156-730

Check Point Accredited Sandblast Administrator

Version 5.0

QUESTION NO: 1

Which protocols are supported by the THREAT EMULATION blade?

A. CIFS, FTP, and optional HTTP and SMTP support

B. HTTP(S), SMTP/TLS only
C. HTTP and SMTP only, there is no SSL/TLS security support
D. HTTP(S), SMTP/TLS with optional CIFS

Answer: D

QUESTION NO: 2

Which SmartConsole can you use to view Threat Emulation forensics reports?

A. SmartView Monitor
B. SmartView Reporter
C. SmartLog
D. SmartDashboard

Answer: C

QUESTION NO: 3
How does Threat Extraction work?
A. Scan and extract files for Command and Control activity.
B. It emulates a document and, if malicious, converts it into a PDF.
C. It extracts active content from a document.
D. It scans the document for malicious code and removes it.

Answer: C

QUESTION NO: 4
What kind of approach or approaches will Check Point SandBlast apply to prevent malicious
EXE-files?

A. Machine learning algorithmB. Signature

B. Exploit
C. Whitelist and Exploit

Answer: C

QUESTION NO: 5
You have installed the SandBlast Agent with forensics. An attack has occurred, which triggered
the Forensics Blade to collect information. You clicked to open the forensics report but for some
reason it is not showing the report as it should. What could be the issue?

A. The attack was based on a macro and the Forensics Blade only supports executables.
B. There is a Microsoft update missing which causes the report not to show as it should.
C. There was no real attack and this is a false positive.
D. Threat Emulation is disabled.

Answer: B

QUESTION NO: 6
The file reclassifier is a Threat Emulation component used to perform which function on files in
the stream?

A. Count the hits of each file extension, used as part of the reporting mechanism.
B. Used to measure Threat Emulation usage and reporting back to Check Point.
C. Used to rename files extension so they are processed using the correct application based on
the file magic.
D. Used to rename files extension so they are processed using the correct application based on
the current file extension.

Answer: D

QUESTION NO: 7
Which of the following is FALSE about the SandBlast Agent capabilities?
A. Stop data exfiltration to prevent disclosure of sensitive information, and quarantine infected
systems to limit spread of malware.
B. Detect and block command and control communications, even when working remotely.
C. Connect to remote offices via virtual private networking in order to gain secure access to local
resources.
D. Get unparalleled visibility into specific endpoint and processes to enable faster recovery post-
infection.

Answer: C

QUESTION NO: 8
With regard to SandBlast Cloud emulation, which statement is INCORRECT?
A. SandBlast Cloud licensing offers fair usage caps which customers should never reach.
B. SandBlast Cloud licensing requires a license SKU per gateway.
C. Only new files not seen before are emulated on the cloud and count against fair usage cap.
D. For simplicity, SandBlast Cloud offers a single license SKU per User Center, covering all
files sent from all gateways in that User Center.

Answer: D

QUESTION NO: 9
Threat Emulation Cloud offers pods to perform emulation, in which geographies are these pods
located

A. USA and Germany onlyB. Germany, Israel, USA

B. UK, USA, South America
C. Israel, Germany, Russia
Answer: B

QUESTION NO: 10
You can restrict a user from downloading an original file if it is getting a malicious verdict from
Threat Emulation?

A. True – This is possible through the SmartDashboard Threat extraction settings.

B. False – Due to security concerns, a user will never be able to download a file found to be
malicious.
C. True – Under Threat emulation settings you can configure this option.
D. False – Threat Emulation provides a recommendation verdict. The user can download the file
even if it is found to be malicious.

Answer: C

QUESTION NO: 11
Which deployment modes support Prevent?1. Inline
2. SPAN port
3. MTA

A. 1 and 3 are correctB. 1, 2, and 3 are correct

B. 1 and 2 are correct
C. 2 and 3 are correct

Answer: A

QUESTION NO: 12
What are the SandBlast deployment options?1. Cloud emulation
2. Emulation on the Endpoint itself
3. Local Emulation
4. Remote emulation

A. 1 and 2 are correctB. 1 and 3 are correct

B. 1, 3, and 4 are correct
C. 2 and 3 are correct
Answer: C

QUESTION NO: 13
Regarding a proper Threat Emulation sizing for an environment with 1000 users for web and
email traffic which assumptions are correct?
1. 2000 unique files per day within SMTP/S
2. 2500 unique files per day within HTTP/S
3. 7000 unique files per day within SMTP/S
4. 5000 unique files per day within HTTP/s

