250 438 August 2019 PDF

Symantec DLP practice questions with answers

250-438.Antony.premium.exam.

70q

Number: 250-438
Passing Score: 800
Time Limit: 120 min
File Version: 1.1

antony | august 2019

250-438

Administration of Symantec Data Loss Prevention 15

Version 1.1
Exam A

QUESTION 1
How should a DLP administrator change a policy so that it retains the original file when an endpoint incident
has detected a “copy to USB device” operation?

A. Add a “Limit Incident Data Retention” response rule with “Retain Original Message” option selected.
B. Modify the agent config.db to include the file
C. Modify the “Endpoint_Retain_Files.int” setting in the Endpoint server configuration
D. Modify the agent configuration and select the option “Retain Original Files”

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 2
What is the correct configuration for “BoxMonitor.Channels” that will allow the server to start as a
Network Monitor server?

A. Packet Capture, Span Port
B. Packet Capture, Network Tap
C. Packet Capture, Copy Rule
D. Packet capture, Network Monitor

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Reference: https://support.symantec.com/en_US/article.TECH218980.html

QUESTION 3
Under the “System Overview” in the Enforce management console, the status of a Network Monitor
detection server is shown as “Running Selected.” The Network Monitor server’s event logs indicate that the
packet capture and filereader processes are crashing.

What is a possible cause for the Network Monitor server being in this state?

A. There is insufficient disk space on the Network Monitor server.
B. The Network Monitor server’s certificate is corrupt or missing.
C. The Network Monitor server’s license file has expired.
D. The Enforce and Network Monitor servers are running different versions of DLP.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 4
Which two Infrastructure-as-a-Service providers are supported for hosting Cloud Prevent for Office 365?
(Choose two.)

A. Any customer-hosted private cloud
B. Amazon Web Services
C. AT&T
D. Verizon
E. Rackspace

Correct Answer: BE
Section: (none)
Explanation

Explanation/Reference:
Reference: https://symwisedownload.symantec.com//resources/sites/SYMWISE/content/live/DOCUMENTATION/8000/DOC8244/en_US/Symantec_DLP_15.0_Cloud_Prevent_O365.pdf?__gda__=1554430310_584ffada3918e15ced8b6483a2bfb6fb (14)

QUESTION 5
A DLP administrator has enabled and successfully tested custom attribute lookups for incident data based
on the Active Directory LDAP plugin. The Chief Information Security Officer (CISO) has attempted to
generate a User Risk Summary report, but the report is empty. The DLP administrator confirms the CISO’s
role has the “User Reporting” privilege enabled, but User Risk reporting is still not working.

What is the probable reason that the User Risk Summary report is blank?

A. Only DLP administrators are permitted to access and view data for high risk users.
B. The Enforce server has insufficient permissions for importing user attributes.
C. User attribute data must be configured separately from incident data attributes.
D. User attributes have been incorrectly mapped to Active Directory accounts.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 6
How should a DLP administrator exclude a custom endpoint application named “custom_app.exe” from
being monitored by Application File Access Control?

A. Add “custom_app.exe” to the “Application Whitelist” on all Endpoint servers.
B. Add “custom_app.exe” to the Application Monitoring Configuration and de-select all its channel options.
C. Add “custom_app.exe” as a filename exception to the Endpoint Prevent policy.
D. Add “custom_app.exe” to the “Program Exclusion List” in the agent configuration settings.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Reference: https://docs.mcafee.com/bundle/data-loss-prevention-11.0.400-product-guide-epolicy-orchestrator/page/GUID-0F81A895-0A46-4FF8-A869-0365D6620185.html

QUESTION 7
A software company wants to protect its source code, including new source code created between
scheduled indexing runs.

Which detection method should the company use to meet this requirement?

A. Exact Data Matching (EDM)
B. Described Content Matching (DCM)
C. Vector Machine Learning (VML)
D. Indexed Document Matching (IDM)

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Reference: https://help.symantec.com/cs/DLP15.0/DLP/v100774847_v120691346/Scheduling-remote-indexing?locale=EN_US

QUESTION 8
What are two reasons an administrator should utilize a manual configuration to determine the endpoint
location? (Choose two.)

