24 Cards in this Set

  • Front
  • Back

SEP protections:

Compliance (Application / Device Control, System Lockdown & Host Integrity)

and Threat Protection

Threat Protection:

File-based protection

& Network Threat protection

3 file-based protection methods

Antivirus / antispyware signature scanning

Download protection (Download Insight, reputation-based)

SONAR: heuristic, targets behavior


Network Threat Protection levels

Custom IPS - OSI layer 2

Network IPS - Generic Exploit Blocking (GEB) (OSI layer 5)

Browser IPS - encrypted Java, ActiveX, Flash, etc. (OSI layer 7)

Host Integrity

Audits the endpoint against defined requirements.

(e.g. firewall, updates, patches, password complexity)

Insight: reputation data gathered from 175M endpoints.

What criteria determine the reputation score:



Source / System Hygiene

Previous Conviction

two types of Endpoint shared resources

Master Whitelisting: Virtual Image Exception (VIE)

Scan De-duplication: Shared insight cache (SIC)

Shared Insight Cache (SIC)

Server-side application cache listing known-good files, so other clients can skip rescanning them and scan performance improves.

(record kept in memory)

SEP policy is determined by location.

Is it possible to fake a location?

Office location = gateway MAC + connected to SEPM + intranet-assigned IP.

Boolean logic over multiple criteria = hard to fake (all criteria must match, not just one).

SEP architecture built around what 3 functional group of components?

Management - Events and Policy

Content Distribution - updates

Endpoint protection - protection and logs

4 content distribution methods

SEPM - central control

GUP - peer content proxy

LiveUpdate Server - non-Windows endpoints

Internet - direct from Symantec

Device Control vs System Lockdown

Device Control - whitelisting of authorized hardware connecting to the endpoint

System Lockdown - baselining a whitelist of allowed applications.

(ideal for POS, ATMs, kiosks, medical devices)

Application Control

Application Control blocks unwanted applications based on hash or filename.
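The difference between the two rule types on this card is easiest to see on a renamed binary. The following is an added example, not SEP code or Symantec's implementation: it applies a hypothetical filename rule and a hypothetical SHA-256 hash rule to a few constructed byte strings standing in for executables. A renamed copy evades the filename rule but not the hash rule; a copy with a single byte appended evades the hash rule, which is the usual caveat with hash-based blocking.

```python
import hashlib

# Constructed sample "files" (name -> bytes); harmless stand-ins, not real binaries.
SAMPLE_FILES = {
    "putty.exe": b"MZ\x90\x00 constructed-putty-body",
    "notes.exe": b"MZ\x90\x00 constructed-putty-body",    # same bytes, renamed
    "notes2.exe": b"MZ\x90\x00 constructed-putty-body!",  # one byte appended
    "calc.exe": b"MZ\x90\x00 constructed-calc-body",
}


def sha256_hex(data: bytes) -> str:
    """Hash the file body; the hash rule keys on this digest, not the name."""
    return hashlib.sha256(data).hexdigest()


# Hypothetical block rules, one of each kind the card names.
BLOCK_BY_NAME = {"putty.exe"}
BLOCK_BY_HASH = {sha256_hex(SAMPLE_FILES["putty.exe"])}


def blocked_by_name(name: str) -> bool:
    """Filename rule: trivially evaded by renaming the file."""
    return name.lower() in BLOCK_BY_NAME


def blocked_by_hash(data: bytes) -> bool:
    """Hash rule: survives renaming, but any byte change produces a new digest."""
    return sha256_hex(data) in BLOCK_BY_HASH


def evaluate(files: dict) -> dict:
    """Return, per file, whether each rule type would block it."""
    return {
        name: {"name_rule": blocked_by_name(name), "hash_rule": blocked_by_hash(body)}
        for name, body in files.items()
    }


if __name__ == "__main__":
    for name, verdict in evaluate(SAMPLE_FILES).items():
        print(f"{name:12} name_rule={verdict['name_rule']!s:5} hash_rule={verdict['hash_rule']}")
```

In practice a hash rule is paired with a whitelist baseline (System Lockdown) or a reputation lookup, because maintaining block hashes for every recompiled or repacked variant does not scale.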

Host Integrity

Very similar to Microsoft's deprecated NAP (Network Access Protection).

Blocks access to everything except the remediation server if the configuration is out of requirements

(AV, firewall, patch, or service pack).
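The quarantine logic on the two Host Integrity cards above can be written down directly. This is an added example, not SEP's Host Integrity engine: the endpoint state is a constructed snapshot, the requirement thresholds (definition age, OS build number, password length) and the remediation hostname are assumptions chosen for illustration, and the output is the list of failed requirements plus the set of destinations the host may still reach.

```python
from dataclasses import dataclass


@dataclass
class EndpointState:
    """Constructed snapshot of what a Host Integrity check reads off the endpoint."""
    av_running: bool
    av_defs_age_days: int
    firewall_enabled: bool
    os_build: int
    min_password_length: int


# Hypothetical requirement set: (description, predicate). Thresholds are illustrative.
REQUIREMENTS = [
    ("antivirus service running", lambda e: e.av_running),
    ("AV definitions younger than 7 days", lambda e: e.av_defs_age_days < 7),
    ("host firewall enabled", lambda e: e.firewall_enabled),
    ("OS build at or above 19045", lambda e: e.os_build >= 19045),
    ("minimum password length 12", lambda e: e.min_password_length >= 12),
]

REMEDIATION_SERVER = "remediation.example.internal"  # hypothetical hostname


def failed_requirements(state: EndpointState) -> list:
    """Audit the endpoint; return the description of every requirement it fails."""
    return [desc for desc, check in REQUIREMENTS if not check(state)]


def allowed_destinations(state: EndpointState) -> set:
    """Quarantine decision: compliant hosts get full access ('*'),
    everything else may only reach the remediation server."""
    return {"*"} if not failed_requirements(state) else {REMEDIATION_SERVER}


# Constructed endpoints covering the pass case and two failure cases.
COMPLIANT = EndpointState(True, 1, True, 19045, 14)
STALE_DEFS = EndpointState(True, 12, True, 19045, 14)
UNPATCHED_NO_FW = EndpointState(True, 2, False, 19041, 8)

if __name__ == "__main__":
    for label, st in [("compliant", COMPLIANT), ("stale defs", STALE_DEFS),
                      ("unpatched", UNPATCHED_NO_FW)]:
        print(label, failed_requirements(st), allowed_destinations(st))
```

The check is only as strong as the inputs: a client that self-reports its state can be lied to, which is why Host Integrity results are normally combined with a policy the client cannot override and an enforcement point (firewall rule or network quarantine) outside the checked configuration.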

When is scan randomization a requirement?

If scheduled scans don't start at randomized times, every endpoint scans at once and CPU / IO usage spikes; this is called an AV storm.
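Why the randomization window matters can be shown with a small simulation. This is an added example, not SEP code: it assumes 500 endpoints, a 15-minute scan and a 240-minute randomization window (SEP's scheduled-scan policy has a randomization option; the specific numbers here are assumptions) and counts how many scans run concurrently in the worst minute with and without randomization.

```python
import random
from collections import Counter

SCAN_MINUTES = 15       # how long one endpoint's scan keeps CPU/IO busy (assumed)
SCHEDULED_START = 120   # minute of day the policy schedules the scan, 02:00 (assumed)
RANDOM_WINDOW = 240     # randomization window in minutes (assumed)


def peak_concurrent(starts, duration=SCAN_MINUTES) -> int:
    """Count scans in progress per minute and return the worst minute's count."""
    busy = Counter()
    for s in starts:
        for minute in range(s, s + duration):
            busy[minute] += 1
    return max(busy.values())


def fixed_starts(n_hosts: int, scheduled=SCHEDULED_START) -> list:
    """No randomization: every host starts at the scheduled minute."""
    return [scheduled] * n_hosts


def randomized_starts(n_hosts: int, scheduled=SCHEDULED_START,
                      window=RANDOM_WINDOW, seed=7) -> list:
    """Each host picks a uniform offset inside the window (seeded for repeatability)."""
    rng = random.Random(seed)
    return [scheduled + rng.randrange(window) for _ in range(n_hosts)]


def compare(n_hosts: int = 500) -> dict:
    """Peak concurrency for the storm case versus the randomized case."""
    return {
        "fixed": peak_concurrent(fixed_starts(n_hosts)),
        "randomized": peak_concurrent(randomized_starts(n_hosts)),
    }


if __name__ == "__main__":
    print(compare())
```

With these numbers the fixed schedule has all 500 scans contending at once, while the randomized schedule averages about 500 × 15 / 240 ≈ 31 concurrent scans. The same arithmetic applies to shared hosts (virtualization, VDI), where the contention is for one physical disk and CPU rather than 500 separate ones.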

What is shared insight cache

de-duplicating the scan process between machines.

Network Threat Protection

Deep packet inspection:

browser intrusion prevention (intercepts API calls)

network intrusion prevention (Snort-style signatures)

Symantec's embedded malware and rootkit detection and removal engine

Power Eraser

What does live update distribute

Virus /spyware definitions

SONAR heuristic signatures

reputation and whitelists

Intrusion Prevention Signatures

Symantec Endpoint Protection Manager (SEPM) roles:

manage clients thru policy

distribute content

logs / alerts

post config /settings to DB

ELAM (Early-Launch Anti-Malware) driver

Microsoft mechanism on Windows 8 and later: the anti-malware driver loads before other boot-start drivers and evaluates each one, preventing malware from launching as a boot-start driver or service.

A driver that fails the check (e.g. unsigned / untrusted) is prevented from loading and is then remediated.

What do Mac and Linux clients have only?

Linux: AV (anti virus) only

(no distribution)

Mac: AV and IPS

CSV (Cluster Shared Volume) cache

Enable for read-intensive workloads: allows system RAM to be used as a write-through (read) cache for CSV.

Types of Quorum

(auto managed)

Node Majority - used with an odd number of nodes

Node & Disk Majority - even number of nodes (disk witness adds 1 vote)

Node & File Share Majority - same as Node & Disk but the extra vote comes from a file share witness. For special configurations (e.g. no shared storage).

Multi-Site Cluster - put the file share witness on a 3rd site.
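The vote arithmetic behind these quorum modes is short enough to compute, and it explains the odd/even rule and the third-site witness on the cards above. This is an added example, not Windows Failover Clustering code: it models static votes (one per node, one per witness) with a strict-majority rule; it does not model dynamic quorum, which newer Windows Server versions use to adjust votes as nodes leave.

```python
def votes(nodes: int, witness: bool) -> int:
    """One vote per node plus one for a disk or file share witness."""
    return nodes + (1 if witness else 0)


def votes_needed(total: int) -> int:
    """Strict majority of configured votes."""
    return total // 2 + 1


def failures_tolerated(nodes: int, witness: bool = False) -> int:
    """How many votes can be lost before the cluster loses quorum."""
    total = votes(nodes, witness)
    return total - votes_needed(total)


def recommended_mode(nodes: int) -> str:
    """Odd node counts already have a majority; even counts need a witness vote."""
    return "Node Majority" if nodes % 2 == 1 else "Node and Disk (or File Share) Majority"


def survives_site_loss(nodes_per_site: int, witness_on_third_site: bool) -> bool:
    """Two equal sites: after one site drops, does the other still hold a majority?"""
    total = votes(2 * nodes_per_site, witness_on_third_site)
    remaining = nodes_per_site + (1 if witness_on_third_site else 0)
    return remaining >= votes_needed(total)


if __name__ == "__main__":
    for n in (2, 3, 4, 5):
        print(n, "nodes:", recommended_mode(n),
              "| tolerates", failures_tolerated(n), "without witness,",
              failures_tolerated(n, witness=True), "with witness")
    print("2+2 sites, no witness:", survives_site_loss(2, False))
    print("2+2 sites, witness on 3rd site:", survives_site_loss(2, True))
```

Two results worth noticing: adding a witness to an odd node count buys nothing (3 nodes tolerate 1 failure either way), and in a two-site cluster the witness only helps if it sits at a third site, because a witness placed at either data centre goes down with that site.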

New-Cluster -AdministrativeAccessPoint Dns

Deploy an Active Directory-detached cluster: no cluster computer object is created in AD; the administrative access point is registered in DNS only.

(e.g. for a SQL Server cluster in a DMZ)