The configuration shown enables Predictive Machine Learning, Process Memory Scan, Document Exploit Protection, and other advanced technologies beyond just pattern-based detection. This means Deep Security Agents will use more than just patterns downloaded from the Smart Protection Network to detect malware.

The Context setting in Deep Security policies gives agents location awareness (such as "Office," "Data Center," or "Untrusted"), which affects Firewall and Intrusion Prevention rules. The context can change dynamically based on network/environment, allowing adaptive protection.

From the official documentation:

"Context provides location awareness and is associated with Firewall and Intrusion Prevention rules, allowing policies to adapt rule application based on the protected computer's environment."

Option B is correct.

Options A, C, D are incorrect (context is not associated with Anti-Malware, Web Reputation, Log Inspection, or Integrity Monitoring rules).

In the exhibit, under "Agent Self Protection," the toggle is disabled (blue switch is to the left, "No"), which means the self-protection feature is off.

This means local users/administrators on the server can uninstall, stop, or modify the agent via standard Windows tools (like the Control Panel).

Option A is incorrect: "Automatically send Policy changes to computers" is set to "No," so policy changes will not be pushed instantly; they’ll take effect at the next agent heartbeat.

Option C is incorrect: Heartbeat interval is set to 22 minutes (not 10).

Option D is incorrect: The alert threshold is for "missed heartbeats" and is set to 3, but the heartbeat interval is 22 minutes, not 20.

The Integrity Monitoring module is specifically designed to detect and alert when files, directories, or system configurations on a protected computer are changed, modified, or tampered with. This is exactly the functionality described in the question.

From the official documentation:

“Integrity Monitoring detects and reports changes to files, directories, and system settings in real time, providing the capability to alert administrators about unauthorized modifications.”

Option A is correct.

Option B is incorrect; there is no File Inspection Module.

Option C is incorrect because Deep Security does provide this capability.

Option D is incorrect; Intrusion Prevention detects exploits, not file changes.

Deep Security Relays are specialized agents that distribute security updates (such as anti-malware patterns, rules, and engine updates) to other agents within the network. Regular Deep Security Agents connect to Relays to receive these updates, reducing the load on the Deep Security Manager and external bandwidth usage.

From the official documentation:

"Relays are agents that download security updates from the Trend Micro Update Server or the Deep Security Manager and then distribute these updates to other agents on the network."

Option D is correct: Agents communicate with relays to obtain security updates.

Option A is incorrect: Only 64-bit agents can be promoted to relays in recent versions.

Option B is incorrect: Relays retain all protection module functions after being promoted.

Option C is partially correct but not as precise as D; relays distribute, but do not "process" requests in the sense of approving/handling agent-side logic.

Recommendation scans in Deep Security are used to recommend rules for:

Intrusion Prevention

Integrity Monitoring

Log Inspection

Firewall and Application Control do not use recommendation scans for their rule or inventory management.

When Maintenance Mode is enabled for Application Control, any new or changed software is automatically added to the list of allowed software. This feature is intended to support software installation, patching, or upgrades without manual intervention.

From the official documentation:

"When a computer is in Maintenance Mode, Application Control allows all new software to run and automatically adds it to the inventory of allowed software."

When the Deep Security Agent’s network driver intercepts traffic, its primary network operations include stateful inspection (context of traffic and connection), verification of packet integrity for suitability, and detection of certain types of attacks, including reconnaissance scans.

However, anti-malware scan configuration and exclusion lists pertain to file system operations (not network packet inspection). Packets are not compared against anti-malware exclusion lists at the network driver level.

From the official documentation:

“The network driver intercepts packets and examines them for threats. This includes analyzing packets in context, verifying integrity, and checking for reconnaissance or suspicious activity. Anti-malware exclusions are applied at the file system level, not at the network packet analysis stage.”

Option B is correct (not performed at this network layer).

Options A, C, and D all describe valid operations at the network driver level.

In agentless (VMware-integrated) implementations, scan caching allows the Deep Security Virtual Appliance to remember which files have already been scanned on any VM on the same host. If the same file appears on another VM, it doesn't need to be scanned again, significantly improving performance and reducing resource usage.

Deep Security offers several ways to monitor tenant usage in a multi-tenant environment:

Chargeback reports in the Manager Web console provide detailed usage breakdowns per tenant.

The REST API enables automated, programmatic collection of usage data.

The Statistics tab within tenant properties displays real-time and historical usage information.

From the official documentation:

“Administrators can monitor usage with built-in Chargeback reports, by querying the Statistics tab in tenant properties, or by using the REST API for automated data collection and reporting.”