CCES Flashcards

1
Q

SmartEndpoint combines what elements into a package?

A

Data
Network
Remote Access
Threat

2
Q

SmartEndpoint allows access control over what?

A

Company data
Attacks
Zero Day threats

3
Q

Admins can perform what tasks in SmartEndpoint?

A
  • Centrally monitor, manage, and enforce user- and machine-based company policy
  • Quickly deploy protections for users
  • Customize policies
  • Monitor end user devices for malicious software
  • Control access to corporate data and apps
  • Protect sensitive data from viruses and threats on the web and in attachments
  • Perform risk assessment to ensure compliance
  • Inform about and remediate attacks on end user machines
  • View and report security events
4
Q

How does SmartEndpoint communicate with the SmartEndpoint management server?

A

SIC

5
Q

How does the endpoint security management server communicate with clients?

A

HTTP/HTTPS

6
Q

What are the main components of a SmartEndpoint deployment?

A
  1. SmartEndpoint
  2. Endpoint management server
  3. Endpoint clients
7
Q

The Endpoint Security database houses what?

A
Policy
User and computer data
Management data
Licenses
AD node objects
8
Q

What is the default communication interval between the client and the management server?

A

60 seconds

9
Q

What 2 components make up the endpoint agent?

A

Agent

DA Framework

10
Q

What are the activities performed by the endpoint client?

A

Communication
Deployment
EMON state info
Updating files and Drivers

11
Q

What does the DA framework do?

A

Policy activation / updating

Log collection

12
Q

What functions does the SmartEndpoint management interface provide?

A

Deployment
Monitoring
Configuration of endpoint clients
Manage policies

13
Q

What are the 3 main components of an Endpoint security environment?

A
  1. Endpoint management server
  2. SmartEndpoint
  3. Endpoint Clients
14
Q

How does the security management server work in the environment?

A

The Endpoint SMS contains the security software and the database.

The server communicates with the endpoint to manage policies and update protections.

15
Q

SmartEndpoint Management has 5 tabs, what are they?

A
Overview
Policy
Users and Computers
Reporting
Deployment
16
Q

The deployment tab shows what information?

A

Security Summary
Active Alerts (10 Minute Update)
Security Status

17
Q

The policy tab shows

A

A collection of security rules. This includes the default rules (which cannot be deleted).

18
Q

The users and computers tab shows?

A

Hierarchical tree of the organization

Review of the status of the current blade

19
Q

The reports tab shows?

A

Pre-defined reports

20
Q

The deployment tab shows?

A

Create deployment rules and manage packages

21
Q

What does the endpoint firewall blade do?

A

Controls inbound and outbound traffic

22
Q

What does the URL filtering blade do?

A

Limits and blocks access to websites by

  • category
  • user
  • group
23
Q

What does the Anti-Malware blade do?

A

Signature-based detection (scans all files accessed) of:
Viruses
Spyware
Trojans

24
Q

What do the data security blades do?

