Section 12 Understanding Endpoint Security Technologies
false negative
A malicious file was executed on a host but it was not detected by the host-based IPS. What is this kind of incident known as?
submits the file to the cloud for future analysis
When endpoint malware protection detects that an unknown file has been received on an endpoint, what does the malware protection do with the file?
file trajectory
Which Cisco AMP for endpoints feature is used during post-incident investigations to determine the source (patient zero) of the malware?
TCP wrappers
Which Linux security control should be used with a personal firewall to provide an additional layer of protection at the application layer, and to permit or deny access to a specific service?
host-based personal firewall
Which endpoint security technology should be used to prevent any incoming connections to the host?
application whitelisting
Which method is a permissive security control in which only specified applications can run on an end host, while all other applications are prevented?
HIPS combines the capabilities of antivirus, antispyware, and personal firewall software.
Which one of the following statements is true about host-based IPS (HIPS)?
Malware authors deploy several techniques to bypass sandbox analysis.
Which statement is true about sandboxing?
Whitelisting denies all traffic that is not explicitly permitted. A blacklist can identify IP addresses, applications, domains, or URLs to be explicitly denied.
Which two of the following statements are correct about blacklists and whitelists? (Choose two.)
Most antivirus software uses signature-based malware detection. Antivirus software may use heuristics with other methods to detect malware.
Which two of the following statements are true about host-based anti-virus software? (Choose two.)
Antivirus and antispyware tools primarily work after the infection has occurred. Antivirus and antispyware tools provide a line of defense, but their efficacy is dropping.
Which two of the following statements are true about malware protection? (Choose two.)
Go back to the system where the file was previously seen and quarantine the malicious file.
After a file disposition changes from unknown to malicious, what is the next step that should be taken?
by verifying the router's image digital signature hash
An attacker used social engineering to gain administrative access to a router, then altered the router image. How can an analyst detect that the router's image has been altered?
endpoint malware protection
An end user's host becomes infected with a virus because the end user browsed to a malicious website. Which endpoint security technology can be used to best prevent such an incident?
actions that have been performed on the victim's host
During incident investigations, what does the AMP for endpoints device trajectory feature show?
It indicates that the file has been changed in some way and there may be an issue to be resolved.
File integrity checking tools work by calculating hash values of important files, storing the hash values, and periodically comparing those hash values to hash values that it calculates later. If a file hash value comparison results in a mismatch, what does that indicate?
avoid triggering malicious activities when it is run within a virtual environment
How does malware evade sandbox detection?
by executing it in memory and injecting malicious code into a legitimate process that is currently running
How is malware that is not on the whitelist able to execute?
Protect a mobile host while connected to non-secured networks. Detect malware delivered to the host via an encrypted channel.
What can a HIPS do that a NIPS cannot? (Choose two.)
allow unsolicited incoming connections to the victim's machine
What is the attacker trying to gain by turning off the Windows Firewall on the victim's Windows machine?
Host-based firewalls protect an individual machine while traditional firewalls control traffic arriving at and leaving networks.
What is the primary difference between a host-based firewall and a traditional firewall?
to determine exactly what a file does before it is labeled malicious or benign
What is the primary reason to use a sandbox to analyze unknown suspicious files?
It uses signature-based detection.
What is the reason that most anti-virus solutions cannot detect zero-day attacks?
the private key that was used to sign the original image
When an attacker modifies a system image that has been digitally signed, what does the attacker need in order to also change the digital signature of the image?
