Symantec.Examsheets.250-315.v2014-02-07.by.JSadomba.167q

Number: 250-315
Passing Score: 800
Time Limit: 120 min
File Version: 16.5

http://www.gratisexam.com/

Exam Code: 250-315
Exam Name: Administration of Symantec Endpoint Protection 12.1


Post on 16-Oct-2020


Exam A

QUESTION 1
Which Symantec Endpoint Protection 12.1 protection technology provides the primary protection layers against zero-day network attacks?

A. SONAR
B. Client Firewall
C. Intrusion Prevention
D. System Lockdown

Correct Answer: C

QUESTION 2
According to Symantec, what is a botnet?

A. systems infected with the same virus strain
B. groups of systems performing remote tasks without the users' knowledge
C. groups of computers configured to steal credit card records
D. compromised systems opening communication to an IRC channel

Correct Answer: B

QUESTION 3
A financial company has a security policy that prevents banking system workstations from connecting to the internet. Which Symantec Endpoint Protection 12.1 protection technology will be prevented from working on the company's workstations?

A. Insight
B. Application and Device Control
C. Network Threat Protection
D. LiveUpdate

Correct Answer: A

QUESTION 4
In addition to performance improvements, which two benefits does Insight provide? (Select two.)

A. reputation scoring for documents
B. zero-day threat detection
C. protection against system file modifications
D. false positive mitigation
E. blocking of malicious websites

Correct Answer: BD

QUESTION 5
How does the Intrusion Prevention System add an additional layer of protection to Network Threat Protection?

A. It inspects the TCP packet headers and tracks the sequence number.
B. It performs deep packet inspection, reading the packet headers, and data portion.
C. It examines TCP/IP traffic from the application and traces the source of the traffic.
D. It monitors IP datagrams for abnormalities.

Correct Answer: B

QUESTION 6
The fake antivirus family "PC scout" infects systems with a similar method regardless of its variant. Which SONAR sub-feature can block new variants of the same family, based on sequence of events?

A. artificial intelligence
B. behavioral heuristic
C. human authored signatures
D. behavioral policy lockdown

Correct Answer: C

QUESTION 7
Drive-by downloads are a common vector of infections. Some of these attacks use encryption to bypass traditional defense mechanisms. Which Symantec Endpoint Protection 12.1 protection technology blocks such obfuscated attacks?

A. SONAR
B. Bloodhound heuristic virus detection
C. Client Firewall
D. Browser Intrusion Prevention

Correct Answer: D

QUESTION 8
Which Symantec Endpoint Protection 12.1 defense mechanism provides protection against worms like W32.Silly.FDC, which propagate from system to system through the use of autorun.inf files?

A. Application Control
B. SONAR
C. Client Firewall
D. Exceptions

Correct Answer: A

QUESTION 9
A company is experiencing a malware outbreak. The company deploys Symantec Endpoint Protection 12.1, with only Virus and Spyware Protection, Application and Device Control, and Intrusion Prevention technologies. Why would Intrusion Prevention be unable to block all communications from an attacking host?

A. Intrusion Prevention needs the firewall component to block all traffic from the attacking host.
B. Intrusion Prevention blocks the attack only if the administrator wrote a signature for it.
C. Intrusion Prevention definitions are out-of-date.
D. Intrusion Prevention is set to log only.

Correct Answer: A

QUESTION 10
Which Symantec Endpoint Protection 12.1 component uses reputation to evaluate a file?

A. Shared Insight Cache server
B. Symantec Endpoint Protection client
C. Symantec Endpoint Protection Manager
D. LiveUpdate Administrator server

Correct Answer: B

QUESTION 11
Which Symantec Endpoint Protection 12.1 component provides services to improve the performance of virtual client scanning?

A. Shared Insight Cache server
B. LiveUpdate Administrator server
C. Symantec Protection Center
D. Group Update Provider

Correct Answer: A

QUESTION 12
How many Symantec Endpoint Protection Managers can be connected to an embedded database?

A. 1
B. 2
C. 5
D. 10

Correct Answer: A

QUESTION 13
Which component is required in order to run Symantec Endpoint Protection 12.1 protection technologies?

A. Symantec Endpoint Protection Manager
B. Symantec Endpoint Protection client
C. LiveUpdate Administrator server
D. Symantec Protection Center

Correct Answer: B

QUESTION 14
Which Symantec Endpoint Protection 12.1 component provides single-sign-on to the Symantec Endpoint Protection Manager and other products, along with cross-product reporting?

A. Symantec Reporting server
B. Symantec Security Information Manager
C. IT Analytics
D. Symantec Protection Center

Correct Answer: D

QUESTION 15
Which Symantec Endpoint Protection 12.1 component uses Sybase SQL Anywhere?

A. Symantec Endpoint Protection Manager embedded database
B. Symantec Endpoint Protection Manager remote database
C. LiveUpdate Administrator server
D. Shared Insight Cache server

Correct Answer: A

QUESTION 16
Which Symantec Endpoint Protection 12.1 component improves performance because known good files are skipped?

A. LiveUpdate Administrator server
B. Group Update Provider
C. Shared Insight Cache server
D. Central Quarantine server

Correct Answer: C

QUESTION 17
How can an administrator manage multiple, independent companies from one database while maintaining independent groups, computers, and policies?

A. Set up limited administrators with appropriate rights.
B. Set up separate domains.
C. Set up additional sites using a single database.
D. Set up separate locations and turn off inheritance.

Correct Answer: B

QUESTION 18
A company with one site has a factory with computers in the manufacturing area. Both factory managers and operators need to log in to these shared computers. Different policies will be applied depending on whether the individual logging in to the machine is a manager or an operator. Which Symantec Endpoint Protection 12.1 feature provides this ability?

A. Computer mode
B. Active Directory synchronization
C. User mode
D. Console authentication

Correct Answer: C

QUESTION 19
An administrator is logged in to the Symantec Endpoint Protection Manager (SEPM) console for a system named SEPM01. The groups and policies that were previously in the SEPM01 console are unavailable and have been replaced with unfamiliar groups and policies. What was a possible reason for this change?

A. The administrator was modified from using Computer mode to User mode.
B. The administrator was logged in to the incorrect domain for SEPM01.
C. The administrator was changed from a limited administrator to a system administrator.
D. The administrator was using the Web console instead of the Java console.

Correct Answer: B

QUESTION 20
Which two objects in the Symantec Endpoint Protection Manager console describe the most granular level to which a policy can be applied? (Select two.)

A. Site
B. Domain
C. Group
D. Location
E. Computer
F. User

Correct Answer: CD

QUESTION 21
An administrator creates a new domain in the Symantec Endpoint Protection Manager console.

How can the administrator copy policies from the old domain to the new domain?

A. Export the policy from the old domain and import it into the new domain.
B. Copy the policy in the old domain and paste the policy into the new domain.
C. Copy the old domain's policy XML file into the folder for the new domain.
D. Back up the old domain's database and restore it into the new domain.

Correct Answer: A

QUESTION 22
A company plans to expand its Symantec Endpoint Protection 12.1 (SEP) infrastructure by creating a second site for use in replication. At a minimum, which two tasks need to be completed to create the second site? (Select two.)

A. A new Symantec Endpoint Protection Manager needs to be installed.
B. A new SEP domain needs to be created.
C. A new SEP database needs to be created.
D. An SEP administrator needs to be given replication rights.
E. A new SEP location needs to be created.

Correct Answer: AC

QUESTION 23
A company is transitioning from using policies based on the individual that logs in to the client machine to policies based only on the client machine. Which Symantec Endpoint Protection 12.1 change will the organization need to perform?

A. Move from User mode to Computer mode.
B. Move from Computer mode to User mode.
C. Use groups synchronized from Active Directory.
D. Use groups created manually.
E. Turn on location awareness.

Correct Answer: A

QUESTION 24
A company has a single datacenter at its main office and 10 branch offices with 100 computers in each office. The branch offices are connected to the datacenter with a 56k network link. The customer wants the Symantec Endpoint Protection Manager (SEPM) to be installed in the datacenter. What can be done at the branch offices to reduce the bandwidth caused by definition updates from the Symantec Endpoint Protection clients at each branch office?

A. Enable a Group Update Provider at each branch office.
B. Reduce the number of virus definitions cached on each client.
C. Place a SEPM database in each branch office.
D. Use the Shared Insight Cache server in each branch office.

Correct Answer: A

QUESTION 25
A LiveUpdate policy allows for configuring single Group Update Providers (GUPs) or multiple GUPs from a list. What is a limitation when using multiple GUPs?

A. Less content can be cached.
B. They can only communicate with clients in the same Windows domain.
C. They can only communicate with clients in the same local subnet.
D. Fewer clients can be communicated with.

Correct Answer: C

QUESTION 26
A company recently purchased the Symantec Endpoint Protection 12.1 (SEP) product. It has two datacenters and wants to configure SEP for high availability, so that if one datacenter goes down, the SEP clients can smoothly fail over to the other datacenter. What should be done to allow SEP clients to fail over from one datacenter to the next?

A. Install a Group Update Provider at each datacenter and configure replication.
B. Install a Symantec Protection Center at each datacenter and configure replication.
C. Install a Symantec Endpoint Protection Manager at each datacenter and configure replication.
D. Install a Symantec Site Server at each datacenter and configure replication.

Correct Answer: C

QUESTION 27
Refer to the exhibit.

A branch office needs to forward logs to the headquarters. The administrator is configuring the site Branch A. Which setting should be enabled to achieve this?

A. Replicate the log from the local site to this partner site.
B. Replicate the log from this partner site to the local site.
C. Auto Replicate.

Correct Answer: A

QUESTION 28
A company has multiple offices and is unsure whether to use the Symantec Endpoint Protection Manager (SEPM) or the Group Update Provider (GUP) at the offices. When should the company use the SEPM rather than the GUP?

A. when the site has a local Windows server
B. when the site has a large number of clients
C. when the site has a low bandwidth network connection
D. when the site has more than one subnet

Correct Answer: B

QUESTION 29
A new installation of the Symantec Endpoint Protection 12.1 (SEP) is running on a trial license. For how long can managed SEP clients receive updates?

A. 30 days
B. 60 days
C. 90 days
D. 120 days

Correct Answer: B

QUESTION 30
Which two Symantec Endpoint Protection 12.1 (SEP) standalone tools are available for malware scanning and remediation? (Select two.)

A. Symantec Power Eraser
B. Symantec Endpoint Recovery Tool
C. Symantec Offline Image Scanner
D. Symantec Protection Center
E. CleanWipe

Correct Answer: AB

QUESTION 31
For replication, Symantec recommends that the number of sites be kept to five for optimum performance. What can be done to reduce the number of sites?

A. Replicate log data in both directions.
B. Limit the number of clients per manager.
C. Spread the clients over additional domains.
D. Add Group Update Providers for content distribution.

Correct Answer: D

QUESTION 32
In Symantec Endpoint Protection 12.1 Enterprise Edition (SEP), what happens when the Soft Enforcement license expires?

A. LiveUpdate stops.
B. Proactive Threat Protection is disabled.
C. SEP clients become unmanaged.
D. Content updates are allowed.

Correct Answer: D

QUESTION 33
A company is currently testing Symantec Endpoint Protection 12.1 on 100 clients. The company has decided to deploy SEP to an additional 20,000 clients. They are concerned about the number of clients supported on a single Symantec Endpoint Protection Manager (SEPM). What should the company do to ensure that the SEPM can support the clients?

A. Configure the clients for Pull mode.
B. Decrease the heartbeat interval.
C. Switch to HTTPS for client communications.
D. Switch to IIS as the web server.

Correct Answer: A

QUESTION 34
An administrator gets a browser certificate warning when accessing the Symantec Endpoint Protection Manager (SEPM) Web console. Where can the administrator obtain a self-signed certificate to prevent this warning from appearing?

A. SEPM console Licenses section
B. Symantec Protection Center
C. SEPM Web Access
D. Symantec Support

Correct Answer: C

QUESTION 35
An administrator installed Symantec Endpoint Protection 12.1 (SEP) in the environment. However, the administrator wants to use secure communication and SSL authentication between clients and the Symantec Endpoint Protection Manager (SEPM). How should the administrator proceed?

A. Configure and apply certificate in IIS on SEPM.
B. Configure SSL in the Apache Tomcat Web Server.
C. Edit http.conf.properties and change the port to 443.
D. Use public and private key configuration on SEPM 12.1.

Correct Answer: B

QUESTION 36
Refer to the exhibit.

Inheritance is turned on only for groups England, Sales, Laptops, and Manchester (highlighted). Without turning inheritance off, which top level group must be modified to affect users in the Laptop group?

A. My Company
B. England
C. London
D. Sales

Correct Answer: C

QUESTION 37
A client is unable to communicate with the Symantec Endpoint Protection Manager (SEPM) Server. The administrator decides to replace the Sylink.xml file on the client using the SylinkDrop tool. Which two additional tasks can be accomplished by replacing the Sylink.xml file? (Select two.)

A. Convert an unmanaged client to a managed client.
B. Migrate the SEPM servers to a new domain.
C. Enable remote troubleshooting for administrators.
D. Update Symantec Endpoint Protection client to the latest eraser engine.
E. Migrate or move clients to a new domain or management server.

Correct Answer: AE

QUESTION 38
A manufacturing company runs three shifts. Employees at the facility must share computers. The administrators need to apply different policies/configurations for each shift. The administrator will need to switch the clients to User mode. Which two additional configuration changes need to be made to allow policies to be applied to each shift? (Select two.)

A. Create one group for all computers on each shift.
B. Create one group for all users on each shift.
C. Turn on inheritance for all groups.
D. Turn on inheritance for all users.
E. Turn off inheritance for each user group created.
F. Turn off inheritance for each computer group created.

Correct Answer: BE

QUESTION 39
An administrator makes a change in the Active Directory structure which has been imported into the Symantec Endpoint Protection Manager (SEPM). By default, when will the change automatically be reflected in the SEPM?

A. as soon as the change is made in Active Directory
B. maximum 1 hour
C. maximum 4 hours
D. maximum 24 hours

Correct Answer: D

QUESTION 40
A Symantec Endpoint Protection Manager (SEPM) administrator is importing from an Active Directory environment. The administrator needs to know which object types are being imported. Which two object types are imported into the SEPM from Active Directory? (Select two.)

A. policy
B. users
C. computers
D. services
E. groups

Correct Answer: BC

QUESTION 41
When can an administrator delete a location?

A. when location awareness has been turned off
B. when the group has inheritance turned off
C. when all clients are moved from the group
D. when the policy has been withdrawn

Correct Answer: B

QUESTION 42
A large oil company has a small exploration department that is remotely located and rarely has internet connectivity. Which client type would allow the exploration department to configure their own security policies?

A. Mixed-mode client
B. User-mode client
C. Managed client
D. Unmanaged client

Correct Answer: D

QUESTION 43
A large software company has a small engineering department that is remotely located over a slow WAN connection. Which method will deploy the Symantec Endpoint Protection 12.1 (SEP) clients to the remote site using the smallest amount of network bandwidth?

