EMT Practice Test

1. Question Content...


Question List

Question1: What are two supported Symantec Endpoint Protection Manager authentication types? (Select two.)

Question2: What is a function of the Symantec Endpoint Protection client?

Question3: Which step must be completed to set up two sites to replicate?

Question4: Which setting can an administrator configure in the LiveUpdate Policy?

Question5: A company allows users to create firewall rules. During the course of business, users are accidentally
adding rules that block a custom internal application.
Which steps should the Symantec Endpoint Protection administrator take to prevent users from blocking
the custom application?

Question6: Which protection engine should be enabled to drop malicious vulnerability scans against a client system?

Question7: A user added a daily 10:00 scheduled scan to their Symantec Endpoint Protection 12.1 client. After
reviewing the logs, the user confirms that the scan failed to start at 10:00. Why did the scan fail to start?

Question8: A Symantec Endpoint Protection 12.1 (SEP) administrator suspects that newly arrived computers are
infected with a virus. Which steps should the administrator take when installing the SEP client on the new
computers?

Question9: An employee is taking leave for four months and the employee's workstation will be powered off and
locked in an office. Why does the workstation disappear from the Symantec Endpoint Protection Manager
(SEPM) Reports and Client view after 30 days?

Question10: Refer to the exhibit.

Which settings can impact the Files trusted count?

Question11: Refer to the exhibit.

A company has created a specific firewall policy that allows only certain traffic. Which traffic is allowed in
the firewall policy displayed in the exhibit?

Question12: Which task should an administrator perform to troubleshoot operation of the Symantec Endpoint Protection
embedded database?

Question13: An administrator enabled the default application control rule "Block writing to USB Drives", but needs to
modify it so that clients can write to a specific make and model of company-authorized, encrypted USB
drive. How should the administrator proceed?

Question14: An administrator is reviewing an Infected Clients Report and notices that a client repeatedly shows the
same malware detection. Although the client remediates the files, the infection continues to display in the
logs.
Which two functions should be enabled to automate enhanced remediation of a detected threat and its
related side effects? (Select two.)

Question15: An administrator needs to customize the Application and Device Control policy to exclude all USB devices
except for a specific, company-issued USB thumb drive. Which function or program, provided with the
Symantec Endpoint Protection 12.1 software, should the administrator use to customize the environment?

Question16: A company has a small number of systems in their Symantec Endpoint Protection Manager (SEPM) group
with federal mandates that AntiVirus definitions undergo a two week testing period. After being loaded on
the client, the tested virus definitions must remain unchanged on the client systems until the next set of
virus definitions have completed testing. All other clients must remain operational on the most recent
definition sets. An internal LiveUpdate Server has been considered as too expensive to be a solution for
this company.
What should be modified on the SEPM to meet this mandate?

Question17: In Symantec Endpoint Protection 12.1 Enterprise Edition, what happens when the license expires?

Question18: What is a supported migration path for Symantec Endpoint Protection?

Question19: Which two criteria can be used to determine hosts in a host group? (Select two.)

Question20: A company plans to expand its Symantec Endpoint Protection 12.1 (SEP) infrastructure by creating a
second site for use in replication. At a minimum, which two tasks need to be completed to create the
second site? (Select two.)

Question21: What is the file scan workflow order when Shared Insight Cache and reputation are enabled?

Question22: An administrator is testing a new Application and Device Control policy. One of the rule sets being tested
blocks the notepad.exe application from running. After pushing the policy to a test client, the administrator
finds that notepad.exe is still able to run. The administrator verifies that the rule set is enabled in the
Application and Device Control policy. Which two may be preventing the policy from performing the
application blocking? (Select two.)

Question23: An administrator gets a browser certificate warning when accessing the Symantec Endpoint Protection
Manager (SEPM) Web console. Where can the administrator obtain a self-signed certificate to prevent this
warning from appearing?

Question24: How many Symantec Endpoint Protection Managers can connect to an embedded database?

Question25: Which task is unavailable for administrative accounts that authenticate using RSA SecurID Authentication?

Question26: A clean file in a proprietary application has been quarantined by SONAR. How can an administrator fix the
broken application from the Symantec Endpoint Protection Manager console?

Question27: In which two areas can host groups be used? (Select two.)

Question28: An administrator needs to check when and by which account a policy was modified. Which log query
should the administrator use?

Question29: An administrator is in the process of recovering from a disaster and needs the keystore password to
update the certificate on the Symantec Endpoint Protection Manager (SEPM). From which two locations
can the administrator obtain this information? (Select two.)

Question30: An administrator wants to ensure that all clients consider the content from the website www.symantec.com
as safe. Where can the administrator configure this?

Question31: Administrators at a company share a single terminal for configuring Symantec Endpoint Protection. The
administrators want to ensure that each administrator using the console is forced to authenticate using
their individual credentials. They are concerned that administrators may forget to log off the terminal, which
would easily allow others to gain access to the Symantec Endpoint Protection Manager (SEPM) console.
Which setting should the administrator disable to minimize the risk of non-authorized users logging into the
SEPM console?

Question32: An administrator makes a change in the Active Directory structure which has been imported into the
Symantec Endpoint Protection Manager (SEPM). By default, when will the change automatically be
reflected in the SEPM?