A. To specify Wi-Fi SSID names
B. To specify an IP address or range
C. To specify the endpoint server
D. To specify domain names
E. To specify network card status (ON/OFF)

Correct Answer: BD
Section: (none)
Explanation

Explanation/Reference:
Reference: https://help.symantec.com/cs/dlp15.1/DLP/v18349332_v125428396/Setting-the-endpoint-location?locale=EN_US

QUESTION 9
What detection server is used for Network Discover, Network Protect, and Cloud Storage?

A. Network Protect Storage Discover
B. Network Discover/Cloud Storage Discover
C. Network Prevent/Cloud Detection Service
D. Network Protect/Cloud Detection Service

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Reference: https://help.symantec.com/cs/dlp15.0/DLP/v16110606_v120691346/Modifying-the-Network-Discover-Cloud-Storage-Discover-Server-configuration?locale=EN_US

QUESTION 10
Which product is able to replace a confidential document residing on a file share with a marker file
explaining why the document was removed?

A. Network Discover
B. Cloud Service for Email
C. Endpoint Prevent
D. Network Protect

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Reference: https://help.symantec.com/cs/dlp15.1/DLP/v15600645_v125428396/Configuring-Network-Protect-for-file-shares?locale=EN_US

QUESTION 11
Which two locations can Symantec DLP scan and perform Information Centric Encryption (ICE) actions on?
(Choose two.)

A. Exchange
B. Jiveon
C. File store
D. SharePoint
E. Confluence

Correct Answer: CD
Section: (none)
Explanation

Explanation/Reference:
Reference: https://www.symantec.com/content/dam/symantec/docs/data-sheets/information-centric-encryption-en.pdf

QUESTION 12
Which detection method depends on “training sets”?

A. Form Recognition
B. Vector Machine Learning (VML)
C. Indexed Document Matching (IDM)
D. Exact Data Matching (EDM)

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Reference: http://eval.symantec.com/mktginfo/enterprise/white_papers/b-dlp_machine_learning.WP_en-us.pdf

QUESTION 13
Which action should a DLP administrator take to secure communications between an on-premises Enforce
server and detection servers hosted in the Cloud?

A. Use the built-in Symantec DLP certificate for the Enforce Server, and use the “sslkeytool” utility to create
certificates for the detection servers.
B. Use the built-in Symantec DLP certificate for both the Enforce server and the hosted detection servers.
C. Set up a Virtual Private Network (VPN) for the Enforce server and the hosted detection servers.
D. Use the “sslkeytool” utility to create certificates for the Enforce server and the hosted detection servers.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Reference: https://www.symantec.com/connect/articles/sslkeytool-utility-and-server-certificates

QUESTION 14
Which option correctly describes the two-tier installation type for Symantec DLP?

A. Install the Oracle database on the host, and install the Enforce server and a detection server on a second
host.
B. Install the Oracle database on a local physical host, and install the Enforce server and detection servers
on virtual hosts in the Cloud.
C. Install the Oracle database and a detection server in the same host, and install the Enforce server on a
second host.
D. Install the Oracle database and Enforce server on the same host, and install detection servers on
separate hosts.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Reference: https://www.symantec.com/connect/forums/deployment-enforce-and-detection-servers

QUESTION 15
Which two detection technology options run on the DLP agent? (Choose two.)

A. Optical Character Recognition (OCR)
B. Described Content Matching (DCM)
C. Directory Group Matching (DGM)
D. Form Recognition
E. Indexed Document Matching (IDM)

Correct Answer: BE
Section: (none)
Explanation

Explanation/Reference:

QUESTION 16
A DLP administrator has added several approved endpoint devices as exceptions to an Endpoint Prevent
policy that blocks the transfer of sensitive data. However, data transfers to these devices are still being
blocked.

What is the first action an administrator should take to enable data transfers to the approved endpoint
devices?

A. Disable and re-enable the Endpoint Prevent policy to activate the changes
B. Double-check that the correct device ID or class has been entered for each device
C. Verify Application File Access Control (AFAC) is configured to monitor the specific application
D. Edit the exception rule to ensure that the “Match On” option is set to “Attachments”

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 17
What is the default fallback option for the Endpoint Prevent Encrypt response rule?

A. Block
B. User Cancel
C. Encrypt
D. Notify

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 18
Which two components can perform a file system scan of a workstation? (Choose two.)

A. Endpoint Server
B. DLP Agent
C. Network Prevent for Web Server
D. Discover Server
E. Enforce Server

Correct Answer: BD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 19
Which channel does Endpoint Prevent protect using Device Control?

