Sophos Technician
SophosCloudInstaller_<time_and_date_stamp>.log
If an installation of Sophos Central failed on a Windows computer, which log file would you refer to first to help diagnose the problem?
False
TRUE or FALSE: AD sync needs to be installed on a DC?
Tamper Protection is enabled
The option to stop the AutoUpdate service is greyed out in Windows Services. What is the most likely reason for this?
Alerts are created when an action is required
Which of the following statements is TRUE about alerts?
389
AD Sync is not working, you have successfully pinged the DC by both name and IP address. Which port do you use with telnet to confirm the LDAP port is accessible?
True
TRUE or FALSE: All quarantined data is encrypted in SafeStore.
60 mins
AutoUpdate performs its first check 5 minutes after the service starts. At what interval does AutoUpdate then check for software, threat detection data and other available updates?
Global settings > Controlled Updates
By default, computers get the latest Sophos product updates automatically, where can an admin change this to allow control over updates?
netsh winhttp show proxy
Enter the command you would use to display the current configuration of the system proxy. _____
netsh winhttp reset proxy
Enter the command you would use to remove the currently configured system proxy.
ping 172.16.2.20
Enter the command you would use to test IP network connectivity to the address 172.16.2.20. _____
Restart the update cache service
If the Windows Firewall service is stopped or disabled when the Update Cache is deployed, then the firewall rule to allow TCP 8191 will not have been created. How do you resolve this?
From the device page; From a threat case
In which 2 places can you create a forensic snapshot?
SHA-256; The file paths; The certificate
In which 3 ways can you allow a quarantined file to be restored?
Sophos Intercept X
On a Windows computer, which component logs information to the 'Sophos.log' file?
True
TRUE or FALSE: A single instance of AD Sync can synchronise from multiple domains in a forest?
True
TRUE or FALSE: AD Sync will delete groups and users with no Central Admin role when they are no longer present in the search results?
True
TRUE or FALSE: C:\TEMP should never be whitelisted in Sophos Central.
True
TRUE or FALSE: Only PE files can be restored from SafeStore through the user interface.
True
TRUE or FALSE: Sophos recommends disabling HTTPS inspection for Sophos updating traffic.
True
TRUE or FALSE: Tamper Protection is enabled by default in Sophos Central.
False
TRUE or FALSE: The default Update Cache TCP port of 8191 can be modified.
True
TRUE or FALSE: You can deploy an update cache without a Message Relay.
True
TRUE or FALSE: You can recover the Tamper Protection password for a deleted endpoint in Sophos Central.
nslookup
The Central Admin Dashboard shows that none of your endpoints are using one of your update caches. When pinging the update cache by name it fails. What command do you use to investigate this further?
Use settings > website management to override the category for the website URL to one which is not blocked
Web Control has been configured to block access to a category, but this is preventing access to a desired location. Which of the following methods can be used to allow access to this site without allowing access to other sites in the same category?
To remove malware and PUAs; To move all detected items to SafeStore
What are the 2 primary functions of Sophos Clean? Choose two (2).
ipconfig /flushdns
What command can be used to clear the DNS cache?
Define the issue
What is the first step of the troubleshooting process?
To detect malicious file encryption by ransomware
What is the function of CryptoGuard?
To detect man-in-the-middle attacks
What is the function of Safe Browsing in Intercept X?
To prevent malicious behavior in software
What is the function of application lockdown in Intercept X?
C:\ProgramData\Sophos\AutoUpdate\data\warehouse
What is the location of AutoUpdate's warehouse on a protected endpoint?
Domain user
What is the minimum type of user required to connect to AD to gather the user and group information?
Root Cause Analysis
What is the second step of the troubleshooting process?
zero-day threats
What is the term for an attack that uses techniques that anti-virus does not yet detect?
Resolve and verify
What is the third step of the troubleshooting process?
Read
What permissions does the user need to connect to AD to gather the user and group information?
