ExamTopics Logo
Mail Us[email protected]
Menu
Cisco Discussions
exam questions

Exam 350-701 All Questions

View all questions & answers for the 350-701 exam
Go to Exam

Exam 350-701 topic 1 question 534 discussion

Actual exam question from Cisco's 350-701
Question #: 534
Topic #: 1
[All 350-701 Questions]

A company recently discovered an attack propagating throughout their Windows network via a file named abc123456789xyz.exe. The malicious file was uploaded to a Simple Custom Detection list in the AMP for Endpoints Portal and the currently applied policy for the Windows clients was updated to reference the detection list. Verification testing scans on known infected systems shows that AMP for Endpoints is not detecting the presence of this file as an indicator of compromise. What must be performed to ensure detection of the malicious file?

  • A. Check the box in the policy configuration to send the file to Cisco Threat Grid for dynamic analysis.
  • B. Upload the malicious file to the Blocked Application Control List.
  • C. Upload the SHA-256 hash for the file to the Simple Custom Detection List.
  • D. Use an Advanced Custom Detection List instead of a Simple Custom Detection List.
Show Suggested Answer Hide Answer
Suggested Answer: B 🗳️
by unclemonkeyboy at June 1, 2023, 1:34 a.m.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
DWizard
Highly Voted 1 year, 10 months ago
Selected Answer: B
The answer cannot be C, since the question states "The malicious file was uploaded to a Simple Custom Detection list in the AMP for Endpoints Portal", so the AMP already calculated the SHA-256 hash, you don't need to do it again. Since the file is a .exe file, which means it is executable, you should block it from the application control list. Sorry for not posting a link, this was learned from practice.
upvoted 10 times
...
Demon_Queen_Velverosa
Most Recent 8 months ago
Selected Answer: B
here is the answer from the official cert guide Simple custom detection allows you to add file signatures, while the advanced custom ­detections are more like traditional antivirus signatures. Creating a simple custom detection is similar to adding new entries to a blacklist. You define one or more files that you are trying to quarantine by building a list of SHA-256 hashes. If you already have the SHA-256 hash of a file, you can paste that hash directly into the UI, or you can upload files directly and allow the cloud to create the SHA-256 hash for you. To create a simple custom detection, navigate to Outbreak Control > Custom Detections > Simple and the list of all existing simple custom detections appears, as shown in Figure 11-3. To add a new one, you must type it in the Name box and click Save, as shown in Figure 11-3.
upvoted 2 times
Demon_Queen_Velverosa
8 months ago
Thus we all ready added it and thus the Hash was created and applied it to a policy, but failed to detect it. Thus it may fall outside our security policies. Thus it is not "C"" for it automatically generated the Hash and we already added the app to the simple custom detection list. Thus in this case we still cannot detect it after uploading it and applying it to policy to the simple custom detection list. The lack of detection is still a problem, as the application cant be blocked if not detected. We dont care about removing the app or the file. With the block list it will detect it and blocking it hence it is able to block the app from installing or executing. from the cert guide it says this.... AMP for Endpoints Application Control Like files, applications can be detected, blocked, and whitelisted. As with the other files, AMP does not look for the name of the application but the SHA-256 hash.
upvoted 2 times
Demon_Queen_Velverosa
8 months ago
though every place i look it says c is the correct answer
upvoted 2 times
...
...
...
luismg
8 months, 2 weeks ago
Selected Answer: C
The custom detection list will accept files and hashes but is custom detection list, I vote C
upvoted 1 times
Demon_Queen_Velverosa
8 months ago
yes this is a file but this is also a application which goes into the block lists.
upvoted 1 times
...
...
Tthurston1
1 year ago
Would have to vote C here. The main objective of this question is ...."what must be performed to ensure DETECTION of the malicious file?" While Option B does effectively BLOCK the execution of the file - it is also not the best suited choice for DETECTION purposes. Option C allows us to IDENTIFY and DETECT the file on systems in the network based on its unique hash value.
upvoted 2 times
...
4pelos
1 year, 3 months ago
Correct answer C We can upload the SHA-256 hash of this file to the Simple Customer Detection List so that AMP for Endpoints can block it. Reference: https://www.cisco.com/c/en/us/support/docs/security/amp-endpoints/215176-configure-a-simple-custom-detection-list.pdf
upvoted 2 times
...
CCNPWILL
1 year, 7 months ago
Selected Answer: B
reference question #239. Answer is that we need to explicitly add the file to block application list.
upvoted 1 times
...
unclemonkeyboy
2 years ago
Selected Answer: C
C is the answer.
upvoted 3 times
CCNPWILL
1 year, 7 months ago
Wrongo
upvoted 1 times
...
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel