Palo Alto EDU-190: Traps
Question 10 of 58. Which kind of information is stored in the file agent.id on the endpoint? A. machine ID generated by the agent B. agent license ID associated with the endpoint C. agent installation package ID generated by the Traps Management Service D. identifier for the agent created by the Traps Management Service
?
Question 11 of 58. Which statement is incorrect regarding the out-of-box default profiles? A. Settings in the default profiles cannot be altered by customers. B. The default profiles cannot be deleted by customers. C. The name of the default profiles is Default, and it can be renamed by customers. D. The next content update by Palo Alto Networks can update settings in the default profiles.
?
Question 13 of 58. Which statement is incorrect regarding the out-of-box default policy rules? A. A default policy rule always is evaluated first. B. Each platform has one separate default policy rule. C. The Target field for the default policy rule is Any. D. The order of default policy rules cannot be changed.
?
Question 14 of 58. Which statement is incorrect regarding the Directory Sync Service (DSS)? A. A DSS instance can support multiple Active Directory domains. B. It provides read-only Active Directory domain information for Traps services. C. It does not require an authentication code to be activated. D. A Traps Management Service instance can integrate with multiple Directory Sync Service instances.
?
Question 15 of 58. Which EPM can block the attack types categorized as Software Logic Flaw? A. DLL Security B. Exploit Kit Fingerprint C. Brute Force Protection D. APC Protection
?
Question 16 of 58. Which approach is not among the best practices for general troubleshooting? A. use a divide-and-conquer approach to eliminate irrelevant variables whenever possible B. know what is "normal" for the domain C. generate testable failure hypothesis D. attempt to verify the problem in test and production environments before acting
?
Question 17 of 58. Which protection technique prevents areas of memory designated as containing data from running as executable code? A. Address Space Layout Randomization B. Heap Spray and Memory Limit Checks C. Return-Oriented Programming Mitigation D. Data Execution Prevention
?
Question 18 of 58. Which setting is not configurable in the User Interface section of an Agent Settings Profile? A. Disable access to the Traps console B. Hide tray icon C. Hide Traps user notifications D. Disable access to the Traps files
?
Question 19 of 58. Which two statements about the exploit and malware attack vectors are correct? (Choose two.) A. An exploit is a malformed data file processed by a legitimate application or the kernel. B. Malware usually has a small payload. C. Malware does not rely on any application vulnerability. D. Malware "tricks" the legitimate application into running the attacker's code. E. An exploit intends to control the machine directly.
?
Question 20 of 58. Which statement is incorrect regarding the status of an endpoint on the Traps Management Service user interface? A. The Inactive Threshold is 7 days. B. When the status becomes Zombie, the agent license returns to the license pool. C. Endpoint status is updated by periodic heartbeats. D. An endpoint is removed from the Traps Management Service 365 days after it enters the Zombie state. E. The Zombie Threshold is 90 days.
?
Question 21 of 58. Which statement is incorrect about Traps periodic malware scanning? A. can scan mapped network drives B. available only for Windows endpoints C. can scan removable drives D. does not run on VDI endpoints
?
Question 22 of 58. Which EPM can block the attack types using the OS functions? A. UASLR B. ROP Mitigation C. Memory Limit Heap Spray Check D. DLL Security E. JIT Mitigation
?
Question 23 of 58. Which Traps malware protection module can eliminate the Candy Drop and Drive By Download attack methods? A. Trusted Signers B. Administrative Override C. WildFire D. Local Analysis E. Restrictions
?
Question 24 of 58. Which statement is incorrect regarding the Logging Service in relation to the Traps Management Service? A. Each Logging Service instance can serve only a single Traps Management Service instance. B. Currently the Traps Management Service and Logging Service must be in the same region. C. The Traps Management Service comes with a 100GB Logging Services instance for free. D. Administrators can view Traps logs in the Traps Management Service user interface.
?
Question 25 of 58. Which two options are not encapsulated into a SAM message? (Choose two.) A. quarantine restores B. hash exceptions C. content updates D. agent uninstall request E. agent upgrade requests
?
