Get CheckPoint 156-590 Exam Practice Questions - Real and Updated

Answer : D

The correct answer is D. Newly created domains. DGA means Domain Generation Algorithm, a technique used by malware to algorithmically create large numbers of domain names for command-and-control communication. Instead of hardcoding one static C2 domain, a bot can generate many possible domains over time, making takedown and static blocking much harder. Check Point's Network Security Software Bundles datasheet states that Check Point AI Deep Learning blocks the latest DNS attacks, including Tunneling and Domain Generation Algorithm/DGA, and specifically blocks connections to the newest generation of malicious domains created via DGA.

This explains why the correct exam option is ''newly created domains.'' Known malicious IP blocking is a reputation and IP intelligence function, but it is not the specific purpose of DGA protection. Infected URLs and infected files are handled by URL reputation, Anti-Virus, Threat Emulation, and related Threat Prevention functions. DGA protection focuses on DNS-layer behavior and suspicious or algorithmically generated domain use, especially when malware attempts to contact rotating or recently generated domains for C2, payload retrieval, or data exfiltration. In operational terms, DGA protection is part of Anti-Bot and Advanced DNS defense, helping detect compromised hosts even when the malware infrastructure changes rapidly. Reference topics: ThreatCloud, DGA Protection, Advanced DNS, Anti-Bot, DNS C2 prevention.

Answer : B

The correct answer is B. Exclusions. In Anti-Virus policy design, exclusions are used to remove selected traffic or file categories from Anti-Virus inspection when inspection is unnecessary, redundant, or too costly for the business flow. Check Point documentation states that Threat Prevention can be configured to exclude files from inspection, including examples such as internal emails and internal file transfers. The same section explains that these settings are based on interface type and traffic direction.

This directly aligns with the performance objective in the question: if the gateway does not inspect files that are already trusted, internal, or operationally low-risk, Anti-Virus consumes fewer CPU, memory, buffering, and content-inspection resources. Content Control is not the Anti-Virus bypass feature named in this context. Exceptions are policy-level constructs that can exclude traffic from Threat Prevention enforcement, but the question specifically asks for the feature that improves Anti-Virus performance by bypassing inspection of specific files, which is Exclusions. Bypass describes the effect, not the named feature. Reference topics: Anti-Virus Settings, Protected Scope, file inspection exclusions, interface direction, Threat Prevention performance optimization.

Answer : C

The correct answer is C. Accept. Threat Prevention is applied only to traffic that has already been accepted by the Access Control policy, and then the Threat Prevention rulebase determines which protection profile, blade behavior, and tracking settings apply. When traffic does not match a Threat Prevention rule, no Threat Prevention profile is selected for that connection, so the traffic is not blocked by Threat Prevention simply because of a non-match. Check Point documentation explains that Threat Prevention policy layers calculate their actions according to rule matching, and in a single-layer policy the enforced rule is the first matched rule.

This distinction is critical for certification and real operations. Threat Prevention is not a replacement for the Access Control decision; it is a follow-up inspection layer for already accepted traffic. A non-match in Threat Prevention means the traffic is outside the configured protected scope or rule conditions, so the Threat Prevention engine does not apply a prevent/drop/reject action to it. Reject and Drop are enforcement outcomes for matched malicious or blocked traffic, not for unmatched Threat Prevention traffic. Detect is a logging/enforcement mode for matched protections, not the default result of no rule match. Reference topics: Threat Prevention Policy, ordered layer behavior, protected scope, first-match rule logic, unmatched traffic handling.

Answer : A

The correct answer is A. Infected host identification. Malware DNS Trap is designed to help identify compromised clients by redirecting malicious DNS resolution to a controlled false IP address and then observing which internal hosts attempt to connect to that trap address. Check Point's R81.20 Threat Prevention guide states that Malware DNS Trap can be used to detect compromised clients by checking logs with connection attempts to the false IP address. It also notes that internal DNS servers can be added to better identify the origin of malicious DNS requests.

This makes the primary operational benefit host attribution. While DNS security can block or prevent malicious DNS-related activity, DNS Trap's distinctive value is showing which internal endpoint is likely infected or attempting malicious communication. Option B is more aligned with URL Filtering or URL reputation, not DNS Trap. Option C describes a blocking outcome, but it misses the key trap mechanism and attribution purpose. Option D is incorrect because the usual DNS Trap use case concerns internal clients generating suspicious outbound DNS or follow-up connections, not inbound malicious DNS queries. Reference topics: Malware DNS Trap, Anti-Bot & Advanced DNS, false IP address, compromised-client detection, infected-host investigation.

Answer : D

The correct answer is D. The rule is contained on a single line. There are two logical sections: Rule Header and Rule Options. SNORT signatures are supported in Check Point Threat Prevention as custom IPS-style protections, and their structure follows the standard SNORT rule model. Official Snort documentation states that the rule header includes the text before the first parenthesis, while the body contains the rule options between parentheses. It also shows a complete rule with header and option definitions. The classic Snort rule reference describes the two logical sections as the rule header and rule options.

In the exam wording, the expected construction is a single-line rule composed of these two logical sections. The header defines the coarse traffic selector and action, such as alert/drop, protocol, source, destination, ports, and direction. The options define the detailed detection logic, such as message, content match, flow, metadata, and signature identifier. ''Payload'' is not the correct formal name for the second logical section, which eliminates options A and C. Option B uses the correct logical sections but incorrectly states that the rule is contained on two lines. Reference topics: SNORT Signature Support, custom IPS protections, Rule Header, Rule Options, signature syntax.