Pass the Checkpoint CCES 156-536 Questions and answers with ValidTests

User Logon Pre-boot Remote Help is a troubleshooting feature in Harmony Endpoint designed to assist users locked out of Full Disk Encryption (FDE)-protected computers before the operating system boots. TheCP_R81.20_Harmony_Endpoint_Server_AdminGuide.pdfexplicitly outlines the types of assistance available.

Onpage 425, under "Remote Help," the documentation states:

"There are two types of Full Disk Encryption Remote Help:

One Time Login - One Time Login lets users access Remote Help using an assumed identity for one session, without resetting the password. Users who lose their Smart Cards must use this option.

Remote password change - This option is applicable for users with fixed passwords who are locked out."

This extract confirms that Pre-boot Remote Help providesbothOne-Time Logon and Remote Password Change, directly matchingOption B. These options address different scenarios: One-Time Logon for temporary access (e.g., lost Smart Cards) and Remote Password Change for resetting forgotten fixed passwords.

Option A("Only One-Time Logon") is incorrect as it excludes Remote Password Change, which is explicitly listed as a second type of help.

Option C("Cleartext Password") is not mentioned anywhere in the documentation and would be insecure, making it invalid.

Option D("Only Remote Password Change") omits One-Time Logon, which is also a supported assistance type, rendering it incomplete.

Option Bis the only choice that fully reflects the dual assistance types provided by User Logon Pre-boot Remote Help as per the official documentation.

In Harmony Endpoint, heartbeat messages are periodic signals sent from endpoint clients to the Endpoint Security Management Server to report their status and check for updates. The default time interval for these messages is 60 seconds. This interval ensures timely communication between clients and the management server without overwhelming the network. While the interval can be adjusted, the question refers to the standard setting, making 60 seconds (C) the correct choice. 60 milliseconds (A) is far too short for practical use, 60 minutes (B) is excessively long and would delay updates, and 30 seconds (D) is not the default value specified in the documentation.

Harmony Endpoint’s Next-Generation Anti-Virus (NGAV) is designed to combat advanced threats using a combination of behavioral analysis, exploit prevention, and ransomware protection. The documentation specifies that NGAV includesAnti-Ransomware,Anti-Exploit, andBehavioral Guardas core capabilities.

TheCP_R81.20_Harmony_Endpoint_Server_AdminGuide.pdfoutlines these onpage 20, under "Endpoint Security Client":

"Harmony Endpoint Anti-Ransomware, Behavioral Guard and Forensics: Prevents ransomware attacks. Monitors files and the registry for suspicious processes and network activity. Analyzes incidents reported by other components."

Additionally, onpage 358, under "Harmony Endpoint Threat Extraction, Emulation and Anti-Exploit":

"Anti-Exploit: Detects and prevents exploitation of vulnerabilities in software."

While the term "NGAV" is not explicitly used, these components—Anti-Ransomware, Behavioral Guard, and Anti-Exploit—represent the next-generation approach to antivirus protection, focusing on behavior-based detection and prevention of advanced threats like exploits and ransomware. This matchesOption A.

The other options are incorrect:

Option B ("Anti-IPS, Anti-Firewall & Anti-Guard"): These are not recognized capabilities in the documentation; they appear to be fabricated terms.

Option C ("Zero-Phishing, Anti-Bot & Anti-Virus"): Zero-Phishing (page 366) and Anti-Bot (page 353) are separate features, and Anti-Virus is traditional, not NGAV-specific.

Option D ("Threat Extraction, Threat-Emulation & Zero-Phishing"): These relate to document sanitization and phishing protection (pages 358-366), not NGAV’s core focus.

Thus,Option Aaccurately reflects Harmony Endpoint NGAV capabilities.

Process Requirement:

Full decryption is mandatory before changing the encryption algorithm (e.g., switching from AES-128 to AES-256).

Re-encryption occurs after algorithm selection, with no on-the-fly conversion supported.

Firmware Agnostic:

Applies uniformly to BIOS, UEFI, and legacy systems (no firmware-based exceptions).

Documentation Source:

*Check Point Full Disk Encryption Administration Guide R81.10+*:

"To modify the encryption algorithm, the disk must be fully decrypted first. After decryption, deploy a new policy with the updated algorithm to trigger re-encryption."

⚠️ Critical Note:

Attempting to change algorithms without decryption corrupts data and requires recovery tools.

Why Other Options Fail:

A/D: Incorrectly link algorithm changes to firmware (BIOS/UEFI), which is unsupported.

C: On-the-fly re-encryption is technologically infeasible for FDE solutions due to cryptographic key hierarchy constraints.

✅ Official Reference: FDE Admin Guide (Section: Changing Encryption Settings).

