ST0-135 Symantec Network Access Control 12 Technical Exam Set 5

What is a characteristic of a custom requirement template?


Options are :

  • It is enabled from the properties tab of the policy manager. (Incorrect)
  • It is added to the advanced settings tab in a Host Integrity policy.
  • It is added to the requirements tab in a Host Integrity policy. (Correct)
  • It is assigned from the Clients tab by organizational group.

Answer : It is added to the requirements tab in a Host Integrity policy.

An organization wants to block endpoints at the network ingress from communicating with internal resources unless an antivirus application and a firewall application are running. The organization will also offer a download location for the Symantec Endpoint Protection client if the required security applications are missing. The client should also automatically be sent to the download location when attempting to browse to a website if the required security applications are missing on the endpoint. Which solution should be used?


Options are :

  • Deploy an Integrated Enforcer that will give the clients an IP address that will be in the same subnet as the remediation resources.
  • Deploy a LAN Enforcer along with a remediation VLAN that has access to the remediation resources.
  • Deploy a Gateway Enforcer that automatically redirects clients to a custom website with links to both the On-Demand client and remediation resources. (Correct)
  • Deploy a LAN Enforcer that will redirect clients that do not have any of the required security applications to a website with the remediation resources.

Answer : Deploy a Gateway Enforcer that automatically redirects clients to a custom website with links to both the On-Demand client and remediation resources.

Where is failover configured to ensure LAN Enforcer High Availability?


Options are :

  • on the 802.1x aware switch (Correct)
  • on the LAN Enforcers
  • on the Radius server
  • on the Symantec Endpoint Protection Manager

Answer : on the 802.1x aware switch

An organization applies a Host Integrity policy that runs a custom script to check for an application patch for its proprietary accounting software. The Help Desk technician receives reports from the accounting department that at regular intervals a command prompt appears briefly on users' desktops and then disappears. What is the most likely cause?


Options are :

  • In the "Maximum waiting time for the program to complete" setting, "Do not wait" is selected.
  • In the custom requirement section, "Run the program in logged-in user context" is selected.
  • In the Host Integrity policy advanced settings, "Show verbose Host Integrity logging" is selected.
  • In the custom requirement section, "Show a new process window" is selected. (Correct)

Answer : In the custom requirement section, "Show a new process window" is selected.

What is the appropriate sequence of steps to deploy a template Host Integrity requirement?


Options are :

  • Configure Policy > Configure Options > Apply Policy
  • Import Policy > Configure Policy > Apply Policy (Correct)
  • Create Policy > Configure Policy > Apply Policy
  • Download Policy > Configure Policy > Apply Policy

Answer : Import Policy > Configure Policy > Apply Policy

An organization plans to install Symantec Network Access Control into an existing Symantec Endpoint Protection deployment. The primary goal of this is to prevent access to the internal network for both managed and unmanaged systems until a system has been validated to meet the organization's basic security and configuration requirements. The proposed design specifications call for:

  • Single LAN Enforcer
  • Unmanaged systems that will use the Network Access Control On-Demand client
  • Managed systems that will use the Symantec Endpoint Protection client
  • Use of the Self-enforcement method to achieve the primary goal

Why does this plan fail to meet the primary goal?


Options are :

  • Self-enforcement uses Network Lockdown to restrict network access, while the On-Demand client uses the Firewall.
  • Self-enforcement uses the Firewall to restrict network access, while the On-Demand client uses the Gateway Enforcer. (Correct)
  • Self-enforcement uses the DHCP policy to restrict network access, while the On-Demand client uses the LAN Enforcer.
  • Self-enforcement uses Device Control to restrict network access, while the On-Demand client uses DHCP Enforcement.

Answer : Self-enforcement uses the Firewall to restrict network access, while the On-Demand client uses the Gateway Enforcer.

An organization needs a Symantec Network Access Control solution that will ensure an endpoint is compliant with Host Integrity policy before granting access to the organization's production network. In addition to the LAN Enforcer, which two items are required to meet the requirements? (Select two.)


Options are :

  • Symantec Endpoint Protection Manager (Correct)
  • ACLs and a firewall enabled in the Enforcer
  • 802.1x capable switch (Correct)
  • Central Quarantine server
  • remote access device

Answer : Symantec Endpoint Protection Manager; 802.1x capable switch

Which command can be issued from the command line interface to restart the Enforcer appliance?


Options are :

  • restart
  • shutdown
  • reboot (Correct)
  • init 0

Answer : reboot

An organization's security policy permits senior management members to defer Host Integrity remediation for up to four hours after logging in. Which two tasks should the administrator perform to ensure complete compliance with the security requirement? (Select two.)


