Download Securing Email with Cisco Email Security Appliance.300-720.Pass4Success.2025-12-28.101q.vcex

Vendor: Cisco
Exam Code: 300-720
Exam Name: Securing Email with Cisco Email Security Appliance
Date: Dec 28, 2025
File Size: 47 KB


Demo Questions

Question 1
A network administrator is modifying an outgoing mail policy to enable domain protection for the organization. A DNS entry is created that has the public key.
Which two headers will be used as matching criteria in the outgoing mail policy? (Choose two.)
  A. message-ID
  B. sender
  C. URL reputation
  D. from
  E. mail-from
Correct answer: B, D
Explanation:
To enable domain protection for the organization, the administrator must configure an outgoing mail policy that matches the sender and the from headers of the email. The sender header is the envelope sender address that is used by SMTP to route the email. The from header is the address that is displayed to the recipient as the source of the email. These headers are used to generate and verify a DomainKeys Identified Mail (DKIM) signature, which is a cryptographic method of validating the authenticity and integrity of an email message.
The other headers are not relevant for domain protection. The message-ID header is a unique identifier for each email message. The URL reputation header is a score that indicates the likelihood of a URL being malicious. The mail-from header is an alias for the sender header.
Reference: Domain Protection, DKIM Signing
Question 2
Which content filter condition checks to see if the "From: header" in the message is similar to any of the users in the content dictionary?
  A. Forged Email Detection
  B. SPF Verification
  C. Subject Header
  D. Duplicate Boundaries Verification
Correct answer: A
Explanation:
The content filter condition that checks to see if the "From: header" in the message is similar to any of the users in the content dictionary is Forged Email Detection. This condition compares the sender's name or email address with a list of names or email addresses in a content dictionary and triggers an action if they match or are similar.
Reference: [Cisco Secure Email Gateway Administrator Guide - Forged Email Detection]
Question 3
What are two primary components of content filters? (Choose two.)
  A. conditions
  B. subject
  C. content
  D. actions
  E. policies
Correct answer: A, D
Explanation:
Content filters are rules that allow Cisco ESA to perform actions on messages based on predefined or custom conditions, such as headers, envelope, body, attachments, etc.
The two primary components of content filters are:
Conditions, which are the criteria that determine whether a message matches a content filter rule or not, such as message size, sender address, attachment type, etc.
Actions, which are the operations that Cisco ESA performs on a message if it matches the conditions of a content filter rule, such as deliver, drop, quarantine, encrypt, etc.
The other options are not primary components of content filters on Cisco ESA.
Question 4
Which feature must be configured before an administrator can use the outbreak filter for nonviral threats?
  A. quarantine threat level
  B. antispam
  C. data loss prevention
  D. antivirus
Correct answer: B
Explanation:
The feature that must be configured before an administrator can use the outbreak filter for nonviral threats is antispam. The outbreak filter relies on the antispam engine to detect and block nonviral threats, such as phishing, malware, or spam campaigns. You need to enable antispam scanning and configure the antispam settings before you can use the outbreak filter.
Question 5
An organization wants to use its existing Cisco ESA to host a new domain and enforce a separate corporate policy for that domain.
What should be done on the Cisco ESA to achieve this?
  A. Use the smtproutes command to configure a SMTP route for the new domain.
  B. Use the deliveryconfig command to configure mail delivery for the new domain.
  C. Use the dsestconf command to add a separate destination for the new domain.
  D. Use the altrchost command to add a separate gateway for the new domain.
Correct answer: A
Explanation:
https://www.cisco.com/c/en/us/td/docs/security/esa/esa12-0/user_guide/b_ESA_Admin_Guide_12_0/b_ESA_Admin_Guide_12_0_chapter_011001.html
One of the steps to accept mail for additional internal domains on the Cisco ESA is to choose Network > SMTP Routes and enter the new domain and the corresponding destination host IP address. This can also be done using the smtproutes command in the CLI. The other commands (deliveryconfig, dsestconf, and altrchost) are not related to this task.
Question 6
Email encryption is configured on a Cisco ESA that uses CRES.
Which action is taken on a message when CRES is unavailable?
