Section 6: Understanding Endpoint Security Technologies
Which two of the following statements are correct regarding blocked lists and allowed lists? (Choose two.)
Allowed lists are used only to identify IP addresses to be permitted.
A blocked list can identify IP addresses, applications, domains, or URLs to be explicitly denied.
An allowed list denies all traffic that is not explicitly permitted.
Application allowed lists will always stop the malware payloads.
A blocked list can identify IP addresses, applications, domains, or URLs to be explicitly denied. An allowed list denies all traffic that is not explicitly permitted.
What is the attacker trying to gain by turning off the Windows Firewall on the victim's Windows machine?
Allow unsolicited incoming connections to the victim's machine.
Block all outgoing connections from the victim's machine.
Enable the victim's machine to send outbound CnC traffic back to the attacker's infrastructure.
Allow a VPN connection from the victim's machine to the attacker's CnC server.
Allow unsolicited incoming connections to the victim's machine.
What can a HIPS do that a NIPS cannot? (Choose two.)
Detect malware delivered to the host via an encrypted channel.
Protect a mobile host while connected to non-secured networks.
Block malware as it is carried across the network.
Inspect traffic crossing a link in the network.
Detect malware delivered to the host via an encrypted channel. Protect a mobile host while connected to non-secured networks.
Which one of the following statements is true about host-based IPS (HIPS)?
HIPS and antivirus solutions are the same thing.
HIPS combines the capabilities of antivirus, antispyware, and personal firewall software.
HIPS protects the host on which it is installed from known attacks only.
If antivirus software is installed on a system, HIPS does not need to be installed.
HIPS combines the capabilities of antivirus, antispyware, and personal firewall software.
What is the primary difference between a host-based firewall and a traditional firewall?
The host-based firewall can block traffic based on application or file type.
The traditional firewall can identify and protect against malicious HTTP exploits.
There is no difference between the functional aspects of host-based and traditional firewalls.
Host-based firewalls protect an individual machine while traditional firewalls control traffic arriving at and leaving networks.
Host-based firewalls protect an individual machine while traditional firewalls control traffic arriving at and leaving networks.
How does malware evade sandbox detection?
It changes the file's SHA or extension.
It compresses the malware file.
It avoids triggering malicious activities when it is run within a virtual environment.
It alters the file behavior, such as the protocol used for the CnC traffic.
It avoids triggering malicious activities when it is run within a virtual environment.
File integrity checking tools work by calculating hash values of important files, storing the hash values, and periodically comparing those stored values to hash values that the tool calculates later. If a file hash value comparison results in a mismatch, what does that indicate?
It means nothing; it is a mismatch because the file hashes were computed on different days.
It means that one file hash did not calculate correctly and needs to be recalculated.
It indicates that the file has been changed in some way and there may be an issue to be resolved.
It indicates that your organization has suffered a security breach and a full-scale investigation is needed as soon as possible.
It indicates that the file has been changed in some way and there may be an issue to be resolved.
Which statement is true about sandboxing?
Using a sandbox technique ensures that no malware-infected files can get into the network.
Running a file in a sandbox guarantees that the disposition will show the threat that it poses to your environment.
Malware authors deploy several techniques to bypass sandbox analysis.
Using a sandbox replaces the need for expensive antivirus and firewall software.
Malware authors deploy several techniques to bypass sandbox analysis.
Which Linux security control should be used with a personal firewall to provide an extra layer of protection at the application layer, and to permit or deny access to a specific service?
TCP wrappers
iptables
Uncomplicated Firewall (UFW)
host-based IPS
TCP wrappers
During incident investigations, what does the AMP for Endpoints device trajectory feature show?
hosts that have seen the malicious file
the signature that triggered the malicious file alert
actions that have been performed on the victim's host
how the malware file was packed (compressed or encrypted)
actions that have been performed on the victim's host
Which method is a permissive security control in which only specified applications can run on an end host, while all other applications are prevented?
application blocked lists
application allowed lists
application deep packet inspection
application recognition and detection
application allowed lists
How is malware that is not on the allowed list able to execute?
by executing it in memory and injecting malicious code into a legitimate process that is currently running
by changing a registry setting
by packing (encrypting or compressing) the file
by executing it using safe mode
by executing it in memory and injecting malicious code into a legitimate process that is currently running
An end user's host becomes infected with a virus because the end user browsed to a malicious website. Which endpoint security technology can be used to best prevent such an incident?
personal firewall
personal antivirus
endpoint malware protection
file sandboxing
file integrity checks
endpoint malware protection
A malicious file was executed on a host but it was not detected by the host-based IPS. What is this kind of incident known as?
true positive
true negative
false positive
false negative
false negative
Which Cisco AMP for Endpoints feature is used during post-incident investigations to determine the source (patient zero) of the malware?
file security intelligence feeds
file capture
file sandboxing
file trajectory
file trajectory
After a file disposition changes from unknown to malicious, what is the next step that should be taken?
Run the file in a sandbox to verify if it is malicious and to determine the file behaviors.
Create a new IPS signature to detect the malicious file.
Go back to the system where the file was previously seen and quarantine the malicious file.
Run a file retrospective analysis in the cloud using machine learning to determine the file SHA.
go back to the system where the file was seen and quarantine the malicious file
Which endpoint security technology should be used to prevent any incoming connections to the host?
host-based personal firewall
host-based antivirus
host-based IDS
host-based malware protection
host-based personal firewall
What are the four key capabilities of endpoint detection and response (EDR)? (Choose four.)
investigation
elimination
sandboxing
containment
machine learning
detection
investigation, elimination, containment, detection
Which two of the following statements are true about host-based antivirus software? (Choose two.)
User identity detection is embedded in most antivirus software code.
Most antivirus software uses signature-based malware detection.
Antivirus software is wholly dependent on running scans to find malware that has already obtained a foothold on a system.
Antivirus software may use heuristics with other methods to detect malware.
Most antivirus software uses signature-based malware detection. Antivirus software may use heuristics with other methods to detect malware.
An effective endpoint protection platform (EPP) must apply which three advanced anti-malware capabilities? (Choose three.)
sandboxing
containment
threat intelligence
machine learning
elimination
sandboxing, threat intelligence, machine learning
When Cisco AMP for Endpoints detects that an unknown file has been received on an endpoint, what does it do with the file?
submits the file to the cloud for future analysis
deletes the file
executes the file to determine if it is malicious or not
performs a file trajectory to determine which other systems have seen the same file
submits the file to the cloud for future analysis
When an attacker modifies a system image that has been digitally signed, what does the attacker also need in order to change the digital signature of the image?
the digital signature of the original image
the public key that was used to sign the original image
the private key that was used to sign the original image
the public and private keys that were used to sign the original image
the private key that was used to sign the original image
What is the reason that most antivirus solutions cannot detect zero-day attacks?
The solution uses anomaly-based detection.
The solution uses signature-based detection.
The solution uses behavior-based detection.
The solution uses a sandbox to run the file.
the solution uses signature-based detection
What is the primary reason to use a sandbox to analyze unknown suspicious files?
to determine exactly what a file does, before it is labeled malicious or benign
to block any suspected malware in real time, before it can infect the end user
to provide evidence for post-incident forensics reports
to run it in a production environment and see its effects
to determine what a file does before it is labeled malicious or benign
An attacker used social engineering to gain administrative access to a router, then altered the router image. How can an analyst detect that the router's image has been altered?
Verify the router's image digital signature hash.
Verify the router's running configurations.
Verify the router's image creation date.
Verify the router's image version.
verify the router's image digital signature hash