Port Protection, a feature within the Media Encryption & Port Protection (MEPP) component of Check Point Harmony Endpoint, is designed toprotect activity on the ports of a client computer to help prevent data leakage. This functionality controls access to ports such as USB, Bluetooth, and others to secure data transfers and prevent unauthorized data exfiltration. TheCP_R81.20_Harmony_Endpoint_Server_AdminGuide.pdfprovides clear evidence onpage 280, under "Media Encryption & Port Protection":

"Protects data stored on the computers by encrypting removable media devices and allowing tight control over computers' ports (USB, Bluetooth, and so on)."

Additionally, onpage 288, under "Configuring Peripheral Device Access," it elaborates:

"Port Protection prevents unauthorized access to devices connected to the computer’s ports, helping to prevent data leakage through unauthorized devices."

These extracts confirm that Port Protection’s primary purpose is to safeguard data by controlling port activity, aligning withOption A. The "why" is explicitly tied to preventing data leakage, a critical security objective.

Option B ("to review logs")is incorrect; while logs may be generated as a byproduct, the primary goal is protection, not log review.

Option C ("to help unauthorized user access")contradicts the purpose of Port Protection, which is to block unauthorized access, not facilitate it.

Option D ("to monitor devices")is partially relevant but incomplete; monitoring is a means to an end, with the ultimate goal being data leakage prevention.

Endpoint clients typically communicate with the EPS (Endpoint Policy Server) for policy updates and logging. The EPS then communicates with the EMS (Endpoint Management Server) for central management (Harmony Endpoint Architecture Documentation)

Endpoint Policy Servers (EPS) are integral to the Harmony Endpoint architecture, designed to optimize communication between Endpoint clients and the Endpoint Security Management Server (EMS). TheCP_R81.20_Harmony_Endpoint_Server_AdminGuide.pdfexplicitly defines their placement.

Onpage 25, under "Optional Endpoint Security Elements," the documentation states:

"Endpoint Policy Servers improve performance in large environments by managing most communication with the Endpoint Security clients. Managing the Endpoint Security client communication decreases the load on the Endpoint Security Management Server, and reduces the bandwidth required between sites."

This confirms that EPS are positionedbetween the Endpoint clients and the EMS, handling tasks like policy downloads, heartbeats, and updates to offload the EMS.Option Baccurately reflects this architecture.

Evaluating the other options:

Option A: "Between the Endpoint clients and the EPS" is nonsensical, as EPS (Endpoint Policy Servers) cannot be between themselves and clients—it’s a self-referential error.

Option C: "Between the Endpoint clients and the NMS" introduces "NMS," likely a typo for Network Management System, which isn’t part of Harmony Endpoint’s architecture per the document.

Option D: "Between the Endpoint clients and the SMS" refers to the Security Management Server (SMS), which manages gateways in Check Point’s broader ecosystem, not the EMS specific to Harmony Endpoint (seepage 23for EMS definition).

Thus,Option Bis directly supported by the documentation as the correct placement of EPS.

Harmony Endpoint offers advanced post-infection capabilities to analyze and mitigate threats after they occur. These features are detailed in theCP_R81.20_Harmony_Endpoint_Server_AdminGuide.pdfunder its threat prevention sections.

Onpage 346, under "Forensics," the guide states:

"Forensics provides automated attack analysis, helping to understand the nature and impact of threats."

Onpage 336, under "Quarantine Settings and Attack Remediation," it notes:

"Quarantine Settings and Attack Remediation allow for isolating infected files and systems."

Additionally, onpage 329, under "Harmony Endpoint Anti-Ransomware, Behavioral Guard and Forensics," it mentions:

"Analyzes incidents reported by other components."

These extracts collectively confirm that Harmony Endpoint includes:

Automated Attack Analysis (Forensics)– Automatically analyzing threats post-infection.

Remediation and Response– Addressing and repairing the damage (implied in attack remediation).

Quarantine– Isolating infected elements to prevent further spread.

This matchesOption Bperfectly.

Evaluating the other options:

Option A: IPS Attack Analysis (Forensics), Deploy and Destroy, and Isolation– "IPS" is a network feature, not endpoint-specific, and "Deploy and Destroy" is not a documented term.

Option C: FW Attack Analysis (Forensics), Detect and Prevent, and Isolation– "FW" (Firewall) is unrelated to endpoint post-infection, and "Detect and Prevent" are pre-infection actions.

Option D: IPS Attack Analysis (Forensics), Detect and Prevent, and Isolation– Again, "IPS" is incorrect, and "Detect and Prevent" is not post-infection-focused.

Option Baccurately represents Harmony Endpoint’s post-infection capabilities as per the documentation.