A. Deploy the SEP clients using basic content.
B. Deploy the clients using the Push Install Wizard.
C. Install a Group Update Provider on a remote computer and then install the remote SEP clients.
D. Install a Group Update Provider on a local computer and then install the remote SEP clients.

Correct Answer: A

QUESTION 44
An administrator created a Symantec Endpoint Protection 12.1 (SEP) installation package without specifying the group to which the SEP clients should belong. What will happen when the administrator tries to install a SEP client using the installation package?

A. The SEP client installation will fail.
B. The SEP client will prompt the administrator to specify a group.
C. The Symantec Endpoint Protection Manager will prompt the administrator to specify a group.
D. The SEP client will be installed into a default group.

Correct Answer: D

QUESTION 45
A Symantec Endpoint Protection 12.1 (SEP) administrator discovers that a firewall is blocking Windows file sharing. Which method can bypass the firewall and allow the SEP clients to be installed with a minimum amount of effort?

A. Remote Push
B. Web Link and Email
C. Create Pull Mode client
D. Administrative share (C$) deployment

Correct Answer: B

QUESTION 46
A Symantec Endpoint Protection 12.1 (SEP) administrator deployed SEP clients, but the SEP clients are failing to register with the Symantec Endpoint Protection Manager (SEPM). Which solution would allow the clients to register with the SEPM?

A. Disable the firewall on the SEP client.
B. Allow port 8014 through the network firewall between the SEPM and the client.
C. Modify the network firewalls so that stateful packet inspection is performed.
D. Open the ephemeral TCP ports on the SEP client firewall.

Correct Answer: B

QUESTION 47
A Symantec Endpoint Protection 12.1 (SEP) administrator suspects that newly arrived computers are infected with a virus. Which steps should the administrator take when installing the SEP client on the new computers?

A. Choose the Evaluate before installation SEP client feature set.
B. Install an unmanaged client first, then install a managed client after the virus is removed.
C. Install Norton Removal Tool, then install the SEP client.
D. Run Power Eraser, then install the SEP client.

Correct Answer: D

QUESTION 48
An administrator wants to deploy the Symantec Endpoint Protection 12.1 (SEP) client to computers that are lacking the Symantec Endpoint Protection client. Which tool should the administrator use to discover and deploy the SEP client to the computers?

A. Unmanaged Detector
B. Client Deployment Wizard
C. Symantec Endpoint Recovery Tool
D. Symantec Endpoint Discovery Tool

Correct Answer: B

QUESTION 49
A Symantec Endpoint Protection 12.1 (SEP) administrator is remotely deploying SEP clients, but the clients are failing to install on Windows XP. Which two could be preventing installation? (Select two.)

A. Clients are members of a Windows domain and have Windows firewall enabled.
B. Clients are members of a Windows domain and have Windows firewall disabled.
C. Clients are members of a workgroup and simple file sharing is disabled.
D. Clients are members of a workgroup and simple file sharing is enabled.
E. Clients are members of a Windows domain and have a DHCP address.

Correct Answer: AD

QUESTION 50
Which Symantec Endpoint Protection client component must be installed to enable Unmanaged Detector mode?

A. Virus and Spyware Protection
B. SONAR
C. Network Threat Protection
D. Network Access Control

Correct Answer: C

QUESTION 51
In which client management log can an administrator identify when the client last connected to the Symantec Endpoint Protection Manager?

A. Compliance
B. Audit
C. System
D. Event

Correct Answer: C

QUESTION 52
Which command line syntax invokes the Symantec Endpoint Protection Client Service to determine whether a more recent copy of the configuration file is available on the management server?

A. smc -getconfig
B. smc -getsylink
C. smc -update
D. smc -updateconfig

Correct Answer: D

QUESTION 53
Immediately after installation, what does a managed client do to contact the Symantec Endpoint Protection Manager (SEPM)?

A. Initiate communication on port 80.
B. Initiate communication on port 8014.
C. Initiate communication on port 8445.
D. Wait for the SEPM if in Push mode.

Correct Answer: B

QUESTION 54
Refer to the exhibit.

The status of two clients on the Symantec Endpoint Protection Manager is provided in the exhibit. They indicate that the clients are "Offline". What does the Offline status indicate?

A. Live Update is not running on clients.
B. Antivirus is disabled in clients.
C. There are communications issues with clients.
D. Installation was unsuccessful on clients.

Correct Answer: C

QUESTION 55
Refer to the exhibit.

What does the symbol to the left of the system name, SEPMGR12, indicate?

A. The firewall is enabled.
B. The Symantec Endpoint Protection Manager is running.
C. The system is online.
D. The Unmanaged Detector is enabled.

Correct Answer: D

QUESTION 56
Some customers report that when they run the command "smc -stop" on their clients, they are unable to connect to network resources. What is wrong?

A. The customers need to enable the Smart DHCP option in their firewall policy.
B. The security option "Block all traffic until the firewall starts and after the firewall stops" is enabled.
C. A location awareness policy has been configured that applies when the service is stopped.
D. The network card is blocked by a Device Control policy.

Correct Answer: B

QUESTION 57
A company successfully deploys Symantec Endpoint Protection 12.1 to its clients. However, when the company deploys the client to the servers, the servers immediately reboot. The company needs to prevent the servers from rebooting during normal business hours. What is wrong?

A. The "Hard restart" option is enabled in the Restart Settings tab.
B. The "Restart immediately if the user is not logged in" option is enabled.
C. A previous version of the client was installed.
D. There is "No prompt" configured on the Restart Settings tab.

Correct Answer: B

QUESTION 58
A company has three groups of clients: Laptops, Desktops, and Servers. Administrators must have the ability to perform manual scans for these clients from the Symantec Endpoint Protection Manager. In addition, the manual scans need to be customized according to the different clients, for example by customizing whether memory is scanned and which folder locations are scanned. How can the environment be configured to provide this ability while minimizing management overhead?

A. Configure one Virus and Spyware Protection policy with a customized On-Demand scan and set different Exception policies for each group.
B. Configure one Virus and Spyware Protection policy with three customized On-Demand scans.
C. Configure one Virus and Spyware Protection policy with three customized Scheduled scans and setting the schedule to Manual.
D. Configure a different Virus and Spyware Protection policy for each group with customized On-Demand scans.

Correct Answer: D

QUESTION 59
A Symantec Endpoint Protection 12.1 group has two defined locations based on whether clients are attached to the local network or are remote. The local network location has an administrator-defined scan scheduled to begin each Monday at 09:00. The remote location has an administrator-defined scan scheduled to begin each Wednesday night at 21:00. All systems are used daily and remain powered on all night. Some users in the group have laptops, while the other users have standard desktops. Assuming the laptops are taken home and used each night, what is the effect?

A. All clients will run scans only on Monday.
B. All clients will run scans both on Monday and Wednesday.
C. The laptops will run scans only on Wednesday, while the desktops will run scans only on Monday.
D. The laptops will run scans both on Monday and Wednesday, while the desktops will run scans only on Monday.

Correct Answer: D

QUESTION 60
Which two actions can a user take during an in-progress scheduled scan? (Select two.)

A. disable
B. stop
C. pause
D. skip
E. reschedule

Correct Answer: BC
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 61
A user added a daily 10:00 scheduled scan to their Symantec Endpoint Protection 12.1 client. After reviewing the logs, the user confirms that the scan failed to start at 10:00. Why did the scan fail to start?

A. Tuning Options were set for best application performance.
B. "Delay scheduled scans when running on battery" was enabled.
C. Scan Progress options were set to "Do not show progress".
D. The Windows scheduler service was disabled.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 62
A Symantec Endpoint Protection 12.1 client is running a user-defined scan when a scheduled, administrator-defined scan is scheduled to launch. What is the effect on the client?

A. The user-defined scan will be paused in order to launch the administrator-defined scan.
B. The administrator-defined scan will launch after the user-defined scan completes.
C. The user-defined scan will be canceled in order to launch the administrator-defined scan.
D. The administrator-defined scan will be skipped and the user-defined scan will continue.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 63
Which protection technology assists in protecting documents in real-time when accessed or modified?

A. SONAR
B. Reputation Scans
C. Auto-Protect
D. Scheduled Scans

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 64
A Symantec Endpoint Protection 12.1 administrator has the Virus and Spyware Protection policy configured with Auto-Protect enabled. The administrator is confronted with computer performance issues. Which two options can the administrator use to improve performance? (Select two.)

A. Enable the option to Trust Files on Remote Computers Running Auto-Protect.
B. Enable the Risk Tracer option.
C. Edit the autoprotect.xml and increase the cache value.
D. Enable the option of Network Cache.
E. Enable the Preserve File Times option.

Correct Answer: AD
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 65
An administrator is modifying a Virus and Spyware Protection policy for a Symantec Endpoint Protection 12.1 (SEP) client because it is demonstrating poor boot performance. Which option should the administrator consider to alleviate this problem?

A. Ensure that Risk Tracer is disabled.
B. Load Auto-Protect during the startup of SEP.
C. Enable File Cache across reboots.
D. Modify the policy to use Insight Cache.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 66
Which technology uses heuristics to scan outbound email?

A. Internet Email Auto-Protect
B. Microsoft Outlook Auto-Protect
C. Lotus Notes Auto-Protect
D. SONAR

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 67
Which type of email does Internet Email Auto-Protect support?

A. IMAP based email
B. HTTP/s based email
C. SMTP based email
D. Outlook Web Access (OWA)

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 68
Refer to the exhibit.

In the use case displayed in the exhibit, why is the administrator unable to save the changes to this file?

A. Application Control is preventing Notepad from accessing the host file.
B. SONAR is set to block host file modifications.
C. Tamper Protection is enabled.
D. The Auto-Protect feature detected a malicious activity.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 69
What could be an adverse effect of activating aggressive mode on the SONAR policy?

A. false negatives
B. false positives
C. performance issues
D. higher rejection rate

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 70
Which two options are available when configuring high risk detection in SONAR? (Select two.)

A. Block
B. Skip
C. Quarantine
D. Log
E. Delete

Correct Answer: CD
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 71
Acrobat Reader is being targeted by a threat using process injection. Which feature of SONAR is sandboxing Acroread32.exe so that the threat is prevented from dropping its payload?

A. Commercial Application Detection
B. Suspicious Behavior Detection
C. System Change Events
D. Signature Based Detection

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 72
Which two options are available when configuring DNS change detected for SONAR? (Select two.)

A. Block
B. Skip
C. Quarantine
D. Log
E. Delete

Correct Answer: AD
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 73
A company is building a new Symantec Endpoint Protection Manager and is setting the remediation actions for threats in the Virus and Spyware Protection policy. For security risks, the first action is set to Repair and the second action is Quarantine. In this environment, Symantec Endpoint Protection 12.1 (SEP) has been deployed to a small group of clients for testing. Which condition would cause Auto-Protect to stop sending notifications and stop logging the event after three detections?

A. A client continuously downloads the same security risk.
B. File System Auto Protect is malfunctioning on the SEP Client.
C. SEP services on the client are stopped.
D. SEP is unable to read virus definitions.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 74
An administrator set the remediation options for Security Risks to the defaults (Quarantine, then Delete). However, the security team is the only team authorized to have Hack Tools on their systems. Which two steps must the administrator complete to accomplish this? (Select two.)

A. Create a specific group for Security Team.
B. Turn on inheritance for the Security Team group.
C. Assign a Virus and Spyware Protection policy with customized remediation options set.
D. Set a specific location for the My Company group.
E. Unlock the padlock in Auto-Protect for Remote Access.

Correct Answer: AC
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 75
Where is a file encrypted and saved to when the "Backup files before attempting to repair them" setting is enabled?

A. the local Windows Temp (C:\Windows\Temp) directory
B. the local Quarantine folder
C. the FileBackup folder within the Application Data\Symantec directory
D. the local Symantec Endpoint Protection Temp folder

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 76
In which two situations would Symantec Endpoint Protection 12.1 (SEP) generate a Left Alone action? (Select two.)

A. Another scan is in progress.
B. The detected file is in use.
C. There are limited permissions to the file on the system.
D. The file is marked for deletion by Windows on reboot.
E. Virus definitions are corrupt or missing.

Correct Answer: BC
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 77
A company is deploying Symantec Endpoint Protection 12.1 and configuring remediation options within the Virus and Spyware Protection policy. They are considering enabling "Terminate processes automatically" within the remediation options. If this feature is enabled, which two characteristics will the user see when the client must terminate a process to remove or repair a risk? (Select two.)

A. When this option is enabled, the client automatically takes the necessary action without notifying users.
B. When a restart is required, the machine automatically reboots and the user is unable to opt out of the restart.
C. When this option is enabled, the client notifies the user of ending processes to mitigate the threat.
D. When this option is enabled, the client generates an entry in the Risk logs that a process was terminated automatically.
E. When a restart is required, the user is allowed to save data and close open applications or to opt out of the restart.

Correct Answer: AE
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 78
An administrator is reviewing risk logs in the Symantec Endpoint Protection Manager (SEPM) and notices that some entries list that the "Risk was partially removed". The administrator wants to determine whether additional steps are necessary to remediate the threat. How should the administrator proceed?

A. Review the threat writeup and run a full system scan on the machine.
B. Perform a repair of the Symantec Endpoint Protection install on the machine.
C. Submit infected file to Security Response to see if it is a new variant.
D. Change remediation actions in the Virus and Spyware Protection policy in the SEPM.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 79
A clean file in a proprietary application has been quarantined by SONAR. How can an administrator fix the broken application from the Symantec Endpoint Protection Manager console?

A. Restore the application with the Client Deployment Wizard.
B. Allow the application from the Monitor Logs view.
C. Run the Enable Auto-Protect command on the client.
D. Run a new scan with a newer set of definitions.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 80
Which Symantec Endpoint Protection 12.1 feature allows an administrator to prevent users from downloading files that are unsafe?

A. SONAR
B. Insight
C. Application Control
D. Trusted Web Domain exceptions

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 81
A company is concerned that its clients may be out-of-date and it wants to ensure that all running applications are protected with Symantec's latest definitions, even if they are unavailable on the Symantec Endpoint Protection 12.1 (SEP) client. How could the company configure SEP to achieve this goal?

A. Enable SONAR with High Risk detections set to Quarantine.
B. Enable Insight Lookup as part of a daily scheduled scan.
C. Enable Insight for Community and Symantec Trusted Files.
D. Enable and apply an Intrusion Prevention policy.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 82
What is the likely impact of increasing the Download Insight sensitivity?

A. It would block files that trend towards a poor reputation and decrease false positives.
B. It would allow only files with a good reputation and decrease false positives.
C. It would allow only files that trend toward a good reputation and increase false positives.
D. It would block files that have a poor reputation and decrease false positives.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 83
A customer is downloading newly-created company files from an internal website and is being blocked by Download Insight based on reputation. How can the customer prevent this?

A. Change the minimum number of days in the Download Insight settings.
B. Change the minimum number of users in the Download Insight settings.
C. Increase the sensitivity slider in the Download Insight settings.
D. Enable the option to trust files downloaded from an intranet website in the Download Insight settings.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 84
An administrator wants to make sure users are warned when they decide to download potentially malicious files. Which option should the administrator configure?