Question33: A computer is configured in Mixed Control mode. The administrator creates and applies a Firewall policy to
the computer that has a rule that allows FTP traffic above the blue line and another rule that blocks LDAP
traffic below the blue line. On the computer, local rules are created to allow LDAP traffic and block FTP
traffic. Which traffic flow behavior should be expected on the local computer?

Question34: A large software company has a small engineering department that is remotely located over a slow WAN
connection. Which method will deploy the Symantec Endpoint Protection 12.1 (SEP) clients to the remote
site using the smallest amount of network bandwidth?

Question35: A Symantec Endpoint Protection Manager (SEPM) administrator notices performance issues with the
SEPM server. The Client tab becomes unresponsive in the SEPM console and .DAT files accumulate in
the "agentinfo" folder.
Which tool should the administrator use to gather log files to submit to Symantec Technical Support?

Question36: A Symantec Endpoint Protection (SEP) administrator creates a firewall policy to block FTP traffic and
assigns the policy to all of the SEP clients. The network monitoring team informs the administrator that a
client system is making an FTP connection to a server. While investigating the problem from the SEP
client GUI, the administrator notices that there are zero entries pertaining to FTP traffic in the SEP Traffic
log or Packet log. While viewing the Network Activity dialog, there is zero inbound/outbound traffic for the
FTP process.
What is the most likely reason?

Question37: Users report abnormal behavior on systems where Symantec Endpoint Protection is installed.
Which tool can an administrator run on the problematic systems to identify the likely cause of the abnormal
behavior?

Question38: An administrator is responsible for the Symantec Endpoint Protection architecture of a large, multi-national
company with three regionalized data centers. The administrator needs to collect data from clients;
however, the collected data must stay in the local regional data center. Communication between the
regional data centers is allowed 20 hours a day.
How should the administrator architect this organization?

Question39: How can an administrator proactively obtain information about unknown devices on a network?

Question40: Company A acquires Company B.
Company B has 200 employees. Multiple firewall rules, based on collections of client addresses, are required to allow the new employees access to Company A's resources
and permissions to use approved network applications. Which feature should be used to minimize the
amount of time needed to create rules for these new clients?

Question41: Which policy should an administrator modify to enable Virtual Image Exception (VIE) functionality?

Question42: Which Symantec Endpoint Protection 12.1 feature allows an administrator to prevent users from
downloading files that are unsafe?

Question43: A Symantec Endpoint Protection administrator needs to comply with a service level agreement stipulating
that all definitions must be internally quality assurance tested before being deployed to customers.
Which step should the administrator take?

Question44: A company is building a new Symantec Endpoint Protection Manager (SEPM) and building email
notifications that will go to the security team. Which two notification conditions should the team implement
into the SEPM? (Select two.)

Question45: What is a function of Symantec Insight?

Question46: An administrator reports that the Home, Monitors, and Report pages are absent in the Symantec Endpoint
Protection Management console when the administrator logs on.
Which action should the administrator perform to correct the problem?

Question47: A Microsoft SQL Server containing a Symantec Endpoint Protection Manager (SEPM) database has
encountered an unrecoverable hard drive failure. An administrator has rebuilt the Microsoft SQL Server
and has confirmed that the SEPM can connect with the SQL Server. Which step should the administrator
take next?

Question48: An organization employs laptop users who travel frequently. The organization needs to acquire log data
from these Symantec Endpoint Protection clients periodically. This must happen without the use of a VPN.
Internet routable traffic should be allowed to and from which component?

Question49: Which tool should the administrator run before starting the Symantec Endpoint Protection Manager
upgrade as a Symantec Best Practice?

Question50: A company is setting up a new environment with three Symantec Endpoint Protection Managers (SEPM)
and wants to set one SEPM to act as the primary reporting server. Where in the SEPM should the
administrator configure the priority reporting server to be used for running scheduled reports and
notifications?

Question51: An administrator enables the "Learn applications that run on the client computers" setting for a group of
clients. Later, when using the Search for Applications function, the administrator is unable to find results.
What is the cause of the problem?

Question52: An administrator has defined a rule to allow traffic to and from a specific server by its Fully Qualified
Domain Name (FQDN), because the server's IP address varies based on the office in which a client is
located. The administrator attempts to verify the rule and finds that the traffic is being blocked. The logs list
the IP address of the server instead of its FQDN. What does the administrator need to do within the firewall
policy to allow the rule to work correctly?

Question53: A company is transitioning from using policies based on the individual that logs in to the client machine to
policies based only on the client machine. Which Symantec Endpoint Protection 12.1 change will the
organization need to perform?

Question54: Which two items should an administrator enter in the License Activation Wizard to activate a license?
(Select two.)

Question55: How are Insight results stored?

Question56: An administrator needs to increase the access speed for client files that are stored on a file server.
Which configuration should the administrator review to address the read speed from the server?

Question57: Which action can an administrator take to improve the Symantec Endpoint Protection Manager (SEPM)
dashboard performance and report accuracy?

Question58: A company wants its clients to use the Group Update Provider (GUP) that is closest to them, but is
concerned about what happens if the GUP is unavailable or goes offline. Which two options could mitigate
this issue? (Select two.)

Question59: What are two criteria that Symantec Insight uses to evaluate binary executables? (Select two.)

Question60: An administrator set the remediation options for Security Risks to the defaults (Quarantine, then Delete).
However, the security team is the only team authorized to have Hack Tools on their systems. Which two
steps must the administrator complete to accomplish this? (Select two.)

