CCNA Content Security Questions

18 of 93 questions · Page 2/2 · Content Security topic · Answers revealed

76 · MCQ · medium

An organization is migrating from on-premises Cisco ESA to Cisco Cloud Email Security (CES). They need to ensure that email encryption policies remain consistent after migration. What is the best approach to migrate the encryption policies?

A. Export the configuration from on-premises ESA and import into CES
B. Use the Cisco ESA API to migrate policies automatically
C. Recreate the policies manually in CES based on existing documentation
D. Synchronize the two appliances using Cisco Security Management Suite

Answer: A

Export/import preserves exact policy settings and is the recommended migration approach.

Why this answer

Exporting the configuration from on-premises ESA and importing it into CES ensures consistency. Option C is wrong because manual re-creation is error-prone. Option B is wrong because using the API requires custom scripting and may not capture all policies.

Option D is wrong because there is no direct synchronization feature between on-premises and cloud ESA.

77 · Drag & Drop · medium

Drag and drop the steps to implement Cisco Umbrella (formerly OpenDNS) for DNS-layer security in the correct order.


Why this order

Start with registration, add network identity, point DNS to Umbrella, set policies, then verify.

78 · MCQ · medium

An email administrator sees the above log entry in the Cisco ESA. What will happen to the email?

A. The email will be quarantined and an administrator will review it
B. The email will be dropped and not delivered
C. The email will be encrypted before delivery
D. The email will be delivered with a warning

Answer: A

Quarantine action holds the email for review.

Why this answer

The log entry indicates that the email triggered a content filter action set to 'quarantine' in the Cisco ESA. When an email is quarantined, it is held in a designated quarantine mailbox for administrative review, allowing the administrator to release, delete, or further analyze the message. This is the default behavior for policies that require human intervention before delivery.

Exam trap

Cisco often tests the distinction between 'quarantine' (administrative review required) and 'drop' (silent discard) to see if candidates understand that quarantine preserves the message for later action, while drop permanently removes it.

How to eliminate wrong answers

Option B is wrong because 'drop' means the email is silently discarded without any notification or quarantine, which is not indicated by the log entry. Option C is wrong because encryption is a separate action applied during delivery, not a quarantine action, and the log does not reference any encryption policy. Option D is wrong because delivering with a warning would add a header or subject tag but still deliver the email, whereas the log shows the email was not delivered and was instead held for review.

79 · MCQ · medium

During a security audit, it is discovered that some users are bypassing the proxy by using HTTPS tunnels over port 443. The WSA is configured with an explicit proxy mode. What additional configuration is needed to prevent such bypass?

A. Implement a firewall rule to block outbound HTTP/HTTPS traffic except from the WSA
B. Enable SSL decryption on the WSA
C. Configure identity-based authentication for all users
D. Create a custom URL category for tunneling websites and block them

Answer: A

This forces all web traffic through the proxy, preventing bypass.

Why this answer

When using explicit proxy, clients must be configured to use the proxy. To prevent bypass, configure the firewall to block outbound HTTP/HTTPS traffic from non-proxy sources, or use transparent proxy with WCCP. Option B is wrong because enabling SSL decryption alone does not force traffic through the proxy. Option C is wrong because authenticating users does not prevent bypass. Option D is wrong because creating a deny URL category for tunnels is ineffective.

80 · MCQ · medium

A company uses Cisco WSA in transparent mode. They want to bypass proxy processing for all traffic to a specific internal server (10.0.0.5) to reduce latency. They create an access policy with a custom URL category and add the server's IP to the 'Proxy Bypass' list. However, traffic to that server is still being proxied. What is the most likely cause?

A. The IP address is incorrectly formatted in the bypass list
B. The access policy is placed after a deny rule
C. The proxy bypass list does not apply in transparent mode; instead use network ACLs to bypass WSA
D. The client is required to authenticate

Answer: C

In transparent mode, bypass must be done at the network level (WCCP redirect ACL or PBR) to avoid sending traffic to WSA.

