CCES

Question 1

SmartEndpoint Combines what elements into package

Answer 1

Data
Network
Remote Access
Threat

Question 2

SmartEndpoint Allows access control over

Answer 2

Company data
Attacks
Zero Day threats

Question 3

Admins can perform what tasks in SmartEndpoint

Answer 3

• Centrally monitor, manage, and enforce user and machine based company policy
• Quickly deploy protections for users
• customize policies
• Monitor end user devices for malicious software
• Control access to corporate data and apps
• Protect sensitive data from virus and threats on the web and in attachements
• perform risk assessment to ensure compliance
• inform and remediate attacks on end user machines
• view and report security events

Question 4

How does SmartEndpoint communicate with SmartEndpoint management server

Answer 4

SIC

Question 5

How does the endpoint security management server communicate to clients.

Answer 5

Http/Https

Question 6

main components of a SmartEndpoint deployment

Answer 6

1. SmartEndpoint
2. Endpoint management server
3. Endpoint clients

Question 7

Endpoint security database houses

Answer 7

Policy
User and computer data
Mgmt data
Licenses
Ad node objects

Question 8

What is the default communication interval between client and mgmt server

Answer 8

60 seconds

Question 9

What 2 components make up the endpoint agent

Answer 9

Agent

DA Framework

Question 10

What are the activities performed by endpoint client

Answer 10

Communication
Deployment
EMON state info
Updating files and Drivers

Question 11

What does the DA framework do?

Answer 11

Policy activation / updating

Log collection

Question 12

What functions does the SmartEndpoint management interface

Answer 12

Deployment
Monitoring
Configuration endpoint clients
Manage policies

Question 13

What are the 3 main components of an Endpoint security environment?

Answer 13

1. Endpoint management server
2. SmartEndpoint
3. Endpoint Clients

Question 14

How does the security management server work in the environment

Answer 14

Endpoint SMS contains security software and database

The server communicates with the endpoint to manage policies and update protections.

Question 15

SmartEndpoint Management has 5 tabs, what are they?

Answer 15

Overview
Policy
User and Computers
Reporting
Deployment

Question 16

The deployment tab shows what information

Answer 16

Security Summary
Active Alerts (10 Minute Update)
Security Status

Question 17

The policy tab shows

Answer 17

Collection of security rules. This includes the default rules (cannot be deleted)

Question 18

The users and computers tab shows

Answer 18

Hierarchical Tree of organization

Review of the status of the current blade

Question 19

The reports tabs shows?

Answer 19

Pre-defined reports

Question 20

The deployment tab shows?

Answer 20

Create deployment rules and manage packages

Question 21

What does endpoint firewall blade do?

Answer 21

Controls inbound and outbound traffic

Question 22

What does the URL filtering blade do

Answer 22

Limits and blocks access to websites by

• category
• user
• group

Question 23

What’s does the Anti-Malware blade do?

Answer 23

Signature base for (scans all files accessed)
Viruses
Spyware
Trojans

Question 24

What does the data security blades do?

Answer 24

1. Capsule docs: Protects, track and restricts access to buisness doc
2. FDE Encrypt Storage and provides access protection (pre-boot protection)
3. Media & Port Protection: Strong encryption USB, CD/DVD/SD

Question 25

What does the sandblast agent do?

Answer 25

Zero Day:
Anti-bot
Ransomware
Threat Extraction & Threat Emulation

Question 26

What are the 3 licenses required for endpoint deployment

Answer 26

1. Mgmt
2. Container
3. Software blade

Question 27

What features does the management license components

Answer 27

Policy management
Logging & status
User directory

Question 28

Container license components

Answer 28

FW
Appctl
Compliance (annual or perpetual)

