CCNA Endpoint Protection Questions

75 of 80 questions · Page 1/2 · Endpoint Protection topic

1
Multi-Select · medium

A company is deploying Cisco Secure Endpoint and wants to ensure that endpoints are protected against zero-day exploits. Which two features should be enabled to provide this protection? (Choose two.)

Select 2 answers
A. File Reputation
B. Exploit Prevention
C. Malware Analytics (sandboxing)
D. Application Control
E. Device Control
Answers: B, C

Exploit Prevention protects against exploit techniques used by zero-day attacks.

Why this answer

Exploit Prevention (B) is correct because it uses exploit-specific signatures and behavioral monitoring to block common exploitation techniques (e.g., heap spray, ROP, SEH overwrite) without relying on known malware signatures, making it effective against zero-day exploits. Malware Analytics (C) is correct because it detonates suspicious files in a sandboxed environment to analyze behavior and detect previously unknown threats, providing protection against zero-day malware before signatures are available.

Exam trap

Cisco often tests the distinction between signature-based detection (File Reputation) and behavior-based detection (Exploit Prevention and Malware Analytics), leading candidates to mistakenly choose File Reputation because they assume it covers all unknown threats.

2
MCQ · medium

An incident responder uses the Cisco AMP for Endpoints console to investigate a potential malware outbreak. The endpoint shows multiple files with high prevalence and cloud verdicts of 'unknown'. The responder wants to quickly identify files that were executed from a malicious parent process. Which console feature best assists this analysis?

A. Device Trajectory to review the event timeline.
B. Group Policy to check applied policies.
C. Dashboard to view overall threat scores.
D. File Search to find files with unknown verdict.
Answer: A

Device Trajectory shows process execution details and parent-child relationships.

Why this answer

Option A is correct because the Device Trajectory feature provides a time-ordered sequence of events, including parent-child process relationships. Option D is wrong because File Search only lists files, not process relationships. Option C is wrong because the Dashboard gives only a high-level overview.

Option B is wrong because Group Policy shows policy settings, not events.

3
MCQ · hard

Based on the exhibit, what is the most likely reason that traffic matching the AMP_block access-list is not being blocked?

A. The remark command is incorrectly formatted
B. The policy-map does not include a pass or block action for the access-list
C. The access-list is not referenced in any policy-map or class-map
D. The access-list is not applied to an interface
Answer: C

The access-list must be referenced in a policy-map (e.g., via a class-map) to be enforced; the exhibit shows no such reference.

Why this answer

Option C is correct. The AMP_block access-list is defined but not referenced in any policy-map or class-map, so it is never applied to traffic. Option B is wrong because the policy-map uses inspect commands, which do not automatically apply access-lists.

Option A is wrong because remarks do not affect functionality. Option D is wrong because an access-list applied globally on an FTD does not require an interface; the issue is that it is not referenced in a policy, not that an interface is missing.

4
MCQ · medium

A security administrator notices that several endpoints in the finance department are exhibiting unusual network behavior, including connections to known malicious IP addresses. The administrator has deployed Cisco Secure Endpoint (formerly AMP for Endpoints) with TETRA and has enabled the built-in firewall. What is the best course of action to quickly identify the root cause and contain the threat?

A. Disable the built-in firewall on the endpoints to allow full traffic inspection by the TETRA engine.
B. Use the Cisco Secure Endpoint console to review the TETRA engine's real-time traffic analysis and isolate the affected endpoints.
C. Wait for the weekly threat report from Cisco Talos to identify the malware family and then apply a signature update.
D. Uninstall the Cisco Secure Endpoint connector and reinstall it with a fresh policy.
Answer: B

TETRA provides real-time traffic analysis; the console allows immediate visibility and isolation.

Why this answer

Option B is correct because Cisco Secure Endpoint with TETRA provides real-time traffic analysis and endpoint isolation capabilities directly from the console. The TETRA engine inspects network flows using behavioral analysis and machine learning, and the administrator can immediately isolate affected endpoints to prevent lateral movement while reviewing the root cause.

Exam trap

Cisco often tests the misconception that disabling security controls (like the firewall) will improve detection, when in fact the TETRA engine operates independently and isolation is the correct containment step.

How to eliminate wrong answers

Option A is wrong because disabling the built-in firewall removes a critical layer of defense and does not improve TETRA's inspection; TETRA operates independently of the host firewall. Option C is wrong because waiting for a weekly Talos report is too slow for an active threat, and signature updates are reactive rather than providing immediate containment. Option D is wrong because reinstalling the connector with a fresh policy is disruptive, time-consuming, and does not address the need for rapid root cause analysis and containment.

5
MCQ · easy

A network administrator notices that an endpoint running the AMP connector is not sending events to the cloud. The connector status shows 'Connected' in the AMP console. What is the most likely cause?

A. The AMP license has expired.
B. The endpoint is behind a proxy that does not allow HTTPS traffic to the AMP cloud.
C. Inbound firewall rules block incoming connections to the AMP connector.
D. The AMP connector service is stopped on the endpoint.
Answer: B

The connector can establish a TCP connection (appear connected) but event submission over HTTPS fails through the proxy.

Why this answer

The AMP connector status shows 'Connected' in the AMP console, which indicates that the endpoint has successfully established a TCP connection and authenticated with the AMP cloud. However, if the endpoint is behind a proxy that does not allow HTTPS (TCP/443) traffic to the AMP cloud, the connector may appear connected (due to a persistent keep-alive or cached status) but cannot send event data because the proxy is blocking the actual data-plane traffic. This is a common misconfiguration where the proxy allows the initial handshake but filters subsequent HTTPS requests.

Exam trap

Cisco often tests the distinction between a 'Connected' status (which only indicates a control-plane or registration state) and actual data-plane functionality (event uploads), leading candidates to overlook proxy or firewall egress issues that block HTTPS traffic.

How to eliminate wrong answers

Option A is wrong because an expired AMP license would prevent the connector from authenticating or registering, resulting in a 'Disconnected' or 'Unlicensed' status, not 'Connected'. Option C is wrong because inbound firewall rules block incoming connections to the endpoint, but the AMP connector initiates outbound HTTPS connections to the cloud; inbound rules are irrelevant for event uploads. Option D is wrong because if the AMP connector service is stopped on the endpoint, the connector would not be able to maintain a 'Connected' status in the AMP console; the status would show 'Disconnected' or 'Offline'.

6
Multi-Select · hard

Which TWO of the following are valid action types that can be assigned to a file in an AMP policy rule?

Select 2 answers
A. Scan
B. Monitor
C. Quarantine
D. Block
E. Delete
Answers: C, D

Quarantine moves the file to a secure location and prevents access.

Why this answer

Options C and D are correct. AMP policy rules can set actions such as 'Quarantine' (C) and 'Block' (D). Option E is incorrect because 'Delete' is not a direct action in AMP; quarantine effectively removes the file.

Option B is incorrect because 'Monitor' is a logging level, not an action. Option A is incorrect because 'Scan' is not an action; scanning is inherent.

7
MCQ · easy

A small business uses Cisco AMP for Endpoints with a cloud-based console. The owner receives an email from Cisco that the AMP connector on a specific endpoint has gone offline. The endpoint is a Windows 10 laptop used for remote work. The owner checks the AMP console and sees the endpoint's last check-in was three days ago. The owner contacts the remote user, who says the laptop is running normally and they can access the internet. What should the owner do to resolve the issue?

A. Instruct the user to disable Windows Firewall temporarily.
B. Ask the user to install the latest Windows updates.
C. Ask the user to uninstall and reinstall the AMP connector.
D. Instruct the user to restart the AMP connector service (Cisco AMP for Endpoints Connector).
Answer: D

Restarting the service often resolves check-in issues.

Why this answer

Option D is correct because the most likely issue is that the AMP connector service has stopped or crashed. Restarting the service will re-establish communication. Option C (reinstall the connector) is unnecessary.

Option A (disable Windows Firewall) is unlikely to help since internet access already works. Option B (install Windows updates) is not directly related.

8
MCQ · medium

Refer to the exhibit. The file invoice.pdf was determined to be malicious by the AMP cloud, yet the endpoint allowed it to execute. What is the most likely reason?

A. The endpoint was not up to date with the latest AMP connector patches.
B. The AMP policy was configured to allow files with a certain confidence level or based on a custom rule.
C. The file was not analyzed locally because local analysis was disabled.
D. The AMP connector lost connectivity after sending the file and fell back to a local allow policy.
Answer: B

The log explicitly states the action was due to a policy rule that allows on low confidence, overriding the malicious determination.

Why this answer

Option B is correct because the policy rule 'Allow on low confidence' overrides the cloud verdict. Option A is wrong because the patch level is not indicated as an issue. Option C is wrong because the file was analyzed locally, and a verdict was returned.

Option D is wrong because the action was explicit, not a fallback.

9
MCQ · hard

Refer to the exhibit. An analyst reviews the log from a Cisco Secure Endpoint connector. The file 'invoice.pdf.exe' was quarantined. What best describes the detection process that occurred?

A. The file was blocked at execution time by Exploit Prevention.
B. The cloud reputation was unknown, but local analysis detected malicious behavior, triggering quarantine.
C. The cloud reputation determined the file was malicious and instructed the connector to quarantine.
D. The file was executed and then reverted by the retrospective engine.
Answer: B

Log shows cloud result UNKNOWN, then local analysis verdict Malicious.

Why this answer

Option B is correct because the log shows the file 'invoice.pdf.exe' was quarantined based on local analysis after the cloud reputation returned an unknown verdict. Cisco Secure Endpoint uses a multi-layered approach: if the cloud reputation is unknown, the connector performs local analysis (e.g., static analysis, behavioral monitoring) to detect malicious behavior. In this case, the local analysis flagged the file as malicious, triggering the quarantine action.