A. Bluetooth
B. USB storage
C. CD/DVD
D. Network card

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Reference: https://support.symantec.com/en_US/article.HOWTO80865.html#v36651044

QUESTION 20
A divisional executive requests a report of all incidents generated by a particular region, summarized by
department.

What does the DLP administrator need to configure to generate this report?

A. Custom attributes
B. Status attributes
C. Sender attributes
D. User attributes

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 21
A DLP administrator needs to stop the PacketCapture process on a detection server. Upon inspection of the
Server Detail page, the administrator discovers that all processes are missing from the display.

Why are the processes missing from the Server Detail page display?

A. The Display Process Control setting on the Advanced Settings page is disabled.
B. The Advanced Process Control setting on the System Settings page is deselected.
C. The detection server Display Control Process option is disabled on the Server Detail page.
D. The detection server PacketCapture process is displayed on the Server Overview page.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Reference: https://support.symantec.com/content/unifiedweb/en_US/article.TECH220250.html

QUESTION 22
What detection technology supports partial contents matching?

A. Indexed Document Matching (IDM)
B. Described Content Matching (DCM)
C. Exact Data Matching (EDM)
D. Optical Character Recognition (OCR)

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Reference: https://help.symantec.com/cs/dlp15.1/DLP/v115965297_v125428396/Mac-agent-detection-technologies?locale=EN_US

QUESTION 23
What is Application Detection Configuration?

A. The Cloud Detection Service (CDS) process that tells Enforce a policy has been violated
B. The Data Loss Prevention (DLP) policy which has been pushed into Cloud Detection Service (CDS) for
files in transit to or residing in Cloud apps
C. The terminology describing the Data Loss Prevention (DLP) process within the CloudSOC administration
portal
D. The setting configured within the user interface (UI) that determines whether CloudSOC should send a
file to Cloud Detection Service (CDS) for analysis.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Reference: https://help.symantec.com/cs/DLP15.0/DLP/v119805091_v120691346/About-Application-Detection%7CSymantec%EF%BF%BD-Data-Loss-Prevention-15.0?locale=EN_US

QUESTION 24
What detection method utilizes Data Identifiers?

A. Indexed Document Matching (IDM)
B. Described Content Matching (DCM)
C. Directory Group Matching (DGM)
D. Exact Data Matching (EDM)

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Reference: https://www.symantec.com/connect/forums/edm-policy-exception

QUESTION 25
When managing an Endpoint Discover scan, a DLP administrator notices some endpoint computers are
NOT completing their scans.

When does the DLP agent stop scanning?

A. When the agent sends a report within the “Scan Idle Timeout” period
B. When the endpoint computer is rebooted and the agent is started
C. When the agent is unable to send a status report within the “Scan Idle Timeout” period
D. When the agent sends a report immediately after the “Scan Idle Timeout” period

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 26
Which two detection servers are available as virtual appliances? (Choose two.)

A. Network Monitor
B. Network Prevent for Web
C. Network Discover
D. Network Prevent for Email
E. Optical Character Recognition (OCR)

Correct Answer: BD
Section: (none)
Explanation

Explanation/Reference:
Reference: https://help.symantec.com/cs/dlp15.0/DLP/v123002905_v120691346/About-DLP-Appliances?locale=EN_US

QUESTION 27
A company needs to secure the content of all Mergers and Acquisitions Agreements. However, the standard
text included in all company literature needs to be excluded.

How should the company ensure that this standard text is excluded from detection?

A. Create a Whitelisted.txt file after creating the Vector Machine Learning (VML) profile.
B. Create a Whitelisted.txt file after creating the Exact Data Matching (EDM) profile
C. Create a Whitelisted.txt file before creating the Indexed Document Matching (IDM) profile
D. Create a Whitelisted.txt file before creating the Exact Data Matching (EDM) profile

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Reference: https://help.symantec.com/cs/dlp15.0/DLP/v27161240_v120691346/White-listing-file-contents-to-exclude-from-partial-matching?locale=EN_US

QUESTION 28
Which server target uses the “Automated Incident Remediation Tracking” feature in Symantec DLP?

A. Exchange
B. File System
C. Lotus Notes
D. SharePoint

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Reference: https://help.symantec.com/cs/DLP15.0/DLP/v83981880_v120691346/Troubleshooting-automated-incident-remediation-tracking?locale=EN_US

QUESTION 29
An administrator is unable to log in to the Enforce management console as “sysadmin”. Symantec DLP is
configured to use Active Directory authentication. The administrator is a member of two roles: “sysadmin”
and “remediator.”