Question61: Which statement describes a difference between Virtual Image Exceptions (VIE) and Shared Insight Cache
(SIC)?

Question62: What does SONAR use to reduce false positives?

Question63: Which two can be used when defining location switching criteria for the Symantec Endpoint Protection 12.1
client? (Select two.)

Question64: A large set of static PDF files stored on a single virtual client system, which is running on an ESX server,
need to be scanned daily by a scheduled scan. Which two features should be employed to minimize
performance impact on the client during scanning of these files? (Select two.)

Question65: A company organizes its clients into two groups, the Symantec Endpoint Protection Manager (SEPM)
group with all the SEPMs and a Desktops group with all other systems. An Application and Device Control
policy is used with the "Block modifications to hosts file" rule set enabled. This policy is applied to all
groups in the company. How can an administrator modify the hosts file on the SEPM systems, while
minimizing risks posed to the company?

Question66: A financial company has a security policy that prevents banking system workstations from connecting to
the internet. Which Symantec Endpoint Protection 12.1 protection technology will be prevented from
working on the company's workstations?

Question67: A Symantec Endpoint Protection administrator needs to prevent users from modifying files in a specific
program folder that is on all client machines.
What does the administrator need to configure?

Question68: According to Symantec best practices, which two tasks should be completed after creating file fingerprint
lists, but prior to enabling System Lockdown? (Select two.)

Question69: An administrator is troubleshooting a Symantec Endpoint Protection (SEP) replication.
Which component log should the administrator check to determine whether the communication between
the two sites is working correctly?

Question70: When the Symantec Endpoint Protection 12.1 client firewall defends against a MAC spoof attack, what
does it drop?

Question71: A user is unknowingly about to connect to a malicious website and download a known threat within a .rar
file. All Symantec Endpoint Protection technologies are installed on the client's system.
In which feature set order must the threat pass through to successfully infect the system?

Question72: A Symantec Endpoint Protection Manager (SEPM) administrator is importing from an Active Directory
environment. The administrator needs to know which object types are being imported. Which two object
types are imported into the SEPM from Active Directory? (Select two.)

Question73: Where in the Symantec Endpoint Protection (SEP) management console will a SEP administrator find the
option to allow all users to enable and disable the client firewall?

Question74: A company has three groups of clients: Laptops, Desktops, and Servers. Administrators must have the
ability to perform manual scans for these clients from the Symantec Endpoint Protection Manager. In
addition, the manual scans need to be customized according to the different clients, for example by
customizing whether memory is scanned and which folder locations are scanned. How can the
environment be configured to provide this ability while minimizing management overhead?

Question75: In a management server list, Symantec Endpoint Protection Manager (SEPM) A is added to Priority 1, and
SEPM B is added to Priority 2. This setup will provide which service?

Question76: Which type of email does Internet Email Auto-Protect support?

Question77: A company has an application that requires network traffic in both directions to multiple systems at a
specific external domain. A firewall rule was created to allow traffic to and from the external domain, but
the rule is blocking incoming traffic.
What should an administrator enable in the firewall policy to allow this traffic?

Question78: Which feature can be configured to increase or decrease performance of scheduled scans?

Question79: An administrator needs to ensure that a specific network threat can be detected. The attack signatures for
this threat may be found across multiple packets. What can the administrator do to ensure the best chance
of detecting this threat?

Question80: Which command attempts to find the name of the drive in the private region and to match it to a disk media
record that is missing a disk access record?

Question81: Refer to the exhibit.

A company is using a custom application that writes its application settings in the registry. An administrator
plans to prevent users from modifying these values, while ensuring that the custom application still
functions correctly. An Application and Device Control policy is created with an application rule to block
access to create, delete, or write attempts, for the registry keys used by the custom application. One way
to ensure users are prohibited from the registry keys, but the custom application can still modify them, is to
add an Application Control exception for the custom application. What is another way to ensure this
functionality?

Question82: Where are directory servers added before importing Organizational Units (OU) or adding administrators to
the Symantec Endpoint Protection Manager?

Question83: Which Symantec Endpoint Protection 12.1 component provides services to improve the performance of
virtual client scanning?

Question84: Which notification action can be performed when a security-related condition is met?

Question85: An administrator needs to exclude some servers from an Intrusion Prevention System (IPS) policy. When
specifying an excluded host in an IPS policy, which two methods can be used? (Select two.)

Question86: Which setting can an administrator change that will result in the greatest impact on the speed of delivery of
Symantec Endpoint Protection policy changes to the endpoints?

Question87: Refer to the exhibit.

An administrator uses the search criteria displayed in the exhibit.
Which results are returned from the query?

Question88: A financial company enforces a security policy that prevents banking system workstations from connecting
to the Internet.
Which Symantec Endpoint Protection technology is ineffective on this company's workstations?

Question89: A company is currently testing Symantec Endpoint Protection 12.1 on 100 clients. The company has
decided to deploy SEP to an additional 20,000 clients. They are concerned about the number of clients
supported on a single Symantec Endpoint Protection Manager (SEPM). What should the company do to
ensure that the SEPM can support the clients?

Question90: Which two sources can a Macintosh client use to download content? (Select two.)

Question91: A company is concerned that its clients may be out-of-date and it wants to ensure that all running
applications are protected with Symantec's latest definitions, even if they are unavailable on the Symantec
Endpoint Protection 12.1 (SEP) client. How could the company configure SEP to achieve this goal?

