24 Cards in this Set

  • Front
  • Back

SEP protections:

Compliance / Threat protection

Compliance:

App / Device control, System lockdown
& Host integrity




Threat Protection:

File-based protection
& Network Threat protection



3 File-based protection methods

Download protection
SONAR: heuristic, targets behavior
Signature

Network Threat Protection levels

Custom IPS - OSI level 2
Network IPS - Generic Exploit Blocking (GEB) (OSI lvl 5)
Browser IPS - Encrypted Java, ActiveX, Flash, etc. (OSI lvl 7)



Host Integrity

Audits endpoint against defined requirements.
(i.e. firewall, updates, patches, password complexity)







What criteria determine the reputation score:

Age
Prevalence
Source / System Hygiene
Previous Conviction

Two types of Endpoint shared resources

Master Whitelisting: Virtual Image Exception (VIE)
Scan De-duplication: Shared Insight Cache (SIC)

Shared Insight Cache (SIC)

Server application cache listing known good files to optimize scan performance.
(record kept in memory)

SEP policy is determined by location.
Is it possible to fake a location?

Office location = GW MAC + connected to SEPM + intranet-given IP.
Boolean logic and multiple criteria = hard to fake.

SEP architecture is built around what 3 functional groups of components?

Management - Events and Policy
Content Distribution - updates
Endpoint protection - protection and logs

4 content distribution methods

SEPM - central control
GUP - peer content proxy
LiveUpdate Server - non-Windows endpoints
Internet - direct from Symantec

Device Control vs System Lockdown

Device Control - whitelisting of authorized hardware connecting to the endpoint
System Lockdown - baselining a whitelist of allowed applications.
(ideal for POS, ATMs, kiosks, medical)

Application control

Application Control blocks unwanted applications based on hash or filename.

Host integrity

Very similar to MS's deprecated NAP (Network Access Protection).
Blocks access to everything except the remediation server if the configuration does not meet requirements
(AV, Firewall, patch, or Service pack)

When is scan randomization a requirement?

Virtualization.
If scans don't occur at a random time, CPU / IO usage will spike; this is called an AV storm.

What is Shared Insight Cache?

de-duplicating the scan process between machines.

Network Threat protection

Deep packet inspection:
browser intrusion prevention (intercept API calls)
network intrusion prevention (snort)

Symantec's embedded malware and rootkit detection removal engine

Power Eraser

What does LiveUpdate distribute?

Virus / spyware definitions
SONAR heuristic signatures
reputation and whitelists
Intrusion Prevention Signatures

Symantec Endpoint Protection Manager (SEPM) roles:

manage clients through policy
distribute content
logs / alerts
post config / settings to DB

ELAM (Early-Launch Anti-Malware) driver

Prevents malware from launching as services on Windows 8 and greater.
Service by Microsoft.
Blocks the driver because it is unsigned, then remediates.

What do Mac and Linux clients have only?

Linux: AV (anti-virus) only
(no distribution)
Mac: AV and IPS

Enable CSV (Cluster Shared Volume) cache, optimized for read-intensive workloads

Allows system RAM to be used as a write-through cache:
PowerShell:
EnableBlockCache
BlockCacheSize

Types of Quorum
(auto managed)

Node majority - used with odd # of nodes
Node & Disk majority - even # of nodes
Node, Disk, & File Share - same as Node & Disk plus 1 vote for the file share. For special configurations.
Multi-Site Cluster - put file share on 3rd site.

New-Cluster -AdministrativeAccessPoint Dns

Deploy a cluster outside of AD.
(i.e. for a SQL Server cluster in a DMZ)