Number of Questions: 80-90
Exam Duration: 105 minutes (with Borderline survey included)
Passing Score: 63%
Answer each question then check the correct answers provided at the bottom of the page.
1. Which process is required to be running on all detection servers?
- a. FileReader
- b. RequestProcessor
- c. PacketCapture
- d. IncidentWriter
2. What files are retrieved when collecting configuration files for detection servers from the Enforce console?
- a. All .conf, .config and .properties files within the specified date range
- b. All .config files
- c. All .conf, .config and .properties files
- d. All files and folders located in the lib directory
3. Which detection rule only allows matching on the body and attachment components of an email?
- a. EDM rule
- b. Data Identifier rule
- c. Keyword rule
- d. IDM rule
4. Which statistic from the Systems > Servers > Overview page would be available for the Enforce Server on a three-tier installation?
- a. Messages (Last 10 sec)
- b. Messages (Today)
- c. Incidents (Today)
- d. Incident Queue
5. Where can an incident responder find the exact location of the file copy created by the Protect: Copy File response action?
- a. in the Incident Snapshot
- b. in the Incident Summary
- c. in the Policy configuration
- d. in the Discover Target configuration
6. What should a Data Loss Prevention administrator configure to send system event information to a syslog server?
- a. modify specific options in the Manager.properties file
- b. modify specific options in the Protect.properties file
- c. set specific parameters in the Smart Response rule
- d. set specific parameters in the Automated Response rule
7. All users, regardless of their role permissions, are allowed to use which two reporting options? (Select two.)
- a. ability to delete incidents
- b. ability to set the home page report
- c. ability to look up custom attributes
- d. ability to export reports to XML
- e. ability to select reports to display
8. What is an advantage of using a Dashboard report?
- a. Incident responders can view correlations across multiple products.
- b. They allow incidents to be viewed across multiple products.
- c. They can be used as work queues for incident responders.
- d. Incident responders can see the history of each incident.
9. A user is attempting to change their own Enforce password. After selecting the Profile link on the Enforce user interface, the user finds that the password fields are grayed-out, and the user is unable to change the value.
What is the cause of the password fields being grayed-out?
- a. The user's existing role prevents any modification of existing account values, including the password.
- b. The password rotation period is still current and prevents the password value from being changed at this time.
- c. Changes to the password are done outside of Enforce because Active Directory Authentication is enabled.
- d. The password must be changed by the Data Loss Prevention administrator because the Require Strong Password option is enabled.
10. What are two reasons companies deploy data loss prevention solutions? (Select two.)
- a. to protect their perimeters from external threats
- b. to help protect their brand and reputation
- c. to prevent employee access to undesirable websites
- d. to inspect encrypted emails prior to transmission
- e. to reduce the likelihood of data breaches and related costs
11. What is the primary function of Endpoint Prevent?
- a. encrypts confidential data being sent over the network or copied to removable media
- b. finds confidential data and quarantines the data to a central repository
- c. disables end-user devices that are unauthorized by a company's data security policies
- d. stops confidential data from being sent over the network or copied to removable media
12. Which method encrypts the Oracle password on the Enforce Server?
- a. Rivest, Shamir, Adleman (RSA)
- b. Data Encryption Standard (DES)
- c. Triple Data Encryption Standard (Triple DES)
- d. Advanced Encryption Standard (AES)
13. The data loss prevention team needs to scan file shares that are located in Atlanta, Los Angeles, and Brazil.
What is the most effective plan for identifying confidential and sensitive information on these files shares?
- a. deploy a single Enforce Server and a single Network Discover Server
- b. deploy an Enforce server at each location and a single Network Discover Server
- c. deploy a single Enforce Server and a Network Discover Server at each location
- d. deploy a single Enforce Server and a single Network Protect Server
14. Two response rules that perform different actions on the same product have been added to a policy.
- a. Network Protect Copy instead of Network Protect Quarantine
- b. Discard all attachments instead of Discard only non-violating attachments
- c. Endpoint Notify instead of Endpoint Block
- d. Network Block SMTP message instead of Network Modify SMTP message
15. Which response action would an Automated Response be unable to perform on a Discover Incident?
- a. copy the file to another location
- b. send an email to a manager
- c. change the permissions of the file
- d. log to a syslog server
16. How does Network Discover apply filters to Microsoft Outlook Personal Folder (.pst) files?
- a. individual emails in the .pst file
- b. the entire .pst file
- c. attachments in the .pst file
- d. calendar items in the .pst file
17. A Data Loss Prevention administrator needs to include all traffic from their corporate subnet of 18.104.22.168/16 and also needs to exclude all other traffic. The IP filter that has been applied is:
What happens to traffic with a source IP address of 22.214.171.124?
- a. Traffic matches the first filter of the rule and is kept.
- b. Traffic matches the first filter of the rule and is discarded.
- c. Traffic matches the second filter of the rule and is kept.
- d. Traffic matches the second filter of the rule and is discarded.
18. Which component has an obfuscated (hidden) log?
- a. Endpoint Agent
- b. Enforce Server
- c. Network Monitor
- d. Network Discover
19. What is the master Administrator user (created during installation) unable to do?
- a. remove a detection server from system configuration without uninstalling the detection server
- b. create a policy author role that has access to just one policy group
- c. create an incident responder role that sees incidents only from Endpoint Discover scans
- d. save custom reports and then share them with others in the system
20. Why should an organization wait a few months before enabling auto notifications? (Select two.)
- a. The SMTP server is configured in later phases of risk reduction.
- b. Employees will have learned more about security practices by then.
- c. Some broken business processes will have been fixed, reducing incidents.
- d. It will overload the Enforce Server with auto notifications.
- e. It will take that long to gather email addresses for employees.
Answers: 1-a, 2-c, 3-d, 4-d, 5-a, 6-a, 7-b&e, 8-b, 9-c, 10-b&e, 11-d, 12-d, 13-c, 14-d, 15-c, 16-b, 17-d, 18-a, 19-d, 20-b&c
Contact the Symantec Certification Team
Can't find what you're looking for?
If you have questions or need further assistance, send an email to firstname.lastname@example.org