A. the Notifications tab under the admin-defined scan settings
B. the Notifications tab under Auto-Protect settings
C. the Network Protection Security event notification in location-specific settings
D. the Notifications tab under Download Insight settings

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 85
Refer to the exhibit.

A user runs a full scan on a system and is confused by the "Files trusted" count. Which option will result in the files being left unscanned?

A. Enabling the "Only when files are executed" setting in the Virus and Spyware Protection policy.
B. Enabling the "Do not scan files when trusted processes access the files" setting in the Virus and Spyware Protection policy.
C. Enabling Insight in the Virus and Spyware Protection policy.
D. Enabling the file cache settings in the Virus and Spyware Protection policy.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 86
A customer reports that users are able to download new files from the internet and execute those files on their own computers. What can be configured to prevent this?

A. Decrease the Download Insight sensitivity.
B. Change the action for unproven files in Download Insight.
C. Change the second action for malicious files in Download Insight.
D. Change the first action for malicious files in Download Insight.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 87
A computer is configured in Mixed Control mode. The administrator creates and applies a Firewall policy to the computer that has a rule that allows FTP traffic above the blue line and another rule that blocks LDAP traffic below the blue line. On the computer, local rules are created to allow LDAP traffic and block FTP traffic. Which traffic flow behavior should be expected on the local computer?

A. Both FTP and LDAP traffic are allowed.
B. Both FTP and LDAP traffic are blocked.
C. FTP is blocked and LDAP is allowed.
D. FTP is allowed and LDAP is blocked.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 88
Refer to the exhibit.

A company has created a specific firewall policy that allows only certain traffic. Which traffic is allowed in the firewall policy displayed in the exhibit?

A. traffic on port 23 from Telnet (telnet.exe)
B. traffic on port 25 from Outlook (outlook.exe)
C. traffic on port 110 from Outlook (outlook.exe)
D. traffic on port 80 from Internet Explorer (iexplore.exe)
E. traffic on port 443 from Internet Explorer (iexplore.exe)

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 89
A company is running the Symantec Endpoint Protection 12.1 firewall and wants to ensure that DNS traffic is allowed. Which feature should be enabled in the firewall policy?

A. DNS exception
B. DNS Lookup
C. Reverse DNS Lookup
D. Smart DNS

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 90
A system administrator created a firewall policy that allows certain applications and blocks others. However, some applications are being blocked that should be allowed. Which log should be viewed to troubleshoot this issue?

A. Application log
B. System log
C. Traffic log
D. Control log

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 91
An administrator has defined a rule to allow traffic to and from a specific server by its Fully Qualified Domain Name (FQDN), because the server's IP address varies based on the office in which a client is located. The administrator attempts to verify the rule and finds that the traffic is being blocked. The logs list the IP address of the server instead of its FQDN. What does the administrator need to do within the firewall policy to allow the rule to work correctly?

A. Enable DNS lookup.
B. Enable reverse DNS lookup.
C. Disable Smart DNS.
D. Disable NetBIOS Protection.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 92
A company is running the Symantec Endpoint Protection 12.1 firewall with the default policy. At the bottom of the ruleset, there is a rule called "Block all other IP traffic and log" which will block all IP traffic. A financial application is being blocked by this rule. What should be changed to allow the application without sacrificing security?

A. The existing rule should be changed.
B. A new rule should be created.
C. An existing rule should be deleted.
D. An existing rule needs to be reordered.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 93
A company has a firewall policy with a rule that allows all applications on all ports. An administrator needs to modify the policy so that it allows Internet Explorer to communicate to any website, but only on port 80 and 443. In addition, the company only wants this modification to affect traffic from Internet Explorer. The administrator created a new rule at the top of the ruleset that allows Internet Explorer on port 80 and 443. Which step should the administrator take next?

A. Move the new rule below the Allow Applications rule.
B. Delete the Allow All Applications rule.
C. Modify the Allow All Applications rule to exclude Internet Explorer.
D. Create a new rule above the Allow All Applications rule to block Internet Explorer.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 94
The Symantec Endpoint Protection 12.1 (SEP) client indicates that the Virus and Spyware Protection (AV) definitions are current, while the Intrusion Prevention System (IPS) signatures are one day older. How can an administrator determine whether this SEP client is up-to-date?

A. The administrator can tell the client is up-to-date because the AV definitions are the latest.
B. The administrator can tell the client is out-of-date because the IPS signatures are old.
C. The administrator needs to review the client Computer Status logs to determine whether the client is up-to-date.
D. The administrator needs to review the Symantec Security Response page to determine whether the client is up-to-date.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 95
A company selected Opera 10 as its corporate browser. Drive-by downloads are occurring and SONAR intercepts the resulting scripts. How should the company proceed to minimize the occurrence of drive-by downloads?

A. Upgrade to Opera 11.
B. Use Internet Explorer or Firefox.
C. Enable browser protection.
D. Reboot the Symantec Endpoint Protection client.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 96
Which Intrusion Prevention feature is updated automatically?

A. Intrusion Prevention custom signatures
B. SNORT syntax
C. Auto-Protect
D. Generic Exploit Blocking

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 97
An administrator needs to exclude some servers from an Intrusion Prevention System (IPS) policy. When specifying an excluded host in an IPS policy, which two methods can be used? (Select two.)

A. DNS host
B. IP address
C. MAC address
D. DNS domain
E. subnet

Correct Answer: BE
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 98
An administrator needs to ensure that a specific network threat can be detected. The attack signatures for this threat may be found across multiple packets. What can the administrator do to ensure the best chance of detecting this threat?

A. Ensure that Symantec IPS signatures are updated.
B. Create custom IPS signatures.
C. Enable TCP resequencing.
D. Create a Firewall rule for this threat.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 99
A company organizes its clients into two groups: the Symantec Endpoint Protection Manager (SEPM) group with all the SEPMs and a Desktops group with all other systems. An Application and Device Control policy is used with the "Block modifications to hosts file" rule set enabled. This policy is applied to all groups in the company. How can an administrator modify the hosts file on the SEPM systems, while minimizing risks posed to the company?

A. Withdraw the policy from all clients, modify the hosts files, and reassign the policy.
B. Withdraw the policy from the SEPM group, modify the hosts files, and reassign the policy.
C. Modify the hosts file using an operating system-based system account.
D. Temporarily disable Network Threat Protection on each client when modifying the hosts file.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 100
An administrator needs to customize the Application and Device Control policy to exclude all USB devices except for a specific, company-issued USB thumb drive. Which function or program, provided with the Symantec Endpoint Protection 12.1 software, should the administrator use to customize the environment?

A. DevViewer.exe
B. Sep_SupportTool.exe
C. SOIS.exe
D. vietool.exe

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 101
Refer to the exhibit.

A USB mouse is plugged in to a system that uses the device control displayed in the exhibit. What is the expected behavior?

A. The mouse is blocked until the user adds the device as a local client exception.
B. The mouse is blocked until an administrator adds the device to the exception policy.
C. The mouse will work as normal because the Human Interface Device exclusion takes precedence.
D. The mouse will work as normal because Mouse devices are missing from Blocked Devices.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 102
Refer to the exhibit.

A company is using a custom application that writes its application settings in the registry. An administrator plans to prevent users from modifying these values, while ensuring that the custom application still functions correctly. An Application and Device Control policy is created with an application rule to block access to create, delete, or write attempts, for the registry keys used by the custom application. One way to ensure users are prohibited from the registry keys, but the custom application can still modify them, is to add an Application Control exception for the custom application. What is another way to ensure this functionality?

A. Add an application rule to allow access to create, delete, or write attempts, to the custom application folder.
B. Add an application rule to allow access to read attempts for the registry keys.
C. Add an application rule set that allows access to read attempts for the registry keys.
D. Add an application rule to allow access to create, delete, or write attempts for the custom application.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 103
A company needs to prevent users from modifying files in a specific program folder that is on all client machines. What needs to be configured?

A. a file and folder exception in the Exception policy
B. an application rule set in the Application and Device Control policy
C. a file fingerprint list and System Lockdown
D. a custom IPS signature in the Intrusion Prevention policy

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 104
An administrator is testing a new Application and Device Control policy. One of the rule sets being tested blocks the notepad.exe application from running. After pushing the policy to a test client, the administrator finds that notepad.exe is still able to run. The administrator verifies that the rule set is enabled in the Application and Device Control policy. Which two may be preventing the policy from performing the application blocking? (Select two.)

A. An Application exception has been configured in the Exceptions policy.
B. System Lockdown has been configured for the client.
C. Network Threat Protection needs to be installed on the client.
D. The rule set is in the "Test (log only)" mode.
E. A rule set with conflicting rules exists higher up in the policy.

Correct Answer: DE
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 105
An administrator enabled the default application control rule "Block writing to USB Drives", but needs to modify it so that clients can write to a specific make and model of company-authorized, encrypted USB drive. How should the administrator proceed?

A. Edit the rule set and add the device ID to the exceptions.
B. Edit the rule set and add a condition after the block condition to allow access to the specific device.
C. Edit the rule set and add a rule after the block rule to allow access to the specific device.
D. Using DevViewer, plug the device into the Symantec Endpoint Protection Manager and select "Add Device to Manager".

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 106
An administrator enables the "Learn applications that run on the client computers" setting for a group of clients. Later, when using the Search for Applications function, the administrator is unable to find results. What is the cause of the problem?

A. The administrator is a limited administrator without rights to view reports.
B. Application learning is disabled under communication settings at the site level.
C. Submissions are disabled on the Symantec Endpoint Protection client by the user.
D. Pull mode is enabled and is unsupported by application learning.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 107
A company creates free web access computers for use in public areas, such as airports. The software provided on the computers will be static and the systems must be secure. What should be used to restrict unauthorized applications from running on these computers?

A. client security settings and Tamper Protection
B. blocked devices in an Application and Device Control policy
C. file fingerprint list and System Lockdown
D. custom IPS signatures in an Intrusion Prevention policy

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 108
What is a benefit of enabling Browser Intrusion Prevention?

A. It uses a reputation and cloud-based technology to monitor and identify attacks on Internet Explorer and Firefox.
B. It sends traffic results to a dedicated Symantec server to determine whether the traffic is legitimate.
C. It monitors traffic on supported browsers by using attack signatures and heuristics.
D. It improves performance by allowing clients to share Intrusion Prevention scan results.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 109
Company A acquires Company B. Company B has 200 employees. Multiple firewall rules, based on collections of client addresses, are required to allow the new employees access to Company A's resources and permissions to use approved network applications. Which feature should be used to minimize the amount of time needed to create rules for these new clients?

A. Application rule sets
B. Host groups
C. Built-in rules
D. Network Services

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 110
Which two criteria can be used to determine hosts in a host group? (Select two.)

A. DNS domain
B. Subnet
C. Gateway address
D. WINS server
E. DHCP server

Correct Answer: AB
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 111
Which two criteria can be used to determine hosts in a host group? (Select two.)

A. MAC address
B. registry key
C. management server connection
D. DNS host
E. network connection type

Correct Answer: AD
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 112
According to Symantec best practices, which two tasks should be completed after creating file fingerprint lists, but prior to enabling System Lockdown? (Select two.)

A. Add any approved applications.
B. Move the Symantec Endpoint Protection Managers to a separate group.
C. Log unapproved applications.
D. Run the checksum.exe command on the clients.
E. Enable application learning.

Correct Answer: AC
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 113
Which port is used by default for replication between sites?

A. 2967
B. 8014
C. 8443
D. 9090

Correct Answer: C

QUESTION 114
A company has deployed Symantec Endpoint Protection 12.1 in their corporate environment using a multi-site design. If an administrator makes policy changes in the United States site, when will the changes appear in the European site?

A. after the next heartbeat
B. after the next replication interval
C. immediately
D. after the policy changes are saved

Correct Answer: B

QUESTION 115
In a management server list, Symantec Endpoint Protection Manager (SEPM) A is added to Priority 1, and SEPM B is added to Priority 2. This setup will provide which service?

A. load balancing
B. replication
C. failover
D. clustering

Correct Answer: C

QUESTION 116
Which two configuration elements are needed in order to add a replication partner? (Select two.)

A. SQL Server IP and sa password
B. administrator name and password
C. site-to-site VPN tunnel
D. replication server name and port
E. internet access

Correct Answer: BD

QUESTION 117
Which two are optional when replicating between Symantec Endpoint Protection Managers? (Select two.)

A. groups
B. policies
C. logs
D. content
E. locations

Correct Answer: CD

QUESTION 118
What is the default replication frequency when adding an additional site to a Symantec Endpoint Protection 12.1 deployment?

A. 1 hour
B. 8 hours
C. daily
D. Autoreplicate

Correct Answer: C

QUESTION 119
Which step must be completed to set up two sites to replicate?

A. Add a new Management Server list with the replication partner added.
B. Launch the Replication Wizard from the Admin page and follow the prompts.
C. Install a SQL server on at least one site.
D. Install a Symantec Endpoint Protection Manager Server and database as a replication partner.

Correct Answer: D

QUESTION 120
Which authentication method must be used to provide the ability to reset forgotten passwords?

A. RSA SecurID Authentication
B. Smart Card Authentication
C. Symantec Management Server Authentication
D. Directory Authentication

Correct Answer: C

QUESTION 121
An employee is taking leave for four months and the employee's workstation will be powered off and locked in an office. Why does the workstation disappear from the Symantec Endpoint Protection Manager (SEPM) Reports and Client view after 30 days?

A. Administrators used the "reclaim license" option.
B. The SEPM purges offline clients after a set amount of time.
C. The SEPM quarantines offline clients after a set amount of time.
D. The SEPM purges clients with expired licenses.

Correct Answer: B

QUESTION 122
How frequently does Symantec recommend that a Symantec Endpoint Protection Manager site check LiveUpdate for content updates?

A. every hour
B. every 4 hours
C. once a day
D. twice a day

Correct Answer: B

QUESTION 123
Which two should be considered when enabling Application Learning in an environment? (Select two.)

A. Application Learning requires Virus and Spyware Protection.
B. Application Learning should be deployed on a small group of systems in the enterprise.
C. Application Learning can generate significant CPU or memory use on a Symantec Endpoint Protection Manager.
D. Application Learning can be used without using application-based firewall rules, Application Control rules, or Centralized Exceptions.
E. Application Learning is dependent on a properly configured firewall.

Correct Answer: BC

QUESTION 124
Where are directory servers added before importing Organizational Units (OU) or adding administrators to the Symantec Endpoint Protection Manager?

A. Site properties
B. Server properties
C. localhost properties
D. Import Server properties

Correct Answer: B

QUESTION 125
A company is setting up a new environment with three Symantec Endpoint Protection Managers (SEPM) and wants to set one SEPM to act as the primary reporting server. Where in the SEPM should the administrator configure the priority reporting server to be used for running scheduled reports and notifications?

A. Local Host properties
B. Local Site properties
C. Scheduled reports
D. Server properties

Correct Answer: B

QUESTION 126
A company suffered a catastrophic hardware failure on the Symantec Endpoint Protection Manager (SEPM) which was using a remote Microsoft SQL Server. The administrator has all required backups. The administrator restores the hardware and the operating system with the required software (including SEPM). What is the next step in the recovery procedure?