Options are :

  • Place senior management members in a Symantec Endpoint Protection group with inheritance turned off. (Correct)
  • Configure all Host Integrity checks to defer remediation
  • Define location awareness for senior management members' LAN(s).
  • Enable exceptions for senior management members' Organizational Unit.
  • Properly set Remediation Dialog Options. (Correct)

Answer : Place senior management members in a Symantec Endpoint Protection group with inheritance turned off; Properly set Remediation Dialog Options.

An organization needs to run a customer saved script using a Host Integrity policy. Which variable should the administrator use to execute the script?


Options are :

  • %F% (Correct)
  • %script%
  • $NameOfScript where NameOfScript = the name of the script
  • $PathToScript where PathToScript = the location of the script

Answer : %F%

What is the first step to troubleshoot a custom requirement in a Host Integrity policy?


Options are :

  • Run the Host Integrity check on a similar system
  • Examine the logic structure of the conditions. (Correct)
  • Check the properties of the endpoint from the client's page.
  • Examine the Security Compliance summary reports.

Answer : Examine the logic structure of the conditions.

By default, what is the baud rate for a serial connection when connecting to an Enforcer appliance?


Options are :

  • 57600
  • 2400
  • 9600 (Correct)
  • 19200

Answer : 9600

In addition to 802.1x Port Based Access Control, what is required from the switch configuration when creating a Quarantine VLAN environment for LAN Enforcement?


Options are :

  • Link Layer Discovery Protocol (LLDP)
  • Power over Ethernet (PoE)
  • VLAN Trunking Protocol
  • Dynamic VLAN Switching (Correct)

Answer : Dynamic VLAN Switching

An organization needs a Symantec Network Access Control solution that will ensure an endpoint is compliant with Host Integrity policy and that Active Directory credentials are checked before granting access to the organization's production network. When configuring the switch for 802.1x enforcement, which system should the administrator specify as providing RADIUS authentication services?


Options are :

  • Microsoft Active Directory Domain Controller
  • Symantec Endpoint Protection Manager
  • Symantec LAN Enforcer (Correct)
  • Third Party LDAP Directory Server

Answer : Symantec LAN Enforcer

How many separate enforcement modes can be configured from a 6100 Enforcer?


Options are :

  • 3
  • 1
  • 4
  • 2 (Correct)

Answer : 2

When a client location changes, how long does it take the client to retrieve and evaluate the existing Host Integrity policy assigned to the location?


Options are :

  • The client retrieves the Host Integrity policy during the next heartbeat and immediately evaluates the policy.
  • The client immediately retrieves the Host Integrity policy from the management server and immediately evaluates the policy.
  • The client has the Host Integrity policy cached and immediately evaluates the policy. (Correct)
  • The client retrieves the Host Integrity policy during the next heartbeat and runs the evaluation as specified.

Answer : The client has the Host Integrity policy cached and immediately evaluates the policy.

Which two are characteristics of the Gateway Enforcer? (Select two.)


Options are :

  • uses UDP 39999 to query the client about its Host Integrity result (Correct)
  • enables network administrators to create white lists that depend on MAC Addresses
  • looks up username and password from Symantec Endpoint Protection Manager
  • enables the download of the On-Demand agent through an HTTP redirect (Correct)
  • checks all clients as they move both inbound and outbound of a protected network

Answer : uses UDP 39999 to query the client about its Host Integrity result; enables the download of the On-Demand agent through an HTTP redirect

Lifeline Supply Company initiated a staged migration process from Symantec Antivirus Corporate Edition (SAVCE) 10.1 to Symantec Network Access Control. During the migration, the IT administrator wants to generate reports from the Symantec Network Access Control Manager (SEPM) on the clients that have been migrated and gather reporting information from the SAVCE 10.1 clients. Which two actions must be completed in order to gather the reporting information? (Choose two.)


Options are :

  • provide the IP addresses or DNS names of the reporting servers to the SEPM
  • migrate the SAVCE reporting database using the Migration and Deployment Wizard
  • configure the SEPM to receive Symantec Antivirus version 10.x log files (Correct)
  • provide the IP address or DNS name for the Symantec System Center through the SEPM
  • configure Reporting Server under Reporting Configurations in the Symantec System Center (Correct)
  • migrate the SAVCE reporting servers using the Migration and Deployment Wizard

Answer : configure the SEPM to receive Symantec Antivirus version 10.x log files; configure Reporting Server under Reporting Configurations in the Symantec System Center

An organization's security policy requires Host Integrity checking only when laptops are connected to the production network. Which task should be performed to comply with the security policy requirement?


Options are :

  • Set Host Integrity policy requirements to "Only do Host Integrity checking through the Gateway or DHCP Enforcer".
  • Set Location Communication Setting Heartbeat to desired interval.
  • Set Communication Settings Heartbeat to desired interval in Client group policy settings
  • Set Host Integrity requirements to "Only do Host Integrity checking when connected to the management server". (Correct)

Answer : Set Host Integrity requirements to "Only do Host Integrity checking when connected to the management server".