  A. It is requeued.
  B. It is sent in clear text.
  C. It is dropped and an error message is sent to the sender.
  D. It is encrypted by a Cisco encryption appliance.
Correct answer: A
Explanation:
When CRES (Cisco Registered Envelope Service) is unavailable, Cisco ESA will requeue the message and attempt to resend it later, until the maximum number of retries or the maximum age of the message is reached. The message will not be sent in clear text, dropped, or encrypted by another appliance.
Question 7
What is a category for classifying graymail?
  A. Malicious
  B. Marketing
  C. Spam
  D. Priority
Correct answer: B
Explanation:
According to the [Cisco Secure Email User Guide], graymail is a category of email messages that are not spam but may be unwanted by some recipients, such as newsletters, promotions, or social media updates[5, p. 25]. Marketing is one of the subcategories of graymail that includes messages that advertise products or services[5, p. 26].
The other options are not valid because:
A) Malicious is not a category for classifying graymail. It is a category for classifying email messages that contain malicious content such as malware, phishing, or fraud[5, p. 25].
C) Spam is not a category for classifying graymail. It is a category for classifying email messages that are unsolicited, unwanted, or harmful[5, p. 25].
D) Priority is not a category for classifying graymail. It is a category for classifying email messages that are important, urgent, or relevant[5, p. 25].
Question 8
Which functionality is impacted if the assigned certificate under one of the IP interfaces is modified?
  A. traffic between the Cisco Secure Email Gateway and the LDAP server
  B. emails being delivered from the Cisco Secure Email Gateway
  C. HTTPS traffic when connecting to the web user interface of the Cisco Secure Email Gateway
  D. emails being received by the Cisco Secure Email Gateway
Correct answer: C
Explanation:
If the assigned certificate under one of the IP interfaces is modified, then the HTTPS traffic when connecting to the web user interface of the Cisco Secure Email Gateway will be impacted. The administrator must ensure that the certificate is valid and trusted by the browser or client that is used to access the web user interface. Otherwise, the connection may fail or generate a warning message.
Reference: [Cisco Secure Email Gateway Administrator Guide - Configuring Certificates]
Question 9
When the Spam Quarantine is configured on the Cisco ESA, what validates end-users via LDAP during login to the End-User Quarantine?
  A. Enabling the End-User Safelist/Blocklist feature
  B. Spam Quarantine External Authentication Query
  C. Spam Quarantine End-User Authentication Query
  D. Spam Quarantine Alias Consolidation Query
Correct answer: C
Explanation:
Spam Quarantine End-User Authentication Query is a query that Cisco ESA performs against an LDAP server to validate the end-user credentials during login to the End-User Quarantine.
Question 10
A Cisco Secure Email Gateway administrator is creating a Mail Flow Policy to receive outbound email from Microsoft Exchange. Which Connection Behavior must be selected to properly process the messages?
  A. Accept
  B. Delay
  C. Relay
  D. Reject
Correct answer: C
Explanation:
Relay is the connection behavior that must be selected to properly process the messages. Relay allows Cisco ESA to accept messages from the specified source and deliver them to the intended destination, without applying any content or reputation filters.
To configure a mail flow policy with relay connection behavior on Cisco ESA, the administrator can follow these steps:
  1. Select Mail Policies > Mail Flow Policies and click Add Policy.
  2. Enter a name and description for the mail flow policy, such as Exchange Outbound.
  3. Under Connection Behavior, select Relay.
  4. Click Submit.
The other options are not valid connection behaviors to properly process the messages, because they either reject, delay, or accept the messages with content or reputation filters applied.
Question 11
Which feature must be activated on a Cisco Secure Email Gateway to combat backscatter?
  A. Graymail Detection
  B. Bounce Verification
  C. Forged Email Detection
  D. Bounce Profile
Correct answer: B
Explanation:
A regular expression is a sequence of characters that defines a search pattern for text. To match a string of 123ABCDEFGHJ, you need to use the following regular expression: \d{3}[A-Z]{9}. This expression means that the string must start with three digits (\d{3}), followed by nine uppercase letters ([A-Z]{9}). This expression will match any string that has the same format as 123ABCDEFGHJ.