Question92: A Symantec Endpoint Protection (SEP) administrator performed a disaster recovery without a database
backup.
In which file should the SEP administrator add "scm.agent.groupcreation=true" to enable the automatic
creation of client groups?

Question93: Which Symantec Endpoint Protection defense mechanism provides protection against threats that
propagate from system to system through the use of autorun.inf files?

Question94: Which exception type can be configured?

Question95: An administrator wants to make sure users are warned when they decide to download potentially malicious
files. Which option should the administrator configure?

Question96: The Security Status on the console home page is failing to alert a Symantec Endpoint Protection (SEP)
administrator when virus definitions are out of date.
How should the SEP administrator enable the Security Status alert?

Question97: Multiple Windows virtual clients running on an ESX server need to be scanned daily by a scheduled scan.
Which feature should an administrator use to improve scan performance on the clients?

Question98: In addition to performance improvements, which two benefits does Insight provide? (Select two.)

Question99: A company deploys Symantec Endpoint Protection client to its sales staff who travel across the country.
Which deployment method should the company use to notify its sales staff to install the client?

Question100: Refer to the exhibit.

An administrator has configured the Symantec Endpoint Protection Manager (SEPM) to use Active
Directory authentication. The administrator defines a new Symantec Endpoint Protection administrator
named Sep_SysAdmin, configured to use Directory Authentication.
Which password needs to be entered when the administrator logs in to the SEPM console as
Sep_SysAdmin?

Question101: A LiveUpdate policy allows for configuring single Group Update Providers (GUPs) or multiple GUPs from a
list. What is a limitation when using multiple GUPs?

Question102: By default, the Client User Interface control is set to Server Control. Which two actions will the user who is
logged in as a Windows administrator be able to perform? (Select two.)

Question103: What is an appropriate use of a file fingerprint list?

Question104: Which two criteria can be used to determine hosts in a host group? (Select two.)

Question105: A company plans to install six Symantec Endpoint Protection Managers (SEPMs) spread evenly across
two sites. The administrator needs to direct replication activity to SEPM3 server in Site 1 and SEPM4 in
Site 2.
Which two actions should the administrator take to direct replication activity to SEPM3 and SEPM4?
(Select two.)

Question106: What is a valid Symantec Endpoint Protection (SEP) single site design?

Question107: Where is a file encrypted and saved to when the "Backup files before attempting to repair them" setting is
enabled?

Question108: A Symantec Endpoint Protection (SEP) administrator receives multiple reports that machines are
experiencing performance issues. The administrator discovers that the reports happen about the same
time as the scheduled LiveUpdate.
Which setting should the SEP administrator configure to minimize I/O when LiveUpdate occurs?

Question109: Which two criteria can an administrator use to determine hosts in a host group? (Select two.)

Question110: An administrator is designing a new single site Symantec Endpoint Protection environment. Due to
perimeter firewall bandwidth restrictions, the design needs to minimize the amount of traffic from content
passing through the firewall.
Which source must the administrator avoid using?

Question111: Which statement is true about the Database Backup and Restore utility?

Question112: Which action does the Shared Insight Cache (SIC) server take when the whitelist reaches maximum
capacity?

Question113: An administrator is modifying a Virus and Spyware Protection policy for a Symantec Endpoint Protection
12.1 (SEP) client because it is demonstrating poor boot performance. Which option should the
administrator consider to alleviate this problem?

Question114: What is the likely impact of increasing the Download Insight sensitivity?

Question115: For replication, Symantec recommends that the number of sites be kept to five for optimum performance.
What can be done to reduce the number of sites?

Question116: Which Symantec Endpoint Protection 12.1 component provides single-sign-on to the Symantec Endpoint
Protection Manager and other products, along with cross-product reporting?

Question117: An administrator configures the scan duration for a scheduled scan. The scan fails to complete in the
specified time period.
When will the next scheduled scan occur on the computer?

Question118: What are two default access rights for various types of Symantec Endpoint Protection Manager
Administrator accounts? (Select two.)

Question119: Which client log shows that a client is downloading content from its designated source?

Question120: Which two actions can a user take during an in-progress scheduled scan? (Select two.)

Question121: According to Symantec, what is a botnet?

Question122: A large oil company has a small exploration department that is remotely located and rarely has internet
connectivity. Which client type would allow the exploration department to configure their own security
policies?

Question123: An administrator defines the Active Directory settings in the Symantec Endpoint Protection Manager
(SEPM). The administrator adds an account named Sep_SysAdmin in the SEPM. This account is
configured to use Active Directory Authentication. Which two settings can the administrator configure for
the Sep_SysAdmin account? (Select two.)

Question124: Which two are policy types within the Symantec Endpoint Protection Manager? (Select two.)

Question125: Refer to the exhibit.

The status of two clients on the Symantec Endpoint Protection Manager is provided in the exhibit. They
indicate that the clients are "Offline". What does the Offline status indicate?

Question126: A company creates free web access computers for use in public areas, such as airports. The software
provided on the computers will be static and the systems must be secure. What should be used to restrict
unauthorized applications from running on these computers?

Question127: Which tool should an administrator use to discover and deploy the Symantec Endpoint Protection client to
new computers?

