Exam (elaborations), Questions & answers. Course: EDR. 17 pages (preview of 3). Posted November 17, 2024 by seller EWLindy.
Endpoint Protection and Detection
Exam Tested Questions With
Revised Correct Detailed Answers
>Latest Update>>

1. EDR Solution Summary
Endpoint Detection and Response (EDR) tools record and analyze file, process, and network activity on endpoints, detect suspicious behaviour, and support response actions.

EDR solutions typically require a client (agent) to be installed on each device that is to be monitored.
2. What 3 things can a good EDR solution provide?
Filtering
Threat Blocking
DFIR (Digital Forensics and Incident Response)
3. What are 2 examples of Endpoint Protection platforms?
AMP for Endpoints
CylancePROTECT
4. What is AMP for Endpoints?
An antivirus client that runs on devices and connects to the AMP cloud for definitions (such as file hashes). This allows continuous malware detection, analysis, and blocking, plus retrospective views of files the connector has already seen.

When a file is moved, executed, or copied, the AMP connector computes the file's SHA-256 hash and queries the AMP cloud for the file's disposition. If the disposition is Unknown, the connector can be configured to send the whole file for sandbox analysis.
5. What are the 3 primary AMP for Endpoints file features?
File Reputation
File Sandboxing
File Retrospection
6. AMP has a public and a private cloud solution. Why?
Most companies use the public AMP cloud. However, if your company handles sensitive files, you may not want them sent to and from the public cloud for analysis; a private AMP cloud solution lets you host the AMP cloud locally. This is much less common.
7. What are the 3 file dispositions the AMP cloud can give a file?
Clean
Unknown
Malware
(The hash is sent to the cloud; if the disposition is Unknown, the file can be sent for ThreatGrid sandbox analysis.)
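The lookup flow from questions 4, 5 and 7 (hash on a file event, ask the cloud for a disposition, sandbox anything Unknown, then apply the verdict retrospectively to every place the file was already seen) is easier to reason about as code. The following is an added example written for these notes, not Cisco connector code: the in-memory "cloud", the sandbox verdict rule (a marker string in the file), the host name and the sample files are all constructed for the demo.

```python
"""Constructed simulation of the AMP for Endpoints file-disposition flow:
hash on file event -> cloud lookup (Clean / Unknown / Malware) -> sandbox
Unknown files -> retrospective alerts when a disposition changes.
Example code for these notes, not Cisco's connector; the cloud table,
sandbox rule and sample files are made up."""
import hashlib
from collections import defaultdict

CLEAN, UNKNOWN, MALWARE = "Clean", "Unknown", "Malware"


class AmpCloudSim:
    """Stand-in for the AMP cloud: a sha256 -> disposition table plus a sandbox queue."""

    def __init__(self, known):
        self.dispositions = dict(known)   # assumption: pre-seeded from "intelligence sources"
        self.sandbox_queue = []           # files awaiting dynamic analysis

    def lookup(self, sha256):
        return self.dispositions.get(sha256, UNKNOWN)

    def submit_for_sandbox(self, sha256, content):
        self.sandbox_queue.append((sha256, content))

    def run_sandbox(self):
        """Toy dynamic analysis: a file is Malware if it carries the constructed
        marker b"EVIL", otherwise Clean. Returns hashes whose disposition changed."""
        changed = []
        while self.sandbox_queue:
            sha256, content = self.sandbox_queue.pop(0)
            verdict = MALWARE if b"EVIL" in content else CLEAN
            if self.dispositions.get(sha256) != verdict:
                self.dispositions[sha256] = verdict
                changed.append(sha256)
        return changed


class AmpConnectorSim:
    """Stand-in for the connector: hashes files on events, keeps a file
    trajectory, and re-evaluates past sightings when the cloud changes a verdict."""

    def __init__(self, cloud, device):
        self.cloud = cloud
        self.device = device
        self.trajectory = defaultdict(list)  # sha256 -> [(device, path, event)]
        self.alerts = []

    def on_file_event(self, path, content, event):
        sha256 = hashlib.sha256(content).hexdigest()
        self.trajectory[sha256].append((self.device, path, event))
        disposition = self.cloud.lookup(sha256)
        if disposition == UNKNOWN:
            self.cloud.submit_for_sandbox(sha256, content)   # whole file goes to sandbox
        elif disposition == MALWARE:
            self.alerts.append(("block", sha256, path))       # immediate block
        return disposition

    def retrospective(self, changed_hashes):
        """File Retrospection: a hash seen earlier as Unknown is now Malware,
        so every recorded sighting of it becomes an alert."""
        for sha256 in changed_hashes:
            if self.cloud.lookup(sha256) == MALWARE:
                for _device, path, _event in self.trajectory[sha256]:
                    self.alerts.append(("retrospective", sha256, path))


def demo():
    """Runs three constructed file events and returns (d1, d2, d3, alerts)."""
    known_bad = b"EVIL dropper"
    cloud = AmpCloudSim({
        hashlib.sha256(b"notepad").hexdigest(): CLEAN,
        hashlib.sha256(known_bad).hexdigest(): MALWARE,
    })
    conn = AmpConnectorSim(cloud, "host-1")
    d1 = conn.on_file_event(r"C:\Windows\notepad.exe", b"notepad", "execute")          # Clean
    d2 = conn.on_file_event(r"C:\Users\a\Downloads\x.exe", known_bad, "copy")           # Malware, blocked
    d3 = conn.on_file_event(r"C:\Users\a\Downloads\y.exe", b"EVIL new variant", "execute")  # Unknown
    changed = cloud.run_sandbox()     # sandbox flips y.exe to Malware
    conn.retrospective(changed)       # and the earlier execution is alerted on
    return d1, d2, d3, conn.alerts


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The point to notice is the last alert: y.exe was allowed to execute while its disposition was Unknown, and only the later sandbox verdict turned that sighting into a retrospective alert. That is the window a real deployment narrows by tuning what gets submitted for sandboxing.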
8. Name the 3 AMP for Endpoints Components
AMP Cloud (Malware definitions are stored here, and file scanning for AMP clients is done here. It also logs file and process activity for devices running the AMP connector, which allows for File Trajectory and Device Trajectory. CSI, Cisco Cognitive Security Intelligence, is where the various malware detection and analytics engines reside.)
Intelligence sources (such as Talos)
AMP Client Connectors (The client itself that runs on devices and connects the device to the AMP cloud. The AMP connector can run on Windows, Mac, Linux, and Android.)
9. Explain AMP for Endpoints Connector Components (very detailed)
Immunet Protect Driver (Main driver, primarily used to inspect file I/O to identify files being copied or executed)
Immunet Network Driver (Associates network traffic with the applications generating it; certain applications require further inspection)
Immunet Self-Protect Driver (Protects the connector installation from being tampered with by users or processes)
iptray.exe (process for the GUI)
sfc.exe (process for cloud communications, including SHA-256 hashes, SPERO feature prints, and ETHOS hashes)
10. What actions can AMP for Endpoints take if suspicious behavior is detected?
Block network connections or processes based on custom IP/application blacklists (blocklists).
11. Can AMP integrate with AnyConnect?
Yes, AMP for Endpoints can be deployed to devices running AnyConnect by using the AMP Enabler add-on for AnyConnect.
12. What are the protection "engines" used by AMP for Endpoints?
One-to-One Signatures (exact hash matches against known files)
Ethos (fuzzy fingerprinting; static or passive heuristics, so variants of known malware can still match)
Spero (machine learning that looks for malicious behaviours and characteristics not previously seen; active heuristics)
TETRA (A full client-side antivirus engine that can scan on the device itself.)
Device Flow Correlation (Monitors network connections and filters them based on reputation data, URL logging, etc.)
Exploit Prevention (A memory-protection technique that works somewhat like NAT for RAM: AMP relocates the memory regions that exploit code expects to find at static addresses, then monitors what tries to access the old locations. The old addresses act as a decoy, so attempts to use them, such as remote code execution exploits, can be caught.)
Dynamic Analysis (Sandboxing, like ThreatGrid.)
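Questions 10 and 12 describe Device Flow Correlation as the network driver tying each connection to the process that made it and then filtering on custom IP and application lists. The following is an added example for these notes, not Cisco's engine: the flow records, the CIDR blocklist and the application blocklist are constructed, and the decision logic is the simplest form of the idea (application match first, then longest-prefix style CIDR containment).

```python
"""Constructed Device Flow Correlation example: associate each flow with its
originating process, then block on a custom IP/CIDR blocklist or a custom
application blocklist. Example code for these notes, not Cisco's engine;
all records and lists are made up."""
import ipaddress

# Constructed custom blocklists (question 10: "custom IP/application blacklists").
IP_BLOCKLIST = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.7/32")]
APP_BLOCKLIST = {"torrent.exe", "mimikatz.exe"}

# Constructed flow records as a network driver might report them:
# pid, process image, destination IP, destination port
FLOWS = """\
4120,chrome.exe,93.184.216.34,443
5200,torrent.exe,192.0.2.9,6881
6011,svchost.exe,203.0.113.88,80
7302,powershell.exe,198.51.100.7,4444
"""


def parse_flows(text):
    """Parse the CSV-style records into dicts with typed fields."""
    flows = []
    for line in text.strip().splitlines():
        pid, image, dst, port = line.split(",")
        flows.append({"pid": int(pid), "image": image,
                      "dst": ipaddress.ip_address(dst), "port": int(port)})
    return flows


def evaluate(flow):
    """Return (action, reason) for one flow.
    The application the flow is correlated with is checked first, then the
    destination against each blocked network (CIDR containment)."""
    if flow["image"].lower() in APP_BLOCKLIST:
        return ("block", "application blocklist")
    for net in IP_BLOCKLIST:
        if flow["dst"] in net:
            return ("block", f"ip blocklist {net}")
    return ("allow", "no match")


def run(text=FLOWS):
    """Evaluate every flow; returns [(pid, image, action, reason), ...]."""
    return [(f["pid"], f["image"], *evaluate(f)) for f in parse_flows(text)]


if __name__ == "__main__":
    for row in run():
        print(row)
```

Only the chrome.exe flow is allowed; torrent.exe is stopped by the application list regardless of destination, and the svchost.exe and powershell.exe flows are stopped by the destination lists even though those images are legitimate. That split, process identity versus destination reputation, is exactly why the connector needs the network driver to attribute traffic to a process rather than filtering on addresses alone.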
13. What does the AMP for Endpoints Inbox report show?
Shows compromised computers that require manual intervention.
14. What does AMP for Endpoints Clarity Dashboard show?
