the Symantec Endpoint Protection client?

A. uploads logs to the Shared Insight Cache
B. sends and receives application reputation ratings from LiveUpdate
C. downloads virus content updates from Symantec Insight
D. provides a Lotus Notes email scanner

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 15
Which option is unavailable in the Symantec Endpoint Protection console Run a command on the group menu item?

A. Disable SONAR
B. Scan
C. Disable Network Threat Protection
D. Update content and scan

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 16
Which object in the Symantec Endpoint Protection Manager console describes the most granular level to which a policy can be assigned?

A. Group
B. Computer
C. User
D. Client

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 17
Where can an administrator obtain the Sylink.xml file?

A. C:\Program Files\Symantec\Symantec Endpoint Protection\ folder on the client
B. C:\Program Files\Symantec\Symantec Endpoint Protection\Manager\data\inbox\agent\ folder on the Symantec Endpoint Protection Manager
C. by selecting the client group and exporting the communication settings in the Symantec Endpoint Protection Manager Console
D. by selecting the location and exporting the communication settings in the Symantec Endpoint Protection Manager Console

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 18
An administrator edited a firewall policy from the Clients > Policies tab. Later, the administrator is unable to find the modified policy under the Policies > Firewall policies list. What is the likely cause?

A. The administrator has set the policy to shared.
B. The administrator has set the policy to non-shared.
C. The administrator failed to save the policy.
D. The policy failed to deploy.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 19
An administrator is unable to delete a location. What is the likely cause?

A. The location currently contains clients.
B. Criteria is defined within the location.
C. The administrator has client control enabled.
D. The location is currently assigned as the default location.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 20
Which two are policy types within the Symantec Endpoint Protection Manager? (Select two.)

A. Exceptions
B. Host Protection
C. Shared Insight
D. Intrusion Prevention
E. Process Control

Correct Answer: AD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 21
What is a characteristic of a Symantec Endpoint Protection (SEP) domain?

A. Each domain has its own management server and database.
B. Every administrator from one domain can view data in other domains.
C. Data for each domain is stored in its own separate SEP database.
D. Domains share the same management server and database.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 22
An organization employs laptop users who travel frequently. The organization needs to acquire log data from these Symantec Endpoint Protection clients periodically. This must happen without the use of a VPN. Internet routable traffic should be allowed to and from which component?

A. Group Update Provider (GUP)
B. LiveUpdate Administrator Server (LUA)
C. Symantec Endpoint Protection Manager (SEPM)
D. IT Analytics Server (ITA)

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 23
An administrator is responsible for the Symantec Endpoint Protection architecture of a large, multi-national company with three regionalized data centers. The administrator needs to collect data from clients; however, the collected data must stay in the local regional data center. Communication between the regional data centers is allowed 20 hours a day. How should the administrator architect this organization?

A. set up 3 domains
B. set up 3 sites
C. set up 3 locations
D. set up 3 groups

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 24
A Symantec Endpoint Protection (SEP) Administrator is designing a new SEP architecture to ensure that clients continually maintain a current set of content updates. The criteria listed below must be considered.

1. Client systems are located in a single physical site where they are commonly offline for up to 2 weeks at a time
2. The Site consists of approximately 500 clients
3. Content Updates must be as current as possible
4. The embedded database must be used for the Symantec Endpoint Protection Manager

Which content update methodology minimizes the impact to the external Internet connection?

A. deploy an Internal LiveUpdate Administrator (LUA) and define the LiveUpdate Policy so the clients get their updates from the LUA
B. change the product defaults to define content revisions to 42 and configure the LiveUpdate Policy so the clients get their updates from the Symantec Endpoint Protection Manager
C. configure the Live Update Policy so the clients get their updates from a public Symantec LiveUpdate server
D. change the product defaults to define content revisions to 14 and configure the LiveUpdate Policy so the clients get their updates from a Group Update Provider (GUP)

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 25
An administrator is designing a new single site Symantec Endpoint Protection environment. Due to perimeter firewall bandwidth restrictions, the design needs to minimize the amount of traffic from content passing through the firewall. Which source must the administrator avoid using?

A. Symantec Endpoint Protection Manager
B. LiveUpdate Administrator (LUA)
C. Group Update Provider (GUP)
D. Shared Insight Cache (SIC)

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 26
A company plans to install six Symantec Endpoint Protection Managers (SEPMs) spread evenly across two sites. The administrator needs to direct replication activity to SEPM3 server in Site 1 and SEPM4 in Site 2. Which two actions should the administrator take to direct replication activity to SEPM3 and SEPM4? (Select two.)

A. install SEPM3 and SEPM4 after the other SEPMs
B. install the SQL Server databases on SEPM3 and SEPM4
C. ensure SEPM3 and SEPM4 are defined as the top priority server in the Site Settings
D. ensure SEPM3 and SEPM4 are defined as remote servers in the replication partner configuration
E. install IT Analytics on SEPM3 and SEPM4

Correct Answer: CD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 27
A multi-national company has two Symantec Endpoint Protection Managers and one database. An office in Germany with 50 clients needs Symantec Endpoint Protection (SEP). German regulations require the client's data remain localized for use in Germany. Which SEP components should the administrator install in Germany?

A. SEP client software with a dedicated Group Update Provider (GUP)
B. SEP client software with an Internal LiveUpdate server
C. A second isolated SEP site with SEP client software
D. A second replicated SEP site with SEP client software

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 28
In Symantec Endpoint Protection 12.1 Enterprise Edition, what happens when the license expires?

A. LiveUpdate stops.
B. Group Update Providers (GUP) stop.
C. Symantec Insight is disabled.
D. Content updates continue.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 29
An administrator receives a browser certificate warning when accessing the Symantec Endpoint Protection Manager (SEPM) Web console. Where can the administrator obtain the certificate?

A. SEPM console Licenses section
B. Admin > Servers > Configure SecureID Authentication
C. SEPM console Admin Tasks
D. SEPM Web Access

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 30
An administrator needs to configure Secure Socket Layer (SSL) communication for clients. In the httpd.conf file, located on the Symantec Endpoint Protection Manager (SEPM), the administrator removes the hashmark (#) from the text string displayed below.

#Include conf/ssl/sslForClients.conf

Which two tasks must the administrator perform to complete the SSL configuration? (Select two.)

A. edit site.properties and change the port to 443
B. restart the Symantec Endpoint Protection Manager Webserver service
C. change the default certificates on the SEPM and reboot
D. change the Management Server List and enable HTTPs
E. change the port in Clients > Group > Policies > Settings > Communication Settings and force the clients to reconnect

Correct Answer: BD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 31
Which two items should an administrator enter in the License Activation Wizard to activate a license? (Select two.)

A. password for the Symantec Licensing Site
B. purchase order number
C. serial number
D. Symantec License file
E. credit card number

Correct Answer: CD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 32
A client is unable to communicate with the Symantec Endpoint Protection Manager (SEPM) Server. The administrator decides to use the Communications Update Package Deployment in the Client Deployment Wizard. Which two options are available using the Communications Update Package Deployment? (Select two.)

A. Policy Mode
B. SEPM Server Migration
C. Client Reboot
D. Content Update
E. Password Protection

Correct Answer: AE
Section: (none)
Explanation

Explanation/Reference:

QUESTION 33
Which two criteria should an administrator use when defining Location Awareness for the Symantec Endpoint Protection (SEP) client? (Select two.)

A. NIC description
B. SEP domain
C. geographic location
D. WINS server
E. Network Speed

Correct Answer: AD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 34
A managed service provider (MSP) is managing Symantec Endpoint Protection for a number of independent companies. Each company has administrators who will log in from time to time to add new clients. Administrators must be prevented from seeing the existence of other companies in the console. What should an administrator create for each independent company?

A. Domain
B. Location
C. Group
D. Site

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 35
What are two supported Symantec Endpoint Protection Manager authentication types? (Select two.)

A. Microsoft Active Directory
B. MS-CHAP
C. RSA SecurID
D. Biometrics
E. Network Access Control

Correct Answer: AC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 36
In which two areas can host groups be used? (Select two.)

A. Application and Device Control
B. Firewall
C. Locations
D. IPS
E. Download Insight

Correct Answer: BD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 37
Which tool should an administrator use to discover and deploy the Symantec Endpoint Protection client to new computers?

A. Unmanaged Detector
B. Client Deployment Wizard
C. Communication Update Package Deployment
D. Symantec Endpoint Discovery Tool

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 38
A Symantec Endpoint Protection (SEP) administrator is remotely deploying SEP clients, but the clients are failing to install on Windows XP. What are two possible reasons for preventing installation? (Select two.)

A. Windows firewall is enabled.
B. Internet Connection firewall is disabled.
C. Administrative file shares are enabled.
D. Simple file sharing is enabled.
E. Clients are configured for DHCP.

Correct Answer: AD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 39
A large software company runs a small engineering department that is remotely located over a slow WAN connection. Which option should the company use to install an exported Symantec Endpoint Protection (SEP) package to the remote site using the smallest amount of network bandwidth?

A. a SEP package using Basic content
B. a SEP package using a policy defined Single Group Update Provider (GUP)
C. a SEP package using a policy defined Multiple Group Update Provider (GUP) list
D. a SEP package using the Install Packages tab

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 40
A company deploys Symantec Endpoint Protection client to its sales staff who travel across the country. Which deployment method should the company use to notify its sales staff to install the client?

A. Push mode
B. Client Deployment Wizard
C. Pull mode
D. Unmanaged Detector

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 41
Which systems can be identified for deployment using the Find Computers option when using the Client Deployment Wizard?

A. Mac OS
B. Linux
C. Windows 2000
D. Windows 2008 - 64bit OS

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 42
A client is unable to connect to the Symantec Endpoint Protection Manager (SEPM) to retrieve the latest policy. Which action should an administrator take to identify when the client last connected to the SEPM?

A. view the Control log on the Client
B. view the System log on the Client
C. view the Computer Status > Client Online Status report on the SEPM
D. view the Computer Status > Client With Latest Policy report on the SEPM

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 43
A company deploys Symantec Endpoint Protection (SEP) to 50 virtual machines running on a single ESXi host. Which configuration change can the administrator make to minimize sudden IOPS impact on the ESXi server while each SEP endpoint communicates with the Symantec Endpoint Protection Manager?

A. increase Download Insight sensitivity level
B. reduce the heartbeat interval
C. increase download randomization window
D. reduce number of content revisions to keep

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 44
Where in the Symantec Endpoint Protection (SEP) management console will a SEP administrator find the option to allow all users to enable and disable the client firewall?

A. Client User Interface Control Settings
B. Overview in Firewall Policy
C. Settings in Intrusion Prevention Policy
D. System Lockdown in Group Policy

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 45
A company has 10,000 Symantec Endpoint Protection (SEP) clients deployed using two Symantec Endpoint Protection Managers (SEPMs). Which configuration is recommended to ensure that each SEPM is able to effectively handle the communications load with the SEP clients?

A. Push mode
B. Client control mode
C. Server control mode
D. Pull mode

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 46
A Symantec Endpoint Protection (SEP) client uses a management server list with three management servers in the priority 1 list. Which mechanism does the SEP client use to select an alternate management server if the currently selected management server is unavailable?

A. The client chooses another server in the list randomly.
B. The client chooses a server based on the lowest server load.
C. The client chooses a server with the next highest IP address.
D. The client chooses the next server alphabetically by server name.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 47
A system running Symantec Endpoint Protection is assigned to a group with client user interface control settings set to mixed mode with Auto-Protect options set to Client. The user on the system is unable to turn off Auto-Protect. What is the likely cause of this problem?

A. Tamper protection is enabled.
B. System Lockdown is enabled.
C. Application and Device Control is configured.
D. The padlock on the enable Auto-Protect option is locked.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 48
Which action does the Shared Insight Cache (SIC) server take when the whitelist reaches maximum capacity?

A. The SIC server allocates additional memory for the whitelist as needed.
B. The SIC server will start writing the cache to disk.
C. The SIC server will remove the least recently used items based on the prune size.
D. The SIC server will remove items with the fewest number of votes.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 49
Which feature reduces the impact of Auto-Protect on a virtual client guest operating system?

A. Network Shared Insight Cache
B. Virtual Image Exception
C. Scan Randomization
D. Virtual Shared Insight Cache

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 50
Which policy should an administrator modify to enable Virtual Image Exception (VIE) functionality?

A. Host Integrity Policy
B. Virus and Spyware Protection Policy
C. Exceptions Policy
D. Application and Device Control Policy

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 51
Multiple Windows virtual clients running on an ESX server need to be scanned daily by a scheduled scan. Which feature should an administrator use to improve scan performance on the clients?

A. Virtual Image exceptions
B. Centralized Scan exceptions
C. Download Insight
D. Tamper Protection

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 52
The LiveUpdate Download Schedule is set to the default on the Symantec Endpoint Protection Manager (SEPM). How many content revisions must the SEPM keep to ensure clients that check in to the SEPM every 10 days receive xdelta content packages instead of full content packages?

A. 10
B. 20
C. 30
D. 60

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 53
Which client log shows that a client is downloading content from its designated source?

A. Risk Log
B. System Log
C. SesmLu.log
D. Log.LiveUpdate

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 54
Which setting can an administrator configure in the LiveUpdate Policy?

A. specific content revision to download from a Group Update Provider (GUP)
B. specific content policies to download
C. Linux Settings
D. frequency to download content

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 55
Which two sources can a Macintosh client use to download content? (Select two.)

A. Symantec Endpoint Protection Manager
B. Group Update Provider (GUP)
C. Internal LiveUpdate server
D. Default Management server
E. Symantec LiveUpdate server

Correct Answer: CE
Section: (none)
Explanation

Explanation/Reference:

QUESTION 56
Which ports on the company firewall must an administrator open to avoid problems when connecting to Symantec Public LiveUpdate servers?

A. 25, 80, and 2967
B. 2967, 8014, and 8443
C. 21, 443, and 2967
D. 21, 80, and 443

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 57
A company has a small number of systems in their Symantec Endpoint Protection Manager (SEPM) group with federal mandates that AntiVirus definitions undergo a two week testing period. After being loaded on the client, the tested virus definitions must remain unchanged on the client systems until the next set of virus definitions have completed testing. All other clients must remain operational on the most recent definition sets. An internal LiveUpdate Server has been considered as too expensive to be a solution for this company. What should be modified on the SEPM to meet this mandate?

A. The LiveUpdate Settings policy for this group should be modified to use an Explicit Group Update Provider.
B. The LiveUpdate Content policy for this group should be modified to use a specific definition revision.
C. The SEPM site LiveUpdate settings should be modified so the Number of content revisions to keep is set to 1.
D. The SEPM site LiveUpdate settings should be modified so the Number of content revisions to keep is set to 14.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 58
An exception needs to be created for a file named "RunMe.exe" in a user's Windows 7 "My Documents" folder. The user's login name is Bob. Which method should be used?

A. create a file exception for "RunMe.exe" with a Prefix Variable of [USERNAME]
B. create a file exception for "[Drive]:\Users\Bob\My Documents\RunMe.exe"
C. create a file exception for "*\RunMe.exe"
D. create a file exception for "RunMe.exe" with a Prefix Variable of %USERPROFILE%

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 59
Which exception type can be configured?

A. Parent Process
B. Browser Object
C. MAC Address
D. Trusted Web Domain

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 60
An administrator needs to add an Application Exception. When the administrator accesses the Application Exception dialog window, applications fail to appear.
What is the likely problem?

A. The Learn applications that run on the client computers setting is disabled.
B. The client computers already have exclusions for the applications.
C. The Symantec Endpoint Protection Manager is installed on a Domain Controller.
D. The clients are in a trusted Symantec Endpoint Protection domain.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 61
A company uses a remote administration tool that is detected and quarantined by Symantec Endpoint Protection (SEP).
Which step can an administrator perform to continue using the remote administration tool without detection by SEP?

A. create a Tamper Protect exception for the tool
B. create an Application to Monitor exception for the tool
C. create a Known Risk exception for the tool
D. create a SONAR exception for the tool

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 62
A company receives a high number of reports from users that files being downloaded from internal web servers are blocked. The Symantec Endpoint Protection administrator verifies that the Automatically trust any file downloaded from an intranet website option is enabled.
Which configuration can cause Insight to block the files being downloaded from the internal web servers?

A. Intrusion Prevention is disabled.
B. Local intranet zone is configured incorrectly on the Windows clients browser settings.
C. Local intranet zone is configured incorrectly on the Mac clients browser settings.
D. Virus and Spyware Definitions are out of date.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 63
Which action should an administrator take to prevent users from using Windows Security Center?

A. set Disable antivirus alert within Windows Security Center to Disable
B. set Disable antivirus alert within Windows Security Center to Never
C. set Disable Windows Security Center to Disable
D. set Disable Windows Security Center to Always

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 64
An administrator is reviewing an Infected Clients Report and notices that a client repeatedly shows the same malware detection. Although the client remediates the files, the infection continues to display in the logs.
Which two functions should be enabled to automate enhanced remediation of a detected threat and its related side effects? (Select two.)

A. Risk Tracer
B. Terminate Processes Automatically
C. Early Launch Anti-Malware Driver
D. Stop Service Automatically
E. Stop and Reload AutoProtect

Correct Answer: BD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 65
An administrator configures the scan duration for a scheduled scan. The scan fails to complete in the specified time period.
When will the next scheduled scan occur on the computer?

A. when the computer reboots
B. when the user restarts the scan
C. at the next scheduled scan period
D. within the next hour

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 66
A Symantec Endpoint Protection (SEP) administrator receives multiple reports that machines are experiencing performance issues. The administrator discovers that the reports happen about the same time as the scheduled LiveUpdate.
Which setting should the SEP administrator configure to minimize I/O when LiveUpdate occurs?

A. Change the LiveUpdate schedule
B. Change the Administrator-defined scan schedule
C. Disable Allow user-defined scans to run when the scan author is logged off
D. Disable Run an Active Scan when new definitions arrive

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 67
An administrator needs to increase the access speed for client files that are stored on a file server.
Which configuration should the administrator review to address the read speed from the server?

A. enable Network Cache in the client's Virus and Spyware Protection policy
B. add the applicable server to a trusted host group
C. create a Firewall allow rule for the server's IP address
D. enable download randomization in the client group's communication settings

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 68
An administrator changes the Virus and Spyware Protection policy for a specific group that disables Auto-Protect. The administrator assigns the policy and the client systems apply the corresponding policy serial number. Upon visual inspection of a physical client system, the policy serial number is correct. However, Auto-Protect is still enabled on the client system.
Which action should the administrator take to ensure that the desired setting is in place on the client?

A. restart the client system
B. run a command on the computer to Update Content
C. enable the padlock next to the setting in the policy
D. withdraw the Virus and Spyware Protection policy

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 69
Which two settings does an administrator enable to use the Risk Tracer feature in the Virus and Spyware Protection policy? (Select two.)

A. Application and Device Control Policy
B. Tamper Protection
C. Firewall Policy
D. IPS active response
E. Application Learning

Correct Answer: CD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 70
What are two criteria that Symantec Insight uses to evaluate binary executables? (Select two.)