A. Export the server certificate from the SEPM console.
B. Customize the SEPM configuration using the recovery file.
C. Restore the SQL database to realign with SEPM restore.
D. Replace the Sylink.xml using the SylinkDrop.exe.

Correct Answer: B

QUESTION 127
An administrator is in the process of recovering from a disaster and needs the keystore password to update the certificate on the Symantec Endpoint Protection Manager (SEPM). From which two locations can the administrator obtain this information? (Select two.)

A. SEPM replication partners
B. original installation log
C. disaster recovery file
D. settings.properties file
E. Sylink.xml file from the SEPM

Correct Answer: CD

QUESTION 128
An administrator notices that the Symantec Endpoint Protection Manager (SEPM) embedded database is growing large and is taking longer to back up than desired. How can backup performance of the database be improved?

A. Change the number of backups to keep.
B. Reduce the number of log entries under Log Settings.
C. Change the backup frequency from Weekly to Daily.
D. Configure incremental backups in the SEPM.

Correct Answer: B

QUESTION 129
A Microsoft SQL Server containing a Symantec Endpoint Protection Manager (SEPM) database has encountered an unrecoverable hard drive failure. An administrator has rebuilt the Microsoft SQL Server and has confirmed that the SEPM can connect with the SQL Server. Which step should the administrator take next?

A. Select Rebuild Indexes from the SEPM console.
B. Launch Checksum.exe database integrity tool.
C. Use the Backup and Restore utility included with SEPM.
D. Select Truncate Transaction Logs from the SEPM.

Correct Answer: C

QUESTION 130
Which operation can be performed using the Database Back Up and Restore utility found in the Windows Start menu?

A. on-demand backup of the database
B. scheduled monthly backup of the database
C. selection of the Symantec Endpoint Protection Manager to backup
D. selection of the backup location

Correct Answer: A

QUESTION 131
A company suffered catastrophic hardware failure on the Symantec Endpoint Protection Manager (SEPM). The administrator restores the hardware and the operating system with the required software (including SEPM). The administrator then runs the SEPM Database Back Up and Restore utility. What is the most important consideration?

A. Ensure that the Microsoft SQL services are disabled on the server.
B. Ensure that the SEPM service is set to Manual and Running.
C. Ensure that the SEPM service is set to Automatic and Stopped.
D. Ensure that the embedded database service is set to Disabled and Stopped.

Correct Answer: C

QUESTION 132
An administrator has installed Symantec Endpoint Protection 12.1 using an embedded database. Which two database maintenance tasks are available in the Symantec Endpoint Protection Manager console? (Select two.)

A. truncating database transaction logs
B. limiting the client installation log entries
C. rebuilding of database indexes
D. deleting clients who have not connected recently from the console
E. limiting the number of backups to keep

Correct Answer: AC

QUESTION 133
An administrator is restoring a Microsoft SQL Symantec Endpoint Protection 12.1 database and installing a new Symantec Endpoint Protection Manager (SEPM). After completing the restore, the administrator notices that the clients are unable to connect to the SEPM. Which step did the administrator forget when performing the restore?

A. restoring the client certificate
B. restoring the server certificate
C. importing the previously backed up data
D. setting the SQL client folder

Correct Answer: B

QUESTION 134
How can an administrator proactively obtain information about unknown devices on a network?

A. Use the Client Deployment Wizard feature to locate unmanaged endpoints.
B. Create an Unmanaged Computer notification.
C. Schedule an audit report to send to the administrator.
D. Run the Symantec Endpoint Discovery Tool.

Correct Answer: B

QUESTION 135
A company is building a new Symantec Endpoint Protection Manager (SEPM) and building email notifications that will go to the security team. Which two notification conditions should the team implement into the SEPM? (Select two.)

A. Unknown User
B. Invalid Host Name
C. Risk Outbreak
D. Group Update Provider Failure
E. Authentication Failure

Correct Answer: CE

QUESTION 136
An administrator needs to determine which versions of Symantec Endpoint Protection (SEP) are currently in the network. Which report provides this information?

A. Client Inventory report
B. Deployment report
C. SEP Product Versions report
D. Audit Inventory report

Correct Answer: C

QUESTION 137
Which notification action can be performed when a security-related condition is met?

A. Send an SNMP trap.
B. Alert with a GUI popup on the admin console.
C. Run a batch file or another executable file.
D. Send an alert to a client.

Correct Answer: C

QUESTION 138
An administrator needs to check when and by which account a policy was modified. Which log query should the administrator use?

A. Compliance
B. Audit
C. Access
D. System

Correct Answer: B

QUESTION 139
Which Symantec Endpoint Protection Manager feature allows an administrator to view and modify commonly accessed reports?

A. Favorite Reports Display list on the Monitors page
B. Scheduled Reports in the Reports section
C. Favorite Reports Display list on the Home page
D. Summary Dropdown in the Monitors section

Correct Answer: C

QUESTION 140
Which two options can administrators customize on the Home page? (Select two.)

A. auto-refresh rate
B. number of reports
C. Favorite Reports
D. Common Tasks
E. types of endpoints listed

Correct Answer: AC

QUESTION 141
Refer to the exhibit.

An administrator has configured the Symantec Endpoint Protection Manager (SEPM) to use Active Directory authentication. The administrator defines a new Symantec Endpoint Protection administrator named Sep_SysAdmin, configured to use Directory Authentication. Which password needs to be entered when the administrator logs in to the SEPM console as Sep_SysAdmin?

A. the password for the Active Directory user that was mapped with Sep_SysAdmin
B. the password for the user named Sep_SysAdmin that was created in SEPM
C. the password for the user named Sep_SysAdmin that was created in Active Directory
D. the password for the Administrator account in Active Directory

Correct Answer: A

QUESTION 142
What are two default access rights for various types of Symantec Endpoint Protection Manager Administrator accounts? (Select two.)

A. A system administrator can view and modify the entire organization.
B. An administrator can view and modify all features in a single domain and can view reports in other domains.
C. A limited administrator can view the entire organization.
D. An administrator can view multiple domains.
E. An administrator can view and modify all features in a single domain.

Correct Answer: AE

QUESTION 143
What are two responsibilities associated with the Limited Administrator account type in Symantec Endpoint Protection Manager? (Select two.)

A. view and manage console settings for domains
B. create and manage accounts in a single domain
C. create location specific policies
D. manage their own authentication type
E. remotely run commands on client computers

Correct Answer: CE

QUESTION 144
An administrator defines the Active Directory settings in the Symantec Endpoint Protection Manager (SEPM). The administrator adds an account named Sep_SysAdmin in the SEPM. This account is configured to use Active Directory Authentication. Which two settings can the administrator configure for the Sep_SysAdmin account? (Select two.)

A. Password Never Expires
B. Test Account
C. Password Expires in x Days (where x is any number)
D. Check the Password Strength
E. Select the Directory Server

Correct Answer: BE

QUESTION 145
Refer to the exhibit.

An administrator defines the Active Directory settings in the Symantec Endpoint Protection Manager as displayed in the exhibit. Which port number should be used for LDAP?

A. 389
B. 636
C. 637
D. 639

Correct Answer: B

QUESTION 146
Which two can be used when defining location switching criteria for the Symantec Endpoint Protection 12.1 client? (Select two.)

A. NIC description
B. OS type
C. MAC address
D. WINS server
E. client version

Correct Answer: AD

New Questions


QUESTION 147
When the Symantec Endpoint Protection 12.1 client firewall defends against a MAC spoof attack, what does it drop?

A. ICMP response
B. IP redirect
C. gratuitous ARP
D. TCP reset

Correct Answer: D

QUESTION 148
Which technology does the Symantec Endpoint Protection Firewall use?

A. proxy inspection
B. packet filtering
C. stateful packet inspection
D. application gateway proxy

Correct Answer: D

QUESTION 149
A large enterprise plans to deploy Symantec Endpoint Protection 12.1 (SEP) on 36,000 virtual endpoints distributed across 1,800 VMware ESX servers in a single datacenter. A system administrator needs to optimize endpoint scanning performance by enabling Shared Insight Cache (SIC) server functionality. Which two configuration changes should the administrator make to minimize the number of SIC servers that need to be deployed? (Select two.)

A. Perform regular scans of all virtual systems with the offline image scanner.
B. Enable scanning randomization across all SEP endpoints.
C. Enable virtual image exceptions across all SEP endpoints.
D. Disable Insight lookups for threat detection on each virtual SEP endpoint.
E. Enable download randomization across all SEP endpoints.

Correct Answer: BC


QUESTION 150
An administrator enabled virtual image exceptions for Auto-Protect and Administrator-Defined scans on virtual machines. In order to protect against previously undetected threats, the administrator must regularly scan the static instance of the virtual machine image set which includes the files that have been whitelisted. In addition to cleaning the static image set, which additional step must the administrator complete if threats are discovered?

A. Select the threat in the log and add it as an exception.
B. Use the Symantec Offline Image Scanner (SOIS) on the static image.
C. Ensure that virtual client tagging is enabled.
D. Use the vietool to update the whitelist.

Correct Answer: D

QUESTION 151
An administrator enabled virtual image exceptions for Auto-Protect and Administrator-Defined scans on virtual machines. In order to protect against previously undetected threats, the administrator must regularly scan the static instance of the virtual machine image set which includes the files that have been whitelisted. In addition to cleaning the static image set, which additional step must the administrator complete if threats are discovered?

A. Select the threat in the log and add it as an exception.
B. Use the Symantec Offline Image Scanner (SOIS) on the static image.
C. Ensure that virtual client tagging is enabled.
D. Use the vietool to update the whitelist.

Correct Answer: D

QUESTION 152
Which statement describes a difference between Virtual Image Exceptions (VIE) and Shared Insight Cache (SIC)?

A. VIE tracks executable files, whereas SIC tracks all file types.
B. VIE data is stored on the local system, whereas SIC data is placed in a shared location.
C. SIC tracks whitelisted and malicious files, whereas VIE tracks only whitelisted files.
D. SIC can query Symantec Insight, whereas VIE is unable to make Symantec Insight queries.

Correct Answer: B

QUESTION 153
Which feature can be configured to increase or decrease performance of scheduled scans?

A. scan frequency
B. CPU throttling
C. heartbeat interval
D. tuning options

Correct Answer: A


QUESTION 154
A user is downloading a file from https://www.example.com to the local system. The user is able to download and save that file even though it is a known malicious application. Why is the user able to download the application?

A. A SONAR exception is in place.
B. An Application Control exception for the file is in place.
C. A Trusted Web Domain exception is in place.
D. Download Insight exceptions are disabled.

Correct Answer: C

QUESTION 155
A managed Symantec Endpoint Protection 12.1 (SEP) client is in a group that has a Virus and Spyware Protection policy specifying that all files must be scanned. An Exceptions policy has been applied to the group by the SEP administrator. The Exceptions policy has an empty exclusions list. A local user of the client has added an Exception to exclude C:\temp. What will happen if a user attempts to download a file to the C:\temp folder?

A. The local exclusion will be ignored.
B. The user will be prompted to override the group's policy.
C. The local exclusion will allow malware.
D. The group's policy will negate the local exception.

Correct Answer: C

QUESTION 156
In addition to adding exceptions directly into an Exceptions policy, what is another method of adding exceptions?

A. adding the exception to a policy from the Application Control log
B. importing the exception into a policy from the Notifications window
C. adding the application exception to a File Fingerprint list
D. adding the exception from the Threat report

Correct Answer: A

QUESTION 157
An exception needs to be created for a file named "RunMe.exe" in a user's Windows 7 "My Documents" folder. The user's login name is Bob. Which method should be used?

A. Create a file exception for "RunMe.exe" with a Prefix Variable of [USERNAME].
B. Create a file exception for "C:\Users\Bob\My Documents\RunMe.exe".
C. Create a file exception for "*\RunMe.exe".
D. Create a file exception for %USERPROFILE%"\My Documents\RunMe.exe".

Correct Answer: B

QUESTION 158
How can a Symantec Endpoint Protection 12.1 client on a Macintosh system get updates?

A. using a LiveUpdate server
B. via a Group Update Provider
C. from the Symantec Endpoint Protection Manager
D. using an .xdb file

Correct Answer: A

QUESTION 159
What is the first step an administrator should take in order to run the Virtual Image Exception Tool when implementing a new Virtual Desktop Infrastructure?

A. Update virus definitions.
B. Install .Net 4.0 framework.
C. Run a full scan.
D. Install Symantec Endpoint Protection 12.1 client.

Correct Answer: D

QUESTION 160
A large set of static PDF files stored on a single virtual client system, which is running on an ESX server, need to be scanned daily by a scheduled scan. Which two features should be employed to minimize performance impact on the client during scanning of these files? (Select two.)

A. Scanning Randomization
B. Virtual Image exceptions
C. Shared Insight Cache
D. Download Insight
E. Offline Image Scanner

Correct Answer: BC

QUESTION 161
A company wants to reduce or eliminate the HelpDesk calls they receive due to end users modifying, moving, or deleting configuration files. Which component of Symantec Endpoint Protection will allow the IT administrator to prevent users from altering configuration files?

A. Privilege De-escalation
B. Proactive Threat Detection
C. Application Control
D. Host Integrity

Correct Answer: A

QUESTION 162
Which statement is true about the Database Backup and Restore utility?

A. It backs up and restores only an embedded database.
B. It allows an administrator to pause and resume backups.
C. It saves database backups to the local computer.
D. It backs up and restores the certificate keystore.

Correct Answer: B

QUESTION 163
How many Symantec Endpoint Protection Managers can connect to an embedded database?

A. one
B. two
C. four
D. unlimited

Correct Answer: C

QUESTION 164
All email Auto-Protect options are disabled, and an administrator receives an email from an associate with a .zip file attached. There are three files in the .zip file that are needed for the administrator's presentation the next day. What neither of them realizes is that one of the files is infected with a virus. When will File System Auto-Protect detect this infected file?

A. when the email is opened
B. when the .zip file is opened
C. when the .zip file is saved to the administrator's desktop
D. when the email is closed

Correct Answer: D

QUESTION 165
A company wants its clients to use the Group Update Provider (GUP) that is closest to them, but is concerned about what happens if the GUP is unavailable or goes offline. Which two options could mitigate this issue? (Select two.)

A. Increase the maximum number of simultaneous downloads to clients.
B. Configure the Symantec Endpoint Protection Manager failover options.
C. Configure GUP roaming in the external communications settings.
D. Configure a failover GUP in the multiple GUP options.
E. Configure the maximum bandwidth allocated to a GUP.

Correct Answer: BD

QUESTION 166
An administrator wants to ensure that all clients consider the content from the website www.symantec.com as safe. Where can the administrator configure this?

A. Exception policy
B. External Communication Settings
C. Security Settings
D. Browser Intrusion Prevention excluded domains

Correct Answer: A

QUESTION 167
By default, the Client User Interface control is set to Server Control. Which two actions will the user who is logged in as a Windows administrator be able to perform? (Select two.)

A. Change Virus and Spyware Protection settings.
B. Edit firewall rules below the blue line.
C. Change between Push and Pull mode.
D. Disable Tamper Protection.
E. Edit the Intrusion Prevention policy.