Why this answer

In transparent mode, the Cisco WSA intercepts traffic at the network layer without explicit client configuration. The 'Proxy Bypass' list is designed for explicit proxy deployments where clients are configured to send traffic to the WSA; it does not function in transparent mode because the WSA cannot distinguish bypass requests from intercepted traffic. To bypass proxy processing in transparent mode, you must use network ACLs on upstream routers or switches to redirect traffic away from the WSA, or configure WCCP exclusion rules.

Exam trap

Cisco often tests the misconception that the 'Proxy Bypass' list is a universal bypass mechanism across all deployment modes, when in fact it only applies to explicit proxy configurations, not transparent mode.

How to eliminate wrong answers

Option A is wrong because IP address formatting errors (e.g., typos or subnet mismatches) would cause a different failure, but the bypass list itself is not applicable in transparent mode, so formatting is irrelevant. Option B is wrong because access policy ordering (e.g., a deny rule before the bypass policy) could affect traffic matching, but the core issue is that the bypass list mechanism is non-functional in transparent mode, not a policy sequence problem. Option D is wrong because client authentication requirements do not prevent bypass list functionality; authentication is a separate policy action and does not override the fundamental limitation of the bypass list in transparent mode.

81 · MCQ · hard

A company uses Cisco WSA with multiple authentication realms (LDAP, RADIUS, and local). They want to require multi-factor authentication (MFA) for external users but allow single sign-on (SSO) for internal corporate users. Which configuration approach should be used?

A. Use a single authentication realm with both LDAP and RADIUS configured, and rely on the client IP to choose the method
B. Configure an SSL VPN on WSA to differentiate user groups
C. Configure two authentication realms: one for internal (LDAP with Kerberos SSO) and one for external (RADIUS with MFA), then assign each realm to the appropriate access policies
D. Use SAML authentication with an Identity Provider that supports MFA

Answer: C

Multiple realms allow different authentication methods per policy.

Why this answer

Option C is correct because Cisco WSA supports multiple authentication realms, allowing you to assign different realms to different access policies. By configuring an internal realm with LDAP and Kerberos SSO for seamless authentication, and a separate external realm with RADIUS and MFA for stronger security, you can enforce MFA only for external users while maintaining SSO for internal users. This approach directly maps authentication methods to user groups based on policy, not on client IP or a single realm.

Exam trap

Cisco often tests the misconception that a single authentication realm can handle multiple authentication methods simultaneously, or that features like SSL VPN or SAML alone can solve policy-based MFA differentiation without realm-level configuration.

How to eliminate wrong answers

Option A is wrong because a single authentication realm cannot simultaneously support both LDAP and RADIUS as separate methods; WSA realms are configured with one primary authentication protocol, and relying on client IP to choose the method is not a supported feature for differentiating MFA vs. SSO. Option B is wrong because SSL VPN is not a feature of Cisco WSA; WSA is a web proxy and does not terminate VPN connections, so this configuration is irrelevant and would not differentiate user groups for authentication.

Option D is wrong because while SAML with an IdP can support MFA, it does not inherently allow you to enforce MFA only for external users while using SSO for internal users within the same WSA configuration; you would still need separate realms or policies to differentiate the authentication flow, and SAML alone does not provide the granular policy-based realm assignment that option C does.

82 · MCQ · easy

An administrator wants to prevent confidential data (e.g., credit card numbers) from being sent via email using Cisco ESA. Which feature should be enabled and configured with the appropriate dictionary?

A. Outbreak Filters with file reputation
B. Anti-Spam with URL reputation
C. Message Filters with regex pattern matching
D. Data Loss Prevention (DLP) with a predefined credit card dictionary

Answer: D

DLP is designed for sensitive data detection using predefined dictionaries.

