Endpoint Security Complete - R2 Technical Specialist
1. What EDR function minimizes the risk of an endpoint infecting other resources in the environment?
A. Quarantine
B. Block
C. Deny List
D. Firewall
Answer: A
Explanation:
The "Quarantine" function in Endpoint Detection and Response (EDR) minimizes the risk of an infected endpoint spreading malware or malicious activity to other systems in the network. It does this by isolating the endpoint, or the offending file or process on it, so that the threat stays contained on that one machine. Here is how Quarantine works as a protective measure:
Detection and Isolation: When EDR detects potentially malicious behavior or files on an endpoint, it can automatically place the infected file or process in a "quarantine" area. The threat is separated from the rest of the system and can no longer execute or interact with other resources.
Minimizing Spread: By isolating compromised files or applications, Quarantine ensures that malware or suspicious activity does not propagate to other endpoints, reducing the risk of a widespread infection.
Administrative Review: After an item is quarantined, administrators can review it and decide whether to delete it or, if it turns out to be a false positive, restore it. This controlled environment allows further analysis without putting the rest of the network at risk.
Endpoint-Specific Control: Quarantine acts at the endpoint level, applying restrictions that affect only the infected system without disrupting other network resources.
The other options do not contain a compromised host as a whole: Block and Deny List stop a particular file or application from running, and Firewall filters traffic by rule, but none of them isolates the endpoint from the environment the way Quarantine does.
Using Quarantine as an EDR response mechanism aligns with best practices in endpoint security documentation such as Symantec Endpoint Protection, which emphasizes containment as the critical first response to a threat. This approach supports the defensive strategy of limiting lateral movement of malware across the network, preserving the security and stability of the environment as a whole.
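To make the detect, isolate, review and restore cycle above concrete, here is an added example in Python of a minimal file-quarantine store. It is illustration code written for this page, not Symantec/Broadcom product code; the quarantine directory layout, the ".quar" extension, the JSON record fields and the sample files are assumptions constructed for the demo.

```python
"""Minimal file-quarantine store illustrating the workflow above.

Added example, not SES/SEP product code.  The quarantine directory layout,
the ".quar" extension and the JSON record fields are assumptions for the demo.
"""
import hashlib
import json
import os
import shutil
import tempfile
import uuid


def sha256_of(path):
    """Hash the file so a reviewer can correlate it with threat intelligence."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _write_record(qdir, rec):
    with open(os.path.join(qdir, rec["id"] + ".json"), "w") as f:
        json.dump(rec, f)


def load_record(qdir, qid):
    with open(os.path.join(qdir, qid + ".json")) as f:
        return json.load(f)


def quarantine_file(path, qdir, reason):
    """Detection and Isolation: move a suspicious file into the store.

    The file is renamed to an opaque id with a non-executable extension and
    chmod'ed to owner-read-only, so nothing can run it or write to it while it
    awaits review.  A sidecar JSON record keeps what the administrator needs:
    original location, hash, size and the detection reason.  Returns the id.
    """
    os.makedirs(qdir, mode=0o700, exist_ok=True)
    qid = uuid.uuid4().hex
    rec = {
        "id": qid,
        "original_path": os.path.abspath(path),
        "sha256": sha256_of(path),
        "size": os.path.getsize(path),
        "reason": reason,
        "status": "quarantined",
    }
    dest = os.path.join(qdir, qid + ".quar")
    shutil.move(path, dest)   # leaves the original location empty
    os.chmod(dest, 0o400)     # read-only for the owner, nothing for others
    _write_record(qdir, rec)
    return qid


def restore_file(qdir, qid):
    """Administrative Review, false positive: put the file back.

    The hash is re-checked so a quarantine entry that was tampered with is
    never restored silently.  Returns the restored path.
    """
    rec = load_record(qdir, qid)
    src = os.path.join(qdir, qid + ".quar")
    if sha256_of(src) != rec["sha256"]:
        raise RuntimeError("quarantined file was modified; refusing to restore")
    os.chmod(src, 0o600)
    shutil.move(src, rec["original_path"])
    rec["status"] = "restored"
    _write_record(qdir, rec)
    return rec["original_path"]


def delete_quarantined(qdir, qid):
    """Administrative Review, confirmed malicious: remove the file for good."""
    rec = load_record(qdir, qid)
    os.remove(os.path.join(qdir, qid + ".quar"))
    rec["status"] = "deleted"
    _write_record(qdir, rec)
    return rec["status"]


def demo():
    """Run the cycle on constructed sample files in a temporary directory.

    Returns (file_gone, entry_readonly, restored_ok, tamper_refused, deleted).
    """
    work = tempfile.mkdtemp()
    qdir = os.path.join(work, "quarantine")
    sample = os.path.join(work, "invoice.exe")     # constructed fake PE stub
    with open(sample, "wb") as f:
        f.write(b"MZ" + b"\x90" * 64)
    qid = quarantine_file(sample, qdir, "heuristic: suspicious packer")
    file_gone = not os.path.exists(sample)
    mode = os.stat(os.path.join(qdir, qid + ".quar")).st_mode & 0o777
    restored_ok = os.path.exists(restore_file(qdir, qid))
    # second sample: tamper with the quarantined copy, restore must refuse
    sample2 = os.path.join(work, "update.bin")
    with open(sample2, "wb") as f:
        f.write(b"constructed benign payload")
    qid2 = quarantine_file(sample2, qdir, "reputation: unknown publisher")
    entry2 = os.path.join(qdir, qid2 + ".quar")
    os.chmod(entry2, 0o600)
    with open(entry2, "ab") as f:
        f.write(b"!")
    try:
        restore_file(qdir, qid2)
        tamper_refused = False
    except RuntimeError:
        tamper_refused = True
    deleted = delete_quarantined(qdir, qid2) == "deleted"
    shutil.rmtree(work)
    return file_gone, mode == 0o400, restored_ok, tamper_refused, deleted
```

The point of the sidecar record and the hash check is the "Administrative Review" step: the reviewer gets the original path, size and hash without touching the sample, and a restore is refused if the quarantined copy no longer matches what was captured.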
2.What priority would an incident that may have an impact on business be
considered?
A. Low
B. Critical
C. High
D. Medium
Answer: C
Explanation:
An incident that may have an impact on business is typically classified as High priority in cybersecurity frameworks and incident response protocols. Here is the rationale for this classification:
Potential Business Disruption: An incident that affects or threatens to affect business
operations, even if indirectly, is assigned a high priority to ensure swift response. This
classification prioritizes incidents that may not be immediately critical but could
escalate if not addressed promptly.
Risk of Escalation: High-priority incidents are situations that, while not catastrophic,
have the potential to impact critical systems or compromise sensitive data, thus
needing attention before they lead to severe business repercussions.
Rapid Response Requirement: Incidents labeled as high priority are flagged for
immediate investigation and containment measures to prevent further business
impact or operational downtime.
In this context, Critical incidents involve urgent threats with immediate, severe effects (such as an active data breach), while High priority applies to incidents that carry significant risk or the potential for business impact. This distinction is essential for effective incident management, allowing resources to focus on threats to business continuity.
3. Which antimalware intensity level is defined by the following: "Blocks files that are most certainly bad or potentially bad files. Results in a comparable number of false positives and false negatives."
A. Level 6
B. Level 5
C. Level 2
D. Level 1
Answer: B
Explanation:
In antimalware solutions, Level 5 intensity is the setting at which the software blocks files that are either almost certainly malicious or only potentially malicious. This level aims to balance security with usability by erring on the side of caution, while acknowledging that both false positives (legitimate files mistakenly flagged as threats) and false negatives (malicious files mistakenly deemed safe) will still occur in comparable numbers.
This level is typically used in environments with a high security tolerance, where it is accepted that some legitimate files will occasionally be flagged. It provides robust protection without the strictness of the highest levels, so the number of false alerts is reduced but not eliminated while an aggressive security posture is maintained.
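The trade-off the definition describes can be seen by treating an intensity level as a threshold on a file-reputation score and counting outcomes over a labelled sample set. The following is an added example written for this page, not Symantec product code: the 0-100 "badness" score, the per-level thresholds and the sample set are all assumptions constructed for the demo; only the direction (a higher level blocks more and so trades false negatives for false positives) comes from the text above.

```python
"""Intensity level as a reputation-score threshold, traded off against
false positives and false negatives.

Added example, not SES product code.  The 0-100 "badness" score, the
per-level thresholds and the labelled sample set are assumptions
constructed for the demo; only the direction (a higher level blocks
more) follows the page.
"""

# hypothetical: minimum badness score at which a level blocks a file
LEVEL_THRESHOLD = {1: 90, 2: 80, 3: 70, 4: 60, 5: 50, 6: 30}

# constructed sample set: (badness score, truly malicious?)
SAMPLES = [
    (95, True), (90, True), (85, True), (80, True), (70, True),
    (60, True), (55, True), (45, True), (35, True), (25, True),
    (5, False), (10, False), (15, False), (20, False), (25, False),
    (35, False), (45, False), (55, False), (65, False), (75, False),
]


def blocks(level, score):
    """A file is blocked when its score reaches the level's threshold."""
    return score >= LEVEL_THRESHOLD[level]


def evaluate(level, samples=SAMPLES):
    """Count outcomes for one level over a labelled sample set.

    fp: benign file blocked (breaks a legitimate application)
    fn: malicious file allowed (infection slips through)
    """
    counts = {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
    for score, malicious in samples:
        blocked = blocks(level, score)
        if blocked and malicious:
            counts["tp"] += 1
        elif blocked and not malicious:
            counts["fp"] += 1
        elif not blocked and malicious:
            counts["fn"] += 1
        else:
            counts["tn"] += 1
    return counts


def balanced_level(samples=SAMPLES):
    """Return the level whose false-positive and false-negative counts are
    closest to each other, i.e. the level the quoted definition describes."""
    return min(LEVEL_THRESHOLD,
               key=lambda lvl: abs(evaluate(lvl, samples)["fp"]
                                   - evaluate(lvl, samples)["fn"]))


if __name__ == "__main__":
    for lvl in sorted(LEVEL_THRESHOLD):
        c = evaluate(lvl)
        print(f"level {lvl}: blocks score >= {LEVEL_THRESHOLD[lvl]:>2}  "
              f"fp={c['fp']} fn={c['fn']} tp={c['tp']} tn={c['tn']}")
```

On this constructed set the lowest level blocks nothing benign but lets most of the malicious files through, the highest level catches nearly everything at the cost of blocking half the benign files, and the middle level lands where false positives and false negatives are equal, which is the property the question's definition singles out.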
4. The SES Intrusion Prevention System has blocked an intruder's attempt to establish an IRC connection inside the firewall.