Pass the Checkpoint CTPS 156-590 Questions and answers with Dumpstech
What are examples of evidence of compromises from inside network in conjunction with Bot-infected systems?
Options:
A. Users surfing the website directly by IP address or using domains registered within the last 30 days.
B. Trying to access web resources using explicit proxy servers instead of transparent ones.
C. Repetitive access to the same specific Intranet web servers within business hours.
D. Trying to access a web server via HTTP instead of HTTPS.
The correct answer is A. Users surfing the website directly by IP address or using domains registered within the last 30 days. Anti-Bot is focused on post-infection compromise evidence: it identifies hosts that may already be infected and attempts to prevent command-and-control communication or other botnet behavior. Check Point documentation describes Anti-Bot as a Threat Prevention component that blocks botnet behavior and communication to Command and Control centers, while the broader Threat Prevention solution provides multi-layered pre- and post-infection defense.
Direct IP browsing and use of newly registered domains are suspicious because malware frequently avoids mature domain reputation controls, rotates infrastructure quickly, or contacts IP-based C2 endpoints directly to bypass domain-based filtering. Domains registered within a recent window are a common risk indicator because malicious campaigns often use disposable infrastructure with short operational lifetimes. Option B is not inherently evidence of bot infection; explicit proxy use may be a network design choice. Option C describes normal intranet access patterns. Option D may indicate weak encryption hygiene but is not specific evidence of compromise. In Anti-Bot analysis, indicators such as suspicious destinations, direct IP access, newly observed domains, and C2-like behavior help identify infected internal hosts. Reference topics: Anti-Bot, post-infection detection, Command and Control communication, suspicious domains, infected-host analysis.
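As an added illustration (not from the course guide or from any Check Point tool), the following Python sketch applies the two indicators from option A to a constructed set of web-access records: a Host value that is an IP literal, and a domain whose registration date falls within the last 30 days. The request records and the registration dates are constructed sample data; a real deployment would take domain age from RDAP/WHOIS or a reputation feed such as ThreatCloud rather than from an inline table.

```python
import ipaddress
from datetime import date

# Constructed web-access records: (internal source, HTTP Host value, request date).
# Sample data for the example, not real gateway logs.
SAMPLE_REQUESTS = [
    ("10.1.2.15", "intranet.corp.example", date(2024, 6, 10)),
    ("10.1.2.15", "198.51.100.23:8080", date(2024, 6, 10)),          # bare IPv4 literal
    ("10.1.2.40", "cdn.update-checker.example", date(2024, 6, 10)),  # registered 13 days earlier
    ("10.1.2.40", "www.example.org", date(2024, 6, 10)),
    ("10.1.2.77", "[2001:db8::1]:443", date(2024, 6, 10)),           # bare IPv6 literal
]

# Constructed registration dates. A deployment would obtain these from RDAP/WHOIS
# or a reputation service; they are embedded here so the example runs offline.
REGISTRATION_DATES = {
    "intranet.corp.example": date(2015, 1, 1),
    "cdn.update-checker.example": date(2024, 5, 28),
    "www.example.org": date(1995, 8, 31),
}

NEW_DOMAIN_WINDOW_DAYS = 30  # "registered within the last 30 days" from the question


def host_without_port(host: str) -> str:
    """Strip an optional :port. IPv6 literals must be bracketed, as in a Host header."""
    if host.startswith("["):
        return host[1:host.index("]")]
    name, sep, port = host.rpartition(":")
    return name if sep and port.isdigit() else host


def is_ip_literal(host: str) -> bool:
    """True when the client addressed the server by IP instead of by name."""
    try:
        ipaddress.ip_address(host_without_port(host))
        return True
    except ValueError:
        return False


def domain_age_days(host: str, today: date):
    """Days since registration, or None when the registration date is unknown."""
    registered = REGISTRATION_DATES.get(host_without_port(host).lower())
    return None if registered is None else (today - registered).days


def indicators(host: str, when: date) -> list:
    """Anti-Bot style indicators raised by a single request."""
    hits = []
    if is_ip_literal(host):
        hits.append("direct-ip")
    else:
        age = domain_age_days(host, when)
        if age is not None and age < NEW_DOMAIN_WINDOW_DAYS:
            hits.append("newly-registered-domain")
    return hits


def suspicious_hosts(requests) -> dict:
    """Internal hosts that raised at least one indicator, with the indicator names."""
    report = {}
    for src, host, when in requests:
        hits = indicators(host, when)
        if hits:
            report.setdefault(src, set()).update(hits)
    return {src: sorted(names) for src, names in report.items()}


if __name__ == "__main__":
    for src, names in suspicious_hosts(SAMPLE_REQUESTS).items():
        print(f"{src}: {', '.join(names)}")
```

Note that an unknown registration date yields no indicator rather than a false positive; in practice an unresolvable domain is itself worth a separate, lower-confidence signal.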
Which protection setting is generally the LEAST resource intensive?
Options:
A. Prevent
B. Inspect
C. Detect
D. Inactive
The correct answer is D. Inactive. A protection set to Inactive is not enforced for matching traffic, so the gateway spends no inspection or enforcement effort on it. Check Point documentation explains that a Threat Prevention profile determines which protections are activated and which Software Blades are enabled for a rule or policy; which protections a profile activates depends on factors such as performance impact, threat severity, confidence level, and blade-specific settings. Check Point best-practice material also describes that administrators may tune IPS profiles and set protections to Prevent, Detect, or Inactive.
The relative resource logic is direct. Prevent and Detect both require the gateway to analyze the traffic and run the protection's matching logic; they differ in the action taken on a match (block inline versus log according to the Track setting), so their inspection cost is largely the same, with Prevent adding the enforcement step. Inactive removes the protection from enforcement consideration entirely, so no matching is performed, which makes it the lowest-resource option. "Inspect" is a distractor: it is not one of the three IPS protection actions. This does not mean administrators should disable protections indiscriminately; Inactive should be used only when justified by risk, false-positive analysis, performance tuning, or compensating controls, and the profile's performance-impact setting is the intended tool for trading coverage against gateway load. Reference topics: IPS profile tuning, activation settings, performance impact, Prevent/Detect/Inactive behavior, Threat Prevention optimization.
Mike wants to block all files in the event of internal failure; what option should he choose?
Options:
A. open system
B. fail-close
C. fail-open
D. closed system
The correct answer is B. fail-close. Fail mode defines how the Threat Prevention inspection engine behaves when it is overloaded or experiences an internal failure. Check Point's Threat Prevention Engine Settings documentation defines two options: Allow all connections (Fail-open) and Block all connections (Fail-close). Fail-open allows connections when the engine is overloaded or fails; Fail-close blocks connections in that condition.
Because the question specifically says Mike wants to block all files if an internal failure occurs, the secure choice is fail-close. This prioritizes protection and containment over availability. It is appropriate where allowing unscanned files would be unacceptable, such as highly regulated environments, malware-sensitive segments, or traffic paths carrying untrusted downloads. The tradeoff is operational: fail-close interrupts business traffic whenever the inspection engine is unavailable, overloaded, or unable to complete a decision, so it should be paired with capacity monitoring of the engine. Fail-open is the default, availability-oriented behavior: it keeps traffic moving during failure, but it permits files or connections that never completed inspection. "Open system" and "closed system" are not Check Point Threat Prevention fail-mode terms. Reference topics: Threat Prevention Engine Settings, ThreatSpect fail mode, fail-open, fail-close, inspection failure handling.
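The two fail modes differ only in what happens when the engine cannot return a verdict. The following added Python example (not Check Point code; the engine class is a simulated stand-in with an assumed load threshold and a constructed byte marker in place of a real signature) runs the same batch of files under fail-open and fail-close while the engine is healthy, overloaded, and failed.

```python
class InspectionUnavailable(Exception):
    """The engine could not produce a verdict (overload or internal failure)."""


class SimulatedEngine:
    """Stand-in for a file-inspection engine; not Check Point's ThreatSpect engine.
    `load` is an assumed utilisation figure: above OVERLOAD_AT the engine refuses
    work, and `healthy=False` models an internal failure."""

    OVERLOAD_AT = 90
    # Constructed byte marker standing in for a malware signature.
    SIGNATURES = (b"CONSTRUCTED-MALWARE-MARKER",)

    def __init__(self, load: int = 0, healthy: bool = True):
        self.load = load
        self.healthy = healthy

    def inspect(self, data: bytes) -> str:
        if not self.healthy:
            raise InspectionUnavailable("engine internal failure")
        if self.load > self.OVERLOAD_AT:
            raise InspectionUnavailable(f"engine overloaded (load {self.load}%)")
        return "malicious" if any(sig in data for sig in self.SIGNATURES) else "clean"


def decide(engine, data: bytes, fail_mode: str) -> tuple:
    """Return (action, reason). The fail mode only matters when inspection cannot
    complete; a completed verdict is enforced the same way in both modes."""
    if fail_mode not in ("fail-open", "fail-close"):
        raise ValueError(f"unknown fail mode: {fail_mode!r}")
    try:
        verdict = engine.inspect(data)
    except InspectionUnavailable as exc:
        action = "allow" if fail_mode == "fail-open" else "block"
        return action, f"uninspected: {exc}"
    return ("block" if verdict == "malicious" else "allow"), verdict


# Constructed sample files: one benign, one carrying the marker.
SAMPLE_FILES = {
    "quarterly-report.pdf": b"%PDF-1.7 ... constructed benign content ...",
    "invoice.exe": b"MZ ... CONSTRUCTED-MALWARE-MARKER ...",
}


def run_batch(engine, fail_mode: str) -> dict:
    """Action taken for every sample file under the given engine state and fail mode."""
    return {name: decide(engine, data, fail_mode)[0] for name, data in SAMPLE_FILES.items()}


if __name__ == "__main__":
    for state, engine in [("healthy", SimulatedEngine()),
                          ("overloaded", SimulatedEngine(load=97)),
                          ("failed", SimulatedEngine(healthy=False))]:
        for mode in ("fail-open", "fail-close"):
            print(f"{state:10} {mode:10} {run_batch(engine, mode)}")
```

The healthy rows are identical for both modes; only the overloaded and failed rows diverge, which is exactly the availability-versus-containment choice the question is about.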
Where is IPS primarily enforced?
Options:
A. Post-infection
B. Post-inspection
C. Pre-infection
D. Pre-inspection
The correct answer is C. Pre-infection. IPS is primarily a pre-infection protection because it is designed to stop exploitation attempts before the target host is compromised. Check Point describes its Threat Prevention solution as a multi-layered defense with both pre-infection and post-infection protections. Within that framework, IPS is the blade that delivers proactive intrusion prevention through signatures, behavioral protections, and preemptive protections, adding protection on top of Firewall enforcement.
This differs from Anti-Bot, which is classically post-infection because it detects infected hosts communicating with command-and-control infrastructure. IPS focuses earlier in the attack chain: reconnaissance, vulnerability exploitation, protocol violations, malicious payload delivery, and attempts to abuse exposed client or server software. It inspects packets and data for risks before successful exploitation results in malware installation, unauthorized access, or control of the system. “Post-inspection” and “pre-inspection” are not the correct lifecycle categories for IPS in Check Point certification terminology. “Post-infection” belongs more naturally to Anti-Bot and compromised-host detection. Reference topics: Threat Prevention Solution, IPS Software Blade, pre-infection defense, proactive intrusion prevention, exploit prevention.
Which mode allows you to tune or troubleshoot the Threat Prevention Blade?
Options:
A. Observe Mode
B. Detect Mode
C. Display Mode
D. Watch Mode
The correct answer is B. Detect Mode. Detect Mode is used when an administrator wants visibility into Threat Prevention behavior without enforcing a blocking decision. In troubleshooting and tuning this is essential, because it lets security teams see which protections would have triggered, review the logs, validate false positives, and adjust profiles or exceptions before moving to full prevention. Check Point's troubleshooting guidance for Autonomous Threat Prevention describes a Detect Only mode: while it is enabled, protections whose action is Prevent let the traffic pass, and the matches are still logged and tracked according to the Track setting.
This makes Detect Mode the correct operational mode for safe tuning. It preserves observability while reducing the risk of production disruption during policy validation, IPS profile changes, new blade rollout, or incident investigation. Observe Mode, Display Mode, and Watch Mode are not Check Point Threat Prevention operating modes. In a certification scenario, Detect Mode should be understood as a non-blocking validation state: it logs and tracks what Threat Prevention would have done, but does not stop the connection on a Prevent action. Reference topics: Detect Only, Threat Prevention troubleshooting, profile tuning, false-positive validation, Track settings.
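To make the activation logic in this question and the Prevent/Detect/Inactive question above concrete, here is an added Python model (not Check Point's implementation; the profile thresholds, the protection catalogue, and the override are assumed sample values) that resolves each protection to Prevent, Detect, or Inactive from a profile's severity, confidence, and performance-impact settings, then shows how a detect-only tuning mode downgrades Prevent to Detect without activating anything that was Inactive.

```python
LEVELS = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}

# Assumed sample profile. The four knobs mirror the kinds of activation settings an
# IPS/Threat Prevention profile exposes, but the values are illustrative.
PROFILE = {
    "min_severity": "Medium",           # protections below this severity stay Inactive
    "max_performance_impact": "High",   # Critical-impact protections stay Inactive
    "action_by_confidence": {"Low": "Inactive", "Medium": "Detect", "High": "Prevent"},
    "detect_only": False,               # tuning/troubleshooting mode: Prevent becomes Detect
}

# Constructed protection catalogue (names and ratings are invented for the example).
PROTECTIONS = [
    {"name": "HTTP Header Overflow",       "severity": "Critical", "confidence": "High",   "performance_impact": "Low"},
    {"name": "Suspicious Mail Attachment", "severity": "Medium",   "confidence": "Medium", "performance_impact": "Medium"},
    {"name": "SMB Deep Scan",              "severity": "High",     "confidence": "High",   "performance_impact": "Critical"},
    {"name": "Legacy Port Scan Heuristic", "severity": "Low",      "confidence": "High",   "performance_impact": "Low"},
    {"name": "Noisy Script Signature",     "severity": "High",     "confidence": "Low",    "performance_impact": "Low"},
]

# Per-protection override, e.g. after a false-positive review decided to keep a
# low-confidence protection in Detect rather than leaving it Inactive.
OVERRIDES = {"Noisy Script Signature": "Detect"}


def resolve_action(protection: dict, profile: dict, overrides: dict) -> str:
    """Resolve one protection to Prevent, Detect, or Inactive for this profile."""
    name = protection["name"]
    if name in overrides:
        action = overrides[name]
    elif LEVELS[protection["performance_impact"]] > LEVELS[profile["max_performance_impact"]]:
        action = "Inactive"
    elif LEVELS[protection["severity"]] < LEVELS[profile["min_severity"]]:
        action = "Inactive"
    else:
        action = profile["action_by_confidence"][protection["confidence"]]
    # Detect-only is a policy-wide switch: it never activates anything, it only
    # turns enforced blocks into logged detections.
    if profile["detect_only"] and action == "Prevent":
        action = "Detect"
    return action


def enforcement_plan(protections=PROTECTIONS, profile=PROFILE, overrides=OVERRIDES) -> dict:
    """Map protection name -> resolved action."""
    return {p["name"]: resolve_action(p, profile, overrides) for p in protections}


def active_protections(plan: dict) -> list:
    """Only these are matched against traffic; Inactive ones cost nothing at inspection time."""
    return sorted(name for name, action in plan.items() if action != "Inactive")


if __name__ == "__main__":
    normal = enforcement_plan()
    tuning = enforcement_plan(profile={**PROFILE, "detect_only": True})
    for name in normal:
        print(f"{name:28} enforce={normal[name]:8} detect-only={tuning[name]}")
    print("active:", active_protections(normal))
```

The set of active protections is the same in both runs; detect-only changes what happens on a match, not how much matching the gateway performs, which is why it is safe for tuning but is not a performance lever.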
What is the main purpose of IPS Implied Exceptions?
Options:
A. This defines the handling of traffic if no IPS rule applied to the appropriate packets.
B. This defines the handling of traffic if you do not have an IPS Policy as part of an ordered layer.
C. This feature is to prevent IPS Enforcement to interfere with important Security Gateway operations, such as Control Connections.
D. This defines the handling of traffic if you do not have an IPS Policy as part of an Inline layer.
The correct answer is C. This feature is to prevent IPS Enforcement to interfere with important Security Gateway operations, such as Control Connections. IPS Implied Exceptions are safeguard exceptions for traffic that the Security Gateway, the management server, or other Check Point infrastructure needs in order to operate correctly. Their purpose is not to define general unmatched-traffic behavior; they keep IPS enforcement from disrupting essential control-plane and gateway-related communications. Check Point's Threat Prevention exception documentation shows that IPS exceptions are a formal part of policy tuning and that exception changes are enforced through policy installation.
The operational logic is straightforward: IPS protections can be aggressive, and some protections inspect protocol behavior that may resemble attack traffic. If critical control connections, management channels, clustering traffic, or internal gateway operations were treated exactly like ordinary data-plane traffic, IPS could interfere with the stability of the platform. Implied Exceptions provide a built-in safety layer to avoid that outcome. Options A, B, and D incorrectly describe rulebase cleanup behavior or layer absence behavior. Those concerns are handled by policy structure, ordered layers, and default/cleanup behavior, not by IPS Implied Exceptions. Reference topics: IPS Exceptions, Implied IPS Exceptions, control connections, gateway operations, exception rule policy installation.
What is/are the enabled by default protocols supported by the Antivirus Blade?
Options:
A. HTTP/HTTPS, FTP, SMB, SMTP
B. HTTP/HTTPS, FTP, SMB
C. HTTP/HTTPS
D. HTTP/HTTPS, FTP
The correct answer is C. HTTP/HTTPS. The course-guide answer identifies HTTP/HTTPS as the Anti-Virus protocols enabled by default. Architecturally, this reflects the most common perimeter malware-delivery path: users downloading web content from the Internet. HTTP is naturally visible to the gateway, while HTTPS requires HTTPS Inspection to expose encrypted file transfers and web objects for Anti-Virus inspection. Check Point documentation notes that most traffic is HTTPS rather than HTTP and recommends enabling HTTPS Inspection to maximize the effectiveness of Threat Prevention Software Blades.
The Anti-Virus blade supports more protocols than the default enabled set. Check Point documents that HTTP, FTP, SMB, and SMTP are selectable in SmartConsole, and that IMAP and POP3 can also be enabled through configuration. This distinction is the certification point: supported does not necessarily mean enabled by default. FTP, SMB, SMTP, IMAP, and POP3 can extend inspection coverage, but enabling more protocol inspection increases processing scope and must be aligned with topology, performance, and business risk. Reference topics: Anti-Virus Settings, HTTPS Inspection, protocol support, protected scope, Threat Prevention blade effectiveness.
What is the purpose of the Packet Capture Track option?
Options:
A. You can visualize traffic information with a third-party XDR tool.
B. The Security Gateway sends a packet capture file along with the log file. The former can be analyzed with an external tool, such as Wireshark.
C. You can specify the time after which the connection has to be reinitialized.
D. You can specify a threshold value which serves as a limit after which the connection will be reset.
The correct answer is B. The Security Gateway sends a packet capture file along with the log file. The former can be analyzed with an external tool, such as Wireshark. Packet Capture is a tracking enhancement used when logs alone are not enough to understand the traffic that triggered a security event. Check Point documentation explains that Packet Capture lets administrators capture network traffic and that the packet-capture content provides greater insight into the traffic that generated the log. When this feature is activated, the Security Gateway sends a packet-capture file with the log to the Log Server.
This is especially useful for IPS and Threat Prevention troubleshooting because analysts can inspect payload structure, headers, protocol behavior, retransmissions, and exact traffic context behind a prevention or detection event. Packet captures can then be opened in external protocol-analysis tools such as Wireshark for deeper investigation. Option A is incorrect because Packet Capture is not specifically an XDR visualization feature. Option C is unrelated to tracking and describes a timeout-style behavior. Option D describes threshold/reset logic, not packet evidence collection. Reference topics: Packet Capture Track option, Logs & Monitor, Threat Prevention event analysis, IPS troubleshooting, packet-level evidence.
What is a function of SmartEvent?
Options:
A. Runs on the Security Gateway generating events
B. Generates logs for customizable views
C. A Multi-Domain level log forwarding tool used to forward logs to syslog or similar external tools
D. Correlates Security Gateway logs into easily understandable events
The correct answer is D. Correlates Security Gateway logs into easily understandable events. SmartEvent is Check Point's event-correlation and analysis system. It does not simply generate raw logs; logs are generated by Security Gateways and other Check Point components. SmartEvent consumes those logs, analyzes them against event policies, identifies patterns, and produces higher-level events suitable for investigation, dashboards, reports, and incident workflows. Check Point documentation explains that the SmartEvent Correlation Unit analyzes each log entry from a Log Server, looks for patterns according to the installed Event Policy, and forwards identified events to the SmartEvent Server.
This directly eliminates the distractors. SmartEvent does not run on the Security Gateway as the log-generating enforcement component. It does not generate logs merely so views can be customized; rather, it indexes, correlates, and presents logs and events. It is not principally a Multi-Domain syslog-forwarding tool. Its architectural value is correlation: it transforms large volumes of gateway logs into meaningful security events, reducing analyst workload and enabling threat timelines, reports, executive summaries, and incident management. Reference topics: SmartEvent Architecture, SmartEvent Correlation Unit, Event Policy, Log Server analysis, threat-event correlation.
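As an added example of what "correlating logs into events" means in practice (illustrative Python, not SmartEvent's Correlation Unit; the log records and the rule thresholds are constructed), the code below groups each rule's gateway logs by source, slides the rule's time window across them, and emits one event the first time the threshold is met. The second rule counts distinct destinations rather than raw log lines, which is how a scan looks different from repeated contact with one C2 address.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed gateway log records (time, blade, source, destination); sample data
# for the example, not real Check Point logs.
RAW_LOGS = [
    ("2024-06-10T09:00:05", "Anti-Bot", "10.1.2.15", "198.51.100.23"),
    ("2024-06-10T09:01:10", "Anti-Bot", "10.1.2.15", "198.51.100.23"),
    ("2024-06-10T09:03:40", "Anti-Bot", "10.1.2.15", "198.51.100.24"),
    ("2024-06-10T09:05:55", "Anti-Bot", "10.1.2.15", "198.51.100.23"),
    ("2024-06-10T09:02:00", "Anti-Bot", "10.1.2.40", "203.0.113.9"),
    ("2024-06-10T10:00:00", "IPS", "10.1.2.77", "10.1.5.1"),
    ("2024-06-10T10:00:07", "IPS", "10.1.2.77", "10.1.5.2"),
    ("2024-06-10T10:00:13", "IPS", "10.1.2.77", "10.1.5.3"),
    ("2024-06-10T10:00:21", "IPS", "10.1.2.77", "10.1.5.4"),
    ("2024-06-10T10:00:30", "IPS", "10.1.2.77", "10.1.5.5"),
    ("2024-06-10T11:00:00", "IPS", "10.1.2.90", "10.1.5.1"),
]

# Assumed correlation rules; thresholds and windows are illustrative, not an
# exported SmartEvent Event Policy.
RULES = [
    {"name": "Repeated C2 contact from one host", "blade": "Anti-Bot",
     "min_count": 3, "window": timedelta(minutes=10), "distinct": None},
    {"name": "One source hitting many destinations", "blade": "IPS",
     "min_count": 5, "window": timedelta(minutes=2), "distinct": "dst"},
]


def parse_logs(raw):
    """Turn the raw tuples into dicts with a datetime, as a log parser would."""
    return [{"time": datetime.fromisoformat(t), "blade": b, "src": s, "dst": d}
            for t, b, s, d in raw]


def correlate(logs, rules):
    """Group each rule's logs by source and slide its time window across them.
    One event is emitted per (rule, source) the first time the threshold is met."""
    events = []
    for rule in rules:
        by_src = defaultdict(list)
        for rec in logs:
            if rec["blade"] == rule["blade"]:
                by_src[rec["src"]].append(rec)
        for src, recs in by_src.items():
            recs.sort(key=lambda r: r["time"])
            start = 0
            for end in range(len(recs)):
                # Drop records that fell out of the window relative to the newest one.
                while recs[end]["time"] - recs[start]["time"] > rule["window"]:
                    start += 1
                window = recs[start:end + 1]
                field = rule["distinct"]
                count = len({r[field] for r in window}) if field else len(window)
                if count >= rule["min_count"]:
                    events.append({"rule": rule["name"], "src": src, "count": count,
                                   "first_seen": window[0]["time"],
                                   "last_seen": window[-1]["time"]})
                    break  # one event per source; a real unit keeps tracking and updates it
    return events


def build_events():
    """Run the constructed logs through the assumed rules."""
    return correlate(parse_logs(RAW_LOGS), RULES)


if __name__ == "__main__":
    for ev in build_events():
        span = (ev["last_seen"] - ev["first_seen"]).seconds
        print(f"{ev['rule']}: src={ev['src']} count={ev['count']} over {span}s")
```

Eleven log lines collapse into two events, each carrying the source, the count, and the time span an analyst needs to open an investigation; the single Anti-Bot hit from 10.1.2.40 and the lone IPS hit from 10.1.2.90 stay as logs.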
Which process is responsible for communication with the Check Point ThreatCloud for the sake of Anti-Virus Protection Update?
Options:
A. The CPAS Daemon (cpasd)
B. The Resource Advisor Daemon (RAD)
C. The PSL AV-Daemon (pslavd)
D. The Threat Emulation Daemon "ted"
The correct answer is A. The CPAS Daemon (cpasd). In the course-guide context, cpasd is the process associated with Anti-Virus communication toward Check Point ThreatCloud for protection-update and classification purposes. The functional reason is that Anti-Virus file inspection depends on Check Point's ThreatSpect and ThreatCloud intelligence pipeline. Check Point documentation explains that each Security Gateway has a Malware database and a local cache; when the cache has no answer, it queries the ThreatCloud repository. For Anti-Virus, the file's signature is sent for classification.
The ThreatCloud network is dynamically updated and distributes attack information that can convert zero-day attack data into known signatures that Anti-Virus can block. This is why the communication process matters: AV enforcement is not limited to a static local signature set; it relies on cloud-assisted reputation, classification, and continuously updated intelligence. The distractors do not match this function. RAD is mainly associated with resource categorization and URL/Application intelligence; note that rad also serves online ThreatCloud reputation lookups for other blades on current releases, so remember that this question is about the course guide's answer for the Anti-Virus protection-update path specifically. pslavd is not the ThreatCloud update communication process named in this question. ted belongs to Threat Emulation, not Anti-Virus protection updates. Reference topics: Anti-Virus, CPAS/cpasd, ThreatCloud repository, Malware database, local cache, file classification.