Exam trap

Cisco often tests the distinction between cloud reputation, local analysis, and retrospective analysis — the trap here is assuming that quarantine always requires a malicious cloud verdict, when in fact local analysis can independently trigger quarantine when the cloud verdict is unknown.

How to eliminate wrong answers

Option A is wrong because Exploit Prevention blocks exploits at execution time by monitoring for specific exploit techniques (e.g., heap spray, ROP), not by analyzing file reputation or behavior after execution; the log indicates quarantine after analysis, not a block at execution. Option C is wrong because the cloud reputation was unknown, not malicious; if the cloud had determined the file was malicious, it would have instructed the connector to block or quarantine immediately without requiring local analysis. Option D is wrong because the retrospective engine reverts files after they have been executed and later found malicious via cloud or local analysis; the log shows quarantine during the initial analysis, not a post-execution revert.

10
MCQ · easy

Refer to the exhibit. A security engineer reviews the Cisco Secure Endpoint policy. If an endpoint is offline when a user downloads a file, what will happen?

A. The file will be held until the endpoint comes online and a cloud lookup completes.
B. The file will be quarantined due to the aggressive exploit prevention level.
C. The file will be allowed because local cache will store an unknown disposition.
D. The file will be blocked immediately by scan-on-write.
Answer: C

Local cache stores unknown disposition; file is allowed until cloud lookup can be performed later.

Why this answer

When an endpoint is offline, Cisco Secure Endpoint cannot perform a cloud lookup to determine the file's disposition. The local cache stores the disposition as 'unknown' for files that have not been seen before, and the file is allowed to execute because the default action for an unknown disposition in an offline scenario is to permit the file. This behavior is controlled by the policy setting for 'Unknown' files, which defaults to 'Allow' when the cloud is unreachable.

Exam trap

Cisco often tests the misconception that offline endpoints will block or quarantine unknown files, when in fact the default behavior is to allow them based on local cache and policy settings for unknown dispositions.

How to eliminate wrong answers

Option A is wrong because Cisco Secure Endpoint does not hold files in a pending state when offline; it uses local caching and allows unknown files by default rather than queuing them for later cloud lookup. Option B is wrong because the aggressive exploit prevention level does not cause file quarantine for offline downloads; exploit prevention focuses on behavioral analysis and exploit detection, not on offline file disposition decisions. Option D is wrong because scan-on-write is a real-time scanning feature that blocks files based on known malware signatures, but it cannot block a file with an unknown disposition when the endpoint is offline and no local signature match exists.

11
MCQ · medium

An organization is deploying Cisco Secure Endpoint (AMP) in a high-security environment where endpoints are air-gapped from the internet. The security team needs to maintain up-to-date threat intelligence without direct cloud access. They have a dedicated local server that can download feeds from the AMP cloud once and distribute to endpoints. The server runs the AMP Private Cloud software. However, after installation, endpoints are not receiving updates. The team verifies that the Private Cloud server can reach the AMP cloud via a managed proxy. The endpoints can communicate with the Private Cloud server on TCP 443. What is the most likely cause of the update failure?

A. The proxy is not properly configured to allow HTTPS from the Private Cloud to the AMP cloud.
B. The Private Cloud appliance has not been registered and licensed in the AMP console.
C. The endpoints are using an incorrect certificate to authenticate to the Private Cloud.
D. The Private Cloud server's disk is full, preventing new update downloads.
Answer: B

Registration is required to sync threat intelligence.

Why this answer

Option B is correct because the Private Cloud must be registered and licensed with Cisco to receive updates. Without registration, it cannot download threat intelligence. Option A (proxy misconfiguration) is possible but the team verified the proxy works.

Option C (endpoint certificate issue) is less likely; endpoints authenticate via policy. Option D (Private Cloud out of disk space) would log errors, but not the primary cause if the server is newly set up.

12
MCQ · hard

Refer to the exhibit. A network administrator configured IP Source Guard and DHCP Snooping on a switch. A host connected to GigabitEthernet0/2 with MAC address 0050.7966.6801 has been assigned IP 192.168.1.10 via DHCP. The host now tries to use IP 192.168.1.20. What will happen?

A. The switch drops all traffic from the host with source IP 192.168.1.20.
B. The switch sends an ARP probe to verify the IP is unused, then updates the binding.
C. The switch updates the binding table to allow 192.168.1.20.
D. The switch allows the traffic because the host is trusted on that port.
Answer: A

IP Source Guard filters traffic based on the binding table; unmatched source IPs are dropped.

Why this answer

IP Source Guard uses DHCP snooping binding table to enforce IP-to-port mapping. When the host at GigabitEthernet0/2 with MAC 0050.7966.6801 attempts to use IP 192.168.1.20 instead of its DHCP-assigned IP 192.168.1.10, the switch compares the source IP of the packet against the binding table. Since 192.168.1.20 is not bound to that port and MAC, the switch drops all traffic from that host with source IP 192.168.1.20, preventing IP spoofing.

Exam trap

Cisco often tests the misconception that IP Source Guard allows traffic from a trusted host or that it dynamically updates bindings via ARP, when in fact it strictly enforces the DHCP snooping binding table and drops any non-matching traffic.

How to eliminate wrong answers

Option B is wrong because IP Source Guard does not send ARP probes; it simply drops traffic that does not match the DHCP snooping binding, and it does not dynamically update bindings based on ARP. Option C is wrong because the binding table is only updated via DHCP snooping (DHCP ACK messages) or static configuration, not by the host arbitrarily changing its IP address. Option D is wrong because the host is not configured as a trusted port for DHCP snooping; trust is applied to uplink ports (e.g., toward the DHCP server), not to access ports like GigabitEthernet0/2.

13
MCQ · hard

A multinational company plans to deploy Cisco AMP for Endpoints across 10,000 endpoints in geographically diverse offices. The security team is concerned about WAN bandwidth usage when endpoints communicate with the AMP cloud. Which design approach best minimizes cloud communication traffic while maintaining effective protection?

A. Disable real-time file scanning and rely on scheduled scans only.
B. Reduce the frequency of file reputation lookups by setting a longer cache time.
C. Deploy a forward proxy to cache AMP cloud responses.
D. Deploy an AMP Private Cloud appliance on-site to handle local reputation queries.
Answer: D

Private Cloud provides local caching and reduces internet traffic.

Why this answer

Option D is correct because a local private cloud appliance (the AMP Private Cloud) keeps reputation traffic within the LAN and reduces WAN usage. Option B is wrong because lookup frequency can be reduced with a longer cache time, but that compromises protection. Option C is wrong because a forward proxy adds latency and does not reduce cloud queries.

Option A is wrong because disabling real-time scanning reduces protection.

14
Matching · medium

Match each threat type to its definition.


Concepts
Matches

Fraudulent emails to steal sensitive info

Malware that encrypts data for ransom

Distributed attack to overwhelm a service

Attacker intercepts communications

Attack on unknown vulnerability

Why these pairings

These are common cybersecurity threats.

15
MCQ · medium

A security engineer wants to implement file reputation analysis using Cisco AMP for Endpoints. The policy must block files that are known to be malicious in the cloud and quarantine unknown files for further analysis. Which AMP policy configuration achieves this?

A. Create a policy with File Reputation rules: Malware -> Block, Unknown -> Quarantine.
B. Create a policy with Application Control to block all executables from the internet.
C. Create a policy with File Reputation rules: Malware -> Block, Unknown -> Allow.
D. Create a policy with Custom Detection rules for specific SHA256 hashes only.
Answer: A

This matches the requirement to block known malware and quarantine unknown files.

Why this answer

Option A is correct because 'File Reputation' with action 'Block' for Malware and 'Quarantine' for Unknown meets the requirement. Option C is incorrect because 'Allow' for Unknown does not quarantine. Option D is incorrect because 'Custom Detection' does not directly address global reputation.

Option B is incorrect because 'Application Control' is for allow/block lists, not reputation.

16
MCQ · medium

A company uses Cisco AMP for Endpoints and also deploys Cisco Firepower Next-Generation Firewall (NGFW) with AMP integration. The security team wants to see endpoint detections in the Firepower Management Center (FMC). What must be configured to enable this integration?

A. Enable the AMP integration in the FMC and ensure the AMP cloud account is configured with the correct API credentials.
B. Configure the AMP connectors to send Syslog events to the FMC.
C. Deploy an on-premises AMP console to forward events to FMC.
D. Configure the Firepower NGFW to be the default gateway for the endpoints.
Answer: A

The integration uses API calls between FMC and AMP cloud to exchange threat intelligence.

Why this answer

Option A is correct because the AMP connector must be registered with the AMP cloud, and the FMC must be configured to pull events via API. Option D is wrong because the firewall does not need to be the default gateway. Option B is wrong because Syslog is not the primary method; API integration is used.

Option C is wrong because the AMP cloud account is already used; the issue is registration.

17
MCQ · hard

A security analyst is investigating a malware incident on an endpoint protected by Cisco AMP for Endpoints. The Device Trajectory shows that a file named 'invoice.exe' was detonated from a USB drive. The file's cloud verdict was 'Unknown' at the time of execution. The analyst sees that the file spawned multiple child processes that made outbound connections to a malicious IP. The AMP policy has 'Exploit Prevention' enabled but 'File Reputation' is set to 'Monitor' only. The analyst wants to prevent similar incidents in the future without blocking legitimate applications. Which action should the analyst recommend?

A. Block all execution of applications from removable media via Group Policy.
B. Enable all Exploit Prevention rules, including those for script-based attacks.
C. Add the SHA256 hash of 'invoice.exe' to the global blacklist.
D. Change the File Reputation setting to 'Block' for files with 'Unknown' disposition.
Answer: D

Prevents execution of unknown files while allowing known good files.

Why this answer

Option D is correct because setting File Reputation to 'Block' for 'Unknown' files would have prevented execution of invoice.exe. However, this might also block legitimate unknown files. Option A (blocking USB execution) is too restrictive.