Question128: You have just started a relayout operation in a live test environment, and you want to limit the impact of
your work on concurrent testing activities. You also want to accommodate the need to constrain a relayout
job's performance impact on concurrent activities.
What would you do to perform this task?

Question129: What is the default replication frequency when adding an additional site to a Symantec Endpoint Protection
12.1 deployment?

Question130: An administrator changes the Virus and Spyware Protection policy for a specific group that disables Auto-
Protect. The administrator assigns the policy and the client systems applies the corresponding policy serial
number. Upon visual inspection of a physical client system, the policy serial number is correct. However,
Auto-Protect is still enabled on the client system.
Which action should the administrator take to ensure that the desired setting is in place on the client?

Question131: Which Symantec Endpoint Protection Management (SEPM) database option is the default for deployments
of fewer than 1,000 clients?

Question132: An administrator is re-adding an existing Replication Partner to the local Symantec Endpoint Protection
Manager site.
Which two parameters are required to re-establish this replication partnership? (Select two.)

Question133: A Symantec Endpoint Protection administrator must block traffic from an attacking computer for a specific
time period.
Where should the administrator adjust the time to block the attacking computer?

Question134: An administrator has installed Symantec Endpoint Protection 12.1 using an embedded database. Which
two database maintenance tasks are available in the Symantec Endpoint Protection Manager console?
(Select two.)

Question135: A company has a firewall policy with a rule that allows all applications on all ports. An administrator needs
to modify the policy so that it allows Internet Explorer to communicate to any website, but only on port 80
and 443. In addition, the company only wants this modification to affect traffic from Internet Explorer. The
administrator created a new rule at the top of the ruleset that allows Internet Explorer on port 80 and 443.
Which step should the administrator take next?

Question136: Which Symantec Endpoint Protection 12.1 component uses reputation to evaluate a file?

Question137: A company has deployed Symantec Endpoint Protection 12.1 in their corporate environment using a multi-
site design. If an administrator makes policy changes in the United States site, when will the changes
appear in the European site?

Question138: A company is experiencing a malware outbreak. The company deploys Symantec Endpoint Protection
12.1, with only Virus and Spyware Protection, Application and Device Control, and Intrusion Prevention
technologies. Why would Intrusion Prevention be unable to block all communications from an attacking
host?

Question139: How frequently does Symantec recommend that a Symantec Endpoint Protection Manager site check
LiveUpdate for content updates?

Question140: A Symantec Endpoint Protection 12.1 (SEP) administrator is remotely deploying SEP clients, but the
clients are failing to install on Windows XP. Which two could be preventing installation? (Select two.)

Question141: Which two Symantec Endpoint Protection components are used to distribute content updates? (Select
two.)

Question142: Which command line syntax invokes the Symantec Endpoint Protection Client Service to determine
whether a more recent copy of the configuration file is available on the management server?

Question143: A Symantec Endpoint Protection (SEP) client uses a management server list with three management
servers in the priority 1 list.
Which mechanism does the SEP client use to select an alternate management server if the currently
selected management server is unavailable?

Question144: Which component is required in order to run Symantec Endpoint Protection 12.1 protection technologies?

Question145: Which Symantec Endpoint Protection component enables access to data through ad-hoc reports and
charts with pivot tables?

Question146: Which two should be considered when enabling Application Learning in an environment? (Select two.)

Question147: An administrator needs to determine which versions of Symantec Endpoint Protection (SEP) are currently
in the network. Which report provides this information?

Question148: A company suffered a catastrophic hardware failure on the Symantec Endpoint Protection Manager
(SEPM) which was using a remote Microsoft SQL Server. The administrator has all required backups. The
administrator restores the hardware and the operating system with the required software (including
SEPM). What is the next step in the recovery procedure?

Question149: Refer to the exhibit.

Inheritance is turned on only for groups England, Sales, Laptops, and Manchester (highlighted). Without
turning inheritance off, which top level group must be modified to affect users in the Laptop group?

Question150: A company needs to prevent users from modifying files in a specific program folder that is on all client
machines. What needs to be configured?

Question151: What is a characteristic of a Symantec Endpoint Protection (SEP) domain?

Question152: What are two responsibilities associated with the Limited Administrator account type in Symantec Endpoint
Protection Manager? (Select two.)

Question153: Which two options are available when configuring high risk detection in SONAR? (Select two.)

Question154: Which authentication method must be used to provide the ability to reset forgotten passwords?

Question155: Which ports on the company firewall must an administrator open to avoid problems when connecting to
Symantec Public LiveUpdate servers?

Question156: A company needs to forward log data from Data Center A to Data Center B during off peak hours only.
How should the company architect its Symantec Endpoint Protection environment?

Question157: A company needs to configure an Application and Device Control policy to block read/write access to all
USB removable media on its Symantec Endpoint Protection (SEP) systems.
Which tool should an administrator use to format the GUID and device IDs as required by SEP?

Question158: A user is downloading a file from https://www.example.com to the local system. The user is able to
download and save that file even though it is a known malicious application. Why is the user able to
download the application?

Question159: Which object in the Symantec Endpoint Protection Manager console describes the most granular level to
which a policy can be assigned?

Question160: An administrator is logged in to the Symantec Endpoint Protection Manager (SEPM) console for a system
named SEPM01. The groups and policies that were previously in the SEPM01 console are unavailable and
have been replaced with unfamiliar groups and policies. What was a possible reason for this change?