Question 26 of 58. Which information is provided by a Directory Sync Service (DSS) agent to be authenticated for the DSS instance communication? A. authentication token B. username-password C. pre-shared key D. agent certificate
?
Question 27 of 58. In which folder is the tool cytool for Linux located? A. /usr/traps/bin B. /var/traps/bin C. /lib/traps/bin D. /opt/traps/bin
?
Question 28 of 58. At which interval does the Directory Sync Service (DSS) agent collect the attributes of domain objects and send them to the DSS instance? A. 12 hours B. 5 minutes C. 24 hours D. 1 hour
?
Question 29 of 58. Which part of the process virtual address space is used if the process needs to allocate extra memory at run time? A. text B. heap C. code D. stack
?
Question 30 of 58. Which action is not applicable for Security events? A. create exception B. import data from CSV C. retrieve Security event data D. archive E. export data to CSV
?
Question 31 of 58. When does a Traps license associated with an endpoint not return to the pool of available licenses? A. For non-persistent VDI, when the user logs off or ends the VDI session. B. When the Traps license associated with the specific Traps agent expires. C. When the Traps agent is uninstalled. D. When the Traps agent is disconnected from the Traps service for more than 90 days. E. When the Traps endpoint is deleted from the Traps Management Service.
?
Question 32 of 58. Which setting is configurable in the Agent Settings Profile for Linux endpoints? A. Agent Security B. Disk Space C. User Interface D. Uninstall Password
?
Question 33 of 58. Which three Traps malware protection modules can issue a malware verdict for a file? (Choose three.) A. WildFire B. Restrictions C. Local Analysis D. Administrative Override E. Trusted Signers
?
Question 34 of 58. Which statement is incorrect regarding the Logging Service? A. sold in 2TB increments B. uses the reporting capabilities directly from Panorama C. can be activated from the Cloud Services Portal with an AuthCode D. can be activated from the Customer Support Portal by retrieving the license on Panorama
?
Question 35 of 58. Which type of protection as configurable in the exploit profiles and protects endpoints from attacks that leverage common OS mechanisms such as DLL-loading processes to execute malware? A. Browser Exploits Protection B. Logical Exploits Protection C. Exploit Protection for Additional Processes D. Known Vulnerable Processes Protection E. Operating System Exploit Protection
?
Question 36 of 58. Which Traps Management Service element should the administrator use for file investigations? A. File Analytics B. Endpoint logs C. Security events D. Server logs
?
Question 37 of 58. Which Traps agent operation is forwarded to the closest region? A. /operations B. /verdicts C. /reports D. /scanning
?
Question 38 of 58. Which two protection methods are not among the Traps multi-method threat prevention features? (Choose two.) A. application and kernel exploit preventions B. behavioral-based anti-ransomware prevention C. signature-based malware detection D. trusted signers blacklisting E. Machine Learning-based exploit and malware analysis F. administrator verdict overrides
?
Question 39 of 58. Which two log types are not valid in the Traps Management Service? (Choose two.) A. WildFire B. Quarantine C. Endpoint D. Data Retrieval E. Server F. Restore Candidate
?
Question 41 of 58. Which two exceptions are not valid objects that an administrator can create on the Traps Management Service user interface? (Choose two.) A. WildFire B. Process C. Administrator D. Hash E. Support
?
Question 42 of 58. What is the name of the Traps Agent log on the endpoints? A. trapsd.log B. service.log C. cyvera.log D. agent.log E. traps.log
?
Question 43 of 58. In the cyber-attack life cycle, which two methods or tools are not part of the Reconnaissance phase? (Choose two.) A. port evasion B. packet sniffer C. shell access D. port scan E. shoulder surf
?
Question 44 of 58. Which three Traps malware protection modules can move a malicious executable file to the quarantine folder? (Choose three.) A. Trusted Signers B. Local Analysis C. Restrictions D. Administrative Override E. WildFire F. Path Whitelisting
?