Option B (enabling more exploit prevention rules) would not have stopped this file because it was malware, not an exploit. Option C (adding the file hash to the blacklist) is reactive, not proactive.

18
MCQ · easy

Based on the exhibit, what does the 'Isolated: Yes' status indicate?

A. The connector is disconnected from the cloud and requires a reboot.
B. The connector is in a quarantine mode due to a loss of cloud connectivity.
C. The connector is permanently blocked by a firewall and needs manual reconfiguration.
D. The network component is disabled, preventing network traffic monitoring.
Answer: B

'Isolated' indicates the connector cannot reach the cloud but continues to protect with local rules.

Why this answer

Option B is correct. The 'Isolated' status means the connector is in a temporary state where it cannot communicate with the AMP cloud, but it may still function with cached rules. Option D is incorrect because a disabled network component would show 'Network Component: Disabled'.

Option A is incorrect because the connector is still working in a limited capacity. Option C is incorrect because 'Isolated' does not require manual intervention; it may auto-recover.

19
Multi-Select · medium

Which TWO of the following are valid detection methods used by Cisco AMP for Endpoints to identify malicious activity?

Select 2 answers
A. Exploit Prevention using vulnerability-based rules
B. Heuristic analysis of unknown files
C. File Reputation via cloud lookups
D. Anomaly-based behavioral detection
E. Signature-based IPS scanning
Answers: A, C

AMP Exploit Prevention blocks exploitation techniques.

Why this answer

Options A and C are correct. AMP uses File Reputation (cloud lookups based on SHA256) and Exploit Prevention (to block exploit techniques). Option E (Signature-based IPS scanning) is not a typical AMP feature; AMP uses other methods.

Option D (Anomaly-based behavioral detection) is not standard in AMP; it is more of an IDS technique. Option B (Heuristic analysis) is not a primary AMP detection method.

20
MCQ · medium

A university IT team manages 1,000 macOS laptops for students using Cisco AMP for Endpoints. They receive reports that some students' laptops are running slowly and fans are spinning constantly. The team checks the AMP console and sees that these endpoints are performing constant file scans on user directories. The team suspects that the AMP scanning is causing high CPU usage. They want to optimize performance without compromising security. The laptops use the default AMP policy with real-time scanning enabled. What should the team do?

A. Reduce the number of alert notifications to limit AMP's background activity.
B. Increase the file scanning interval to every 30 seconds instead of real-time.
C. Add exclusions for common user data directories in the AMP policy.
D. Disable real-time scanning and rely on scheduled scans.
Answer: C

Reduces scanning of trusted files, lowering CPU usage.

Why this answer

Option C is correct because adding exclusions for known safe folders (like default user document directories) reduces unnecessary scanning. Option D (disable real-time scanning) would leave endpoints vulnerable. Option B (increase scanning interval) is not applicable to real-time scanning.

Option A (reduce notification alerts) does not affect CPU usage.

21
Matching · medium

Match each security technology to its primary function.


Concepts
Matches

Detect and block malicious traffic inline

Monitor and alert on suspicious activity

Control access based on rules

Protect web applications from attacks

Encrypt traffic over public networks

Why these pairings

These are common security technologies and their primary roles.

22
Multi-Select · easy

Which TWO actions can be taken on a malicious file detected by Cisco AMP for Endpoints?

Select 2 answers
A. Allow the file after a scan
B. Block execution of the file
C. Encrypt the file to prevent harm
D. Delete the file
E. Quarantine the file into a safe location
Answers: B, E

Block prevents the file from running.

Why this answer

Options B and E are correct. AMP can block execution and quarantine the file. Option D is wrong because deleting is not a standard action.

Option C is wrong because encrypting would harm the system. Option A is wrong because allowing is the opposite of protection.

23
Multi-Select · easy

Which TWO of the following are indicators of compromise (IOCs) that can be detected by Cisco AMP for Endpoints?

Select 2 answers
A. The endpoint's last login time
B. The version of the operating system
C. MD5 hash of a malicious file
D. IP address of a command-and-control server
E. The username of the logged-in user
Answers: C, D

File hashes are common IOCs.

Why this answer

AMP can detect file hashes and IP connections as IOCs; behavioral rules are also used but not listed as typical IOCs.

24
MCQ · easy

During a ransomware attack, an endpoint protected by AMP for Endpoints successfully blocked the ransomware file. Which AMP policy action was likely applied?

A. Allow
B. Quarantine
C. Detect
D. Block
Answer: D

Block prevents the file from executing, stopping ransomware.

Why this answer

When AMP for Endpoints successfully blocks a ransomware file, the 'Block' policy action is applied. This action prevents the file from executing on the endpoint by terminating the process and quarantining the file in the local quarantine, ensuring the threat is neutralized immediately. The 'Block' action is the most restrictive and is designed to stop known malware, including ransomware, from causing harm.

Exam trap

Cisco often tests the distinction between 'Detect' and 'Block' actions, where candidates mistakenly think 'Detect' can stop an attack, but it only generates alerts without preventing execution.

How to eliminate wrong answers

Option A is wrong because 'Allow' would permit the file to execute, which contradicts the scenario where the ransomware was successfully blocked. Option B is wrong because 'Quarantine' is not a standalone AMP policy action; it is a consequence of the 'Block' action, where the file is moved to quarantine after being blocked. Option C is wrong because 'Detect' only logs and alerts on the file without preventing its execution, which would not stop a ransomware attack.

25
Multi-Select · hard

Which THREE of the following are valid methods to deploy Cisco AMP for Endpoints Connector on Windows endpoints?

Select 3 answers
A. Cisco Prime Infrastructure
C. Group Policy Software Installation (MSI)
D. SCCM/Configuration Manager
E. Manual installation using the installer executable
Answers: C, D, E

Valid method via AD GPO.

Why this answer

AMP can be deployed via MSI using Group Policy, SCCM, or manual installation; third-party RMM tools may also be used.

26
MCQ · medium

A company has deployed Cisco AMP for Endpoints and wants to receive immediate notification when a file is detected as malicious by the cloud sandbox analysis. Which policy setting should be enabled?

A. Enable 'Send alerts for malicious files' in the AMP policy
B. Configure Syslog forwarding for all events
C. Enable 'Exploit Prevention' in block mode
D. Set the connector to 'Analyze' mode
Answer: A

This setting triggers alerts when a file is determined malicious by cloud sandbox.

Why this answer

Cloud sandbox analysis provides verdicts; to get alerts you need to enable 'Send alerts on file reputation' and ensure that the cloud analysis is configured.

27
MCQ · medium

A security analyst sees multiple AMP events for 'Trojan.Generic.37283212' on several endpoints. After updating the AMP signatures, the detection still occurs. What is the best next step to reduce false positives?

A. Wait for the next signature update that might remove the detection.
B. Add the file SHA256 hash to the Custom Whitelist in the AMP policy.
C. Disable the signature for Trojan.Generic in the AMP policy.
D. Reinstall the AMP connector on the affected endpoints.
Answer: B

Whitelisting the specific file hash prevents future false positives while retaining protection.

Why this answer

Option B is correct because adding the file hash to the 'Custom Whitelist' in the AMP policy will prevent future detection of that specific variant. Option A is incorrect because updating signatures does not address a false positive if the detection is correct. Option C is incorrect because disabling the signature entirely would remove protection.

Option D is incorrect because reinstalling the connector is not targeted.

28
MCQ · hard

An analyst reviews an AMP for Endpoints event where a file was detected as malware but later determined to be a false positive. The analyst wants to prevent this file from being flagged in the future. What is the recommended action?

A.Submit the file to Cisco TALOS for reanalysis.
B.Add the file hash to the custom detection list with action 'Allow' or 'Uncategorized'.
C.Disable AMP detection for that file type globally.
D.Change the AMP policy from 'Detect' to 'Audit' for the endpoint.
AnswerB

Custom exceptions override global dispositions, preventing future false positives without affecting other protections.

Why this answer

Option B is correct because adding the file hash to the custom detection list as an exception ('Allow' or 'Uncategorized') prevents future alerts for that file. Option C is wrong because disabling detection for that file type is too broad. Option D is wrong because changing the policy to 'Audit' reduces protection for the whole endpoint.

Option A is wrong because only the cloud can update global dispositions; custom exceptions are the mechanism intended for false positives.

29
Multi-Selectmedium

Which THREE of the following are recommended best practices for configuring Cisco AMP for Endpoints to minimize false positives while maintaining strong detection?

Select 3 answers
A.Set scan level to maximum for all file types
B.Enable file reputation scanning with cloud lookups
C.Use application blocking with a whitelist of approved software
D.Disable exploit prevention to reduce false positives
E.Configure exclusions for directories where trusted software is installed
AnswersB, C, E

File reputation scanning leverages cloud intelligence to classify files, reducing false positives from known good files.

Why this answer

Options B, C, and E are correct. Option B (file reputation scanning with cloud lookups) validates files against cloud intelligence, reducing false positives by allowing known good files. Option C (application blocking with a whitelist) ensures only approved applications run, minimizing false alerts.

Option E (exclusions for directories where trusted software is installed) prevents scanning of benign software, lowering false positives while maintaining detection for unknowns. Option D is wrong because disabling exploit prevention weakens security. Option A is wrong because a maximum scan level increases false positives without a significant detection gain.

30
Drag & Dropmedium

Drag and drop the steps to configure a site-to-site IPsec VPN on a Cisco ASA into the correct order.

Why this order

IKE policy defines Phase 1 parameters, then pre-shared key is set, interesting traffic is defined via ACL, crypto map binds Phase 2 parameters, and it is applied to the interface.

31
MCQmedium

A security engineer notices that several endpoints in the HR department have been infected with ransomware despite having Cisco AMP for Endpoints deployed. The AMP policy is set to 'Detect' for all file types. What is the most likely reason the ransomware was not blocked?