Question161: An administrator notices that the Symantec Endpoint Protection Manager (SEPM) embedded database is
growing large and is taking longer to back up than desired. How can backup performance of the database
be improved?

Question162: Refer to the exhibit.

A user runs a full scan on a system and is confused by the "Files trusted" count. Which option will result in
the files being left unscanned?

Question163: The LiveUpdate Download Schedule is set to the default on the Symantec Endpoint Protection Manager
(SEPM).
How many content revisions must the SEPM keep to ensure clients that check in to the SEPM every 10
days receive xdelta content packages instead of full content packages?

Question164: In which two situations would Symantec Endpoint Protection 12.1 (SEP) generate a Left Alone action?
(Select two.)

Question165: The fake antivirus family "PC scout" infects systems with a similar method regardless of its variant. Which
SONAR sub-feature can block new variants of the same family, based on sequence of events?

Question166: A company recently purchased the Symantec Endpoint Protection 12.1 (SEP) product. It has two
datacenters and wants to configure SEP for high availability, so that if one datacenter goes down, the SEP
clients can smoothly fail over to the other datacenter. What should be done to allow SEP clients to fail over
from one datacenter to the next?

Question167: An administrator plans to implement a multi-site Symantec Endpoint Protection (SEP) deployment. The
administrator needs to determine whether replication is viable without needing to make network firewall
changes or change defaults in SEP.
Which port should the administrator verify is open on the path of communication between the two proposed
sites?

Question168: Which two Symantec Endpoint Protection 12.1 (SEP) standalone tools are available for malware scanning
and remediation? (Select two.)

Question169: Acrobat Reader is being targeted by a threat using process injection. Which feature of SONAR is
sandboxing Acroread32.exe so that the threat is prevented from dropping its payload?

Question170: A Symantec Endpoint Protection 12.1 group has two defined locations based on whether clients are
attached to the local network or are remote. The local network location has an administrator- defined scan
scheduled to begin each Monday at 09:00. The remote location has an administrator- defined scan
scheduled to begin each Wednesday night at 21:00. All systems are used daily and remain powered on all
night. Some users in the group have laptops, while the other users have standard desktops. Assuming the
laptops are taken home and used each night, what is the effect?

Question171: A system running Symantec Endpoint Protection is assigned to a group with client user interface control
settings set to mixed mode with Auto-Protect options set to Client. The user on the system is unable to turn
off Auto-Protect.
What is the likely cause of this problem?

Question172: An administrator is restoring a Microsoft SQL Symantec Endpoint Protection 12.1 database and installing a
new Symantec Endpoint Protection Manager (SEPM). After completing the restore, the administrator
notices that the clients are unable to connect to the SEPM. Which step did the administrator forget when
performing the restore?

Question173: A threat was detected by Auto-Protect on a client system.
Which command can an administrator run to determine whether additional threats exist?

Question174: Some customers report that when they run the command "smc -stop" on their clients, they are unable to
connect to network resources. What is wrong?

Question175: Which Symantec Endpoint Protection technology blocks a downloaded program from installing browser
plugins?

Question176: An administrator receives a browser certificate warning when accessing the Symantec Endpoint Protection
Manager (SEPM) Web console.
Where can the administrator obtain the certificate?

Question177: Which port is used by default for replication between sites?

Question178: In Symantec Endpoint Protection 12.1 Enterprise Edition (SEP), what happens when the Soft Enforcement
license expires?

Question179: A Symantec Endpoint Protection 12.1 administrator has the Virus and Spyware Protection policy
configured with Auto-Protect enabled. The administrator is confronted with computer performance issues.
Which two options can the administrator use to improve performance? (Select two.)

Question180: A Symantec Endpoint Protection 12.1 client is running a user-defined scan when a scheduled,
administrator-defined scan is scheduled to launch. What is the effect on the client?

Question181: Which option is unavailable in the Symantec Endpoint Protection console to run a command on the group
menu item?

Question182: After several failed logon attempts, the Symantec Endpoint Protection Manager (SEPM) has locked the
default admin account. An administrator needs to make system changes as soon as possible to address
an outbreak, but the admin account is the only account.
Which action should the administrator take to correct the problem with minimal impact to the existing
environment?

Question183: An administrator is recovering from a Symantec Endpoint Manager (SEPM) site failure.
Which file should the administrator use during an install of SEPM to recover the lost environment according
to Symantec Disaster Recovery Best Practice documentation?

Question184: Which technology does the Symantec Endpoint Protection Firewall use?

Question185: How can a Symantec Endpoint Protection 12.1 client on a Macintosh system get updates?

Question186: An administrator is reviewing risk logs in the Symantec Endpoint Protection Manager (SEPM) and notices
that some entries list that the "Risk was partially removed". The administrator wants to determine whether
additional steps are necessary to remediate the threat. How should the administrator proceed?

Question187: What is the first step an administrator should take in order to run the Virtual Image Exception Tool when
implementing a new Virtual Desktop Infrastructure?

Question188: A company deploys Symantec Endpoint Protection (SEP) to 50 virtual machines running on a single ESXi
host.
Which configuration change can the administrator make to minimize sudden IOPS impact on the ESXi
server while each SEP endpoint communicates with the Symantec Endpoint Protection Manager?

Question189: A company receives a high number of reports from users that files being downloaded from internal web
servers are blocked. The Symantec Endpoint Protection administrator verifies that the Automatically trust
any file downloaded from an intranet website option is enabled.
Which configuration can cause Insight to block the files being downloaded from the internal web servers?