Why this answer

Cisco ESA's Data Loss Prevention (DLP) feature is specifically designed to inspect outbound messages for sensitive data patterns, such as credit card numbers, using predefined dictionaries. By enabling DLP and selecting the appropriate credit card dictionary, the administrator can enforce policies to block or quarantine emails containing confidential information, directly addressing the requirement.

Exam trap

Cisco often tests the distinction between content inspection features (DLP) and threat-focused features (Outbreak Filters, Anti-Spam), leading candidates to confuse message filters or outbreak filters with DLP's specialized data classification capabilities.

How to eliminate wrong answers

Option A is wrong because Outbreak Filters with file reputation are designed to block malicious attachments based on file reputation and outbreak rules, not to inspect message content for sensitive data patterns like credit card numbers. Option B is wrong because Anti-Spam with URL reputation focuses on identifying and blocking spam emails based on sender reputation and malicious URLs, not on detecting confidential data within the email body or attachments. Option C is wrong because Message Filters with regex pattern matching can be used for custom content inspection, but they lack the predefined, comprehensive dictionaries and compliance-focused policies that DLP provides for sensitive data like credit card numbers, making DLP the correct and more efficient solution.

83 · MCQ · hard

A network administrator is troubleshooting an issue where users cannot send emails with attachments larger than 10 MB through the Cisco Email Security Appliance (ESA). The ESA is configured with a mail flow policy that has a maximum message size of 20 MB. What is the most likely cause of the issue?

A. The mail flow policy maximum message size is set too low.
B. The HAT (Host Access Table) maximum message size is set to 10 MB.
C. The outgoing mail policy has a smaller attachment size limit.
D. The ESA default maximum attachment size is 10 MB.

Answer: D

The default maximum attachment size in ESA is 10 MB, which restricts attachments even if the overall message size is larger.

Why this answer

The Cisco ESA has a built-in default maximum attachment size of 10 MB, which is separate from the mail flow policy's maximum message size. Even though the mail flow policy allows messages up to 20 MB, the attachment size limit is enforced by the ESA's default configuration, which caps individual attachments at 10 MB. This default can be overridden in the mail flow policy or system settings, but if not explicitly changed, it remains the limiting factor.

Exam trap

The trap here is that candidates confuse the mail flow policy's maximum message size with the attachment size limit, assuming that increasing the message size automatically allows larger attachments, when in fact they are independently configured.

How to eliminate wrong answers

Option A is wrong because the mail flow policy maximum message size is set to 20 MB, which is already larger than the 10 MB attachment limit, so it is not the cause. Option B is wrong because the HAT (Host Access Table) controls sender-based access and rate limiting, not attachment size limits; attachment size is governed by mail flow policies or system defaults. Option C is wrong because outgoing mail policies do not have a separate attachment size limit; the attachment size is controlled by the same mail flow policy or global default settings.

84 · MCQ · easy

A network administrator is configuring Cisco Email Security Appliance (ESA) to prevent outgoing spam. The company wants to ensure that all outgoing emails contain a legal disclaimer and that any email with more than 20 recipients is delayed. Which two features should be combined?

A. Outgoing mail policy with Disclaimer action and Destination Controls
B. Data Loss Prevention (DLP) and Outbreak Filters
C. Antivirus scanning
D. Message Filters with content scanning

Answer: A

The Disclaimer action adds the legal text, and Destination Controls can set recipient rate limits.

Why this answer

Option A is correct because the requirement to add a legal disclaimer is met by the Disclaimer action within an Outgoing Mail Policy, and the requirement to delay emails with more than 20 recipients is met by Destination Controls, which allow rate-limiting based on recipient count per message. These two features are specifically designed for outgoing email control and can be combined in a single mail policy.

Exam trap

Cisco often tests the distinction between Mail Policies (which include Disclaimer and Destination Controls) and Message Filters (which are more granular but lack Destination Controls), leading candidates to incorrectly choose Message Filters for both requirements.