Reference: User Guide for AsyncOS 12.0 for Cisco Email Security Appliances - GD (General Deployment) - Regular Expressions [Cisco Secure Email Gateway] - Cisco
Question 12
A network engineer must tighten up the SPAM control policy of an organization due to a recent SPAM attack. In which scenario does enabling regional scanning improve security for this organization?
  A. when most of the received spam comes from a specific country
  B. when most of the received spam originates outside of the U.S.
  C. when most of the received email originates outside of the U.S.
  D. when most of the received email originates from a specific region
Correct answer: C
Explanation:
According to the [Cisco Secure Email User Guide], Non-Viral threat detection is a feature of Outbreak Filters that detects and blocks email messages that contain non-viral threats such as phishing, fraud, or social engineering[1, p. 25]. To use this feature, you need to enable either AntiSpam or Intelligent Multi-Scan on your Cisco Secure Email Gateway, as these features provide the necessary scanning and filtering capabilities for Non-Viral threat detection[1, p. 26].
The other options are not valid because:
A) Non-Viral threat detection does not require Antivirus or AMP enablement to properly function. Antivirus and AMP are features that detect and block email messages that contain viral threats such as malware or ransomware[1, p. 27-28].
B) The Outbreak Filters option Graymail Header does not affect Non-Viral threat detection. Graymail Header is an option that allows you to add a header to email messages that are classified as graymail, which are messages that are not spam but may be unwanted by some recipients, such as newsletters or promotions[1, p. 25].
D) The Outbreak Filters option URL Rewriting does not affect Non-Viral threat detection. URL Rewriting is an option that allows you to rewrite the URLs in email messages to point to a Cisco proxy server, which can scan the URLs for malicious content and redirect the users to a warning page if needed[1, p. 25].
Question 13
Which of the following two statements are correct about the large file attachments (greater than 25MB) feature in Cisco Secure Email Encryption Service? (Choose two.)
  A. Large file attachments can only be sent using the websafe portal
  B. This feature allows users to send up to 50MB of attachments in a secure email.
  C. Large file attachments will be sent as a securedoc attachment
  D. Large file attachments can only be sent using the Cisco Secure Email Add-In.
  E. This feature can only be enabled if the Read from Message feature is enabled
Correct answer: C, E
Explanation:
Large file attachments will be sent as a securedoc attachment. This means that the recipient will receive an encrypted message with a securedoc.html attachment that contains a link to download the large file from the Cisco Secure Email Encryption Service portal[2, p. 9].
This feature can only be enabled if the Read from Message feature is enabled. The Read from Message feature allows you to encrypt messages based on keywords or phrases in the subject or body of the message. You need to enable this feature before you can enable the large file attachments feature[2, p. 8].
The other options are not valid because:
A) Large file attachments can be sent using both the websafe portal and the Cisco Secure Email Add-In. The websafe portal allows you to compose and send encrypted messages from any web browser, while the Cisco Secure Email Add-In allows you to encrypt messages from your email client such as Outlook[2, p. 6-7].
B) This feature allows users to send up to 100MB of attachments in a secure email, not 50MB[2, p. 9].
D) Large file attachments can be sent using both the websafe portal and the Cisco Secure Email Add-In. The websafe portal allows you to compose and send encrypted messages from any web browser, while the Cisco Secure Email Add-In allows you to encrypt messages from your email client such as Outlook[2, p. 6-7].
Question 14
Which SMTP extension does Cisco ESA support for email security?
  A. ETRN
  B. UTF8SMTP
  C. PIPELINING
  D. STARTTLS
Correct answer: B
Explanation:
According to the [Cisco Secure Email User Guide], graymail is a category of email messages that are not spam but may be unwanted by some recipients, such as newsletters, promotions, or social media updates[5, p. 25]. Marketing is one of the subcategories of graymail that includes messages that advertise products or services[5, p. 26].
The other options are not valid because:
A) Malicious is not a category for classifying graymail. It is a category for classifying email messages that contain malicious content such as malware, phishing, or fraud[5, p. 25].
C) Spam is not a category for classifying graymail. It is a category for classifying email messages that are unsolicited, unwanted, or harmful[5, p. 25].
D) Priority is not a category for classifying graymail. It is a category for classifying email messages that are important, urgent, or relevant[5, p. 25].
