nerdexam
Cisco

350-401 · Question #158

An engineer must protect their company against ransomware attacks. Which solution allows the engineer to block the execution stage and prevent file encryption?

The correct answer is A. Use Cisco AMP deployment with the Malicious Activity Protection engineer enabled.. Explanation Option A is correct because Cisco AMP's Malicious Activity Protection (MAP) engine is specifically designed to monitor running processes and detect ransomware-like behavior - such as rapid file encryption - at the execution stage, stopping it in real time before signi

Submitted by salim_om· Mar 6, 2026Security

Question

An engineer must protect their company against ransomware attacks. Which solution allows the engineer to block the execution stage and prevent file encryption?

Options

  • AUse Cisco AMP deployment with the Malicious Activity Protection engineer enabled.
  • BUse Cisco AMP deployment with the Exploit Prevention engine enabled.
  • CUse Cisco Firepower and block traffic to TOR networks.
  • DUse Cisco Firepower with Intrusion Policy and snort rules blocking SMB exploitation.

How the community answered

(26 responses)
  • A
    92% (24)
  • C
    4% (1)
  • D
    4% (1)

Explanation

Explanation

Option A is correct because Cisco AMP's Malicious Activity Protection (MAP) engine is specifically designed to monitor running processes and detect ransomware-like behavior - such as rapid file encryption - at the execution stage, stopping it in real time before significant damage occurs. This engine acts as a behavioral guardrail that intercepts the file encryption process itself, directly addressing the question's requirement.

Option B is wrong because the Exploit Prevention engine targets memory-based exploits and vulnerabilities (e.g., buffer overflows), not the execution-stage file encryption behavior characteristic of ransomware. Option C is wrong because blocking TOR network traffic addresses command-and-control (C2) communication, which is a different kill-chain stage - not the execution/encryption phase. Option D is wrong because blocking SMB exploitation (like EternalBlue) prevents lateral movement and delivery, not the actual file encryption execution stage.

Memory Tip: Think MAP = "Malicious Activity Protection" = stops the ransomware in action. If a question asks about stopping file encryption or the execution stage specifically, MAP is your answer - it watches behavior, not just signatures.

Topics

#Ransomware protection#Endpoint security#Cisco Secure Endpoint (AMP)#Malicious Activity Protection

Community Discussion

No community discussion yet for this question.

Full 350-401 Practice