How to eliminate wrong answers

Option B is wrong because Data Loss Prevention (DLP) focuses on detecting and blocking sensitive data in emails, not on adding disclaimers or delaying messages based on recipient count; Outbreak Filters are designed to detect and block new malware outbreaks, not for disclaimer insertion or recipient-based delays. Option C is wrong because Antivirus scanning only detects and removes malware in email attachments; it does not add disclaimers or enforce recipient count limits. Option D is wrong because Message Filters with content scanning can add disclaimers but cannot enforce recipient-based delays; Destination Controls are a separate feature not available within Message Filters.

85 · MCQ · medium

A company uses Cisco WSA to proxy web traffic. After configuring a decryption policy to inspect HTTPS traffic to a specific external site, users report they can still access the site without any warning or interruption. Which action should the administrator take to ensure HTTPS inspection is applied?

A. Add the site to the 'HTTPS Bypass' list
B. Import the WSA root CA certificate into client browsers
C. Change the policy action from 'Passthrough' to 'Decrypt'
D. Move the decryption policy to the top of the list

Answer: C

The decryption policy must have the action set to 'Decrypt' to inspect HTTPS traffic.

Why this answer

Option C is correct because the decryption policy must have an action of 'Decrypt' to actually perform HTTPS inspection. If the policy action is set to 'Passthrough', the WSA forwards the traffic without decrypting it, so users experience no warning or interruption. Changing the action to 'Decrypt' forces the WSA to intercept the TLS handshake, decrypt the traffic, and apply security policies.

Exam trap

Cisco often tests the distinction between policy configuration (action) and trust infrastructure (CA certificate), leading candidates to mistakenly choose importing the root CA when the real issue is the policy action not being set to 'Decrypt'.

How to eliminate wrong answers

Option A is wrong because adding the site to the 'HTTPS Bypass' list would explicitly exclude it from decryption, which is the opposite of what is needed. Option B is wrong because importing the WSA root CA certificate into client browsers is necessary for users to trust the decrypted connection, but it does not enable the decryption itself; the policy action must first be set to 'Decrypt'. Option D is wrong because moving the policy to the top of the list only affects rule precedence; if the policy action is still 'Passthrough', it will still bypass decryption regardless of its position.

86 · MCQ · hard

An engineer is troubleshooting a Cisco WSA that is failing to block malware downloads from a specific cloud storage website. The URL filtering policy is set to block the 'Cloud Storage' category, and the Web Reputation score is set to block scores below -5.0. Users can still download files. What is the most likely cause?

A. The file type is not configured for malware inspection
B. HTTPS proxy decryption is not configured
C. The L4 Traffic Monitor is not enabled
D. The users are not authenticated

Answer: A

Malware inspection only applies to specified file types; if not included, downloads pass through.

Why this answer

The Cisco WSA can block malware downloads only if it inspects the file content. If the file type is not configured for malware inspection, the WSA will allow the download even if the URL category and reputation score are set to block. This is because malware inspection requires explicit configuration of file types (e.g., .exe, .zip) to scan for threats, and without it, the WSA bypasses deep content analysis.

Exam trap

Cisco often tests the misconception that URL filtering and reputation scores alone are sufficient to block malware, but the trap here is that malware inspection must be explicitly configured for specific file types to actually scan and block malicious content.

How to eliminate wrong answers

Option B is wrong because HTTPS proxy decryption is required to inspect encrypted traffic, but the question does not specify that the cloud storage website uses HTTPS; even if it does, the core issue is that the file type is not inspected, not the lack of decryption. Option C is wrong because the L4 Traffic Monitor is used for monitoring traffic flows and does not affect malware inspection or URL filtering decisions. Option D is wrong because user authentication is not required for URL filtering or malware inspection to apply; the WSA can enforce policies based on source IP or other criteria without authentication.

87 · MCQ · medium

An organization uses Cisco ESA to filter inbound email. The security team notices that some phishing emails are reaching users despite having an anti-spam policy. Further analysis reveals that the emails are sent from a domain that is gray-listed but not blocked. What should the administrator do to prevent these emails without impacting legitimate emails?