Question 15
A network administrator enabled McAfee antivirus scanning on a Cisco Secure Email Gateway and configured the virus scanning action of "scan for viruses only". If the scanner finds a virus in an attachment for an incoming email, what action will be applied to this message?
  A. The email and attachment are forwarded to the network administrator.
  B. No repair is attempted, and the attachment is either dropped or delivered
  C. The attachment is dropped and replaced with a 'Removed Attachment' file
  D. The system will attempt to repair the attachment
Correct answer: B
Explanation:
If the McAfee antivirus scanning is enabled on the Cisco Secure Email Gateway and the virus scanning action is set to "scan for viruses only", then no repair is attempted, and the attachment is either dropped or delivered based on the antivirus policy settings. The administrator can choose to drop or deliver the infected attachment by selecting the appropriate action in the antivirus policy.
Reference: [Cisco Secure Email Gateway Administrator Guide - Configuring McAfee Antivirus Scanning]
Question 16
Spammers routinely try to send emails with the recipient field filled with a list of all possible combinations of letters and numbers. These combinations, appended with a company domain name, are malicious attempts at learning all possible valid email addresses. Which action must be taken on a Cisco Secure Email Gateway to prevent this from occurring?
  A. Select the SMTP Authentication Query checkbox
  B. Perform LDAP acceptance validation.
  C. Quarantine external authentication queries.
  D. Enable end user safelist features
Correct answer: B
Explanation:
LDAP acceptance validation is a feature that allows the Cisco Secure Email Gateway to check if the recipient address of an incoming message exists in an LDAP directory before accepting it. This feature can help prevent spammers from sending emails with invalid recipient addresses and reduce the load on the appliance.
Reference: User Guide for AsyncOS 12.0 for Cisco Email Security Appliances - GD (General Deployment) - Configuring LDAP Queries [Cisco Secure Email Gateway] - Cisco
Question 17
Which action on the Cisco ESA provides direct access to view the safelist/blocklist?
  A. Show the SLBL cache on the CLI.
  B. Monitor Incoming/Outgoing Listener.
  C. Export the SLBL to a .csv file.
  D. Debug the mail flow policy.
Correct answer: C
Explanation:
According to the [Cisco Secure Email Encryption Service Add-In User Guide], you can create an encryption profile that defines the encryption settings and options for your encrypted messages[2, p. 11]. You can also create an outgoing content filter that applies the encryption profile to the messages that match certain conditions, such as having [SECURE] in the subject header[2, p. 12]. This way, you can allow users to flag the messages that require encryption by adding [SECURE] to the subject line.
The other options are not valid because:
A) Creating an encryption profile with [SECURE] in the Subject setting and enabling encryption on the mail flow policy will not work, as the Subject setting in the encryption profile is used to specify the subject line of the encrypted message envelope, not the original message[2, p. 11].
B) Creating an outgoing content filter with no conditions and with the Encrypt and Deliver Now action configured with [SECURE] in the Subject setting will not work, as this will encrypt all outgoing messages regardless of whether they have [SECURE] in the subject line or not[2, p. 12].
D) Creating a DLP policy manager message action with encryption enabled and applying it to active DLP policies for outgoing mail will not work, as this will encrypt messages based on DLP rules that detect sensitive data in the message content, not based on user flags in the subject line.
Question 18
A trusted partner of an organization recently experienced a new campaign that was leveraging JavaScript attachments to trick users into executing malware. As a result, they created a local policy to deny messages with JavaScript attachments. Which action should the administrator of the organization take to ensure encrypted communications are delivered to the intended partner recipient?
  A. Insert the 'X-PostX-Use-Script' header with a value of false to the encrypted messages
  B. Select 'JavaScript-free' option within the Cisco Secure Email Encryption Service Add-in
  C. Create an outgoing content filter and add the Encrypt and Deliver Now action with Use-Script option deselected
  D. Create a new encryption profile and deselect the 'Use-Script' envelope settings option.
Correct answer: D
Explanation:
According to the User Guide for Cisco Secure Email Encryption Service Add-In [1], the 'Use-Script' option allows you to use JavaScript in the encrypted message envelope. This option is enabled by default, but you can disable it if you want to send encrypted messages to recipients who have security policies that block JavaScript attachments[2, p. 14].