Question190: An administrator uses ClientSideClonePrepTool to clone systems and virtual machine deployment.
What will the tool do when it is run on each system?

Question191: A Symantec Endpoint Protection 12.1 (SEP) administrator deployed SEP clients, but the SEP clients are
failing to register with the Symantec Endpoint Protection Manager (SEPM). Which solution would allow the
clients to register with the SEPM?

Question192: Which technology uses heuristics to scan outbound email?

Question193: A Symantec Endpoint Protection (SEP) administrator is remotely deploying SEP clients, but the clients are
failing to install on Windows XP.
What are two possible reasons for preventing installation? (Select two.)

Question194: Refer to the exhibit.

What does the symbol to the left of the system name, SEPMGR12, indicate?

Question195: Where can an administrator obtain the Sylink.xml file?

Question196: Which protection technology can detect botnet command and control traffic generated on the Symantec
Endpoint Protection client machine?

Question197: A large enterprise plans to deploy Symantec Endpoint Protection 12.1 (SEP) on 36,000 virtual endpoints
distributed across 1,800 VMware ESX servers in a single datacenter. A system administrator needs to
optimize endpoint scanning Cache (SIC) server functionality. Which two configuration changes should the
administrator make to minimize the number of SIC servers that need to be deployed? (Select two.)

Question198: An administrator notices that some entries list that the Risk was partially removed. The administrator needs
to determine whether additional steps are necessary to remediate the threat.
Where in the Symantec Endpoint Protection Manager console can the administrator find additional
information on the risk?

Question199: A company is running the Symantec Endpoint Protection 12.1 firewall with the default policy. At the bottom
of the ruleset, there is a rule called "Block all other IP traffic and log" which will block all IP traffic. A
financial application is being blocked by this rule. What should be changed to allow the application without
sacrificing security?

Question200: A managed service provider (MSP) is managing Symantec Endpoint Protection for a number of
independent companies. Each company has administrators who will log in from time to time to add new
clients. Administrators must be prevented from seeing the existence of other companies in the console.
What should an administrator create for each independent company?

Question201: The Symantec Endpoint Protection 12.1 (SEP) client indicates that the Virus and Spyware Protection (AV)
definitions are current, while the Intrusion Prevention System (IPS) signatures are one day older. How can
an administrator determine whether this SEP client is up-to-date?

Question202: A company wants to reduce or eliminate the HelpDesk calls they receive due to end users modifying,
moving, or deleting configuration files. Which component of Symantec Endpoint Protection will allow the IT
administrator to prevent users from altering configuration files?

Question203: An administrator needs to configure Secure Socket Layer (SSL) communication for clients. In the
httpd.conf file, located on the Symantec Endpoint Protection Manager (SEPM), the administrator removes
the hashmark (#) from the text string displayed below.
#Include conf/ssl/sslForcClients.conf<
Which two tasks must the administrator perform to complete the SSL configuration? (Select two.)

Question204: A company has a single datacenter at its main office and 10 branch offices with 100 computers in each
office. The branch offices are connected to the datacenter with a 56k network link. The customer wants the
Symantec Endpoint Protection Manager (SEPM) to be installed in the datacenter. What can be done at the
branch offices to reduce the bandwidth caused by definition updates from the Symantec Endpoint
Protection clients at each branch office?

Question205: Which Symantec Endpoint Protection client component must be installed to enable Unmanaged Detector
mode?

Question206: An administrator enabled virtual image exceptions for Auto-Protect and Administrator-Defined scans on
virtual machines. In order to protect against previously undetected threats, the administrator must regularly
scan the static instance of the virtual machine image set which includes the files that have been
whitelisted. In addition to cleaning the static image set, which additional step must the administrator
complete if threats are discovered?

Question207: An exception needs to be created for a file named "RunMe.exe" in a user's Windows 7 "My Documents"
folder. The user's login name is Bob.
Which method should be used?

Question208: An administrator creates a new domain in the Symantec Endpoint Protection Manager console.
How can the administrator copy policies from the old domain to the new domain?

Question209: Which two configuration elements are needed in order to add a replication partner? (Select two.)

Question210: A Symantec Endpoint Protection administrator is using System Lockdown in blacklist mode with a file
fingerprint list. When testing a client, the administrator notices that at least one of the files on the list is
allowed to execute.
What is the likely cause of the problem?

Question211: A Symantec Endpoint Protection 12.1 (SEP) administrator discovers that a firewall is blocking Windows file
sharing. Which method can bypass the firewall and allow the SEP clients to be installed with a minimum
amount of effort?

Question212: Drive-by downloads are a common vector of infections. Some of these attacks use encryption to bypass
traditional defense mechanisms. Which Symantec Endpoint Protection 12.1 protection technology blocks
such obfuscated attacks?

Question213: A client is unable to communicate with the Symantec Endpoint Protection Manager (SEPM) Server. The
administrator decides to replace the Sylink.xml file on the client using the SylinkDrop tool. Which two
additional tasks can be accomplished by replacing the Sylink.xml file? (Select two.)

Question214: Why does Power Eraser need Internet access?

Question215: Which two instances could cause Symantec Endpoint Protection to be unable to remediate a file? (Select
two.)