A.The endpoints had process exclusions that allowed the ransomware process.
B.The AMP policy was set to 'Detect' and not 'Block' or 'Quarantine'.
C.The AMP cloud was unreachable during the infection attempt.
D.The file was too large for cloud analysis and AMP timed out.
AnswerB

The 'Detect' mode only generates alerts without taking preventive action.

Why this answer

Cisco AMP for Endpoints policies have three primary actions: 'Detect', 'Block', and 'Quarantine'. When a policy is set to 'Detect', the endpoint will alert on malicious files but will not prevent execution. Since the ransomware was allowed to run, the most likely cause is that the policy was configured to 'Detect' only, rather than a more restrictive action like 'Block' or 'Quarantine'.

Exam trap

Cisco often tests the distinction between 'Detect' and 'Block' actions in AMP policies, as candidates may assume that any detection capability automatically prevents execution, but 'Detect' is purely alerting without enforcement.

How to eliminate wrong answers

Option A is wrong because process exclusions in AMP are used to bypass scanning for legitimate processes, but the question states the ransomware was not blocked due to the policy setting, not due to an exclusion list. Option C is wrong because while cloud connectivity issues can affect retrospective analysis and file reputation lookups, AMP for Endpoints uses local TETRA (Traps Engine for Threat Recognition and Analysis) and Spero engine to block known malware even without cloud access; the 'Detect' policy would still allow execution regardless of cloud reachability. Option D is wrong because file size limits for cloud analysis (typically 8 MB for full upload) would cause AMP to fall back to local analysis or allow the file if it cannot be analyzed, but the core issue remains the policy action being set to 'Detect' rather than 'Block'.

32
MCQeasy

A company uses Cisco Umbrella to block malicious domains. An endpoint user reports that they cannot access a legitimate business website. The website resolves to a domain that is not on any block list. What is the most likely cause?

A.The domain is listed in a custom Destination List with 'Block' action.
B.The domain is part of a content category that is blocked in the Umbrella policy.
C.The Umbrella policy has Application Settings enabled for 'Web Browsing' with block action.
D.The Umbrella roaming client is using an invalid API token.
AnswerB

Umbrella's content category filtering can block entire categories of websites, even if the domain is not individually listed.

Why this answer

Option B is correct because 'Content Categories' in Umbrella can inadvertently block categories such as 'Business' or 'Information Technology' if misconfigured. Option D is incorrect because an invalid token would block all internet access, not a single site. Option C is incorrect because 'Application Settings' control application-level filtering, not URL access.

Option A is incorrect because 'Destination Lists' contain specific domains, not categories, and the question states the domain is not on any block list.

33
Multi-Selectmedium

Which TWO of the following are capabilities of Cisco Orbital?

Select 2 answers
A.Real-time file reputation checking
B.Running live queries across all endpoints
C.Scheduled forensic data collection tasks
D.Pre-execution sandboxing of unknown files
E.Automated endpoint isolation via ISE
AnswersB, C

Orbital allows queries in real-time across managed endpoints.

Why this answer

Cisco Orbital provides advanced endpoint querying and can run scripts on endpoints for investigation.

34
MCQhard

A global enterprise with over 20,000 endpoints has been using Cisco AMP for Endpoints for two years. They recently migrated to a new SIEM and want to forward AMP events in near real-time. The security operations team notices that the SIEM is receiving duplicate events for the same file execution, causing alert fatigue. The AMP console shows that the 'Send to Syslog' action is enabled on two different policies, and both policies are applied to the same groups of endpoints. The team also uses the AMP APIs to pull data. The network engineer wants to eliminate duplicate events without losing any critical alerts. Which course of action should the engineer take?

A.Disable the AMP API to stop duplicates from multiple data sources.
B.Increase the event detection interval to reduce the number of events generated.
C.Remove the 'Send to Syslog' action from one of the two policies.
D.Review the group hierarchy and ensure each endpoint is assigned to a single policy that includes the syslog action.
AnswerD

Eliminates duplicate policy application.

Why this answer

Option D is correct because the duplicate events are caused by multiple policies carrying the same syslog action being applied to the same endpoints. Consolidating policy assignments ensures that each endpoint receives only one policy with syslog forwarding. Option A (disable the API) would stop API pulls but not the duplicates from syslog.

Option C (remove the syslog action from one policy) might stop the duplicates but could leave gaps if that policy has other important settings. Option B (increase the detection interval) does not affect duplicates.

35
Multi-Selectmedium

Which TWO of the following are required for successful registration of an AMP for Endpoints connector with the cloud?

Select 2 answers
A.A locally installed SQL database for event storage.
B.A proxy server configured in the connector settings.
C.Outbound HTTPS access to the AMP cloud backend servers.
D.A valid registration token obtained from the AMP console.
E.An inbound firewall rule allowing connections from the AMP cloud.
AnswersC, D

The connector communicates with the cloud over HTTPS (port 443).

Why this answer

Option C is correct because the AMP for Endpoints connector must establish an outbound HTTPS (TCP/443) connection to the AMP cloud backend servers to communicate telemetry, receive policy updates, and perform health checks. Without this outbound access, the connector cannot register or maintain its connection to the cloud.

Exam trap

Cisco often tests the misconception that inbound firewall rules are needed for cloud-based security products, but AMP for Endpoints uses a purely outbound model, so candidates mistakenly select option E thinking the cloud must 'push' data to the endpoint.

36
MCQhard

A security analyst is investigating an alert from Cisco Secure Endpoint indicating that an endpoint has been infected with ransomware. The analyst wants to determine the initial infection vector. Which feature of Cisco Secure Endpoint should the analyst use to trace the chain of events leading to the infection?

A.Orbital Advanced Search
B.TETRA traffic analysis
C.Windows Event Viewer integration
D.Device Flow Correlation
AnswerA

Orbital Advanced Search provides retrospective analysis to trace the attack chain.

Why this answer

Orbital Advanced Search is the correct feature because it provides deep forensic visibility into endpoint activity, allowing the analyst to perform advanced queries across files, processes, registry keys, and network connections. This enables tracing the chain of events—such as a malicious email attachment, exploit, or drive-by download—that led to the ransomware infection, by correlating timestamps and process parent-child relationships.

Exam trap

Cisco often tests the distinction between network-level analysis (TETRA, Device Flow Correlation) and endpoint-level forensic investigation (Orbital), leading candidates to confuse traffic analysis with host-based event chain reconstruction.

How to eliminate wrong answers

Option B is wrong because TETRA traffic analysis is a network-based traffic analysis tool used for detecting anomalies in network flows, not for tracing endpoint-level event chains or initial infection vectors. Option C is wrong because Windows Event Viewer integration is a basic log collection method that lacks the advanced querying, cross-system correlation, and forensic depth needed to reconstruct a multi-step attack chain within Cisco Secure Endpoint. Option D is wrong because Device Flow Correlation focuses on correlating network flows between devices to identify lateral movement or C2 communication, not on tracing the initial infection vector on a single endpoint.

37
Multi-Selectmedium

Which THREE are recommended best practices for deploying Cisco AMP for Endpoints in a large enterprise?

Select 3 answers
A.Configure the policy to block all files with disposition 'Unknown' to prevent zero-day attacks.
B.Deploy the AMP connector to all endpoints, including servers and desktops.
C.Create separate groups for different operating systems and applications to apply tailored policies.
D.Start with 'Audit' or 'Detect' mode to baseline and adjust before enforcing blocks.
E.Set the default policy action to 'Block' for all file types to maximize security from day one.
AnswersB, C, D

Comprehensive coverage is key for endpoint protection.

Why this answer

Deploying the AMP connector to all endpoints, including servers and desktops, ensures comprehensive visibility and protection across the entire enterprise attack surface. Cisco AMP for Endpoints relies on a connector installed on each device to perform file analysis, retrospective detection, and telemetry collection; leaving any endpoint unmonitored creates a blind spot that attackers can exploit. This is a foundational best practice for large-scale deployments to achieve consistent security coverage.

Exam trap

Cisco often tests the misconception that aggressive blocking (e.g., blocking all 'Unknown' files or setting 'Block' as the default action) is a best practice, when in reality, a phased approach starting with 'Audit' or 'Detect' mode is recommended to avoid breaking production systems and to fine-tune policies based on actual traffic patterns.

38
MCQeasy

A network security engineer needs to block malicious file downloads on endpoints regardless of the user's location. Which Cisco solution should be integrated with the company's existing endpoint protection platform to achieve cloud-delivered threat intelligence?

A.Cisco Umbrella
B.Cisco Stealthwatch
C.Cisco Firepower Management Center
D.Cisco ISE
AnswerA

Umbrella provides cloud-delivered threat intelligence and can block malicious file downloads from anywhere.

Why this answer

Cisco Umbrella integrates with endpoint protection platforms to provide cloud-delivered security and block malicious domains, IPs, and file downloads anywhere the user goes.

39
MCQmedium

Refer to the exhibit. A file with SHA256 hash 'a1b2c3d4e5f6...' is detected on an endpoint. The threat grid returns a score of 90 for this file. What action is taken by AMP?

A.Allow (because threat score 90 is not specifically matched in reputation).
B.Block (because the custom detection rule has action 'block').
C.Quarantine (because score 90 falls between 80 and 100).
D.No action (because the file is in the whitelist).
AnswerB

Custom detections are applied first; the file matches and is blocked.

Why this answer

Option B is correct. The custom detection rule for that exact SHA256 overrides the file reputation rules, so the action is 'block'. Options A and C are incorrect because custom detections take precedence over reputation-based actions.

Option D is incorrect because the file is matched by the custom detection, not by a whitelist.

40
Multi-Selectmedium

A network administrator is configuring endpoint protection policies for a large enterprise. The requirement is to allow only approved software to run on endpoints, while blocking all other executables. Which Cisco Secure Endpoint feature should be configured? (Choose two.)

Select 2 answers
A.Exploit Prevention
B.Malware Analytics
C.Application Control
D.Lockdown Mode
E.File Reputation
AnswersC, D

Application Control allows whitelisting approved software.