The other options are not valid because:
A) Inserting the X-PostX-Use-Script header with a value of false to the encrypted messages is not a supported feature of the Cisco Secure Email Encryption Service Add-in [1].
B) Selecting JavaScript-free option within the Cisco Secure Email Encryption Service Add-in is not a valid option. The add-in does not have such an option [1].
C) Creating an outgoing content filter and adding the Encrypt and Deliver Now action with Use-Script option deselected is not possible. The Encrypt and Deliver Now action does not have a Use-Script option[2, p. 13].
Question 19
Which components are required when encrypting SMTP with TLS on a Cisco Secure Email Gateway appliance when the sender requires TLS verification?
  1. DER certificate and matching public key from a CA
  2. self-signed certificate in PKCS#7 format
  3. X.509 certificate and matching private key from a CA
  4. self-signed certificate in PKCS#12 format
Correct answer: C
Explanation:
To encrypt SMTP with TLS on a Cisco Secure Email Gateway appliance when the sender requires TLS verification, the components that are required are an X.509 certificate and matching private key from a CA. The certificate must be signed by a trusted CA and contain the domain name or IP address of the listener in the Subject or Subject Alternative Name fields. The private key must be unencrypted and match the certificate. Reference: [Cisco Secure Email Gateway Administrator Guide - Configuring TLS]
Question 20
An administrator identifies that, over the past week, the Cisco ESA is receiving many emails from certain senders and domains which are being consistently quarantined. The administrator wants to ensure that these senders and domains are unable to send any more emails.
Which feature on Cisco ESA should be used to achieve this?
  1. incoming mail policies
  2. safelist
  3. blocklist
  4. S/MIME Sending Profile
Correct answer: B
Explanation:
According to the [Cisco Secure Email User Guide], graymail is a category of email messages that are not spam but may be unwanted by some recipients, such as newsletters, promotions, or social media updates[5, p. 25]. Marketing is one of the subcategories of graymail that includes messages that advertise products or services[5, p. 26].
The other options are not valid because:
A) Malicious is not a category for classifying graymail. It is a category for classifying email messages that contain malicious content such as malware, phishing, or fraud[5, p. 25].
C) Spam is not a category for classifying graymail. It is a category for classifying email messages that are unsolicited, unwanted, or harmful[5, p. 25].
D) Priority is not a category for classifying graymail. It is a category for classifying email messages that are important, urgent, or relevant[5, p. 25].
Question 21
The CEO sent an email indicating that all emails containing a string of 123ABCDEFGHJ cannot be delivered and must be sent into quarantine for further inspection. Given the requirement, which regular expression should be used to match on that criteria?
  1. \\D{3}[A-Z]{9}
  2. \d{3}[A-Z]{9}
  3. \W{3}[A-Z]{9}
  4. {3}\d{9}[A-Z]
Correct answer: B
Explanation:
A regular expression is a sequence of characters that defines a search pattern for text. To match a string of 123ABCDEFGHJ, you need to use the following regular expression: \d{3}[A-Z]{9}. This expression means that the string must start with three digits (\d{3}), followed by nine uppercase letters ([A-Z]{9}). This expression will match any string that has the same format as 123ABCDEFGHJ. Reference: User Guide for AsyncOS 12.0 for Cisco Email Security Appliances - GD (General Deployment) - Regular Expressions [Cisco Secure Email Gateway] - Cisco
Question 22
To comply with a recent audit, an engineer must configure anti-virus message handling options on the incoming mail policies to attach warnings to the subject of an email.
What should be configured to meet this requirement for known viral emails?
  1. Virus Infected Messages
  2. Unscannable Messages
  3. Encrypted Messages
  4. Positively Identified Messages
Correct answer: C
Explanation:
A TXT record is a type of DNS record that contains arbitrary text data that can be used for various purposes such as verification, configuration, or authentication. A TXT record can contain the DKIM public key per RFC 6376, which is used to verify the digital signature of an email message generated by the DKIM private key of the sender domain.
The other options are not valid because:
A) A CNAME record is a type of DNS record that maps an alias name to a canonical name or another alias name. It does not contain any DKIM public key information.
B) An AAAA record is a type of DNS record that maps a hostname to an IPv6 address. It does not contain any DKIM public key information.
