exam. Number: Passing Score: 800 Time Limit: 120 min File Version: CHECKPOINT

Size: px

Start display at page:

Download "exam. Number: Passing Score: 800 Time Limit: 120 min File Version: CHECKPOINT"

Delilah Woods
6 years ago
Views:

1 exam Number: Passing Score: 800 Time Limit: 120 min File Version: 1.0 CHECKPOINT Check Point Accredited Sandblast Administrator Version 1.0

2 Exam A QUESTION 1 Regarding a proper Threat Emulation sizing for an environment with 1000 users for web and traffic which assumptions are correct? unique files per day within SMTP/S unique files per day within HTTP/S unique files per day within SMTP/S unique files per day within HTTP/s A. 1 and 2 are correct B. 1 and 3 are correct C. 1 and 4 are correct D. 2 and 3 are correct Correct Answer: A /Reference: QUESTION 2 Which command do you use to monitor the current status of the emulation queue? A. tecli show emulator queue B. tecli show emulator emulations C.tecli show emulator queue size D.tecli show emulation emu Correct Answer: B /Reference:

3 QUESTION 3 Which Blades of the SandBlast Agent are used for remediation? A. DLP and Compliance blades B. Anti-Bot blade and Threat Emulation blades C. Forensics and Threat Emulation blades D. Threat Emulation and Threat Extraction Blades /Reference: QUESTION 4 What s the password for the encrypted malicious file available via the Threat Emulation forensics report? A. malicious B. forensics C. password D. infected /Reference: QUESTION 5 When running the Threat Emulation first time wizard, which of these is NOT an option for file analysis location? A. ThreatCloud Emulation Service B. tecli advanced remote C. Locally on this Threat Emulation Appliance D. Other Threat Emulation Appliance

4 Correct Answer: B /Reference: QUESTION 6 A Threat Extraction license is always bundled with Threat Emulation. A. False they can be purchased separately. B. True it is part of the NGTX license. C. True it is part of the NGTP and EBP license. D. False Threat extraction is part of the basic NGFW license. Correct Answer: A /Reference: QUESTION 7 What attack vectors are protected by using the SandBlast Agent? A. Mail, Web, Office 365 B. Outside the office, removable media, lateral movement C. Office 365, Outside of the office, removable media, lateral movement D. , Lateral movement, Removable media, encrypted channels Correct Answer: B

5 /Reference: QUESTION 8 How can the SandBlast Agent protect against encrypted archives? A. The SandBlast Agent cannot protect from an encrypted malware. B. Since to open the encrypted archive the user must know the password, once opened and the writing to the disk has begun. the SandBlast Agent will immediately scan the file. C. Password protected archive file is opened via brute force and dictionary attack. Once file is open the SandBlast Agent can scan it and send it to emulation. D. Only if the administrator has added a special password file and the password that is used for the archive is part of the password list on the file. Correct Answer: D /Reference: QUESTION 9 What Mail Transfer Agent is used with SandBlast? A. Exchange B. Check Point C. Postfix D. Sendmail /Reference: QUESTION 10 How can CPU Level Emulation detect ROP? A. Locate a CPU flow buffer with mismatch between called and returned addresses. B. Increased CPU temperature.

6 C. Wrong order in the ROP Gadgets Dictionary. D. It is detected as soon as the evasion code runs and injects the malicious code into a legitimate process. Correct Answer: A /Reference: QUESTION 11 What are the deployment methods available with the SandBlast Agent? Choose the BEST answer. A. Using GPO or SCCM to deploy the deployment agent. B. Using Configure SandBlast Agent to collaborate with Emulation and Ant-Virus solutions update to upgrade and install the SandBlast Agent. C. Using both GPO or SCCM for deployment agent and End Point management to push the Agent. D. Manually installing on every station. /Reference: QUESTION 12 Which feature do you enable to allow the gateway to participate in flow and therefore hold mails and strip malicious attachment if found? A. MTA B. EMT C. SME D. MIV

7 Correct Answer: A /Reference: QUESTION 13 Can several gateways send files to one SandBlast appliance? A. Yes, if they are managed by the same SmartCenter/Domain. B. Yes, from R C. No, only one GW can send files to a SandBlast appliance. D. No, SandBlast appliance does not support HA or LB. Correct Answer: B /Reference: QUESTION 14 You have enabled Antivirus to scan all traffic passing through your Check Point gateway. With the default settings your Antivirus will scan all traffic in streaming mode. For certain file types you would like to enable a mode that will collect the entire file before scanning. This enables you to inspect archives. What is this functionality called? A. Deep scan B. Inspect C. Threatspect D. CPU Level scan Correct Answer: A /Reference: QUESTION 15

8 Why should you use a Mail Transfer Agent when configuring Prevent/Hold-mode? 1. TE inspection in streaming mode can cause the sending mail server not to send any additional s until the emulation of the prior is completed. 2. TE inspection in Mail Transfer Agent mode will accept all valid incoming s before inspection. 3. It will allow the to reach the user while at the same time be sent for Dynamic Analysis. 4. There is no Mail Transfer Agent mode for Threat Emulation, only for Anti-Spam. A. 2 and 4 are correct B. 2 and 3 are correct C. 1 and 2 are correct D. All are correct /Reference: QUESTION 16 What is a ROP Gadgets Dictionary? A. Lookup table used by CPU Level Emulation to detect malware B. A generated stack of return addresses C. Feature sets which can be used to discover the true meaning of the code D. List of commonly used passwords Correct Answer: B /Reference: QUESTION 17 What kind of approach or approaches will Check Point SandBlast apply to prevent MALICIOUS DOCUMENTS?

9 A. Whitelist and Exploit B. Blacklist/machine learning C. Signature D. Exploit Correct Answer: D /Reference: QUESTION 18 What are the given options for remediation? 1. Remediation script 2. Auto remediation 3. Using Threat Emulation to block and remove the infected file 4. Use the locally installed Anti-Virus to perform a complete system scan A. 3 and 4 B. 2 and 3 C. 1 and 4 D. 1 and 2 Correct Answer: D /Reference: QUESTION 19 Select the true statement about Threat Emulation Open Server appliances. A. Supports custom images without any special requirement. B. No requirement to enable VT (Hardware Virtualization). C. Only Cloud emulation service is supported on an open platform.

10 D. Threat Extraction is not supported on an open platform. /Reference: QUESTION 20 Anti-Bot uses the following detection/prevention features: 1. Reputation lookup of DNS/IP/URL access 2. Dynamic analysis for Bots 3. Outbound SPAM 4. Bot behavior signatures A. 1, 2, and 3 B. 1, 3 and 4 C. 1 and 3 D. 2 and 3 Correct Answer: B /Reference:

SandBlast Agent FAQ Check Point Software Technologies Ltd. All rights reserved P. 1. [Internal Use] for Check Point employees

SandBlast Agent FAQ Check Point Software Technologies Ltd. All rights reserved P. 1. [Internal Use] for Check Point employees SandBlast Agent FAQ What is Check Point SandBlast Agent? Check Point SandBlast Agent defends endpoints and web browsers with a complete set of realtime advanced browser and endpoint protection technologies,