A. sensitivity
B. prevalence
C. confidentiality
D. content
E. age

Correct Answer: BE
Section: (none)
Explanation

Explanation/Reference:

QUESTION 71
How are Insight results stored?

A. encrypted on the Symantec Endpoint Protection Manager
B. unencrypted on the Symantec Endpoint Protection Manager
C. encrypted on the Symantec Endpoint Protection client
D. unencrypted on the Symantec Endpoint Protection client

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 72
Which two options are available when configuring DNS change detected for SONAR? (Select two.)

A. Block
B. Active Response
C. Quarantine
D. Log
E. Trace

Correct Answer: AD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 73
What does SONAR use to reduce false positives?

A. Virus and Spyware definitions
B. File Fingerprint list
C. Symantec Insight
D. Extended File Attributes (EFA) table

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 74
Which action does SONAR take before convicting a process?

A. quarantines the process
B. blocks suspicious behavior
C. reboots the system
D. checks the reputation of the process

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 75
An administrator notices that some entries list that the Risk was partially removed. The administrator needs to determine whether additional steps are necessary to remediate the threat.
Where in the Symantec Endpoint Protection Manager console can the administrator find additional information on the risk?

A. Risk log
B. Computer Status report
C. Notifications
D. Infected and At Risk Computers report

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 76
Which two instances could cause Symantec Endpoint Protection to be unable to remediate a file? (Select two.)

A. Another scan is in progress.
B. The detected file is in use.
C. There are insufficient file permissions.
D. The file is marked for deletion by Windows on reboot.
E. The file has good reputation.

Correct Answer: BC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 77
An administrator selects the Backup files before attempting to repair the Remediations option in the Auto-Protect policies.
Which two actions occur when a virus is detected? (Select two.)

A. replace the file with a place holder
B. check the reputation
C. store in Quarantine folder
D. send the file to Symantec Insight
E. encrypt the file

Correct Answer: CE
Section: (none)
Explanation

Explanation/Reference:

QUESTION 78
In the Virus and Spyware Protection policy, an administrator sets the First action to Clean risk and sets If first action fails to Delete risk.
Which two factors should the administrator consider? (Select two.)

A. The deleted file may still be in the Recycle Bin.
B. IT Analytics may keep a copy of the file for investigation.
C. False positives may delete legitimate files.
D. Insight may back up the file before sending it to Symantec.
E. A copy of the threat may still be in the quarantine.

Correct Answer: CE
Section: (none)
Explanation

Explanation/Reference:

QUESTION 79
A company allows users to create firewall rules. During the course of business, users are accidentally adding rules that block a custom internal application.
Which steps should the Symantec Endpoint Protection administrator take to prevent users from blocking the custom application?

A. create an Allow Firewall rule for the application and place it at the bottom of the firewall rules below the blue line
B. create an Allow Firewall rule for the application and place it at the bottom of the firewall rules above the blue line
C. create an Allow All Firewall rule for the fingerprint of the file and place it at the bottom of the firewall rules above the blue line
D. create an Allow for the network adapter type used by the application and place it at the top of the firewall rules below the blue line

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 80
A company has an application that requires network traffic in both directions to multiple systems at a specific external domain. A firewall rule was created to allow traffic to and from the external domain, but the rule is blocking incoming traffic.
What should an administrator enable in the firewall policy to allow this traffic?

A. TCP resequencing
B. Smart DHCP
C. Reverse DNS Lookup
D. Smart WINS

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 81
A Symantec Endpoint Protection administrator must block traffic from an attacking computer for a specific time period.
Where should the administrator adjust the time to block the attacking computer?

A. in the firewall policy, under Protection and Stealth
B. in the firewall policy, under Built in Rules
C. in the group policy, under External Communication Settings
D. in the group policy, under Communication Settings

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 82
A user is unknowingly about to connect to a malicious website and download a known threat within a .rar file. All Symantec Endpoint Protection technologies are installed on the client's system.
In which feature set order must the threat pass through to successfully infect the system?

A. Download Insight, Firewall, IPS
B. Firewall, IPS, Download Insight
C. IPS, Firewall, Download Insight
D. Download Insight, IPS, Firewall

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 83
A Symantec Endpoint Protection (SEP) administrator creates a firewall policy to block FTP traffic and assigns the policy to all of the SEP clients. The network monitoring team informs the administrator that a client system is making an FTP connection to a server. While investigating the problem from the SEP client GUI, the administrator notices that there are zero entries pertaining to FTP traffic in the SEP Traffic log or Packet log. While viewing the Network Activity dialog, there is zero inbound/outbound traffic for the FTP process.
What is the most likely reason?

A. The block rule is below the blue line.
B. The server has an IPS exception for that traffic.
C. Peer-to-peer authentication is allowing the traffic.
D. The server is in the IPS policy excluded hosts list.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 84
Which action must a Symantec Endpoint Protection administrator take before creating custom Intrusion Prevention signatures?

A. change the custom signature order
B. create a Custom Intrusion Prevention Signature library
C. define signature variables
D. enable signature logging

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 85
A Symantec Endpoint Protection administrator needs to prevent users from modifying files in a specific program folder that is on all client machines.
What does the administrator need to configure?

A. a file and folder exception in the Exception policy
B. an application rule set in the Application and Device Control policy
C. a file fingerprint list and System Lockdown
D. the Tamper Protection settings for the client folder

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 86
An administrator tests a new Application and Device Control policy. One of the rule sets being tested blocks the notepad.exe application from running. After pushing the policy to a test client, the administrator finds that notepad.exe is still able to run. The administrator verifies that the rule set is enabled in the Application and Device Control policy.
Which two reasons may be preventing the policy from performing the application blocking? (Select two.)

A. The System Lockdown policy includes notepad.exe in the whitelist.
B. System Lockdown has been removed from the client.
C. The Client User Interface Control is set to Client control.
D. The rule set is in Production mode.
E. A rule set with conflicting rules exists higher up in the policy.

Correct Answer: AE
Section: (none)
Explanation

Explanation/Reference:

QUESTION 87
A Symantec Endpoint Protection administrator is using System Lockdown in blacklist mode with a file fingerprint list. When testing a client, the administrator notices that at least one of the files on the list is allowed to execute.
What is the likely cause of the problem?

A. The application has been upgraded.
B. The Application and Device Control policy is in test mode.
C. A file exception has been added to the Exceptions policy.
D. The Application and Device Control policy is allowing the file to execute.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 88
Which step is unnecessary when an administrator creates an application rule set?

A. define a provider
B. select a process to apply
C. select a process to exclude
D. define rule order

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 89
An administrator needs to learn the applications running on a computer.
Which step should the administrator take to configure functionality?

A. configure a local Symantec Endpoint Protection Manager administrator to have rights to view reports only
B. enable application tracking under communication settings at the site level
C. enable file fingerprinting on the Symantec Endpoint Protection client
D. configure pull mode for Application Learning

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 90
Which two criteria can an administrator use to determine hosts in a host group? (Select two.)

A. Subnet
B. Network Services
C. Application Protocol
D. DNS Domain
E. Network Adapters

Correct Answer: AD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 91
What is an appropriate use of a file fingerprint list?

A. allow unknown files to be downloaded with Insight
B. prevent programs from running
C. prevent AntiVirus from scanning a file
D. allow files to bypass Intrusion Prevention detection

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 92
When can an administrator add a new replication partner?

A. immediately following the first LiveUpdate session of the new site
B. during a Symantec Endpoint Protection Manager upgrade
C. during the initial install of the new site
D. immediately following a successful Active Directory sync

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 93
An administrator plans to implement a multi-site Symantec Endpoint Protection (SEP) deployment. The administrator needs to determine whether replication is viable without needing to make network firewall changes or change defaults in SEP.
Which port should the administrator verify is open on the path of communication between the two proposed sites?

A. 1433
B. 2967
C. 8014
D. 8433

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 94
An administrator is troubleshooting a Symantec Endpoint Protection (SEP) replication.
Which component log should the administrator check to determine whether the communication between the two sites is working correctly?

A. Apache Web Server
B. Tomcat
C. SQL Server
D. Group Update Provider (GUP)

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 95
An administrator is re-adding an existing Replication Partner to the local Symantec Endpoint Protection Manager site.
Which two parameters are required to re-establish this replication partnership? (Select two.)

A. remote server IP Address and port
B. remote site Encryption Password
C. remote site Domain ID
D. remote server Administrator credentials
E. remote SQL database account credentials

Correct Answer: AD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 96
Which task is unavailable for administrative accounts that authenticate using RSA SecurID Authentication?

A. reset forgotten passwords
B. import organizational units (OU) from Active Directory
C. configure external logging
D. enable Session Based Authentication with Web Services

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 97
Which two considerations must an administrator make when enabling Application Learning in an environment? (Select two.)

A. Application Learning can generate increased false positives.
B. Application Learning should be deployed on a small group of systems in the enterprise.
C. Application Learning can generate significant CPU or memory use on a Symantec Endpoint Protection Manager.
D. Application Learning requires a file fingerprint list to be created in advance.
E. Application Learning is dependent on Insight.

Correct Answer: BC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 98
A Symantec Endpoint Protection (SEP) administrator performed a disaster recovery without a database backup.
In which file should the SEP administrator add "scm.agent.groupcreation=true" to enable the automatic creation of client groups?

A. settings.conf
B. conf.properties
C. catalina.out
D. httpd.conf

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 99
Catastrophic hardware failure has occurred on a single Symantec Endpoint Protection Manager (SEPM) in an environment with two SEPMs.
What is the quickest way an administrator can restore the environment to its original state?

A. build a new site and configure replication with the still functioning SEPM
B. install a new SEPM into the existing site
C. clone the still functioning SEPM and change the server.properties file
D. reinstall the entire SEPM environment

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 100
An administrator is recovering from a Symantec Endpoint Protection Manager (SEPM) site failure.
Which file should the administrator use during an install of SEPM to recover the lost environment according to Symantec Disaster Recovery Best Practice documentation?

A. original installation log
B. recovery_timestamp file
C. settings.properties file
D. Sylink.xml file from the SEPM

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 101
Which action can an administrator take to improve the Symantec Endpoint Protection Manager (SEPM) dashboard performance and report accuracy?

A. decreasing the number of content revisions to keep
B. lowering the client installation log entries
C. rebuilding database indexes
D. limiting the number of backups to keep

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 102
The Security Status on the console home page is failing to alert a Symantec Endpoint Protection (SEP) administrator when virus definitions are out of date.
How should the SEP administrator enable the Security Status alert?

A. lower the Security Status thresholds
B. raise the Security Status thresholds
C. change the Notifications setting to "Show all notifications"
D. change the Action Summary display to “By number of computers”

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 103
A large-scale virus attack is occurring and a notification condition is configured to send an email whenever viruses infect five computers on the network. A Symantec Endpoint Protection administrator has set a one hour damper period for that notification condition.
How many notifications does the administrator receive after 30 computers are infected in two hours?

A. 1
B. 2
C. 6
D. 15

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 104
Administrators at a company share a single terminal for configuring Symantec Endpoint Protection. The administrators want to ensure that each administrator using the console is forced to authenticate using their individual credentials. They are concerned that administrators may forget to log off the terminal, which would easily allow others to gain access to the Symantec Endpoint Protection Manager (SEPM) console.
Which setting should the administrator disable to minimize the risk of non-authorized users logging into the SEPM console?

A. allow users to save credentials when logging on
B. delete clients that have not connected for specified time
C. lock account after the specified number of unsuccessful logon attempts
D. allow administrators to reset the passwords

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 105
An administrator reports that the Home, Monitors, and Report pages are absent in the Symantec Endpoint Protection Management console when the administrator logs on.
Which action should the administrator perform to correct the problem?

A. configure proxy settings for each server in the site
B. configure External Logging to Enable Transmission of Logs to a Syslog Server
C. grant the Administrator Full Access to Root group of the organization
D. grant View Reports permission to the administrator

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 106
After several failed logon attempts, the Symantec Endpoint Protection Manager (SEPM) has locked the default admin account. An administrator needs to make system changes as soon as possible to address an outbreak, but the admin account is the only account.
Which action should the administrator take to correct the problem with minimal impact to the existing environment?

A. wait 15 minutes and attempt to log on again
B. restore the SEPM from a backup
C. run the Management Server and Configuration Wizard to reconfigure the server
D. reinstall the SEPM

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 107
A Symantec Endpoint Protection Manager (SEPM) administrator notices performance issues with the SEPM server. The Client tab becomes unresponsive in the SEPM console and .DAT files accumulate in the “agentinfo” folder.
Which tool should the administrator use to gather log files to submit to Symantec Technical Support?

A. collectLog.cmd
B. LogExport.exe
C. ExportLog.vbs
D. smc.exe

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 108
A company needs to configure an Application and Device Control policy to block read/write access to all USB removable media on its Symantec Endpoint Protection (SEP) systems.
Which tool should an administrator use to format the GUID and device IDs as required by SEP?

A. CheckSum.exe
B. DeviceTree.exe
C. TaskMgr.exe
D. DevViewer.exe

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 109
Users report abnormal behavior on systems where Symantec Endpoint Protection is installed.
Which tool can an administrator run on the problematic systems to identify the likely cause of the abnormal behavior?

A. smc.exe -stop
B. SymHelp.exe
C. PowerShell.exe
D. CleanWipe.exe

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 110
An administrator uses ClientSideClonePrepTool to clone systems and virtual machine deployment.
What will the tool do when it is run on each system?

A. run Microsoft SysPrep and remove all AntiVirus/AntiSpyware definitions
B. disable Tamper Protect and deploy a Sylink.xml
C. add a new Extended File Attribute value to all existing files
D. remove unique Hardware IDs and GUIDs from the system

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 111
An administrator is using the SylinkDrop tool to update a Symantec Endpoint Protection client install on a system. The client fails to migrate to the new Symantec Endpoint Protection Manager (SEPM), which is defined correctly in the Sylink.xml file that was exported from the SEPM.
Which settings must be provided with SylinkDrop to ensure the successful migration to a new Symantec Endpoint Protection environment with additional Group Level Security Settings?

A. -s "silent"
B. -t "Tamper Protect"
C. -r "reboot"
D. -p "password"

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 112
Which tool should the administrator run before starting the Symantec Endpoint Protection Manager upgrade as a Symantec Best Practice?

A. collectLog.cmd
B. DBValidator.bat
C. LogExport.cmd
D. Upgrade.exe

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 113
Which two Symantec Endpoint Protection components are used to distribute content updates? (Select two.)

A. Group Update Provider (GUP)
B. Shared Insight Cache Server
C. Symantec Protection Center
D. Symantec Endpoint Protection Manager
E. Symantec Insight Database

Correct Answer: AD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 114
What is a valid Symantec Endpoint Protection (SEP) single site design?

A. multiple MySQL databases
B. one Microsoft SQL Server database
C. one Microsoft SQL Express database
D. multiple embedded databases

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 115
A company needs to forward log data from Data Center A to Data Center B during off peak hours only.
How should the company architect its Symantec Endpoint Protection environment?

A. set up two sites and schedule replication between them during off peak hours
B. set up a single site and configure the clients to send their logs to the Manager during off peak hours
C. set up a Group Update Provider (GUP) at Data Center A and configure it to send logs during off peak hours
D. set up a LiveUpdate Server at Data Center A and configure it to send logs during off peak hours

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 116
A Symantec Endpoint Protection administrator needs to comply with a service level agreement stipulating that all definitions must be internally quality assurance tested before being deployed to customers.
Which step should the administrator take?

A. install a LiveUpdate Administrator Server
B. install a Shared Insight Cache Server
C. install a Group Update Provider (GUP) to the existing site
D. install a Symantec Protection Center

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 117
What is a supported migration path for Symantec Endpoint Protection?

A. Symantec Endpoint Protection Enterprise Edition 12.1 > Symantec Endpoint Protection Small Business Edition 12.1
B. Symantec Endpoint Protection Small Business Edition 12.1 > Symantec Endpoint Protection Enterprise Edition 12.1
C. Symantec Endpoint Protection 12.1 Enterprise Edition > Symantec Endpoint Protection 11.x Enterprise Edition
D. Symantec Endpoint Protection Small Business Edition 12.1 > Symantec Endpoint Protection 11.x Small Business Edition

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 118
Employees of an accounting company often take their notebooks to customer sites. The administrator needs to apply a different firewall policy when the notebooks are disconnected from the accounting company's network. What must the administrator configure to use the two different policies?

A. Groups
B. Domains
C. Sites
D. Locations

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 119
Which setting can an administrator change that will result in the greatest impact on the speed of delivery of Symantec Endpoint Protection policy changes to the endpoints?

A. Download randomization
B. Heartbeat interval
C. LiveUpdate scheduling frequency
D. Reconnection preferences

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 120
A threat was detected by Auto-Protect on a client system. Which command can an administrator run to determine whether additional threats exist?

A. Restart Client Computer
B. Update Content and Scan
C. Enable Network Threat Protection
D. Enable Download Insight

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 121
Why does Power Eraser need Internet access?

A. to leverage Symantec Insight
B. to validate root certificates on all portable executables (PXE) files
C. to ensure the Power Eraser tool is the latest release
D. to look up CVE vulnerabilities

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

Exam B

QUESTION 1
Which Symantec Endpoint Protection 12.1 protection technology provides the primary protection layers against zero-day network attacks?

A. SONAR
B. Client Firewall
C. Intrusion Prevention
D. System Lockdown

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 2
According to Symantec, what is a botnet?

A. systems infected with the same virus strain
B. groups of systems performing remote tasks without the users' knowledge
C. groups of computers configured to steal credit card records
D. compromised systems opening communication to an IRC channel

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 3
A financial company has a security policy that prevents banking system workstations from connecting to the internet. Which Symantec Endpoint Protection 12.1 protection technology will be prevented from working on the company's workstations?

A. Insight
B. Application and Device Control
C. Network Threat Protection
D. LiveUpdate

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 4
In addition to performance improvements, which two benefits does Insight provide? (Select two.)

A. reputation scoring for documents
B. zero-day threat detection
C. protection against system files modifications
D. false positive mitigation
E. blocking of malicious websites

Correct Answer: BD
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 5
How does the Intrusion Prevention System add an additional layer of protection to Network Threat Protection?

A. It inspects the TCP packet headers and tracks the sequence number.
B. It performs deep packet inspection, reading the packet headers, and data portion.
C. It examines TCP/IP traffic from the application and traces the source of the traffic.
D. It monitors IP datagrams for abnormalities.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 6
The fake antivirus family "PC scout" infects systems with a similar method regardless of its variant. Which SONAR sub-feature can block new variants of the same family, based on sequence of events?

A. artificial intelligence
B. behavioral heuristic
C. human authored signatures
D. behavioral policy lockdown

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 7
Drive-by downloads are a common vector of infections. Some of these attacks use encryption to bypass traditional defense mechanisms. Which Symantec Endpoint Protection 12.1 protection technology blocks such obfuscated attacks?