How should the administrator log in to the Enforce console with the “sysadmin” role?

A. sysadmin\username
B. sysadmin\username@domain
C. domain\username
D. username\sysadmin

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 30
Which tool must a DLP administrator run to certify the database prior to upgrading DLP?

A. Lob_Tablespace Reclamation Tool
B. Upgrade Readiness Tool
C. SymDiag
D. EnforceMigrationUtility

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Reference: https://support.symantec.com/en_US/article.DOC10667.html

QUESTION 31
What is the correct order for data in motion when a customer has integrated their CloudSOC and DLP
solutions?

A. User > CloudSOC Gatelet > DLP Cloud Detection Service > Application
B. User > Enforce > Application
C. User > Enforce > CloudSOC > Application
D. User > CloudSOC Gatelet > Enforce > Application

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 32
Refer to the exhibit.

What activity should occur during the baseline phase, according to the risk reduction model?

A. Define and build the incident response team
B. Monitor incidents and tune the policy to reduce false positives
C. Establish business metrics and begin sending reports to business unit stakeholders
D. Test policies to ensure that blocking actions minimize business process disruptions

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 33
Which two DLP products support the new Optical Character Recognition (OCR) engine in Symantec DLP
15.0? (Choose two.)

A. Endpoint Prevent
B. Cloud Service for Email
C. Network Prevent for Email
D. Network Discover
E. Cloud Detection Service

Correct Answer: BC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 34
Which two actions are available for a “Network Prevent: Remove HTTP/HTTPS content” response rule
when the content is unable to be removed? (Choose two.)

A. Allow the content to be posted
B. Remove the content through FlexResponse
C. Block the content before posting
D. Encrypt the content before posting
E. Redirect the content to an alternative destination

Correct Answer: AE
Section: (none)
Explanation

Explanation/Reference:

QUESTION 35
Which two factors are common sources of data leakage where the main actor is a well-meaning insider?
(Choose two.)

A. An absence of a trained incident response team
B. A disgruntled employee for a job with a competitor
C. Merger and Acquisition activities
D. Lack of training and awareness
E. Broken business processes

Correct Answer: BD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 36
What is required on the Enforce server to communicate with the Symantec DLP database?

A. Port 8082 should be opened
B. CryptoMasterKey.properties file
C. Symbolic links to .dbf files
D. SQL*Plus Client

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Reference: https://www.symantec.com/connect/articles/three-tier-installation-dlp-product

QUESTION 37
Which option is an accurate use case for Information Centric Encryption (ICE)?

A. The ICE utility encrypts files matching DLP policy being copied from network share through use of
encryption keys.
B. The ICE utility encrypts files matching DLP policy being copied to removable storage through use of
encryption keys.
C. The ICE utility encrypts files matching DLP policy being copied to removable storage on an endpoint through
use of certificates.
D. The ICE utility encrypts files matching DLP policy being copied from network share through use of
certificates.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Reference: https://help.symantec.com/cs/ICE1.0/ICE/v126756321_v120576779/Using-ICE-with-Symantec-Data-Loss-Preventionabout_dlp?locale=EN_US

QUESTION 38
A DLP administrator is attempting to add a new Network Discover detection server from the Enforce
management console. However, the only available options are Network Monitor and Endpoint servers.

What should the administrator do to make the Network Discover option available?

A. Restart the Symantec DLP Controller service
B. Apply a new software license file from the Enforce console
C. Install a new Network Discover detection server
D. Restart the Vontu Monitor Service

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 39
A DLP administrator is testing Network Prevent for Web functionality. When the administrator posts a small
test file to a cloud storage website, no new incidents are reported.

What should the administrator do to allow incidents to be generated against this file?

A. Change the “Ignore requests Smaller Than” value to 1
B. Add the filename to the Inspect Content Type field
C. Change the “PacketCapture.DISCARD_HTTP_GET” value to “false”
D. Uncheck trial mode under the ICAP tab

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Reference: https://help.symantec.com/cs/dlp15.0/DLP/id-SF0B0161467_v120691346/Configuring-Network-Prevent-for-Web-Server?locale=EN_US

QUESTION 40
A compliance officer needs to understand how the company is complying with its data security policies over
time.

Which report should the compliance officer generate to obtain the compliance information?