Question 45 of 58. Which connection-related information is not asked in the LDAP Configuration page of the Directory Sync Service (DSS) agent on the endpoint? A. Bind DN B. Bind Password C. Security Protocol D. Bind Username
?
Question 46 of 58. Which option is not available in the Type field of the target specification of a policy rule? A. AD OU B. Agent C. User D. AD Group E. Group
?
Question 47 of 58. In which target does the Traps Management Service use the directory information provided by the associated Directory Sync Service (DSS) instance? A. policy rule B. Security events C. endpoint group D. profile setting
?
Question 48 of 58. Which exploitation technique is based on finding small useful chunks of code (gadgets) in existing modules that end with a RET machine instruction? A. Data Execution Prevention Circumvention B. Return-Oriented Programming C. Heap Spray D. NOP Sled
?
Question 49 of 58. Which type of elements cannot be imported during migration from the Endpoint Security Manager to the Traps Management Service? A. hash overrides B. trusted signers C. whitelisted paths D. exploit policy rules
?
Question 5 of 58. Which two malware protection modules are not used during Traps malware scanning? (Choose two.) A. Execution Restrictions B. Hash Control C. WildFire D. Local Analysis E. Trusted Signers
?
Question 50 of 58. Which endpoint action on the Traps Management Service user interface applies only to the Windows endpoint? A. upgrade Traps B. retrieve Tech Support Files C. delete endpoints D. uninstall Traps E. initiate malware scanning
?
Question 51 of 58. Which profile type is not valid? A. Agent Settings Profiles B. Forensic Profiles C. Malware Profiles D. Restriction Profiles E. Exploit Profiles
?
Question 52 of 58. Which statement is incorrect regarding the Heartbeat operation invoked by agents to communicate with the Traps Management Service instance? A. always directed to the closest region B. not configurable C. can be forced by the command cytool checkin D. periodic every 5 minutes
?
Question 53 of 58. Which is not a valid status of a Security event? A. New B. Assigned C. Closed D. Investigating
?
Question 54 of 58. Which Traps Management Service exception object can be created to disable one specific EPM on a protected process? A. Exploit B. Hash C. Policy D. Process
?
Question 55 of 58. When the Tech Support File is generated, which option is not valid for the macOS endpoints? A. retrieve the file from the Traps Management Service user interface B. click the Generate button on the Agent Console on the endpoint C. download and run GetLogsUtil to manually gather the file D. use the command cytool log collect on the endpoint
?
Question 56 of 58. Which option is incorrect regarding quarantining? A. quarantined files stored locally on endpoints B. disabled by default C. not available for malware identified in network drives D. only for Windows and macOS endpoints
?
Question 57 of 58. Which is the "Re" step in the DIReC methodology used for problem solving? A. Resolve B. Reuse C. Recovery D. Restore
?
Question 58 of 58. Traps agents are authenticated by their Traps Management Service instance using a Palo Alto Networks implementation of the authentication token such as the OAuth 2.0 bearer token. Which statement is incorrect regarding this token? A. sent by the agent to the Traps Management Service in most core API calls B. provided to the agent by the Traps Management Service during agent provisioning C. can be regenerated by the tool cytool D. encrypted and stored locally in the cloud_frontend.db persist database E. sent in the HTTPS Request Header named X-Auth
?
Question 6 of 58. From the customer's perspective, which is not a direct benefit of cloud-based implementation of the Traps Management Service? A. The Traps deployment is auto-scaled. B. Accumulated Traps data provides a foundation for new detection and response capabilities. C. The Traps deployment stores the logs in the cloud-based Logging Service. D. New management features are automatically distributed.
?
Question 7 of 58. Which type of ongoing Traps forensics data collection information is captured only at the attack time? A. IP address and OS version B. filename and file hash of the executable C. username and computer name D. time of execution E. filenames of the non-executable files opened by the executable
?
Question 8 of 58. Which is not an option in defining a dynamic endpoint group? A. VDI/non-VDI option B. domain name C. Traps agent version D. IP address range
?