A. SONAR
B. Bloodhound heuristic virus detection
C. Client Firewall
D. Browser Intrusion Prevention

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 8
Which Symantec Endpoint Protection 12.1 defense mechanism provides protection against worms like W32.Silly.FDC, which propagate from system to system through the use of autorun.inf files?

A. Application Control
B. SONAR
C. Client Firewall
D. Exceptions

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 9
A company is experiencing a malware outbreak. The company deploys Symantec Endpoint Protection 12.1, with only Virus and Spyware Protection, Application and Device Control, and Intrusion Prevention technologies. Why would Intrusion Prevention be unable to block all communications from an attacking host?

A. Intrusion Prevention needs the firewall component to block all traffic from the attacking host.
B. Intrusion Prevention blocks the attack only if the administrator wrote a signature for it.
C. Intrusion Prevention definitions are out-of-date.
D. Intrusion Prevention is set to log only.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 10
Which Symantec Endpoint Protection 12.1 component uses reputation to evaluate a file?

A. Shared Insight Cache server
B. Symantec Endpoint Protection client
C. Symantec Endpoint Protection Manager
D. LiveUpdate Administrator server

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 11
Which Symantec Endpoint Protection 12.1 component provides services to improve the performance of virtual client scanning?

A. Shared Insight Cache server
B. LiveUpdate Administrator server
C. Symantec Protection Center
D. Group Update Provider

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 12
How many Symantec Endpoint Protection Managers can be connected to an embedded database?

A. 1
B. 2
C. 5
D. 10

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 13
Which component is required in order to run Symantec Endpoint Protection 12.1 protection technologies?

A. Symantec Endpoint Protection Manager
B. Symantec Endpoint Protection client
C. LiveUpdate Administrator server
D. Symantec Protection Center

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 14
Which Symantec Endpoint Protection 12.1 component provides single-sign-on to the Symantec Endpoint Protection Manager and other products, along with cross-product reporting?

A. Symantec Reporting server
B. Symantec Security Information Manager
C. IT Analytics
D. Symantec Protection Center

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 15
Which Symantec Endpoint Protection 12.1 component uses Sybase SQL Anywhere?

A. Symantec Endpoint Protection Manager embedded database
B. Symantec Endpoint Protection Manager remote database
C. LiveUpdate Administrator server
D. Shared Insight Cache server

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 16
Which Symantec Endpoint Protection 12.1 component improves performance because known good files are skipped?

A. LiveUpdate Administrator server
B. Group Update Provider
C. Shared Insight Cache server
D. Central Quarantine server

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 17
How can an administrator manage multiple, independent companies from one database while maintaining independent groups, computers, and policies?

A. Set up limited administrators with appropriate rights.
B. Set up separate domains.
C. Set up additional sites using a single database.
D. Set up separate locations and turn off inheritance.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 18
A company with one site has a factory with computers in the manufacturing area. Both factory managers and operators need to log in to these shared computers. Different policies will be applied depending on whether the individual logging in to the machine is a manager or an operator. Which Symantec Endpoint Protection 12.1 feature provides this ability?

A. Computer mode
B. Active Directory synchronization
C. User mode
D. Console authentication

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 19
An administrator is logged in to the Symantec Endpoint Protection Manager (SEPM) console for a system named SEPM01. The groups and policies that were previously in the SEPM01 console are unavailable and have been replaced with unfamiliar groups and policies. What was a possible reason for this change?

A. The administrator was modified from using Computer mode to User mode.
B. The administrator was logged in to the incorrect domain for SEPM01.
C. The administrator was changed from a limited administrator to a system administrator.
D. The administrator was using the Web console instead of the Java console.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 20
Which two objects in the Symantec Endpoint Protection Manager console describe the most granular level to which a policy can be applied? (Select two.)

A. Site
B. Domain
C. Group
D. Location
E. Computer
F. User

Correct Answer: CD
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 21
An administrator creates a new domain in the Symantec Endpoint Protection Manager console. How can the administrator copy policies from the old domain to the new domain?

A. Export the policy from the old domain and import it into the new domain.
B. Copy the policy in the old domain and paste the policy into the new domain.
C. Copy the old domain's policy XML file into the folder for the new domain.
D. Back up the old domain's database and restore it into the new domain.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 22
A company plans to expand its Symantec Endpoint Protection 12.1 (SEP) infrastructure by creating a second site for use in replication. At a minimum, which two tasks need to be completed to create the second site? (Select two.)

A. A new Symantec Endpoint Protection Manager needs to be installed.
B. A new SEP domain needs to be created.
C. A new SEP database needs to be created.
D. An SEP administrator needs to be given replication rights.
E. A new SEP location needs to be created.

Correct Answer: AC
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 23
A company is transitioning from using policies based on the individual that logs in to the client machine to policies based only on the client machine. Which Symantec Endpoint Protection 12.1 change will the organization need to perform?

A. Move from User mode to Computer mode.
B. Move from Computer mode to User mode.
C. Use groups synchronized from Active Directory.
D. Use groups created manually.
E. Turn on location awareness.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 24
A company has a single datacenter at its main office and 10 branch offices with 100 computers in each office. The branch offices are connected to the datacenter with a 56k network link. The customer wants the Symantec Endpoint Protection Manager (SEPM) to be installed in the datacenter. What can be done at the branch offices to reduce the bandwidth caused by definition updates from the Symantec Endpoint Protection clients at each branch office?

A. Enable a Group Update Provider at each branch office.
B. Reduce the number of virus definitions cached on each client.
C. Place a SEPM database in each branch office.
D. Use the Shared Insight Cache server in each branch office.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 25
A LiveUpdate policy allows for configuring single Group Update Providers (GUPs) or multiple GUPs from a list. What is a limitation when using multiple GUPs?

A. Less content can be cached.
B. They can only communicate with clients in the same Windows domain.
C. They can only communicate with clients in the same local subnet.
D. Fewer clients can be communicated with.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 26
A company recently purchased the Symantec Endpoint Protection 12.1 (SEP) product. It has two datacenters and wants to configure SEP for high availability, so that if one datacenter goes down, the SEP clients can smoothly fail over to the other datacenter. What should be done to allow SEP clients to fail over from one datacenter to the next?

A. Install a Group Update Provider at each datacenter and configure replication.
B. Install a Symantec Protection Center at each datacenter and configure replication.
C. Install a Symantec Endpoint Protection Manager at each datacenter and configure replication.
D. Install a Symantec Site Server at each datacenter and configure replication.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 27
Refer to the exhibit.

A branch office needs to forward logs to the headquarters. The administrator is configuring the site Branch A. Which setting should be enabled to achieve this?

A. Replicate the log from the local site to this partner site.
B. Replicate the log from this partner site to the local site.
C. Auto Replicate.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 28
A company has multiple offices and is unsure whether to use the Symantec Endpoint Protection Manager (SEPM) or the Group Update Provider (GUP) at the offices. When should the company use the SEPM rather than the GUP?

A. when the site has a local Windows server
B. when the site has a large number of clients
C. when the site has a low bandwidth network connection
D. when the site has more than one subnet

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 29
A new installation of the Symantec Endpoint Protection 12.1 (SEP) is running on a trial license. For how long can managed SEP clients receive updates?

A. 30 days
B. 60 days
C. 90 days
D. 120 days

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 30
Which two Symantec Endpoint Protection 12.1 (SEP) standalone tools are available for malware scanning and remediation? (Select two.)

A. Symantec Power Eraser
B. Symantec Endpoint Recovery Tool
C. Symantec Offline Image Scanner
D. Symantec Protection Center
E. CleanWipe

Correct Answer: AB
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 31
For replication, Symantec recommends that the number of sites be kept to five for optimum performance. What can be done to reduce the number of sites?

A. Replicate log data in both directions.
B. Limit the number of clients per manager.
C. Spread the clients over additional domains.
D. Add Group Update Providers for content distribution.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 32
In Symantec Endpoint Protection 12.1 Enterprise Edition (SEP), what happens when the Soft Enforcement license expires?

A. LiveUpdate stops.
B. Proactive Threat Protection is disabled.
C. SEP clients become unmanaged.
D. Content updates are allowed.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 33
A company is currently testing Symantec Endpoint Protection 12.1 on 100 clients. The company has decided to deploy SEP to an additional 20,000 clients. They are concerned about the number of clients supported on a single Symantec Endpoint Protection Manager (SEPM). What should the company do to ensure that the SEPM can support the clients?

A. Configure the clients for Pull mode.
B. Decrease the heartbeat interval.
C. Switch to HTTPS for client communications.
D. Switch to IIS as the web server.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 34
An administrator gets a browser certificate warning when accessing the Symantec Endpoint Protection Manager (SEPM) Web console. Where can the administrator obtain a self-signed certificate to prevent this warning from appearing?

A. SEPM console Licenses section
B. Symantec Protection Center
C. SEPM Web Access
D. Symantec Support

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 35
An administrator installed Symantec Endpoint Protection 12.1 (SEP) in the environment. However, the administrator wants to use secure communication and SSL authentication between clients and the Symantec Endpoint Protection Manager (SEPM). How should the administrator proceed?

A. Configure and apply certificate in IIS on SEPM.
B. Configure SSL in the Apache Tomcat Web Server.
C. Edit http.conf.properties and change the port to 443.
D. Use public and private key configuration on SEPM 12.1.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 36
Refer to the exhibit.

Inheritance is turned on only for groups England, Sales, Laptops, and Manchester (highlighted). Without turning inheritance off, which top level group must be modified to affect users in the Laptop group?

A. My Company
B. England
C. London
D. Sales

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 37
A client is unable to communicate with the Symantec Endpoint Protection Manager (SEPM) Server. The administrator decides to replace the Sylink.xml file on the client using the SylinkDrop tool. Which two additional tasks can be accomplished by replacing the Sylink.xml file? (Select two.)

A. Convert an unmanaged client to a managed client.
B. Migrate the SEPM servers to a new domain.
C. Enable remote troubleshooting for administrators.
D. Update Symantec Endpoint Protection client to the latest eraser engine.
E. Migrate or move clients to a new domain or management server.

Correct Answer: AE
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 38
A manufacturing company runs three shifts. Employees at the facility must share computers. The administrators need to apply different policies/configurations for each shift. The administrator will need to switch the clients to User mode. Which two additional configuration changes need to be made to allow policies to be applied to each shift? (Select two.)

A. Create one group for all computers on each shift.
B. Create one group for all users on each shift.
C. Turn on inheritance for all groups.
D. Turn on inheritance for all users.
E. Turn off inheritance for each user group created.
F. Turn off inheritance for each computer group created.

Correct Answer: BE
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 39
An administrator makes a change in the Active Directory structure which has been imported into the Symantec Endpoint Protection Manager (SEPM). By default, when will the change automatically be reflected in the SEPM?

A. as soon as the change is made in Active Directory
B. maximum 1 hour
C. maximum 4 hours
D. maximum 24 hours

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 40
A Symantec Endpoint Protection Manager (SEPM) administrator is importing from an Active Directory environment. The administrator needs to know which object types are being imported. Which two object types are imported into the SEPM from Active Directory? (Select two.)

A. policy
B. users
C. computers
D. services
E. groups

Correct Answer: BC
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 41
When can an administrator delete a location?

A. when location awareness has been turned off
B. when the group has inheritance turned off
C. when all clients are moved from the group
D. when the policy has been withdrawn

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 42
A large oil company has a small exploration department that is remotely located and rarely has internet connectivity. Which client type would allow the exploration department to configure their own security policies?

A. Mixed-mode client
B. User-mode client
C. Managed client
D. Unmanaged client

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 43
A large software company has a small engineering department that is remotely located over a slow WAN connection. Which method will deploy the Symantec Endpoint Protection 12.1 (SEP) clients to the remote site using the smallest amount of network bandwidth?

A. Deploy the SEP clients using basic content.
B. Deploy the clients using the Push Install Wizard.
C. Install a Group Update Provider on a remote computer and then install the remote SEP clients.
D. Install a Group Update Provider on a local computer and then install the remote SEP clients.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 44
An administrator created a Symantec Endpoint Protection 12.1 (SEP) installation package without specifying the group to which the SEP clients should belong. What will happen when the administrator tries to install a SEP client using the installation package?

A. The SEP client installation will fail.
B. The SEP client will prompt the administrator to specify a group.
C. The Symantec Endpoint Protection Manager will prompt the administrator to specify a group.
D. The SEP client will be installed into a default group.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 45
A Symantec Endpoint Protection 12.1 (SEP) administrator discovers that a firewall is blocking Windows file sharing. Which method can bypass the firewall and allow the SEP clients to be installed with a minimum amount of effort?

A. Remote Push
B. Web Link and Email
C. Create Pull Mode client
D. Administrative share (C$) deployment

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 46
A Symantec Endpoint Protection 12.1 (SEP) administrator deployed SEP clients, but the SEP clients are failing to register with the Symantec Endpoint Protection Manager (SEPM). Which solution would allow the clients to register with the SEPM?

A. Disable the firewall on the SEP client.
B. Allow port 8014 through the network firewall between the SEPM and the client.
C. Modify the network firewalls so that stateful packet inspection is performed.
D. Open the ephemeral TCP ports on the SEP client firewall.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 47
A Symantec Endpoint Protection 12.1 (SEP) administrator suspects that newly arrived computers are infected with a virus. Which steps should the administrator take when installing the SEP client on the new computers?

A. Choose the Evaluate before installation SEP client feature set.
B. Install an unmanaged client first, then install a managed client after the virus is removed.
C. Install Norton Removal Tool, then install the SEP client.
D. Run Power Eraser, then install the SEP client.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 48
An administrator wants to deploy the Symantec Endpoint Protection 12.1 (SEP) client to computers that are lacking the Symantec Endpoint Protection client. Which tool should the administrator use to discover and deploy the SEP client to the computers?

A. Unmanaged Detector
B. Client Deployment Wizard
C. Symantec Endpoint Recovery Tool
D. Symantec Endpoint Discovery Tool

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 49
A Symantec Endpoint Protection 12.1 (SEP) administrator is remotely deploying SEP clients, but the clients are failing to install on Windows XP. Which two could be preventing installation? (Select two.)

A. Clients are members of a Windows domain and have Windows firewall enabled.
B. Clients are members of a Windows domain and have Windows firewall disabled.
C. Clients are members of a workgroup and simple file sharing is disabled.
D. Clients are members of a workgroup and simple file sharing is enabled.
E. Clients are members of a Windows domain and have a DHCP address.

Correct Answer: AD
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 50
Which Symantec Endpoint Protection client component must be installed to enable Unmanaged Detector mode?

A. Virus and Spyware Protection
B. SONAR
C. Network Threat Protection
D. Network Access Control

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 51
In which client management log can an administrator identify when the client last connected to the Symantec Endpoint Protection Manager?

A. Compliance
B. Audit
C. System
D. Event

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 52
Which command line syntax invokes the Symantec Endpoint Protection Client Service to determine whether a more recent copy of the configuration file is available on the management server?

A. smc -getconfig
B. smc -getsylink
C. smc -update
D. smc -updateconfig

Correct Answer: D
Section: (none)

QUESTION 53
Immediately after installation, what does a managed client do to contact the Symantec Endpoint Protection Manager (SEPM)?

A. Initiate communication on port 80.
B. Initiate communication on port 8014.
C. Initiate communication on port 8445.
D. Wait for the SEPM if in Push mode.

Correct Answer: B
Section: (none)

QUESTION 54
Refer to the exhibit.

The status of two clients on the Symantec Endpoint Protection Manager is provided in the exhibit. They indicate that the clients are "Offline". What does the Offline status indicate?

A. Live Update is not running on clients.
B. Antivirus is disabled in clients.
C. There are communications issues with clients.
D. Installation was unsuccessful on clients.

Correct Answer: C
Section: (none)

QUESTION 55
Refer to the exhibit.

What does the symbol to the left of the system name, SEPMGR12, indicate?

A. The firewall is enabled.
B. The Symantec Endpoint Protection Manager is running.
C. The system is online.
D. The Unmanaged Detector is enabled.

Correct Answer: D
Section: (none)

QUESTION 56
Some customers report that when they run the command "smc -stop" on their clients, they are unable to connect to network resources. What is wrong?

A. The customers need to enable the Smart DHCP option in their firewall policy.
B. The security option "Block all traffic until the firewall starts and after the firewall stops" is enabled.
C. A location awareness policy has been configured that applies when the service is stopped.
D. The network card is blocked by a Device Control policy.

Correct Answer: B
Section: (none)

QUESTION 57
A company successfully deploys Symantec Endpoint Protection 12.1 to its clients. However, when the company deploys the client to the servers, the servers immediately reboot. The company needs to prevent the servers from rebooting during normal business hours. What is wrong?

A. The "Hard restart" option is enabled in the Restart Settings tab.
B. The "Restart immediately if the user is not logged in" option is enabled.
C. A previous version of the client was installed.
D. There is "No prompt" configured on the Restart Settings tab.

Correct Answer: B
Section: (none)

QUESTION 58
A company has three groups of clients: Laptops, Desktops, and Servers. Administrators must have the ability to perform manual scans for these clients from the Symantec Endpoint Protection Manager. In addition, the manual scans need to be customized according to the different clients, for example by customizing whether memory is scanned and which folder locations are scanned. How can the environment be configured to provide this ability while minimizing management overhead?

A. Configure one Virus and Spyware Protection policy with a customized On-Demand scan and set different Exception policies for each group.
B. Configure one Virus and Spyware Protection policy with three customized On-Demand scans.
C. Configure one Virus and Spyware Protection policy with three customized Scheduled scans and setting the schedule to Manual.
D. Configure a different Virus and Spyware Protection policy for each group with customized On-Demand scans.

Correct Answer: D
Section: (none)

QUESTION 59
A Symantec Endpoint Protection 12.1 group has two defined locations based on whether clients are attached to the local network or are remote. The local network location has an administrator-defined scan scheduled to begin each Monday at 09:00. The remote location has an administrator-defined scan scheduled to begin each Wednesday night at 21:00. All systems are used daily and remain powered on all night. Some users in the group have laptops, while the other users have standard desktops. Assuming the laptops are taken home and used each night, what is the effect?

A. All clients will run scans only on Monday.
B. All clients will run scans both on Monday and Wednesday.
C. The laptops will run scans only on Wednesday, while the desktops will run scans only on Monday.
D. The laptops will run scans both on Monday and Wednesday, while the desktops will run scans only on Monday.

Correct Answer: D
Section: (none)

QUESTION 60
Which two actions can a user take during an in-progress scheduled scan? (Select two.)

A. disable
B. stop
C. pause
D. skip
E. reschedule

Correct Answer: BC
Section: (none)

QUESTION 61
A user added a daily 10:00 scheduled scan to their Symantec Endpoint Protection 12.1 client. After reviewing the logs, the user confirms that the scan failed to start at 10:00. Why did the scan fail to start?

A. Tuning Options were set for best application performance.
B. "Delay scheduled scans when running on battery" was enabled.
C. Scan Progress options were set to "Do not show progress".
D. The Windows scheduler service was disabled.