A. Policy report, filtered on date and summarized by policy
B. Policy Trend report, summarized by policy, then quarter
C. Policy report, filtered on quarter and summarized by policy
D. Policy Trend report, summarized by policy, then severity

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 41
A DLP administrator has performed a test deployment of the DLP 15.0 Endpoint agent and now wants to
uninstall the agent. However, the administrator no longer remembers the uninstall password.

What should the administrator do to work around the password problem?

A. Apply a new global agent uninstall password in the Enforce management console.
B. Manually delete all the Endpoint agent files from the test computer and install a new agent package.
C. Replace the PGPsdk.dll file on the agent’s assigned Endpoint server with a copy from a different
Endpoint server
D. Use the UninstallPwdGenerator to create an UninstallPasswordKey.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 42
A DLP administrator determines that the \SymantecDLP\Protect\Incidents folder on the Enforce
server contains .BAD files dated today, while other .IDC files are flowing in and out of the \Incidents
directory. Only .IDC files larger than 1MB are turning into .BAD files.

What could be causing only incident data smaller than 1MB to persist while incidents larger than 1MB
change to .BAD files?

A. A corrupted policy was deployed.
B. The Enforce server’s hard drive is out of space.
C. A detection server has excessive filereader restarts.
D. Tablespace is almost full.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 43
Which statement accurately describes where Optical Character Recognition (OCR) components must be
installed?

A. The OCR engine must be installed on detection server other than the Enforce server.
B. The OCR server software must be installed on one or more dedicated (non-detection) Linux servers.
C. The OCR engine must be directly on the Enforce server.
D. The OCR server software must be installed on one or more dedicated (non-detection) Windows servers.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Reference: https://help.symantec.com/cs/dlp15.0/DLP/v122760174_v120691346/Setting-up-OCR-Servers?locale=EN_US

QUESTION 44
DRAG DROP

What is the correct installation sequence for the components shown here, according to the Symantec
Installation Guide?

Place the options in the correct installation sequence.

Select and Place:


Correct Answer:

Section: (none)
Explanation

Explanation/Reference:

QUESTION 45
Which action is available for use in both Smart Response and Automated Response rules?

A. Log to a Syslog Server
B. Limit incident data retention
C. Modify SMTP message
D. Block email message

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 46
Which detection server is available from Symantec as a hardware appliance?

A. Network Prevent for Email
B. Network Discover
C. Network Monitor
D. Network Prevent for Web

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Reference: https://help.symantec.com/cs/dlp15.0/DLP/v122938258_v120691346/Setting-up-the-DLP-S500-Appliance?locale=EN_US

QUESTION 47
DRAG DROP

The Symantec Data Loss risk reduction approach has six stages.

Drag and drop the six correct risk reduction stages, in the proper order of occurrence, into the Occurrence column.

Select and Place:

Correct Answer:

Section: (none)
Explanation

Explanation/Reference:
Reference: https://www.slideshare.net/iftikhariqbal/symantec-data-loss-prevention-technical-proposal-general

QUESTION 48
An organization wants to restrict employees to copying files only to a specific set of USB thumb drives owned by
the organization.

Which detection method should the organization use to meet this requirement?

A. Exact Data Matching (EDM)
B. Indexed Document Matching (IDM)
C. Described Content Matching (DCM)
D. Vector Machine Learning (VML)

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 49
What detection server type requires a minimum of two physical network interface cards?

A. Network Prevent for Web
B. Network Prevent for Email
C. Network Monitor
D. Cloud Detection Service (CDS)

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 50
Refer to the exhibit. Which type of Endpoint response rule is shown?

A. Endpoint Prevent: User Notification
B. Endpoint Prevent: Block
C. Endpoint Prevent: Notify
D. Endpoint Prevent: User Cancel

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Reference: https://help.symantec.com/cs/dlp15.0/DLP/v27595430_v120691346/Configuring-the-Endpoint-Prevent:-Block-action?locale=EN_US

QUESTION 51
Why would an administrator set the Similarity Threshold to zero when testing and tuning a Vector Machine
Learning (VML) profile?

A. To capture the matches to the Positive set
B. To capture the matches to the Negative set
C. To see the false negatives only
D. To see the entire range of potential matches

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Reference: https://help.symantec.com/cs/dlp15.0/DLP/v45067125_v120691346/Adjusting-the-Similarity-Threshold?locale=EN_US

QUESTION 52
Which Network Prevent action takes place when the Network Incident list shows the message is “Modified”?

