The answer is that the file will be allowed because the local cache stores an unknown disposition when the endpoint is offline. This occurs because Cisco Secure Endpoint (formerly AMP for Endpoints) relies on a cloud lookup to determine a file’s reputation; when the endpoint cannot reach the cloud, it cannot verify the file’s safety. The local cache records the file as having an “unknown” disposition, and by default, the policy for unknown files is set to “Allow” when the cloud is unreachable, permitting execution. On the Cisco SCOR / CCNP Security Core 350-701 exam, this concept tests your understanding of offline file execution behavior and the importance of cloud connectivity in AMP’s decision-making process. A common trap is assuming that an unknown disposition automatically blocks the file, but in offline mode, the default action is to allow it unless the policy is explicitly configured to block. Memory tip: “Offline unknown equals allowed by default.”
350-701 Endpoint Protection and Detection Practice Question
This 350-701 practice question tests your understanding of endpoint protection and detection. The scenario asks you to isolate a root cause — eliminate options that address a different problem before choosing. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.
Refer to the exhibit. A security engineer reviews the Cisco Secure Endpoint policy. If an endpoint is offline when a user downloads a file, what will happen?
Correct answer & explanation
✓ The file will be allowed because local cache will store an unknown disposition.
When an endpoint is offline, Cisco Secure Endpoint cannot perform a cloud lookup to determine the file's disposition. The local cache stores the disposition as 'unknown' for files that have not been seen before, and the file is allowed to execute because the default action for an unknown disposition in an offline scenario is to permit the file. This behavior is controlled by the policy setting for 'Unknown' files, which defaults to 'Allow' when the cloud is unreachable.
Key principle: answer the scenario, not the keyword. Identify the specific constraint before choosing the most familiar-sounding option.
Answer analysis
Option-by-option breakdown
For each option: why learners choose it and why it is or isn't the right answer here.
✗ The file will be held until the endpoint comes online and a cloud lookup completes.
Why it's wrong here
The policy does not hold files; the cloud lookup times out after 5 seconds, and the file is not held pending a later lookup.
✗ The file will be quarantined due to the aggressive exploit prevention level.
Why it's wrong here
Exploit Prevention does not affect file reputation.
✓ The file will be allowed because local cache will store an unknown disposition.
Why this is correct
Local cache stores unknown disposition; file is allowed until cloud lookup can be performed later.
Related concept
Read the scenario before looking for a memorised answer.
✗ The file will be blocked immediately by scan-on-write.
Why it's wrong here
Scan-on-write triggers a scan, but if the cloud is unavailable, files with an unknown disposition are allowed under the default policy.
Common exam traps
Common exam trap: answer the scenario, not the keyword
Cisco often tests the misconception that offline endpoints will block or quarantine unknown files, when in fact the default behavior is to allow them based on local cache and policy settings for unknown dispositions.
Detailed technical explanation
How to think about this question
Cisco Secure Endpoint (formerly AMP for Endpoints) uses a local cache to store file dispositions (malicious, clean, unknown) obtained from cloud lookups. When offline, the endpoint relies on this cache; if a file's SHA-256 hash is not in the cache, it is assigned an 'unknown' disposition, and the policy's 'Unknown' action (default: Allow) is applied. This behavior is defined in the policy's 'File Analysis' settings, where administrators can choose to block, allow, or quarantine unknown files, but the default allows execution to avoid breaking legitimate software.
Key Concepts to Remember
Read the scenario before looking for a memorised answer.
Find the constraint that changes the correct option.
Eliminate answers that are true in general but not in this case.
Exam Day Tips
Watch for words such as best, first, most likely and least administrative effort.
Review why wrong options are wrong, not only why the correct option is correct.
Key takeaway
Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.
Real-world example
How this comes up in practice
A security administrator must allow nursing staff to reach a patient records server while blocking access from the guest Wi-Fi VLAN. After applying an extended ACL, traffic is still blocked from nursing workstations. The ACL was applied outbound instead of inbound on the wrong interface. Questions like this test ACL direction and placement rules.
What to study next
Got this wrong? Here's your next step.
Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.
Endpoint Protection and Detection: this question tests the Endpoint Protection and Detection domain. Read the scenario before looking for a memorised answer.
About these practice questions
Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content.
This 350-701 practice question is part of Courseiva's free Cisco certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the 350-701 exam.