Question 9 of 58. How does Traps prevent zero-day application exploits? A. dynamic analysis running applications in a sandbox B. blocking one known technique in the series of exploit techniques C. behavioral analysis techniques based on endpoint baselining D. static analysis based on Machine Learning built into the Local Analysis module
?
What is the filename of the Traps Agent log on the endpoint? a. trapsd.log b. service.log c. agent.log d. cyvera.log
A
Which Traps protection module limits the attack surface by defining where and how users can run files? a. Execution Restrictions b. Path Whitelisting c. Local Analysis d. Trusted Signers
A
Which protection group in the Exploit Profile can protect applications from exploitation attempts such as exploit kits? a. Browser Exploits Protection b. Logical Exploits Protection c. Exploit Protection for Additional Processes d. Operating System Exploit Protection
A
Question 4 of 58. An administrator specifies "edunet1" as the choice of subdomain during the Traps Management Service instance activation. Which two DNS addresses does the Traps agent connect for its operations? (Choose two.) A. ch-edunet1.traps.paloaltonetworks.com B. cc-edunet1.traps.paloaltonetworks.com C. cx-edunet1.traps.paloaltonetworks.com D. ca-edunet1.traps.paloaltonetworks.com E. cz-edunet1.traps.paloaltonetworks.com
AB
Which two Traps protection modules are applicable for Linux endpoints? (Choose two.) a. Behavioral Threat Protection b. ELF file examination c. Execution Restrictions d. Password Protection e. OLF file examination
AB
Which two actions apply to security events? (Choose two.) a. retrieve security event data b. export data to CSV c. import data from CSV d. archive security event
AB
Which two options are available in the menu bar of the Traps management service? (Choose two.) a. Dashboard b. Reports c. Security d. Alert e. File
AB
Which three elements on the Traps management service use the directory information provided by the Directory Sync Service (DSS) instance? (Choose three.) a. endpoint groups b. exceptions c. policy rules d. profile settings e. security events
AB (Fix this. Only two correct answers are given in the screen shot.)
Which three fields are required during Traps management service instance activation? (Choose three.) a. subdomain name b. home region selection c. Directory Sync Service instance name d. Cortex Data Lake instance name e. Cortex XDR instance name
ABD
Which three states are valid for security events? (Choose three.) a. New b. Investigating c. Achieved d. Assigned e. Closed
ABE
Which two statements are correct regarding the Traps container support on Linux? (Choose two.) a. container implementation-agnostic b. supports only Docker and LXC c. host-based implementation d. requires one license for each container
AC
Which three profile types are provided on the Traps management service? (Choose three.) a. Restriction b. Forensic c. Exploit d. Malware e. Exceptions
ACD
Which three tabs are available on the details page of an exploit type security event? (Choose three.) a. Analysis b. Analytics c. Details d. Exception e. Quarantine
ACD
Which two methods or tools apply in the Delivery phase of the Cyber-Attack lifecycle? (Choose two.) a. email b. port-scan c.root kit d. USB
AD
Which two settings can be configured in the "User Interface" section of an Agent Settings Profile for Windows endpoints? (Choose two.) a. Hide tray icon b. Enable access to the Traps console c. Disable access to the Traps files d. Hide Traps user notifications
AD
Which two statements are correct about attack vectors? (Choose two.) a. An exploit is a malformed data file processed by legitimate applications. b. Malware usually relies on kernel vulnerabilities. c. Malicious scripts are typical examples of exploits. d. Exploits usually have a small payload.
AD
Assessment starts here Question 1 of 58. Which three CSP roles regarding Traps Management Service activation are granted for the tenant's administrator? (Choose three.) A. WildFire B. Traps C. Cortex XDR D. Cortex Data Lake E. Directory Sync Service
ADE
Question 3 of 58. Which statement is incorrect regarding the Directory Sync Service (DSS)? A. A Traps Management Service instance can integrate with at most one DSS instance. B. DSS provides read/write access to the organization's Active Directory domains. C. A DSS instance does not require an authentication code to be activated. D. A single DSS instance can connect to multiple Active Directory domains.
