KATA platform EDR expert Question bank.docx

1. Which of the following roles do KATA servers have?
Database server
Sandbox
Network Attack Analyzer
Central Node
(Network) Sensor

2. What does a Sensor do?
Retrieves data from the infrastructure: network equipment, email, and proxy servers
Scans a copy of traffic using the IDS technology
Sends objects to the Central Node for scanning
Sends objects to the Sandbox for scanning

3. Which of the following solutions can KATA Platform integrate with?
Kaspersky Security for SharePoint Server
Kaspersky Security for Linux Mail Server
Kaspersky Security for Microsoft Exchange
Kaspersky Web Traffic Security
Kaspersky Secure Mail Gateway

4. Which of the following can the Central Node do?
Receive a copy of network traffic on one of the interfaces and extract objects from it for analysis
Act as a proxy for Endpoint Agents connected to another Central Node
Start virtual machines for file analysis
Search telemetry received from Endpoint Agents for indicators of attack

5. To save on equipment maintenance, the customer wants to deploy KATA on a minimal number of servers. Which configuration would you recommend?
Install all three roles—Central Node, Sensor, and Sandbox—on a single server
Install the Central Node with Sensor functionality on one server, and Sandbox on another server
Install each role—Central Node, Sensor, and Sandbox—on a separate dedicated server
Install the Central Node with Sandbox functionality on one server, and the Sensor on another server

6. A Network Sensor can act as a proxy for Endpoint Agents. How many Endpoint Agents (maximum) can a Sensor acting as a proxy support?
1,000
5,000
10,000
15,000

7. Which maximum number of Endpoint Agents can an installation support that has one Central Node and two dedicated network Sensors?
5,000
10,000
15,000
20,000

8. Which KATA Platform server role must be present in any KATA/KEDR installation?
Sensor
Central Node
Sandbox
None of the above is a must

9. When is it recommended to enable the extraction of email messages from SPAN traffic on a dedicated Sensor?
Always
Always when SPAN traffic contains non-encrypted SMTP traffic
When other mail integration methods (over POP3 or SMTP) are not available and SPAN traffic contains non-encrypted SMTP traffic
If mail comes from KSMG

10. Which versions of Kaspersky Endpoint Security include Kaspersky Endpoint Agent that is fully compatible with KATA Platform 3.7? (Within the framework of Kaspersky EDR Expert solution)
11.4 or later
11.3 or later
11.2 or later
11.0 or later

11. Which of the following Kaspersky Endpoint Agent settings can you specify in the Kaspersky Endpoint Agent installation package properties in the KSC?
The address and port for connecting to the Central Node
The certificate for connecting to the Central Node
The license key for activating Endpoint Agent
The components to be installed

12. Which of the following Windows versions require that the update described in KB 4528760 must be installed on the computer prior to installing Endpoint Agent?
Windows 7
Windows 8.1
Windows 10 (any versions)
Windows 10 19H1 and 19H2

14. Which operating system is the Central Node running?
CentOS
Kaspersky Secure OS
Debian
RedHat

15. What is the name of the Kaspersky Endpoint Agent 3.8/3.9 main service process?
avp.exe
agent.exe
endpointagent.exe
soyuz.exe

16. Which of the following is required when installing the Kaspersky Sandbox server?
Two RAID arrays: for the operating system and for virtual machines
A physical server (rather than a virtual machine)
An Intel processor (rather than AMD)
An AMD processor (rather than Intel)

17. Which of the following can result in an error when connecting a Central Node to a Sandbox server?
The Central Node is already connected to another Sandbox server
A license is not installed on the Central Node
The UTC time differs on the servers
Another Central Node is already connected to the Sandbox server

18. Which of the following methods can you use to specify the Central Node certificate for Endpoint Agents 3.8/3.9?
Via the Kaspersky Endpoint Agent policy in Kaspersky Security Center
Via the agent.exe command line utility
Via the serviceConnectionPoint object in Active Directory
Copy the certificate file to the folder where EndpointAgent.msi is located before the installation

19. Which parameter can you use to download a file from a computer for analysis by the Get file task in the Central Node web console?
A path mask
The file’s full path
The file’s checksum (without the path)
The file’s creation date (without the path)

