CCNA CBROPS M3-Host-Based Analysis

1. A distributed firewall requires a distributed administration system to monitor the personal firewall policies. (True or False?)

2. This type of firewall is implemented in the Linux user space, works at the application layer, and is used to permit or deny access to a specific service.

3. What is the attacker trying to gain by turning off the Windows Firewall on the victim’s Windows machine?

4. Which one of the following statements is true about host-based IPS (HIPS)?

5. A malicious file was executed on a host but it was not detected by the host-based IPS. What is this kind of incident known as?

6. A signature-based IPS will be able to detect an as-yet-unknown attack for which the database has no signature. (True or False?)

7. It refers to a type of host-based IPS that compares traffic in real time with traffic that is deemed normal. What is this?

8. In the IPS alert matrix diagram, which of the four outcomes is the worst and is given very high priority when a high number of occurrences is identified?

9. Which two of the following statements are true about host-based antivirus software? (Choose two.)

10. What is the reason that most antivirus solutions cannot detect zero-day attacks?

11. Regarding malware protection, which statement is true?

12. Which Cisco AMP for Endpoints feature is used during post-incident investigations to determine the source (patient zero) of the malware?

13. An effective endpoint protection platform (EPP) must apply which three advanced anti-malware capabilities? (Choose three.)

14. What is the primary reason to use a sandbox to analyze unknown suspicious files?

15. How does malware evade sandbox detection?

16. Malicious Windows operating system code that shares a single virtual address space and can manage the system CPU and memory resources directly is running in which mode?

17. When investigating Windows-based security incidents, which can cause the most damage to the integrity of the Windows operating system?

18. Which Windows component is used by the applications to modify the system resources?

19. When investigating a malicious Windows application, which two Windows components that are associated with the application will also need to be investigated? (Choose two.)

20. You encountered malware that automatically runs at boot in its own Windows session, without any user interface. Which Windows component can be used to prevent the malware from starting automatically?

21. If a Windows host is under a DoS attack, what tool can be used to monitor the current CPU and memory usage?

22. If the Downloads directory is in the home directory, which three of the following commands will navigate you to the Downloads directory? (Choose three.)

23. What are two examples of ways to access the Linux operating system? (Choose two.)

24. The process that is known as piping performs which of the following?

25. Which command-line tool can be used to capture specific traffic for passive analysis?

26. In Linux, which command allows a user to view a list of open files/connections?

27. It is the process of tracking, identifying, and blaming a cyberattack perpetrator or other hacking exploit.

28. In cyber attribution, it refers to a person or organization that has the potential or intent to harm the protection of other persons or businesses.

29. Originally developed by Verizon, it is a set of metrics that provides a common language for describing security incidents in a structured and repeatable manner. What is this?

30. It refers to pieces of forensic data, such as data found in system log entries or files, that identify potentially malicious activity on a system or network. What is this?

31. Which of the following is an example of an IOA (Indicator of Attack)?

32. It refers to a way of documenting and preserving evidence from the time that you started the cyber forensics investigation to the time the evidence is presented in court.

33. It is a kind of evidence that supports an assertion supported by previously obtained evidence.

34. You recently ran a software image verification of a Cisco IOS XE image on a Cisco ASR1K router. You noticed that the last character of the SHA512 checksum differs from the checksum presented on the Cisco software download portal. What does this indicate? (Choose two.)

35. It is a technique for collecting architectural knowledge about something that was initially built by someone else.

36. These are tools that allow reverse engineers to observe the program while it is running and to set breakpoints; they also provide the ability to trace through code.

37. It refers to a Cisco product that provides automatic sandbox capabilities for analyzing files that may be malicious.

38. When an attacker modifies a system image that has been digitally signed, what does the attacker also need in order to change the digital signature of the image?

39. An attacker used social engineering to gain administrative access to a router, then altered the router image. How can an analyst detect that the router’s image has been altered?

40. In Cisco AMP, it refers to the components that run on the endpoints and communicate with the cloud to send information about files and to receive file disposition information.

41. Which systemwide Windows registry hive may be modified by attackers to automatically start malware at boot time?

42. In the Windows operating system, what is an important function of the winload.exe executable?

43. Malware infecting which Windows registry hive can alter the Windows user’s profile?

44. Which two statements are true about Windows operating systems? (Choose two.)

45. Which two network server services are supported natively with the Windows Server operating systems? (Choose two.)

46. It refers to a package of tools that is specifically designed for the Windows operating system.

47. It is a tool that shows processes that are communicating with other hosts, which may be normal behavior for many processes.

48. Which tool provides an option that can tell you if a process is using a file that is known to be malicious?

49. What do you need to do to ensure that a Sysinternal tool runs properly on a Windows system?

50. Which two options are the result of typing cat myfile.txt 2> file_output.log from the command line? (Choose two.)