A
  1. Capsule Docs: Protects, tracks and restricts access to business documents
  2. FDE: Encrypts storage and provides access protection (pre-boot protection)
  3. Media & Port Protection: Strong encryption for USB, CD/DVD/SD
25
What does the SandBlast Agent do?
Zero Day: Anti-bot, Ransomware, Threat Extraction & Threat Emulation
26
What are the 3 licenses required for endpoint deployment?
  1. Mgmt
  2. Container
  3. Software blade
27
What features does the management license component include?
Policy management, Logging & status, User directory
28
Container license components
FW, AppCtl, Compliance (annual or perpetual)
29
Do you have to license each blade that you want to provide to a client?
Yes
30
In what places can you add/remove licenses?
  1. SmartUpdate
  2. Gaia
  3. CLI
  4. cpconfig
31
How do you recoup licenses from stale machines?
Delete the client computers
32
What are the 5 areas of the users and computers tab?
  1. All organization folder
  2. Global Action folder
  3. Favorites
  4. Blades Status
  5. Rule and status pane
33
What populates the directories node?
After the initial AD scan | **Objects can be part of AD and of the virtual groups
34
Where are objects that are not part of AD placed?
Other users & computers
35
How do you manage users?
Select from the tree, and then add blades and follow steps
36
Can anyone log into a computer with Endpoint?
No, only authorized pre-boot users can log into machines
37
What happens when you reset a client?
Removes license; deletes settings; FDE and Recovery are removed. **Must be reformatted before the machine can connect back to Endpoint.
38
Where can push operations be accomplished from?
Reporting | Global Actions
39
What things can be accomplished through push operations?
  • Anti-malware scans
  • Anti-malware updates
  • Restore files
  • SandBlast forensics and analysis
  • Restart / shutdown
40
Where is the initial client exported from in the console?
Deployment tab
41
What does the initial client do?
Provides communication, deployment, client state, policy and client status updates
42
Types of blade packages:
  • Master full: all blades
  • Master full without network protection: FDE & MEPP only
  • Master SBA: SandBlast with FW, Compliance, App protection
  • NEWDA: 32-bit initial client without blades (cannot be distributed via deployment rule)
43
How many packages are created when a new package is created?
  1. Desktop
  2. Laptop
**Done as laptops often have stricter policies
44
Does the client install interfere with normal user operation?
No | **FDE is an exception as it might require a reboot
45
What tab allows you to modify or upgrade protections?
Policy tab
46
Two methods of modification or upgrade
Deployment Rules or Exported package
47
How do you get a new version into the management server?
1. Download | 2. Upload
48
Do the client and blade package need to be upgraded at the same time?
Yes
49
How would you allow postponement of a client upgrade?
Client settings allow postponing the upgrade
50
Deployment rules characteristics
  1. Automatically download and install preconfigured client packages
  2. Deploy to individual or all nodes
  3. Policy needs to be installed for rules to apply
  4. Must do initial install before blade deployment
51
User Authentication settings are done in what tab in the console?
Reporting tab
52
What are the predefined actions in OneCheck?
  1. Use predefined Windows recommended password complexity
  2. Pre-boot password updates
  3. Temporary lock on failed attempts
  4. Use default login settings
  5. Allow remote help
53
What is pre-boot?
User must log in before the OS boots
54
What are the pre-boot authentication options?
  1. Passwords
  2. Smart cards
  3. Dynamic tokens
55
Why use FDE?
When machines are shared amongst users
56
How and what type of encryption does FDE use?
AES; the HDD is encrypted, but data is not.
57
What feature is used for FDE authentication?
OneCheck Logon policies manage FDE user logins and password security
58
When using AD, it is recommended to use which authentication components?
User Acquisition, OneCheck Logon, Password Sync (same creds, SSO login)
59
Is user acquisition enabled by default for FDE?
Yes | ***Requires users to log in and out to acquire pre-boot credentials
60
OneCheck Logon
SSO solution: VPN and FDE password sync
61
Password Sync
Pre-boot prevents the OS from booting until the user is authenticated
62
Can passwords be changed at pre-boot?
Yes, and the change is automatically sent to all computers the user is authorized to access at pre-boot.
