24 Cards in this Set
SEP protections: Compliance / Threat protection |
Compliance: Application / Device control, System lockdown, Host integrity
Threat protection: File-based protection, Network threat protection |
|
3 file-based protection methods |
Download protection; SONAR (heuristic, targets behavior); Signature |
|
Network Threat Protection levels |
Custom IPS - OSI level 2; Network IPS - Generic Exploit Blocking (GEB) (OSI level 5); Browser IPS - encrypted Java, ActiveX, Flash, etc. (OSI level 7) |
|
Host Integrity |
Audits the endpoint against defined requirements (e.g. firewall, updates, patches, password complexity). |
|
What criteria determine the reputation score? |
Age; Prevalence; Source / System hygiene; Previous conviction |
|
Two types of endpoint shared resources |
Master whitelisting: Virtual Image Exception (VIE); Scan de-duplication: Shared Insight Cache (SIC) |
|
Shared Insight Cache (SIC) |
Server application that caches a list of known-good files to optimize scan performance (records kept in memory). |
|
SEP policy is determined by location. Is it possible to fake a location? |
Office location = gateway MAC + connected to SEPM + intranet-assigned IP. Boolean logic over multiple criteria makes it hard to fake. |
|
SEP architecture is built around what 3 functional groups of components? |
Management - events and policy; Content distribution - updates; Endpoint protection - protection and logs |
|
4 content distribution methods |
SEPM - central control; GUP - peer content proxy; LiveUpdate Server - non-Windows endpoints; Internet - direct from Symantec |
|
Device Control vs System Lockdown |
Device Control - whitelisting of authorized hardware connecting to the endpoint. System Lockdown - baselining a whitelist of allowed applications (ideal for POS, ATMs, kiosks, medical devices). |
|
Application control |
Application Control blocks unwanted applications based on hash or filename. |
|
Host integrity |
Very similar to Microsoft's deprecated NAP (Network Access Protection): blocks access to everything except the remediation server if the configuration is out of requirements (AV, firewall, patch, or service pack). |
|
When is scan randomization a requirement? |
Virtualization. If scans don't occur at random times, CPU / IO usage spikes; this is called an AV storm. |
|
What is Shared Insight Cache? |
De-duplicates the scan process between machines. |
|
Network Threat protection |
Deep packet inspection: browser intrusion prevention (intercepts API calls); network intrusion prevention (Snort) |
|
Symantec's embedded malware and rootkit detection and removal engine |
Power Eraser |
|
What does LiveUpdate distribute? |
Virus / spyware definitions; SONAR heuristic signatures; reputation and whitelists; Intrusion Prevention signatures |
|
Symantec Endpoint Protection Manager (SEPM) roles: |
Manage clients through policy; distribute content; logs / alerts; post config / settings to DB |
|
ELAM (Early Launch Anti-Malware) driver |
Prevents malware from launching as services on Windows 8 and later. Service provided by Microsoft. Blocks the unsigned driver and then remediates. |
|
What features do the Mac and Linux clients have? |
Linux: AV (antivirus) only (no distribution); Mac: AV and IPS |
|
Enable the CSV (Cluster Shared Volume) cache, optimized for read-intensive workloads |
Allows system RAM to be used as a write-through cache. PowerShell: EnableBlockCache, BlockCacheSize |
|
Types of quorum (auto-managed) |
Node majority - used with an odd # of nodes; Node & Disk majority - even # of nodes; Node, Disk, & File Share - same as Node & Disk plus 1 vote for the file share, for special configurations; Multi-site cluster - put the file share on a 3rd site. |
|
New-Cluster -AdministrativeAccessPoint Dns |
Deploy a cluster outside of AD (e.g. for a SQL Server cluster in a DMZ). |