22. Where are the files stored that have been quarantined by the Quarantine file task through the Central Node web console?
In a centralized storage on the KSC server
In local storages on the respective computers
In a centralized storage on the Central Node
In an anonymized storage in the KSN cloud

24. Which of the following CAN’T an ordinary security officer do?
View the VIP status assignment settings (which alerts receive the VIP status)
Open an alert with VIP status
Assign an alert to another security officer
Replace the list of YARA rules

25. How often does Kaspersky Endpoint Agent synchronize settings of tasks, isolation and execution prevention with the Central Node (under the default configuration)?
Every 15 minutes
Continuously (maintains a permanent connection and instantly learns about configuration changes)
Once a minute
Every 5 minutes

26. Which technology is responsible for scanning password-protected archives in KATA Platform?
YARA
TAA (Targeted Attack Analyzer)
Anti-malware engine
Sandbox

27. Which of the following permissions is only granted to the so-called local administrator of the Central Node?
Connect the Central Node to the Sandbox server
Enable the distributed mode on the Central Node
There is no such role; all users with an administrator role have equal permissions
Install updates

28. Which port do you need to specify in the browser address bar to open the Sensor web interface?
443
8443
None, it is sufficient to type https://<Sensor address>
A Sensor does not have a web interface

29. Central Node can automatically add checksums of dangerous objects detected by some technologies to the KPSN reputation database. Please specify which ones:
Sandbox only
Sandbox and TAA
TAA only
All detection technologies

30. File scanning requests need to be sent to KATA from an external sensor using the URL https://<address>:443/kata/scanner/v1/sensors/<UUID>/scans. Which address must be specified after https?
Address of the KPSN server that has the Monitoring role
Sandbox address
Central Node address
Address of any Sensor connected to the Central Node

1. Which of the following roles do KATA servers have?
Central Node
Network Attack Analyzer
Sandbox
Database server
(Network) Sensor

2. Which of the following technologies are used on a Sandbox server for analyzing file running results within a virtual machine? (Partially correct 1/2)
Scanner (anti-malware and static analysis)
IDS (Suricata)
YARA
File reputation (KSN)

3. What does a Sensor do? (Partially correct 2/3)
Scans extracted files using YARA technology
Extracts objects for analysis from network traffic
Checks extracted URLs using the URL reputation technology
Extracts URLs from network traffic for reputation checks
Scans extracted files using Anti-Malware Engine technology

4. Which component of a dedicated Sensor uses periodically downloaded updates to detect threats?
URL reputation
IDS (Suricata)
Redis Slave
None of the above

6. How many Endpoint Agents can you connect to a secondary Central Node in KATA Platform 3.7?
Up to 5,000
Up to 10,000
Up to 15,000
Up to 20,000

7. What is the maximum traffic volume that an installation with one Central Node and four dedicated Sensors can support?
2 Gbps
4 Gbps
6 Gbps
8 Gbps

8. Which KATA Platform server role must be present in any KATA/KEDR installation?
Sensor
Central Node
Sandbox
None of the above is a must

9. A Network Sensor can act as a proxy for Endpoint Agents. How many Endpoint Agents (maximum) can a Sensor acting as a proxy support?
1,000
5,000
10,000
15,000

10. Which port of the Central Node do Endpoint Agents send telemetry data to (by default)?
443
4443
8443
18443

11. Which of the following needs to be done to enable a Sensor to receive email messages over POP3S? (Partially correct 2/3)
Allow incoming connections on POP3S port 995 of the Sensor
Allow outgoing connections on POP3S port 995 of the Sensor
In the mail system, configure a rule that will forward email messages to a special box in the organization's domain
In the mail system, configure the forwarding of email messages to a special box in a fake domain, for which the Sensor is configured as the mail server
On the Sensor, configure access parameters for the mailbox to which email messages will be copied

12. Where must the connection between the Central Node and Sensor be initiated from when exchanging certificates for IPsec authentication?
From the Central Node
From the Sensor
From any side
You do not need to do anything of the kind

13. How many simultaneously running virtual machines does a Sandbox support (maximum)?
50
100
200
There is no hard limit; the Sandbox will start additional

