PSE
Test title: PSE. Description: Endpoint - Professional




1. To ensure that the Traps VDI tool can obtain verdicts for all unknown files, what needs to be checked? Assume the ESM Console and ESM Server are on different servers. (Choose two.)
   A. ESM Server can access WildFire Server.
   B. Endpoint can access WildFire Server.
   C. ESM Console can access WildFire Server.
   D. Endpoint can access ESM Server.

2. Which set of modules must be loaded and configured when using Metasploit?
   A. Attacker, payload.
   B. Exploit, payload.
   C. Exploit, malware.
   D. Malware, host.

3. Which MSI command line parameters will successfully install a Traps agent using SSL and pointed to the server ESM?
   A. msiexec /i c:\traps.msi /qn TRAPS_SERVER=ESM USE_SSL_PRIMARY=1
   B. msiexec /i c:\traps.msi /qn CYVERA_SERVER=ESM USE_SSL_PRIMARY=1
   C. msiexec /i c:\traps.msi /qn ESM_SERVER=ESM USE_SSL_PRIMARY=1
   D. msiexec /x c:\traps.msi /qn SERVER=ESM USE_SSL_PRIMARY=1

4. In a scenario where macOS Traps logs failed to be uploaded to the forensic folder, where will the user on the macOS host be able to find the collected logs?
   A. /ProgramData/Cyvera/Logs
   B. /ProgramData/Cyvera/Everyone/Temp
   C. /Library/Application Support/Cyvera/BITS Uploads/
   D. /Library/Application Support/PaloAltoNetworks/Traps/Upload/

5. Traps agents use a default password for uninstallation in the event that they never communicate with their ESM server. Identify the password.
   A. PaloAlto!
   B. Uninstall1
   C. No password is required.
   D. Password1

6. Uploads to the ESM Server are failing. How can the mechanism for forensic and WildFire uploads be tested from the endpoint?
   A. Use BITS commands in PowerShell to send a file to the ESM Server.
   B. Use curl to execute a POST operation.
   C. Use SCP commands from an SSH client to transfer a file to the ESM Server.
   D. Click "Check-in now" in the agent console.

7. The administrator has added the following whitelist to the WildFire Executable Files policy: *\mysoftware.exe. What will be the result of this whitelist?
   A. Users will not be able to run mysoftware.exe.
   B. mysoftware.exe will be uploaded to WildFire for analysis.
   C. mysoftware.exe will not be analyzed by WildFire regardless of the file location.
   D. mysoftware.exe will not be analyzed by WildFire, but only if executed from the C drive.

8. In a scenario where winword.exe, the Microsoft Word application, is behaving abnormally, how would the administrator verify whether Traps DLLs are injected into the process?
   A. Run "cytool policy winword.exe".
   B. Use Process Explorer to find Traps DLLs injected into the process.
   C. Open the Add-ins tab in Word's options to find the Traps add-in.
   D. Use "Ninja mode" in the policy editing screen in the ESM to find winword.exe.

9. Assume a Child Process Protection rule exists for powershell.exe in Traps v4.0. Among the items on the blacklist is ipconfig.exe. How can an administrator permit powershell.exe to execute ipconfig.exe without altering the rest of the blacklist?
   A. Add ipconfig.exe to the Global Child Processes Whitelist, under Restriction settings.
   B. Uninstall and reinstall the Traps agent.
   C. Create a second Child Process Protection rule for powershell.exe to whitelist ipconfig.exe.
   D. Remove ipconfig.exe from the rule's blacklist.

10. Which software category is most likely to cause a conflict with the Traps agent?
   A. Exploit prevention software.
   B. Web browser software.
   C. Web meeting and collaboration software.
   D. Full disk encryption software.

11. A deployment contains some machines that are not part of the domain. The Accounting and Sales departments are two of these. How can a policy of WildFire notification be applied to Accounting, and a policy of WildFire prevention be applied to Sales, without affecting any other WildFire policies?
   A. Create the rules and use the Objects tab to add Accounting and Sales to each rule they should apply to.
   B. Create a condition for an application found on an Accounting machine. Use that condition for the Accounting group's rule, and create the rule for Sales without any conditions.
   C. Create two rules for WildFire: one for prevention, and one for notification. Make sure the Accounting rule is numbered higher.
   D. Create group-specific registry entries on endpoints. Use these registry entries to create conditions for the WildFire rules.

12. An administrator is concerned about rogue installs of Internet Explorer. Which policy can be created to assure that Internet Explorer can only run from the \Program Files\Internet Explorer\ directory?
   A. An execution path policy to blacklist iexplore.exe, and a whitelist entry for %programfiles%\iexplore.exe.
   B. An execution path policy to blacklist *\iexplore.exe. Trusted signers will allow the default iexplore.exe.
   C. A whitelist of *\iexplore.exe with an execution path restriction, and a blacklist of %system%\iexplore.exe.
   D. An execution path policy to blacklist *\iexplore.exe, and a whitelist entry for %programfiles%\Internet Explorer\iexplore.exe.

13. An administrator receives an alert indicating the ESM service is not starting on the ESM Server. When the administrator tries to start the service manually, the administrator receives the error "The Endpoint Security Manager service on Local Computer started and then stopped." What is the cause of the failure?
   A. The account assigned to the service does not have "Log on as a batch job" permissions on the machine.
   B. The account assigned to the service does not have "Log on as a service" permissions on the machine.
   C. The account assigned to the service is not the Local Administrator on the machine.
   D. The account assigned to the service is not an Active Directory domain user.

14. The administrator has downloaded the Traps_macOS_4.x.x.zip file. What are the next steps needed to successfully install the Traps 4.x for macOS agent?
   A. Push the Traps_macOS_4.x.x.zip to the target endpoint(s), unzip it, and execute Traps.pkg.
   B. Unzip the Traps_macOS_4.x.x.zip, push the Traps pkg file to the target endpoint(s) and execute Traps.pkg.
   C. Create a one-time action to install the Traps_macOS_4.x.x.zip file on the target endpoint(s).
   D. Create an installation package using Traps_macOS_4.x.x on ESM, download the installationpackage.zip, push the installationpackage.zip to the target endpoint(s), unzip it, and execute Traps.pkg.

15. The ESM policy is set to upload unknowns to WildFire. However, when an unknown is executed, the Upload status in ESM Console never displays "Upload in progress", and the verdict remains local analysis or unknown. Even clicking the upload button and checking in does not resolve the issue. A line in the log file suggests not being able to download a file from "https://ESMSERVER/BitsUploads/... to C:\ProgramData\Cyvera\Temp\...". Which solution fixes this problem?
   A. Restart the BITS service on the endpoint.
   B. Restart the BITS service on the ESM.
   C. Remove and reinstall all the agents without SSL.
   D. In the ESM Console, use the FQDN in multi ESM.

16. Once an administrator has successfully installed a Content Update, how is the Content Update applied to endpoints?
   A. After installation on the ESM, an agent license renewal is required in order to trigger relevant updates.
   B. After installation on the ESM, relevant updates occur at the next heartbeat communication from each endpoint.
   C. Installation of a Content Update triggers a proactive push of the update by the ESM server to all endpoints with licensed Traps agents within the domain.
   D. The Traps agent must be reinstalled on the endpoint in order to apply the content update. Existing agents will not be able to take advantage of content updates.

17. A company discovers through the agent health display in ESM Console that a certain Traps agent is not communicating with the ESM Server. Administrators suspect that the problem relates to TLS/SSL. Which troubleshooting step determines whether this is an SSL issue?
   A. From the agent, run the command: telnet (hostname) (port).
   B. Check that the Traps service is running.
   C. From the agent, run the command: ping (hostname).
   D. Browse to the ESM hostname from the affected agent.

18. When installing the ESM, what role must the database user be assigned in Microsoft SQL?
   A. db_owner
   B. db_securityadmin
   C. db_datawriter
   D. db_accessadmin

19. Which version of .NET Framework is required as a prerequisite when installing the Traps agent on Windows 7?
   A. .NET Framework 4.5
   B. .NET Framework 3.5.1
   C. .NET Framework 2.0
   D. .NET Framework 4.0

20. Files are not getting a WildFire verdict. What is one way to determine whether there is a BITS issue?
   A. Check the upload status in the Hash Control screen.
   B. Run a telnet command between the Traps agent and the ESM Server on port 2125.
   C. Use PowerShell to test an upload using the HTTP POST method.
   D. Initiate a "Send support file" from the agent.

21. Which is the proper order of tasks that an administrator needs to perform to successfully create and install Traps 4.x for macOS agents?
   A. Download ClientUpgradePackage_4.x.x.zip from the support portal. Copy ClientUpgradePackage_4.x.x.zip to the target endpoint. Unzip and run the Traps pkg.
   B. Download ClientUpgradePackage.zip from the support portal. Create an installation package on the ESM using the .zip file and download installpackage.zip. Copy installpackage.zip to the target endpoint. Unzip and run the Traps pkg.
   C. Download Traps_macOS_4.x.x.zip from the support portal. Copy Traps_macOS_4.x.x.zip to the target endpoint. Unzip and run the Traps pkg.
   D. Download Traps_macOS_4.x.x.zip from the support portal. Create an installation package on the ESM using the .zip file and download installpackage.zip. Copy installpackage.zip to the target endpoint. Unzip and run the Traps pkg.

22. A large manufacturer is planning to roll out Traps to 75,000 endpoints. Their environment consists of three major sites with 24,000 endpoints each, plus about 3,000 remote endpoints in smaller remote locations using always-on VPN connections to a single one of the major sites. The customer wants to minimize network traffic between the major sites, but all endpoints have internet access. The customer is looking for a centrally managed solution with common reporting and management for all endpoints in the environment. Which design option would be appropriate for this environment?
   A. Place the Traps database, ESM Console and two ESM Core servers in the large site hosting the VPN gateway, and force all endpoints to use VPN at all times.
   B. Place the Traps database, ESM Console and seven ESM Core servers in a public-cloud environment where the ESM Core servers are accessible from the internet.
   C. Place a Traps database, ESM Console and an ESM Core server in each of the three large sites.
   D. Place the Traps database and ESM Console in one of the major sites, and one ESM Core server in each of the three major sites.

23. An administrator has a critical group of systems running Windows XP SP3 that cannot be upgraded. The administrator wants to evaluate the ability of Traps to protect these systems and the word processing applications running on them. How should the administrator perform this evaluation?
   A. Run a known 2015 Flash exploit on a Windows XP SP3 VM, and run an exploitation tool that acts as a listener. Use the results to demonstrate Traps capabilities.
   B. Run word processing exploits in a Windows 7 VM in a controlled and isolated environment. Document indicators of compromise and compare them to Traps protection capabilities.
   C. Prepare a Windows 7 VM. Gather information about the word processing applications, determine if some of them are vulnerable, and prepare a working exploit for at least one of them. Execute it with an exploitation tool.
   D. Gather information about the word processing applications and run them on a Windows XP SP3 VM. Determine if any of the applications are vulnerable and run the exploit with an exploitation tool.

24. A customer plans to test the malware prevention capabilities of Traps. It has defined this policy:
   · Local analysis is enabled
   · Quarantining of malicious files is enabled
   · Files are to be uploaded to WildFire
   No executables have been whitelisted or blacklisted in the ESM Console Hash Control screen. Malware sample A has a verdict of Malicious in the WildFire service. Malware sample B is unknown to WildFire. Which behavior will result?
   A. WildFire will block sample A as known malware; sample B will be blocked as an unknown binary while the file is analyzed by WildFire for a final verdict.
   B. Hash Control already knows sample A locally in the endpoint cache and will block it. Sample B will not be blocked by WildFire, but will be blocked by the local analysis engine.
   C. WildFire will block sample A as known malware, and sample B will compromise the endpoint because it is new and the ESM Server has not obtained the required signatures.
   D. WildFire will block sample A as known malware; sample B will not be blocked by WildFire, but will be evaluated by the local analysis engine and will or will not be blocked, based on its verdict, until WildFire analysis determines the final verdict.

25. An ESM server's SSL certificate needs two Enhanced Key Usage purposes: Client Authentication and ________________.
   A. Server Authentication
   B. File Recovery
   C. IP Security User
   D. IP Security Tunnel Termination

26. There are two custom policy rules in ESM Console. Policy rule number 1000 turns ROP off for winword.exe. Policy rule number 1001 turns ROP on for winword.exe. What is the ROP module status for winword.exe?
   A. Due to the collision in the policy rules, ROP is enabled in notification mode.
   B. The lower numbered policy rule takes precedence. ROP is off for winword.exe.
   C. The higher numbered policy rule takes precedence. ROP is on for winword.exe.
   D. The default policy rule takes precedence over both policy rules 1000 and 1001 and disables ROP for winword.exe.

27. An administrator would like to add Google Chrome and Google Chrome Helper to the exploit prevention policy for macOS. In order to achieve this, which option should be added to the macOS protected processes list?
   A. chrome app
   B. google chrome and google chrome helper
   C. chrome*
   D. google chrome

28. What is the default interval for Traps agents to communicate via heartbeat to the ESM?
   A. Every 1 minute
   B. Every 1 hour
   C. Every 1 day
   D. Every 1 year

29. An administrator has installed Traps 4.0. The administrator wants to test the malware protections provided. What sample should they use to test the protections provided by Traps?
   A. A sample with a low number of hits in VirusTotal.
   B. A toolbar package known to be flagged as grayware by Traps.
   C. A sample known to generate false positives in the production environment.
   D. An MS Office document which contains a ransomware macro.

30. A company is using a web gateway/proxy for all outbound connections. The company has deployed Traps within the domain and, in testing, discovered that the ESM Servers are unable to communicate with WildFire. All other Traps features are working. What is the most likely cause of the issue?
   A. The administrator needs to configure WildFire proxy settings in each Agent Console.
   B. The administrator needs to configure WildFire proxy settings in the ESM Console and in each Agent Console.
   C. The administrator needs to purchase the additional site license required for WildFire.
   D. The administrator needs to configure WildFire proxy settings in the ESM Console.

31. During installation of the ESM and the agent, SSL was enabled on an endpoint. However, the agent communication is failing. The services.log on the endpoint has the following error: "An error occurred while making the HTTP request to https://hostname:2125/CyveraServer/. This could be due to the fact that the server certificate is not configured properly with HTTP.SYS in the HTTPS case. This could also be caused by a mismatch of the security binding between the client and the server." Which certificate can be imported on the endpoint to solve this issue? Assume the hostname is a valid FQDN and the ESM Server and Console have different certificates.
   A. ESM Server Public Certificate
   B. ESM Server Self-Signed Certificate
   C. ESM Console Self-Signed Certificate
   D. ESM Console Public Certificate

32. An administrator is installing ESM Core 4.0. The SQL Server is running on a non-standard port (36418). The database connection validation is failing. The administrator has entered the following information: Server Name: Servername\Instance; Database: TrapsDB; User Name: Domain\Account. What is causing the failure?
   A. The database name "TrapsDB" is unsupported.
   B. The instance name should not be specified.
   C. The non-standard port needs to be specified in the format TrapsDB,36418.
   D. The destination port cannot be configured during installation.

33. An administrator has identified an EPM-triggered false positive and has used the Create Rule button from within the relevant entry in the Security Events > Preventions > Exploits tab. What is the result of the created rule?
   A. The new rule stops all EPM injection into the faulted process.
   B. The new rule stops all EPM injection into processes on the machine on which the prevention was triggered.
   C. The new rule excludes the endpoint from Traps protection.
   D. The new rule will include the EPM that raised the prevention, the process that triggered the prevention, the machine on which the prevention was triggered, and a descriptive name for the rule.

34. Which two Enhanced Key Usage purposes are necessary when creating an SSL certificate for an ESM server? (Choose two.)
   A. File Recovery
   B. Server Authentication
   C. Client Authentication
   D. Key Recovery

35. When planning to test a software exploit using a Metasploit module, which two things should be considered about the victim host to ensure success? (Choose two.)
   A. USB port version of the victim host.
   B. Speed and make of the victim's RAM.
   C. Software version of the target application.
   D. Platform, architecture, and patch level of the victim host.

36. prevention events refer to launching an Install Wizard that has received a benign verdict from WildFire. All prevention events are reported on a subset of endpoints that have recently been migrated from another Traps deployment. Which two troubleshooting actions are relevant to this investigation? (Choose two.)
   A. Check that the servers XML file has been cleared on the migrated endpoints.
   B. Check that the ClientInfoHash tag has been cleared on the migrated endpoints.
   C. Check that the actions XML file has not been cleared on the migrated endpoints.
   D. Check that the WildFire cache has been cleared on the migrated endpoints.

37. Which two indicators can an administrator check to verify that Traps for Mac is running correctly on an installed endpoint? (Choose two.)
   A. Use cytool from the command line interface to display the running Traps agent services.
   B. In the Activity Monitor, verify that CyveraService is running.
   C. Ping other Traps agents from the macOS agent.
   D. Verify that the Traps agent icon is displayed in the macOS menu bar.

38. A company wants to implement a new Virtual Desktop Infrastructure (VDI) in which the endpoints are protected with Traps. It must select a VDI platform that is supported by Palo Alto Networks for Traps use. Which two platforms are supported? (Choose two.)
   A. Citrix XenDesktop
   B. VMware Horizon View
   C. Listeq
   D. Nimboxx

39. A customer has an environment with the following:
   · 1,000 agents communicating over SSL with two servers: one hosting the ESM Server and another where the ESM Console is installed
   · BitsUploads resides on the ESM Console server
   · ESM Server and Console are using the default ports for communication
   In a scenario where a file is failing to be uploaded from macOS, which three reasons could be directly related to the failure? (Choose three.)
   A. The Traps agent is not able to check in with the ESM Server.
   B. The rate of upload is lower than 100 Kb/s.
   C. The BITS address in the ESM is incorrect.
   D. Port 2125 is blocked on the server which hosts BitsUploads.
   E. Port 443 is blocked on the server which hosts BitsUploads.

40. Which two are valid optional parameters when upgrading the Traps agent from the ESM Console using "Upgrade from path"? (Choose two.)
   A. Conditions
   B. Processes
   C. ESM Server
   D. Target Objects
   E. Features

41. From the ESM Console, in which two ways can an administrator verify that their installed macOS agents are functional? (Choose two.)
   A. Click the Settings tab > Agent > Installation Package to view the agents installed.
   B. Click the Dashboard tab, and refer to the Computer Distribution and Version window.
   C. Click the Monitor tab > Agent > Health. Sort by OS and look for the macOS endpoints.
   D. Click the Monitor tab > Data Retrieval.

42. An administrator has decided to test Traps functionality using malware samples in an isolated non-production environment. In order to effectively test Traps, which three types of samples should the administrator avoid? (Choose three.)
   A. A sample with a low number of hits in VirusTotal.
   B. An MS Office document which contains a ransomware macro.
   C. A sample known to be flagged as grayware by Traps.
   D. A freeware video application which spawns malicious processes.
   E. A sample known to generate false positives in the production environment.

43. A company is trying to understand which platforms Traps can be installed on in their environment. Select the three endpoints where Traps can be installed. (Choose three.)
   A. Windows 10 LTSB with 2 GB RAM, 500 MB free disk space and an Intel Core i5 CPU.
   B. Windows 2000 SP4 with 1 GB RAM, 4 GB free disk space and an Intel Pentium 4 CPU.
   C. Apple iPhone 6s.
   D. Windows Server 2012 R2 Standard Edition in FIPS mode, with 4 GB RAM, 20 GB free disk space, running on VMware ESXi.
   E. 15" MacBook Pro running macOS 10.12 with 16 GB RAM, an Intel Core i7 CPU and 100 GB free disk space.

44. An administrator is testing an exploit that is expected to be blocked by the JIT Mitigation EPM protecting the viewer application in use. No prevention occurs, and the attack is successful. In which two ways can the administrator determine the reason for the missed prevention? (Choose two.)
   A. Check in the HKLM\SYSTEM\Cyvera\Policy registry key and subkeys whether JIT Mitigation is enabled for this application.
   B. Check if a Just-In-Time debugger is installed on the system.
   C. Check that the Traps libraries are injected into the application.
   D. Check that all JIT Mitigation functions are enabled in the HKLM\SYSTEM\Cyvera\Policy\Organization\Process\Default registry key.

45. A retail company just purchased Traps for its 8,000 endpoints. Many of its users work remotely. The company is not using any VPN solution, but would still like to manage all endpoints regardless of where they are. Which two aspects should be part of the recommendation? (Choose two.)
   A. As each ESM Core server can handle up to 30,000 endpoints, use at least one ESM Core server internally and one ESM Core server in the DMZ for external endpoints.
   B. Placing an ESM Core server in the DMZ or in a cloud hosting service allows external endpoints to connect to it, even without a VPN client.
   C. Protection for remote endpoints is currently not supported. Since the ESM servers can only be installed in an internal network, endpoints without VPN will not be able to connect to them.
   D. If there is no connection to the ESM Core server, Traps agents automatically connect to WildFire and endpoints are fully protected. No additional ESM Core servers are needed.
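Several of the questions above turn on endpoint-side checks: a TCP test to the ESM on port 2125 versus a TLS/certificate problem, the Enhanced Key Usage purposes on the certificate the ESM presents, whether Traps libraries are loaded in a protected process such as winword.exe, the policy as written to HKLM\SYSTEM\Cyvera\Policy, BITS transfer state for uploads, and the HTTP error recorded in services.log. The script below is an added example written for this page; it is not part of the question bank and not Palo Alto Networks' own tooling, and it does not answer any of the questions, it only gathers the evidence they refer to. The ESM hostname, the `cy*.dll` module name filter, and the `C:\ProgramData\Cyvera\Logs\services.log` path are assumptions to be adjusted for the environment; the port 2125, the registry path and the log message text are taken from the questions.

```powershell
<#
  Traps endpoint triage against an ESM Core server.
  Added example for this page; not product code. Placeholder values
  (EsmHost, TrapsDllFilter, ServicesLog) are assumptions: adjust them.
  Run from an elevated PowerShell prompt on the endpoint.
#>
param(
    [string]$EsmHost        = 'esm.example.local',                       # assumed FQDN of the ESM Core
    [int]   $EsmPort        = 2125,                                      # port from the log excerpt in the questions
    [string]$ProcessName    = 'winword',                                 # process to inspect for injected DLLs
    [string]$TrapsDllFilter = 'cy*.dll',                                 # assumed name pattern for Traps DLLs
    [string]$ServicesLog    = 'C:\ProgramData\Cyvera\Logs\services.log'  # assumed agent log path
)

function Write-Check([bool]$Ok, [string]$Text) {
    $tag = if ($Ok) { ' OK ' } else { 'FAIL' }
    "[$tag] $Text"
}

# 1. Plain TCP reachability, the scripted form of "telnet <host> <port>".
#    A failure here is routing or a firewall, not TLS.
$tcp = Test-NetConnection -ComputerName $EsmHost -Port $EsmPort -WarningAction SilentlyContinue
Write-Check $tcp.TcpTestSucceeded "TCP connect to ${EsmHost}:${EsmPort}"

# 2. TLS handshake and inspection of the certificate the server presents.
#    The validation callback deliberately returns $true so a bad certificate
#    is captured and reported instead of aborting the handshake; the chain is
#    then validated separately, exactly as this endpoint's trust store sees it.
if ($tcp.TcpTestSucceeded) {
    $client = $null
    try {
        $client = New-Object System.Net.Sockets.TcpClient($EsmHost, $EsmPort)
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($EsmHost)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ssl.RemoteCertificate
        Write-Check $true ("TLS {0} negotiated; subject={1}; issuer={2}" -f $ssl.SslProtocol, $cert.Subject, $cert.Issuer)

        # Name mismatch between the FQDN the agent dials and the certificate is a binding problem.
        $dnsName = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
        Write-Check ($dnsName -ieq $EsmHost) "Certificate name '$dnsName' matches '$EsmHost'"

        # Enhanced Key Usage purposes present on the certificate (e.g. Server/Client Authentication).
        $eku = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            Select-Object -First 1
        $purposes = if ($eku) { @($eku.EnhancedKeyUsages | ForEach-Object { $_.FriendlyName }) } else { @() }
        Write-Check ($purposes.Count -gt 0) ("EKU purposes: " + ($purposes -join ', '))

        # Chain validation: a self-signed or untrusted issuer shows up as a chain status here.
        $chain  = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $valid  = $chain.Build($cert)
        $status = if ($chain.ChainStatus) { ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ' } else { 'no errors' }
        Write-Check $valid "Chain trusted by this endpoint: $status"
    } catch {
        Write-Check $false "TLS handshake to ${EsmHost}:${EsmPort} failed: $($_.Exception.Message)"
    } finally {
        if ($client) { $client.Close() }
    }
}

# 3. Traps libraries loaded in the target process (what Process Explorer's DLL view shows).
#    Module enumeration needs matching bitness and, for elevated targets, admin rights.
$procs = @(Get-Process -Name $ProcessName -ErrorAction SilentlyContinue)
if ($procs.Count -eq 0) { Write-Check $false "No running process named '$ProcessName'" }
foreach ($p in $procs) {
    try {
        $mods = @($p.Modules | Where-Object { $_.ModuleName -like $TrapsDllFilter })
        Write-Check ($mods.Count -gt 0) ("{0} (PID {1}) modules matching {2}: {3}" -f `
            $p.Name, $p.Id, $TrapsDllFilter, (($mods | ForEach-Object { $_.ModuleName }) -join ', '))
    } catch {
        Write-Check $false ("Cannot enumerate modules of PID {0}: {1}" -f $p.Id, $_.Exception.Message)
    }
}

# 4. Policy as applied on the endpoint (registry path cited in the questions).
$policyKey = 'HKLM:\SYSTEM\Cyvera\Policy'
if (Test-Path $policyKey) {
    $subkeys = @(Get-ChildItem -Path $policyKey -Recurse -ErrorAction SilentlyContinue)
    Write-Check $true ("{0} present with {1} subkeys" -f $policyKey, $subkeys.Count)
    $default = Join-Path $policyKey 'Organization\Process\Default'   # per-process defaults, where module enables live
    if (Test-Path $default) { Get-ItemProperty -Path $default | Format-List * }
} else {
    Write-Check $false "$policyKey not found (no policy received yet, or access denied)"
}

# 5. BITS jobs: uploads to the ESM BitsUploads virtual directory travel over BITS,
#    so a stuck or errored job points at the upload path rather than at WildFire.
Import-Module BitsTransfer -ErrorAction SilentlyContinue
$jobs = @(Get-BitsTransfer -AllUsers -ErrorAction SilentlyContinue)
Write-Check $true ("{0} BITS job(s) queued on this endpoint" -f $jobs.Count)
$jobs | Select-Object DisplayName, TransferType, JobState, ErrorDescription | Format-Table -AutoSize

# 6. Recent HTTP errors in the agent log, such as the HTTP.SYS/binding message quoted above.
if (Test-Path $ServicesLog) {
    $hits = @(Select-String -Path $ServicesLog -Pattern 'An error occurred while making the HTTP request' | Select-Object -Last 5)
    Write-Check ($hits.Count -eq 0) ("{0} recent HTTP request error(s) in {1}" -f $hits.Count, $ServicesLog)
    $hits | ForEach-Object { $_.Line }
}
```

Read the output top down: a failed TCP connect is a network problem; a successful TCP connect followed by a failed handshake, a name mismatch, or an untrusted chain is the TLS/certificate case; missing Traps modules in the process or an absent policy key mean the agent is not protecting that process at all, regardless of what the ESM Console shows; and BITS job errors plus the services.log hits separate an upload-path failure from a WildFire-side one.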