Want to pass your Administration of Symantec Advanced Threat Protection 3.0 250-441 exam in the very first attempt? Try Pass2lead! It is equally effective for both starters and IT professionals.
An Incident Responder observes an incident with multiple malware downloads from a malicious domain. The domain in question belongs to one of the organization's suppliers. The organization needs access to the site to continue placing orders. ATP: Network is configured in Inline Block mode.
How should the Incident Responder proceed?
A. Whitelist the domain and close the incident as a false positive
B. Identify the pieces of malware and blacklist them, then notify the supplier
C. Blacklist the domain and IP of the attacking site
D. Notify the supplier and block the site on the external firewall
Which two steps must an Incident Responder take to isolate an infected computer in ATP? (Choose two.)
A. Close any open shares
B. Identify the threat and understand how it spreads
C. Create subnets or VLANs and configure the network devices to restrict traffic
D. Set executables on network drives as read only
E. Identify affected clients
ATP detects a threat phoning home to a command and control server and creates a new incident. The threat is NOT being detected by SEP, but the Incident Response team conducted an indicators of compromise (IOC) search for the machines that are contacting the malicious sites to gather more information.
Which step should the Incident Response team incorporate into their plan of action?
A. Perform a health check of ATP
B. Create firewall rules in the Symantec Endpoint Protection Manager (SEPM) and the perimeter firewall
C. Use ATP to isolate non-SEP protected computers to a remediation VLAN
D. Rejoin the endpoints back to the network after completing a final virus scan