14. How many hierarchy levels can there be in a distributed KATA installation?
Two: a primary node and secondary nodes
Central Nodes can be joined into a structure, but there will be no hierarchy; all servers will be peers
All Central Nodes work independently in KATA architecture
There are no limits; any Central Node can be secondary to another node and simultaneously primary to other nodes

15. Which access limitations can you specify for a senior security officer account in a distributed KATA/KEDR installation?
Permit accessing information of specific companies only
Prohibit logging on to the consoles of secondary Central Nodes of the company
Allow access to the information of specific Central Nodes only
Prohibit logging on to the console of the primary Central Node

16. Some Endpoint Agents will connect to a Central Node via a dedicated proxy Sensor. What should you specify in the KATA connection settings for these agents?
The address and certificate of the Central Node; the Agents will receive Sensor parameters automatically after the first connection to the Central Node
Sensor address and Central Node certificate
Central Node address and Sensor certificate
Sensor address and Sensor certificate

17. Where can you specify the DNS server for the virtual machines that analyze objects in the Sandbox?
In the Management interface settings
In the Malware interface settings
Nowhere, these settings are hard-coded in the Sandbox
Nowhere, because the Sandbox's virtual machines must not be able to access the internet

19. Which attribute can you use to prohibit access to a file by Prevention rules in Kaspersky EDR Expert? (Partially correct 1/2)
Only the SHA256 checksum
Only the MD5 checksum
The full file path
The file name

21. Which of the following exclusions can you configure in endpoint isolation parameters available in the web console of Kaspersky EDR Expert Central Node? (Partially correct 1/2)
Outbound connections to the specified address
Inbound and outbound ICMP packets (but not packets of other protocols)
Inbound connections from the specified address
Connections from the specified executable file

22. Select the correct statement about TAA (IOA) technology detections.
TAA analysis is applied on schedule once a day to all events of the Threat Hunting database
TAA analysis is applied in the background to all events of the Threat Hunting database
TAA analysis is applied to events received in real time
TAA analysis is only applied at the security officer's request

23. For which KATA Platform technologies can you disable a detection rule if it produces many useless detections? (Partially correct 1/2)
IDS
URL reputation
TAA
Antimalware engine

24. How often does Kaspersky Endpoint Agent synchronize settings of tasks, isolation and execution prevention with the Central Node (under the default configuration)?
Every 15 minutes
Every 5 minutes
Once a minute
Continuously (maintains a permanent connection and instantly learns about configuration changes)

25. Which of the following KATA Platform servers can you integrate with SIEM?
Sensor
Sandbox
Central Node

27. In which of the following information sources can you see that Kaspersky Endpoint Agent cannot connect to the Central Node due to an authentication error (certificate issue)?
In the debug log, which you can enable by the following command: agent.exe --trace=enable
In the events of Kaspersky Endpoint Agent application in the computer properties in the KSC console
In the Windows Event Log (Applications and Services Logs, Kaspersky Security Soyuz)
On the computer card in the Endpoint Agents section of the Central Node web console

28. In which operations are the Static Routes specified in the Sandbox server settings used?
Downloading updates
Sending scanning results to the Central Node
Accessing KSN
Providing access to the internet from within virtual machines

29. Which operations are implemented in the REST API of Central Node version 3.7? (Partially correct 3/4)
Delete a scan task
Get the detailed scanning result by the task id
Get lists of alerts with all details
Get the binary scanning result by the task id
Create a file scan task

30. Which of the following must be prepared to connect a third-party system as an external sensor that can send files for scanning to KATA? (Partially correct 1/2)
In KATA, create an account under which requests will be sent
Create an identifier in the UUID format for the external sensor
Create a 'certificate-private key' pair for the external sensor
Enable support for external sensors in the KATA web interface

1. Which of the following threat detection technologies are implemented on the Central Node?
Anti-Malware Engine
YARA
TAA (Targeted Attack Analyzer)
Sandboxing (running files within a virtual machine)

2. What does the Central Node do? (Partially correct)
Sends objects to the Sandbox for scanning
Informs Sensors about license availability
Scans files using various threat detection technologies
Proxies Sensors' requests to KSN/KPSN

