Check Point Certified Security Administrator (CCSA) Practice Exam


Prepare for the Check Point Certified Security Administrator (CCSA) Exam. Ace your test with flashcards and multiple choice questions, complete with hints and explanations. Boost your confidence and get ready for success!



Which tool can you use to block traffic from a malicious host if policy changes are restricted?

  1. Anti-Bot protection.

  2. Anti-Malware protection.

  3. Policy-based routing.

  4. Suspicious Activity Monitoring (SAM) rules.

The correct answer is: Suspicious Activity Monitoring (SAM) rules.

Using Suspicious Activity Monitoring (SAM) rules is an effective way to block traffic from a malicious host when policy changes are restricted. SAM rules are designed to identify and respond to potentially malicious behavior in real time. They act on traffic patterns and indicators of compromise, enabling the security system to take immediate action, such as blocking the malicious traffic, regardless of the overall security policy configuration. This provides a dynamic layer of security response that adapts quickly to new threats without requiring formal policy adjustments.

In contrast, Anti-Bot protection and Anti-Malware protection focus primarily on detecting and mitigating the specific threats associated with botnets and malware, respectively. While both are crucial components of a security strategy, they may not directly block traffic from a host if its activity is not categorized as an active bot or malware attack at that moment.

Policy-based routing, on the other hand, is mostly used to manage traffic flow based on predetermined criteria rather than real-time threat detection and response. It does not address immediate threats from malicious hosts unless a prior policy configuration dictates such behavior.

Thus, SAM rules are specifically designed for reactive defense against suspicious activity, allowing traffic from identified malicious hosts to be blocked quickly without altering the broader security policy.