During the Recovery phase of an incident response, it is critical for an Incident Responder to copy malicious files to the SEDR file store or create an image of the infected system. This action preserves evidence associated with the incident, allowing for thorough investigation and analysis. By securing a copy of the malicious files or system state, responders maintain a record of the incident that can be analyzed for root cause assessment, used for potential legal proceedings, or retained for post-incident review. Documenting and preserving evidence ensures that key information is available for future reference or audits.

In Symantec Endpoint Protection (SEP), when files are blocked by hash in the deny list policy, SHA256 is supported in addition to MD5. SHA256 provides a more secure hashing algorithm compared to MD5 due to its longer hash length and higher resistance to collisions, making it effective for uniquely identifying and blocking malicious files based on their fingerprint.

Application Control in Symantec Endpoint Protection (SEP) provides the SEP team with the ability to control and monitor the behavior of applications. This technology enables administrators to set policies that restrict or allow specific application behaviors, effectively controlling the environment and reducing risk from unauthorized or harmful applications. Here’s how it works:

Policy-Based Controls: Administrators can create policies that define which applications are allowed or restricted, preventing unauthorized applications from executing.

Behavior Monitoring: Application Control can monitor application actions, detecting unusual or potentially harmful behaviors and alerting administrators.

Enhanced Security: By controlling application behavior, SEP helps mitigate threats by preventing suspicious applications from affecting the environment, which is particularly valuable in post-outbreak recovery and ongoing health checks.

Application Control thus strengthens endpoint defenses by enabling real-time management of application behaviors.

A ranged query in Symantec Endpoint Security returns or excludes data that falls between two specified values for a given field . This type of query is beneficial for filtering data within specific numeric or date ranges. For instance:

Numeric Ranges: Ranged queries can be used to filter data based on a range of values, such as finding log entries with file sizes between certain values.

Date Ranges: Similarly, ranged queries can isolate data entries within a specific date range, which is useful for time-bound analysis.

This functionality allows for more targeted data retrieval, making it easier to analyze and report specific subsets of data.

In Symantec Endpoint Protection (SEP) Application Control policies, applications are managed through lists: an Allowed list (applications approved for use) and a Blocked list (applications restricted or prohibited). When a user encounters an application that is not explicitly on either the Allowed or Blocked list, it falls into a neutral category.

For accessing this application, the typical process includes:

Requesting an Override: The user can initiate a request to temporarily or permanently allow access to the application. This process usually involves contacting the administrator or following a specified override protocol to gain necessary permissions.

Administrator Review: Upon receiving the override request, the administrator evaluates the application to ensure it aligns with organizational security policies and compliance standards.

Override Approval: If deemed safe, the application may be added to the Allowed list, granting the user access.

This request mechanism ensures that unlisted appli

An Endpoint Activity Recorder (EAR) full dump consists of all recorded events that occurred on an endpoint . This comprehensive data capture includes every relevant activity, such as process executions, file accesses, and network connections, providing a full history of events on the endpoint for detailed forensic analysis.

Purpose of EAR Full Dump :

EAR full dumps offer a complete activity record for an endpoint, enabling incident responders to thoroughly investigate the behaviors and potential compromise pathways associated with that device.

This level of detail is crucial for in-depth investigations, as it captures the entire context of actions on the endpoint rather than isolating to a single process or file.

Why Other Options Are Incorrect :

Options A and B suggest limiting the dump to events related to a single file or process, which does not represent a full dump.

All events in the SEDR database (Option D) is inaccurate, as the full dump is specific to the events on a particular endpoint.

References : An EAR full dump includes all recorded events on an endpoint, offering a comprehensive activity log for investigation​.

The maximum number of Symantec Endpoint Protection Managers (SEPMs) that a single Management Platform can connect to is 50 . This limit ensures that the management platform can handle communication, policy distribution, and reporting across connected SEPMs without overloading the system.

Significance of the 50 SEPM Limit :

This limitation is in place to ensure stable performance and effective management, especially in large-scale deployments where multiple SEPMs are required to support extensive environments.

Relevance in Large Enterprises :

Organizations managing endpoints across multiple locations often use several SEPMs, and the platform’s 50-manager limit allows scalability while maintaining centralized management.

References : The SEPM connection limits are documented as part of the architecture specifications for Symantec Endpoint Protection​.

When an Incident Responder determines that an endpoint is compromised, the first action to contain the threat is to use the Isolation feature in Symantec Endpoint Detection and Response (SEDR). Isolation effectively disconnects the affected endpoint from the network, thereby preventing the malicious threat from communicating with other systems or spreading within the network environment. This feature enables the responder to contain the threat swiftly, allowing further investigation and remediation steps to be conducted without risk of lateral movement by the attacker.

In antimalware solutions, Level 5 intensity is defined as a setting where the software blocks files that are considered either most certainly malicious or potentially malicious. This level aims to balance security with usability by erring on the side of caution; however, it acknowledges that some level of both false positives (legitimate files mistakenly flagged as threats) and false negatives (malicious files mistakenly deemed safe) may still occur.

This level is typically used in environments where security tolerance is high but with an understanding that some legitimate files might occasionally be flagged. It provides robust protection without the extreme strictness of the highest levels, thus reducing, but not eliminating, the possibility of false alerts while maintaining an aggressive security posture.

The Firewall provides a complementary layer of protection to Intrusion Prevention System (IPS) in Symantec Endpoint Protection.

Firewall vs. IPS :

While IPS detects and blocks network-based attacks by inspecting traffic for known malicious patterns, the firewall controls network access by monitoring and filtering inbound and outbound traffic based on policy rules.

Together, these tools protect against a broader range of network threats. IPS is proactive in identifying malicious traffic, while the firewall prevents unauthorized access.

Two-Layer Defense Mechanism :

The firewall provides control over which ports, protocols, and applications can access the network, reducing the attack surface.

When combined with IPS, the firewall blocks unauthorized connections, while IPS actively inspects and prevents malicious content within allowed traffic.

Why Other Options Are Not Complementary :

Host Integrity focuses on compliance and configuration validation rather than direct network traffic protection.

Network Protection and Antimalware are essential but do not function as second-layer defenses for IPS within network contexts.

References : Symantec Endpoint Protection’s network protection strategies outline the importance of firewalls in conjunction with IPS for comprehensive network defense​.