Test the deployment script
What step do you need to take before you bulk deploy Sophos Central to endpoints using a startup script in GPO?
decoded; warehouse
When clearing the local AutoUpdate cache prior to forcing an update, which 2 of the following folders do you need to rename? Choose two
DC=SOPHOS,DC=LOCAL
When configuring AD synchronization, what location was defined by default in filters under the User Discovery Filters tab?
Windows client firewall blocking traffic
When investigating an updating issue on one of your endpoints, you used the telnet command to connect to dci.sophosupd.com on port 443. This confirmed that there is a problem using a direct connection. What is most likely to be causing this?
Germany; United States; Ireland
When setting up a new Sophos Central account, which 3 of the following are the datacentre locations you may select? Choose three (3).
4 hours
When troubleshooting an endpoint, how long can you override the Sophos Central policy for?
Global Settings
Where can the AD Sync tool be obtained from?
The Threat Library
Where can you find more information about a specific threat?
Program Data\Sophos\SafeStore; Program Data\Sophos\Sophos Anti-Virus\SafeStore
Where can you find the SafeStore quarantine folders on a Windows Endpoint? Choose two (2).
Active Directory Sync Utility
Where do you check to see if the AD sync schedule has been configured correctly?
Update > Update configuration
Where in the Endpoint Self Help Tool does it show whether an endpoint is using a proxy for updating?
In the Threat Protection policy
Where is automatic self-isolation enabled?
%ProgramData%\Sophos\CloudInstaller\Logs
Where is the 'SophosCloudInstaller_<time_and_date_stamp>.log' found?
/private/var/log
Where is the 'install.log' found on a Mac OS X endpoint?
%ProgramData%\sophos\sophos cloud AD sync\logs
Where is the AD sync log location?
Sophos Endpoint Self Help; Sophos Central
Which 2 methods does Sophos provide that will display the status of all Sophos services on Windows computers? Choose two (2).
An unknown file; An executable file in a temporary file location
Which 2 of the following are malicious file indicators? Choose two (2).
The threat was found in an archive; The threat was found in a mailbox
Which 2 of the following are reasons why manual cleanup may be required? Choose two (2).
Ability to disable Tamper Protection; Administrative rights to the network and AD; Administrative rights to the endpoint
Which 3 of the following are required to perform troubleshooting on an endpoint? Choose three (3).
Tamper Protection
Which feature would protect the Sophos installation from becoming disabled by malware?
Sophos Anti-Virus
Which installer runs the Competitor Removal Tool (CRT)?
ipconfig
Which of the following Windows tools do you use to display the network configuration?
nslookup
Which of the following Windows tools do you use to resolve IP addresses to hostnames and hostnames to IP addresses?
Ping
Which of the following Windows tools do you use to test IP network connectivity?
The connection was NOT blocked and the threat has NOT been cleaned up
Which of the following statements is TRUE for a C2/Generic-B detection?
The connection was blocked but the root cause has NOT been cleaned up
Which of the following statements is TRUE for a C2/Generic-C detection?
Virus Removal tool
Which of these cleanup tools will scan for rootkits?
--quiet
Which switch will prevent the installer from being displayed during a scripted deployment?
To protect against vulnerabilities in software
Why is it important to apply updates and patches to all applications and operating systems across your network?
Date and time are incorrect on the Update Cache server
Why would the 'Last time updated from cache' status show as 'in a year'?
The Update Cache server has run out of disc space
You see the following error in the SophosUpdate.log: "WARN [WARN] copy from upstream failed: Cannot write resource: C:/Programdata/sophos/autoupdate/data/warehouse/9548-885". What could this indicate?
Boot into Safe Mode and disable Tamper Protection via the Registry; Retrieve the password for the deleted endpoint within Central so you can then enter this within the local Endpoint UI
You wish to uninstall the Sophos Endpoint software from a Windows 10 computer. However, Tamper Protection is enabled, and the device is no longer present within Central Admin. Which 2 of the following are supported methods of removal? Choose two (2).