
Endpoint Protection and Detection practice questions

Practise Cisco SCOR / CCNP Security Core 350-701 Endpoint Protection and Detection practice questions — original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security
20 questions · Domain: Endpoint Protection and Detection

What the exam tests

What to know about Endpoint Protection and Detection

IPv6 questions usually test address types (link-local, global unicast, ULA), autoconfiguration (SLAAC), Neighbor Discovery Protocol and the differences from IPv4.

  • IPv6 address types and their scopes (link-local, global unicast, multicast, ULA).
  • SLAAC vs DHCPv6 vs stateful assignment.
  • Neighbor Discovery Protocol replacing ARP.
  • IPv6 routing differences and dual-stack coexistence.

Watch out for

Common Endpoint Protection and Detection exam traps

  • Link-local addresses are not routable beyond the local link.
  • SLAAC uses EUI-64 or random interface IDs — not a DHCP server.
  • NDP uses ICMPv6, not ARP.
  • An IPv6 prefix is /64 for most host subnets, not /24.

Practice set

Endpoint Protection and Detection questions

20 questions · select your answer, then reveal the explanation

A security administrator notices that several endpoints in the finance department are exhibiting unusual network behavior, including connections to known malicious IP addresses. The administrator has deployed Cisco Secure Endpoint (formerly AMP for Endpoints) with TETRA and has enabled the built-in firewall. What is the best course of action to quickly identify the root cause and contain the threat?

An organization wants to prevent malware from executing on endpoints by using a file reputation service. Which Cisco technology provides cloud-based file reputation and analysis for endpoint protection?

A security engineer is troubleshooting an issue where a known malicious file (SHA-256: 3a7c...f9e) is not being detected by Cisco Secure Endpoint on a Windows 10 endpoint. The file was downloaded from the internet. The policy has the 'File Reputation' setting set to 'Use cloud lookup', and the 'Exploit Prevention' module is enabled. The endpoint is connected to the internet and can reach the AMP cloud. What is the most likely reason for the missed detection?

A security analyst is investigating an alert from Cisco Secure Endpoint indicating that an endpoint has been infected with ransomware. The analyst wants to determine the initial infection vector. Which feature of Cisco Secure Endpoint should the analyst use to trace the chain of events leading to the infection?

A company is deploying Cisco Secure Endpoint and wants to ensure that endpoints are protected against zero-day exploits. Which two features should be enabled to provide this protection? (Choose two.)

A network administrator is configuring endpoint protection policies for a large enterprise. The requirement is to allow only approved software to run on endpoints, while blocking all other executables. Which two Cisco Secure Endpoint features should be configured? (Choose two.)

Refer to the exhibit. An analyst reviews the log from a Cisco Secure Endpoint connector. The file 'invoice.pdf.exe' was quarantined. What best describes the detection process that occurred?

Exhibit

```
Cisco Secure Endpoint Connector Log
[2025-03-15 10:23:45] File scan initiated: C:\Users\jdoe\Downloads\invoice.pdf.exe
[2025-03-15 10:23:46] File reputation check: SHA256=2a3b...c4d5
[2025-03-15 10:23:46] Cloud lookup: result=UNKNOWN
[2025-03-15 10:23:47] File disposition: UNKNOWN
[2025-03-15 10:23:47] Local analysis: verdict=Malicious (score=85)
[2025-03-15 10:23:47] Action: Quarantine file
```
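
The exhibit above is a short event chain, and the useful skill is reading it as one: the cloud had no verdict, so the decision came from the local engine. The following Python is an added example written for this page, not Cisco code and not part of the original question. It assumes the "[timestamp] Event: detail" line shape and the key=value fields seen in the exhibit (these are assumptions, not a documented connector format), parses the lines, and attributes the final action to the stage that actually produced the conviction. A second constructed log, where local analysis also finds nothing, shows the other branch.

```python
import re
from typing import Any, Dict, List, Tuple

# Constructed sample, modelled on the exhibit's connector log. The "[timestamp] Event: detail"
# line shape and the key=value fields are assumptions for this example, not a documented format.
SAMPLE_LOG = """\
[2025-03-15 10:23:45] File scan initiated: C:\\Users\\jdoe\\Downloads\\invoice.pdf.exe
[2025-03-15 10:23:46] File reputation check: SHA256=2a3b...c4d5
[2025-03-15 10:23:46] Cloud lookup: result=UNKNOWN
[2025-03-15 10:23:47] File disposition: UNKNOWN
[2025-03-15 10:23:47] Local analysis: verdict=Malicious (score=85)
[2025-03-15 10:23:47] Action: Quarantine file
"""

# Second constructed variant: the cloud again has no verdict, but local analysis finds nothing.
CLEAN_LOG = """\
[2025-03-15 11:02:10] File scan initiated: C:\\Users\\jdoe\\Downloads\\report.pdf
[2025-03-15 11:02:10] File reputation check: SHA256=9f1e...77aa
[2025-03-15 11:02:11] Cloud lookup: result=UNKNOWN
[2025-03-15 11:02:11] File disposition: UNKNOWN
[2025-03-15 11:02:12] Local analysis: verdict=Clean (score=3)
[2025-03-15 11:02:12] Action: Allow
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+(?P<event>[^:]+):\s*(?P<detail>.*)$")

Event = Tuple[str, str, str]


def parse_log(text: str) -> List[Event]:
    """Split each '[ts] Event: detail' line into (ts, event, detail); ignore lines that do not match."""
    events: List[Event] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((m["ts"], m["event"].strip(), m["detail"].strip()))
    return events


def summarize_detection(events: List[Event]) -> Dict[str, Any]:
    """Collapse the event chain into the fields an analyst wants, plus which stage produced the verdict."""
    s: Dict[str, Any] = {
        "path": None, "sha256": None, "cloud_result": None, "disposition": None,
        "local_verdict": None, "local_score": None, "action": None, "decided_by": None,
    }
    for _ts, event, detail in events:
        if event == "File scan initiated":
            s["path"] = detail
        elif event == "File reputation check":
            m = re.search(r"SHA256=(\S+)", detail)
            s["sha256"] = m.group(1) if m else None
        elif event == "Cloud lookup":
            m = re.search(r"result=(\S+)", detail)
            s["cloud_result"] = m.group(1).upper() if m else None
        elif event == "File disposition":
            s["disposition"] = detail.upper()
        elif event == "Local analysis":
            m = re.search(r"verdict=(\w+)\s*\(score=(\d+)\)", detail)
            if m:
                s["local_verdict"] = m.group(1)
                s["local_score"] = int(m.group(2))
        elif event == "Action":
            s["action"] = detail
    # Attribution: a cloud disposition of MALICIOUS/MALWARE is decisive on its own. When the cloud
    # has no opinion (UNKNOWN), a local Malicious verdict is what drove the action; otherwise
    # nothing convicted the file and the action should be an allow.
    if s["disposition"] in ("MALICIOUS", "MALWARE"):
        s["decided_by"] = "cloud reputation"
    elif s["local_verdict"] == "Malicious":
        s["decided_by"] = "local analysis"
    else:
        s["decided_by"] = "no conviction"
    return s


def explain(summary: Dict[str, Any]) -> str:
    """One-line narrative of the decision chain, in the order the connector evaluated it."""
    return (f"{summary['path']}: cloud lookup={summary['cloud_result']}, "
            f"local verdict={summary['local_verdict']} (score {summary['local_score']}), "
            f"action={summary['action']} -> decided by {summary['decided_by']}")


if __name__ == "__main__":
    for log in (SAMPLE_LOG, CLEAN_LOG):
        print(explain(summarize_detection(parse_log(log))))
```

The attribution rule is the point to internalise for exam scenarios of this kind: an UNKNOWN cloud disposition is not a clean verdict, it is the absence of one, and the action that follows is owned by whichever local stage ran next.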

Refer to the exhibit. A security engineer reviews the Cisco Secure Endpoint policy. If an endpoint is offline when a user downloads a file, what will happen?

Exhibit

```
! Cisco Secure Endpoint Policy Snippet
! File Reputation Settings
file-reputation cloud-lookup enable
file-reputation local-cache enable
file-reputation timeout 5
! Exploit Prevention Settings
exploit-prevention enable
exploit-prevention level aggressive
! Malware Protection Settings
malware-protection enable
malware-protection scan-on-execution enable
malware-protection scan-on-write enable
```

A security analyst is investigating a compromised endpoint that is part of a botnet. The endpoint is running Cisco Secure Endpoint with TETRA. The analyst notices that the endpoint is communicating with a command-and-control (C2) server over HTTPS. Which TETRA feature would be most effective in detecting this traffic?

A company with 5,000 endpoints is using Cisco Secure Endpoint. The security team receives an alert that a specific file (SHA256: 8f4a...b2c) has been detected as malware on 10 endpoints. The file has been quarantined on those endpoints. The team wants to ensure that no other endpoints in the organization have this file. Which feature should be used to locate the file across all endpoints?

A security engineer is troubleshooting an issue where Cisco AMP for Endpoints is not detecting a known malware sample on a Windows endpoint. The endpoint is running Windows 10 with the latest AMP connector installed and is connected to the corporate network. The malware sample was downloaded from a trusted source for testing. Which configuration is most likely causing the lack of detection?

An organization wants to implement endpoint protection that uses behavioral analysis to detect ransomware. The solution must be able to roll back changes made by the ransomware after detection. Which Cisco endpoint security feature provides this capability?

Which TWO configuration steps are required to enable Cisco AMP for Endpoints to use the Threat Grid appliance for file analysis?

Question 14 · hard · multiple choice

An administrator reviews the AMP event log shown in the exhibit. The same file hash appears in all events. What is the most likely explanation for the third event showing a 'TETRA Event' with 'Action: Quarantine' and 'Disposition: Unknown'?

Exhibit

Cisco AMP for Endpoints event log:

```
Event Type: Detection
Threat: W32.Ransomware
File Name: encrypt.exe
File Path: C:\Users\test\Downloads\encrypt.exe
Action: Blocked
Disposition: Malware
File Hash: a1b2c3d4e5f6...

Event Type: Detection
Threat: W32.Ransomware
File Name: encrypt.exe
File Path: C:\Users\test\AppData\Local\Temp\encrypt.exe
Action: Blocked
Disposition: Malware
File Hash: a1b2c3d4e5f6...

Event Type: TETRA Event
Threat: W32.Ransomware
File Name: encrypt.exe
File Path: C:\Users\test\AppData\Roaming\encrypt.exe
Action: Quarantine
Disposition: Unknown
File Hash: a1b2c3d4e5f6...
```

Question 15 · medium · multiple choice

A company with 500 endpoints uses Cisco AMP for Endpoints with a private cloud and a single Threat Grid appliance for file analysis. The security team notices that some endpoints are not receiving updates to the local malware signatures for over 24 hours. The AMP console shows these endpoints as 'Out of Date'. The network team confirms that the endpoints can reach the private cloud server on TCP port 443. The endpoints are running Windows 10 with the latest AMP connector version. The private cloud server has sufficient disk space and is running normally. The AMP console shows that the 'Update Policy' is enabled and set to download signatures every 4 hours. Which action should the administrator take to resolve the issue?

A security engineer is deploying Cisco AMP for Endpoints to protect against malware. The company wants to block all executables from running in the Downloads folder except those signed by a specific trusted publisher. Which policy configuration should the engineer use?

Which THREE of the following are capabilities of Cisco Threat Response (CTR) that integrate with endpoint telemetry for accelerated detection and response?

Question 18 · hard · multiple choice

Refer to the exhibit. A network administrator configured IP Source Guard and DHCP Snooping on a switch. A host connected to GigabitEthernet0/2 with MAC address 0050.7966.6801 has been assigned IP 192.168.1.10 via DHCP. The host now tries to use IP 192.168.1.20. What will happen?

Exhibit

```
interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip verify source
 ip dhcp snooping limit rate 10
 ip dhcp snooping trust
!
interface GigabitEthernet0/2
 switchport mode access
 ip verify source
 ip dhcp snooping limit rate 5
!
ip dhcp snooping vlan 10
!
ip source binding 0050.7966.6801 vlan 10 192.168.1.10 interface GigabitEthernet0/2
```
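
The mechanism behind this question is a per-port lookup against the binding table, so it helps to see that lookup as code. The Python below is an added example written for this page; it is not Cisco's implementation and not part of the original question. It reads the exhibit's configuration text, extracts the `ip verify source` ports and the static `ip source binding` entry, and then filters sample packets with a deliberately simplified model: a port with `ip verify source` permits a packet only if a binding matches its interface, VLAN and source IP (and the MAC as well when the port-security variant is configured), DHCP traffic is passed so a host can still obtain a lease, and ports without the feature are not filtered. The two sample packets and the "ip-mac" variant are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Configuration text taken from the exhibit above. The filtering model that follows is a
# simplified illustration of IP Source Guard behaviour, not Cisco's implementation.
SWITCH_CONFIG = """\
interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip verify source
 ip dhcp snooping limit rate 10
 ip dhcp snooping trust
!
interface GigabitEthernet0/2
 switchport mode access
 ip verify source
 ip dhcp snooping limit rate 5
!
ip dhcp snooping vlan 10
!
ip source binding 0050.7966.6801 vlan 10 192.168.1.10 interface GigabitEthernet0/2
"""

BINDING_RE = re.compile(r"ip source binding (\S+) vlan (\d+) (\S+) interface (\S+)")


@dataclass(frozen=True)
class Binding:
    """One binding-table entry: the only (MAC, VLAN, IP, port) tuple the port will accept."""
    mac: str
    vlan: int
    ip: str
    interface: str


def parse_config(text: str) -> Tuple[List[Binding], Dict[str, str]]:
    """Return the static bindings and a map of interface -> 'ip' or 'ip-mac' for verify-source ports."""
    bindings: List[Binding] = []
    verify: Dict[str, str] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
        elif line == "!":
            current = None
        elif line.startswith("ip verify source") and current:
            # 'ip verify source port-security' also checks the source MAC (assumed keyword form)
            verify[current] = "ip-mac" if "port-security" in line else "ip"
        else:
            m = BINDING_RE.match(line)
            if m:
                bindings.append(Binding(m.group(1), int(m.group(2)), m.group(3), m.group(4)))
    return bindings, verify


def filter_packet(bindings: List[Binding], verify: Dict[str, str], interface: str,
                  vlan: int, src_mac: str, src_ip: str, dhcp: bool = False) -> str:
    """Decide 'permit' or 'drop' for a packet arriving on a port, using the binding table."""
    mode = verify.get(interface)
    if mode is None:
        return "permit"            # IP Source Guard is not enabled on this port
    if dhcp:
        return "permit"            # DHCP is let through so a host can obtain (and populate) a binding
    for b in bindings:
        if b.interface == interface and b.vlan == vlan and b.ip == src_ip:
            if mode == "ip" or b.mac == src_mac:
                return "permit"
    return "drop"                  # no binding for this source on this port: spoofed or unlearned address


if __name__ == "__main__":
    table, ports = parse_config(SWITCH_CONFIG)
    # Constructed sample packets from the host on Gi0/2: its bound address, then an address it never leased.
    for ip in ("192.168.1.10", "192.168.1.20"):
        print(ip, "->", filter_packet(table, ports, "GigabitEthernet0/2", 10, "0050.7966.6801", ip))
```

Running it prints one permit and one drop; the 192.168.1.20 packet has no entry in the table, and on a verify-source port that is all the switch needs to know. The `dhcp` flag is there because the edge case matters in practice: if DHCP were filtered too, a host with no binding yet could never get one.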

Question 19 · medium · drag order

Drag and drop the steps to configure a site-to-site IPsec VPN on a Cisco ASA into the correct order.

Question 20 · medium · drag order

Drag and drop the steps to configure a Cisco ASA for remote access VPN using AnyConnect in the correct order.



Frequently asked questions

What does the 350-701 exam test about Endpoint Protection and Detection?
IPv6 questions usually test address types (link-local, global unicast, ULA), autoconfiguration (SLAAC), Neighbor Discovery Protocol and the differences from IPv4.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Endpoint Protection and Detection questions in a focused session?
Yes — the session launcher on this page draws every question from the Endpoint Protection and Detection domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other 350-701 topics?
Use the topic links above to move to related areas, or go back to the 350-701 question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the 350-701 exam covers. They are not copied from any real exam or dump site.