CCNA Endpoint Protection Questions

5 of 80 questions · Page 2/2 · Endpoint Protection topic

76
MCQ · hard

Refer to the exhibit. An engineer notices that a malicious file disguised as 'app.exe' in the FinanceApp folder (SHA-256 unknown to AMP) was blocked. However, another unknown executable in the same folder was also blocked, causing a false positive. What should the engineer change in the policy to allow only the legitimate 'app.exe' while still blocking unknown executables?

A. Remove the file exclusion for the FinanceApp folder entirely.
B. Remove the process exclusion for app.exe.
C. Change the action for unknown files from 'block' to 'detect'.
D. Change the file exclusion path to the exact full path of app.exe instead of a wildcard.
Answer: D

A specific path exclusion for app.exe will allow it while still blocking other unknown executables in the folder.

Why this answer

Option D is correct: an exclusion scoped to the exact full path of app.exe allows only that file, whereas the current wildcard exclusion prevents scanning of all files in that path, including app.exe, but also allows the other unknown files there. Option B is wrong because it removes the process exclusion, which may be needed for the legitimate app. Option C is wrong because changing the action to 'detect' would allow all unknown files to run.

Option A is wrong because removing the file exclusion completely would block app.exe too.

77
MCQ · medium

A security engineer is troubleshooting an issue where Cisco AMP for Endpoints is not detecting a known malware sample on a Windows endpoint. The endpoint is running Windows 10 with the latest AMP connector installed and is connected to the corporate network. The malware sample was downloaded from a trusted source for testing. Which configuration is most likely causing the lack of detection?

A. The connector is configured to operate in offline mode.
B. The file reputation scanning is disabled.
C. Custom detections are not configured for the malware.
D. Real-time scanning is disabled for the download directory.
Answer: A

In offline mode, the connector cannot perform cloud lookups for file hashes, so known malware may not be detected.

Why this answer

When Cisco AMP for Endpoints is in offline mode, the connector cannot communicate with the cloud-based threat intelligence and reputation servers. This prevents it from performing file reputation lookups and retrieving the latest malware signatures, so even known malware samples will not be detected. The connector relies on cloud lookups for real-time detection of new or known threats, and offline mode disables this critical function.

Exam trap

Cisco often tests the misconception that disabling real-time scanning or file reputation scanning is the primary cause of missed detections, when in fact the connector's inability to communicate with the cloud (offline mode) is the most direct and common reason for failing to detect known malware.

How to eliminate wrong answers

Option B is wrong because file reputation scanning is a core function that is enabled by default and cannot be disabled; the connector always performs reputation checks when online. Option C is wrong because custom detections are user-defined rules for specific indicators, but the question states the malware is a known sample that should be detected by built-in signatures, not custom rules. Option D is wrong because real-time scanning is a separate feature that monitors file system activity; even if disabled for a specific directory, the connector would still detect the malware via on-access or scheduled scans unless the entire connector is offline.

78
MCQ · easy

An organization wants to deploy AMP for Endpoints in an offline environment where endpoints cannot connect to the internet. Which deployment option is appropriate?

A. Deploy the AMP connectors with a local proxy caching all AMP communications.
B. Install a Cisco AMP Private Cloud appliance within the local network and point connectors to it.
C. Configure the AMP connectors in 'Standalone' mode to operate without cloud communication.
D. Use Cisco ESA as an intermediary to proxy AMP requests from endpoints.
Answer: B

Private Cloud provides all cloud functionality locally for offline environments.

Why this answer

Option B is correct because Cisco AMP supports a 'Private Cloud' appliance, which can be deployed in an isolated network and provides the cloud functionality locally. Option A is incorrect because a caching proxy still requires cloud connectivity for the connectors to have full functionality. Option C is incorrect because a 'Standalone' mode does not exist for AMP connectors.

Option D is incorrect because proxying requests through Cisco ESA does not enable offline operation without internet access.

79
MCQ · medium

A security engineer is deploying Cisco AMP for Endpoints to protect against malware. The company wants to block all executables from running in the Downloads folder except those signed by a specific trusted publisher. Which policy configuration should the engineer use?

A. Use the default malware protection policy, which automatically blocks untrusted executables in Downloads.
B. Create an Application Control rule to block all executables in the Downloads folder and add an exception for the trusted publisher.
C. Configure an Exclusion for the Downloads folder and then use a Custom Detection for untrusted executables.
D. Enable Simple Custom Detections with the SHA-256 hashes of all known executables.
Answer: B

Application Control allows blocking by path and creating exceptions based on publisher certificate.

Why this answer

Option B is correct because Cisco AMP for Endpoints uses Application Control rules to allow or block executables based on file path and publisher certificate. By creating a rule that blocks all executables in the Downloads folder and adding an exception for executables signed by the trusted publisher, the engineer achieves the exact requirement—only trusted signed executables can run from that folder.

Exam trap

The trap here is that candidates often confuse malware protection policies (which rely on reputation and analytics) with Application Control rules (which enforce explicit allow/block based on path and publisher), leading them to select the default malware protection option despite it not supporting folder-specific blocking based on publisher trust.

How to eliminate wrong answers

Option A is wrong because the default malware protection policy in AMP for Endpoints uses cloud-based file reputation and behavioral analysis, not path-based blocking of all untrusted executables in a specific folder. Option C is wrong because configuring an Exclusion for the Downloads folder would exempt it from all scanning, allowing any executable to run, and Custom Detections are for specific files or hashes, not for publisher-based exceptions. Option D is wrong because Simple Custom Detections rely on SHA-256 hashes, which is impractical for blocking all untrusted executables dynamically and does not support publisher-based trust exceptions.

80
Multi-Select · easy

Which THREE of the following are indicators of compromise (IOCs) that can be detected by Cisco AMP for Endpoints?

Select 3 answers
A. Physical access badge ID
B. Suspicious process execution
C. Malicious file SHA256 hash
D. Phishing URL in an email
E. Command-and-control IP address
Answers: B, C, E

AMP's behavioral protection detects malicious process behavior.

Why this answer

Options B, C, and E are correct. AMP can detect suspicious process executions (B), malicious file SHA256 hashes (C), and command-and-control IP addresses (E) as IOCs. Option D is incorrect because a phishing URL in an email is a social engineering indicator, not a technical IOC detected by AMP on the endpoint.

Option A is incorrect because physical intrusion (a badge ID) is not detected by endpoint software.