Correct Answer: B
Section: (none)

QUESTION 62
A Symantec Endpoint Protection 12.1 client is running a user-defined scan when a scheduled, administrator-defined scan is scheduled to launch. What is the effect on the client?

A. The user-defined scan will be paused in order to launch the administrator-defined scan.
B. The administrator-defined scan will launch after the user-defined scan completes.
C. The user-defined scan will be canceled in order to launch the administrator-defined scan.
D. The administrator-defined scan will be skipped and the user-defined scan will continue.

Correct Answer: B
Section: (none)

QUESTION 63
Which protection technology assists in protecting documents in real-time when accessed or modified?

A. SONAR
B. Reputation Scans
C. Auto-Protect
D. Scheduled Scans

Correct Answer: C
Section: (none)

QUESTION 64
A Symantec Endpoint Protection 12.1 administrator has the Virus and Spyware Protection policy configured with Auto-Protect enabled. The administrator is confronted with computer performance issues. Which two options can the administrator use to improve performance? (Select two.)

A. Enable the option to Trust Files on Remote Computers Running Auto-Protect.
B. Enable the Risk Tracer option.
C. Edit the autoprotect.xml and increase the cache value.
D. Enable the option of Network Cache.
E. Enable the Preserve File Times option.

Correct Answer: AD
Section: (none)

QUESTION 65
An administrator is modifying a Virus and Spyware Protection policy for a Symantec Endpoint Protection 12.1 (SEP) client because it is demonstrating poor boot performance. Which option should the administrator consider to alleviate this problem?

A. Ensure that Risk Tracer is disabled.
B. Load Auto-Protect during the startup of SEP.
C. Enable File Cache across reboots.
D. Modify the policy to use Insight Cache.

Correct Answer: B
Section: (none)

QUESTION 66
Which technology uses heuristics to scan outbound email?

A. Internet Email Auto-Protect
B. Microsoft Outlook Auto-Protect
C. Lotus Notes Auto-Protect
D. SONAR

Correct Answer: A
Section: (none)

QUESTION 67
Which type of email does Internet Email Auto-Protect support?

A. IMAP based email
B. HTTP/s based email
C. SMTP based email
D. Outlook Web Access (OWA)

Correct Answer: C
Section: (none)

QUESTION 68
Refer to the exhibit.

In the use case displayed in the exhibit, why is the administrator unable to save the changes to this file?

A. Application Control is preventing Notepad from accessing the host file.
B. SONAR is set to block host file modifications.
C. Tamper Protection is enabled.
D. The Auto-Protect feature detected a malicious activity.

Correct Answer: B
Section: (none)

QUESTION 69
What could be an adverse effect of activating aggressive mode on the SONAR policy?

A. false negatives
B. false positives
C. performance issues
D. higher rejection rate

Correct Answer: B
Section: (none)

QUESTION 70
Which two options are available when configuring high risk detection in SONAR? (Select two.)

A. Block
B. Skip
C. Quarantine
D. Log
E. Delete

Correct Answer: CD
Section: (none)

QUESTION 71
Acrobat Reader is being targeted by a threat using process injection. Which feature of SONAR is sandboxing Acroread32.exe so that the threat is prevented from dropping its payload?

A. Commercial Application Detection
B. Suspicious Behavior Detection
C. System Change Events
D. Signature Based Detection

Correct Answer: B
Section: (none)

QUESTION 72
Which two options are available when configuring DNS change detected for SONAR? (Select two.)

A. Block
B. Skip
C. Quarantine
D. Log
E. Delete

Correct Answer: AD
Section: (none)

QUESTION 73
A company is building a new Symantec Endpoint Protection Manager and is setting the remediation actions for threats in the Virus and Spyware Protection policy. For security risks, the first action is set to Repair and the second action is Quarantine. In this environment, Symantec Endpoint Protection 12.1 (SEP) has been deployed to a small group of clients for testing. Which condition would cause Auto-Protect to stop sending notifications and stop logging the event after three detections?

A. A client continuously downloads the same security risk.
B. File System Auto Protect is malfunctioning on the SEP Client.
C. SEP services on the client are stopped.
D. SEP is unable to read virus definitions.

Correct Answer: A
Section: (none)

QUESTION 74
An administrator set the remediation options for Security Risks to the defaults (Quarantine, then Delete). However, the security team is the only team authorized to have Hack Tools on their systems. Which two steps must the administrator complete to accomplish this? (Select two.)

A. Create a specific group for Security Team.
B. Turn on inheritance for the Security Team group.
C. Assign a Virus and Spyware Protection policy with customized remediation options set.
D. Set a specific location for the My Company group.
E. Unlock the padlock in Auto-Protect for Remote Access.

Correct Answer: AC
Section: (none)

QUESTION 75
Where is a file encrypted and saved to when the "Backup files before attempting to repair them" setting is enabled?

A. the local Windows Temp (C:\Windows\Temp) directory
B. the local Quarantine folder
C. the FileBackup folder within the Application Data\Symantec directory
D. the local Symantec Endpoint Protection Temp folder

Correct Answer: B
Section: (none)

QUESTION 76
In which two situations would Symantec Endpoint Protection 12.1 (SEP) generate a Left Alone action? (Select two.)

A. Another scan is in progress.
B. The detected file is in use.
C. There are limited permissions to the file on the system.
D. The file is marked for deletion by Windows on reboot.
E. Virus definitions are corrupt or missing.

Correct Answer: BC
Section: (none)

QUESTION 77
A company is deploying Symantec Endpoint Protection 12.1 and configuring remediation options within the Virus and Spyware Protection policy. They are considering enabling "Terminate processes automatically" within the remediation options. If this feature is enabled, which two characteristics will the user see when the client must terminate a process to remove or repair a risk? (Select two.)

A. When this option is enabled, the client automatically takes the necessary action without notifying users.
B. When a restart is required, the machine automatically reboots and the user is unable to opt out of the restart.
C. When this option is enabled, the client notifies the user of ending processes to mitigate the threat.
D. When this option is enabled, the client generates an entry in the Risk logs that a process was terminated automatically.
E. When a restart is required, the user is allowed to save data and close open applications or to opt out of the restart.

Correct Answer: AE
Section: (none)

QUESTION 78
An administrator is reviewing risk logs in the Symantec Endpoint Protection Manager (SEPM) and notices that some entries list that the "Risk was partially removed". The administrator wants to determine whether additional steps are necessary to remediate the threat. How should the administrator proceed?

A. Review the threat writeup and run a full system scan on the machine.
B. Perform a repair of the Symantec Endpoint Protection install on the machine.
C. Submit infected file to Security Response to see if it is a new variant.
D. Change remediation actions in the Virus and Spyware Protection policy in the SEPM.

Correct Answer: A
Section: (none)

QUESTION 79
A clean file in a proprietary application has been quarantined by SONAR. How can an administrator fix the broken application from the Symantec Endpoint Protection Manager console?

A. Restore the application with the Client Deployment Wizard.
B. Allow the application from the Monitor Logs view.
C. Run the Enable Auto-Protect command on the client.
D. Run a new scan with a newer set of definitions.

Correct Answer: B
Section: (none)

QUESTION 80
Which Symantec Endpoint Protection 12.1 feature allows an administrator to prevent users from downloading files that are unsafe?

A. SONAR
B. Insight
C. Application Control
D. Trusted Web Domain exceptions

Correct Answer: B
Section: (none)

QUESTION 81
A company is concerned that its clients may be out-of-date and it wants to ensure that all running applications are protected with Symantec's latest definitions, even if they are unavailable on the Symantec Endpoint Protection 12.1 (SEP) client. How could the company configure SEP to achieve this goal?

A. Enable SONAR with High Risk detections set to Quarantine.
B. Enable Insight Lookup as part of a daily scheduled scan.
C. Enable Insight for Community and Symantec Trusted Files.
D. Enable and apply an Intrusion Prevention policy.

Correct Answer: B
Section: (none)

Topic 2, Volume B

QUESTION 82
What is the likely impact of increasing the Download Insight sensitivity?

A. It would block files that trend towards a poor reputation and decrease false positives.
B. It would allow only files with a good reputation and decrease false positives.
C. It would allow only files that trend toward a good reputation and increase false positives.
D. It would block files that have a poor reputation and decrease false positives.

Correct Answer: C
Section: (none)

QUESTION 83
A customer is downloading newly-created company files from an internal website and is being blocked by Download Insight based on reputation. How can the customer prevent this?

A. Change the minimum number of days in the Download Insight settings.
B. Change the minimum number of users in the Download Insight settings.
C. Increase the sensitivity slider in the Download Insight settings.
D. Enable the option to trust files downloaded from an intranet website in the Download Insight settings.

Correct Answer: D
Section: (none)

QUESTION 84
An administrator wants to make sure users are warned when they decide to download potentially malicious files. Which option should the administrator configure?

A. the Notifications tab under the admin-defined scan settings
B. the Notifications tab under Auto-Protect settings
C. the Network Protection Security event notification in location-specific settings
D. the Notifications tab under Download Insight settings

Correct Answer: D
Section: (none)

QUESTION 85
Refer to the exhibit.

A user runs a full scan on a system and is confused by the "Files trusted" count. Which option will result in the files being left unscanned?

A. Enabling the "Only when files are executed" setting in the Virus and Spyware Protection policy.
B. Enabling the "Do not scan files when trusted processes access the files" setting in the Virus and Spyware Protection policy.
C. Enabling Insight in the Virus and Spyware Protection policy.
D. Enabling the file cache settings in the Virus and Spyware Protection policy.

Correct Answer: C
Section: (none)

QUESTION 86
A customer reports that users are able to download new files from the internet and execute those files on their own computers. What can be configured to prevent this?

A. Decrease the Download Insight sensitivity.
B. Change the action for unproven files in Download Insight.
C. Change the second action for malicious files in Download Insight.
D. Change the first action for malicious files in Download Insight.

Correct Answer: B
Section: (none)

QUESTION 87
A computer is configured in Mixed Control mode. The administrator creates and applies a Firewall policy to the computer that has a rule that allows FTP traffic above the blue line and another rule that blocks LDAP traffic below the blue line. On the computer, local rules are created to allow LDAP traffic and block FTP traffic. Which traffic flow behavior should be expected on the local computer?

A. Both FTP and LDAP traffic are allowed.
B. Both FTP and LDAP traffic are blocked.
C. FTP is blocked and LDAP is allowed.
D. FTP is allowed and LDAP is blocked.

Correct Answer: A
Section: (none)

QUESTION 88
Refer to the exhibit.

A company has created a specific firewall policy that allows only certain traffic. Which traffic is allowed in the firewall policy displayed in the exhibit?

A. traffic on port 23 from Telnet (telnet.exe)
B. traffic on port 25 from Outlook (outlook.exe)
C. traffic on port 110 from Outlook (outlook.exe)
D. traffic on port 80 from Internet Explorer (iexplore.exe)
E. traffic on port 443 from Internet Explorer (iexplore.exe)

Correct Answer: D
Section: (none)

QUESTION 89
A company is running the Symantec Endpoint Protection 12.1 firewall and wants to ensure that DNS traffic is allowed. Which feature should be enabled in the firewall policy?

A. DNS exception
B. DNS Lookup
C. Reverse DNS Lookup
D. Smart DNS

Correct Answer: D
Section: (none)

QUESTION 90
A system administrator created a firewall policy that allows certain applications and blocks others. However, some applications are being blocked that should be allowed. Which log should be viewed to troubleshoot this issue?

A. Application log
B. System log
C. Traffic log
D. Control log

Correct Answer: C
Section: (none)

QUESTION 91
An administrator has defined a rule to allow traffic to and from a specific server by its Fully Qualified Domain Name (FQDN), because the server's IP address varies based on the office in which a client is located. The administrator attempts to verify the rule and finds that the traffic is being blocked. The logs list the IP address of the server instead of its FQDN. What does the administrator need to do within the firewall policy to allow the rule to work correctly?

A. Enable DNS lookup.
B. Enable reverse DNS lookup.
C. Disable Smart DNS.
D. Disable NetBIOS Protection.

Correct Answer: B
Section: (none)

QUESTION 92
A company is running the Symantec Endpoint Protection 12.1 firewall with the default policy. At the bottom of the ruleset, there is a rule called "Block all other IP traffic and log" which will block all IP traffic. A financial application is being blocked by this rule. What should be changed to allow the application without sacrificing security?

A. The existing rule should be changed.
B. A new rule should be created.
C. An existing rule should be deleted.
D. An existing rule needs to be reordered.

Correct Answer: B
Section: (none)

QUESTION 93
A company has a firewall policy with a rule that allows all applications on all ports. An administrator needs to modify the policy so that it allows Internet Explorer to communicate to any website, but only on port 80 and 443. In addition, the company only wants this modification to affect traffic from Internet Explorer. The administrator created a new rule at the top of the ruleset that allows Internet Explorer on port 80 and 443. Which step should the administrator take next?

A. Move the new rule below the Allow Applications rule.
B. Delete the Allow All Applications rule.
C. Modify the Allow All Applications rule to exclude Internet Explorer.
D. Create a new rule above the Allow All Applications rule to block Internet Explorer.

Correct Answer: D
Section: (none)

QUESTION 94
The Symantec Endpoint Protection 12.1 (SEP) client indicates that the Virus and Spyware Protection (AV) definitions are current, while the Intrusion Prevention System (IPS) signatures are one day older. How can an administrator determine whether this SEP client is up-to-date?

A. The administrator can tell the client is up-to-date because the AV definitions are the latest.
B. The administrator can tell the client is out-of-date because the IPS signatures are old.
C. The administrator needs to review the client Computer Status logs to determine whether the client is up-to-date.
D. The administrator needs to review the Symantec Security Response page to determine whether the client is up-to-date.

Correct Answer: D
Section: (none)

QUESTION 95
A company selected Opera 10 as its corporate browser. Drive-by downloads are occurring and SONAR intercepts the resulting scripts. How should the company proceed to minimize the occurrence of drive-by downloads?

A. Upgrade to Opera 11.
B. Use Internet Explorer or Firefox.
C. Enable browser protection.
D. Reboot the Symantec Endpoint Protection client.

Correct Answer: B
Section: (none)

QUESTION 96
Which Intrusion Prevention feature is updated automatically?

A. Intrusion Prevention custom signatures
B. SNORT syntax
C. Auto-Protect
D. Generic Exploit Blocking

Correct Answer: D
Section: (none)

QUESTION 97
An administrator needs to exclude some servers from an Intrusion Prevention System (IPS) policy. When specifying an excluded host in an IPS policy, which two methods can be used? (Select two.)

A. DNS host
B. IP address
C. MAC address
D. DNS domain
E. subnet

Correct Answer: BE
Section: (none)

QUESTION 98
An administrator needs to ensure that a specific network threat can be detected. The attack signatures for this threat may be found across multiple packets. What can the administrator do to ensure the best chance of detecting this threat?

A. Ensure that Symantec IPS signatures are updated.
B. Create custom IPS signatures
C. Enable TCP resequencing
D. Create a Firewall rule for this threat

Correct Answer: A
Section: (none)

QUESTION 99
A company organizes its clients into two groups: the Symantec Endpoint Protection Manager (SEPM) group with all the SEPMs and a Desktops group with all other systems. An Application and Device Control policy is used with the "Block modifications to hosts file" rule set enabled. This policy is applied to all groups in the company. How can an administrator modify the hosts file on the SEPM systems, while minimizing risks posed to the company?

A. Withdraw the policy from all clients, modify the hosts files, and reassign the policy.
B. Withdraw the policy from the SEPM group, modify the hosts files, and reassign the policy.
C. Modify the hosts file using an operating system-based system account.
D. Temporarily disable Network Threat Protection on each client when modifying the hosts file.

Correct Answer: B
Section: (none)

QUESTION 100
An administrator needs to customize the Application and Device Control policy to exclude all USB devices except for a specific, company-issued USB thumb drive. Which function or program, provided with the Symantec Endpoint Protection 12.1 software, should the administrator use to customize the environment?

A. DevViewer.exe
B. Sep_SupportTool.exe
C. SOIS.exe
D. vietool.exe

Correct Answer: A
Section: (none)

QUESTION 101
Refer to the exhibit.

A USB mouse is plugged in to a system that uses the device control displayed in the exhibit. What is the expected behavior?

A. The mouse is blocked until the user adds the device as a local client exception.
B. The mouse is blocked until an administrator adds the device to the exception policy.
C. The mouse will work as normal because the Human Interface Device exclusion takes precedence.
D. The mouse will work as normal because Mouse devices are missing from Blocked Devices.

Correct Answer: C
Section: (none)

QUESTION 102
Refer to the exhibit.

A company is using a custom application that writes its application settings in the registry. An administrator plans to prevent users from modifying these values, while ensuring that the custom application still functions correctly. An Application and Device Control policy is created with an application rule to block access to create, delete, or write attempts, for the registry keys used by the custom application. One way to ensure users are prohibited from the registry keys, but the custom application can still modify them, is to add an Application Control exception for the custom application. What is another way to ensure this functionality?

A. Add an application rule to allow access to create, delete, or write attempts, to the custom application folder.
B. Add an application rule to allow access to read attempts for the registry keys.
C. Add an application rule set that allows access to read attempts for the registry keys.
D. Add an application rule to allow access to create, delete, or write attempts for the custom application.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 103
A company needs to prevent users from modifying files in a specific program folder that is on all client machines. What needs to be configured?

A. a file and folder exception in the Exception policy
B. an application rule set in the Application and Device Control policy
C. a file fingerprint list and System Lockdown
D. a custom IPS signature in the Intrusion Prevention policy

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 104
An administrator is testing a new Application and Device Control policy. One of the rule sets being tested blocks the notepad.exe application from running. After pushing the policy to a test client, the administrator finds that notepad.exe is still able to run. The administrator verifies that the rule set is enabled in the Application and Device Control policy. Which two may be preventing the policy from performing the application blocking? (Select two.)

A. An Application exception has been configured in the Exceptions policy.
B. System Lockdown has been configured for the client.
C. Network Threat Protection needs to be installed on the client.
D. The rule set is in the "Test (log only)" mode.
E. A rule set with conflicting rules exists higher up in the policy.

Correct Answer: DE
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 105
An administrator enabled the default application control rule "Block writing to USB Drives", but needs to modify it so that clients can write to a specific make and model of company-authorized, encrypted USB drive. How should the administrator proceed?

A. Edit the rule set and add the device ID to the exceptions.
B. Edit the rule set and add a condition after the block condition to allow access to the specific device.
C. Edit the rule set and add a rule after the block rule to allow access to the specific device.
D. Using DevViewer, plug the device into the Symantec Endpoint Protection Manager and select "Add Device to Manager".

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 106
An administrator enables the "Learn applications that run on the client computers" setting for a group of clients. Later, when using the Search for Applications function, the administrator is unable to find results. What is the cause of the problem?

