When a threat is detected within an organization’s environment, preventing its spread becomes crucial. Symantec Endpoint Protection (SEP) allows administrators to create Application and Device Control policies that target specific threat files to block them across the network. To block a known malicious file, the administrator should:

Identify the File MD5 Hash: The MD5 hash serves as a unique "fingerprint" for the malicious file, ensuring that the specific file version can be accurately identified across systems.

Create an Application Content Rule: Using the Application and Device Control feature, the administrator can create a content rule that targets the identified file by its MD5 hash, effectively blocking it based on its fingerprint.

Apply the Rule Across Endpoints: Once created, this rule is applied to endpoints, preventing the file from executing or spreading.

This method ensures precise blocking of the threat without impacting other files or processes.

To reduce the risk of unauthorized access when administrators forget to log off, the setting "Allow users to save credentials when logging on" should be disabled in Symantec Endpoint Protection Manager (SEPM). Disabling this option ensures that administrators are required to enter their credentials each time they access the SEPM console, preventing automatic logins and reducing the chance of someone else gaining access without permission.

Purpose of Disabling Saved Credentials :

By preventing credential saving, SEPM forces each administrator to authenticate manually on every session, thus improving security.

This setting is particularly useful in shared environments, as it prevents the console from retaining login information when an administrator fails to log out.

Why Other Options Are Less Relevant :

Delete clients that have not connected (Option B) pertains to endpoint clients, not administrator logins.

Lock account after unsuccessful attempts (Option C) protects against brute-force attempts but does not address saved credentials.

Allow administrators to reset passwords (Option D) is related to password management rather than login persistence.

References : Disabling saved credentials is a best practice to enforce unique logins for each session, enhancing security in shared console environments​.

When adding device control rules, General "catch all" rules should be placed at the bottom of the rule list. This approach ensures that:

Specificity Precedes Generality: Specific rules (like those for device type or model) are applied first, allowing fine-grained control over device access.

Efficient Rule Processing: Placing general rules last prevents them from inadvertently overriding more specific rules, which could lead to unintended access restrictions or allowances.

This ordering helps maintain effective and targeted control over devices, while still providing a fallback catch-all rule to manage unspecified devices.

To allow the use of a remote administration tool detected as Hacktool.KeyLoggPro without interference from SEP, the administrator should create a Known Risk exception for the tool. This exception type allows specific files or applications to bypass detection, thereby avoiding quarantine or blocking actions.

Steps to Create a Known Risk Exception :

In the SEP management console, navigate to Policies > Exceptions .

Choose to create a Known Risk exception and specify the tool’s executable file or file path to prevent SEP from identifying it as a threat.

Why Known Risk Exception is Appropriate :

This type of exception is designed for tools that SEP detects as potentially risky (like hacktools or keyloggers) but are authorized for legitimate use by the organization.

Creating this exception allows the tool to operate without being flagged or quarantined.

Reasons Other Options Are Less Effective :

Tamper Protect exceptions only prevent SEP from being tampered with by other applications.

Application to Monitor exceptions monitor applications without preventing quarantine actions.

SONAR exceptions are specific to behavior-based detections, not risk definitions.

References : Creating Known Risk exceptions is the recommended approach when allowing specific tools in SEP that may otherwise be detected as threats​.

In Symantec Endpoint Detection and Response (SEDR) , the Block List feature allows administrators to manually block a specific file hash identified as malicious. By adding the hash of the malicious file to the Block List, SEDR ensures that the file cannot execute or interact with the network, preventing further harm. This manual blocking capability provides administrators with direct control over specific threats detected in their environment.

For organizations with Symantec Endpoint Protection Manager (SEPM) servers that do not have internet access and require updates only within a specific maintenance window, the JDB file method is an effective solution:

Offline Content Distribution: JDB files can be downloaded on an internet-connected device and then manually transferred to SEPM, allowing it to update content offline.

Flexible Timing: Since JDB files can be applied during the maintenance window, this method adheres to time restrictions, avoiding disruption during business hours.

Using JDB files ensures that SEPM remains updated in environments with limited connectivity or strict operational schedules.

In the Discovery phase of a cyber attack, attackers attempt to map the network, identify vulnerabilities, and gather information. Firewall and Intrusion Prevention System (IPS) are the most effective security controls to mitigate threats associated with this phase:

Firewall: The firewall restricts unauthorized network access, blocking suspicious or unexpected traffic that could be part of reconnaissance efforts.

IPS: Intrusion Prevention Systems detect and prevent suspicious traffic patterns that might indicate scanning or probing activity, which are common in the Discovery phase.

Together, these controls limit attackers’ ability to explore the network and identify potential vulnerabilities.

To notify administrators of performance issues on the SEPM, they should add a Server health alert . This type of alert is specifically designed to monitor the health of the SEPM, triggering notifications when performance drops or errors occur.

Configuration Steps :

Set up a Server health alert in the SEPM, specifying the conditions that define poor server health.

Configure the alert frequency and designate an email address for notifications, ensuring that administrators receive timely updates.

Why Other Options Are Incorrect :

System event alerts (Option A) cover general system events but are less specific to performance.

Authentication alerts (Option B) focus on login and access issues.

Client security alerts (Option C) are related to endpoint security rather than SEPM server performance.

References : Server health alerts are tailored for monitoring SEPM’s performance, making them the ideal choice for tracking server health​.

To control which remote consoles and servers have access to the Symantec Endpoint Protection Management (SEPM) server , an administrator should edit the Server Properties and adjust the Server Communication Permission under the General tab. This setting specifies which remote systems are authorized to communicate with the management server, enhancing security by limiting access to trusted consoles and servers only. Adjusting the Server Communication Permission helps manage server access centrally and ensures only approved systems interact with the management server.

The Process View feature in Symantec Endpoint Detection and Response (EDR) provides a detailed and comprehensive view of activities associated with an infected endpoint. It displays a graphical representation of processes, their hierarchies, and interactions, which helps security teams understand the behavior and spread of malware on the system.

Advantages of Process View :

Process View shows the relationship between different processes, including parent-child structures, which can reveal how malware propagates or persists on an endpoint.

This visualization is instrumental in tracking the full impact of an infection, helping administrators identify malicious activities linked to specific processes.

Why Other Options Are Less Suitable :

Entity View is more focused on broader data relationships, not specific infected process activities.

Full Dump and Endpoint Dump refer to memory or system dumps, which are useful for in-depth forensic analysis but do not provide an immediate, clear picture of endpoint activity.

References : Process View is designed within EDR for tracking endpoint infection paths and behavioral analysis​.