A. Disable the Gray Mail feature in the anti-spam policy.
B. Create a content filter to quarantine the emails based on malicious URLs or attachment type.
C. Enable Retrospective Scanning to detect the phishing emails after delivery.
D. Add the sender IP address to the SenderBase block list.

Answer: B

A content filter targets the specific threat content rather than the sender as a whole.

Why this answer

Option B is correct because creating a content filter to quarantine emails based on malicious URLs or attachment type directly addresses the phishing threat without affecting legitimate emails. Since the domain is gray-listed (not blocked), the anti-spam policy considers the sender as suspicious but not malicious; a content filter can inspect the email content for specific indicators of compromise (e.g., known malicious URLs or dangerous attachment types like .exe or .js) and quarantine those emails, bypassing the gray-mail classification.

Exam trap

Cisco often tests the distinction between anti-spam policies (which classify based on sender reputation and content patterns) and content filters (which allow rule-based actions on specific email attributes), leading candidates to mistakenly choose options that modify the anti-spam policy or rely on post-delivery detection instead of pre-delivery prevention.

How to eliminate wrong answers

Option A is wrong because disabling the Gray Mail feature would remove the gray-listing classification entirely, potentially allowing more spam or phishing emails to reach users, and it does not specifically block the phishing emails. Option C is wrong because Retrospective Scanning (using Cisco Advanced Phishing Protection) detects threats after delivery and can recall messages, but it does not prevent the initial delivery; the question asks to 'prevent these emails' from reaching users. Option D is wrong because adding the sender IP address to the SenderBase block list would block all emails from that IP, which could impact legitimate emails if the IP is shared or if the sender uses a legitimate mail server that is temporarily compromised.

88 · MCQ · hard

An administrator reviewed the log entry from the Cisco ESA exhibit. The DLP policy is set to 'Continue (with disclaimer)' for credit card matches. How should the policy be changed to prevent this data leakage?

A. Remove the DLP policy assignment for the Finance mail flow.
B. Change the DLP policy action from 'Continue' to 'Drop'.
C. Lower the DLP sensitivity threshold.
D. Enable TLS encryption on the policy.

Answer: B

Drop prevents delivery of messages containing credit card numbers.

Why this answer

Option B is correct because the current DLP policy action 'Continue (with disclaimer)' allows the email to be delivered after appending a disclaimer, which does not prevent data leakage. Changing the action to 'Drop' will block the email entirely, preventing the credit card data from leaving the organization. This directly addresses the requirement to stop the data leakage.

Exam trap

Cisco often tests the misconception that adding a disclaimer or encryption is sufficient to prevent data leakage, when in fact only blocking (Drop) or quarantining the message stops the actual transmission of sensitive content.

How to eliminate wrong answers

Option A is wrong because removing the DLP policy assignment for the Finance mail flow would disable all DLP scanning for that flow, which is an overreaction and does not target the specific issue of credit card matches; it would leave other potential violations unmonitored. Option C is wrong because lowering the DLP sensitivity threshold would make the policy match more easily, potentially increasing false positives and not preventing the leakage of already-detected credit card data. Option D is wrong because enabling TLS encryption only secures the transmission channel between mail servers; it does not inspect or block the content of the email, so it cannot prevent data leakage of credit card numbers.

89 · MCQ · medium

An organization uses Cisco ESA and wants to implement a policy that automatically encrypts emails containing credit card numbers before delivery. What feature should be used?

A. Anti-spam engine
B. Anti-virus engine
C. Email authentication (SPF, DKIM)
D. DLP policy with encryption action

Answer: D

DLP can trigger encryption based on policy.

Why this answer

D is correct because Cisco ESA includes a Data Loss Prevention (DLP) feature that can scan email content for sensitive data patterns, such as credit card numbers (matching Luhn algorithm and known issuer prefixes). When a match is found, the DLP policy can trigger an encryption action, automatically encrypting the email before delivery to protect the sensitive information in transit.