Correct Answer: AD

Exam B

QUESTION 1
Which Symantec Endpoint Protection 12.1 protection technology provides the primary protection layers against zero-day network attacks?

A. SONAR
B. Client Firewall
C. Intrusion Prevention
D. System Lockdown

Answer: C

QUESTION 2
According to Symantec, what is a botnet?

A. systems infected with the same virus strain
B. groups of systems performing remote tasks without the users' knowledge
C. groups of computers configured to steal credit card records
D. compromised systems opening communication to an IRC channel

Answer: B

QUESTION 3
A financial company has a security policy that prevents banking system workstations from connecting to the internet. Which Symantec Endpoint Protection 12.1 protection technology will be prevented from working on the company's workstations?

A. Insight
B. Application and Device Control
C. Network Threat Protection
D. LiveUpdate

Answer: A

"Pass Any Exam. Any Time." - www.actualtests.com 2

QUESTION 4
In addition to performance improvements, which two benefits does Insight provide? (Select two.)

A. reputation scoring for documents
B. zero-day threat detection
C. protection against system file modifications
D. false positive mitigation
E. blocking of malicious websites

Answer: BD

QUESTION 5
How does the Intrusion Prevention System add an additional layer of protection to Network Threat Protection?

A. It inspects the TCP packet headers and tracks the sequence number.
B. It performs deep packet inspection, reading the packet headers, and data portion.
C. It examines TCP/IP traffic from the application and traces the source of the traffic.
D. It monitors IP datagrams for abnormalities.

Answer: B

QUESTION 6
The fake antivirus family "PC scout" infects systems with a similar method regardless of its variant. Which SONAR sub-feature can block new variants of the same family, based on sequence of events?

A. artificial intelligence
B. behavioral heuristic
C. human authored signatures
D. behavioral policy lockdown

Answer: C

QUESTION 7
Drive-by downloads are a common vector of infections. Some of these attacks use encryption to bypass traditional defense mechanisms. Which Symantec Endpoint Protection 12.1 protection technology blocks such obfuscated attacks?

A. SONAR
B. Bloodhound heuristic virus detection
C. Client Firewall
D. Browser Intrusion Prevention

Answer: D

QUESTION 8
Which Symantec Endpoint Protection 12.1 defense mechanism provides protection against worms like W32.Silly.FDC, which propagate from system to system through the use of autorun.inf files?

A. Application Control
B. SONAR
C. Client Firewall
D. Exceptions

Answer: A

QUESTION 9
A company is experiencing a malware outbreak. The company deploys Symantec Endpoint Protection 12.1, with only Virus and Spyware Protection, Application and Device Control, and Intrusion Prevention technologies. Why would Intrusion Prevention be unable to block all communications from an attacking host?

A. Intrusion Prevention needs the firewall component to block all traffic from the attacking host.
B. Intrusion Prevention blocks the attack only if the administrator wrote a signature for it.
C. Intrusion Prevention definitions are out-of-date.
D. Intrusion Prevention is set to log only.

Answer: A

QUESTION 10
Which Symantec Endpoint Protection 12.1 component uses reputation to evaluate a file?

A. Shared Insight Cache server
B. Symantec Endpoint Protection client
C. Symantec Endpoint Protection Manager
D. LiveUpdate Administrator server

Answer: B

QUESTION 11
Which Symantec Endpoint Protection 12.1 component provides services to improve the performance of virtual client scanning?

A. Shared Insight Cache server
B. LiveUpdate Administrator server
C. Symantec Protection Center
D. Group Update Provider

Answer: A

QUESTION 12
How many Symantec Endpoint Protection Managers can be connected to an embedded database?

A. 1
B. 2
C. 5
D. 10

Answer: A

QUESTION 13
Which component is required in order to run Symantec Endpoint Protection 12.1 protection technologies?

A. Symantec Endpoint Protection Manager
B. Symantec Endpoint Protection client
C. LiveUpdate Administrator server
D. Symantec Protection Center

Answer: B

QUESTION 14
Which Symantec Endpoint Protection 12.1 component provides single-sign-on to the Symantec Endpoint Protection Manager and other products, along with cross-product reporting?

A. Symantec Reporting server
B. Symantec Security Information Manager
C. IT Analytics
D. Symantec Protection Center

Answer: D

QUESTION 15
Which Symantec Endpoint Protection 12.1 component uses Sybase SQL Anywhere?

A. Symantec Endpoint Protection Manager embedded database
B. Symantec Endpoint Protection Manager remote database
C. LiveUpdate Administrator server
D. Shared Insight Cache server

Answer: A

QUESTION 16
Which Symantec Endpoint Protection 12.1 component improves performance because known good files are skipped?

A. LiveUpdate Administrator server
B. Group Update Provider
C. Shared Insight Cache server
D. Central Quarantine server

Answer: C

QUESTION 17
How can an administrator manage multiple, independent companies from one database while maintaining independent groups, computers, and policies?

A. Set up limited administrators with appropriate rights.
B. Set up separate domains.
C. Set up additional sites using a single database.
D. Set up separate locations and turn off inheritance.

Answer: B

QUESTION 18
A company with one site has a factory with computers in the manufacturing area. Both factory managers and operators need to log in to these shared computers. Different policies will be applied depending on whether the individual logging in to the machine is a manager or an operator. Which Symantec Endpoint Protection 12.1 feature provides this ability?

A. Computer mode
B. Active Directory synchronization
C. User mode
D. Console authentication

Answer: C

QUESTION 19
An administrator is logged in to the Symantec Endpoint Protection Manager (SEPM) console for a system named SEPM01. The groups and policies that were previously in the SEPM01 console are unavailable and have been replaced with unfamiliar groups and policies. What was a possible reason for this change?

A. The administrator was modified from using Computer mode to User mode.
B. The administrator was logged in to the incorrect domain for SEPM01.
C. The administrator was changed from a limited administrator to a system administrator.
D. The administrator was using the Web console instead of the Java console.

Answer: B

QUESTION 20
Which two objects in the Symantec Endpoint Protection Manager console describe the most granular level to which a policy can be applied? (Select two.)

A. Site
B. Domain
C. Group
D. Location
E. Computer
F. User

Answer: CD

QUESTION 21
An administrator creates a new domain in the Symantec Endpoint Protection Manager console. How can the administrator copy policies from the old domain to the new domain?

A. Export the policy from the old domain and import it into the new domain.
B. Copy the policy in the old domain and paste the policy into the new domain.
C. Copy the old domain's policy XML file into the folder for the new domain.
D. Back up the old domain's database and restore it into the new domain.

Answer: A

QUESTION 22
A company plans to expand its Symantec Endpoint Protection 12.1 (SEP) infrastructure by creating a second site for use in replication. At a minimum, which two tasks need to be completed to create the second site? (Select two.)

A. A new Symantec Endpoint Protection Manager needs to be installed.
B. A new SEP domain needs to be created.
C. A new SEP database needs to be created.
D. An SEP administrator needs to be given replication rights.
E. A new SEP location needs to be created.

Answer: AC

QUESTION 23
A company is transitioning from using policies based on the individual that logs in to the client machine to policies based only on the client machine. Which Symantec Endpoint Protection 12.1 change will the organization need to perform?

A. Move from User mode to Computer mode.
B. Move from Computer mode to User mode.
C. Use groups synchronized from Active Directory.
D. Use groups created manually.
E. Turn on location awareness.

Answer: A

QUESTION 24
A company has a single datacenter at its main office and 10 branch offices with 100 computers in each office. The branch offices are connected to the datacenter with a 56k network link. The customer wants the Symantec Endpoint Protection Manager (SEPM) to be installed in the datacenter. What can be done at the branch offices to reduce the bandwidth caused by definition updates from the Symantec Endpoint Protection clients at each branch office?

A. Enable a Group Update Provider at each branch office.
B. Reduce the number of virus definitions cached on each client.
C. Place a SEPM database in each branch office.
D. Use the Shared Insight Cache server in each branch office.

Answer: A

QUESTION 25
A LiveUpdate policy allows for configuring single Group Update Providers (GUPs) or multiple GUPs from a list. What is a limitation when using multiple GUPs?

A. Less content can be cached.
B. They can only communicate with clients in the same Windows domain.
C. They can only communicate with clients in the same local subnet.
D. Fewer clients can be communicated with.

Answer: C

QUESTION 26
A company recently purchased the Symantec Endpoint Protection 12.1 (SEP) product. It has two datacenters and wants to configure SEP for high availability, so that if one datacenter goes down, the SEP clients can smoothly fail over to the other datacenter. What should be done to allow SEP clients to fail over from one datacenter to the next?

A. Install a Group Update Provider at each datacenter and configure replication.
B. Install a Symantec Protection Center at each datacenter and configure replication.
C. Install a Symantec Endpoint Protection Manager at each datacenter and configure replication.
D. Install a Symantec Site Server at each datacenter and configure replication.

Answer: C

QUESTION 27
Refer to the exhibit.

A branch office needs to forward logs to the headquarters. The administrator is configuring the site Branch A. Which setting should be enabled to achieve this?

A. Replicate the log from the local site to this partner site.
B. Replicate the log from this partner site to the local site.
C. Auto Replicate.

Answer: A

QUESTION 28
A company has multiple offices and is unsure whether to use the Symantec Endpoint Protection Manager (SEPM) or the Group Update Provider (GUP) at the offices. When should the company use the SEPM rather than the GUP?

A. when the site has a local Windows server
B. when the site has a large number of clients
C. when the site has a low bandwidth network connection
D. when the site has more than one subnet

Answer: B

QUESTION 29
A new installation of the Symantec Endpoint Protection 12.1 (SEP) is running on a trial license. For how long can managed SEP clients receive updates?

A. 30 days
B. 60 days
C. 90 days
D. 120 days

Answer: B

QUESTION 30
Which two Symantec Endpoint Protection 12.1 (SEP) standalone tools are available for malware scanning and remediation? (Select two.)

A. Symantec Power Eraser
B. Symantec Endpoint Recovery Tool
C. Symantec Offline Image Scanner
D. Symantec Protection Center
E. CleanWipe

Answer: AB

QUESTION 31
For replication, Symantec recommends that the number of sites be kept to five for optimum performance. What can be done to reduce the number of sites?

A. Replicate log data in both directions.
B. Limit the number of clients per manager.
C. Spread the clients over additional domains.
D. Add Group Update Providers for content distribution.

Answer: D

QUESTION 32
In Symantec Endpoint Protection 12.1 Enterprise Edition (SEP), what happens when the Soft Enforcement license expires?

A. LiveUpdate stops.
B. Proactive Threat Protection is disabled.
C. SEP clients become unmanaged.
D. Content updates are allowed.

Answer: D

QUESTION 33
A company is currently testing Symantec Endpoint Protection 12.1 on 100 clients. The company has decided to deploy SEP to an additional 20,000 clients. They are concerned about the number of clients supported on a single Symantec Endpoint Protection Manager (SEPM). What should the company do to ensure that the SEPM can support the clients?

A. Configure the clients for Pull mode.
B. Decrease the heartbeat interval.
C. Switch to HTTPS for client communications.
D. Switch to IIS as the web server.

Answer: A

QUESTION 34
An administrator gets a browser certificate warning when accessing the Symantec Endpoint Protection Manager (SEPM) Web console. Where can the administrator obtain a self-signed certificate to prevent this warning from appearing?

A. SEPM console Licenses section
B. Symantec Protection Center
C. SEPM Web Access
D. Symantec Support

Answer: C

QUESTION 35
An administrator installed Symantec Endpoint Protection 12.1 (SEP) in the environment. However, the administrator wants to use secure communication and SSL authentication between clients and the Symantec Endpoint Protection Manager (SEPM). How should the administrator proceed?

A. Configure and apply certificate in IIS on SEPM.
B. Configure SSL in the Apache Tomcat Web Server.
C. Edit http.conf.properties and change the port to 443.
D. Use public and private key configuration on SEPM 12.1.

Answer: B

QUESTION 36
Refer to the exhibit.

Inheritance is turned on only for groups England, Sales, Laptops, and Manchester (highlighted). Without turning inheritance off, which top level group must be modified to affect users in the Laptop group?

A. My Company
B. England
C. London
D. Sales

Answer: C

QUESTION 37
A client is unable to communicate with the Symantec Endpoint Protection Manager (SEPM) Server. The administrator decides to replace the Sylink.xml file on the client using the SylinkDrop tool. Which two additional tasks can be accomplished by replacing the Sylink.xml file? (Select two.)

A. Convert an unmanaged client to a managed client.
B. Migrate the SEPM servers to a new domain.
C. Enable remote troubleshooting for administrators.
D. Update Symantec Endpoint Protection client to the latest eraser engine.
E. Migrate or move clients to a new domain or management server.

Answer: AE

QUESTION 38
A manufacturing company runs three shifts. Employees at the facility must share computers. The administrators need to apply different policies/configurations for each shift. The administrator will need to switch the clients to User mode. Which two additional configuration changes need to be made to allow policies to be applied to each shift? (Select two.)

A. Create one group for all computers on each shift.
B. Create one group for all users on each shift.
C. Turn on inheritance for all groups.
D. Turn on inheritance for all users.
E. Turn off inheritance for each user group created.
F. Turn off inheritance for each computer group created.

Answer: BE

QUESTION 39
An administrator makes a change in the Active Directory structure which has been imported into the Symantec Endpoint Protection Manager (SEPM). By default, when will the change automatically be reflected in the SEPM?

A. as soon as the change is made in Active Directory
B. maximum 1 hour
C. maximum 4 hours
D. maximum 24 hours

Answer: D

QUESTION 40
A Symantec Endpoint Protection Manager (SEPM) administrator is importing from an Active Directory environment. The administrator needs to know which object types are being imported. Which two object types are imported into the SEPM from Active Directory? (Select two.)

A. policy
B. users
C. computers
D. services
E. groups

Answer: BC

QUESTION 41
When can an administrator delete a location?

A. when location awareness has been turned off
B. when the group has inheritance turned off
C. when all clients are moved from the group
D. when the policy has been withdrawn

Answer: B

QUESTION 42
A large oil company has a small exploration department that is remotely located and rarely has internet connectivity. Which client type would allow the exploration department to configure their own security policies?

A. Mixed-mode client
B. User-mode client
C. Managed client
D. Unmanaged client

Answer: D

QUESTION 43
A large software company has a small engineering department that is remotely located over a slow WAN connection. Which method will deploy the Symantec Endpoint Protection 12.1 (SEP) clients to the remote site using the smallest amount of network bandwidth?

A. Deploy the SEP clients using basic content.
B. Deploy the clients using the Push Install Wizard.
C. Install a Group Update Provider on a remote computer and then install the remote SEP clients.
D. Install a Group Update Provider on a local computer and then install the remote SEP clients.

Answer: A

QUESTION 44
An administrator created a Symantec Endpoint Protection 12.1 (SEP) installation package without specifying the group to which the SEP clients should belong. What will happen when the administrator tries to install a SEP client using the installation package?

A. The SEP client installation will fail.
B. The SEP client will prompt the administrator to specify a group.
C. The Symantec Endpoint Protection Manager will prompt the administrator to specify a group.
D. The SEP client will be installed into a default group.

