The Command Status page is where an administrator should track the progress of issued device

commands in Symantec Endpoint Security. This page provides:

Real-Time Command Updates: It shows the current status of commands, such as "Pending,"

"Completed," or "Failed," providing immediate insights into the command's execution.

Detailed Progress Tracking: Command Status logs offer details on each command, enabling the

administrator to confirm that actions, such as scans, updates, or reboots, have been successfully

processed by the endpoint.

The Command Status page is essential for effective device management, as it helps administrators

monitor and verify the outcome of their issued commands.

When a user attempts to connect to a malicious website and download a known threat, the threat

passes through SEP’s Firewall, Intrusion Prevention System (IPS), and Download Insight in that order.

This layered approach helps prevent threats at different stages of the attack chain.

Threat Path Through SEP Protection Features:

Firewall: Blocks or allows network connections based on policy, filtering initial traffic to potentially

dangerous sites.

IPS: Monitors and blocks known patterns of malicious activity, such as suspicious URLs or network

behavior, providing another layer of defense.

Download Insight: Analyzes file reputation and blocks known malicious files based on reputation

data, which is especially effective for files within archives like .rar files.

Why This Order is Effective:

Each layer serves as a checkpoint: the Firewall controls network access, IPS scans for malicious traffic,

and Download Insight assesses files for risk upon download, ensuring thorough protection.

Why Other Orders Are Incorrect:

Options with Download Insight or IPS preceding the Firewall do not match SEP’s operational order of

defense.

Reference: SEP’s multi-layered protection approach involves firewall and IPS filtering prior to

download reputation analysis, enhancing overall system security​.

The Application and Device Control technology within Symantec Endpoint Protection (SEP) is

responsible for blocking unauthorized software behaviors, such as preventing a downloaded program

from installing browser plugins. This feature is designed to enforce policies that restrict specific

actions by applications, which includes controlling program installation behaviors, access to certain

system components, and interactions with browser settings. Application and Device Control

effectively safeguards endpoints by stopping potentially unwanted or malicious modifications to the

browser, thus protecting users from threats that may arise from unverified or harmful plugins.

A file fingerprint list is used to prevent specific programs from running by identifying them through

unique file attributes (such as hashes). This list allows administrators to create block rules based on

known malicious or unwanted file fingerprints, ensuring these programs cannot execute on the

system. This approach is particularly effective in enforcing application control and preventing

unauthorized software from running.

In Integrated Cyber Defense Manager (ICDm), a tenant can encompass multiple domains, allowing

organizations with complex structures to manage security across various groups or departments

within a single tenant. Each tenant represents an overarching entity, while domains within a tenant

enable separate administration and policy enforcement for different segments, providing flexibility in

security management across large enterprises.

In Symantec Endpoint Protection (SEP) Application Control policies, applications are managed

through lists: an Allowed list (applications approved for use) and a Blocked list (applications

restricted or prohibited). When a user encounters an application that is not explicitly on either the

Allowed or Blocked list, it falls into a neutral category.

For accessing this application, the typical process includes:

Requesting an Override: The user can initiate a request to temporarily or permanently allow access

to the application. This process usually involves contacting the administrator or following a specified

override protocol to gain necessary permissions.

Administrator Review: Upon receiving the override request, the administrator evaluates the

application to ensure it aligns with organizational security policies and compliance standards.

Override Approval: If deemed safe, the application may be added to the Allowed list, granting the

user access.

This request mechanism ensures that unlisted appli

During the Recovery phase of an incident response, it is critical for an Incident Responder to copy

malicious files to the SEDR file store or create an image of the infected system. This action preserves

evidence associated with the incident, allowing for thorough investigation and analysis. By securing a

copy of the malicious files or system state, responders maintain a record of the incident that can be

analyzed for root cause assessment, used for potential legal proceedings, or retained for post-

incident review. Documenting and preserving evidence ensures that key information is available for

future reference or audits.

In Symantec Endpoint Protection, the Discovery Agent designation is assigned to a computer

responsible for identifying unmanaged devices within a network. This role is crucial for discovering

endpoints that lack protection or are unmanaged, allowing the administrator to deploy agents or

take appropriate action. Configuring a Discovery Agent facilitates continuous monitoring and helps

ensure that all devices on the network are recognized and managed.

To create a daily summary of network threats detected, an administrator should use the Network

Risk Report template. This report template provides a comprehensive overview of threats within the

network, including:

Summary of Threats Detected: It consolidates data on threats, providing a summary of recent

detections across the network.

Insight into Network Security Posture: The report helps administrators understand the types and

frequency of network threats, enabling them to make informed decisions on security measures.

Daily Monitoring: Using this report on a daily basis allows administrators to maintain an up-to-date

view of the network’s risk profile and respond promptly to emerging threats.

The Network Risk Report template is ideal for regular monitoring of network security events.

To minimize I/O impact when LiveUpdate occurs, the LiveUpdate schedule should be adjusted.

Here’s why this solution is effective:

Reduced System Impact During Peak Hours: By scheduling LiveUpdate during off-peak times, system

resources are freed up during high-usage periods, reducing the likelihood of performance issues.

Efficient Resource Allocation: Adjusting the schedule allows LiveUpdate to run at times when

endpoint resources are less likely to be needed for user activities, minimizing its impact on

performance.

Maintaining Regular Updates: This approach ensures that updates still occur regularly without

impacting endpoint performance during work hours.

This method is optimal for managing resource load and maintaining smooth performance during

scheduled updates.