63
Endpoint has monitoring built in for what?
Connection state, compliance, and other data on connected clients. Provides system-wide reporting or granular user and computer monitoring reports for compliance, activity, software, deployments, etc.
64
Name the 5 tabs in the SmartEndpoint GUI
  1. Overview
  2. Policy
  3. Users & Computers
  4. Reporting
  5. Deployment
65
What blades are included in the data protections for Endpoint?
FDE, MEPP, Capsule Docs, VPN
66
What licenses are required for Endpoint Security?
Mgmt, Blades, Container
67
Where are endpoint historic logs kept?
SmartConsole
68
What do OneCheck user settings define?
How users authenticate to Endpoint Security. More specifically, how a user logs into his/her computer and what happens with failed attempts.
69
ESM Components
  • SmartEndpoint
  • ESM blade
  • Endpoint blades
  • Endpoint DB
  • Directory Scanner
70
Installation methods for ESM
1. Standalone - with the network management server | 2. Distributed - helps ensure no hotfix upgrades
71
Things to watch out for during installation
  1. Network Security Management and SmartConsole must be installed
  2. AD structure can be replicated into the EMD DB
  3. AD scanner will require read-only AD permission
72
What port handles loopback for management and the AD scanner?
8080
73
What port handles encrypted client communication to the client server, FDE, and MEPP?
443
74
What port is used for SIC communications?
18190
75
Which port handles the SSL Gaia portal?
4434
76
What port handles the SOCKS proxy?
1080
77
What SK# provides all port access requirements?
SK52421
78
What component is required to incorporate AD users and computers?
AD Scanner
79
What type of information is captured by the AD scanner?
  1. OUs
  2. Users (not contacts)
  3. Computers
  4. Security groups
80
What are the polling intervals for the AD scanner?
2 minutes for the management server | AD refresh every 5 minutes
81
How many scanners are recommended per domain?
One; be sure not to duplicate scanned networks
82
What are the four types of client deployment and installation?
  1. Automatic deployment rules
  2. Package export and manual install
  3. CLI
  4. Third party tools (SCCM, GPO)
83
What are the steps for client install in an automatic deployment?
1. Automatic = manual install of the initial client and then deployment rules. **Deployment log: %programdata%\checkpoint\Endpoint Security
84
How do you install the endpoint client manually?
Export the package (via third party, file share, email) using the Deployment tab: Create/change deployment tab > packages for export. Run EPI.MSI as administrator. CLI: msiexec /i EPS.msi. Install log: %temp%\MSIXXXX.log
85
How do you uninstall the endpoint client?
Same as all other Windows programs, but admin access is needed. **Make sure to remove it from the console after you are done to free up licenses.
86
How do you install endpoint client on the Mac
Manual only way possible install, expand *.zip file and start the install
87
What third party tool is most commonly used to install the client in a Windows environment?
SCCM/GPO
88
What type of information is in the endpoint client GUI?
  1. Overview of protections on the machine
  2. Client update status and scan info
  3. Allows users to request updates and view scans
  4. Policies and log info on the Advanced tab
89
Client Settings Policy does what?
Default settings for the entire org, for the below settings:
  A. General UI settings
  B. Log & alert confirms
  C. Install and upgrade settings
  D. Network protections
  E. Local deployment options
  F. Data sharing options
90
What types of remote connection options (VPN) are available?
IPsec, SSL VPN, Mobile Access
91
Where does the VPN license reside?
Network management server
92
What do access zones do?
They define trusted and untrusted networks
93
Where can VPN settings be defined?
1. Compliance policy | 2. Advanced Deployment options (this is where sites are created)
94
Are VPN settings part of the automatic client deployment?
No
95
You can have compliance checks run before an individual can access VPN. What two types of policy checking can be defined
Endpoint Security compliance = uses the Endpoint Security policy | VPN SCV compliance = forces security compliance with org policies
96
What is the client authentication process for?
Process of identifying the client machine and the person working on it. 2 modes: Authenticated (recommended for live environments), Unauthenticated (insecure, uses IP, should only be used in a lab)