Question 29

Do you have to license each blade that you want to provide to a client

Answer 29

Yes

Question 30

What places can you add/remove licenses

Answer 30

1. Smart update
2. Gai
3. Colic
4. Cpconfig

Question 31

How do you recoup licenses from stale machines

Answer 31

Delete the client computers

Question 32

What are the 5 areas of the users and computers tab

Answer 32

1. All organization folder
2. Global Action folder
3. Favorites
4. Blades Status
5. Rule and status pane

Question 33

What populates the directories node

Answer 33

After the initial AD scan

**objects can be part of AD and the virtual groups

Question 34

Where are objects that are not part of AD places

Answer 34

Others users & computers

Question 35

How do you manage users

Answer 35

Select from the tree, and then add blades and follow steps

Question 36

Can anyone log into a computer with endpoint

Answer 36

No only authorized pre-boot users can log into machines

Question 37

What happens when you reset a client

Answer 37

Removes license
Deletes settings
FDE and Recovery are removed
**must be reformatted before can connect machine back to endpoint

Question 38

Where can push operations be accomplished from

Answer 38

Reporting

Global Actions

Question 39

What things can be accomplished through push operations

Answer 39

Anti-malware scans
Anti-malware updates
Restore Files
Sandblast forensics and analysis 
Restart /shutdown

Question 40

Where is the initial client exported from in the console

Answer 40

Deployment tab

Question 41

What does the initial client do?

Answer 41

Provides communication
Deployment
Client state
Policy and client status updates

Question 42

Types of blade packages:

Answer 42

Master full- all blades
Master full without network protection: FDE & MEPP only
Master SBA: Sandblast with FW, Compliance, App protection
NEWDA: 32 bit initial client without blades (cannot be distributed via deployment rule)

Question 43

How many packages are created when a new package created

Answer 43

1. Desktop
2. Laptop
   * *done as laptops often have stricter policies

Question 44

Does client install interfere with normal user operation

Answer 44

No

**FDE is an exception as might require reboot

Question 45

What tab allows you to modify or upgrade protections

Answer 45

Policy tab

Question 46

Two methods of mod or upgrade

Answer 46

Deployment Rules or Exported package

Question 47

how do you get new version into mgmt server

Answer 47

1. Download

2. Upload

Question 48

Does the client and blade package need to be upgraded at the same time.

Answer 48

Yes

Question 49

How would you allow postpone of client upgrade

Answer 49

Client settings allow postpone upgrade

Question 50

Deployment rules characteristics

Answer 50

1. Automatically download and install preconfigured client packages
2. Deploy to individual or all nodes
3. Policy needs to be installed for rules to apply
4. Must do initial install before blade deployment

Question 51

User Authentication settings are done in what tab in the console?

Answer 51

Reporting tab

Question 52

What are the predefined actions in OneCheck

Answer 52

1. User predefined windows recommended password complexity
2. Pre-boot password updates
3. Temp lock failed attempts
4. Use default login settings
5. Allow remote help

Question 53

What is pre-boot

Answer 53

User must login before the OS boots

Question 54

What are the pre-boot authentication options

Answer 54

1. Passwords
2. Smart cards
3. Dynamic tokens

Question 55

Why use FDE

Answer 55

When machines are shared amongst users

Question 56

How and what type of encryption FDE

Answer 56

AES, HDD is encrypted, but data is not.

Question 57

What feature is used for FDE authentication

Answer 57

OneCheck Logon policies manage FDE user logins and password security

Question 58

When using AD recommended to use which authentication components

Answer 58

User Acquisition
OneCheck Logon
Password Sync (same creeds SSO login)

Question 59

Is user acquisition enable by default for FDE

Answer 59

Yes

***Requires users log in and out to acquire pre-boot credentials

Question 60

OneCheck Logon

Answer 60

SSO solution VPN and FDE password Sync

Question 61

Password Sync

Answer 61

Pre-boot prevents OS from booting until user authenticated

Question 62

Can passwords be changed at preboot.

Answer 62

Yes, and it automatically sent to all computers the user is authorized to access pre-boot.

Question 63

Endpoint had monitoring built-in for what?