A. 1 and 2 are correctB. 1 and 3 are correct

B. 1 and 4 are correct
C. 2 and 3 are correct

Answer: A

QUESTION NO: 14
Which command do you use to monitor the current status of the emulation queue?
A. tecli show emulator queueB. tecli show emulator emulations
B. tecli show emulator queue size
C. tecli show emulation emu

Answer: B

QUESTION NO: 15
Which Blades of the SandBlast Agent are used for remediation?
A. DLP and Compliance bladesB. Anti-Bot blade and Threat Emulation blades
B. Forensics and Threat Emulation blades
C. Threat Emulation and Threat Extraction Blades

Answer: C
QUESTION NO: 16
What’s the password for the encrypted malicious file available via the Threat Emulation
forensics report?

A. maliciousB. forensics
B. password
C. infected

Answer: C

QUESTION NO: 17
When running the Threat Emulation first time wizard, which of these is NOT an option for file
analysis location?

A. ThreatCloud Emulation ServiceB. tecli advanced remote

B. Locally on this Threat Emulation Appliance
C. Other Threat Emulation Appliance

Answer: B

QUESTION NO: 18
A Threat Extraction license is always bundled with Threat Emulation.
A. False – they can be purchased separately.
B. True – it is part of the NGTX license.
C. True – it is part of the NGTP and EBP license.
D. False – Threat extraction is part of the basic NGFW license.

Answer: A

QUESTION NO: 19
What attack vectors are protected by using the SandBlast Agent?
A. Mail, Web, Office 365B. Outside the office, removable media, lateral movement
B. Office 365, Outside of the office, removable media, lateral movement
C. email, Lateral movement, Removable media, encrypted channels
Answer: B

QUESTION NO: 20
How can the SandBlast Agent protect against encrypted archives?
A. The SandBlast Agent cannot protect from an encrypted malware.
B. Since to open the encrypted archive the user must know the password, once opened and the
writing to the disk has begun. the SandBlast Agent will immediately scan the file.
C. Password protected archive file is opened via brute force and dictionary attack. Once file is
open the SandBlast Agent can scan it and send it to emulation.
D. Only if the administrator has added a special password file and the password that is used for
the archive is part of the password list on the file.

Answer: D

QUESTION NO: 21
What Mail Transfer Agent is used with SandBlast?
A. ExchangeB. Check Point
B. Postfix
C. Sendmail

Answer: C

QUESTION NO: 22
How can CPU Level Emulation detect ROP?
A. Locate a CPU flow buffer with mismatch between called and returned addresses.
B. Increased CPU temperature.
C. Wrong order in the ROP Gadgets Dictionary.
D. It is detected as soon as the evasion code runs and injects the malicious code into a legitimate
process.

Answer: A
QUESTION NO: 23
What are the deployment methods available with the SandBlast Agent? Choose the BEST
answer.

A. Using GPO or SCCM to deploy the deployment agent.

B. Using Configure SandBlast Agent to collaborate with Emulation and Ant-Virus solutions
update to upgrade and install the SandBlast Agent.
C. Using both GPO or SCCM for deployment agent and End Point management to push the
Agent.
D. Manually installing on every station.

Answer: C

QUESTION NO: 24
Which feature do you enable to allow the gateway to participate in email flow and therefore hold
mails and strip malicious attachment if found?

A. MTAB. EMT
B. SME
C. MIV

Answer: A

QUESTION NO: 25
Can several gateways send files to one SandBlast appliance?
A. Yes, if they are managed by the same SmartCenter/Domain.
B. Yes, from R77.30.
C. No, only one GW can send files to a SandBlast appliance.
D. No, SandBlast appliance does not support HA or LB.

Answer: B

QUESTION NO: 26
You have enabled Antivirus to scan all traffic passing through your Check Point gateway. With
the default settings your Antivirus will scan all traffic in streaming mode. For certain file types
you would like to enable a mode that will collect the entire file before scanning. This enables you
to inspect archives. What is this functionality called?

A. Deep scanB. Inspect

B. Threatspect
C. CPU Level scan

Answer: A

QUESTION NO: 27
Why should you use a Mail Transfer Agent when configuring Prevent/Hold-mode?
1. TE inspection in streaming mode can cause the sending mail server not to send any additional
emails until the emulation of the prior email is completed.
2. TE inspection in Mail Transfer Agent mode will accept all valid incoming emails before
inspection.
3. It will allow the email to reach the user while at the same time be sent for Dynamic Analysis.
4. There is no Mail Transfer Agent mode for Threat Emulation, only for Anti-Spam.