Why this answer

Application Control (C) is correct because it allows administrators to define a whitelist of approved software, blocking all other executables from running on endpoints. Lockdown Mode (D) is correct because it enforces a strict policy where only pre-approved applications can execute, effectively preventing any unapproved software from running. Together, these features provide comprehensive control over executable files in a large enterprise environment.

Exam trap

Cisco often tests the distinction between 'blocking malicious files' (File Reputation) and 'blocking unapproved applications' (Application Control/Lockdown Mode), leading candidates to confuse threat-based blocking with policy-based whitelisting.

41
MCQmedium

A security team is designing an endpoint protection strategy for a mix of Windows and macOS endpoints. They want to use Cisco AMP for Endpoints with centralized management. Which deployment approach minimizes administrative overhead?

A.Deploy an on-premises AMP Console for each operating system.
B.Install a Windows Server as a management point and deploy connectors via SCCM.
C.Use group policies to define different policies for Windows and macOS.
D.Use the AMP cloud console to manage a single policy that applies to both platforms with OS-specific exclusions.
AnswerD

The cloud console supports multi-platform policy with per-OS rules, minimizing overhead.

Why this answer

Option D is correct because Cisco AMP for Endpoints offers a cloud-based console that provides centralized management for both Windows and macOS endpoints from a single pane of glass. This eliminates the need for on-premises infrastructure or separate management tools, and a single policy can be applied across platforms with OS-specific exclusions to handle differences in file paths and processes, thereby minimizing administrative overhead.

Exam trap

The trap here is that candidates often assume different operating systems require separate management consoles or policies, but Cisco AMP for Endpoints' cloud console supports a single policy with OS-specific exclusions, which is the most efficient approach for minimizing administrative overhead.

How to eliminate wrong answers

Option A is wrong because deploying separate on-premises AMP Consoles for each operating system increases administrative overhead by requiring dedicated hardware, maintenance, and separate management interfaces, contradicting the goal of centralized management. Option B is wrong because installing a Windows Server as a management point and deploying connectors via SCCM adds unnecessary complexity and administrative overhead, as SCCM is not required for AMP for Endpoints deployment and the cloud console already provides centralized management without additional infrastructure. Option C is wrong because using group policies to define different policies for Windows and macOS is not a native AMP for Endpoints deployment method; group policies are a Windows-centric feature and do not apply to macOS, and this approach would require separate policy management, increasing overhead rather than minimizing it.

42
MCQeasy

An organization wants to enforce that specific sensitive files are never executed on endpoints. Which AMP for Endpoints feature is most appropriate?

A.Outbreak Control (file extension blocking)
B.Simple or advanced custom detections (Application Control)
C.Exclusion lists
D.Behavioral analysis and engine protection
AnswerB

Custom detections allow blocking specific files via SHA-256 hashes or paths.

Why this answer

Option B is correct because Application Control (custom detections / file blocking) allows blocking specific files by hash, path, or name. Option C is wrong because exclusions allow files to run. Option A is wrong because Outbreak Control blocks file extensions, not specific files.

Option D is wrong because behavioral analysis detects anomalies; it does not enforce static blocks.

43
MCQeasy

A company wants to deploy Cisco AMP for Endpoints to protect against advanced malware. Which best practice should be followed when configuring the policy for the first time?

A.Disable file analysis for known good file types to improve performance.
B.Start with 'Audit' or 'Detect' mode to baseline endpoint behavior before enforcing blocks.
C.Set the policy to 'Block' immediately to maximize protection.
D.Disable AMP's network firewall to reduce complexity.
AnswerB

Audit/Detect modes allow identification of false positives and tuning before enforcement.

Why this answer

Option B is correct because starting with 'Audit' or 'Detect' mode allows observation without disruption. Option C is wrong because blocking immediately may cause false positives that disrupt users. Option D is wrong because disabling the firewall weakens security.

Option A is wrong because disabling file analysis reduces detection capability.

44
MCQhard

A security analyst observes that one endpoint is generating alerts of type 'Trojan' in Cisco AMP, but other identical endpoints on the same software version show no issues. After verifying that the signature versions are consistent, what is the most likely cause of the discrepancy?

A.A legitimate application on that endpoint is exhibiting behavior that matches a Trojan signature
B.The AMP connector is misconfigured and is generating false alerts
C.The endpoint's network traffic is being intercepted by a proxy causing AMP to misidentify it
D.The endpoint has an outdated operating system patch
AnswerA

AMP's behavioral analysis might flag a legitimate application if it behaves like malware. Other endpoints may not have that app.

Why this answer

AMP uses behavioral analysis and machine learning; if one endpoint has a different application behavior or a legitimate application that behaves similarly to malware, it could cause a false positive. Other endpoints may not have that application.

45
MCQeasy

A company with 5000 endpoints uses Cisco Secure Endpoint (AMP) and Cisco ISE. Users report that legitimate software installations are being quarantined, causing delays. The security team receives many alerts for file executions. The AMP policy is set to "High Security" with "Block Unknown" enabled. Network traffic is monitored by Cisco Stealthwatch. The team wants to reduce operational overhead while maintaining security. What should they do?

A.Disable "Block Unknown" and rely solely on Stealthwatch for threat detection
B.Create an AMP exclusion for software installation directories and enable "File Reputation" with "Cloud Lookups"
C.Change AMP policy to "Medium Security" and enable "Application Blocking with Allow List"
D.Disable AMP and use only ISE for endpoint posture checks
AnswerB

Exclusions reduce false positives for trusted paths, while file reputation with cloud lookups maintains detection for unknown files, balancing security and overhead.

Why this answer

Option B is correct. Creating an AMP exclusion for software installation directories reduces false positives by preventing scanning of known legitimate installations. Enabling File Reputation with Cloud Lookups maintains detection by checking unknown files against cloud intelligence, so security is not sacrificed.

Option C is too broad; lowering the security level might miss threats. Option A removes endpoint blocking and relies solely on network detection, which is insufficient. Option D removes endpoint protection entirely, increasing risk.

46
MCQhard

An incident responder is analyzing an endpoint that was compromised despite AMP for Endpoints being deployed. The AMP logs show the malware file had a disposition of 'Unknown' shortly before compromise, but later changed to 'Malicious' after cloud analysis. What is the most likely reason the file was not blocked initially?

A.The cloud analysis result was delayed due to high traffic.
B.The local analysis engine was disabled, so the file was not analyzed locally.
C.The AMP policy was configured to 'Allow' or 'Detect' for files with disposition 'Unknown'.
D.The endpoint did not have connectivity to the AMP cloud at the time of execution.
AnswerC

Unknown files may be allowed until the cloud verdict returns; if the action is not 'Block', execution occurs.

Why this answer

Option C is correct because if the policy action for 'Unknown' is set to 'Detect' or 'Allow', the file runs while cloud analysis completes. Option B is wrong because local analysis is used for known files, not unknowns. Option A is wrong because a delayed cloud result would still lead to the file being blocked eventually if the policy required it; the initial execution is decided by the policy action.

Option D is wrong because connectivity issues would prevent cloud analysis altogether, yet the disposition did later change after cloud analysis.

47
Multi-Selecteasy

Which TWO are required to successfully deploy Cisco AMP for Endpoints in a Windows domain environment with Group Policy?

Select 2 answers
A.Install the AMP connector on each endpoint
B.Configure the firewall to block outbound HTTPS traffic
C.Install the AMP connector on a domain controller
D.Assign an AMP policy to the connector via Group Policy
E.Ensure all endpoints are joined to the domain
AnswersA, D

The connector must be present to enforce policies.

Why this answer

Options A and D are correct. The AMP connector must be installed on each endpoint (A) and the policy must be assigned to the connector (D). Option C (install on a domain controller) is not required; the connector can run on any endpoint.

Option B (configure the firewall to block outbound HTTPS) would break cloud connectivity. Option E (join all endpoints to the domain) is not strictly necessary; Group Policy can apply to non-domain machines via local policy.

48
MCQhard

A company uses Cisco Threat Response (CTR) to investigate a potential breach. The analyst sees an observable (SHA256) with a score of 90 in the threat grid. However, the AMP connector on the endpoint shows 'Allow' for that file. What could cause this discrepancy?

A.The 'File Blocking' setting is set to 'Off' for the policy, ignoring cloud scores.
B.The AMP policy has file reputation disabled, so all files are allowed.
C.The AMP policy uses 'Local Analysis' and the local analysis determined the file was safe.
D.The file was blocked but the AMP console shows 'Allow' due to delayed event ingestion.
AnswerC

Local analysis can override cloud reputation if configured and the file passes local heuristics.

Why this answer

Option C is correct because Cisco AMP for Endpoints uses a layered approach: cloud-based file reputation (Threat Grid) provides a score, but if the policy has Local Analysis enabled, the endpoint's local engine can override the cloud verdict. In this scenario, the local analysis determined the file was safe, so the file was allowed despite the high cloud score of 90. This explains the discrepancy between the Threat Grid score and the AMP connector's 'Allow' action.

Exam trap

Cisco often tests the concept that AMP's Local Analysis can override cloud-based reputation scores, leading to a file being allowed despite a high malicious score in Threat Grid, which candidates mistakenly attribute to misconfigured file blocking or reputation settings.

How to eliminate wrong answers

Option A is wrong because the 'File Blocking' setting, when set to 'Off', disables file blocking entirely, but it does not ignore cloud scores; it simply does not enforce blocking based on any score. Option B is wrong because disabling file reputation in the AMP policy would prevent the endpoint from querying the cloud for reputation, but it would not cause a file with a high cloud score to be allowed; instead, the file would be handled by other mechanisms like local analysis or simple allow/block rules. Option D is wrong because AMP events are near real-time; delayed event ingestion would not cause the console to show 'Allow' for a blocked file—it would either show no event or a delayed 'Blocked' event, not an incorrect 'Allow' status.