3. Which of the following operating system versions is used on virtual machines within the Sandbox?
Windows XP
Android
Linux
Windows Server 2012 R2

4. What does a Sensor do?
Scans a copy of traffic using the IDS technology
Retrieves data from the infrastructure: network equipment, mail and proxy servers
Sends objects to the Sandbox for scanning
Sends objects to the Central Node for scanning

5. Which statement about the ability to connect Endpoint Sensor 3.6 to a Central Node of KATA Platform 3.7 is correct? (Within the framework of Kaspersky EDR Expert solution)
You CANNOT connect Endpoint Sensor 3.6 to KATA Platform 3.7
You can connect Endpoint Sensor 3.6 to KATA Platform 3.7 with full support of all Kaspersky EDR Expert features
You can connect Endpoint Sensor 3.6 to KATA Platform 3.7, but only telemetry transfer from hosts and file execution prevention is supported in this case
You can connect Endpoint Sensor 3.6 to KATA Platform 3.7, but only telemetry transfer from hosts is supported in this case

6. Which license do you need to be able to send objects for scanning to KATA Platform Sandbox via REST API?
This functionality does not require a license
Any KATA or KEDR license
KATA
KEDR

9. Which ports does a Sandbox server listen to under the default settings and why?
TCP 22: to connect to the text console and access the technical support mode
TCP 80: to distribute updates
UDP 161: for requests about Sandbox status from the Central Node
TCP 443: to receive objects for scanning and request results from the Central Node
TCP 8443: to provide access to the web interface

10. Which unit of measure is used for KATA licenses?
Endpoints (network computers)
Users
Central Nodes
None of the above

11. Which of the following options of connecting to the Central Node can you implement by configuring Kaspersky Endpoint Agent policy?
Trust any Central Node certificate
Trust the specified Central Node certificate
Trust any of the specified Central Node certificates

12. What is a "company" in a distributed KATA/KEDR installation?
One or several secondary Central Nodes
One or several Central Nodes
A range of IP addresses to which a threat may be related
Mail domain to which threats may be related

13. In which of the following situations will Kaspersky Endpoint Agent 3.9 trust the Central Node certificate when establishing a secure connection?
If the certificate is stored in the Endpoint Agent settings (for example, has been delivered with the Kaspersky Endpoint Agent policy from the KSC server)
If the certificate is issued by a trusted certification authority according to the settings of the computer where the Endpoint Agent is installed
If Active Directory has a serviceConnectionPoint object where this certificate is specified
Kaspersky Endpoint Agent 3.9 trusts any Central Node certificate

16. You have installed a Sandbox server, but the virtual machine configuration section is empty. How can you add virtual machines to the Sandbox?
Start updating. The images will be downloaded from Kaspersky servers
Import the images of virtual machines from ISO images. If you do not have any, request them from technical support
A Sandbox server needs to be installed with virtual machines. Request another Sandbox installation image with built-in virtual machines from Kaspersky technical support
Virtual machine images are located on the Central Node and will be loaded to the Sandbox after you connect it to the Central Node

18. Which operating system is a Sandbox server running?
Kali Linux
Kaspersky Secure OS
Debian Linux
CentOS Linux

19. An analyst has activated network isolation for a compromised endpoint using Kaspersky EDR and has not configured any exclusions. Which of the following exceptions always work?
For the DNS protocol
For Active Directory protocols
For Kaspersky applications
For the DHCP protocol
For the ICMP protocol

20. Where are the files stored that have been quarantined by the Quarantine file task through the Central Node web console?
In a centralized storage on the KSC server
In local storages on the respective computers
In a centralized storage on the Central Node
In an anonymized storage in the KSN cloud

21. Select the statements that correctly characterize the URL reputation module on the Sensor. (Partially correct 1/2)
Uses updatable databases
Supports a custom list of untrusted URLs
Uses information from KSN
Detects addresses of botnet C&C servers

22. Which of the following exclusions can you configure for TAA analysis?
By file checksum
By TAA rule identifier
By file path mask
By computer name

