The correct answer is A. zipscn . Archive Scanning is part of the Anti-Virus file-inspection workflow, where compressed archives must be unpacked and inspected before the gateway can make a final malware-prevention decision. Check Point documentation describes Archive Scanning as the configuration area used to define how the ThreatSpect engine unpacks and scans file archives . It also defines controls such as how long archive processing may continue and what action is taken if the maximum scan time is exceeded. In the Threat Prevention Administration Guide, enabling archive scanning is described as an Anti-Virus setting in which the Anti-Virus engine unpacks archives and applies proactive heuristics, with an explicit note that this feature can impact network performance.

The process name associated with this archive-processing function is zipscn . The distractors do not fit the archive-scanning function: psl_dlp and dlpu are associated with DLP/user-space processing contexts, while gzscn_proc is not the named Archive Scanning process for this blade function. Reference topics: Anti-Virus Settings, Archive Scanning, ThreatSpect engine, archive unpacking, proactive heuristics.

The correct answer is A. It lets you start over by removing all administrator overrides . Profile Cleanup is a profile-maintenance function used when manual IPS protection changes have accumulated and the administrator wants to return the profile to its intended baseline logic. Check Point’s IPS Protections documentation describes the Profile Cleanup window as offering actions such as Remove all user modified and Clear all staging , followed by installing the Threat Prevention Policy.

This makes the feature a reset and hygiene mechanism, not a rulebase cleanup rule. It removes administrator-level overrides that may have been introduced during tuning, temporary mitigation, testing, exception handling, or staged rollout of protections. Option B is incorrect because Profile Cleanup does not merge settings from several profiles into the Optimized Profile. Option C is incorrect because unmatched traffic handling is controlled by policy/rule behavior, not by Profile Cleanup. Option D is incorrect because protections are not automatically removed based on usage age by this option. The administrative value of Profile Cleanup is control: it lets the security architect re-align a profile with its default or intended activation criteria. Reference topics: IPS Protections, Activation Overrides, Profile Cleanup, Staging, Threat Prevention Policy installation.

The correct answer is B. CPU Utilization . IPS protection selection and activation are based on protection metadata and profile criteria, not a direct CPU-utilization rating. The official Threat Prevention guide states that a Threat Prevention profile activates protections according to factors including performance impact of the protection , severity of the threat , confidence that a protection can correctly identify an attack , and settings specific to the Software Blade.

The same R81.20 guide shows how the Optimized profile uses these criteria: protections are set to Prevent or Detect based on Confidence Level , Performance Impact , and Severity thresholds. CPU utilization is certainly relevant in performance troubleshooting, capacity planning, and operational monitoring, but it is not one of the IPS protection-selection ratings. In practice, CPU usage is an observed runtime metric, while Performance Impact is the predefined protection attribute used by profiles to decide whether a protection should be active, detect-only, or prevented. This distinction matters in certification: IPS tuning is driven by profile attributes, while CPU utilization is reviewed afterward through monitoring tools such as CPView, logs, and performance diagnostics. Reference topics: IPS Protection ratings, Threat Prevention Profiles, Severity, Confidence Level, Performance Impact, activation criteria.

The correct answer is D. fwaccel dos rate . When IPS or other Threat Prevention inspection causes significant traffic to leave the fully accelerated SecureXL path and move to F2F, the gateway can experience higher CPU utilization because more packets require Firewall kernel processing. The fwaccel dos rate command belongs to SecureXL DoS and rate-limiting controls. Check Point’s Performance Tuning guide defines fwaccel dos rate and fwaccel6 dos rate as commands that show and install the Rate Limiting policy in SecureXL. It also notes that the feature is enabled by default without rules.

This makes it the correct command for enforcing traffic quotas or rate-limiting policy in the accelerated path. fw dos rate is not the correct Check Point syntax. fwaccel rate omits the DoS rate-limiting command hierarchy. fw ctl dos is also not the documented command for SecureXL rate policy installation. In operational performance tuning, fwaccel DoS rate controls are useful when the gateway must protect CPU resources from excessive connection rates, volumetric pressure, or inspection-heavy flows that can amplify the impact of Threat Prevention processing. Reference topics: SecureXL DoS Mitigation, Rate Limiting Policy, fwaccel dos rate, F2F path, IPS performance impact.

The correct answer is C. user:"John Doe" AND (action:drop OR action:reject OR action:block) . Check Point log-query syntax uses field-based filters in the form field:value , Boolean operators such as AND and OR , and parentheses to group multiple criteria. The official Query Language Overview states that the basic syntax is [Field:] < Filter Criterion > , and that Boolean operators can combine multiple filters. It also shows action filtering examples such as blade:"application control" AND action:block, and explains that multiple Boolean expressions can be grouped in parentheses.

Because the user name contains a space, the value must be enclosed in double quotation marks: user:"John Doe". Without quotes, the query parser treats the words as separate criteria, which makes option B incorrect. Option A uses a hyphenated value, which changes the user name. Option D uses single quotes, while Check Point examples and expected syntax use double quotes for phrase values. The action clause is correctly grouped with OR to match logs where the IPS-related enforcement action is drop, reject, or block. Reference topics: Logs & Monitor query language, field filters, quoted strings, Boolean operators, action filtering, IPS log investigation.

