
250-441 Administration of Symantec Advanced Threat Protection 3.0 Questions and Answers

Question 4

Which level of privilege corresponds to each ATP account type?

Match the correct account type to the corresponding privileges.

[Figure: 250-441 Question 4 matching diagram]

Options:

Question 5

Which two widgets can an Incident Responder use to isolate breached endpoints from the Incident details page? (Choose two.)

Options:

A. Affected Endpoints
B. Dashboard
C. Incident Graph
D. Events View
E. Actions Bar

Question 6

Why is it important for an Incident Responder to copy malicious files to the ATP file store or create an image of the infected system during the Recovery phase?

Options:

A. To have a copy of the file policy enforcement
B. To test the effectiveness of the current assigned policy settings in the Symantec Endpoint Protection Manager (SEPM)
C. To create custom IPS signatures
D. To document and preserve any pieces of evidence associated with the incident

Question 7

Which attribute is required when configuring the Symantec Endpoint Protection Manager (SEPM) Log Collector?

Options:

A. SEPM embedded database name
B. SEPM embedded database type
C. SEPM embedded database version
D. SEPM embedded database password

Question 8

An Incident Responder has noticed that for the last month, the same endpoints have been involved with malicious traffic every few days. The network team also identified a large amount of bandwidth being used over P2P protocol.

Which two steps should the Incident Responder take to restrict the endpoints while maintaining normal use of the systems? (Choose two.)

Options:

A. Report the users to their manager for unauthorized usage of company resources
B. Blacklist the domains and IP associated with the malicious traffic
C. Isolate the endpoints
D. Blacklist the endpoints
E. Find and blacklist the P2P client application

Question 9

An Incident Responder has reviewed a STIX report and now wants to ensure that their systems have NOT been compromised by any of the reported threats.

Which two objects in the STIX report will ATP search against? (Choose two.)

Options:

A. SHA-256 hash
B. MD5 hash
C. MAC address
D. SHA-1 hash
E. Registry entry

Question 10

Which Advanced Threat Protection (ATP) component best isolates an infected computer from the network?

Options:

A. ATP: Email
B. ATP: Endpoint
C. ATP: Network
D. ATP: Roaming

Question 11

An ATP Administrator set up ATP: Network in TAP mode and has placed URLs on the blacklist.

What will happen when a user attempts to access one of the blacklisted URLs?

Options:

A. Access to the website is blocked by the network scanner but an event is NOT generated
B. Access to the website is blocked by the network scanner and a network event is generated
C. Access to the website is allowed by the network scanner but blocked by ATP: Endpoint and an endpoint event is generated
D. Access to the website is allowed by the network scanner but a network event is generated

Question 12

What should an Incident Responder do to mitigate a false positive?

Options:

A. Add to Whitelist
B. Run an indicators of compromise (IOC) search
C. Submit to VirusTotal
D. Submit to Cynic

Question 13

During a recent virus outbreak, an Incident Responder found that the Incident Response team was successful in identifying malicious domains that were communicating with the infected endpoint.

Which two options should the Incident Responder select to prevent endpoints from communicating with malicious domains? (Choose two.)

Options:

A. Use the isolation command in ATP to move the endpoint to the quarantine network.
B. Blacklist the suspicious domain in the ATP manager.
C. Deploy a high-security Antivirus and Antispyware policy in the Symantec Endpoint Protection Manager (SEPM).
D. Create a firewall rule in the Symantec Endpoint Protection Manager (SEPM) or perimeter firewall that blocks traffic to the domain.
E. Run a full system scan on all endpoints.

Question 14

An organization recently deployed ATP and integrated it with the existing SEP environment. During an outbreak, the Incident Response team used ATP to isolate several infected endpoints. However, one of the endpoints could NOT be isolated.

Which SEP protection technology is required in order to use the Isolate and Rejoin features in ATP?

Options:

A. Intrusion Prevention
B. Firewall
C. SONAR
D. Application and Device Control

Question 15

Malware is currently spreading through an organization’s network. An Incident Responder sees some detections in SEP, but there is NOT an apparent relationship between them.

How should the responder look for the source of the infection using ATP?

Options:

A. Check the file hash for each detection
B. Isolate a system and collect a sample
C. Submit the hash to VirusTotal
D. Check if the threats are downloaded from the same domain or IP by looking at incidents

Question 16

An Incident Responder observes an incident with multiple malware downloads from a malicious domain. The domain in question belongs to one of the organization’s suppliers. The organization needs access to the site to continue placing orders. ATP: Network is configured in Inline Block mode.

