An administrator is investigating a possible threat that occurs during the Windows startup. A file is observed that is NOT digitally signed by Microsoft. Which Anti-malware feature should the administrator enable to scan this file for threats?
Answer: A
Early Launch Antimalware (ELAM) is a feature that is designed to provide anti-malware protection during the early stages of Windows startup. When ELAM is enabled, it scans drivers and files that load during startup, especially those not digitally signed by trusted sources like Microsoft.
How ELAM Works:
ELAM loads before other drivers at startup and scans critical files and drivers, identifying potential malware that may attempt to execute before other security layers are fully operational.
Since the file observed is not digitally signed by Microsoft, ELAM would detect and analyze it at boot, preventing possible threats from initializing.
Advantages of ELAM:
It provides proactive defense against rootkits and other threats that may try to gain persistence on the system by loading during the Windows boot process.
Why Other Options Are Less Suitable:
Auto-Protect and Behavioral Analysis are effective but operate after the system has booted.
Microsoft ELAM is already enabled by default in Windows but does not provide the same customizability as SEP's ELAM feature.
Files are blocked by hash in the deny list policy. Which algorithm is supported, in addition to MD5?
Answer: B
In Symantec Endpoint Protection (SEP), when files are blocked by hash in the deny list policy, SHA256 is supported in addition to MD5. SHA256 provides a more secure hashing algorithm compared to MD5 due to its longer hash length and higher resistance to collisions, making it effective for uniquely identifying and blocking malicious files based on their fingerprint.
An organization identifies a threat in its environment and needs to limit the spread of the threat. How should the SEP Administrator block the threat using Application and Device Control?
Answer: A
When a threat is detected within an organization's environment, preventing its spread becomes crucial. Symantec Endpoint Protection (SEP) allows administrators to create Application and Device Control policies that target specific threat files to block them across the network. To block a known malicious file, the administrator should:
Identify the File MD5 Hash: The MD5 hash serves as a unique 'fingerprint' for the malicious file, ensuring that the specific file version can be accurately identified across systems.
Create an Application Content Rule: Using the Application and Device Control feature, the administrator can create a content rule that targets the identified file by its MD5 hash, effectively blocking it based on its fingerprint.
Apply the Rule Across Endpoints: Once created, this rule is applied to endpoints, preventing the file from executing or spreading.
This method ensures precise blocking of the threat without impacting other files or processes.
In which phase of the MITRE framework would attackers exploit faults in software to directly tamper with system memory?
Answer: B
In the MITRE ATT&CK framework, the Execution phase encompasses techniques that attackers use to run malicious code on a target system. This includes methods for exploiting software vulnerabilities to tamper directly with system memory, often by triggering unintended behaviors such as arbitrary code execution or modifying memory contents to inject malware.
Execution Phase Overview:
The Execution phase is specifically focused on methods that enable an attacker to run unauthorized code. This might involve exploiting software faults to manipulate memory and bypass defenses.
Memory Exploit Relevance:
Memory exploits, such as buffer overflows or code injections, fall into this phase as they allow attackers to gain control over system processes by tampering with memory.
These exploits can directly manipulate memory, enabling attackers to execute arbitrary instructions, thereby gaining unauthorized control over the application or even the operating system.
Why Other Phases Are Incorrect:
Defense Evasion involves hiding malicious activities rather than direct execution.
Exfiltration pertains to the theft of data from a system.
Discovery is focused on gathering information about the system or network, not executing code.
What does an end-user receive when an administrator utilizes the Invite User feature to distribute the SES client?
Answer: C
When an administrator uses the 'Invite User' feature to distribute the Symantec Endpoint Security (SES) client, the end-user receives a direct link via email to download the SES client. This email typically includes:
Download Link: The email provides a secure link that directs the user to download the SES client installer directly from Symantec's servers or a managed distribution location.
Installation Instructions: Clear instructions are often included to assist the end-user with installing the SES client on their device.
User Access Simplification: This approach streamlines the installation process by reducing the steps required for the user, making it convenient and ensuring they receive the correct client version.
This method enhances security and user convenience, as the SES client download is directly verified by the system, ensuring that the correct version is deployed.