A. 2 and 4 are correctB. 2 and 3 are correct

B. 1 and 2 are correct
C. All are correct

Answer: C

QUESTION NO: 28
What is a ROP Gadgets Dictionary?
A. Lookup table used by CPU Level Emulation to detect malwareB. A generated stack of return
addresses
B. Feature sets which can be used to discover the true meaning of the code
C. List of commonly used passwords

Answer: B

QUESTION NO: 29
What kind of approach or approaches will Check Point SandBlast apply to prevent MALICIOUS
DOCUMENTS?

A. Whitelist and Exploit

B. Blacklist/machine learning
C. Signature
D. Exploit

Answer: D

QUESTION NO: 30

What are the given options for remediation?

1. Remediation script
2. Auto remediation
3. Using Threat Emulation to block and remove the infected file
4. Use the locally installed Anti-Virus to perform a complete system scan

A. 3 and 4
B. 2 and 3
C. 1 and 4
D. 1 and 2

Answer: D

QUESTION NO: 31
Select the true statement about Threat Emulation Open Server appliances.
A. Supports custom images without any special requirement.
B. No requirement to enable VT (Hardware Virtualization).
C. Only Cloud emulation service is supported on an open platform.
D. Threat Extraction is not supported on an open platform.

Answer: C
QUESTION NO: 32
Anti-Bot uses the following detection/prevention features:
1. Reputation lookup of DNS/IP/URL access
2. Dynamic analysis for Bots
3. Outbound SPAM
4. Bot behavior signatures

A. 1, 2, and 3B. 1, 3 and 4

B. 1 and 3
C. 2 and 3

Answer: B

QUESTION NO: 33
What is TRUE for SandBlast local emulation deployment?1. Any Check Point gateway can
perform local emulation.
2. SandBlast Appliance is required.
3. Existing gateway can collect files and forward to emulation.

A. 2 and 3 are correctB. 1, 2, and 3 are correct

B. 1 and 3 are correct
C. 1 and 2 are correct

Answer: A

QUESTION NO: 34
Which statements below are CORRECT regarding Threat Prevention profiles in
SmartDashboard?
1. You can assign multiple profiles per gateway.
2. A profile can be assigned to one or more rules.
3. Only one profile per gateway is allowed.
4. A profile can be assigned to only one rule.

A. 1 and 2 are correctB. 1 and 4 are correct

B. 2 and 3 are correct
C. 1, 2, 3 and 4 are correct
Answer: C

QUESTION NO: 35
With regard to SandBlast licensing options, which is INCORRECT?
A. The NGTP package offers the most complete Threat Prevention offeringsB. The TETX
package can be added on top of NGTP package to create the NGTX package
B. The TETX package includes both Threat Emulation and Threat Extraction
C. The NGTX package offers the most complete Threat Prevention offerings

Answer: A

QUESTION NO: 36
What are the 3 stages of securing the network with the SandBlast Agent?
A. Prevent, Identify and Contain, Effective response and remediationB. Asses, Detect, Prevent
B. Prevent, Contain, Block
C. Detect, Prevent, remediate

Answer: A

QUESTION NO: 37
Which phase(s) is(are) NOT part of the Cyber Kill Chain?
A. ExploitationB. Command and Control
B. Remediation
C. Action and Objectives

Answer: C

QUESTION NO: 38
You analyze your Threat Prevention events in SmartEvent and there is one specific event with a
PDF-document you suspect being malicious. What is a typical behavior Threat Emulation would
detect as malicious? When the PDF is opened in VM:
A. it tries to open in Acrobat Reader.
B. there are no changes to the registry.
C. it opens with Administrator privileges.
D. there is an outgoing network connection.

Answer: D

QUESTION NO: 39

When enabling Threat Emulation on a standard Check Point gateway, which command allows
you to offload emulation to multiple private cloud SandBlast appliances?

A. ted add remote

B. tecli add remote emulator
C. add te remote emulator
D. tecli advanced remote

Answer: D

QUESTION NO: 40
At which layer in the Attack Infection Flow can CPU Level Emulation detect a malicious file?
A. The malware binaryB. The Exploit stage
B. The shell code
C. The vulnerability

Answer: B