49
MCQhard

A security architect is designing a solution to detect and block ransomware using Cisco AMP. The requirement is that when a file executes and attempts to encrypt files in a monitored directory, the event must be captured and the process terminated immediately. Which AMP feature set should be used?

A.Exploit Prevention with Behavioral Protection enabled.
B.Application Control with a block list of known ransomware binaries.
C.Vulnerability Assessment with real-time patching.
D.Device Flow Correlation (DFC) with advanced malware analysis.
AnswerA

This feature set detects ransomware behaviors and can automatically terminate the process.

Why this answer

Option A is correct because AMP's 'Exploit Prevention' combined with 'Behavioral Protection' specifically monitors for ransomware-like behavior and can terminate the offending process. Option D is incorrect because 'Device Flow Correlation' is for network traffic analysis. Option B is incorrect because 'Application Control' only allows or denies execution and performs no behavioral analysis.

Option C is incorrect because 'Vulnerability Assessment' checks for CVEs, not runtime behavior.

50
MCQeasy

Refer to the exhibit. What happened to the file 'crack.exe'?

A.The file was allowed because it was detected as malicious.
B.The file was blocked from executing.
C.The file was detected but no action was taken.
D.The file was quarantined to a secure folder.
AnswerB

The log explicitly states 'Blocked by policy'.

Why this answer

Option B is correct because the log says 'Blocked by policy'. Option A is wrong because the file was not allowed. Option D is wrong because the file was not quarantined (the log makes no mention of quarantine).

Option C is wrong because the file was not merely detected; a blocking action was taken.

51
MCQhard

A security engineer is troubleshooting an issue where a known malicious file (SHA-256: 3a7c...f9e) is not being detected by Cisco Secure Endpoint on a Windows 10 endpoint. The file was downloaded from the internet. The policy has the 'File Reputation' setting set to 'Use cloud lookup', and the 'Exploit Prevention' module is enabled. The endpoint is connected to the internet and can reach the AMP cloud. What is the most likely reason for the missed detection?

A.The endpoint was offline when the file was first written to disk, so the cloud lookup was skipped.
B.Windows Defender Real-time Protection is interfering with the AMP connector.
C.The Exploit Prevention module is blocking the cloud lookup process.
D.The AMP cloud license has expired for the organization.
AnswerA

If the endpoint was offline during file download, the initial cloud lookup is skipped, and the file is allowed.

Why this answer

Option A is correct because Cisco Secure Endpoint's 'File Reputation' with 'Use cloud lookup' requires the endpoint to be online at the moment the file is written to disk. If the endpoint was offline during that critical window, the connector cannot perform the SHA-256 cloud lookup against the AMP cloud, and the file is not evaluated for maliciousness. The file remains undetected until a subsequent scan or event triggers a new lookup, which may not happen automatically.

Exam trap

Cisco often tests the nuance that 'Use cloud lookup' requires real-time connectivity at the exact moment of file creation, not just general internet access, and candidates mistakenly assume that a later online state will retroactively detect the file.

How to eliminate wrong answers

Option B is wrong because Windows Defender Real-time Protection does not interfere with the AMP connector; both can coexist, and Cisco Secure Endpoint is designed to operate alongside other antivirus products without conflict. Option C is wrong because the Exploit Prevention module does not block cloud lookup processes; it monitors for exploit techniques like code injection or heap spray, not network-based reputation queries. Option D is wrong because if the AMP cloud license had expired, the connector would typically show a licensing error or fail to communicate entirely, but the scenario states the endpoint can reach the AMP cloud, implying connectivity and licensing are functional.

52
MCQhard

An engineer is troubleshooting why AMP for Endpoints is not detecting a specific malicious file. The file hash is available and other endpoints detected it. What is the most likely cause for the detection failure on this endpoint?

A.The AMP connector is not configured with a proxy when needed.
B.The endpoint's AMP connector has local analysis disabled, preventing hash matching.
C.The AMP signature database on that endpoint is outdated.
D.The AMP policy is set to 'Block' instead of 'Detect'.
AnswerB

Local analysis allows matching known bad hashes without cloud lookup; if disabled, detection may rely solely on cloud.

Why this answer

When AMP for Endpoints fails to detect a file that is known to be malicious (based on its hash) and other endpoints have already detected it, the most likely cause is that local analysis (also known as local scanning or local hash matching) is disabled on the failing endpoint. AMP for Endpoints uses a combination of cloud-based lookups and local analysis. If local analysis is disabled, the endpoint cannot perform hash-based detection against its local cache or signature database, and it must rely entirely on cloud connectivity.

If the cloud lookup is delayed or the endpoint is offline, detection fails. Option B directly addresses this scenario.

Exam trap

Cisco often tests the misconception that AMP for Endpoints relies on a traditional signature database (like a .dat file) that can become outdated, when in fact the primary detection mechanism is cloud-based with a local cache that is not a full signature database.

How to eliminate wrong answers

Option A is wrong because a proxy misconfiguration would prevent cloud connectivity, but the question states the file hash is available and other endpoints detected it, implying cloud connectivity is not the issue; moreover, local analysis would still work if enabled. Option C is wrong because AMP for Endpoints does not rely on a locally stored signature database like traditional antivirus; it uses a lightweight local cache and cloud lookups, so an 'outdated signature database' is not a relevant concept for hash-based detection. Option D is wrong because setting the policy to 'Block' instead of 'Detect' would still trigger detection (and then block), not cause a failure to detect; the detection engine runs regardless of the action taken.

53
MCQ · hard

An administrator reviews the AMP event log shown in the exhibit. The same file hash appears in all events. What is the most likely explanation for the third event showing a 'TETRA Event' with 'Action: Quarantine' and 'Disposition: Unknown'?

A. The AMP connector failed to communicate with the cloud and generated a TETRA event as an error.
B. The file was previously blocked, but the user executed it from a different location, triggering a TETRA event.
C. The file was determined to be malicious by the cloud after the first detection.
D. The file was executed and, because its disposition was unknown, AMP quarantined it and submitted it for cloud analysis.
Answer: D

TETRA events are triggered when an unknown file is executed; the connector quarantines the file and sends it to the cloud for analysis.

Why this answer

The third event shows a TETRA (Trajectory) event with 'Action: Quarantine' and 'Disposition: Unknown' because AMP uses TETRA to correlate related events into a single trajectory. When a file with an unknown disposition is executed, AMP quarantines it locally and submits it to the cloud for analysis. The 'Unknown' disposition indicates the cloud had not yet classified the file at the time of the event, and the quarantine action is a precautionary measure while analysis is pending.

Exam trap

Cisco often tests the misconception that a TETRA event is a separate detection type rather than a correlation mechanism, leading candidates to confuse it with a cloud communication error or a re-execution trigger.

How to eliminate wrong answers

Option A is wrong because a TETRA event is not an error generated by a communication failure; it is a trajectory event that correlates multiple related detections. Option B is wrong because the file was not previously blocked (the first event shows 'Action: Allowed'), and TETRA events do not trigger simply from executing a file from a different location. Option C is wrong because if the cloud had determined the file to be malicious after the first detection, the third event would show a 'Malicious' disposition, not 'Unknown'.

54
MCQ · medium

An organization has deployed Cisco AMP for Endpoints and wants to automatically isolate a host from the network when a high-severity malware detection occurs. Which integration must be configured to enable this automated response?

A. Cisco Stealthwatch with NetFlow
B. Cisco Web Security Appliance
C. Cisco Firepower Next-Gen Firewall
D. Cisco ISE with pxGrid
Answer: D

pxGrid enables AMP to send isolation commands to ISE, which then changes the endpoint's network access.

Why this answer

Cisco AMP uses the Threat Response API and integrations with network access control to automate isolation. ISE integration allows AMP to trigger network quarantine.

55
MCQ · easy

Which component of Cisco AMP for Endpoints is responsible for preventing the execution of known malware by checking files against a continuously updated cloud database before they run?

A. Exploit Prevention
B. Application Control
C. File Reputation
D. Orbital
Answer: C

File Reputation checks files against Talos intelligence to block known malware.

Why this answer

File Reputation uses cloud lookups to determine if a file is known to be malicious before it executes.

56
MCQ · medium

A security analyst is investigating a compromised endpoint that is part of a botnet. The endpoint is running Cisco Secure Endpoint with TETRA. The analyst notices that the endpoint is communicating with a command-and-control (C2) server over HTTPS. Which TETRA feature would be most effective in detecting this traffic?

A. URL filtering against known malicious URL databases
B. SSL/TLS decryption and inspection
C. File reputation and cloud lookup
D. Protocol analysis with deep packet inspection
Answer: B

TETRA can decrypt SSL traffic if configured, allowing inspection of C2 communication.

Why this answer

TETRA (Telemetry and Threat Response Analytics) on Cisco Secure Endpoint can detect C2 traffic over HTTPS by performing SSL/TLS decryption and inspection. This allows the agent to examine encrypted payloads for malicious patterns, such as beaconing or command-and-control protocol artifacts, which would otherwise be hidden in the encrypted tunnel.

Exam trap

The trap here is that candidates often choose deep packet inspection (DPI) without realizing that DPI cannot inspect encrypted HTTPS traffic without SSL/TLS decryption, making it ineffective for detecting C2 communication over HTTPS.

How to eliminate wrong answers

Option A is wrong because URL filtering against known malicious URL databases relies on static reputation lists and cannot detect C2 traffic using dynamically generated or previously unknown domains, nor can it inspect encrypted content. Option C is wrong because file reputation and cloud lookup analyze file hashes and behaviors, not network traffic patterns like HTTPS C2 communication. Option D is wrong because protocol analysis with deep packet inspection (DPI) cannot inspect encrypted HTTPS payloads without first decrypting the SSL/TLS session, making it ineffective against encrypted C2 traffic.