A. The administrator is a limited administrator without rights to view reports.
B. Application learning is disabled under communication settings at the site level.
C. Submissions are disabled on the Symantec Endpoint Protection client by the user.
D. Pull mode is enabled and is unsupported by application learning.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 107
A company creates free web access computers for use in public areas, such as airports. The software provided on the computers will be static and the systems must be secure. What should be used to restrict unauthorized applications from running on these computers?

A. client security settings and Tamper Protection
B. blocked devices in an Application and Device Control policy
C. file fingerprint list and System Lockdown
D. custom IPS signatures in an Intrusion Prevention policy

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 108
What is a benefit of enabling Browser Intrusion Prevention?

A. It uses a reputation and cloud-based technology to monitor and identify attacks on Internet Explorer and Firefox.
B. It sends traffic results to a dedicated Symantec server to determine whether the traffic is legitimate.
C. It monitors traffic on supported browsers by using attack signatures and heuristics.
D. It improves performance by allowing clients to share Intrusion Prevention scan results.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 109
Company A acquires Company B. Company B has 200 employees. Multiple firewall rules, based on collections of client addresses, are required to allow the new employees access to Company A's resources and permissions to use approved network applications. Which feature should be used to minimize the amount of time needed to create rules for these new clients?

A. Application rule sets
B. Host groups
C. Built-in rules
D. Network Services

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 110
Which two criteria can be used to determine hosts in a host group? (Select two.)

A. DNS domain
B. Subnet
C. Gateway address
D. WINS server
E. DHCP server

Correct Answer: AB
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 111
Which two criteria can be used to determine hosts in a host group? (Select two.)

A. MAC address
B. registry key
C. management server connection
D. DNS host
E. network connection type

Correct Answer: AD
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 112
According to Symantec best practices, which two tasks should be completed after creating file fingerprint lists, but prior to enabling System Lockdown? (Select two.)

A. Add any approved applications.
B. Move the Symantec Endpoint Protection Managers to a separate group.
C. Log unapproved applications.
D. Run the checksum.exe command on the clients.
E. Enable application learning.

Correct Answer: AC
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 113
Which port is used by default for replication between sites?

A. 2967
B. 8014
C. 8443
D. 9090

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 114
A company has deployed Symantec Endpoint Protection 12.1 in their corporate environment using a multi-site design. If an administrator makes policy changes in the United States site, when will the changes appear in the European site?

A. after the next heartbeat
B. after the next replication interval
C. immediately
D. after the policy changes are saved

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 115
In a management server list, Symantec Endpoint Protection Manager (SEPM) A is added to Priority 1, and SEPM B is added to Priority 2. This setup will provide which service?

A. load balancing
B. replication
C. failover
D. clustering

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 116
Which two configuration elements are needed in order to add a replication partner? (Select two.)

A. SQL Server IP and sa password
B. administrator name and password
C. site-to-site VPN tunnel
D. replication server name and port
E. internet access

Correct Answer: BD
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 117
Which two are optional when replicating between Symantec Endpoint Protection Managers? (Select two.)

A. groups
B. policies
C. logs
D. content
E. locations

Correct Answer: CD
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 118
What is the default replication frequency when adding an additional site to a Symantec Endpoint Protection 12.1 deployment?

A. 1 hour
B. 8 hours
C. daily
D. Auto replicate

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 119
Which step must be completed to set up two sites to replicate?

A. Add a new Management Server list with the replication partner added.
B. Launch the Replication Wizard from the Admin page and follow the prompts.
C. Install a SQL server on at least one site.
D. Install a Symantec Endpoint Protection Manager Server and database as a replication partner.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 120
Which authentication method must be used to provide the ability to reset forgotten passwords?

A. RSA SecurID Authentication
B. Smart Card Authentication
C. Symantec Management Server Authentication
D. Directory Authentication

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 121
An employee is taking leave for four months and the employee's workstation will be powered off and locked in an office. Why does the workstation disappear from the Symantec Endpoint Protection Manager (SEPM) Reports and Client view after 30 days?

A. Administrators used the "reclaim license" option.
B. The SEPM purges offline clients after a set amount of time.
C. The SEPM quarantines offline clients after a set amount of time.
D. The SEPM purges clients with expired licenses.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 122
How frequently does Symantec recommend that a Symantec Endpoint Protection Manager site check LiveUpdate for content updates?

A. every hour
B. every 4 hours
C. once a day
D. twice a day

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 123
Which two should be considered when enabling Application Learning in an environment? (Select two.)

A. Application Learning requires Virus and Spyware Protection.
B. Application Learning should be deployed on a small group of systems in the enterprise.
C. Application Learning can generate significant CPU or memory use on a Symantec Endpoint Protection Manager.
D. Application Learning can be used without using application-based firewall rules, Application Control rules, or Centralized Exceptions.
E. Application Learning is dependent on a properly configured firewall.

Correct Answer: BC
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 124
Where are directory servers added before importing Organizational Units (OU) or adding administrators to the Symantec Endpoint Protection Manager?

A. Site properties
B. Server properties
C. localhost properties
D. Import Server properties

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 125
A company is setting up a new environment with three Symantec Endpoint Protection Managers (SEPM) and wants to set one SEPM to act as the primary reporting server. Where in the SEPM should the administrator configure the priority reporting server to be used for running scheduled reports and notifications?

A. Local Host properties
B. Local Site properties
C. Scheduled reports
D. Server properties

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 126
A company suffered a catastrophic hardware failure on the Symantec Endpoint Protection Manager (SEPM) which was using a remote Microsoft SQL Server. The administrator has all required backups. The administrator restores the hardware and the operating system with the required software (including SEPM). What is the next step in the recovery procedure?

A. Export the server certificate from the SEPM console.
B. Customize the SEPM configuration using the recovery file.
C. Restore the SQL database to realign with SEPM restore.
D. Replace the Sylink.xml using the SylinkDrop.exe.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 127
An administrator is in the process of recovering from a disaster and needs the keystore password to update the certificate on the Symantec Endpoint Protection Manager (SEPM). From which two locations can the administrator obtain this information? (Select two.)

A. SEPM replication partners
B. original installation log
C. disaster recovery file
D. settings.properties file
E. Sylink.xml file from the SEPM

Correct Answer: CD
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 128
An administrator notices that the Symantec Endpoint Protection Manager (SEPM) embedded database is growing large and is taking longer to back up than desired. How can backup performance of the database be improved?

A. Change the number of backups to keep.
B. Reduce the number of log entries under Log Settings.
C. Change the backup frequency from Weekly to Daily.
D. Configure incremental backups in the SEPM.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 129
A Microsoft SQL Server containing a Symantec Endpoint Protection Manager (SEPM) database has encountered an unrecoverable hard drive failure. An administrator has rebuilt the Microsoft SQL Server and has confirmed that the SEPM can connect with the SQL Server. Which step should the administrator take next?

A. Select Rebuild Indexes from the SEPM console
B. Launch Checksum.exe database integrity tool
C. Use the Backup and Restore utility included with SEPM
D. Select Truncate Transaction Logs from the SEPM

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 130
Which operation can be performed using the Database Back Up and Restore utility found in the Windows Start menu?

A. on-demand backup of the database
B. scheduled monthly backup of the database
C. selection of the Symantec Endpoint Protection Manager to backup
D. selection of the backup location

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 131
A company suffered catastrophic hardware failure on the Symantec Endpoint Protection Manager (SEPM). The administrator restores the hardware and the operating system with the required software (including SEPM). The administrator then runs the SEPM Database Back Up and Restore utility. What is the most important consideration?

A. Ensure that the Microsoft SQL services are disabled on the server.
B. Ensure that the SEPM service is set to Manual and Running.
C. Ensure that the SEPM service is set to Automatic and Stopped.
D. Ensure that the embedded database service is set to Disabled and Stopped.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 132
An administrator has installed Symantec Endpoint Protection 12.1 using an embedded database. Which two database maintenance tasks are available in the Symantec Endpoint Protection Manager console? (Select two.)

A. truncating database transaction logs
B. limiting the client installation log entries
C. rebuilding of database indexes
D. deleting clients who have not connected recently from the console
E. limiting the number of backups to keep

Correct Answer: AC
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 133
An administrator is restoring a Microsoft SQL Symantec Endpoint Protection 12.1 database and installing a new Symantec Endpoint Protection Manager (SEPM). After completing the restore, the administrator notices that the clients are unable to connect to the SEPM. Which step did the administrator forget when performing the restore?

A. restoring the client certificate
B. restoring the server certificate
C. importing the previously backed up data
D. setting the SQL client folder

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 134
How can an administrator proactively obtain information about unknown devices on a network?

A. Use the Client Deployment Wizard feature to locate unmanaged endpoints.
B. Create an Unmanaged Computer notification.
C. Schedule an audit report to send to the administrator.
D. Run the Symantec Endpoint Discovery Tool.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 135
A company is building a new Symantec Endpoint Protection Manager (SEPM) and building email notifications that will go to the security team. Which two notification conditions should the team implement into the SEPM? (Select two.)

A. Unknown User
B. Invalid Host Name
C. Risk Outbreak
D. Group Update Provider Failure
E. Authentication Failure

Correct Answer: CE
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 136
An administrator needs to determine which versions of Symantec Endpoint Protection (SEP) are currently in the network. Which report provides this information?

A. Client Inventory report
B. Deployment report
C. SEP Product Versions report
D. Audit Inventory report

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 137
Which notification action can be performed when a security-related condition is met?

A. Send an SNMP trap.
B. Alert with a GUI popup on the admin console.
C. Run a batch file or another executable file.
D. Send an alert to a client.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 138
An administrator needs to check when and by which account a policy was modified. Which log query should the administrator use?

A. Compliance
B. Audit
C. Access
D. System

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 139
Which Symantec Endpoint Protection Manager feature allows an administrator to view and modify commonly accessed reports?

A. Favorite Reports Display list on the Monitors page
B. Scheduled Reports in the Reports section
C. Favorite Reports Display list on the Home page
D. Summary Dropdown in the Monitors section

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 140
Which two options can administrators customize on the Home page? (Select two.)

A. auto-refresh rate
B. number of reports
C. Favorite Reports
D. Common Tasks
E. types of endpoints listed

Correct Answer: AC
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 141
Refer to the exhibit.

An administrator has configured the Symantec Endpoint Protection Manager (SEPM) to use Active Directory authentication. The administrator defines a new Symantec Endpoint Protection administrator named Sep_SysAdmin, configured to use Directory Authentication. Which password needs to be entered when the administrator logs in to the SEPM console as Sep_SysAdmin?

A. the password for the Active Directory user that was mapped with Sep_SysAdmin
B. the password for the user named Sep_SysAdmin that was created in SEPM
C. the password for the user named Sep_SysAdmin that was created in Active Directory
D. the password for the Administrator account in Active Directory

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 142
What are two default access rights for various types of Symantec Endpoint Protection Manager Administrator accounts? (Select two.)

A. A system administrator can view and modify the entire organization.
B. An administrator can view and modify all features in a single domain and can view reports in other domains.
C. A limited administrator can view the entire organization.
D. An administrator can view multiple domains.
E. An administrator can view and modify all features in a single domain.

Correct Answer: AE
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 143
What are two responsibilities associated with the Limited Administrator account type in Symantec Endpoint Protection Manager? (Select two.)

A. view and manage console settings for domains
B. create and manage accounts in a single domain
C. create location specific policies
D. manage their own authentication type
E. remotely run commands on client computers

Correct Answer: CE
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 144
An administrator defines the Active Directory settings in the Symantec Endpoint Protection Manager (SEPM). The administrator adds an account named Sep_SysAdmin in the SEPM. This account is configured to use Active Directory Authentication. Which two settings can the administrator configure for the Sep_SysAdmin account? (Select two.)

A. Password Never Expires
B. Test Account
C. Password Expires in x Days (where x is any number)
D. Check the Password Strength
E. Select the Directory Server

Correct Answer: BE
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 145
Refer to the exhibit.

An administrator defines the Active Directory settings in the Symantec Endpoint Protection Manager as displayed in the exhibit. Which port number should be used for LDAP?

A. 389
B. 636
C. 637
D. 639

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 146
Which two can be used when defining location switching criteria for the Symantec Endpoint Protection 12.1 client? (Select two.)

A. NIC description
B. OS type
C. MAC address
D. WINS server
E. client version

Correct Answer: AD
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 147
A company wants to reduce or eliminate the HelpDesk calls they receive due to end users modifying, moving, or deleting configuration files. Which component of Symantec Endpoint Protection will allow the IT administrator to prevent users from altering configuration files?

A. Privilege De-escalation
B. Proactive Threat Detection
C. Application Control
D. Host Integrity

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 148
An administrator wants to ensure that all clients consider the content from the website www.symantec.com as safe. Where can the administrator configure this?

A. Exception policy
B. External Communication Settings
C. Security Settings
D. Browser Intrusion Prevention excluded domains

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 149
A company wants its clients to use the Group Update Provider (GUP) that is closest to them, but is concerned about what happens if the GUP is unavailable or goes offline. Which two options could mitigate this issue? (Select two.)

A. Increase the maximum number of simultaneous downloads to clients.
B. Configure the Symantec Endpoint Protection Manager failover options.
C. Configure GUP roaming in the external communications settings.
D. Configure a failover GUP in the multiple GUP options.
E. Configure the maximum bandwidth allocated to a GUP.

Correct Answer: BD
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 150
By default, the Client User Interface control is set to Server Control. Which two actions will the user who is logged in as a Windows administrator be able to perform? (Select two.)

A. Change Virus and Spyware Protection settings.
B. Edit firewall rules below the blue line.
C. Change between Push and Pull mode.
D. Disable Tamper Protection.
E. Edit the Intrusion Prevention policy.

Correct Answer: AD
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 151
Which technology does the Symantec Endpoint Protection Firewall use?

A. proxy inspection
B. packet filtering
C. stateful packet inspection
D. application gateway proxy

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 152
How many Symantec Endpoint Protection Managers can connect to an embedded database?

A. one
B. two
C. four
D. unlimited

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 153
A large enterprise plans to deploy Symantec Endpoint Protection 12.1 (SEP) on 36,000 virtual endpoints distributed across 1,800 VMware ESX servers in a single datacenter. A system administrator needs to optimize endpoint scanning performance by enabling Shared Insight Cache (SIC) server functionality. Which two configuration changes should the administrator make to minimize the number of SIC servers that need to be deployed? (Select two.)

A. Perform regular scans of all virtual systems with the offline image scanner.
B. Enable scanning randomization across all SEP endpoints.
C. Enable virtual image exceptions across all SEP endpoints.
D. Disable Insight lookups for threat detection on each virtual SEP endpoint.
E. Enable download randomization across all SEP endpoints.

Correct Answer: BC
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 154
Which statement describes a difference between Virtual Image Exceptions (VIE) and Shared Insight Cache (SIC)?

A. VIE tracks executable files, whereas SIC tracks all file types.
B. VIE data is stored on the local system, whereas SIC data is placed in a shared location.
C. SIC tracks whitelisted and malicious files, whereas VIE tracks only whitelisted files.
D. SIC can query Symantec Insight, whereas VIE is unable to make Symantec Insight queries.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 155
Refer to the exhibit. A customer configures location awareness as displayed in the exhibit, but the client fails to change from the Out of Office location to the Office location, even though it is connected to the Symantec Endpoint Protection Manager. What is wrong?

A. The client connection specific DNS suffix needs to be example.com.
B. The Remember Last Location setting is enabled.
C. The Enable Location Awareness setting is disabled.
D. The Out of Office location is the default location.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 156
An administrator enabled virtual image exceptions for Auto-Protect and Administrator-Defined scans on virtual machines. In order to protect against previously undetected threats, the administrator must regularly scan the static instance of the virtual machine image set which includes the files that have been whitelisted. In addition to cleaning the static image set, which additional step must the administrator complete if threats are discovered?

A. Select the threat in the log and add it as an exception.
B. Use the Symantec Offline Image Scanner (SOIS) on the static image.
C. Ensure that virtual client tagging is enabled.
D. Use the vietool to update the whitelist.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 157
A user is downloading a file from https://www.example.com to the local system. The user is able to download and save that file even though it is a known malicious application. Why is the user able to download the application?

A. A SONAR exception is in place.
B. An Application Control exception for the file is in place.
C. A Trusted Web Domain exception is in place.
D. Download Insight exceptions are disabled.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 158
In addition to preventing Symantec Endpoint Protection 12.1 (SEP) from being stopped maliciously, which other two functions does Tamper Protection perform? (Select two.)

A. It prevents a user from stopping the SEP services.
B. It prevents the SEP Registry keys from being deleted.
C. It prevents SEP from stopping third party applications.
D. It prevents the SEP files and folders from being changed.
E. It prevents the user from opening the SEP client interface.

Correct Answer: BD
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 159
In addition to adding exceptions directly into an Exceptions policy, what is another method of adding exceptions?

A. adding the exception to a policy from the Application Control log
B. importing the exception into a policy from the Notifications window
C. adding the application exception to a File Fingerprint list
D. adding the exception from the Threat report

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 160
A managed Symantec Endpoint Protection 12.1 (SEP) client is in a group that has a Virus and Spyware Protection policy specifying that all files must be scanned. An Exceptions policy has been applied to the group by the SEP administrator. The Exceptions policy has an empty exclusions list. A local user of the client has added an Exception to exclude C:\temp. What will happen if a user attempts to download a file to the C:\temp folder?

A. The local exclusion will be ignored.
B. The user will be prompted to override the group's policy.
C. The local exclusion will allow malware.
D. The group's policy will negate the local exception.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 161
Which action does the Shared Insight Cache (SIC) server take when the whitelist reaches maximum capacity?

A. The SIC server allocates additional memory for the whitelist as needed.
B. The SIC server will start writing the cache to disk.
C. The SIC server will remove the least recently used items based on the prune size.
D. The SIC server will remove items with the fewest number of votes.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 162
Which statement is true about the Database Backup and Restore utility?

A. It backs up and restores only an embedded database.
B. It allows an administrator to pause and resume backups.
C. It saves database backups to the local computer.
D. It backs up and restores the certificate keystore.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 163
When the Symantec Endpoint Protection 12.1 client firewall defends against a MAC spoof attack, what does it drop?

A. ICMP response
B. IP redirect
C. gratuitous ARP
D. TCP reset

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 164
All email Auto-Protect options are disabled, and an administrator receives an email from an associate with a .zip file attached. There are three files in the .zip file that are needed for the administrator's presentation the next day. What neither of them realizes is that one of the files is infected with a virus. When will File System Auto-Protect detect this infected file?

A. when the email is opened
B. when the .zip file is opened
C. when the .zip file is saved to the administrator's desktop
D. when the email is closed

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 165
Which feature can be configured to increase or decrease performance of scheduled scans?

A. scan frequency
B. CPU throttling
C. heartbeat interval
D. tuning options

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

Exam C

QUESTION 1
Which Symantec Endpoint Protection 12.1 protection technology provides the primary protection layers against zero-day network attacks?

A. SONAR
B. Client Firewall
C. Intrusion Prevention
D. System Lockdown

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 2
According to Symantec, what is a botnet?