Answer: D

QUESTION 45
A Symantec Endpoint Protection 12.1 (SEP) administrator discovers that a firewall is blocking Windows file sharing. Which method can bypass the firewall and allow the SEP clients to be installed with a minimum amount of effort?

A. Remote Push
B. Web Link and Email
C. Create Pull Mode client
D. Administrative share (C$) deployment

Answer: B

QUESTION 46
A Symantec Endpoint Protection 12.1 (SEP) administrator deployed SEP clients, but the SEP clients are failing to register with the Symantec Endpoint Protection Manager (SEPM). Which solution would allow the clients to register with the SEPM?

A. Disable the firewall on the SEP client.
B. Allow port 8014 through the network firewall between the SEPM and the client.
C. Modify the network firewalls so that stateful packet inspection is performed.
D. Open the ephemeral TCP ports on the SEP client firewall.

Answer: B

QUESTION 47
A Symantec Endpoint Protection 12.1 (SEP) administrator suspects that newly arrived computers are infected with a virus. Which steps should the administrator take when installing the SEP client on the new computers?

A. Choose the Evaluate before installation SEP client feature set.
B. Install an unmanaged client first, then install a managed client after the virus is removed.
C. Install Norton Removal Tool, then install the SEP client.
D. Run Power Eraser, then install the SEP client.

Answer: D

QUESTION 48
An administrator wants to deploy the Symantec Endpoint Protection 12.1 (SEP) client to computers that are lacking the Symantec Endpoint Protection client. Which tool should the administrator use to discover and deploy the SEP client to the computers?

A. Unmanaged Detector
B. Client Deployment Wizard
C. Symantec Endpoint Recovery Tool
D. Symantec Endpoint Discovery Tool

Answer: B

QUESTION 49
A Symantec Endpoint Protection 12.1 (SEP) administrator is remotely deploying SEP clients, but the clients are failing to install on Windows XP. Which two could be preventing installation? (Select two.)

A. Clients are members of a Windows domain and have Windows firewall enabled.
B. Clients are members of a Windows domain and have Windows firewall disabled.
C. Clients are members of a workgroup and simple file sharing is disabled.
D. Clients are members of a workgroup and simple file sharing is enabled.
E. Clients are members of a Windows domain and have a DHCP address.

Answer: AD

QUESTION 50
Which Symantec Endpoint Protection client component must be installed to enable Unmanaged Detector mode?

A. Virus and Spyware Protection
B. SONAR
C. Network Threat Protection
D. Network Access Control

Answer: C

QUESTION 51
In which client management log can an administrator identify when the client last connected to the Symantec Endpoint Protection Manager?

A. Compliance
B. Audit
C. System
D. Event

Answer: C

QUESTION 52
Which command line syntax invokes the Symantec Endpoint Protection Client Service to determine whether a more recent copy of the configuration file is available on the management server?

A. smc -getconfig
B. smc -getsylink
C. smc -update
D. smc -updateconfig

Answer: D

QUESTION 53
Immediately after installation, what does a managed client do to contact the Symantec Endpoint Protection Manager (SEPM)?

A. Initiate communication on port 80.
B. Initiate communication on port 8014.
C. Initiate communication on port 8445.
D. Wait for the SEPM if in Push mode.

Answer: B

QUESTION 54
Refer to the exhibit.

The status of two clients on the Symantec Endpoint Protection Manager is provided in the exhibit. They indicate that the clients are "Offline". What does the Offline status indicate?

A. Live Update is not running on clients.
B. Antivirus is disabled in clients.
C. There are communications issues with clients.
D. Installation was unsuccessful on clients.

Answer: C

QUESTION 55
Refer to the exhibit.

What does the symbol to the left of the system name, SEPMGR12, indicate?

A. The firewall is enabled.
B. The Symantec Endpoint Protection Manager is running.
C. The system is online.
D. The Unmanaged Detector is enabled.

Answer: D

QUESTION 56
Some customers report that when they run the command "smc -stop" on their clients, they are unable to connect to network resources. What is wrong?

A. The customers need to enable the Smart DHCP option in their firewall policy.
B. The security option "Block all traffic until the firewall starts and after the firewall stops" is enabled.
C. A location awareness policy has been configured that applies when the service is stopped.
D. The network card is blocked by a Device Control policy.

Answer: B

QUESTION 57
A company successfully deploys Symantec Endpoint Protection 12.1 to its clients. However, when the company deploys the client to the servers, the servers immediately reboot. The company needs to prevent the servers from rebooting during normal business hours. What is wrong?

A. The "Hard restart" option is enabled in the Restart Settings tab.
B. The "Restart immediately if the user is not logged in" option is enabled.
C. A previous version of the client was installed.
D. There is "No prompt" configured on the Restart Settings tab.

Answer: B

QUESTION 58
A company has three groups of clients: Laptops, Desktops, and Servers. Administrators must have the ability to perform manual scans for these clients from the Symantec Endpoint Protection Manager. In addition, the manual scans need to be customized according to the different clients, for example by customizing whether memory is scanned and which folder locations are scanned. How can the environment be configured to provide this ability while minimizing management overhead?

A. Configure one Virus and Spyware Protection policy with a customized On-Demand scan and set different Exception policies for each group.
B. Configure one Virus and Spyware Protection policy with three customized On-Demand scans.
C. Configure one Virus and Spyware Protection policy with three customized Scheduled scans and setting the schedule to Manual.
D. Configure a different Virus and Spyware Protection policy for each group with customized On-Demand scans.

Answer: D

QUESTION 59
A Symantec Endpoint Protection 12.1 group has two defined locations based on whether clients are attached to the local network or are remote. The local network location has an administrator-defined scan scheduled to begin each Monday at 09:00. The remote location has an administrator-defined scan scheduled to begin each Wednesday night at 21:00. All systems are used daily and remain powered on all night. Some users in the group have laptops, while the other users have standard desktops. Assuming the laptops are taken home and used each night, what is the effect?

A. All clients will run scans only on Monday.
B. All clients will run scans both on Monday and Wednesday.
C. The laptops will run scans only on Wednesday, while the desktops will run scans only on Monday.
D. The laptops will run scans both the Monday and Wednesday, while the desktops will run scans only on Monday.

Answer: D

QUESTION 60
Which two actions can a user take during an in-progress scheduled scan? (Select two.)

A. disable
B. stop
C. pause
D. skip
E. reschedule

Answer: BC

QUESTION 61
A user added a daily 10:00 scheduled scan to their Symantec Endpoint Protection 12.1 client. After reviewing the logs, the user confirms that the scan failed to start at 10:00. Why did the scan fail to start?

A. Tuning Options were set for best application performance.
B. "Delay scheduled scans when running on battery" was enabled.
C. Scan Progress options were set to "Do not show progress".
D. The Windows scheduler service was disabled.

Answer: B

QUESTION 62
A Symantec Endpoint Protection 12.1 client is running a user-defined scan when a scheduled, administrator-defined scan is scheduled to launch. What is the effect on the client?

A. The user-defined scan will be paused in order to launch the administrator-defined scan.
B. The administrator-defined scan will launch after the user-defined scan completes.
C. The user-defined scan will be canceled in order to launch the administrator-defined scan.
D. The administrator-defined scan will be skipped and the user-defined scan will continue.

Answer: B

QUESTION 63
Which protection technology assists in protecting documents in real-time when accessed or modified?

A. SONAR
B. Reputation Scans
C. Auto-Protect
D. Scheduled Scans

Answer: C

QUESTION 64
A Symantec Endpoint Protection 12.1 administrator has the Virus and Spyware Protection policy configured with Auto-Protect enabled. The administrator is confronted with computer performance issues. Which two options can the administrator use to improve performance? (Select two.)

A. Enable the option to Trust Files on Remote Computers Running Auto-Protect.
B. Enable the Risk Tracer option.
C. Edit the autoprotect.xml and increase the cache value.
D. Enable the option of Network Cache.
E. Enable the Preserve File Times option.

Answer: AD

QUESTION 65
An administrator is modifying a Virus and Spyware Protection policy for a Symantec Endpoint Protection 12.1 (SEP) client because it is demonstrating poor boot performance. Which option should the administrator consider to alleviate this problem?

A. Ensure that Risk Tracer is disabled.
B. Load Auto-Protect during the startup of SEP.
C. Enable File Cache across reboots.
D. Modify the policy to use Insight Cache.

Answer: B

QUESTION 66
Which technology uses heuristics to scan outbound email?

A. Internet Email Auto-Protect
B. Microsoft Outlook Auto-Protect
C. Lotus Notes Auto-Protect
D. SONAR

Answer: A

QUESTION 67
Which type of email does Internet Email Auto-Protect support?

A. IMAP based email
B. HTTP/s based email
C. SMTP based email
D. Outlook Web Access (OWA)

Answer: C

QUESTION 68
Refer to the exhibit.

In the use case displayed in the exhibit, why is the administrator unable to save the changes to this file?

A. Application Control is preventing Notepad from accessing the host file.
B. SONAR is set to block host file modifications.
C. Tamper Protection is enabled.
D. The Auto-Protect feature detected a malicious activity.

Answer: B

QUESTION 69
What could be an adverse effect of activating aggressive mode on the SONAR policy?

A. false negatives
B. false positives
C. performance issues
D. higher rejection rate

Answer: B

QUESTION 70
Which two options are available when configuring high risk detection in SONAR? (Select two.)

A. Block
B. Skip
C. Quarantine
D. Log
E. Delete

Answer: CD

QUESTION 71
Acrobat Reader is being targeted by a threat using process injection. Which feature of SONAR is sandboxing Acroread32.exe so that the threat is prevented from dropping its payload?

A. Commercial Application Detection
B. Suspicious Behavior Detection
C. System Change Events
D. Signature Based Detection

Answer: B

QUESTION 72
Which two options are available when configuring DNS change detected for SONAR? (Select two.)

A. Block
B. Skip
C. Quarantine
D. Log
E. Delete

Answer: AD

QUESTION 73
A company is building a new Symantec Endpoint Protection Manager and is setting the remediation actions for threats in the Virus and Spyware Protection policy. For security risks, the first action is set to Repair and the second action is Quarantine. In this environment, Symantec Endpoint Protection 12.1 (SEP) has been deployed to a small group of clients for testing. Which condition would cause Auto-Protect to stop sending notifications and stop logging the event after three detections?

A. A client continuously downloads the same security risk.
B. File System Auto Protect is malfunctioning on the SEP Client.
C. SEP services on the client are stopped.
D. SEP is unable to read virus definitions.

Answer: A

QUESTION 74
An administrator set the remediation options for Security Risks to the defaults (Quarantine, then Delete). However, the security team is the only team authorized to have Hack Tools on their systems. Which two steps must the administrator complete to accomplish this? (Select two.)

A. Create a specific group for Security Team.
B. Turn on inheritance for the Security Team group.
C. Assign a Virus and Spyware Protection policy with customized remediation options set.
D. Set a specific location for the My Company group.
E. Unlock the padlock in Auto-Protect for Remote Access.

Answer: AC

QUESTION 75
Where is a file encrypted and saved to when the "Backup files before attempting to repair them" setting is enabled?

A. the local Windows Temp (C:\Windows\Temp) directory
B. the local Quarantine folder
C. the FileBackup folder within the Application Data\Symantec directory
D. the local Symantec Endpoint Protection Temp folder

Answer: B

QUESTION 76
In which two situations would Symantec Endpoint Protection 12.1 (SEP) generate a Left Alone action? (Select two.)

A. Another scan is in progress.
B. The detected file is in use.
C. There are limited permissions to the file on the system.
D. The file is marked for deletion by Windows on reboot.
E. Virus definitions are corrupt or missing.

Answer: BC

QUESTION 77
A company is deploying Symantec Endpoint Protection 12.1 and configuring remediation options within the Virus and Spyware Protection policy. They are considering enabling "Terminate processes automatically" within the remediation options. If this feature is enabled, which two characteristics will the user see when the client must terminate a process to remove or repair a risk? (Select two.)

A. When this option is enabled, the client automatically takes the necessary action without notifying users.
B. When a restart is required, the machine automatically reboots and the user is unable to opt out of the restart.
C. When this option is enabled, the client notifies the user of ending processes to mitigate the threat.
D. When this option is enabled, the client generates an entry in the Risk logs that a process was terminated automatically.
E. When a restart is required, the user is allowed to save data and close open applications or to opt out of the restart.

Answer: AE

QUESTION 78
An administrator is reviewing risk logs in the Symantec Endpoint Protection Manager (SEPM) and notices that some entries list that the "Risk was partially removed". The administrator wants to determine whether additional steps are necessary to remediate the threat. How should the administrator proceed?

A. Review the threat writeup and run a full system scan on the machine.
B. Perform a repair of the Symantec Endpoint Protection install on the machine.
C. Submit infected file to Security Response to see if it is a new variant.
D. Change remediation actions in the Virus and Spyware Protection policy in the SEPM.

Answer: A

QUESTION 79
A clean file in a proprietary application has been quarantined by SONAR. How can an administrator fix the broken application from the Symantec Endpoint Protection Manager console?

A. Restore the application with the Client Deployment Wizard.
B. Allow the application from the Monitor Logs view.
C. Run the Enable Auto-Protect command on the client.
D. Run a new scan with a newer set of definitions.

Answer: B

QUESTION 80
Which Symantec Endpoint Protection 12.1 feature allows an administrator to prevent users from downloading files that are unsafe?

A. SONAR
B. Insight
C. Application Control
D. Trusted Web Domain exceptions

Answer: B

QUESTION 81
A company is concerned that its clients may be out-of-date and it wants to ensure that all running applications are protected with Symantec's latest definitions, even if they are unavailable on the Symantec Endpoint Protection 12.1 (SEP) client. How could the company configure SEP to achieve this goal?

A. Enable SONAR with High Risk detections set to Quarantine.
B. Enable Insight Lookup as part of a daily scheduled scan.
C. Enable Insight for Community and Symantec Trusted Files.
D. Enable and apply an Intrusion Prevention policy.

Answer: B

QUESTION 82
What is the likely impact of increasing the Download Insight sensitivity?

A. It would block files that trend towards a poor reputation and decrease false positives.
B. It would allow only files with a good reputation and decrease false positives.
C. It would allow only files that trend toward a good reputation and increases false positives.
D. It would block files that have a poor reputation and decrease false positives.

Answer: C

QUESTION 83
A customer is downloading newly-created company files from an internal website and is being blocked by Download Insight based on reputation. How can the customer prevent this?

A. Change the minimum number of days in the Download Insight settings.
B. Change the minimum number of users in the Download Insight settings.
C. Increase the sensitivity slider in the Download Insight settings.
D. Enable the option to trust files downloaded from an intranet website in the Download Insight settings.

Answer: D

QUESTION 84
An administrator wants to make sure users are warned when they decide to download potentially malicious files. Which option should the administrator configure?

A. the Notifications tab under the admin-defined scan settings
B. the Notifications tab under Auto-Protect settings
C. the Network Protection Security event notification in location-specific settings
D. the Notifications tab under Download Insight settings

Answer: D

QUESTION 85
Refer to the exhibit.

