Symantec Administration of Symantec Advanced Threat Protection 3.0 250-441 Exam Dumps: Updated Questions & Answers (October 2025)

Question # 1

During a recent virus outbreak, an Incident Responder found that the Incident Response team was successful in identifying malicious domains that were communicating with the infected endpoints.

Which two options should the Incident Responder select to prevent endpoints from communicating with malicious domains? (Select two.)

Use the isolate command in ATP to move all endpoints to a quarantine network.

Blacklist suspicious domains in the ATP manager.

Deploy a High-Security Antivirus and Antispyware policy in the Symantec Endpoint Protection Manager (SEPM).

Create a firewall rule in the Symantec Endpoint Protection Manager (SEPM) or perimeter firewall that blocks traffic to the domain.

Run a full system scan on all endpoints.

Question # 2

Why is it important for an Incident Responder to copy malicious files to the ATP file store or create an image of the infected system during the Recovery phase?

To have a copy of the file policy enforcement

To test the effectiveness of the current assigned policy settings in the Symantec Endpoint Protection Manager (SEPM)

To create custom IPS signatures

To document and preserve any pieces of evidence associated with the incident

Question # 3

Which two database attributes are needed to create a Microsoft SQL SEP database connection? (Choose

two.)

Database version

Database IP address

Database domain name

Database hostname

Database name

Question # 4

An Incident Responder is going to run an indicators of compromise (IOC) search on the endpoints and wants

to use operators in the expression.

Which tokens accept one or more of the available operators when building an expression?

All tokens

Domainname, Filename, and Filehash

Filename, Filehash, and Registry

Domainname and Filename only

Question # 5

An Incident Responder notices traffic going from an endpoint to an IRC channel. The endpoint is listed in an

incident. ATP is configured in TAP mode.

What should the Incident Responder do to stop the traffic to the IRC channel?

Isolate the endpoint with a Quarantine Firewall policy

Blacklist the IRC channel IP

Blacklist the endpoint IP

Isolate the endpoint with an application control policy

Question # 6

Which action should an Incident Responder take to remediate false positives, according to Symantec best

practices?

Blacklist

Whitelist

Delete file

Submit file to Cynic

Question # 7

Why is it important for an Incident Responder to analyze an incident during the Recovery phase?

To determine the best plan of action for cleaning up the infection

To isolate infected computers on the network and remediate the threat

To gather threat artifacts and review the malicious code in a sandbox environment

To access the current security plan, adjust where needed, and provide reference materials in the event of a similar incident

Question # 8

What is the minimum amount of RAM required for a virtual deployment of the ATP Manager in a production environment?

48 GB

64 GB

16 GB

32GB

Question # 9

Which stage of an Advanced Persistent Threat (APT) attack do attackers map an organization’s defenses from the inside?

Discovery

Capture

Exfiltration

Incursion

Question # 10

How does an attacker use a zero-day vulnerability during the Incursion phase?

To perform a SQL injection on an internal server

To extract sensitive information from the target

To perform network discovery on the target

To deliver malicious code that breaches the target

Summer Special Limited Time 65% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: dcdisc65

Symantec Administration of Symantec Advanced Threat Protection 3.0 250-441 Exam Dumps: Updated Questions & Answers (October 2025)

Answer:

Answer:

Answer:

Answer:

Explanation:

Answer:

Answer:

Explanation:

Answer:

Answer:

Explanation:

Answer:

Explanation:

Answer:

Explanation:

Most Popular Certification Exams

Site Map

Help

Payment

Contact us

Site Secure