Question216:
An administrator defines the Active Directory settings in the Symantec Endpoint Protection Manager as
displayed in the exhibit. Which port number should be used for LDAP?

Question217: A managed Symantec Endpoint Protection 12.1 (SEP) client is in a group that has a Virus and Spyware
Protection policy specifying that all files must be scanned. An Exceptions policy has been applied to the
group by the SEP administrator. The Exceptions policy has an empty exclusions list. A local user of the
client has added an Exception to exclude C:\temp. What will happen if a user attempts to download a file to
the C:\temp folder?

Question218: Which Intrusion Prevention feature is updated automatically?

Question219: Which step is unnecessary when an administrator creates an application rule set?

Question220: Which operation can be performed using the Database Back Up and Restore utility found in the Windows
Start menu?

Question221: An administrator wants to deploy the Symantec Endpoint Protection 12.1 (SEP) client to computers that
are lacking the Symantec Endpoint Protection client. Which tool should the administrator use to discover
and deploy the SEP client to the computers?

Question222: Which two options can administrators customize on the Home page? (Select two.)

Question223: A large software company runs a small engineering department that is remotely located over a slow WAN
connection.
Which option should the company use to install an exported Symantec Endpoint Protection (SEP) package
to the remote site using the smallest amount of network bandwidth?

Question224: A new installation of the Symantec Endpoint Protection 12.1 (SEP) is running on a trial license.
For how long can managed SEP clients receive updates?

Question225: Which Symantec Endpoint Protection 12.1 protection technology provides the primary protection layers
against zero-day network attacks?

Question226: An administrator selects the Backup files before attempting to repair the Remediations option in the Auto-
Protect policies.
Which two actions occur when a virus is detected? (Select two.)

Question227: What could be an adverse effect of activating aggressive mode on the SONAR policy?

Question228: An administrator needs to add an Application Exception. When the administrator accesses the Application
Exception dialog window, applications fail to appear.
What is the likely problem?

Question229: A company is building a new Symantec Endpoint Protection Manager and is setting the remediation
actions for threats in the Virus and Spyware Protection policy. For security risks, the first action is set to
Repair and the second action is Quarantine. In this environment, Symantec Endpoint Protection 12.1
(SEP) has been deployed to a small group of clients for testing. Which condition would cause Auto-Protect
to stop sending notifications and stop logging the event after three detections?

Question230: A company selected Opera 10 as its corporate browser. Drive-by downloads are occurring and SONAR
intercepts the resulting scripts. How should the company proceed to minimize the occurrence of drive-by
downloads?

Question231: A company suffered catastrophic hardware failure on the Symantec Endpoint Protection Manager (SEPM).
The administrator restores the hardware and the operating system with the required software (including
SEPM). The administrator then runs the SEPM Database Back Up and Restore utility. What is the most
important consideration?

Question232: Which Symantec Endpoint Protection Manager feature allows an administrator to view and modify
commonly accessed reports?

Question233: Which action does SONAR take before convicting a process?

Question234: Which action should an administrator take to prevent users from using Windows Security Center?

Question235: A company is deploying Symantec Endpoint Protection 12.1 and configuring remediation options within the
Virus and Spyware Protection policy. They are considering enabling "Terminate processes automatically"
within the remediation options. If this feature is enabled, which two characteristics will the user see when
the client must terminate a process to remove or repair a risk? (Select two.)

Question236: How can an administrator manage multiple, independent companies from one database while maintaining
independent groups, computers, and policies?

Question237: Which Symantec Endpoint Protection 12.1 component improves performance because known good files
are skipped?

Question238: Which Symantec Endpoint Protection 12.1 defense mechanism provides protection against worms like
W32.Silly.FDC, which propagate from system to system through the use of autorun.inf files?

Question239: Which action must a Symantec Endpoint Protection administrator take before creating custom Intrusion
Prevention signatures?

Question240: When can an administrator add a new replication partner?

Question241: In which client management log can an administrator identify when the client last connected to the
Symantec Endpoint Protection Manager?

Question242: In addition to adding exceptions directly into an Exceptions policy, what is another method of adding
exceptions?

Question243: A system administrator created a firewall policy that allows certain applications and blocks others.
However, some applications are being blocked that should be allowed. Which log should be viewed to
troubleshoot this issue?

Question244: A large-scale virus attack is occurring and a notification condition is configured to send an email whenever
viruses infect five computers on the network. A Symantec Endpoint Protection administrator has set a one
hour damper period for that notification condition.
How many notifications does the administrator receive after 30 computers are infected in two hours?

Question245: Which two criteria should an administrator use when defining Location Awareness for the Symantec
Endpoint Protection (SEP) client? (Select two.)

Question246: Which two considerations must an administrator make when enabling Application Learning in an
environment? (Select two.)

Question247: Which two are optional when replicating between Symantec Endpoint Protection Managers? (Select two.)

Question248: In the virus and Spyware Protection policy, an administrator sets the First action to Clean risk and sets If
first action fails to Delete risk.
Which two factors should the administrator consider? (Select two.)

Question249: An administrator is using the SylinkDrop tool to update a Symantec Endpoint Protection client install on a
system. The client fails to migrate to the new Symantec Endpoint Protection Manager (SEPM), which is
defined correctly in the Sylink.xml file that was exported from the SEPM.
Which settings must be provided with SylinkDrop to ensure the successful migration to a new Symantec
Endpoint Protection environment with additional Group Level Security Settings?