24. How often does Kaspersky Endpoint Agent send telemetry events to the Central Node under the default settings?
Once every 30 seconds or after 1024 events have been accumulated (whichever happens first)
Continually, as soon as the events are logged
Every 5 minutes
Every 30 minutes

25. Which types of events will be sent to SIEM if you enable integration with SIEM in the Central Node web interface? (Partially correct 1/2)
Alerts about detected threats
Component statuses (heartbeats)
All telemetry from Endpoint Agents
Audit events

27. In which of the following information sources can you see that Kaspersky Endpoint Agent cannot connect to the Central Node due to an authentication error (certificate issue)?
In the Windows Event Log (Applications and Services Logs, Kaspersky Security Soyuz)
On the computer card in the Endpoint Agents section of the Central Node web console
In the debug log, which you can enable by the following command: agent.exe --trace=enable
In the events of Kaspersky Endpoint Agent application in the computer properties in the KSC console

28. Which of the following permissions is only granted to the so-called local administrator of the Central Node?
Enable the distributed mode on the Central Node
There is no such role; all users with an administrator role have equal permissions
Connect the Central Node to the Sandbox server
Install updates

29. Which filtering parameters can you use when requesting alerts via the Central Node API?
Names of technologies
Source
Number of alerts
Time span
Token of a previous request

30. Which of the following must be prepared to connect a third-party system as an external sensor that can send files for scanning to KATA? (Partially correct 1/2)
Create an identifier in the UUID format for the external sensor
Create a certificate-private key pair for the external sensor
In KATA, create an account under which requests will be sent
Enable support for external sensors in the KATA web interface

1. Which object types can be transferred for analysis to Sandbox servers?
Captured traffic fragments in pcap format
Files
Memory dumps
URLs

2. Which file types can be transferred for analysis to a Sandbox server? (Partially correct 1/2)
Windows executable files
Android executable files
Microsoft Office and Adobe Acrobat documents
Linux executable files

3. Which of the following can the Central Node do?
Receive a copy of network traffic on one of the interfaces and extract objects from it for analysis
Start virtual machines for file analysis
Search telemetry received from Endpoint Agents for indicators of attack
Act as a proxy for Endpoint Agents connected to another Central Node

4. What does a Sensor do?
Scans a copy of traffic using the IDS technology
Retrieves data from the infrastructure: network equipment, email, and proxy servers
Sends objects to the Sandbox for scanning
Sends objects to the Central Node for scanning

5. A dedicated Sensor receives a copy of network traffic that contains an organization’s encrypted mail traffic. Which mail traffic retrieval methods would you recommend configuring on this Sensor?
POP3 and SMTP
Only SPAN
Either POP3 or SMTP
SPAN, POP3, and SMTP

6. What is the maximum traffic volume that an installation with one Central Node and four dedicated Sensors can support?
2 Gbps
4 Gbps
6 Gbps
8 Gbps

7. To save on equipment maintenance, the customer wants to deploy KATA on a minimal number of servers. Which configuration would you recommend?
Install the Central Node with Sensor functionality on one server, and Sandbox on another server
Install all three roles—Central Node, Sensor, and Sandbox—on a single server
Install the Central Node with Sandbox functionality on one server, and the Sensor on another server
Install each role—Central Node, Sensor, and Sandbox—on a separate dedicated server

8. How many RAID arrays are recommended when installing a Central Node?
1
2
3
4

9. Which license do you need to be able to send objects for scanning to KATA Platform Sandbox via REST API?
This functionality does not require a license
Any KATA or KEDR license
KATA
KEDR

11. Which of the following Kaspersky Endpoint Agent settings can you specify in the Kaspersky Endpoint Agent installation package properties in the KSC?
The certificate for connecting to the Central Node
The address and port for connecting to the Central Node
The license key for activating Endpoint Agent
The components to be installed

12. Which of the following processes belong to Kaspersky Endpoint Agent 3.8/3.9?
atom.exe
proton.exe
sputnik.exe
soyuz.exe

13. Which of the following KATA Platform servers supports use of DHCP when configuring network interfaces?
Central Node
Sandbox
Sensor
None of the above