How should the Incident Responder proceed?

Options:

A. Whitelist the domain and close the incident as a false positive
B. Identify the pieces of malware and blacklist them, then notify the supplier
C. Blacklist the domain and IP of the attacking site
D. Notify the supplier and block the site on the external firewall

Question 17

An Incident Responder wants to investigate whether msscrt.pdf resides on any systems.

Which search query and type should the responder run?

Options:

A. Database search filename “msscrt.pdf”
B. Database search msscrt.pdf
C. Endpoint search filename like msscrt.pdf
D. Endpoint search filename =“msscrt.pdf”

Question 18

Which two tasks should an Incident Responder complete when recovering from an incident? (Choose two.)

Options:

A. Rejoin healthy endpoints back to the network
B. Blacklist any suspicious files found in the environment
C. Submit any suspicious files to Cynic
D. Isolate infected endpoints to a quarantine network
E. Delete threat artifacts from the environment

Question 19

An Incident Responder wants to run a database search that will list all clients whose names start with SYM.

Which syntax should the responder use?

Options:

A. hostname like “SYM”
B. hostname “SYM”
C. hostname “SYM*”
D. hostname like “SYM*”

Question 20

Which two actions should an Incident Responder take when downloading files from the ATP file store? (Choose two.)

Options:

A. Analyze suspicious code with Cynic
B. Email the files to Symantec Technical Support
C. Double-click to open the files
D. Diagnose the files as a threat based on the file names
E. Submit the files to Security Response

Question 21

What is the main constraint an ATP Administrator should consider when choosing a network scanner model?

Options:

A. Throughput
B. Bandwidth
C. Link speed
D. Number of users

Question 22

An Incident Responder needs to remediate a group of endpoints but also wants to copy a potentially suspicious file to the ATP file store.

In which scenario should the Incident Responder copy a suspicious file to the ATP file store?

Options:

A. The responder needs to analyze it with Cynic
B. The responder needs to isolate it from the network
C. The responder needs to write firewall rules
D. The responder needs to add the file to a whitelist

Question 23

What impact does changing from Inline Block to SPAN/TAP mode have on blacklisting in ATP?

Options:

A. ATP will continue to block previously blacklisted addresses but NOT new ones.
B. ATP does NOT block access to blacklisted addresses unless block mode is enabled.
C. ATP will clear the existing blacklists.
D. ATP does NOT block access to blacklisted addresses unless TAP mode is enabled.

Question 24

Which final steps should an Incident Responder take before using ATP to rejoin a remediated endpoint to the network, according to Symantec best practices?

Options:

A. Run an additional antivirus scan with the latest definitions. If the scan comes back as clean, rejoin the computer to the production network.
B. Run Windows Update to patch the system with the latest service pack. Once the system is up-to-date, rejoin the computer to the production network.
C. Use SymDiag to run a Threat Scan Analysis on the machine. Once the analysis comes back as clean, rejoin the computer to the production network.
D. Upgrade the client to the latest version of SEP. Once the client is upgraded, rejoin the computer to the production network.

Question 25

Which threat is an example of an Advanced Persistent Threat (APT)?

Options:

A. ILOVEYOU
B. Conficker
C. MyDoom
D. GhostNet

Question 26

Which SEP technologies are used by ATP to enforce the blacklisting of files?

Options:

A. Application and Device Control
B. SONAR and Bloodhound
C. System Lockdown and Download Insight
D. Intrusion Prevention and Browser Intrusion Prevention

Question 27

Which two user roles allow an Incident Responder to blacklist or whitelist files using the ATP manager? (Choose two.)

Options:

A. Administrator
B. Controller
C. User
D. Incident Responder
E. Root

Question 28

A large company has 150,000 endpoints with 12 SEP sites across the globe. The company now wants to implement ATP: Endpoint to improve their security. However, a consultant recently explained that the company needs to implement more than one ATP manager.

Why does the company need more than one ATP manager?

Options:

A. An ATP manager can only connect to a SQL backend
B. An ATP manager can only support 30,000 SEP clients
C. An ATP manager can only support 10 SEP site connections
D. An ATP manager needs to be installed at each location where a Symantec Endpoint Protection Manager (SEPM) is located

Exam Code: 250-441
Exam Name: Administration of Symantec Advanced Threat Protection 3.0
Last Update: Apr 30, 2026
Questions: 96