97
How do you enable strong authentication?
Based on Kerberos; the user must be in AD | **Need to run ktpass.exe to create a keytab file > this will then be used to set up the authentication connection type
98
Where are client logs stored?
On the endpoint device
99
What type of security is used between the management server?
TLSv1 & TLSv2 certificate-based key
100
What type of communication is used between the Endpoint Security server and other CP products?
SIC + Certificate
101
When does a client check for updates?
  • Startup
  • Heartbeat response
  • Client component changes
  • Installation state changes
102
What is the AD scanner and how does it work?
Scans AD and copies the org chart into Endpoint
103
What are the four ways to install Endpoint?
  1. Automatic
  2. Manual
  3. CLI
  4. Third party
104
What are the two VPN client authentication actions which can be enforced when verification fails?
Endpoint Security Compliance | VPN SCV Compliance
105
How do Endpoint Security servers communicate with other CP servers?
SIC + Certificates
106
What does the policy server do?
  • Houses the log server
  • Manages client communication
  • Improves performance (decreases load on the ESM)
107
How many policy servers should you have in each remote site?
One
108
What are the steps in installing a log server?
  1. Create a new object in SmartDashboard
  2. Enable the EPM, Logging and Status blades on the object
  3. Push policy and install database
  4. Then add the new policy server (menu: Management > Endpoint Servers > New)
109
What type of communication does the policy server respond to?
Heartbeat, Sync, Policy downloads, Malware updates. **The client will connect to the server that is closest, so between a policy server and the management server the client will choose the closest.
110
How can you tell which policy server a client is connected to?
Run the activity report; it will tell you which server the client is connected to
111
When does a new policy server sync?
Initial sync is done after it is configured and installed | Then the heartbeat keeps it in sync after the first
112
How many standby management servers are allowed?
One
113
Steps to create an HA management server
  1. Install new SMS server
  2. Enable network policy management
  3. Establish SIC between primary EMS and standby
  4. Install DB on secondary
  5. Wait for sync
  6. Enable endpoint management on second management
  7. Install DB
114
When failing over to the secondary EMS management, is it automatic?
No
115
What two manual activities are required on the secondary EMS?
1. packages | 2. Failover
116
When does the initial sync occur between primary and standby management servers?
After the policy server is configured and policy is installed
117
What type of data security can the endpoint client provide?
In transit, At rest, In use, Shared
118
What data security solutions are provided by the endpoint system?
  1. FDE
  2. MEPP
  3. Capsule Docs
  4. VPN
119
Features of FDE
  • Data at rest
  • Protects user data, OS files, temp and erased files
  • Combines OS boot protection with pre-boot auth
120
Features of MEPP
  • Data at rest
  • Controls and logs all endpoint port activity
  • Manages ports by blocking certain ports based on policy
121
Capsule Docs features
  • Data in use / shared
  • Allows access to and sharing of corp docs
  • Integrates with the Windows client
  • Audit trail in SmartView Tracker
122
Remote Access VPN features
In transit, at rest, in use, and shared
123
FDE Disk Encryption
To initiate, requires user authentication | Process runs in the background
124
What type of encryption is default and available for FDE?
  • AES 256 (default)
  • 3DES 168
  • Blowfish 255
  • CAST 128
  • XTS AES 128 & 256
  • EFI
125
Why is FDE pre-boot important?
  • Avoids unauthorized access to the disk by removing third party tools
  • Ensures user identity prior to booting into the data drive
  • Supports multi-factor
126
What are the FDE file components?
  • FDE Service (FDE_SRV.exe) - config, encryption and policy handling
  • Crypto Core (CCore32.bin) - encryption algorithms
  • Filter Driver (prot_2k.sys) - driver for encryption
  • FAT drives sector location
127
Gotchas for FDE
  • Need 32 MB contiguous space
  • No RAID
  • No hybrid drive with cache / compressed root file system
  • By default encrypts all visible drives
128
How do you start encrypting with FDE?
  1. Connect machine to management
  2. Download FDE policy