Answer 63

Connection State:Compliance:other data connected clients
Provide system-wide reporting or granular user and computers
monitoring reports for compliance, activity, software, deployments…etc

Question 64

Name the 5 tabs in the SmartEndpoint GUI

Answer 64

1. Overview
2. Policy
3. Users & computers
4. Reporting
5. Deployement

Question 65

What are blades included in the data protections for endpoint

Answer 65

FDE, MEEP, Capsule docs, VPN

Question 66

What licenses are required for endpoint security

Answer 66

Mgmt
Blades
Container

Question 67

Where are endpoint historic logs kept

Answer 67

Smart console

Question 68

What do OneCheck users settings define

Answer 68

How users authenticate to endpoint security. More specifically, how a user log into his/her computer and what happens with failed attempts

Question 69

ESM Components

Answer 69

SmartEndpoint
ESM blade
Endpoint blades
Endpoint DB
Directory Scanner

Question 70

Installation methods for ESM

Answer 70

1. Standalone- with the network management server

2. Distributed - Helps ensures no hotfix upgrades

Question 71

Things to watch out for during instalation

Answer 71

1: Network Security management and smart console must be installed
2: Ad structure can be replicated into EMD DB
3: Ad scanner will require AF permission to read only

Question 72

What port handles loop back for Mgmt and AD scanner comes

Answer 72

8080

Question 73

What port encrypted client comes to client sever, FDE, and MEPP

Answer 73

443

Question 74

What is -port is SIC communications

Answer 74

18190

Question 75

Which port handles SSL Gaia portal

Answer 75

4434

Question 76

What port handles SOC proxy198

Answer 76

1080

Question 77

What SK# provides all port access requirements

Answer 77

SK52421

Question 78

What component is required to incorporate AD users, computers

Answer 78

AD Scanner

Question 79

What type of information is captured by AD scanner

Answer 79

1. OU’s
2. Users (not contacts)
3. Computers
4. Security group

Question 80

What is polling intervals for AD scanner

Answer 80

2 minute management server

AD refresh every 5 minutes`

Question 81

How many scanners is recommended per domain

Answer 81

One, be sure not to duplicate scan networks

Question 82

What are the four type of client deployment and installation

Answer 82

1. Automatic deployment rules
2. Package export and manual install
3. CLI
4. Third part tools (SCCM, GPO

Question 83

What are the steps for client install in an automatic deployment

Answer 83

1. Automatic =Manual install initial client and then deployment rules

**deployment log %programdata%\checkpoint\Endpoint Security

Question 84

How do you install the endpoint client manually

Answer 84

Export package (via third party, file share, email), use the deployment tab;
Create/change deployment tab>packages for export
Run as administrator EPI.MSI
CLI msiexec /i EPS.msi

Install log %temp%\MSIXXXX.log

Question 85

How do you uninstall endpoint client

Answer 85

Same as all other windows programs, but need admin access **make sure to remove from console after you are completed to free up licenses

Question 86

How do you install endpoint client on the Mac

Answer 86

Manual only way possible install, expand *.zip file and start the install

Question 87

What common third party tool most commonly used to install client in a windows env

Answer 87

SCCM/GPO

Question 88

What type of information is in the endpoint client GUI

Answer 88

1. Overview of protections on machine
2. Client update status and scan info
3. Allow users to request updates and view scans
   4 Policies and log info on the advanced tab

Question 89

Client Settings Policy does what?

Answer 89

Default settings for entire org, for the below settings
A. General UI settings
B. Log & alert confirms
C. Install and upgrade settings
D. Network protections
E. Local deployment optons
F. Data  sharing options

Question 90

What type of remote connection options (VPN) are available

Answer 90

IPSEC
SSL VPN
Mobile access

Question 91

Where does VPN license reside

Answer 91

Network management server

Question 92

What do access zoned do?

Answer 92

They define trusted and untrusted networks

Question 93

Where can VPN settings be defined

Answer 93

1. Compliance policy

2. Advanced Deployment options (This is where sites created)

Question 94

Are VPN settings part of the automatic client deployment

Answer 94

No

Question 95

You can have compliance checks run before an individual can access VPN. What two types of policy checking can be defined

Answer 95

Endpoint security compliance= use endpoint security policy

VPN SCV compliance= this forces security compliance with org policies

Question 96

What is the client authentication process for?

