Pass the Symantec Endpoint Security 250-580 Questions and answers with CertsForce

In Symantec Endpoint Protection (SEP) Application Control policies, applications are managed through lists: an Allowed list (applications approved for use) and a Blocked list (applications restricted or prohibited). When a user encounters an application that is not explicitly on either the Allowed or Blocked list, it falls into a neutral category.

For accessing this application, the typical process includes:

Requesting an Override:The user can initiate a request to temporarily or permanently allow access to the application. This process usually involves contacting the administrator or following a specified override protocol to gain necessary permissions.

Administrator Review:Upon receiving the override request, the administrator evaluates the application to ensure it aligns with organizational security policies and compliance standards.

Override Approval:If deemed safe, the application may be added to the Allowed list, granting the user access.

This request mechanism ensures that unlisted appli

Aranged queryin Symantec Endpoint Security returns or excludesdata that falls between two specified values for a given field. This type of query is beneficial for filtering data within specific numeric or date ranges. For instance:

Numeric Ranges:Ranged queries can be used to filter data based on a range of values, such as finding log entries with file sizes between certain values.

Date Ranges:Similarly, ranged queries can isolate data entries within a specific date range, which is useful for time-bound analysis.

This functionality allows for more targeted data retrieval, making it easier to analyze and report specific subsets of data.

To view all devices impacted by asuspicious file, the administrator should go to theDiscovered Items list, select the specific file, and then view the impacted devices from theDetails page.

Steps to View Impacted Devices:

Navigate to theDiscovered Items listwithin the management console.

Locate and select the suspicious file in question to open itsDetails page.

On the Details page, a list of devices associated with the file is displayed, providing insights into which endpoints are potentially impacted by the suspicious activity.

Why Other Options Are Less Suitable:

Options A and B do not provide the specific device list for a selected file.

Option D is incorrect as it implies selecting by device first rather than by suspicious file.

References: The Discovered Items list and file-specific Details page allow administrators to trace a file’s footprint across multiple devices​.

ThePush Discoveryprocess in Symantec Endpoint Protection requires theLocalAccountTokenFilterPolicyregistry value to be configured on Windows endpoints. This registry setting enables remote management and discovery operations by allowing administrator credentials to pass correctly when discovering and deploying SEP clients.

Purpose of LocalAccountTokenFilterPolicy:

By adding this value to the Windows registry, administrators ensure that SEP can discover endpoints on the network and initiate installations or other management tasks without being blocked by local account filtering.

How to Configure the Registry:

The administrator should addLocalAccountTokenFilterPolicyin the Windows Registry underHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System and set it to 1.

This configuration allows for remote actions essential forPush Discovery.

Reasoning Against Other Options:

Push EnrollmentandDevice Enrollmentare distinct processes and do not require this registry setting.

Auto Discoverypassively finds systems and does not rely on registry changes for remote access.

References: Configuring theLocalAccountTokenFilterPolicyregistry value is necessary for enabling remote management functions during the Push Discovery process in SEP​.

Symantec Endpoint Detection and Response (EDR) hunts and detects Indicators of Compromise (IoCs) bysearching the EDR database and other data sources directly. This direct search approach allows EDR to identify malicious patterns or artifacts that may signal a compromise.

How EDR Hunts IoCs:

By querying the EDR database along with data from connected sources, administrators can identify signs of potential compromise across the environment. This includes endpoint logs, network traffic, and historical data within the EDR platform.

The platform enables security teams to look for specific IoCs, such as file hashes, IP addresses, or registry modifications associated with known threats.

Why Other Options Are Less Suitable:

Viewing PowerShell processes (Option B) or detecting memory exploits with SEP (Option C) are specific techniques but do not represent the comprehensive IoC-hunting approach.

Detonating suspicious files in sandboxes (Option D) is more of a behavioral analysis method rather than direct IoC hunting.

References: Direct database and data source searches are core to EDR’s hunting capabilities, as outlined in Symantec’s EDR operational guidelines​.