  3. Run through user acquisition
  4. Pre-boot user created
  5. Create 32 MB partition
  6. Recovery data sent to server
129
FDE Recovery options | Full recovery with recovery media
  • Recovery files are collected when initial FDE was established
  • As volumes are added or removed these activities are reflected in the recovery info
  • Removes encryption without removing Windows components
  • Restores the boot record
130
Where is the recovery media tool?
Client runs useRec.exe. Location: c:\program files\Checkpoint\endpoint security\full disk encryption. Run as an administrator.
131
FDE recovery options | Drive Slaving
  • Faster method of extracting files from a failed or encrypted drive
  • Dynamic Slave Utility
  • Access specific files on failed disks
  • Connect through USB
  • FDE auth is required
132
FDE recovery options | Drive Mount Utilities
FDE auth not required | Used to access data of an FDE drive without doing recovery.
133
How many types of media encryption are available in Endpoint?
2. Primary: basic config, customizable read/write permissions & exclusions. Advanced: authorization, logging, policy violation (global permissions)
134
What does Capsule Docs do?
Protects documents and controls access. Integrated with AD: when a doc is created the appropriate permissions are applied. 2 action types:
  - Primary = default encryption behavior, classification, and permissions
  - Advanced = granular permissions, applied at OU level
135
What does endpoint remote help provide?
Allows admins to help users regain access from MEPP or FDE
136
How many types of recovery help are offered by endpoint management?
2. Type 1: User logon pre-boot remote help (challenge-response procedure)
One-time login:
  * Allows bypassing pre-boot without resetting the password
  * Does not unlock their account
  * Use for lost smart cards and getting updates to clients
Remote password change:
  * Changes the user password at pre-boot
  * Bypasses pre-boot login
  * Will unlock the account
137
How many types of recovery help are offered by endpoint management?
2. Type 2: Media encryption remote help
  * Recovers removable media passwords remotely
  * User must be authorized to use the media
138
Is remote help enabled by default in the OneCheck policy?
Yes
139
What ways can you use recovery options?
1. Through SmartEndpoint | 2. Through the web portal
140
What is the address of the web portal for recovery?
HTTPS:///weary
141
Features of one-time logon
  • Bypasses pre-boot
  • Does not unlock account
  • Does not reset password
142
Features of remote password change
Change password | Unlock account
143
How do you enable remote help at the pre-boot screen?
Type in the username and hit Tab (this will show you the remote help options)
144
What types of attacks are targeting endpoint devices?
  A. APT (Advanced Persistent Threat): large scale, state sponsored, devastating damage, multi-surface
  B. Zero Day: targets unknown software vulnerabilities
  C. Bot attacks: remote control of the machine
  D. Ransomware
145
Is SandBlast Agent part of network SandBlast?
No
146
What are the advantages of SandBlast mobile?
  • Securing users outside the corp network
  • Protecting users who use removable media devices to share files
  • Blocking lateral threats
  • Detecting and preventing encrypted messages that bypass the security gateway
147
What does anti-bot do?
  • Searches for malicious outgoing traffic using threat intelligence (ThreatCloud)
  • Detects and blocks C&C attempts
  • Quarantines files as needed
148
What are anti-bot's actions and settings?
  • Scans and assigns a confidence level to bot traffic
  • Default (detects and logs all bots with high confidence)
  • Exclusion list = domains, processes, URLs, IPs
149
Is Anti-Malware signature based?
Yes
150
Features of anti-malware
  • Signature based
  • Definition updates come from the EMS, so connectivity must be maintained
  • Primary: scan scheduling
  • Advanced: fine-tune scan optimizations
151
Anti-Ransomware features
  • Continuous monitoring of client file operations
  • Monitors computer processes and looks for triggers
  • Behavioral Guard (detects and remediates all forms of malicious behavior)
  • Anti-Ransomware = quarantines infected files by deleting them and storing them in a safe location
  • Actions & Settings: actions are based on the threat's confidence level; exclusions are possible; needs 1 GB minimum disk storage
152
What is Threat Extraction?
Provides an immediate response to malicious content in files. This is done by removing suspicious elements, e.g. macros.