A user runs a full scan on a system and is confused by the "Files trusted" count. Which option will result in the files being left unscanned?

A. Enabling the "Only when files are executed" setting in the Virus and Spyware Protection policy.
B. Enabling the "Do not scan files when trusted processes access the files" setting in the Virus and Spyware Protection policy.
C. Enabling Insight in the Virus and Spyware Protection policy.
D. Enabling the file cache settings in the Virus and Spyware Protection policy.

Answer: C

QUESTION 86
A customer reports that users are able to download new files from the internet and execute those files on their own computers. What can be configured to prevent this?

A. Decrease the Download Insight sensitivity.
B. Change the action for unproven files in Download Insight.
C. Change the second action for malicious files in Download Insight.
D. Change the first action for malicious files in Download Insight.

Answer: B

QUESTION 87
A computer is configured in Mixed Control mode. The administrator creates and applies a Firewall policy to the computer that has a rule that allows FTP traffic above the blue line and another rule that blocks LDAP traffic below the blue line. On the computer, local rules are created to allow LDAP traffic and block FTP traffic. Which traffic flow behavior should be expected on the local computer?

A. Both FTP and LDAP traffic are allowed.
B. Both FTP and LDAP traffic are blocked.
C. FTP is blocked and LDAP is allowed.
D. FTP is allowed and LDAP is blocked.

Answer: A

QUESTION 88
Refer to the exhibit.

A company has created a specific firewall policy that allows only certain traffic. Which traffic is allowed in the firewall policy displayed in the exhibit?

A. traffic on port 23 from Telnet (telnet.exe)
B. traffic on port 25 from Outlook (outlook.exe)
C. traffic on port 110 from Outlook (outlook.exe)
D. traffic on port 80 from Internet Explorer (iexplore.exe)
E. traffic on port 443 from Internet Explorer (iexplore.exe)

Answer: D

QUESTION 89
A company is running the Symantec Endpoint Protection 12.1 firewall and wants to ensure that DNS traffic is allowed. Which feature should be enabled in the firewall policy?

A. DNS exception
B. DNS Lookup
C. Reverse DNS Lookup
D. Smart DNS

Answer: D

QUESTION 90
A system administrator created a firewall policy that allows certain applications and blocks others. However, some applications are being blocked that should be allowed. Which log should be viewed to troubleshoot this issue?

A. Application log
B. System log
C. Traffic log
D. Control log

Answer: C

QUESTION 91
An administrator has defined a rule to allow traffic to and from a specific server by its Fully Qualified Domain Name (FQDN), because the server's IP address varies based on the office in which a client is located. The administrator attempts to verify the rule and finds that the traffic is being blocked. The logs list the IP address of the server instead of its FQDN. What does the administrator need to do within the firewall policy to allow the rule to work correctly?

A. Enable DNS lookup.
B. Enable reverse DNS lookup.
C. Disable Smart DNS.
D. Disable NetBIOS Protection.

Answer: B

QUESTION 92
A company is running the Symantec Endpoint Protection 12.1 firewall with the default policy. At the bottom of the ruleset, there is a rule called "Block all other IP traffic and log" which will block all IP traffic. A financial application is being blocked by this rule. What should be changed to allow the application without sacrificing security?

A. The existing rule should be changed.
B. A new rule should be created.
C. An existing rule should be deleted.
D. An existing rule needs to be reordered.

Answer: B

QUESTION 93
A company has a firewall policy with a rule that allows all applications on all ports. An administrator needs to modify the policy so that it allows Internet Explorer to communicate to any website, but only on port 80 and 443. In addition, the company only wants this modification to affect traffic from Internet Explorer. The administrator created a new rule at the top of the ruleset that allows Internet Explorer on port 80 and 443. Which step should the administrator take next?

A. Move the new rule below the Allow Applications rule.
B. Delete the Allow All Applications rule.
C. Modify the Allow All Applications rule to exclude Internet Explorer.
D. Create a new rule above the Allow All Applications rule to block Internet Explorer.

Answer: D

QUESTION 94
The Symantec Endpoint Protection 12.1 (SEP) client indicates that the Virus and Spyware Protection (AV) definitions are current, while the Intrusion Prevention System (IPS) signatures are one day older. How can an administrator determine whether this SEP client is up-to-date?

A. The administrator can tell the client is up-to-date because the AV definitions are the latest.
B. The administrator can tell the client is out-of-date because the IPS signatures are old.
C. The administrator needs to review the client Computer Status logs to determine whether the client is up-to-date.
D. The administrator needs to review the Symantec Security Response page to determine whether the client is up-to-date.

Answer: D

QUESTION 95
A company selected Opera 10 as its corporate browser. Drive-by downloads are occurring and SONAR intercepts the resulting scripts. How should the company proceed to minimize the occurrence of drive-by downloads?

A. Upgrade to Opera 11.
B. Use Internet Explorer or Firefox.
C. Enable browser protection.
D. Reboot the Symantec Endpoint Protection client.

Answer: B

QUESTION 96
Which Intrusion Prevention feature is updated automatically?

A. Intrusion Prevention custom signatures
B. SNORT syntax
C. Auto-Protect
D. Generic Exploit Blocking

Answer: D

QUESTION 97
An administrator needs to exclude some servers from an Intrusion Prevention System (IPS) policy. When specifying an excluded host in an IPS policy, which two methods can be used? (Select two.)

A. DNS host
B. IP address
C. MAC address
D. DNS domain
E. subnet

Answer: BE

QUESTION 98
An administrator needs to ensure that a specific network threat can be detected. The attack signatures for this threat may be found across multiple packets. What can the administrator do to ensure the best chance of detecting this threat?

A. Ensure that Symantec IPS signatures are updated.
B. Create custom IPS signatures.
C. Enable TCP resequencing.
D. Create a Firewall rule for this threat.

Answer: A

QUESTION 99
A company organizes its clients into two groups: the Symantec Endpoint Protection Manager (SEPM) group with all the SEPMs and a Desktops group with all other systems. An Application and Device Control policy is used with the "Block modifications to hosts file" rule set enabled. This policy is applied to all groups in the company. How can an administrator modify the hosts file on the SEPM systems, while minimizing risks posed to the company?

A. Withdraw the policy from all clients, modify the hosts files, and reassign the policy.
B. Withdraw the policy from the SEPM group, modify the hosts files, and reassign the policy.
C. Modify the hosts file using an operating system-based system account.
D. Temporarily disable Network Threat Protection on each client when modifying the hosts file.

Answer: B

QUESTION 100
An administrator needs to customize the Application and Device Control policy to exclude all USB devices except for a specific, company-issued USB thumb drive. Which function or program, provided with the Symantec Endpoint Protection 12.1 software, should the administrator use to customize the environment?

A. DevViewer.exe
B. Sep_SupportTool.exe
C. SOIS.exe
D. vietool.exe

Answer: A

QUESTION 101
Refer to the exhibit.

A USB mouse is plugged in to a system that uses the device control displayed in the exhibit. What is the expected behavior?

A. The mouse is blocked until the user adds the device as a local client exception.
B. The mouse is blocked until an administrator adds the device to the exception policy.
C. The mouse will work as normal because the Human Interface Device exclusion takes precedence.
D. The mouse will work as normal because Mouse devices are missing from Blocked Devices.

Answer: C

QUESTION 102
Refer to the exhibit.

A company is using a custom application that writes its application settings in the registry. An administrator plans to prevent users from modifying these values, while ensuring that the custom application still functions correctly. An Application and Device Control policy is created with an application rule to block access to create, delete, or write attempts, for the registry keys used by the custom application. One way to ensure users are prohibited from the registry keys, but the custom application can still modify them, is to add an Application Control exception for the custom application. What is another way to ensure this functionality?

A. Add an application rule to allow access to create, delete, or write attempts, to the custom application folder.
B. Add an application rule to allow access to read attempts for the registry keys.
C. Add an application rule set that allows access to read attempts for the registry keys.
D. Add an application rule to allow access to create, delete, or write attempts for the custom application.

Answer: D

QUESTION 103
A company needs to prevent users from modifying files in a specific program folder that is on all client machines. What needs to be configured?

A. a file and folder exception in the Exception policy
B. an application rule set in the Application and Device Control policy
C. a file fingerprint list and System Lockdown
D. a custom IPS signature in the Intrusion Prevention policy

Answer: B

QUESTION 104
An administrator is testing a new Application and Device Control policy. One of the rule sets being tested blocks the notepad.exe application from running. After pushing the policy to a test client, the administrator finds that notepad.exe is still able to run. The administrator verifies that the rule set is enabled in the Application and Device Control policy. Which two may be preventing the policy from performing the application blocking? (Select two.)

A. An Application exception has been configured in the Exceptions policy.
B. System Lockdown has been configured for the client.
C. Network Threat Protection needs to be installed on the client.
D. The rule set is in the "Test (log only)" mode.
E. A rule set with conflicting rules exists higher up in the policy.

Answer: DE

QUESTION 105
An administrator enabled the default application control rule "Block writing to USB Drives", but needs to modify it so that clients can write to a specific make and model of company-authorized, encrypted USB drive. How should the administrator proceed?

A. Edit the rule set and add the device ID to the exceptions.
B. Edit the rule set and add a condition after the block condition to allow access to the specific device.
C. Edit the rule set and add a rule after the block rule to allow access to the specific device.
D. Using DevViewer, plug the device into the Symantec Endpoint Protection Manager and select "Add Device to Manager".

Answer: A

QUESTION 106
An administrator enables the "Learn applications that run on the client computers" setting for a group of clients. Later, when using the Search for Applications function, the administrator is unable to find results. What is the cause of the problem?

A. The administrator is a limited administrator without rights to view reports.
B. Application learning is disabled under communication settings at the site level.
C. Submissions are disabled on the Symantec Endpoint Protection client by the user.
D. Pull mode is enabled and is unsupported by application learning.

Answer: B

QUESTION 107
A company creates free web access computers for use in public areas, such as airports. The software provided on the computers will be static and the systems must be secure. What should be used to restrict unauthorized applications from running on these computers?

A. client security settings and Tamper Protection
B. blocked devices in an Application and Device Control policy
C. file fingerprint list and System Lockdown
D. custom IPS signatures in an Intrusion Prevention policy

Answer: C

QUESTION 108
What is a benefit of enabling Browser Intrusion Prevention?

A. It uses a reputation and cloud-based technology to monitor and identify attacks on Internet Explorer and Firefox.
B. It sends traffic results to a dedicated Symantec server to determine whether the traffic is legitimate.
C. It monitors traffic on supported browsers by using attack signatures and heuristics.
D. It improves performance by allowing clients to share Intrusion Prevention scan results.

Answer: C

QUESTION 109
Company A acquires Company B. Company B has 200 employees. Multiple firewall rules, based on collections of client addresses, are required to allow the new employees access to Company A's resources and permissions to use approved network applications. Which feature should be used to minimize the amount of time needed to create rules for these new clients?

A. Application rule sets
B. Host groups
C. Built-in rules
D. Network Services

Answer: B

QUESTION 110
Which two criteria can be used to determine hosts in a host group? (Select two.)

A. DNS domain
B. Subnet
C. Gateway address
D. WINS server
E. DHCP server

Answer: AB

QUESTION 111
Which two criteria can be used to determine hosts in a host group? (Select two.)

A. MAC address
B. registry key
C. management server connection
D. DNS host
E. network connection type

Answer: AD

QUESTION 112
According to Symantec best practices, which two tasks should be completed after creating file fingerprint lists, but prior to enabling System Lockdown? (Select two.)

A. Add any approved applications.
B. Move the Symantec Endpoint Protection Managers to a separate group.
C. Log unapproved applications.
D. Run the checksum.exe command on the clients.
E. Enable application learning.

Answer: AC

QUESTION 113
Which port is used by default for replication between sites?

A. 2967
B. 8014
C. 8443
D. 9090

Answer: C

QUESTION 114
A company has deployed Symantec Endpoint Protection 12.1 in their corporate environment using a multi-site design. If an administrator makes policy changes in the United States site, when will the changes appear in the European site?

A. after the next heartbeat
B. after the next replication interval
C. immediately
D. after the policy changes are saved

Answer: B

QUESTION 115
In a management server list, Symantec Endpoint Protection Manager (SEPM) A is added to Priority 1, and SEPM B is added to Priority 2. This setup will provide which service?

A. load balancing
B. replication
C. failover
D. clustering

Answer: C

QUESTION 116
Which two configuration elements are needed in order to add a replication partner? (Select two.)

A. SQL Server IP and sa password
B. administrator name and password
C. site-to-site VPN tunnel
D. replication server name and port
E. internet access

Answer: BD

QUESTION 117
Which two are optional when replicating between Symantec Endpoint Protection Managers? (Select two.)

A. groups
B. policies
C. logs
D. content
E. locations

Answer: CD

QUESTION 118
What is the default replication frequency when adding an additional site to a Symantec Endpoint Protection 12.1 deployment?

A. 1 hour
B. 8 hours
C. daily
D. Autoreplicate

Answer: C

QUESTION 119
Which step must be completed to set up two sites to replicate?

A. Add a new Management Server list with the replication partner added.
B. Launch the Replication Wizard from the Admin page and follow the prompts.
C. Install a SQL server on at least one site.
D. Install a Symantec Endpoint Protection Manager Server and database as a replication partner.

Answer: D

QUESTION 120
Which authentication method must be used to provide the ability to reset forgotten passwords?

A. RSA SecurID Authentication
B. Smart Card Authentication
C. Symantec Management Server Authentication
D. Directory Authentication

Answer: C

QUESTION 121
An employee is taking leave for four months and the employee's workstation will be powered off and locked in an office. Why does the workstation disappear from the Symantec Endpoint Protection Manager (SEPM) Reports and Client view after 30 days?

A. Administrators used the "reclaim license" option.
B. The SEPM purges offline clients after a set amount of time.
C. The SEPM quarantines offline clients after a set amount of time.
D. The SEPM purges clients with expired licenses.

Answer: B

QUESTION 122
How frequently does Symantec recommend that a Symantec Endpoint Protection Manager site check LiveUpdate for content updates?

A. every hour
B. every 4 hours
C. once a day
D. twice a day

Answer: B

QUESTION 123
Which two should be considered when enabling Application Learning in an environment? (Select two.)

A. Application Learning requires Virus and Spyware Protection.
B. Application Learning should be deployed on a small group of systems in the enterprise.
C. Application Learning can generate significant CPU or memory use on a Symantec Endpoint Protection Manager.
D. Application Learning can be used without using application-based firewall rules, Application Control rules, or Centralized Exceptions.
E. Application Learning is dependent on a properly configured firewall.

Answer: BC

QUESTION 124
Where are directory servers added before importing Organizational Units (OU) or adding administrators to the Symantec Endpoint Protection Manager?

A. Site properties
B. Server properties
C. localhost properties
D. Import Server properties

Answer: B

QUESTION 125
A company is setting up a new environment with three Symantec Endpoint Protection Managers (SEPM) and wants to set one SEPM to act as the primary reporting server. Where in the SEPM should the administrator configure the priority reporting server to be used for running scheduled reports and notifications?