Answer 96

Process of identifying client machine and the person working on it.
2 modes
Authenticated ( recommend live env)
Unauthenticated (insecure used IP and should be used in a lab)

Question 97

How do you enable strong authentication

Answer 97

Based on Kerberos, user must be in AD

**Need to run it ktpass.exe, created key tab file> this will then be used to setup authentication connection type

Question 98

Where are client logs stored

Answer 98

On the endpoint device

Question 99

What type of security is used between the management server

Answer 99

TlSv1 & TLSvv2 certificate based key

Question 100

What type of communication between the endpoint security server and other CP products

Answer 100

SIC + Certificate

Question 101

When does a client check for updated

Answer 101

Startup
Heartbeat Response
Client Component Changes
Installation state changes

Question 102

What is the AD scanner and how does it work

Answer 102

Scans AD and copies org chart into endpoint

Question 103

What are the four ways to install endpoint

Answer 103

1. Automatic
2. Manual
3. CLI
4. Third Party

Question 104

What are the two VPN Client authentication actions Which can be enforced when verification fails

Answer 104

Endpoint Security Compliance

VPN SCV Compliance

Question 105

How do Endpoint Security Server communicate with other CP servers

Answer 105

SIC + Certificates

Question 106

What does the policy server Do?

Answer 106

Houses log server
Manages client communication
Improves performance (decreases load on ESM)

Question 107

How many policy servers should you have in each remote site

Answer 107

One

Question 108

What are steps in installing log server

Answer 108

1. Create new object in smart dashboard
2. Enable EPM, Logging and status blades on the object
3. Push policy and install database
4. Then add the new policy server menu, management, endpoint servers new

Question 109

What type of communication does policy server respond to

Answer 109

Heartbeat
Sync
Policy downloads
Malware Updates

**Client will connect to the server that is closest. So if policy server and management server client will choose.

Question 110

How can you tell which policy server client is connected

Answer 110

Run activity report and will tell you which server the client is connected

Question 111

When does new policy server sync

Answer 111

Initial sync is done after configured and installed

Then heartbeat will keep sync after first

Question 112

How many standby management servers are allowed

Answer 112

One

Question 113

Steps to create HA management server

Answer 113

Install new SMS server
Enable network policy management 
Establish SIC primary EMS and standby
Install DB on secondary
Wait for sync
Enable endpoint management on second management 
Install DB

Question 114

When failing over to secondary EMS management, is it automatic

Answer 114

No

Question 115

What two manual activities are required on secondary EMS

Answer 115

1. packages

2. Failover

Question 116

When does the initial sync occur between primary and standby management servers

Answer 116

After the policy server is configured and policy is installed

Question 117

What type of data security can endpoint client provide

Answer 117

In transit
At rest
In use
Shared

Question 118

What data security solutions are provided by the endpoint system

Answer 118

1. FDE
2. MEPP
3. Capsule docs
4. VPN

Question 119

Features of FDE

Answer 119

Data at rest
Protects user data, OS file, temp and erased file
Combines OS boot protection with preboot auth

Question 120

Features of MEPP

Answer 120

Data at rest
Controls and logs all endpoint port activity
Manages ports by blocking certain ports based on policy

Question 121

Capsule Docs features

Answer 121

Data in-use /shared
Allows access and share corp docs
Integrates with windows client
Audit trail in smartview tracker

Question 122

Remote Access VPN features

Answer 122

Transit, rest, in-use, and share

Question 123

FDE Disk Encryption

Answer 123

To initiated requires user authentication

Process runs in the background

Question 124

What type of encryption is default and available for FDE

Answer 124

AES 256 (default)
3DES 168
Blowfish 255 
Cast 128
XTS AES 128 & 256 EFI

Question 125

Why is FDE pre-boot important

Answer 125

Avoids unauthorized access to disk by removing third part tools
Ensures user identity prior to booting into data drive
Supports multi-factor

Question 126

What are the FDE file components

Answer 126

FDE Service (FDE_SRV.exe)- config, encrypt and handles policy
Crypto Core (CCore32.bin)- encryption algorithms 
Filter Driver (prot_2k.sys) Driver for encryption FAT drives sector location

Question 127

Gotchas for FDE

Answer 127

Need 32mb contiguous space no Raid
no hybrid drive with cache / compressed root file system
By default encrypts all visible drives

Question 128

How to start encrypting with FDE

Answer 128

1. Connect machine to management
2. Download FDE policy
3. Run through user acquisition
4. Pre-boot user created
5. Create 32 mb paritiion
6. Recovery data sent to server