A. systems infected with the same virus strain
B. groups of systems performing remote tasks without the users' knowledge
C. groups of computers configured to steal credit card records
D. compromised systems opening communication to an IRC channel

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 3
A financial company has a security policy that prevents banking system workstations from connecting to the internet. Which Symantec Endpoint Protection 12.1 protection technology will be prevented from working on the company's workstations?

A. Insight
B. Application and Device Control
C. Network Threat Protection
D. LiveUpdate

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 4
In addition to performance improvements, which two benefits does Insight provide? (Select two.)

A. reputation scoring for documents
B. zero-day threat detection
C. protection against system files modifications
D. false positive mitigation
E. blocking of malicious websites

Correct Answer: BD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 5
How does the Intrusion Prevention System add an additional layer of protection to Network Threat Protection?

A. It inspects the TCP packet headers and tracks the sequence number.
B. It performs deep packet inspection, reading the packet headers, and data portion.
C. It examines TCP/IP traffic from the application and traces the source of the traffic.
D. It monitors IP datagrams for abnormalities.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 6
The fake antivirus family "PC scout" infects systems with a similar method regardless of its variant. Which SONAR sub-feature can block new variants of the same family, based on sequence of events?

A. artificial intelligence
B. behavioral heuristic
C. human authored signatures
D. behavioral policy lockdown

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 7
Drive-by downloads are a common vector of infections. Some of these attacks use encryption to bypass traditional defense mechanisms. Which Symantec Endpoint Protection 12.1 protection technology blocks such obfuscated attacks?

A. SONAR
B. Bloodhound heuristic virus detection
C. Client Firewall
D. Browser Intrusion Prevention

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 8
Which Symantec Endpoint Protection 12.1 defense mechanism provides protection against worms like W32.Silly.FDC, which propagate from system to system through the use of autorun.inf files?

A. Application Control
B. SONAR
C. Client Firewall
D. Exceptions

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 9
A company is experiencing a malware outbreak. The company deploys Symantec Endpoint Protection 12.1, with only Virus and Spyware Protection, Application and Device Control, and Intrusion Prevention technologies. Why would Intrusion Prevention be unable to block all communications from an attacking host?

A. Intrusion Prevention needs the firewall component to block all traffic from the attacking host.
B. Intrusion Prevention blocks the attack only if the administrator wrote a signature for it.
C. Intrusion Prevention definitions are out-of-date.
D. Intrusion Prevention is set to log only.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 10
Which Symantec Endpoint Protection 12.1 component uses reputation to evaluate a file?

A. Shared Insight Cache server
B. Symantec Endpoint Protection client
C. Symantec Endpoint Protection Manager
D. LiveUpdate Administrator server

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 11
Which Symantec Endpoint Protection 12.1 component provides services to improve the performance of virtual client scanning?

A. Shared Insight Cache server
B. LiveUpdate Administrator server
C. Symantec Protection Center
D. Group Update Provider

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 12
How many Symantec Endpoint Protection Managers can be connected to an embedded database?

A. 1
B. 2
C. 5
D. 10

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 13
Which component is required in order to run Symantec Endpoint Protection 12.1 protection technologies?

A. Symantec Endpoint Protection Manager
B. Symantec Endpoint Protection client
C. LiveUpdate Administrator server
D. Symantec Protection Center

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 14
Which Symantec Endpoint Protection 12.1 component provides single-sign-on to the Symantec Endpoint Protection Manager and other products, along with cross-product reporting?

A. Symantec Reporting server
B. Symantec Security Information Manager
C. IT Analytics
D. Symantec Protection Center

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 15
Which Symantec Endpoint Protection 12.1 component uses Sybase SQL Anywhere?

A. Symantec Endpoint Protection Manager embedded database
B. Symantec Endpoint Protection Manager remote database
C. LiveUpdate Administrator server
D. Shared Insight Cache server

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 16
Which Symantec Endpoint Protection 12.1 component improves performance because known good files are skipped?

A. LiveUpdate Administrator server
B. Group Update Provider
C. Shared Insight Cache server
D. Central Quarantine server

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 17
How can an administrator manage multiple, independent companies from one database while maintaining independent groups, computers, and policies?

A. Set up limited administrators with appropriate rights.
B. Set up separate domains.
C. Set up additional sites using a single database.
D. Set up separate locations and turn off inheritance.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 18
A company with one site has a factory with computers in the manufacturing area. Both factory managers and operators need to log in to these shared computers. Different policies will be applied depending on whether the individual logging in to the machine is a manager or an operator. Which Symantec Endpoint Protection 12.1 feature provides this ability?

A. Computer mode
B. Active Directory synchronization
C. User mode
D. Console authentication

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 19
An administrator is logged in to the Symantec Endpoint Protection Manager (SEPM) console for a system named SEPM01. The groups and policies that were previously in the SEPM01 console are unavailable and have been replaced with unfamiliar groups and policies. What was a possible reason for this change?

A. The administrator was modified from using Computer mode to User mode.
B. The administrator was logged in to the incorrect domain for SEPM01.
C. The administrator was changed from a limited administrator to a system administrator.
D. The administrator was using the Web console instead of the Java console.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 20
Which two objects in the Symantec Endpoint Protection Manager console describe the most granular level to which a policy can be applied? (Select two.)

A. Site
B. Domain
C. Group
D. Location
E. Computer
F. User

Correct Answer: CD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 21
An administrator creates a new domain in the Symantec Endpoint Protection Manager console. How can the administrator copy policies from the old domain to the new domain?

A. Export the policy from the old domain and import it into the new domain.
B. Copy the policy in the old domain and paste the policy into the new domain.
C. Copy the old domain's policy XML file into the folder for the new domain.
D. Back up the old domain's database and restore it into the new domain.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 22
A company plans to expand its Symantec Endpoint Protection 12.1 (SEP) infrastructure by creating a second site for use in replication. At a minimum, which two tasks need to be completed to create the second site? (Select two.)

A. A new Symantec Endpoint Protection Manager needs to be installed.
B. A new SEP domain needs to be created.
C. A new SEP database needs to be created.
D. An SEP administrator needs to be given replication rights.
E. A new SEP location needs to be created.

Correct Answer: AC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 23
A company is transitioning from using policies based on the individual that logs in to the client machine to policies based only on the client machine. Which Symantec Endpoint Protection 12.1 change will the organization need to perform?

A. Move from User mode to Computer mode.
B. Move from Computer mode to User mode.
C. Use groups synchronized from Active Directory.
D. Use groups created manually.
E. Turn on location awareness.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 24
A company has a single datacenter at its main office and 10 branch offices with 100 computers in each office. The branch offices are connected to the datacenter with a 56k network link. The customer wants the Symantec Endpoint Protection Manager (SEPM) to be installed in the datacenter. What can be done at the branch offices to reduce the bandwidth caused by definition updates from the Symantec Endpoint Protection clients at each branch office?

A. Enable a Group Update Provider at each branch office.
B. Reduce the number of virus definitions cached on each client.
C. Place a SEPM database in each branch office.
D. Use the Shared Insight Cache server in each branch office.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 25
A LiveUpdate policy allows for configuring single Group Update Providers (GUPs) or multiple GUPs from a list. What is a limitation when using multiple GUPs?

A. Less content can be cached.
B. They can only communicate with clients in the same Windows domain.
C. They can only communicate with clients in the same local subnet.
D. Fewer clients can be communicated with.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 26
A company recently purchased the Symantec Endpoint Protection 12.1 (SEP) product. It has two datacenters and wants to configure SEP for high availability, so that if one datacenter goes down, the SEP clients can smoothly fail over to the other datacenter. What should be done to allow SEP clients to fail over from one datacenter to the next?

A. Install a Group Update Provider at each datacenter and configure replication.
B. Install a Symantec Protection Center at each datacenter and configure replication.
C. Install a Symantec Endpoint Protection Manager at each datacenter and configure replication.
D. Install a Symantec Site Server at each datacenter and configure replication.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 27
Refer to the exhibit.
A branch office needs to forward logs to the headquarters. The administrator is configuring the site Branch

A. Which setting should be enabled to achieve this?

B. Replicate the log from the local site to this partner site.
C. Replicate the log from this partner site to the local site.
D. Auto Replicate.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 28
A company has multiple offices and is unsure whether to use the Symantec Endpoint Protection Manager (SEPM) or the Group Update Provider (GUP) at the offices. When should the company use the SEPM rather than the GUP?

A. when the site has a local Windows server
B. when the site has a large number of clients
C. when the site has a low bandwidth network connection
D. when the site has more than one subnet

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 29
A new installation of the Symantec Endpoint Protection 12.1 (SEP) is running on a trial license. For how long can managed SEP clients receive updates?

A. 30 days
B. 60 days
C. 90 days
D. 120 days

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 30
Which two Symantec Endpoint Protection 12.1 (SEP) standalone tools are available for malware scanning and remediation? (Select two.)

A. Symantec Power Eraser
B. Symantec Endpoint Recovery Tool
C. Symantec Offline Image Scanner
D. Symantec Protection Center
E. CleanWipe

Correct Answer: AB
Section: (none)
Explanation

Explanation/Reference:

QUESTION 31
For replication, Symantec recommends that the number of sites be kept to five for optimum performance. What can be done to reduce the number of sites?

A. Replicate log data in both directions.
B. Limit the number of clients per manager.
C. Spread the clients over additional domains.
D. Add Group Update Providers for content distribution.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 32
In Symantec Endpoint Protection 12.1 Enterprise Edition (SEP), what happens when the Soft Enforcement license expires?

A. LiveUpdate stops.
B. Proactive Threat Protection is disabled.
C. SEP clients become unmanaged.
D. Content updates are allowed.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 33
A company is currently testing Symantec Endpoint Protection 12.1 on 100 clients. The company has decided to deploy SEP to an additional 20,000 clients. They are concerned about the number of clients supported on a single Symantec Endpoint Protection Manager (SEPM). What should the company do to ensure that the SEPM can support the clients?

A. Configure the clients for Pull mode.
B. Decrease the heartbeat interval.
C. Switch to HTTPS for client communications.
D. Switch to IIS as the web server.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 34
An administrator gets a browser certificate warning when accessing the Symantec Endpoint Protection Manager (SEPM) Web console. Where can the administrator obtain a self-signed certificate to prevent this warning from appearing?

A. SEPM console Licenses section
B. Symantec Protection Center
C. SEPM Web Access
D. Symantec Support

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 35
An administrator installed Symantec Endpoint Protection 12.1 (SEP) in the environment. However, the administrator wants to use secure communication and SSL authentication between clients and the Symantec Endpoint Protection Manager (SEPM). How should the administrator proceed?

A. Configure and apply certificate in IIS on SEPM.
B. Configure SSL in the Apache Tomcat Web Server.
C. Edit http.conf.properties and change the port to 443.
D. Use public and private key configuration on SEPM 12.1.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 36
Refer to the exhibit.
Inheritance is turned on only for groups England, Sales, Laptops, and Manchester (highlighted). Without turning inheritance off, which top level group must be modified to affect users in the Laptop group?

A. My Company
B. England
C. London
D. Sales

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 37
A client is unable to communicate with the Symantec Endpoint Protection Manager (SEPM) Server. The administrator decides to replace the Sylink.xml file on the client using the SylinkDrop tool. Which two additional tasks can be accomplished by replacing the Sylink.xml file? (Select two.)

A. Convert an unmanaged client to a managed client.
B. Migrate the SEPM servers to a new domain.
C. Enable remote troubleshooting for administrators.
D. Update Symantec Endpoint Protection client to the latest eraser engine.
E. Migrate or move clients to a new domain or management server.

Correct Answer: AE
Section: (none)
Explanation

Explanation/Reference:

QUESTION 38
A manufacturing company runs three shifts. Employees at the facility must share computers. The administrators need to apply different policies/configurations for each shift. The administrator will need to switch the clients to User mode. Which two additional configuration changes need to be made to allow policies to be applied to each shift? (Select two.)

A. Create one group for all computers on each shift.
B. Create one group for all users on each shift.
C. Turn on inheritance for all groups.
D. Turn on inheritance for all users.
E. Turn off inheritance for each user group created.
F. Turn off inheritance for each computer group created.

Correct Answer: BE
Section: (none)
Explanation

Explanation/Reference:

QUESTION 39
An administrator makes a change in the Active Directory structure which has been imported into the Symantec Endpoint Protection Manager (SEPM). By default, when will the change automatically be reflected in the SEPM?

A. as soon as the change is made in Active Directory
B. maximum 1 hour
C. maximum 4 hours
D. maximum 24 hours

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 40
A Symantec Endpoint Protection Manager (SEPM) administrator is importing from an Active Directory environment. The administrator needs to know which object types are being imported. Which two object types are imported into the SEPM from Active Directory? (Select two.)

A. policy
B. users
C. computers
D. services
E. groups

Correct Answer: BC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 41
When can an administrator delete a location?

A. when location awareness has been turned off
B. when the group has inheritance turned off
C. when all clients are moved from the group
D. when the policy has been withdrawn

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 42
A large oil company has a small exploration department that is remotely located and rarely has internet connectivity. Which client type would allow the exploration department to configure their own security policies?

A. Mixed-mode client
B. User-mode client
C. Managed client
D. Unmanaged client

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 43
A large software company has a small engineering department that is remotely located over a slow WAN connection. Which method will deploy the Symantec Endpoint Protection 12.1 (SEP) clients to the remote site using the smallest amount of network bandwidth?

A. Deploy the SEP clients using basic content.
B. Deploy the clients using the Push Install Wizard.
C. Install a Group Update Provider on a remote computer and then install the remote SEP clients.
D. Install a Group Update Provider on a local computer and then install the remote SEP clients.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 44
An administrator created a Symantec Endpoint Protection 12.1 (SEP) installation package without specifying the group to which the SEP clients should belong. What will happen when the administrator tries to install a SEP client using the installation package?

A. The SEP client installation will fail.
B. The SEP client will prompt the administrator to specify a group.
C. The Symantec Endpoint Protection Manager will prompt the administrator to specify a group.
D. The SEP client will be installed into a default group.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 45
A Symantec Endpoint Protection 12.1 (SEP) administrator discovers that a firewall is blocking Windows file sharing. Which method can bypass the firewall and allow the SEP clients to be installed with a minimum amount of effort?

A. Remote Push
B. Web Link and Email
C. Create Pull Mode client
D. Administrative share (C$) deployment

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 46
A Symantec Endpoint Protection 12.1 (SEP) administrator deployed SEP clients, but the SEP clients are failing to register with the Symantec Endpoint Protection Manager (SEPM). Which solution would allow the clients to register with the SEPM?

A. Disable the firewall on the SEP client.
B. Allow port 8014 through the network firewall between the SEPM and the client.
C. Modify the network firewalls so that stateful packet inspection is performed.
D. Open the ephemeral TCP ports on the SEP client firewall.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 47
A Symantec Endpoint Protection 12.1 (SEP) administrator suspects that newly arrived computers are infected with a virus. Which steps should the administrator take when installing the SEP client on the new computers?

A. Choose the Evaluate before installation SEP client feature set.
B. Install an unmanaged client first, then install a managed client after the virus is removed.
C. Install Norton Removal Tool, then install the SEP client.
D. Run Power Eraser, then install the SEP client.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 48
An administrator wants to deploy the Symantec Endpoint Protection 12.1 (SEP) client to computers that are lacking the Symantec Endpoint Protection client. Which tool should the administrator use to discover and deploy the SEP client to the computers?

A. Unmanaged Detector
B. Client Deployment Wizard
C. Symantec Endpoint Recovery Tool
D. Symantec Endpoint Discovery Tool

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 49
A Symantec Endpoint Protection 12.1 (SEP) administrator is remotely deploying SEP clients, but the clients are failing to install on Windows XP. Which two could be preventing installation? (Select two.)

A. Clients are members of a Windows domain and have Windows firewall enabled.
B. Clients are members of a Windows domain and have Windows firewall disabled.
C. Clients are members of a workgroup and simple file sharing is disabled.
D. Clients are members of a workgroup and simple file sharing is enabled.
E. Clients are members of a Windows domain and have a DHCP address.

Correct Answer: AD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 50
Which Symantec Endpoint Protection client component must be installed to enable Unmanaged Detector mode?

A. Virus and Spyware Protection
B. SONAR
C. Network Threat Protection
D. Network Access Control

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 51
In which client management log can an administrator identify when the client last connected to the Symantec Endpoint Protection Manager?

A. Compliance
B. Audit
C. System
D. Event

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 52
Which command line syntax invokes the Symantec Endpoint Protection Client Service to determine whether a more recent copy of the configuration file is available on the management server?

A. smc -getconfig
B. smc -getsylink
C. smc -update
D. smc -updateconfig

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 53
Immediately after installation, what does a managed client do to contact the Symantec Endpoint Protection Manager (SEPM)?

A. Initiate communication on port 80.
B. Initiate communication on port 8014.
C. Initiate communication on port 8445.
D. Wait for the SEPM if in Push mode.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 54
Refer to the exhibit.
The status of two clients on the Symantec Endpoint Protection Manager is provided in the exhibit. They indicate that the clients are "Offline". What does the Offline status indicate?

A. Live Update is not running on clients.
B. Antivirus is disabled in clients.
C. There are communications issues with clients.
D. Installation was unsuccessful on clients.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 55
Refer to the exhibit.
What does the symbol to the left of the system name, SEPMGR12, indicate?

A. The firewall is enabled.
B. The Symantec Endpoint Protection Manager is running.
C. The system is online.
D. The Unmanaged Detector is enabled.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 56
Some customers report that when they run the command "smc -stop" on their clients, they are unable to connect to network resources. What is wrong?

A. The customers need to enable the Smart DHCP option in their firewall policy.
B. The security option "Block all traffic until the firewall starts and after the firewall stops" is enabled.
C. A location awareness policy has been configured that applies when the service is stopped.
D. The network card is blocked by a Device Control policy.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 57
A company successfully deploys Symantec Endpoint Protection 12.1 to its clients. However, when the company deploys the client to the servers, the servers immediately reboot. The company needs to prevent the servers from rebooting during normal business hours. What is wrong?

A. The "Hard restart" option is enabled in the Restart Settings tab.
B. The "Restart immediately if the user is not logged in" option is enabled.
C. A previous version of the client was installed.
D. There is "No prompt" configured on the Restart Settings tab.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 58
A company has three groups of clients: Laptops, Desktops, and Servers. Administrators must have the ability to perform manual scans for these clients from the Symantec Endpoint Protection Manager. In addition, the manual scans need to be customized according to the different clients, for example by customizing whether memory is scanned and which folder locations are scanned. How can the environment be configured to provide this ability while minimizing management overhead?