B
Which Traps management service exception object can be created to disable one specific EPM on a protected process? a. Exploit b. Process c. Hash d. Policy
B
Which two analysis methods are among the Traps multi-method malware prevention features? (Choose two.) a. Sandbox Analysis b. WildFire Analysis c. Local Analysis d. Heuristics Analysis
BC
What are three valid cytool command options? (Choose three.) a. show b. imageprep c. scan d. persist e. set
BCD
Which three widgets are available on the Dashboard of the Traps management service? (Choose three.) a. Agent Version b. Content Version c. License d. Platforms e. Security Events
BCD
Which three Traps malware protection modules can move a malicious executable file to the quarantine folder? (Choose three.) a. Execution Restrictions b. WildFire c. Hash Exceptions d. Path Whitelisting e. Local Analysis
BCE
Which three data types are updated during the Traps content update? (Choose three.) a. hash verdicts b. lists of trusted signers c. Behavioral Threat Protection rules d. Traps agent minor updates e. scripts used by the agents
BCE
Which three roles are common to all Cortex applications? (Choose three.) a. Deployment Administrator b. Account Administrator c. App Administrator d. Security Administrator e. Instance Administrator
BCE
The Directory Sync Service (DSS) agent sends collected directory attributes to the DSS instance in which two configurable intervals? (Choose two.) a. 1 hour b. 6 hours c. 10 hours d. 24 hours
BD
Which two goals are among the Traps global design perspectives? (Choose two.) a. rich set of bulk deployment features b. lightweight agent c. collaboration with the antivirus products d. extensive endpoint coverage
BD
Which two log forwarding options are available for the Log Forwarding app? (Choose two.) a. Panorama b. SMTP c. SNMP d. Syslog
BD
Which two options are correct about the Traps periodic malware scanning? (Choose two.) a. available for Windows and macOS endpoints b. does not run on the VDI endpoints c. can scan mapped network drives d. can scan removable drives
BD
Question 2 of 58. Which two settings are enabled by default? (Choose two.) A. Upload PE files for cloud analysis B. Quarantine malicious executables C. Local Analysis D. Block files with unknown verdict E. Treat grayware as malware
BE
From where do you control authorizations of the Cortex applications? a. Customer Support Portal b. Traps management service web interface c. The Hub d. Cloud Services Portal
C
Which Traps agent service request is sent to the Closest Region? a. /heartbeat b. /reports c. /get-verdict d. /scanning
C
Which exploitation technique is based on finding small useful chunks of code (gadgets) in the operating system shared libraries? a. Data Execution Prevention Circumvention b. NOP sled c. return-oriented programming d. heap spray
C
Which kind of information is stored in the agent.id file on the endpoint? a. agent license ID associated with the endpoint b. machine ID generated by the agent c. identifier for the agent d. agent installation package ID
C
Which two data types are transported in encapsulated SAM messages? (Choose two.) a. content updates b. hash exceptions c. agent uninstalls d. restore quarantine files
CD
Which two resource types are continuously monitored by the Traps endpoint data collection module? (Choose two.) a. memory b. disk c. process d. registry
CD
Question 12 of 58. Which pair represents the first and last phases of the cyber-attack life cycle? A. Weaponization - Installation B. Weaponization - Command and Control C. Reconnaissance - Installation D. Reconnaissance - Act on Objective E. Reconnaissance - Command and Control
D
Question 40 of 58. Which animal can relate protection of the address space of computer processes to the safety of coal miners in the 18th century? A. rabbit B. mouse C. parrot D. canary
D
Which Traps exploit protection module (EPM) can prevent exploits from using OS functions? a. JIT Mitigation b. ROP Mitigation c. UASLR d. DLL Security
D
Which exception type can be created by importing a JSON file? a. Process b. Hash c. Administrator d. Support
D