A. Local Host properties
B. Local Site properties
C. Scheduled reports
D. Server properties

Answer: B

QUESTION 126
A company suffered a catastrophic hardware failure on the Symantec Endpoint Protection Manager (SEPM) which was using a remote Microsoft SQL Server. The administrator has all required backups. The administrator restores the hardware and the operating system with the required software (including SEPM). What is the next step in the recovery procedure?

A. Export the server certificate from the SEPM console.
B. Customize the SEPM configuration using the recovery file.
C. Restore the SQL database to realign with SEPM restore.
D. Replace the Sylink.xml using the SylinkDrop.exe.

Answer: B

QUESTION 127
An administrator is in the process of recovering from a disaster and needs the keystore password to update the certificate on the Symantec Endpoint Protection Manager (SEPM). From which two locations can the administrator obtain this information? (Select two.)

A. SEPM replication partners
B. original installation log
C. disaster recovery file
D. settings.properties file
E. Sylink.xml file from the SEPM

Answer: CD

QUESTION 128
An administrator notices that the Symantec Endpoint Protection Manager (SEPM) embedded database is growing large and is taking longer to back up than desired. How can backup performance of the database be improved?

A. Change the number of backups to keep.
B. Reduce the number of log entries under Log Settings.
C. Change the backup frequency from Weekly to Daily.
D. Configure incremental backups in the SEPM.

Answer: B

QUESTION 129
A Microsoft SQL Server containing a Symantec Endpoint Protection Manager (SEPM) database has encountered an unrecoverable hard drive failure. An administrator has rebuilt the Microsoft SQL Server and has confirmed that the SEPM can connect with the SQL Server. Which step should the administrator take next?

A. Select Rebuild Indexes from the SEPM console.
B. Launch Checksum.exe database integrity tool.
C. Use the Backup and Restore utility included with SEPM.
D. Select Truncate Transaction Logs from the SEPM.

Answer: C

QUESTION 130
Which operation can be performed using the Database Back Up and Restore utility found in the Windows Start menu?

A. on-demand backup of the database
B. scheduled monthly backup of the database
C. selection of the Symantec Endpoint Protection Manager to backup
D. selection of the backup location

Answer: A

QUESTION 131
A company suffered catastrophic hardware failure on the Symantec Endpoint Protection Manager (SEPM). The administrator restores the hardware and the operating system with the required software (including SEPM). The administrator then runs the SEPM Database Back Up and Restore utility. What is the most important consideration?

A. Ensure that the Microsoft SQL services are disabled on the server.
B. Ensure that the SEPM service is set to Manual and Running.
C. Ensure that the SEPM service is set to Automatic and Stopped.
D. Ensure that the embedded database service is set to Disabled and Stopped.

Answer: C

QUESTION 132
An administrator has installed Symantec Endpoint Protection 12.1 using an embedded database. Which two database maintenance tasks are available in the Symantec Endpoint Protection Manager console? (Select two.)

A. truncating database transaction logs
B. limiting the client installation log entries
C. rebuilding of database indexes
D. deleting clients who have not connected recently from the console
E. limiting the number of backups to keep

Answer: AC

QUESTION 133
An administrator is restoring a Microsoft SQL Symantec Endpoint Protection 12.1 database and installing a new Symantec Endpoint Protection Manager (SEPM). After completing the restore, the administrator notices that the clients are unable to connect to the SEPM. Which step did the administrator forget when performing the restore?

A. restoring the client certificate
B. restoring the server certificate
C. importing the previously backed up data
D. setting the SQL client folder

Answer: B

QUESTION 134
How can an administrator proactively obtain information about unknown devices on a network?

A. Use the Client Deployment Wizard feature to locate unmanaged endpoints.
B. Create an Unmanaged Computer notification.
C. Schedule an audit report to send to the administrator.
D. Run the Symantec Endpoint Discovery Tool.

Answer: B

QUESTION 135
A company is building a new Symantec Endpoint Protection Manager (SEPM) and building email notifications that will go to the security team. Which two notification conditions should the team implement into the SEPM? (Select two.)

A. Unknown User
B. Invalid Host Name
C. Risk Outbreak
D. Group Update Provider Failure
E. Authentication Failure

Answer: CE

QUESTION 136
An administrator needs to determine which versions of Symantec Endpoint Protection (SEP) are currently in the network. Which report provides this information?

A. Client Inventory report
B. Deployment report
C. SEP Product Versions report
D. Audit Inventory report

Answer: C


QUESTION 137
Which notification action can be performed when a security-related condition is met?

A. Send an SNMP trap.
B. Alert with a GUI popup on the admin console.
C. Run a batch file or another executable file.
D. Send an alert to a client.

Answer: C

QUESTION 138
An administrator needs to check when and by which account a policy was modified. Which log query should the administrator use?

A. Compliance
B. Audit
C. Access
D. System

Answer: B

QUESTION 139
Which Symantec Endpoint Protection Manager feature allows an administrator to view and modify commonly accessed reports?

A. Favorite Reports Display list on the Monitors page
B. Scheduled Reports in the Reports section
C. Favorite Reports Display list on the Home page
D. Summary Dropdown in the Monitors section

Answer: C


QUESTION 140
Which two options can administrators customize on the Home page? (Select two.)

A. auto-refresh rate
B. number of report
C. Favorite Reports
D. Common Tasks
E. types of endpoints listed

Answer: AC

QUESTION 141
Refer to the exhibit.

An administrator has configured the Symantec Endpoint Protection Manager (SEPM) to use Active Directory authentication. The administrator defines a new Symantec Endpoint Protection administrator named Sep_SysAdmin, configured to use Directory Authentication. Which password needs to be entered when the administrator logs in to the SEPM console as Sep_SysAdmin?

A. the password for the Active Directory user that was mapped with Sep_SysAdmin
B. the password for the user named Sep_SysAdmin that was created in SEPM
C. the password for the user named Sep_SysAdmin that was created in Active Directory
D. the password for the Administrator account in Active Directory

Answer: A

QUESTION 142
What are two default access rights for various types of Symantec Endpoint Protection Manager Administrator accounts? (Select two.)

A. A system administrator can view and modify the entire organization.
B. An administrator can view and modify all features in a single domain and can view reports in other domains.
C. A limited administrator can view the entire organization.
D. An administrator can view multiple domains.
E. An administrator can view and modify all features in a single domain.

Answer: AE

QUESTION 143
What are two responsibilities associated with the Limited Administrator account type in Symantec Endpoint Protection Manager? (Select two.)

A. view and manage console settings for domains
B. create and manage accounts in a single domain
C. create location specific policies
D. manage their own authentication type
E. remotely run commands on client computers

Answer: CE

QUESTION 144
An administrator defines the Active Directory settings in the Symantec Endpoint Protection Manager (SEPM). The administrator adds an account named Sep_SysAdmin in the SEPM. This account is configured to use Active Directory Authentication. Which two settings can the administrator configure for the Sep_SysAdmin account? (Select two.)

A. Password Never Expires
B. Test Account
C. Password Expires in x Days (where x is any number)
D. Check the Password Strength
E. Select the Directory Server

Answer: BE

QUESTION 145
Refer to the exhibit.

An administrator defines the Active Directory settings in the Symantec Endpoint Protection Manager as displayed in the exhibit. Which port number should be used for LDAP?

A. 389
B. 636
C. 637
D. 639

Answer: B

QUESTION 146
Which two can be used when defining location switching criteria for the Symantec Endpoint Protection 12.1 client? (Select two.)

A. NIC description
B. OS type
C. MAC address
D. WINS server
E. client version

Answer: AD

New Questions

QUESTION 147
When the Symantec Endpoint Protection 12.1 client firewall defends against a MAC spoof attack, what does it drop?

A. ICMP response
B. IP redirect
C. gratuitous ARP
D. TCP reset

Answer: D

QUESTION 148
Which technology does the Symantec Endpoint Protection Firewall use?

A. proxy inspection
B. packet filtering
C. stateful packet inspection
D. application gateway proxy

Answer: D

QUESTION 149
A large enterprise plans to deploy Symantec Endpoint Protection 12.1 (SEP) on 36,000 virtual endpoints distributed across 1,800 VMware ESX servers in a single datacenter. A system administrator needs to optimize endpoint scanning performance by enabling Shared Insight Cache (SIC) server functionality. Which two configuration changes should the administrator make to minimize the number of SIC servers that need to be deployed? (Select two.)

A. Perform regular scans of all virtual systems with the offline image scanner.
B. Enable scanning randomization across all SEP endpoints.
C. Enable virtual image exceptions across all SEP endpoints.
D. Disable Insight lookups for threat detection on each virtual SEP endpoint.
E. Enable download randomization across all SEP endpoints.

Answer: BC

QUESTION 150
An administrator enabled virtual image exceptions for Auto-Protect and Administrator-Defined scans on virtual machines. In order to protect against previously undetected threats, the administrator must regularly scan the static instance of the virtual machine image set which includes the files that have been whitelisted. In addition to cleaning the static image set, which additional step must the administrator complete if threats are discovered?

A. Select the threat in the log and add it as an exception.
B. Use the Symantec Offline Image Scanner (SOIS) on the static image.
C. Ensure that virtual client tagging is enabled.
D. Use the vietool to update the whitelist.

Answer: D

QUESTION 151
An administrator enabled virtual image exceptions for Auto-Protect and Administrator-Defined scans on virtual machines. In order to protect against previously undetected threats, the administrator must regularly scan the static instance of the virtual machine image set which includes the files that have been whitelisted. In addition to cleaning the static image set, which additional step must the administrator complete if threats are discovered?

A. Select the threat in the log and add it as an exception.
B. Use the Symantec Offline Image Scanner (SOIS) on the static image.
C. Ensure that virtual client tagging is enabled.
D. Use the vietool to update the whitelist.

Answer: D

QUESTION 152
Which statement describes a difference between Virtual Image Exceptions (VIE) and Shared Insight Cache (SIC)?

A. VIE tracks executable files, whereas SIC tracks all file types.
B. VIE data is stored on the local system, whereas SIC data is placed in a shared location.
C. SIC tracks whitelisted and malicious files, whereas VIE tracks only whitelisted files.
D. SIC can query Symantec Insight, whereas VIE is unable to make Symantec Insight queries.

Answer: B

QUESTION 153
Which feature can be configured to increase or decrease performance of scheduled scans?

A. scan frequency
B. CPU throttling
C. heartbeat interval
D. tuning options

Answer: A


QUESTION 154
A user is downloading a file from https://www.example.com to the local system. The user is able to download and save that file even though it is a known malicious application. Why is the user able to download the application?

A. A SONAR exception is in place.
B. An Application Control exception for the file is in place.
C. A Trusted Web Domain exception is in place.
D. Download Insight exceptions are disabled.

Answer: C

QUESTION 155
A managed Symantec Endpoint Protection 12.1 (SEP) client is in a group that has a Virus and Spyware Protection policy specifying that all files must be scanned. An Exceptions policy has been applied to the group by the SEP administrator. The Exceptions policy has an empty exclusions list. A local user of the client has added an Exception to exclude C:\temp. What will happen if a user attempts to download a file to the C:\temp folder?

A. The local exclusion will be ignored.
B. The user will be prompted to override the group's policy.
C. The local exclusion will allow malware.
D. The group's policy will negate the local exception.

Answer: C

QUESTION 156
In addition to adding exceptions directly into an Exceptions policy, what is another method of adding exceptions?

A. adding the exception to a policy from the Application Control log
B. importing the exception into a policy from the Notifications window
C. adding the application exception to a File Fingerprint list
D. adding the exception from the Threat report

Answer: A

QUESTION 157
An exception needs to be created for a file named "RunMe.exe" in a user's Windows 7 "My Documents" folder. The user's login name is Bob. Which method should be used?

A. Create a file exception for "RunMe.exe" with a Prefix Variable of [USERNAME].
B. Create a file exception for "C:\Users\Bob\My Documents\RunMe.exe".
C. Create a file exception for "*\RunMe.exe".
D. Create a file exception for %USERPROFILE%"\My Documents\RunMe.exe".

Answer: B

QUESTION 158
How can a Symantec Endpoint Protection 12.1 client on a Macintosh system get updates?

A. using a LiveUpdate server
B. via a Group Update Provider
C. from the Symantec Endpoint Protection Manager
D. using an .xdb file

Answer: A

QUESTION 159
What is the first step an administrator should take in order to run the Virtual Image Exception Tool when implementing a new Virtual Desktop Infrastructure?

A. Update virus definitions.
B. Install .Net 4.0 framework.
C. Run a full scan.
D. Install Symantec Endpoint Protection 12.1 client.

Answer: D

QUESTION 160
A large set of static PDF files stored on a single virtual client system, which is running on an ESX server, need to be scanned daily by a scheduled scan. Which two features should be employed to minimize performance impact on the client during scanning of these files? (Select two.)

A. Scanning Randomization
B. Virtual Image exceptions
C. Shared Insight Cache
D. Download Insight
E. Offline Image Scanner

Answer: BC

QUESTION 161
A company wants to reduce or eliminate the HelpDesk calls they receive due to end users modifying, moving, or deleting configuration files. Which component of Symantec Endpoint Protection will allow the IT administrator to prevent users from altering configuration files?

A. Privilege De-escalation
B. Proactive Threat Detection
C. Application Control
D. Host Integrity

Answer: A

QUESTION 162
Which statement is true about the Database Backup and Restore utility?

A. It backs up and restores only an embedded database.
B. It allows an administrator to pause and resume backups.
C. It saves database backups to the local computer.
D. It backs up and restores the certificate keystore.

Answer: B

QUESTION 163
How many Symantec Endpoint Protection Managers can connect to an embedded database?

A. one
B. two
C. four
D. unlimited

Answer: C

QUESTION 164
All email Auto-Protect options are disabled, and an administrator receives an email from an associate with a .zip file attached. There are three files in the .zip file that are needed for the administrator's presentation the next day. What neither of them realize is that one of the files is infected with a virus. When will File System Auto-Protect detect this infected file?

A. when the email is opened
B. when the .zip file is opened
C. when the .zip file is saved to the administrator's desktop
D. when the email is closed

Answer: D

QUESTION 165
A company wants its clients to use the Group Update Provider (GUP) that is closest to them, but is concerned about what happens if the GUP is unavailable or goes offline. Which two options could mitigate this issue? (Select two.)

A. Increase the maximum number of simultaneous downloads to clients.
B. Configure the Symantec Endpoint Protection Manager failover options.
C. Configure GUP roaming in the external communications settings.
D. Configure a failover GUP in the multiple GUP options.
E. Configure the maximum bandwidth allocated to a GUP.

Answer: BD

QUESTION 166
An administrator wants to ensure that all clients consider the content from the website www.symantec.com as safe. Where can the administrator configure this?

A. Exception policy
B. External Communication Settings
C. Security Settings
D. Browser Intrusion Prevention excluded domains

Answer: A

QUESTION 167
By default, the Client User Interface control is set to Server Control. Which two actions will the user who is logged in as a Windows administrator be able to perform? (Select two.)

A. Change Virus and Spyware Protection settings.
B. Edit firewall rules below the blue line.
C. Change between Push and Pull mode.
D. Disable Tamper Protection.
E. Edit the Intrusion Prevention policy.

Answer: AD