A. Configure one Virus and Spyware Protection policy with a customized On-Demand scan and set different Exception policies for each group.
B. Configure one Virus and Spyware Protection policy with three customized On-Demand scans.
C. Configure one Virus and Spyware Protection policy with three customized Scheduled scans and setting the schedule to Manual.
D. Configure a different Virus and Spyware Protection policy for each group with customized On-Demand scans.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 59
A Symantec Endpoint Protection 12.1 group has two defined locations based on whether clients are attached to the local network or are remote. The local network location has an administrator-defined scan scheduled to begin each Monday at 09:00. The remote location has an administrator-defined scan scheduled to begin each Wednesday night at 21:00. All systems are used daily and remain powered on all night. Some users in the group have laptops, while the other users have standard desktops. Assuming the laptops are taken home and used each night, what is the effect?

A. All clients will run scans only on Monday.
B. All clients will run scans both on Monday and Wednesday.
C. The laptops will run scans only on Wednesday, while the desktops will run scans only on Monday.
D. The laptops will run scans both on Monday and Wednesday, while the desktops will run scans only on Monday.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 60
Which two actions can a user take during an in-progress scheduled scan? (Select two.)

A. disable
B. stop
C. pause
D. skip
E. reschedule

Correct Answer: BC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 61
A user added a daily 10:00 scheduled scan to their Symantec Endpoint Protection 12.1 client. After reviewing the logs, the user confirms that the scan failed to start at 10:00. Why did the scan fail to start?

A. Tuning Options were set for best application performance.
B. "Delay scheduled scans when running on battery" was enabled.
C. Scan Progress options were set to "Do not show progress".
D. The Windows scheduler service was disabled.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 62
A Symantec Endpoint Protection 12.1 client is running a user-defined scan when a scheduled, administrator-defined scan is scheduled to launch. What is the effect on the client?

A. The user-defined scan will be paused in order to launch the administrator-defined scan.
B. The administrator-defined scan will launch after the user-defined scan completes.
C. The user-defined scan will be canceled in order to launch the administrator-defined scan.
D. The administrator-defined scan will be skipped and the user-defined scan will continue.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 63
Which protection technology assists in protecting documents in real-time when accessed or modified?

A. SONAR
B. Reputation Scans
C. Auto-Protect
D. Scheduled Scans

Correct Answer: C

Section: (none)
Explanation

Explanation/Reference:

QUESTION 64
A Symantec Endpoint Protection 12.1 administrator has the Virus and Spyware Protection policy configured with Auto-Protect enabled. The administrator is confronted with computer performance issues. Which two options can the administrator use to improve performance? (Select two.)

A. Enable the option to Trust Files on Remote Computers Running Auto-Protect.
B. Enable the Risk Tracer option.
C. Edit the autoprotect.xml and increase the cache value.
D. Enable the option of Network Cache.
E. Enable the Preserve File Times option.

Correct Answer: AD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 65
An administrator is modifying a Virus and Spyware Protection policy for a Symantec Endpoint Protection 12.1 (SEP) client because it is demonstrating poor boot performance. Which option should the administrator consider to alleviate this problem?

A. Ensure that Risk Tracer is disabled.
B. Load Auto-Protect during the startup of SEP.
C. Enable File Cache across reboots.
D. Modify the policy to use Insight Cache.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 66
Which technology uses heuristics to scan outbound email?

A. Internet Email Auto-Protect
B. Microsoft Outlook Auto-Protect
C. Lotus Notes Auto-Protect
D. SONAR

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 67
Which type of email does Internet Email Auto-Protect support?

A. IMAP based email
B. HTTP/s based email
C. SMTP based email
D. Outlook Web Access (OWA)

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 68
Refer to the exhibit.
In the use case displayed in the exhibit, why is the administrator unable to save the changes to this file?

A. Application Control is preventing Notepad from accessing the host file.
B. SONAR is set to block host file modifications.
C. Tamper Protection is enabled.
D. The Auto-Protect feature detected a malicious activity.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 69
What could be an adverse effect of activating aggressive mode on the SONAR policy?

A. false negatives
B. false positives
C. performance issues
D. higher rejection rate

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 70
Which two options are available when configuring high risk detection in SONAR? (Select two.)

A. Block
B. Skip
C. Quarantine
D. Log
E. Delete

Correct Answer: CD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 71
Acrobat Reader is being targeted by a threat using process injection. Which feature of SONAR is sandboxing Acroread32.exe so that the threat is prevented from dropping its payload?

A. Commercial Application Detection
B. Suspicious Behavior Detection
C. System Change Events
D. Signature Based Detection

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 72

Which two options are available when configuring DNS change detected for SONAR? (Select two.)

A. Block
B. Skip
C. Quarantine
D. Log
E. Delete

Correct Answer: AD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 73
A company is building a new Symantec Endpoint Protection Manager and is setting the remediation actions for threats in the Virus and Spyware Protection policy. For security risks, the first action is set to Repair and the second action is Quarantine. In this environment, Symantec Endpoint Protection 12.1 (SEP) has been deployed to a small group of clients for testing. Which condition would cause Auto-Protect to stop sending notifications and stop logging the event after three detections?

A. A client continuously downloads the same security risk.
B. File System Auto Protect is malfunctioning on the SEP Client.
C. SEP services on the client are stopped.
D. SEP is unable to read virus definitions.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 74
An administrator set the remediation options for Security Risks to the defaults (Quarantine, then Delete). However, the security team is the only team authorized to have Hack Tools on their systems. Which two steps must the administrator complete to accomplish this? (Select two.)

A. Create a specific group for Security Team.
B. Turn on inheritance for the Security Team group.
C. Assign a Virus and Spyware Protection policy with customized remediation options set.
D. Set a specific location for the My Company group.
E. Unlock the padlock in Auto-Protect for Remote Access.

Correct Answer: AC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 75
Where is a file encrypted and saved to when the "Backup files before attempting to repair them" setting is enabled?

A. the local Windows Temp (C:\Windows\Temp) directory
B. the local Quarantine folder
C. the FileBackup folder within the Application Data\Symantec directory
D. the local Symantec Endpoint Protection Temp folder

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 76
In which two situations would Symantec Endpoint Protection 12.1 (SEP) generate a Left Alone action? (Select two.)

A. Another scan is in progress.
B. The detected file is in use.
C. There are limited permissions to the file on the system.
D. The file is marked for deletion by Windows on reboot.
E. Virus definitions are corrupt or missing.

Correct Answer: BC

Section: (none)
Explanation

Explanation/Reference:

QUESTION 77
A company is deploying Symantec Endpoint Protection 12.1 and configuring remediation options within the Virus and Spyware Protection policy. They are considering enabling "Terminate processes automatically" within the remediation options. If this feature is enabled, which two characteristics will the user see when the client must terminate a process to remove or repair a risk? (Select two.)

A. When this option is enabled, the client automatically takes the necessary action without notifying users.
B. When a restart is required, the machine automatically reboots and the user is unable to opt out of the restart.
C. When this option is enabled, the client notifies the user of ending processes to mitigate the threat.
D. When this option is enabled, the client generates an entry in the Risk logs that a process was terminated automatically.
E. When a restart is required, the user is allowed to save data and close open applications or to opt out of the restart.

Correct Answer: AE
Section: (none)
Explanation

Explanation/Reference:

QUESTION 78
An administrator is reviewing risk logs in the Symantec Endpoint Protection Manager (SEPM) and notices that some entries list that the "Risk was partially removed". The administrator wants to determine whether additional steps are necessary to remediate the threat. How should the administrator proceed?

A. Review the threat writeup and run a full system scan on the machine.
B. Perform a repair of the Symantec Endpoint Protection install on the machine.
C. Submit infected file to Security Response to see if it is a new variant.
D. Change remediation actions in the Virus and Spyware Protection policy in the SEPM.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 79
A clean file in a proprietary application has been quarantined by SONAR. How can an administrator fix the broken application from the Symantec Endpoint Protection Manager console?

A. Restore the application with the Client Deployment Wizard.
B. Allow the application from the Monitor Logs view.
C. Run the Enable Auto-Protect command on the client.
D. Run a new scan with a newer set of definitions.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 80
Which Symantec Endpoint Protection 12.1 feature allows an administrator to prevent users from downloading files that are unsafe?

A. SONAR
B. Insight
C. Application Control
D. Trusted Web Domain exceptions

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 81
A company is concerned that its clients may be out-of-date and it wants to ensure that all running applications are protected with Symantec's latest definitions, even if they are unavailable on the Symantec Endpoint Protection 12.1 (SEP) client. How could the company configure SEP to achieve this goal?

A. Enable SONAR with High Risk detections set to Quarantine.
B. Enable Insight Lookup as part of a daily scheduled scan.
C. Enable Insight for Community and Symantec Trusted Files.
D. Enable and apply an Intrusion Prevention policy.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 82
What is the likely impact of increasing the Download Insight sensitivity?

A. It would block files that trend towards a poor reputation and decrease false positives.
B. It would allow only files with a good reputation and decrease false positives.
C. It would allow only files that trend toward a good reputation and increase false positives.
D. It would block files that have a poor reputation and decrease false positives.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 83
A customer is downloading newly-created company files from an internal website and is being blocked by Download Insight based on reputation. How can the customer prevent this?

A. Change the minimum number of days in the Download Insight settings.
B. Change the minimum number of users in the Download Insight settings.
C. Increase the sensitivity slider in the Download Insight settings.
D. Enable the option to trust files downloaded from an intranet website in the Download Insight settings.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 84
An administrator wants to make sure users are warned when they decide to download potentially malicious files. Which option should the administrator configure?

A. the Notifications tab under the admin-defined scan settings
B. the Notifications tab under Auto-Protect settings
C. the Network Protection Security event notification in location-specific settings
D. the Notifications tab under Download Insight settings

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 85
Refer to the exhibit.
A user runs a full scan on a system and is confused by the "Files trusted" count. Which option will result in the files being left unscanned?

A. Enabling the "Only when files are executed" setting in the Virus and Spyware Protection policy.
B. Enabling the "Do not scan files when trusted processes access the files" setting in the Virus and Spyware Protection policy.
C. Enabling Insight in the Virus and Spyware Protection policy.
D. Enabling the file cache settings in the Virus and Spyware Protection policy.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 86
A customer reports that users are able to download new files from the internet and execute those files on their own computers. What can be configured to prevent this?

A. Decrease the Download Insight sensitivity.
B. Change the action for unproven files in Download Insight.
C. Change the second action for malicious files in Download Insight.
D. Change the first action for malicious files in Download Insight.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 87
A computer is configured in Mixed Control mode. The administrator creates and applies a Firewall policy to the computer that has a rule that allows FTP traffic above the blue line and another rule that blocks LDAP traffic below the blue line. On the computer, local rules are created to allow LDAP traffic and block FTP traffic. Which traffic flow behavior should be expected on the local computer?

A. Both FTP and LDAP traffic are allowed.
B. Both FTP and LDAP traffic are blocked.
C. FTP is blocked and LDAP is allowed.
D. FTP is allowed and LDAP is blocked.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 88
Refer to the exhibit.
A company has created a specific firewall policy that allows only certain traffic. Which traffic is allowed in the firewall policy displayed in the exhibit?

A. traffic on port 23 from Telnet (telnet.exe)
B. traffic on port 25 from Outlook (outlook.exe)
C. traffic on port 110 from Outlook (outlook.exe)
D. traffic on port 80 from Internet Explorer (iexplore.exe)
E. traffic on port 443 from Internet Explorer (iexplore.exe)

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 89

A company is running the Symantec Endpoint Protection 12.1 firewall and wants to ensure that DNS traffic is allowed. Which feature should be enabled in the firewall policy?

A. DNS exception
B. DNS Lookup
C. Reverse DNS Lookup
D. Smart DNS

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 90
A system administrator created a firewall policy that allows certain applications and blocks others. However, some applications are being blocked that should be allowed. Which log should be viewed to troubleshoot this issue?

A. Application log
B. System log
C. Traffic log
D. Control log

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 91
An administrator has defined a rule to allow traffic to and from a specific server by its Fully Qualified Domain Name (FQDN), because the server's IP address varies based on the office in which a client is located. The administrator attempts to verify the rule and finds that the traffic is being blocked. The logs list the IP address of the server instead of its FQDN. What does the administrator need to do within the firewall policy to allow the rule to work correctly?

A. Enable DNS lookup.
B. Enable reverse DNS lookup.
C. Disable Smart DNS.
D. Disable NetBIOS Protection.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 92
A company is running the Symantec Endpoint Protection 12.1 firewall with the default policy. At the bottom of the ruleset, there is a rule called "Block all other IP traffic and log" which will block all IP traffic. A financial application is being blocked by this rule. What should be changed to allow the application without sacrificing security?

A. The existing rule should be changed.
B. A new rule should be created.
C. An existing rule should be deleted.
D. An existing rule needs to be reordered.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 93
A company has a firewall policy with a rule that allows all applications on all ports. An administrator needs to modify the policy so that it allows Internet Explorer to communicate to any website, but only on port 80 and 443. In addition, the company only wants this modification to affect traffic from Internet Explorer. The administrator created a new rule at the top of the ruleset that allows Internet Explorer on port 80 and 443. Which step should the administrator take next?

A. Move the new rule below the Allow Applications rule.
B. Delete the Allow All Applications rule.
C. Modify the Allow All Applications rule to exclude Internet Explorer.
D. Create a new rule above the Allow All Applications rule to block Internet Explorer.

Correct Answer: D
Section: (none)

Explanation

Explanation/Reference:

QUESTION 94
The Symantec Endpoint Protection 12.1 (SEP) client indicates that the Virus and Spyware Protection (AV) definitions are current, while the Intrusion Prevention System (IPS) signatures are one day older. How can an administrator determine whether this SEP client is up-to-date?

A. The administrator can tell the client is up-to-date because the AV definitions are the latest.
B. The administrator can tell the client is out-of-date because the IPS signatures are old.
C. The administrator needs to review the client Computer Status logs to determine whether the client is up-to-date.
D. The administrator needs to review the Symantec Security Response page to determine whether the client is up-to-date.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 95
A company selected Opera 10 as its corporate browser. Drive-by downloads are occurring and SONAR intercepts the resulting scripts. How should the company proceed to minimize the occurrence of drive-by downloads?

A. Upgrade to Opera 11.
B. Use Internet Explorer or Firefox.
C. Enable browser protection.
D. Reboot the Symantec Endpoint Protection client.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 96
Which Intrusion Prevention feature is updated automatically?

A. Intrusion Prevention custom signatures
B. SNORT syntax
C. Auto-Protect
D. Generic Exploit Blocking

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 97
An administrator needs to exclude some servers from an Intrusion Prevention System (IPS) policy. When specifying an excluded host in an IPS policy, which two methods can be used? (Select two.)

A. DNS host
B. IP address
C. MAC address
D. DNS domain
E. subnet

Correct Answer: BE
Section: (none)
Explanation

Explanation/Reference:

QUESTION 98
An administrator needs to ensure that a specific network threat can be detected. The attack signatures for this threat may be found across multiple packets. What can the administrator do to ensure the best chance of detecting this threat?

A. Ensure that Symantec IPS signatures are updated.
B. Create custom IPS signatures.
C. Enable TCP resequencing.
D. Create a Firewall rule for this threat.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 99
A company organizes its clients into two groups: the Symantec Endpoint Protection Manager (SEPM) group with all the SEPMs and a Desktops group with all other systems. An Application and Device Control policy is used with the "Block modifications to hosts file" rule set enabled. This policy is applied to all groups in the company. How can an administrator modify the hosts file on the SEPM systems, while minimizing risks posed to the company?

A. Withdraw the policy from all clients, modify the hosts files, and reassign the policy.
B. Withdraw the policy from the SEPM group, modify the hosts files, and reassign the policy.
C. Modify the hosts file using an operating system-based system account.
D. Temporarily disable Network Threat Protection on each client when modifying the hosts file.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 100
An administrator needs to customize the Application and Device Control policy to exclude all USB devices except for a specific, company-issued USB thumb drive. Which function or program, provided with the Symantec Endpoint Protection 12.1 software, should the administrator use to customize the environment?

A. DevViewer.exe
B. Sep_SupportTool.exe
C. SOIS.exe
D. vietool.exe

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 101
Refer to the exhibit.
A USB mouse is plugged in to a system that uses the device control displayed in the exhibit. What is the expected behavior?

A. The mouse is blocked until the user adds the device as a local client exception.
B. The mouse is blocked until an administrator adds the device to the exception policy.
C. The mouse will work as normal because the Human Interface Device exclusion takes precedence.
D. The mouse will work as normal because Mouse devices are missing from Blocked Devices.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 102
Refer to the exhibit.
A company is using a custom application that writes its application settings in the registry. An administrator plans to prevent users from modifying these values, while ensuring that the custom application still functions correctly. An Application and Device Control policy is created with an application rule to block access to create, delete, or write attempts, for the registry keys used by the custom application. One way to ensure users are prohibited from the registry keys, but the custom application can still modify them, is to add an Application Control exception for the custom application. What is another way to ensure this functionality?

A. Add an application rule to allow access to create, delete, or write attempts, to the custom application folder.
B. Add an application rule to allow access to read attempts for the registry keys.
C. Add an application rule set that allows access to read attempts for the registry keys.
D. Add an application rule to allow access to create, delete, or write attempts for the custom application.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 103
A company needs to prevent users from modifying files in a specific program folder that is on all client machines. What needs to be configured?

A. a file and folder exception in the Exception policy
B. an application rule set in the Application and Device Control policy
C. a file fingerprint list and System Lockdown
D. a custom IPS signature in the Intrusion Prevention policy

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 104
An administrator is testing a new Application and Device Control policy. One of the rule sets being tested blocks the notepad.exe application from running. After pushing the policy to a test client, the administrator finds that notepad.exe is still able to run. The administrator verifies that the rule set is enabled in the Application and Device Control policy. Which two may be preventing the policy from performing the application blocking? (Select two.)

A. An Application exception has been configured in the Exceptions policy.
B. System Lockdown has been configured for the client.
C. Network Threat Protection needs to be installed on the client.
D. The rule set is in the "Test (log only)" mode.
E. A rule set with conflicting rules exists higher up in the policy.

Correct Answer: DE
Section: (none)
Explanation

Explanation/Reference:

QUESTION 105
An administrator enabled the default application control rule "Block writing to USB Drives", but needs to modify it so that clients can write to a specific make and model of company-authorized, encrypted USB drive. How should the administrator proceed?

A. Edit the rule set and add the device ID to the exceptions.
B. Edit the rule set and add a condition after the block condition to allow access to the specific device.
C. Edit the rule set and add a rule after the block rule to allow access to the specific device.
D. Using DevViewer, plug the device into the Symantec Endpoint Protection Manager and select "Add Device to Manager".

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 106
An administrator enables the "Learn applications that run on the client computers" setting for a group of clients. Later, when using the Search for Applications function, the administrator is unable to find results. What is the cause of the problem?

A. The administrator is a limited administrator without rights to view reports.
B. Application learning is disabled under communication settings at the site level.
C. Submissions are disabled on the Symantec Endpoint Protection client by the user.
D. Pull mode is enabled and is unsupported by application learning.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 107
A company creates free web access computers for use in public areas, such as airports. The software provided on the computers will be static and the systems must be secure. What should be used to restrict unauthorized applications from running on these computers?