A. Remove attachments from an email
B. Obfuscate text in the body of an email
C. Add one or more SMTP headers to an email
D. Modify content from the body of an email

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 53
Which two technologies should an organization utilize for integration with the Network Prevent products?
(Choose two.)

A. Network Tap
B. Network Firewall
C. Proxy Server
D. Mail Transfer Agent
E. Encryption Appliance

Correct Answer: CD
Section: (none)
Explanation

Explanation/Reference:
Reference: https://www.symantec.com/connect/articles/network-prevent

QUESTION 54
A customer needs to integrate information from DLP incidents into external Governance, Risk and
Compliance dashboards.

Which feature should a third party component integrate with to provide dynamic reporting, create custom
incident remediation processes, or support business processes?

A. Export incidents using the CSV format
B. Incident Reporting and Update API
C. Incident Data Views
D. A Web incident extraction report

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 55
Which two detection technology options ONLY run on a detection server? (Choose two.)

A. Form Recognition
B. Indexed Document Matching (IDM)
C. Described Content Matching (DCM)
D. Exact Data Matching (EDM)
E. Vector Machine Learning (VML)

Correct Answer: BD
Section: (none)
Explanation

Explanation/Reference:
Reference: https://support.symantec.com/en_US/article.INFO5070.html

QUESTION 56
A DLP administrator needs to remove an agent and its associated events from an Endpoint server.

Which Agent Task should the administrator perform to disable the agent’s visibility in the Enforce
management console?

A. Delete action from the Agent Health dashboard
B. Delete action from the Agent List page
C. Disable action from Symantec Management Console
D. Change Endpoint Server action from the Agent Overview page

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 57
A company needs to implement Data Owner Exception so that incidents are avoided when employees send
or receive their own personal information.

What detection method should the company use?

A. Indexed Document Matching (IDM)
B. Vector Machine Learning (VML)
C. Exact Data Matching (EDM)
D. Described Content Matching (DCM)

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Reference: https://help.symantec.com/cs/dlp15.5/DLP/v40148006_v128674454/About-Data-Owner-Exception?locale=EN_US

QUESTION 58
What should an incident responder select in the Enforce management console to remediate multiple
incidents simultaneously?

A. Smart Response on the Incident page
B. Automated Response on the Incident Snapshot page
C. Smart Response on an Incident List report
D. Automated Response on an Incident List report

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 59
Why is it important for an administrator to utilize the grid scan feature?

A. To distribute the scan workload across multiple network discover servers
B. To distribute the scan workload across the cloud servers
C. To distribute the scan workload across multiple endpoint servers
D. To distribute the scan workload across multiple detection servers

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
If you plan to use the grid scanning feature to distribute the scanning workload across multiple detection
servers, retain the default value (1).

QUESTION 60
Which two Network Discover/Cloud Storage targets apply Information Centric Encryption as policy response
rules?

A. Microsoft Exchange
B. Windows File System
C. SQL Databases
D. Microsoft SharePoint
E. Network File System (NFS)

Correct Answer: AD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 61
What detection technology supports partial row matching?

A. Vector Machine Learning (VML)
B. Indexed Document Matching (IDM)
C. Described Content Matching (DCM)
D. Exact Data Matching (EDM)

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Reference: https://www.slideshare.net/iftikhariqbal/technology-overview-symantec-data-loss-prevention-dlp

QUESTION 62
A DLP administrator is checking the System Overview in the Enforce management console, and all of the
detection servers are showing as "unknown". The Vontu services are up and running on the detection
servers. Thousands of .IDC files are building up in the Incidents directory on the detection servers. There is
good network connectivity between the detection servers and the Enforce server when testing with the telnet
command.

How should the administrator bring the detection servers to a running state in the Enforce management
console?

A. Restart the Vontu Update Service on the Enforce server
B. Ensure the Vontu Monitor Controller service is running in the Enforce server
C. Delete all of the .BAD files in the Incidents folder on the Enforce server
D. Restart the Vontu Monitor Service on all the affected detection servers

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
A detection server writes each incident to a .IDC file and waits for the Vontu Monitor Controller on the Enforce server
to collect it. When that service is down, Enforce cannot poll the servers (hence "unknown") and incident files pile up
on the detection servers even though the network path is fine. The detection-server services and the .BAD files are
not the cause, so restarting or deleting them does not help.

