EMT Practice Test

1. Question Content...


Question List

Question1: Which threat is an example of an Advanced Persistent Threat (APT)?

Question2: How can an Incident Responder generate events for a site that was identified as malicious but has NOT triggered any events or incidents in ATP?

Question3: What is the role of Cynic within the Advanced Threat Protection (ATP) solution?

Question4: An Incident Responder wants to investigate whether msscrt.pdf resides on any systems.
Which search query and type should the responder run?

Question5: An ATP Administrator set up ATP: Network in TAP mode and has placed URLs on the blacklist.
What will happen when a user attempts to access one of the blacklisted URLs?

Question6: What is the main constraint an ATP Administrator should consider when choosing a network scanner model?

Question7: An ATP Administrator has deployed ATP: Network, Endpoint, and Email and now wants to ensure that all connections are properly secured.
Which connections should the administrator secure with signed SSL certificates?

Question8: Which threat is an example of an Advanced Persistent Threat (APT)?

Question9: Which two widgets can an Incident Responder use to isolate breached endpoints from the Incident details page? (Choose two.)

Question10: Why is it important for an Incident Responder to analyze an incident during the Recovery phase?

Question11: Which best practice does Symantec recommend with the Endpoint Detection and Response feature?

Question12: Why is it important for an Incident Responder to review Related Incidents and Events when analyzing an incident for an After Actions Report?

Question13: Which section of the ATP console should an ATP Administrator use to create blacklists and whitelists?

Question14: Malware is currently spreading through an organization's network. An Incident Responder sees some detections in SEP, but there is NOT an apparent relationship between them.
How should the responder look for the source of the infection using ATP?

Question15: Which action should an Incident Responder take to remediate false positives, according to Symantec best practices?

Question16: An Incident Responder has reviewed a STIX report and now wants to ensure that their systems have NOT been compromised by any of the reported threats.
Which two objects in the STIX report will ATP search against? (Choose two.)

Question17: Which final steps should an Incident Responder take before using ATP to rejoin a remediated endpoint to the network, according to Symantec best practices?

Question18: What occurs when an endpoint fails its Host Integrity check and is unable to remediate?

Question19: An Incident Responder wants to run a database search that will list all client named starting with SYM.
Which syntax should the responder use?

Question20: Where can an Incident Responder view Cynic results in ATP?

Question21: Which threat is an example of an Advanced Persistent Threat (APT)?

Question22: A medium-sized organization with 10,000 users at Site A and 20,000 users at Site B wants to use ATP:
Network to scan internet traffic at both sites.
Which physical appliances should the organization use to act as a network scanner at each site while using the fewest appliances and assuming typical network usage?

Question23: Which stage of an Advanced Persistent Threat (APT) attack do attackers break into an organization's network to deliver targeted malware?

Question24: An Incident Responder documented the scope of a recent outbreak by reviewing the incident in the ATP manager.
Which two entity relationship examples should the responder look for and document from the Incident Graph? (Choose two.)

Question25: An Incident Responder is going to run an indicators of compromise (IOC) search on the endpoints and wants to use operators in the expression.
Which tokens accept one or more of the available operators when building an expression?

Question26: Which two user roles allow an Incident Responder to blacklist or whitelist files using the ATP manager?
(Choose two.)

Question27: Which two database attributes are needed to create a Microsoft SQL SEP database connection? (Choose two.)

Question28: Which stage of an Advanced Persistent Threat (APT) attack do attackers send information back to the home base?

Question29: Which attribute is required when configuring the Symantec Endpoint Protection Manager (SEPM) Log Collector?

Question30: Which two actions can an Incident Responder take in the Cynic portal? (Choose two.)

Question31: An Incident Responder notices traffic going from an endpoint to an IRC channel. The endpoint is listed in an incident. ATP is configured in TAP mode.
What should the Incident Responder do to stop the traffic to the IRC channel?

Question32: What does a Quarantine Firewall policy enable an ATP Administrator to do?

Question33: An Incident Responder discovers an incident where all systems are infected with a file that has the same name and different hash. As a result, the organism view has multiple entries for the malicious file.
What is causing this issue?

Question34: Which National Institute of Standards and Technology (NIST) cybersecurity function includes Risk Assessment or Risk Management Strategy?

Question35: What is the minimum amount of RAM required for a virtual deployment of the ATP Manager in a production environment?

Question36: Which prerequisite is necessary to extend the ATP: Network solution service in order to correlate email detections?

Question37: Which two tasks should an Incident Responder complete when recovering from an incident? (Choose two.)

Question38: What is the earliest stage at which a SQL injection occurs during an Advanced Persistent Threat (APT) attack?

Question39: How does an attacker use a zero-day vulnerability during the Incursion phase?

Question40: How should an ATP Administrator configure Endpoint Detection and Response according to Symantec best practices for a SEP environment with more than one domain?

Question41: Which default port does ATP use to communicate with the Symantec Endpoint Protection Manager (SEPM) web services?