A. client security settings and Tamper Protection
B. blocked devices in an Application and Device Control policy
C. file fingerprint list and System Lockdown
D. custom IPS signatures in an Intrusion Prevention policy

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 108
What is a benefit of enabling Browser Intrusion Prevention?

A. It uses a reputation and cloud-based technology to monitor and identify attacks on Internet Explorer and Firefox.
B. It sends traffic results to a dedicated Symantec server to determine whether the traffic is legitimate.
C. It monitors traffic on supported browsers by using attack signatures and heuristics.
D. It improves performance by allowing clients to share Intrusion Prevention scan results.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 109
Company A acquires Company B. Company B has 200 employees. Multiple firewall rules, based on collections of client addresses, are required to allow the new employees access to Company A's resources and permissions to use approved network applications. Which feature should be used to minimize the amount of time needed to create rules for these new clients?

A. Application rule sets
B. Host groups
C. Built-in rules
D. Network Services

Correct Answer: B

Section: (none)
Explanation

Explanation/Reference:

QUESTION 110
Which two criteria can be used to determine hosts in a host group? (Select two.)

A. DNS domain
B. Subnet
C. Gateway address
D. WINS server
E. DHCP server

Correct Answer: AB
Section: (none)
Explanation

Explanation/Reference:

QUESTION 111
Which two criteria can be used to determine hosts in a host group? (Select two.)

A. MAC address
B. registry key
C. management server connection
D. DNS host
E. network connection type

Correct Answer: AD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 112

According to Symantec best practices, which two tasks should be completed after creating file fingerprint lists, but prior to enabling System Lockdown? (Select two.)

A. Add any approved applications.
B. Move the Symantec Endpoint Protection Managers to a separate group.
C. Log unapproved applications.
D. Run the checksum.exe command on the clients.
E. Enable application learning.

Correct Answer: AC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 113
Which port is used by default for replication between sites?

A. 2967
B. 8014
C. 8443
D. 9090

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 114
A company has deployed Symantec Endpoint Protection 12.1 in their corporate environment using a multi-site design. If an administrator makes policy changes in the United States site, when will the changes appear in the European site?

A. after the next heartbeat
B. after the next replication interval
C. immediately
D. after the policy changes are saved

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 115
In a management server list, Symantec Endpoint Protection Manager (SEPM) A is added to Priority 1, and SEPM B is added to Priority 2. This setup will provide which service?

A. load balancing
B. replication
C. failover
D. clustering

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 116
Which two configuration elements are needed in order to add a replication partner? (Select two.)

A. SQL Server IP and sa password
B. administrator name and password
C. site-to-site VPN tunnel
D. replication server name and port
E. internet access

Correct Answer: BD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 117
Which two are optional when replicating between Symantec Endpoint Protection Managers? (Select two.)

A. groups
B. policies
C. logs
D. content
E. locations

Correct Answer: CD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 118
What is the default replication frequency when adding an additional site to a Symantec Endpoint Protection 12.1 deployment?

A. 1 hour
B. 8 hours
C. daily
D. Auto replicate

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 119
Which step must be completed to set up two sites to replicate?

A. Add a new Management Server list with the replication partner added.
B. Launch the Replication Wizard from the Admin page and follow the prompts.
C. Install a SQL server on at least one site.
D. Install a Symantec Endpoint Protection Manager Server and database as a replication partner.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 120
Which authentication method must be used to provide the ability to reset forgotten passwords?

A. RSA SecurID Authentication
B. Smart Card Authentication
C. Symantec Management Server Authentication
D. Directory Authentication

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 121
An employee is taking leave for four months and the employee's workstation will be powered off and locked in an office. Why does the workstation disappear from the Symantec Endpoint Protection Manager (SEPM) Reports and Client view after 30 days?

A. Administrators used the "reclaim license" option.
B. The SEPM purges offline clients after a set amount of time.
C. The SEPM quarantines offline clients after a set amount of time.
D. The SEPM purges clients with expired licenses.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 122
How frequently does Symantec recommend that a Symantec Endpoint Protection Manager site check LiveUpdate for content updates?

A. every hour
B. every 4 hours
C. once a day
D. twice a day

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 123
Which two should be considered when enabling Application Learning in an environment? (Select two.)

A. Application Learning requires Virus and Spyware Protection.
B. Application Learning should be deployed on a small group of systems in the enterprise.
C. Application Learning can generate significant CPU or memory use on a Symantec Endpoint Protection Manager.
D. Application Learning can be used without using application-based firewall rules, Application Control rules, or Centralized Exceptions.
E. Application Learning is dependent on a properly configured firewall.

Correct Answer: BC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 124
Where are directory servers added before importing Organizational Units (OU) or adding administrators to the Symantec Endpoint Protection Manager?

A. Site properties
B. Server properties
C. localhost properties
D. Import Server properties

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 125
A company is setting up a new environment with three Symantec Endpoint Protection Managers (SEPM) and wants to set one SEPM to act as the primary reporting server. Where in the SEPM should the administrator configure the priority reporting server to be used for running scheduled reports and notifications?

A. Local Host properties
B. Local Site properties
C. Scheduled reports
D. Server properties

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 126
A company suffered a catastrophic hardware failure on the Symantec Endpoint Protection Manager (SEPM) which was using a remote Microsoft SQL Server. The administrator has all required backups. The administrator restores the hardware and the operating system with the required software (including SEPM). What is the next step in the recovery procedure?

A. Export the server certificate from the SEPM console.
B. Customize the SEPM configuration using the recovery file.
C. Restore the SQL database to realign with SEPM restore.
D. Replace the Sylink.xml using the SylinkDrop.exe.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 127
An administrator is in the process of recovering from a disaster and needs the keystore password to update the certificate on the Symantec Endpoint Protection Manager (SEPM). From which two locations can the administrator obtain this information? (Select two.)

A. SEPM replication partners
B. original installation log
C. disaster recovery file
D. settings.properties file
E. Sylink.xml file from the SEPM

Correct Answer: CD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 128
An administrator notices that the Symantec Endpoint Protection Manager (SEPM) embedded database is growing large and is taking longer to back up than desired. How can backup performance of the database be improved?

A. Change the number of backups to keep.
B. Reduce the number of log entries under Log Settings.
C. Change the backup frequency from Weekly to Daily.
D. Configure incremental backups in the SEPM.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 129
A Microsoft SQL Server containing a Symantec Endpoint Protection Manager (SEPM) database has encountered an unrecoverable hard drive failure. An administrator has rebuilt the Microsoft SQL Server and has confirmed that the SEPM can connect with the SQL Server. Which step should the administrator take next?

A. Select Rebuild Indexes from the SEPM console
B. Launch Checksum.exe database integrity tool
C. Use the Backup and Restore utility included with SEPM
D. Select Truncate Transaction Logs from the SEPM

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 130
Which operation can be performed using the Database Back Up and Restore utility found in the Windows Start menu?

A. on-demand backup of the database
B. scheduled monthly backup of the database
C. selection of the Symantec Endpoint Protection Manager to backup
D. selection of the backup location

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 131
A company suffered catastrophic hardware failure on the Symantec Endpoint Protection Manager (SEPM). The administrator restores the hardware and the operating system with the required software (including SEPM). The administrator then runs the SEPM Database Back Up and Restore utility. What is the most important consideration?

A. Ensure that the Microsoft SQL services are disabled on the server.
B. Ensure that the SEPM service is set to Manual and Running.
C. Ensure that the SEPM service is set to Automatic and Stopped.
D. Ensure that the embedded database service is set to Disabled and Stopped.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 132
An administrator has installed Symantec Endpoint Protection 12.1 using an embedded database. Which two database maintenance tasks are available in the Symantec Endpoint Protection Manager console? (Select two.)

A. truncating database transaction logs
B. limiting the client installation log entries
C. rebuilding of database indexes
D. deleting clients who have not connected recently from the console
E. limiting the number of backups to keep

Correct Answer: AC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 133
An administrator is restoring a Microsoft SQL Symantec Endpoint Protection 12.1 database and installing a new Symantec Endpoint Protection Manager (SEPM). After completing the restore, the administrator notices that the clients are unable to connect to the SEPM. Which step did the administrator forget when performing the restore?

A. restoring the client certificate
B. restoring the server certificate
C. importing the previously backed up data
D. setting the SQL client folder

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 134
How can an administrator proactively obtain information about unknown devices on a network?

A. Use the Client Deployment Wizard feature to locate unmanaged endpoints.
B. Create an Unmanaged Computer notification.
C. Schedule an audit report to send to the administrator.
D. Run the Symantec Endpoint Discovery Tool.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 135
A company is building a new Symantec Endpoint Protection Manager (SEPM) and building email notifications that will go to the security team. Which two notification conditions should the team implement into the SEPM? (Select two.)

A. Unknown User
B. Invalid Host Name
C. Risk Outbreak
D. Group Update Provider Failure
E. Authentication Failure

Correct Answer: CE
Section: (none)
Explanation

Explanation/Reference:

QUESTION 136
An administrator needs to determine which versions of Symantec Endpoint Protection (SEP) are currently in the network. Which report provides this information?

A. Client Inventory report
B. Deployment report
C. SEP Product Versions report
D. Audit Inventory report

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 137
Which notification action can be performed when a security-related condition is met?

A. Send an SNMP trap.
B. Alert with a GUI popup on the admin console.
C. Run a batch file or another executable file.
D. Send an alert to a client.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 138
An administrator needs to check when and by which account a policy was modified. Which log query should the administrator use?

A. Compliance
B. Audit
C. Access
D. System

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 139
Which Symantec Endpoint Protection Manager feature allows an administrator to view and modify commonly accessed reports?

A. Favorite Reports Display list on the Monitors page
B. Scheduled Reports in the Reports section
C. Favorite Reports Display list on the Home page
D. Summary Dropdown in the Monitors section

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 140
Which two options can administrators customize on the Home page? (Select two.)

A. auto-refresh rate
B. number of reports
C. Favorite Reports
D. Common Tasks
E. types of endpoints listed

Correct Answer: AC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 141
Refer to the exhibit.
An administrator has configured the Symantec Endpoint Protection Manager (SEPM) to use Active Directory authentication. The administrator defines a new Symantec Endpoint Protection administrator named Sep_SysAdmin, configured to use Directory Authentication. Which password needs to be entered when the administrator logs in to the SEPM console as Sep_SysAdmin?

A. the password for the Active Directory user that was mapped with Sep_SysAdmin
B. the password for the user named Sep_SysAdmin that was created in SEPM
C. the password for the user named Sep_SysAdmin that was created in Active Directory
D. the password for the Administrator account in Active Directory

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 142
What are two default access rights for various types of Symantec Endpoint Protection Manager Administrator accounts? (Select two.)

A. A system administrator can view and modify the entire organization.
B. An administrator can view and modify all features in a single domain and can view reports in other domains.
C. A limited administrator can view the entire organization.
D. An administrator can view multiple domains.
E. An administrator can view and modify all features in a single domain.

Correct Answer: AE
Section: (none)
Explanation

Explanation/Reference:

QUESTION 143

What are two responsibilities associated with the Limited Administrator account type in Symantec Endpoint Protection Manager? (Select two.)

A. view and manage console settings for domains
B. create and manage accounts in a single domain
C. create location specific policies
D. manage their own authentication type
E. remotely run commands on client computers

Correct Answer: CE
Section: (none)
Explanation

Explanation/Reference:

QUESTION 144
An administrator defines the Active Directory settings in the Symantec Endpoint Protection Manager (SEPM). The administrator adds an account named Sep_SysAdmin in the SEPM. This account is configured to use Active Directory Authentication. Which two settings can the administrator configure for the Sep_SysAdmin account? (Select two.)

A. Password Never Expires
B. Test Account
C. Password Expires in x Days (where x is any number)
D. Check the Password Strength
E. Select the Directory Server

Correct Answer: BE
Section: (none)
Explanation

Explanation/Reference:

QUESTION 145
Refer to the exhibit.
An administrator defines the Active Directory settings in the Symantec Endpoint Protection Manager as displayed in the exhibit. Which port number should be used for LDAP?

A. 389
B. 636
C. 637
D. 639

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 146
Which two can be used when defining location switching criteria for the Symantec Endpoint Protection 12.1 client? (Select two.)

A. NIC description
B. OS type
C. MAC address
D. WINS server
E. client version

Correct Answer: AD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 147
A company wants to reduce or eliminate the HelpDesk calls they receive due to end users modifying, moving, or deleting configuration files. Which component of Symantec Endpoint Protection will allow the IT administrator to prevent users from altering configuration files?

A. Privilege De-escalation
B. Proactive Threat Detection
C. Application Control
D. Host Integrity

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 148
An administrator wants to ensure that all clients consider the content from the website www.symantec.com as safe. Where can the administrator configure this?

A. Exception policy
B. External Communication Settings
C. Security Settings
D. Browser Intrusion Prevention excluded domains

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 149
A company wants its clients to use the Group Update Provider (GUP) that is closest to them, but is concerned about what happens if the GUP is unavailable or goes offline. Which two options could mitigate this issue? (Select two.)

A. Increase the maximum number of simultaneous downloads to clients.
B. Configure the Symantec Endpoint Protection Manager failover options.
C. Configure GUP roaming in the external communications settings.
D. Configure a failover GUP in the multiple GUP options.
E. Configure the maximum bandwidth allocated to a GUP.

Correct Answer: BD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 150
By default, the Client User Interface control is set to Server Control. Which two actions will the user who is logged in as a Windows administrator be able to perform? (Select two.)

A. Change Virus and Spyware Protection settings.
B. Edit firewall rules below the blue line.
C. Change between Push and Pull mode.
D. Disable Tamper Protection.
E. Edit the Intrusion Prevention policy.

Correct Answer: AD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 151
Which technology does the Symantec Endpoint Protection Firewall use?

A. proxy inspection
B. packet filtering
C. stateful packet inspection
D. application gateway proxy

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 152
How many Symantec Endpoint Protection Managers can connect to an embedded database?

A. one
B. two
C. four
D. unlimited

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 153

A large enterprise plans to deploy Symantec Endpoint Protection 12.1 (SEP) on 36,000 virtual endpoints distributed across 1,800 VMware ESX servers in a single datacenter. A system administrator needs to optimize endpoint scanning performance by enabling Shared Insight Cache (SIC) server functionality. Which two configuration changes should the administrator make to minimize the number of SIC servers that need to be deployed? (Select two.)

A. Perform regular scans of all virtual systems with the offline image scanner.
B. Enable scanning randomization across all SEP endpoints.
C. Enable virtual image exceptions across all SEP endpoints.
D. Disable Insight lookups for threat detection on each virtual SEP endpoint.
E. Enable download randomization across all SEP endpoints.

Correct Answer: BC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 154
Which statement describes a difference between Virtual Image Exceptions (VIE) and Shared Insight Cache (SIC)?

A. VIE tracks executable files, whereas SIC tracks all file types.
B. VIE data is stored on the local system, whereas SIC data is placed in a shared location.
C. SIC tracks whitelisted and malicious files, whereas VIE tracks only whitelisted files.
D. SIC can query Symantec Insight, whereas VIE is unable to make Symantec Insight queries.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 155
Refer to the exhibit.
A customer configures location awareness as displayed in the exhibit, but the client fails to change from the Out of Office location to the Office location, even though it is connected to the Symantec Endpoint Protection Manager. What is wrong?

A. The client connection specific DNS suffix needs to be example.com.
B. The Remember Last Location setting is enabled.
C. The Enable Location Awareness setting is disabled.
D. The Out of Office location is the default location.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 156
An administrator enabled virtual image exceptions for Auto-Protect and Administrator-Defined scans on virtual machines. In order to protect against previously undetected threats, the administrator must regularly scan the static instance of the virtual machine image set which includes the files that have been whitelisted. In addition to cleaning the static image set, which additional step must the administrator complete if threats are discovered?

A. Select the threat in the log and add it as an exception.
B. Use the Symantec Offline Image Scanner (SOIS) on the static image.
C. Ensure that virtual client tagging is enabled.
D. Use the vietool to update the whitelist.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 157
A user is downloading a file from https://www.example.com to the local system. The user is able to download and save that file even though it is a known malicious application. Why is the user able to download the application?

A. A SONAR exception is in place.
B. An Application Control exception for the file is in place.
C. A Trusted Web Domain exception is in place.
D. Download Insight exceptions are disabled.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 158
In addition to preventing Symantec Endpoint Protection 12.1 (SEP) from being stopped maliciously, which other two functions does Tamper Protection perform? (Select two.)

A. It prevents a user from stopping the SEP services.
B. It prevents the SEP Registry keys from being deleted.
C. It prevents SEP from stopping third party applications.
D. It prevents the SEP files and folders from being changed.
E. It prevents the user from opening the SEP client interface.

Correct Answer: BD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 159
In addition to adding exceptions directly into an Exceptions policy, what is another method of adding exceptions?

A. adding the exception to a policy from the Application Control log
B. importing the exception into a policy from the Notifications window
C. adding the application exception to a File Fingerprint list
D. adding the exception from the Threat report

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 160
A managed Symantec Endpoint Protection 12.1 (SEP) client is in a group that has a Virus and Spyware Protection policy specifying that all files must be scanned. An Exceptions policy has been applied to the group by the SEP administrator. The Exceptions policy has an empty exclusions list. A local user of the client has added an Exception to exclude C:\temp. What will happen if a user attempts to download a file to the C:\temp folder?

A. The local exclusion will be ignored.
B. The user will be prompted to override the group's policy.
C. The local exclusion will allow malware.
D. The group's policy will negate the local exception.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 161
Which action does the Shared Insight Cache (SIC) server take when the whitelist reaches maximum capacity?

A. The SIC server allocates additional memory for the whitelist as needed.
B. The SIC server will start writing the cache to disk.
C. The SIC server will remove the least recently used items based on the prune size.
D. The SIC server will remove items with the fewest number of votes.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 162
Which statement is true about the Database Backup and Restore utility?

A. It backs up and restores only an embedded database.
B. It allows an administrator to pause and resume backups.
C. It saves database backups to the local computer.
D. It backs up and restores the certificate keystore.

Correct Answer: B
Section: (none)

Explanation

Explanation/Reference:

QUESTION 163
When the Symantec Endpoint Protection 12.1 client firewall defends against a MAC spoof attack, what does it drop?

A. ICMP response
B. IP redirect
C. gratuitous ARP
D. TCP reset

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 164
All email Auto-Protect options are disabled, and an administrator receives an email from an associate with a .zip file attached. There are three files in the .zip file that are needed for the administrator's presentation the next day. What neither of them realizes is that one of the files is infected with a virus. When will File System Auto-Protect detect this infected file?

A. when the email is opened
B. when the .zip file is opened
C. when the .zip file is saved to the administrator's desktop
D. when the email is closed

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 165
Which feature can be configured to increase or decrease performance of scheduled scans?

A. scan frequency
B. CPU throttling
C. heartbeat interval
D. tuning options

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