Question 129

FDE Recovery options

Full recovery with recovery media

Answer 129

Recovery files collected when initial FDE was established
As volumes are added to removed these activities are reflected in recovery info
Removes encryption without removing windows components
Restores boot record

Question 130

Where is recovery media tool

Answer 130

Client tun the useRec.exe
Location: c:\program files\Checkpoint\endpoiny security\full disk encryption
Run as an administrator

Question 131

FDE recovery options

Drive Slaving

Answer 131

Faster method extracting file from failed or encrypted drive
Dynamic Slave Utility
Access specific files on failed disks
Connect through USB
FDE auth is required

Question 132

FDE recovery options

Drive Mount Utilities

Answer 132

FDE auth not required

Used to access data of an FDE without doing recovery.

Question 133

How many types of media encryption are available in endpoint

Answer 133

2
Primary: Basic config, customizable read write permission & exclusions
Advanced Authorizatoin, Logging, policy violation (global permissions)

Question 134

Capsule Docs does what

Answer 134

Protects documents and controls access
Integrated AD, when doc created appropriate permission are appplied
2 action types:
- Primary= default encryption behavior, classification, snd permissions
- Advanced= Granular permission, applied ou level

Question 135

What does endpoint remote help provide

Answer 135

Allows admins to help users regain access from MEPP or FDE

Question 136

How many types of recovery help is offered by endpoint management

Answer 136

2
Type 1: User logon preboot remote help challenge response procedure
One-time-login
*Allows bypass pre-boot without resetting password
*Does not uncles their account
* Use for lost smart cards and gettin updated to clients.
Remote password change
*Change user password at pre-boot
*By padded pre-boot login.
*Will in unlock account

Question 137

How many types of recovery help is offered by endpoint management

Answer 137

2
Type 2 Media encryption remote help
*recovers removable media passwords remotely
* user must be authorized to use media

Question 138

Is remote help enabled by default in OneCheck policy

Answer 138

Yes

Question 139

What ways can you use recovery options

Answer 139

1. Through smartendpoint

2. Through web portal

Question 140

What is address of web portal for recovery

Answer 140

HTTPS:///weary

Question 141

Features of one-time logon

Answer 141

Bypass preboot
Does not unlock account
Does not reset password

Question 142

Features of remote password change

Answer 142

Change password

Unlock account

Question 143

How do you enable remote help at pre-boot screen

Answer 143

Type is username and hit tab (this will show you remote help options)

Question 144

What types of attacks are targeting endpoint devices

Answer 144

A. APT (Advanced Persistent Threat)’
    Large Scale
    State Sponsored
     Devastating damage
     Multi surface
B. Zero Day
    Target unknown software vulnerabilities
C. Bot attacks 
    Remote control of machine
D. Ransomware

Question 145

Is Sandblast agent part of network sandblast

Answer 145

No

Question 146

What are the advantageous of Sandblast mobile

Answer 146

Securing users outside the corp network
Protecting user who use removable media devices to share files
Blocking listeria threats
Detecting and preventing encrypted message that bypass security gateway

Question 147

What is anti-bot doing

Answer 147

Searching for malicious outgoing traffic using threat intelligence (threat cloud)
Detecting and blocking C&C attempts
Quarantine files as needed

Question 148

What are antibiotics actions and settings

Answer 148

Scans and assigns confidence interval to bot traffic
Default (detects and logs all bots with high confidence)
Exclusion list =domains, processed URLS, IP’s

Question 149

Is Anti-Malware signature based

Answer 149

Yes

Question 150

Features anti-malware

Answer 150

Signature based
Definition updates are coming from EMS , so need to maintain connectivity
Primary-scan scheduling
Advanced- Fine tune scan optimizations

Question 151

Anti-Ransomware features

Answer 151

Continuous monitoring of client file operations
Monitors computer processes and look for triggers
Behavioral Guard (detected and remediates all forms malicious behavior.
Anti-Ransomware= quarantine infected files by deleting and storing safe locatio
-Actions & Settings
Actions are based on threats confidence level
Exclusions are possible
Need 1 GB minimum disk storage’

Question 152

Whats is Threat extraction

Answer 152

Provides immediate response to malicious content in files. this is done by removing suspicious elements e.g macros