What is the purpose of the secure workstation templates in their default configuration?


Options are :

  • check and enforce the proper application of endpoint computer policy
  • check and enforce specific Symantec Endpoint Protection policies
  • check and enforce specific predefined requirement logic
  • check and enforce various system configuration settings on endpoint systems (Correct)

Answer : check and enforce various system configuration settings on endpoint systems

Which three policies are created when you migrate from Symantec AntiVirus Corporate Edition (SAVCE)? (Choose three.)


Options are :

  • Application and Device Control
  • LiveUpdate (Correct)
  • Antivirus and Antispyware (Correct)
  • Centralized Exceptions (Correct)
  • Intrusion Prevention

Answer : LiveUpdate; Antivirus and Antispyware; Centralized Exceptions

An organization's remediation process requires the installation of custom software. During the installation process the system prompts the user for input. What can the administrator do to ensure the remediation process completes if a user is logged out?


Options are :

  • Ensure the remediation has a reasonable time-out specified.
  • Set Host Integrity requirements to "Only do Host Integrity checking when logged in".
  • Use a predefined template that checks for any logged-in users.
  • Create a custom requirement to run the installation in logged-in user context. (Correct)

Answer : Create a custom requirement to run the installation in logged-in user context.

Lifeline Supply Company employs 900 individuals at their location. Their data center is running Microsoft Exchange 2007 and an Oracle database. They are currently running different versions of Symantec Antivirus Corporate Edition managed through the Symantec System Center. They plan to migrate to Symantec Network Access Control and the IT director has to consider cost to benefit ratios given budgetary restrictions. Which site design best fits this company's cost to benefit ratio requirements?


Options are :

  • single site design with the embedded database and multiple Symantec Network Access Control Managers
  • single site design with one Microsoft SQL database and multiple Symantec Network Access Control Managers
  • single site design with the embedded database and one Symantec Network Access Control Manager (Correct)
  • single site design with clustered Microsoft SQL databases and multiple Symantec Network Access Control Managers

Answer : single site design with the embedded database and one Symantec Network Access Control Manager

An administrator for an organization that uses a PPTP VPN for Network Address Translation is configuring the On-Demand feature. What does the administrator need to do to the Enforcer configuration to enable downloading of the On-Demand clients through the VPN device?


Options are :

  • Add a static route to the Enforcer, using the IP and netmask of the address pool that the VPN device assigns to clients. (Correct)
  • Configure the Trusted Internal IP Address Range, making sure to enable the client to communicate with the RADIUS/IAS server.
  • Configure the On-Demand HTTPS download feature.
  • Add the firewall and VPN devices to the MAC Address Bypass list on the Enforcer.

Answer : Add a static route to the Enforcer, using the IP and netmask of the address pool that the VPN device assigns to clients.

Where is the Enforcer group defined?


Options are :

  • in the Symantec Endpoint Protection Manager Console under the Global group
  • in the Enforcer "Initial Configuration" wizard
  • in the Enforcer command line interface (Correct)
  • in the Symantec Endpoint Protection Manager Console under the Server tab

Answer : in the Enforcer command line interface

To enforce Host Integrity policies when using the Self-enforcement model, where is the "Quarantine policies when host integrity fails" setting located in the Symantec Endpoint Protection Manager?


Options are :

  • Clients page > Policies tab > Location-specific Policies and Settings > Quarantine (Correct)
  • Virus and Spyware Protection Policy > Quarantine > Advanced Options
  • Clients page > Clients tab > Quarantine > Location-specific Policies and Settings
  • Virus and Spyware Protection Policy > Advanced Options > Quarantine

Answer : Clients page > Policies tab > Location-specific Policies and Settings > Quarantine

Which enforcer command verifies there is a connection between the Symantec Endpoint Protection Manager and the Enforcer if the Gateway Enforcer is missing from the Symantec Endpoint Protection Management Console?


Options are :

  • show connection
  • show status (Correct)
  • show sepm
  • show debug

Answer : show status

An organization's administrator has deployed Symantec Network Access Control to every workstation in its network. The organization needs to perform an inventory of the version of a particular application to determine if it is up to date. If it is out of date, a patch needs to be installed. What should the administrator use to accomplish this?


Options are :

  • a custom Host Integrity policy (Correct)
  • the "PatchLink" template check
  • a custom firewall rule to monitor for the application's fingerprint
  • an Application and Device Control policy

Answer : a custom Host Integrity policy

Which two features are available only when multiple Symantec Network Access Control Managers are deployed? (Choose two.)


Options are :

  • failover (Correct)
  • increased server security
  • quarantine collection
  • load balancing (Correct)
  • data compression

Answer : failover; load balancing

Which command can be issued from the command line interface to run the Enforcer service?


Options are :

  • start (Correct)
  • runenforcer
  • startenforcer
  • run

Answer : start