Exam trap

The trap here is that candidates confuse DLP with anti-spam or anti-virus engines, assuming any security feature can handle content-based encryption, but only DLP policies have the specific content inspection and policy-driven encryption action capability in Cisco ESA.

How to eliminate wrong answers

Option A is wrong because the Anti-spam engine is designed to detect and filter unsolicited bulk email (spam) based on reputation and content analysis, not to identify sensitive data like credit card numbers or apply encryption. Option B is wrong because the Anti-virus engine scans for malware signatures and malicious attachments, not for pattern-based sensitive data, and cannot enforce encryption actions. Option C is wrong because Email authentication (SPF, DKIM) validates the sender's domain and message integrity to prevent spoofing and phishing, but it does not inspect message content for credit card numbers nor apply encryption.

90 · MCQ · hard

An enterprise is deploying a hybrid email security solution using Cisco Email Security Appliance (ESA) on-premises and Cisco Cloud Email Security (CES). The organization wants to use the cloud for spam filtering while the on-premises ESA handles DLP and encryption for sensitive data. Inbound emails should be processed by the cloud first, then sent to the on-premises ESA. Which architecture correctly implements this requirement?

A. MX record → On-premises ESA → Internal mail server, with a separate smart host via CES
B. MX record → Dual MX pointing to both CES and ESA
C. MX record → On-premises ESA → Cisco CES → Internal mail server
D. MX record → Cisco CES → On-premises ESA → Internal mail server

Answer: D

This flow ensures cloud spam filtering first, then DLP/encryption on-premises.

Why this answer

Option D is correct because it places Cisco CES (cloud) first in the email flow to handle spam filtering, then forwards the cleaned messages to the on-premises ESA for DLP and encryption before delivery to the internal mail server. This matches the requirement that inbound emails be processed by the cloud first, then the on-premises ESA, with CES acting as the initial SMTP gateway via MX record.

Exam trap

Cisco often tests the order of processing in hybrid email architectures, and the trap here is that candidates mistakenly think the on-premises ESA should be the first hop (Option C) or that dual MX records can enforce sequential processing (Option B), when in reality the MX record must point to the cloud service to ensure the correct flow.

How to eliminate wrong answers

Option A is wrong because it sends inbound emails directly to the on-premises ESA first, bypassing the cloud spam filtering, and the separate smart host via CES would only be used for outbound or relay traffic, not for the required inbound flow. Option B is wrong because dual MX records pointing to both CES and ESA would cause load balancing or failover, not sequential processing; inbound emails could arrive at either device first, violating the requirement that cloud processes first. Option C is wrong because it places the on-premises ESA before CES in the flow, meaning inbound emails hit the on-premises ESA first, which contradicts the requirement that cloud handles spam filtering before the on-premises ESA handles DLP and encryption.

91 · MCQ · hard

A large enterprise recently migrated to Cisco Email Security Appliance (ESA) for inbound email filtering. The security team notices an increasing number of phishing emails that bypass the spam filter. Analysis shows that these emails originate from a legitimate but compromised domain (example-bank.com), use valid DKIM signatures, and have low spam scores due to carefully crafted benign text and embedded images. The team already has SenderBase enabled and uses the default spam threshold. The CEO received a convincing phishing email that led to a credential leak. Which course of action should the security team take to best mitigate this threat without causing significant false positives?

A. Increase the spam threshold to catch lower-scoring emails.
B. Enable graymail filtering to categorize these emails as bulk suspicious.
C. Create a content filter that detects the domain 'example-bank.com' in the envelope sender and sets the action to 'drop'.
D. Implement DMARC with a quarantine policy for the domain.

Answer: C

This directly blocks emails from the known malicious domain without affecting other domains, minimizing false positives.

Why this answer

Option C is correct because creating a content filter to detect the specific malicious domain in the envelope sender (MAIL FROM) and applying a 'drop' action directly blocks emails from that domain. This is a targeted approach that does not affect other domains. Option B is incorrect because graymail filtering is for newsletters and bulk mail, not for targeted phishing.