Question 153

What is threat emulation

Answer 153

Proactively detects zero day. Then it send to Sandbox (cloud or local) for emulation. Deep examination as also accomplished by monitoring individual file for compromise

Question 154

What is the inspection process look like

Answer 154

User downloads malicious file
SBA intercepts files and sends to sandblast service
Sandbox performs emulation
Extraction already providing clean content
Is suspicious = quarantine
If not suspicious send to recipient

Question 155

What two modes of enforcement in threat emulation

Answer 155

Detect and alert

Block

Question 156

What does ant-exploit accomplish

Answer 156

Monitors suspicious memory manipulation in running programs. It will shutdown exploited process when detected.
Actions and Settings:
Default=protect wed downloads with emulation, use cloud, inspect everything, 10MB emulation limit, add exclusions

Question 157

What does the browser extension for sandblast agent

Answer 157

Captures downloads for threat extraction and emulation

Continually looks client files in case a crazy event.

Question 158

recommendation deploying SBA

Answer 158

1. Vigorously test SBA with the software used by those organization; thus ensuring that once turn on impact will be minimal
   Options Deployment
   -Default=use cloud for emulation
   -Or can leverage an appliance to the be used locally

Question 159

Why is a central login server a good idea

Answer 159

Takes the load of the other assets in the deployment, easier to correlate events.

Question 160

What software blades are included with SBA

Answer 160

1. Behavioral guard
2. Anti-exploit
3. Anti-bot
4. Anti-ransomware
5. Forensics
6. Threat extraction / threat emulation

Question 161

Default length for saving quarantined SBA files

Answer 161

90 days

Question 162

What does browser extension for threat emulation and threat extraction

Answer 162

Intercepts downloads and send them for extraction and emulation

Question 163

What type of reporting is provided by sandblast agent

Answer 163

1. Predefined reports
2. Alerts
3. System operations
4. Monitor
5. Audit
6. Client install / deployment

Question 164

What do alerts display

Answer 164

Endpoint clients in violation of rules

Question 165

What does push operations display

Answer 165

Displays recent activities:

Anti-malware scans and updates send directly to clients without policy install

Question 166

What does compliance show

Answer 166

Verifies compliance by software OS updates, Service packs…etc

Question 167

What does activity report show

Answer 167

Shows current activity status of clients, policy servers, users client connections and problems

Question 168

What does software deployment show

Answer 168

Deployment status errors and policies

Question 169

What does FDE show

Answer 169

Encryption status and problematic clients

Question 170

What does user authentication (OneCheck) show/

Answer 170

Pre-boot status, configured auth methods, last authentication

Question 171

What does MEPP Show

Answer 171

Displays all device connection event for last 14 days, reports all device connected to clients

Question 172

What does Anti-malware show

Answer 172

Status of Am detections and result for updates of clients

Question 173

What does ant-bot show

Answer 173

AB status

Question 174

What does license show

Answer 174

License usage

Question 175

What is the SmartEndpoint report structure

Answer 175

-Summary chart
Visual oveview of trends
Can be exported XLS, CSV, HTML, PDF
-Endpoint List
Detailed info for users and client machines
You can right click on the client to adjust behavior or rule settings

Question 176

How do you setup policy reports

Answer 176

Scheduled in the ESM and generated CSV file
Execute cpstop
Edit $UEPMDIR/engine/conf/local.properties file
Set time #emon.scheduler,time
Set max reports #emon.scheduler.max.reports
Enable report #emon.scheduler.policy report=true
Create new folder $fwdir/conf/smc_files
Cost art
2 field
General: user and client info
Policy: identified policy name and rules actions for each client

Question 177

How do forensics reports get generated

Answer 177

Automatically initiatives upon detection of a triggered event, file, or malicious behavior.
Report includes:
Entry point of suspicious file
Affected files
Remediation efforts
Suspicious behavior resulting from attack
Attack details

Question 178

Name diagnostic tool

Answer 178

CPinfo contains

• all files data directory
• installation log
• file version info
• Registry Values
• Gina doll
• SMBios structure
• installed applications
• Windows partition list

FDE state

• Failure window encrypt/decrypt process
• Identifying which disks have failures
• FDE client issues