153
What is Threat Emulation?
Proactively detects zero-day threats. It sends the file to a sandbox (cloud or local) for emulation. Deep examination is also accomplished by monitoring individual files for compromise.
154
What does the inspection process look like?
  1. User downloads a malicious file
  2. SBA intercepts the file and sends it to the SandBlast service
  3. Sandbox performs emulation
  4. Extraction is already providing clean content
  5. If suspicious = quarantine
  6. If not suspicious, send to recipient
155
What are the two modes of enforcement in Threat Emulation?
Detect and alert | Block
156
What does anti-exploit accomplish?
Monitors for suspicious memory manipulation in running programs. It will shut down the exploited process when detected. Actions and Settings: Default = protect web downloads with emulation, use cloud, inspect everything, 10 MB emulation limit, add exclusions
157
What does the browser extension for SandBlast Agent do?
Captures downloads for threat extraction and emulation | Continually looks at client files in case of a crazy event.
158
Recommendation for deploying SBA
1. Vigorously test SBA with the software used by the organization, thus ensuring that once it is turned on the impact will be minimal.
Deployment options:
  - Default = use cloud for emulation
  - Or can leverage an appliance to be used locally
159
Why is a central log server a good idea?
Takes the load off the other assets in the deployment; easier to correlate events.
160
What software blades are included with SBA?
  1. Behavioral Guard
  2. Anti-Exploit
  3. Anti-Bot
  4. Anti-Ransomware
  5. Forensics
  6. Threat Extraction / Threat Emulation
161
Default length for saving quarantined SBA files?
90 days
162
What does the browser extension for Threat Emulation and Threat Extraction do?
Intercepts downloads and sends them for extraction and emulation
163
What type of reporting is provided by SandBlast Agent?
  1. Predefined reports
  2. Alerts
  3. System operations
  4. Monitor
  5. Audit
  6. Client install / deployment
164
What do alerts display?
Endpoint clients in violation of rules
165
What do push operations display?
Displays recent activities | Anti-malware scans and updates sent directly to clients without a policy install
166
What does compliance show?
Verifies compliance by software, OS updates, service packs, etc.
167
What does the activity report show?
Shows the current activity status of clients, policy servers, users, client connections and problems
168
What does software deployment show?
Deployment status, errors and policies
169
What does FDE show?
Encryption status and problematic clients
170
What does user authentication (OneCheck) show?
Pre-boot status, configured auth methods, last authentication
171
What does MEPP show?
Displays all device connection events for the last 14 days; reports all devices connected to clients
172
What does Anti-malware show?
Status of AM detections and results of updates for clients
173
What does anti-bot show?
AB status
174
What does license show?
License usage
175
What is the SmartEndpoint report structure?
  - Summary chart: visual overview of trends; can be exported to XLS, CSV, HTML, PDF
  - Endpoint list: detailed info for users and client machines; you can right-click on the client to adjust behavior or rule settings
176
How do you set up policy reports?
Scheduled in the ESM and generated as a CSV file:
  1. Execute cpstop
  2. Edit the $UEPMDIR/engine/conf/local.properties file
  3. Set time: #emon.scheduler,time
  4. Set max reports: #emon.scheduler.max.reports
  5. Enable report: #emon.scheduler.policy report=true
  6. Create new folder $fwdir/conf/smc_files
Consists of 2 fields:
  - General: user and client info
  - Policy: identified policy name and rule actions for each client
177
How do forensics reports get generated?
Automatically initiated upon detection of a triggered event, file, or malicious behavior. The report includes:
  - Entry point of the suspicious file
  - Affected files
  - Remediation efforts
  - Suspicious behavior resulting from the attack
  - Attack details
178
Name the diagnostic tool
CPinfo contains:
  - all files in the data directory
  - installation log
  - file version info
  - Registry values
  - GINA DLL
  - SMBIOS structure
  - installed applications
  - Windows partition list
  - FDE state
  - failures in the window encrypt/decrypt process
  - identifying which disks have failures
  - FDE client issues