57
MCQ · medium

An incident responder notices that an AMP connector on a critical server has stopped sending 'IP to Application' mapping events after a software update. Which step should be taken to restore this telemetry?

A. Enable the 'Network' component in the AMP connector settings and restart the service.
B. Uninstall and reinstall the AMP connector with default settings.
C. Update the AMP policy on the connector to force a configuration reload.
D. Restart the AMP connector service on the server.
Answer: A

The 'IP to Application' mapping is part of the 'Network' component, which can be disabled during an update.

Why this answer

Option A is correct because the 'IP to Application' mapping feature requires the 'Network' component to be enabled in the AMP connector configuration after the update. Option D is incorrect because restarting the service does not re-enable the component. Option C is incorrect because a policy update would not enable a disabled component.

Option B is incorrect because reinstalling would be unnecessarily disruptive.

58
Multi-Select · hard

Which THREE of the following are capabilities of Cisco Threat Response (CTR) that integrate with endpoint telemetry for accelerated detection and response?

Select 3 answers
A. Real-time blocking of malicious processes at the endpoint
B. Device Trajectory to visualize the timeline of events on an endpoint
C. Centralized search across endpoint, network, and email telemetry
D. Automatic deployment of software patches to endpoints
E. Casebook creation to document investigation steps and share with team
Answers: B, C, E

Device Trajectory is a key feature in AMP/CTR for reconstructing events.

Why this answer

Device Trajectory is a core capability of Cisco Threat Response (CTR) that ingests endpoint telemetry from Cisco Secure Endpoint (formerly AMP for Endpoints). It visualizes a timeline of events—such as process executions, file modifications, and network connections—on a specific endpoint, enabling security analysts to quickly reconstruct the sequence of an attack and accelerate detection and response.

Exam trap

The trap here is that candidates confuse the capabilities of the endpoint protection agent (e.g., real-time blocking or patching) with the investigative and orchestration functions of Cisco Threat Response, which is a separate cloud service that aggregates telemetry but does not perform active prevention or remediation actions.

59
MCQ · medium

A company with 500 endpoints uses Cisco AMP for Endpoints with a private cloud and a single Threat Grid appliance for file analysis. The security team notices that some endpoints are not receiving updates to the local malware signatures for over 24 hours. The AMP console shows these endpoints as 'Out of Date'. The network team confirms that the endpoints can reach the private cloud server on TCP port 443. The endpoints are running Windows 10 with the latest AMP connector version. The private cloud server has sufficient disk space and is running normally. The AMP console shows that the 'Update Policy' is enabled and set to download signatures every 4 hours. Which action should the administrator take to resolve the issue?

A. Restart the Cisco AMP for Endpoints connector service on the affected endpoints.
B. Clear the update cache on the affected endpoints by running 'c:\Program Files\Cisco\AMP\xxxxx\amp_update.exe --clear-cache' from an elevated command prompt.
C. Change the update policy interval from 4 hours to 1 hour to force more frequent checks.
D. Check if the firewall is blocking the signature update port 443 for those specific endpoints.
Answer: B

Clearing the update cache forces a fresh download of signature updates, resolving stuck updates.

Why this answer

The correct action is to clear the update cache on the affected endpoints. When endpoints show as 'Out of Date' despite being able to reach the private cloud on TCP 443 and having the correct update policy, the local signature cache is often corrupted or stale. Running `amp_update.exe --clear-cache` forces the connector to discard its cached signature data and download a fresh copy from the private cloud, resolving the update failure without requiring a service restart or policy change.

Exam trap

The trap here is that candidates assume connectivity issues (firewall) or service restarts are the fix, but Cisco specifically tests the knowledge that a corrupted local signature cache requires clearing the cache, not restarting the service or changing the update interval.

How to eliminate wrong answers

Option A is wrong because restarting the AMP connector service only restarts the process; it does not address a corrupted or stale local signature cache, which is the root cause of the 'Out of Date' status. Option C is wrong because changing the update interval from 4 hours to 1 hour does not fix the underlying issue—if the cache is corrupted, more frequent checks will still fail to download valid signatures. Option D is wrong because the network team already confirmed that endpoints can reach the private cloud on TCP port 443, so a firewall block is not the problem.

60
MCQ · easy

An organization wants to prevent malware from executing on endpoints by using a file reputation service. Which Cisco technology provides cloud-based file reputation and analysis for endpoint protection?

A. Cisco Stealthwatch
B. Cisco Identity Services Engine (ISE)
C. Cisco Firepower NGFW
D. Cisco Secure Endpoint (AMP for Endpoints)
Answer: D

Cisco Secure Endpoint provides cloud-based file reputation and analysis.

Why this answer

Cisco Secure Endpoint (formerly AMP for Endpoints) is the correct answer because it provides cloud-based file reputation and analysis through its Advanced Malware Protection (AMP) cloud. This service uses global threat intelligence and machine learning to analyze file behavior, assign reputation scores, and block or quarantine malicious files on endpoints in real time.

Exam trap

Cisco often tests the distinction between network-based file inspection (Firepower NGFW with AMP for Networks) and endpoint-based file reputation (Secure Endpoint), so candidates mistakenly choose Firepower NGFW because they associate 'file reputation' with the firewall's AMP feature, not realizing the question specifies 'endpoints' and 'cloud-based file reputation and analysis' for endpoint protection.

How to eliminate wrong answers

Option A is wrong because Cisco Stealthwatch is a network visibility and security analytics tool that uses NetFlow/IPFIX data for behavioral analysis and threat detection, not a cloud-based file reputation service for endpoints. Option B is wrong because Cisco Identity Services Engine (ISE) is a policy-based network access control (NAC) and identity management platform that enforces access policies via 802.1X, MAC Authentication Bypass (MAB), and posture assessment, but it does not perform file reputation analysis. Option C is wrong because Cisco Firepower NGFW is a next-generation firewall that provides network-based intrusion prevention (IPS), URL filtering, and AMP for Networks (file reputation on the network perimeter), not endpoint-level file reputation and analysis.

61
MCQ · easy

A company wants to ensure that only authorized applications can run on endpoints. Which feature of Cisco AMP for Endpoints should be used to create a whitelist of allowed applications?

A. Application Control
B. Exploit Prevention
C. Orbital Advanced Search
D. File Reputation
Answer: A

Application Control allows whitelisting of approved applications and blocks unauthorized ones.

Why this answer

Application Control in AMP allows administrators to define policies that permit only approved applications to execute.

62
Drag & Drop · medium

Drag and drop the steps to configure a Cisco ASA for remote access VPN using AnyConnect in the correct order.


Why this order

First enable AnyConnect image, then define IP pool, group policy, tunnel group, and apply to interface.

63
MCQ · medium

A network engineer is troubleshooting an endpoint that failed to receive policy updates from the Cisco AMP cloud. The endpoint shows 'Out-of-Date' in the AMP console. The engineer verifies that the endpoint has outbound HTTPS access to the AMP cloud. What additional step should the engineer take to resolve the issue?

A. Configure the AMP connector to use a static IP address for the cloud.
B. Reboot the endpoint to force a policy download.
C. Verify that SNMP is enabled on the endpoint.
D. Verify that the endpoint can resolve the AMP cloud hostname using DNS.
Answer: D

The connector must resolve the cloud hostname for HTTPS connections.

Why this answer

Option D is correct because the AMP connector requires the correct cloud connectivity hostname (like *.amp.cisco.com) and port 443. If DNS resolution fails or the hostname is incorrect, the endpoint cannot communicate. Option C is wrong because the AMP connector does not use SNMP.

Option B is wrong because a reboot is not typically required; the connector retries automatically. Option A is wrong because the connector itself can resolve DNS; there is no separate proxy configuration inside the connector (although a proxy can be configured via policy).

64
MCQ · medium

A SOC analyst notices that after deploying Cisco AMP for Endpoints, some legitimate business software is being blocked by the Exploit Prevention engine. What is the recommended action to allow this software while maintaining maximum security?

A. Disable Exploit Prevention entirely on affected endpoints
B. Create an application exception in Exploit Prevention policy
C. Add the software's executable hash to the file exclusion list
D. Set Exploit Prevention to 'Audit' mode
Answer: B

This allows the specific application while maintaining protection for all others.

Why this answer

The best practice is to create an exception for that specific application in the Exploit Prevention policy, rather than disabling the engine entirely or excluding the folder.

65
MCQ · easy

A financial company uses Cisco AMP for Endpoints to protect 500 Windows workstations. The security administrator notices that several endpoints in the accounting department are showing 'Out-of-Date' status for over a week. The administrator checks the AMP console and sees that the group policy for accounting has been modified to disable certain scanning features. The endpoints have Internet connectivity but are not updating their policy or receiving new definitions. The administrator suspects a misconfiguration. What should the administrator do first to resolve this issue?

A. Restart the AMP services on a few affected endpoints to force a policy update.
B. Verify that the endpoints can communicate with the AMP cloud by checking the connector's connectivity status.
C. Increase the policy polling interval from 60 minutes to 30 minutes.
D. Reinstall the AMP connector on all affected endpoints.
Answer: B

This identifies if the issue is network-related.

Why this answer

Option B is correct because the most common cause of 'Out-of-Date' endpoints is a communication issue. Checking the AMP connector's connection status (e.g., via the connector GUI) reveals whether the endpoint can reach the cloud. Option A (restart services) might temporarily fix the symptom but would not identify the root cause.

Option D (reinstall the connector) is drastic and should be a last resort. Option C (change the polling interval) does not help if there is a connectivity obstacle.

66
Multi-Select · hard

Which THREE actions should a security engineer take when configuring a Cisco AMP for Endpoints policy to minimize false positives while maintaining strong protection?

Select 3 answers
A. Configure custom whitelist exclusions for trusted applications
B. Use group-based policies to apply different rules to different endpoint populations
C. Enable all exploit prevention rules regardless of environment
D. Set file reputation to block only files with 'Malicious' disposition
E. Disable file reputation to reduce cloud queries
Answers: A, B, D

Whitelisting reduces false positives.