The correct answer is D. Thorough protection . Deep Scanning is selected when the organization wants broader and more complete Anti-Virus inspection, even at the cost of additional processing. Check Point’s Anti-Virus settings documentation shows that administrators can configure file handling to process file types known to contain malware, process specific file-type families, or process all file types . It also states that enabling deep inspection scanning impacts performance.

This is the key tradeoff: Deep Scanning improves protection depth by expanding the set of files and content types subjected to inspection, but it is not the best choice for minimal latency or lowest resource consumption. Options A, B, and C are therefore incorrect because Deep Scanning is not primarily a performance optimization. It can require more CPU, memory, buffering, file classification, and scanning time, especially when paired with archive scanning, HTTPS Inspection, or large file transfers. Its benefit is security completeness: it reduces blind spots by inspecting more file content and providing stronger protection against malware hidden in less common or less obvious file types. Reference topics: Anti-Virus Settings, File Types, Deep Inspection Scanning, process all file types, performance impact, thorough malware protection.

The correct answer is D. Communicate forensics data collected to Government Agencies . The Forensics tracking option exists to enrich Threat Prevention logs with deeper technical context for analysis and troubleshooting. Check Point documentation states that the Forensics option adds fields to Threat Prevention logs and that the additional information gives a deeper understanding of an attack. The Monitoring Threat Prevention guidance also explains that Advanced Forensics Details can include protocol-specific details for DNS, FTP, SMTP, HTTP, and HTTPS, and that this information is used by Check Point researchers to analyze attacks.

The purpose is security analysis, incident investigation, and support-quality evidence collection, not government reporting. Options A and B accurately describe the function of Forensics tracking. Option C reflects the broader idea that forensic and diagnostic details may include gateway-related technical data for Check Point analysis, depending on configuration and feature behavior. Option D is the false statement because Check Point Threat Prevention Forensics is not defined as a mechanism for transmitting collected forensic data to government agencies. In production, enabling Forensics should be treated as a deliberate logging and privacy decision because it may add protocol and transaction context to logs. Reference topics: Threat Prevention Track Options, Forensics tracking, Advanced Forensics Details, Logs & Monitor, attack analysis.

The correct answer is C. Accept . Threat Prevention is applied only to traffic that has already been accepted by the Access Control policy, and then the Threat Prevention rulebase determines which protection profile, blade behavior, and tracking settings apply. When traffic does not match a Threat Prevention rule, no Threat Prevention profile is selected for that connection, so the traffic is not blocked by Threat Prevention simply because of a non-match. Check Point documentation explains that Threat Prevention policy layers calculate their actions according to rule matching, and in a single-layer policy the enforced rule is the first matched rule.

This distinction is critical for certification and real operations. Threat Prevention is not a replacement for the Access Control decision; it is a follow-up inspection layer for already accepted traffic. A non-match in Threat Prevention means the traffic is outside the configured protected scope or rule conditions, so the Threat Prevention engine does not apply a prevent/drop/reject action to it. Reject and Drop are enforcement outcomes for matched malicious or blocked traffic, not for unmatched Threat Prevention traffic. Detect is a logging/enforcement mode for matched protections, not the default result of no rule match. Reference topics: Threat Prevention Policy, ordered layer behavior, protected scope, first-match rule logic, unmatched traffic handling.

The correct answer is D. Newly created domains . DGA means Domain Generation Algorithm , a technique used by malware to algorithmically create large numbers of domain names for command-and-control communication. Instead of hardcoding one static C2 domain, a bot can generate many possible domains over time, making takedown and static blocking much harder. Check Point’s Network Security Software Bundles datasheet states that Check Point AI Deep Learning blocks the latest DNS attacks, including Tunneling and Domain Generation Algorithm/DGA , and specifically blocks connections to the newest generation of malicious domains created via DGA.

This explains why the correct exam option is “newly created domains.” Known malicious IP blocking is a reputation and IP intelligence function, but it is not the specific purpose of DGA protection. Infected URLs and infected files are handled by URL reputation, Anti-Virus, Threat Emulation, and related Threat Prevention functions. DGA protection focuses on DNS-layer behavior and suspicious or algorithmically generated domain use, especially when malware attempts to contact rotating or recently generated domains for C2, payload retrieval, or data exfiltration. In operational terms, DGA protection is part of Anti-Bot and Advanced DNS defense, helping detect compromised hosts even when the malware infrastructure changes rapidly. Reference topics: ThreatCloud, DGA Protection, Advanced DNS, Anti-Bot, DNS C2 prevention.

The correct answer is A. Infected host identification . Malware DNS Trap is designed to help identify compromised clients by redirecting malicious DNS resolution to a controlled false IP address and then observing which internal hosts attempt to connect to that trap address. Check Point’s R81.20 Threat Prevention guide states that Malware DNS Trap can be used to detect compromised clients by checking logs with connection attempts to the false IP address. It also notes that internal DNS servers can be added to better identify the origin of malicious DNS requests.

This makes the primary operational benefit host attribution. While DNS security can block or prevent malicious DNS-related activity, DNS Trap’s distinctive value is showing which internal endpoint is likely infected or attempting malicious communication. Option B is more aligned with URL Filtering or URL reputation, not DNS Trap. Option C describes a blocking outcome, but it misses the key trap mechanism and attribution purpose. Option D is incorrect because the usual DNS Trap use case concerns internal clients generating suspicious outbound DNS or follow-up connections, not inbound malicious DNS queries. Reference topics: Malware DNS Trap, Anti-Bot & Advanced DNS, false IP address, compromised-client detection, infected-host investigation.