Cross-Site Scripting injects malicious script into a trusted page so the victim's browser executes attacker-controlled code. Common XSS outcomes include session or cookie theft, unauthorized actions, and data exposure. Option C (Cookie Stealing) is correct because cookie stealing is a classic XSS impact.

Why the other options are incorrect:

A. Spyware Callback: Spyware Callback is outbound C2 protection. It is not the browser/URL control being tested here.

B. Anonymizers: Anonymizer controls restrict proxy/anonymity services. They do not represent the malicious-content category in this question.

D. IRC Tunneling: IRC tunneling is a specific evasive communication method. The question’s answer is the broader protection control being tested.

ZDX monitoring uses two major probe types: Web Probes and Cloud Path Probes. Web Probes measure application availability and page-fetch behavior, while Cloud Path Probes show hop-by-hop path quality, latency, packet loss, and network path conditions. Option D (Web Probe and Cloud Path Probe) is correct because those are the supported ZDX probe types.

Why the other options are incorrect:

A. Page Fetch Time Probe and Cloud Path Probe: Page Fetch Time is a metric from web probing; the pair listed is not the clean Web Probe and CloudPath Probe grouping used by ZDX.

B. Web Probe and Page Fetch Time Probe: A Web Probe is valid, but Page Fetch Time is a metric rather than the second probe type. The network path probe is CloudPath.

C. Page Fetch Time Probe and Server Response time Probe: Server Response Time measures how long the destination application takes to respond to a probe or request.

Downloaders are malware whose primary job is to retrieve and install additional payloads. They are frequently used as a first-stage infection because the initial file can be small and then pull ransomware, RATs, infostealers, or other malware after execution. Option C (Downloaders) is correct because a downloader's purpose is specifically to deliver other malware.

Why the other options are incorrect:

A. RAT: A remote access trojan gives an attacker interactive control over a compromised host after infection.

B. Maldocs: A malicious document uses macros, embedded objects, or exploit content to run code when opened.

D. Exploitation tool: An exploitation tool attacks a vulnerability. A downloader is the malware type whose purpose is to fetch and install additional malware.

Data Loss Prevention is the central feature of Zscaler Data Protection. It detects sensitive information using engines, dictionaries, labels, EDM/IDM, and contextual controls, then applies actions such as block, notify, coach, quarantine, or remediate. Option A (Data loss prevention) is correct because DLP is the named core feature for protecting sensitive data.

Why the other options are incorrect:

B. Stopping reconnaissance attacks: Stopping reconnaissance is about hiding attack surface. Data protection addresses exfiltration and accidental data loss.

C. DDoS protection: DDoS protection absorbs or blocks traffic floods. It does not inspect sensitive content leaving through web and cloud channels.

D. Log analysis: Log analysis helps detect and investigate events after collection. DLP use cases prevent the sensitive transfer itself.

Zscaler inspection policies are order-sensitive: the first matching rule determines the inspection action. When an administrator needs to inspect everything except one URL category, the exception must appear above the broad inspect-all rule. Otherwise the generic rule matches first and the exception is never reached. Option B (First the policy for the exception Category, then further down the list the policy for the generic "inspect all.") is correct because the category-specific bypass must be evaluated before the generic inspection rule.

Why the other options are incorrect:

A. Both policies are incompatible, so it is not possible to have them together: The policies are compatible when ordered correctly. The specific bypass rule must be evaluated before the broad inspect-all rule.

C. First the policy for the generic "inspect all", then further down the list the policy for the exception Category: Putting the inspect-all rule first catches the traffic before the category exception can run. The category bypass must sit above the generic inspect rule.

D. All policies both generic and specific will be evaluated so no specific order is required: SSL inspection rules are order-sensitive. A broad generic rule placed above the exception can catch the traffic first and prevent the bypass rule from taking effect.