Why this answer

Options A, B, and D are correct. Configuring whitelist exclusions (A) prevents legitimate applications from being flagged. Setting different policies for different groups (B) allows tailored rules.

Using the 'Disposition' filter to block only malicious files (D) avoids blocking unknown benign files. Option C (enable all exploit prevention rules) may cause false positives from legitimate applications. Option E (disable file reputation) reduces protection.

67
MCQ · easy

An organization wants to implement endpoint protection that uses behavioral analysis to detect ransomware. The solution must be able to roll back changes made by the ransomware after detection. Which Cisco endpoint security feature provides this capability?

A. Exploit prevention with ransomware rollback
B. File reputation scanning
C. Device flow telemetry
D. Application blocking via policy
Answer: A

Exploit prevention uses behavioral analysis to detect ransomware and can roll back file changes automatically.

Why this answer

Option A is correct because Cisco's endpoint protection includes a behavioral analysis engine that monitors for ransomware-like activities (e.g., mass file encryption, rapid file modifications). Upon detection, the feature automatically triggers a rollback, restoring affected files to their pre-encryption state using Volume Shadow Copy Service (VSS) snapshots or similar mechanisms, effectively reversing the ransomware's changes.

Exam trap

Cisco often tests the distinction between prevention (blocking before execution) and remediation (rolling back after execution), so candidates may confuse file reputation or application blocking with the rollback capability, missing that only behavioral analysis with rollback addresses post-infection recovery.

How to eliminate wrong answers

Option B is wrong because file reputation scanning relies on static or cloud-based hash lookups (e.g., Talos intelligence) to block known malware, but it does not perform behavioral analysis or rollback changes. Option C is wrong because device flow telemetry (e.g., NetFlow or IPFIX) provides network traffic visibility and anomaly detection, but it is not an endpoint security feature and cannot reverse file modifications. Option D is wrong because application blocking via policy uses allow/deny lists or path-based rules to prevent execution, but it lacks behavioral detection and the ability to undo changes after an attack.

68
MCQ · hard

An organization deploys AMP for Endpoints with the Orbital module to perform advanced endpoint telemetry. The team wants to create a query that retrieves all running processes with a network connection to an external IP address. Which Orbital query language syntax is correct?

A. SELECT * FROM all_processes WHERE ip = 'external'
B. SELECT * FROM all_processes WHERE listening = 'true'
C. SELECT * FROM processes WHERE network_connection = 'true'
D. SELECT * FROM all_processes WHERE remote_ip IN (SELECT ip FROM connections WHERE direction = 'OUT')
Answer: D

This correctly uses the 'all_processes' table with a subquery on 'connections' to filter processes with outgoing remote connections.

Why this answer

Option D is correct because querying the Orbital 'all_processes' table with an 'IN' filter against the connections table is the standard approach. Option C is incorrect because 'processes' is not a valid table; the table is 'all_processes'. Option B is incorrect because 'listening' refers to listening ports, not outgoing connections.

Option A is incorrect because its WHERE clause uses 'ip' without qualifying it.

69
MCQ · hard

During a threat hunt, you need to retrieve forensic data from a remote endpoint that is currently not communicating with the AMP cloud. Which Cisco tool enables you to perform an on-demand scan and collect telemetry from that endpoint even when it is offline?

A. Cisco Threat Response
B. Cisco Stealthwatch
C. Cisco Orbital
D. Cisco AMP Console
Answer: C

Orbital provides advanced endpoint querying and can execute on-demand or scheduled tasks even if the endpoint is offline.

Why this answer

Cisco Orbital allows you to issue commands to endpoints for forensic data collection. If the endpoint is unreachable, you can schedule a task to execute when it reconnects.

70
MCQ · easy

An organization is deploying Cisco Secure Endpoint (AMP) for the first time in a Windows environment. The security team wants to ensure that any file executed from a USB drive is automatically scanned and blocked if malicious. Which policy feature should be enabled to achieve this?

A. Enable File Reputation to check files against the cloud.
B. Enable Exploit Prevention to block malicious code execution.
C. Configure Quarantine actions for all file events.
D. Enable Removable Media Scan in the policy.
Answer: D

This feature automatically scans files on removable media when accessed.

Why this answer

Option D is correct because 'Removable Media Scan' in the AMP policy specifically scans files on removable media. Option A is wrong because 'File Reputation' is global scanning for all file executions and is not media-specific. Option B is wrong because 'Exploit Prevention' protects against exploits; it is not a file scanning feature.

Option C is wrong because 'Quarantine' is an action, not a feature that triggers scanning.

71
MCQ · hard

Based on the exhibit, what is the root cause of the AMP connector's inability to connect to the cloud?

A. The AMP cloud servers are blocking the connector's IP address.
B. The proxy server address is incorrect in the connector configuration.
C. The proxy requires authentication, and the AMP connector has no credentials configured.
D. The connector has no network connectivity to the internet.
Answer: C

The 407 error explicitly indicates proxy authentication failure.

Why this answer

Option C is correct. The log shows a 'Proxy authentication failed' error with a 407 status, indicating missing or incorrect proxy credentials. Option A is incorrect because the initial timeout was overwritten by later errors.

Option B is incorrect because the proxy is configured; it's the credentials that are missing. Option D is incorrect because the network connectivity was resolved; the proxy is rejecting the connection.

72
MCQ · hard

An organization is using Cisco Umbrella alongside Cisco AMP for Endpoints. A user reports that they cannot access a legitimate file-sharing website. However, the site is not categorized as malicious by Umbrella. What is the most likely reason for the block?

A. Cisco AMP's Intelligent Proxy detected the file download as potentially malicious and blocked it
B. The website's domain is in a custom block list
C. The endpoint's firewall is blocking the connection
D. The user is behind a proxy that is not configured with Umbrella
Answer: A

Umbrella's Intelligent Proxy can block files based on AMP's file reputation, even if the website is safe.

Why this answer

AMP's Intelligent Proxy (if using Umbrella's proxy) might block the file download if the file itself is classified as malicious by AMP even if the site is safe.

73
MCQ · hard

A company with 5,000 endpoints is using Cisco Secure Endpoint. The security team receives an alert that a specific file (SHA256: 8f4a...b2c) has been detected as malware on 10 endpoints. The file has been quarantined on those endpoints. The team wants to ensure that no other endpoints in the organization have this file. Which feature should be used to locate the file across all endpoints?

A. The Policy editor with file blacklist
B. Orbital Advanced Search
C. TETRA traffic analysis
D. The AMP Dashboard with event filters
Answer: B

Orbital can search across all endpoints for a specific file hash.

Why this answer

Orbital Advanced Search is the correct feature because it provides a powerful, query-based search capability across all endpoints managed by Cisco Secure Endpoint. It allows the security team to search for specific file hashes (like SHA256: 8f4a...b2c) across the entire endpoint fleet, identifying any endpoint that has the file present, regardless of whether it has been quarantined or not. This is the only option that enables proactive, organization-wide file discovery beyond simple alert-based or policy-driven actions.

Exam trap

Cisco often tests the distinction between reactive alert-based tools (like the AMP Dashboard) and proactive search capabilities (like Orbital), and the trap here is that candidates assume the dashboard's event filters can locate files across all endpoints, when in fact they only show events that have already been logged.

How to eliminate wrong answers

Option A is wrong because the Policy editor with file blacklist is a preventive control that blocks files from executing or being written, but it does not provide a search or discovery capability to locate files already present on endpoints. Option C is wrong because TETRA traffic analysis is a network-based detection and response tool that analyzes encrypted traffic patterns, not a file search mechanism for endpoints. Option D is wrong because the AMP Dashboard with event filters shows historical events and alerts, but it cannot perform a proactive, query-based search for a specific file hash across all endpoints; it only displays events that have already triggered alerts.

74
Multi-Select · hard

Which TWO configuration steps are required to enable Cisco AMP for Endpoints to use the Threat Grid appliance for file analysis?

Select 2 answers
A. Configure the AMP connector policy to submit files to the on-premises Threat Grid appliance.
B. Enable SSL decryption in the AMP connector policy.
C. Register the Threat Grid appliance in the AMP cloud as a private analysis provider.
D. Ensure the firewall allows inbound traffic to the Threat Grid appliance from the internet.
E. Install the Cisco Threat Grid Connector on each endpoint.
Answers: A, C

The connector policy must specify the Threat Grid appliance as the target for file analysis.

Why this answer

Option A is correct because the AMP for Endpoints connector policy must be configured to submit files to the on-premises Threat Grid appliance. This directs the endpoint connector to send suspicious files to the local Threat Grid for dynamic analysis instead of the public cloud. Option C is correct because the Threat Grid appliance must be registered in the AMP cloud as a private analysis provider, which creates a secure tunnel (using TLS) between the AMP cloud and the on-premises appliance, enabling file submission and result retrieval.

Exam trap

Cisco often tests the misconception that inbound firewall rules are needed for on-premises appliances, when in fact the Threat Grid appliance initiates outbound connections to the AMP cloud, making option D a common distractor.

75
Multi-Select · hard

Which TWO indicators of compromise (IOCs) can Cisco AMP for Endpoints detect and alert on?

Select 2 answers
A. Malicious DNS queries
B. Phishing email headers
C. Fileless attack techniques (e.g., PowerShell injection)
D. File-based malware (via file reputation and analysis)
E. Anomalous network traffic patterns
Answers: C, D

AMP behavioral analysis detects fileless attacks by monitoring process behavior.

Why this answer

Options C and D are correct. AMP detects malware through file hashes and behavioral analysis (fileless attacks). Option A is wrong because DNS queries are not directly detected by the AMP endpoint connector.

Option E is wrong because network traffic is analyzed by firewalls, not by endpoint AMP. Option B is wrong because email headers are not endpoint indicators.