Option A is incorrect because increasing the spam threshold may cause more false positives and may still not catch these low-scoring emails. Option D is incorrect because DMARC with quarantine would only help if the domain were being spoofed, but these emails actually come from the legitimate domain, which is compromised.

92 · MCQ · hard

While troubleshooting an issue where Cisco ESA occasionally fails to process inbound messages, the administrator checks the listener settings and sees that the 'Pool of listeners' option is configured. The mail logs show 'Connection refused' errors during peak hours. What is the most likely cause?

A. The listener service is stopped
B. Listener pool has too few listeners or the pool is misconfigured
C. The sender's IP is blacklisted
D. DNS resolution failure for the sending MTA

Answer: B

A pool of listeners shares the same IP:port and can become exhausted when there are too many simultaneous connections.

Why this answer

The 'Connection refused' error during peak hours indicates that the Cisco ESA's listener service is actively rejecting new SMTP connections because the configured listener pool has reached its maximum capacity. The 'Pool of listeners' option defines a set of listener processes that handle inbound mail; if the pool size is too small for the traffic volume, new connections are refused. This is a resource exhaustion issue specific to the listener pool, not a service outage or external blocking.

Exam trap

Cisco often tests the distinction between a stopped service (which causes persistent failures) and a resource-exhausted pool (which causes intermittent failures during high load), leading candidates to mistakenly choose 'listener service is stopped' when the logs show 'Connection refused' only at peak times.

How to eliminate wrong answers

Option A is wrong because if the listener service were stopped, the error would be 'Connection refused' consistently at all times, not only during peak hours, and the mail logs would show a persistent failure rather than intermittent peak-hour issues. Option C is wrong because a blacklisted sender IP would result in a 5xx rejection with a specific anti-spam or reputation-based message in the logs, not a generic 'Connection refused' error. Option D is wrong because DNS resolution failure for the sending MTA would cause a 'Name or service not known' or timeout error during the SMTP handshake, not a 'Connection refused' which occurs at the TCP layer before any DNS lookup is relevant.

93 · MCQ · medium

A university is using Cisco ESA to manage email for 20,000 students and staff. They have implemented anti-spam and anti-virus policies. Recently, the IT helpdesk has been receiving complaints that legitimate emails from external senders (such as admissions notifications) are being marked as spam and quarantined. The administrators check the ESA and find that these emails are being flagged with a spam score above the threshold, but the content appears to be legitimate. The sending domains are not on any blacklist. The ESA is using default anti-spam settings. What should the administrator do to reduce false positives without compromising security?

A. Create a content filter to allow any email with 'admissions' in the subject.
B. Disable anti-spam scanning for all inbound email.
C. Add the legitimate sender domains or IPs to the ESA's whitelist (SenderBase whitelist).
D. Lower the spam threshold to decrease sensitivity.

Answer: C

Whitelist trusted senders.

Why this answer

Option C is correct because adding the legitimate sender domains or IPs to the ESA's SenderBase whitelist explicitly bypasses anti-spam scanning for those trusted sources, reducing false positives while maintaining security for all other inbound email. This approach leverages the ESA's reputation-based filtering to allow known good senders without lowering the global spam threshold or disabling protection entirely.

Exam trap

Cisco often tests the distinction between whitelisting (bypassing scanning) and content filters (applying actions after scanning), leading candidates to mistakenly choose a content filter rule that can be exploited or a threshold adjustment that worsens false positives.

How to eliminate wrong answers

Option A is wrong because creating a content filter based solely on the subject line 'admissions' is too broad and can be easily bypassed by spammers, leading to security gaps. Option B is wrong because disabling anti-spam scanning for all inbound email removes protection against spam and malware, compromising the university's email security posture. Option D is wrong because lowering the spam threshold increases sensitivity, which would actually cause more false positives, not reduce them.