14. Some Endpoint Agents will connect to a Central Node via a dedicated proxy Sensor. What should you specify in the KATA connection settings for these agents?
The address and certificate of the Central Node; the Agents will receive Sensor parameters automatically after the first connection to the Central Node
Sensor address and Central Node certificate
Sensor address and Sensor certificate
Central Node address and Sensor certificate

15. You have received two ISO images for KATA deployment: kata-cn-3.7.0-xxxx-inst.x86_64_en-ru.iso and sandbox-3.7.0-xxx.x86_64_en-ru.iso. How can you install a dedicated Sensor?
From the Central Node installation image
From the Sandbox installation image
From a special image that you need to request from the technical support

16. Which of the following settings are manageable only on the primary Central Node, and cannot be managed on secondary ones?
Notifications
Licenses
Users
VIP

17. Which of the following needs to be done to enable a Sensor to receive email messages over POP3S?
Allow incoming connections on POP3S port 995 of the Sensor
On the Sensor, configure access parameters for the mailbox to which email messages will be copied
In the mail system, configure the forwarding of email messages to a special box in a fake domain, for which the Sensor is configured as the mail server
In the mail system, configure a rule that will forward email messages to a special box in the organization’s domain
Allow outgoing connections on POP3S port 995 of the Sensor

18. How many hierarchy levels can there be in a distributed KATA installation?
Central Nodes can be joined into a structure, but there will be no hierarchy; all servers will be peers
All Central Nodes work independently in KATA architecture
Two: a primary node and secondary nodes
There are no limits: any Central Node can be secondary to another node and simultaneously primary to other nodes

19. In which case does Central Node supplement an existing alert instead of creating a new alert by TAA technology?
If there is an alert for the same TAA rule created in the last 24 hours
If Central Node detects new events with indicators of attack, it always creates a new alert
If there is an unprocessed alert for the same TAA rule
If there is an unprocessed alert for the same TAA rule created in the last 24 hours

20. Which task types are available in Kaspersky EDR?
Stop process
Get process memory dump
Delete file
Get file
Get drive contents by sector number

21. Which technologies are used to scan a file requested by the Get file task via the Central Node web console?
Antimalware engine
YARA
IOC
Sandbox
TAA

22. In which format can you import indicators of attack to search computers for them using Kaspersky EDR?
YARA
OpenIOC
STIX
None of the above, Kaspersky EDR uses a proprietary format for indicators of compromise

23. Which of the following CAN’T an ordinary security officer do?
Assign an alert to another security officer
Replace the list of YARA rules
View the VIP status assignment settings (which alerts receive the VIP status)
Open an alert with VIP status

24. Select the statements that correctly characterize the Intrusion Detection System module on a Sensor.
Blocks connections in which dangerous activity is detected
Analyzes a copy of traffic in real time
Uses an updatable list of rules from Kaspersky update servers
Permits the addition of custom rules in Snort 2.x/Suricata format

25. Which types of custom rules can you import into KATA Platform settings?
IDS rules (in the Suricata/Snort format)
URL reputation rules (in the format of regular expressions)
YARA rules
TAA rules (in the OpenIOC format)

26. About which events can you configure notifications in the web interface of a KATA Central Node?
About alerts
About audit events (logging on to the system, changed settings)
About changes in the status of the components (failure, recovery)
About availability of patches or new versions of solution components

28. Which port do you need to specify in the browser address bar to open the Sensor web interface?
None, it is sufficient to type https://<Sensor address>
8443
443
A Sensor does not have a web interface

29. Which identifiers of a dangerous file does KATA publish in the KPSN reputation database (for other Kaspersky products connected to the same KPSN)?
MD5 checksum
Full file path
SHA256 checksum
Thumbprint of the certificate with which the file is signed

30. To automatically add dangerous objects to the KPSN reputation database, you need to configure KATA Platform authentication settings by specifying a certificate and private key. What are they and where can you find them?
The certificate and key of the KPSN web interface; copy them from the /etc/ssl/certs/ folder on the KPSN server that has the Monitoring role
The certificate and key of a KPSN user who has the permissions to use KPSN API; download them from the user’s workspace in the KPSN web console
The certificate and key of the Central Node web interface; copy them from the /etc/ssl/certs/ folder on the Central Node
Any certificate-key pair