QUESTION 63
A DLP administrator created a new agent configuration for an Endpoint server. However, the endpoint
agents fail to receive the new configuration.

What is one possible reason that the agent fails to receive the new configuration?

A. The new agent configuration was saved but not applied to any endpoint groups.
B. The new agent configuration was copied and modified from the default agent configuration.
C. The default agent configuration must be disabled before the new configuration can take effect.
D. The Endpoint server needs to be recycled so that the new agent configuration can take effect.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Saving an agent configuration only stores it. It takes effect once it is applied to one or more agent groups; the
agents in those groups then pick it up on their next connection to the Endpoint server. Copying the default
configuration is the normal way to create a new one, the default does not need to be disabled, and no Endpoint server
restart is required.

QUESTION 64
A DLP administrator is preparing to install Symantec DLP and has been asked to use an Oracle database
provided by the Database Administration team.

Which SQL*Plus command should the administrator utilize to determine if the database is using a
supported version of Oracle?

A. select database version from <database name>;
B. select * from db$version;
C. select * from v$version;
D. select db$ver from <database name>;

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
v$version is the Oracle dynamic performance view that returns the version banner of the database and its components;
the other options are not valid Oracle objects. Compare the banner against the Oracle versions listed as supported for
the DLP release being installed.
Reference: https://www.symantec.com/connect/forums/new-install-oracle-returns-error

QUESTION 65
How do Cloud Detection Service and the Enforce server communicate with each other?

A. Enforce initiates communication with Cloud Detection Service, which is expecting connections on port
8100.
B. Cloud Detection Service initiates communication with Enforce, which is expecting connections on port
443.
C. Cloud Detection Service initiates communication with Enforce, which is expecting connections on port
1443.
D. Enforce initiates communication with Cloud Detection Service, which is expecting connections on port
443.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Enforce opens the outbound HTTPS connection to the Cloud Detection Service on port 443 (through a proxy if one is
configured). No inbound port has to be opened on the Enforce server for the cloud service.

QUESTION 66
Which service encrypts the message when using a Modify SMTP Message response rule?

A. Network Monitor server
B. SMTP Prevent
C. Enforce server
D. Encryption Gateway

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Network Prevent for Email does not encrypt anything itself. The Modify SMTP Message action only alters the message
(for example by adding a header or tagging the subject), and the downstream encryption gateway in the mail path acts on
that marker and performs the encryption.
Reference: https://www.symantec.com/connect/articles/network-prevent

QUESTION 67
Where should an administrator set the debug levels for an Endpoint Agent?

A. Setting the log level within the Agent List
B. Advanced configuration within the Agent settings
C. Setting the log level within the Agent Overview
D. Advanced server settings within the Endpoint server

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Reference: https://support.symantec.com/en_US/article.TECH248581.html

QUESTION 68
Which two automated response rules will be active in policies that include an Exact Data Matching (EDM)
detection rule? (Choose two.)

A. Endpoint Discover: Quarantine File
B. All: Send Email Notification
C. Endpoint Prevent: User Cancel
D. Endpoint Prevent: Block
E. Network Protect: Quarantine File

Correct Answer: AD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 69
Where in the Enforce management console can a DLP administrator change the "UI.NO_SCAN.int" setting
to disable the "Inspecting data" pop-up?

A. Advanced Server Settings from the Endpoint Server Configuration
B. Advanced Monitoring from the Agent Configuration
C. Advanced Agent Settings from the Agent Configuration
D. Application Monitoring from the Agent Configuration

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Reference: https://www.symantec.com/connect/forums/dlp-pop-examining-content

QUESTION 70
What is the Symantec recommended order for stopping Symantec DLP services on a Windows Enforce
server?

A. Vontu Notifier, Vontu Incident Persister, Vontu Update, Vontu Manager, Vontu Monitor Controller
B. Vontu Update, Vontu Notifier, Vontu Manager, Vontu Incident Persister, Vontu Monitor Controller
C. Vontu Incident Persister, Vontu Update, Vontu Notifier, Vontu Monitor Controller, Vontu Manager
D. Vontu Monitor Controller, Vontu Incident Persister, Vontu Manager, Vontu Notifier, Vontu Update

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Reference: https://help.symantec.com/cs/dlp15.1/DLP/v23042736_v125428396/Stopping-an-Enforce-Server-on-Windows?locale=EN_US