D) A PTR record is a type of DNS record that maps an IP address to a hostname, which is the reverse of an A or AAAA record. It does not contain any DKIM public key information.
Question 23
Which cloud service provides a reputation verdict for email messages based on the sender domain and other attributes?
  1. Cisco AppDynamics
  2. Cisco Secure Email Threat Defense
  3. Cisco Secure Cloud Analytics
  4. Cisco Talos
Correct answer: D
Explanation:
Cisco Talos is a cloud service that provides a reputation verdict for email messages based on the sender domain and other attributes such as IP address, sender behavior, message content, and attachment analysis. Cisco Talos is integrated with Cisco Secure Email Gateway and provides real-time threat intelligence and protection against spam, phishing, malware, and other email-borne threats.
The other options are not valid because:
A) Cisco AppDynamics is a cloud service that provides application performance monitoring and optimization for enterprise applications. It does not provide reputation verdicts for email messages.
B) Cisco Secure Email Threat Defense is a cloud service that provides visibility and remediation capabilities for email threats detected by Cisco Secure Email Gateway. It does not provide reputation verdicts for email messages.
C) Cisco Secure Cloud Analytics is a cloud service that provides network visibility and threat detection for cloud environments. It does not provide reputation verdicts for email messages.
Question 24
What is the purpose of Cisco Email Encryption on Cisco ESA?
  1. to ensure anonymity between a recipient and MTA
  2. to ensure integrity between a sender and MTA
  3. to authenticate direct communication between a sender and Cisco ESA
  4. to ensure privacy between Cisco ESA and MTA
Correct answer: C
Explanation:
According to the [Cisco Secure Email Encryption Service Add-In User Guide], you can create an encryption profile that defines the encryption settings and options for your encrypted messages[2, p. 11]. You can also create an outgoing content filter that applies the encryption profile to the messages that match certain conditions, such as having [SECURE] in the subject header[2, p. 12]. This way, you can allow users to flag the messages that require encryption by adding [SECURE] to the subject line.
The other options are not valid because:
A) Creating an encryption profile with [SECURE] in the Subject setting and enabling encryption on the mail flow policy will not work, as the Subject setting in the encryption profile is used to specify the subject line of the encrypted message envelope, not the original message[2, p. 11].
B) Creating an outgoing content filter with no conditions and with the Encrypt and Deliver Now action configured with [SECURE] in the Subject setting will not work, as this will encrypt all outgoing messages regardless of whether they have [SECURE] in the subject line or not[2, p. 12].
D) Creating a DLP policy manager message action with encryption enabled and applying it to active DLP policies for outgoing mail will not work, as this will encrypt messages based on DLP rules that detect sensitive data in the message content, not based on user flags in the subject line.
Question 25
An organization wants to prevent proprietary patent documents from being shared externally via email. The network administrator reviewed the DLP policies on the Cisco Secure Email Gateway and could not find an existing policy with the appropriate matching patterns. Which type of DLP policy template must be used to create a policy that meets this requirement?
  1. privacy protection
  2. custom policy
  3. regulatory compliance
  4. acceptable use
Correct answer: B
Explanation:
According to the [Cisco Secure Email User Guide], you can create a text resource of type Disclaimer Template and use the code view option to insert HTML code into the text box. Then, you can use this text resource in a content filter to prepend or append the HTML message to the email body[1, p. 15-16].
The other options are not valid because:
A) Creating a text resource type of Disclaimer Template and pasting the HTML code into the text box without changing to code view will not work, as the HTML code will be treated as plain text and not rendered properly[1, p. 15].
C) Creating a text resource type of Notification Template and pasting the HTML code into the text box will not work, as Notification Templates are used for sending notifications to senders or recipients, not for modifying the email body[1, p. 17].
D) Creating a text resource type of Notification Template and changing to code view to paste the HTML code into the text box will not work, as Notification Templates are used for sending notifications to senders or recipients, not for modifying the email body[1, p. 17].
Question 26
A Cisco Secure Email Gateway administrator must provide outbound email authenticity and configures a DKIM signing profile to handle this task. What is the next step to allow this organization to use DKIM for their outbound email?
  1. Enable the DKIM service checker
  2. Export the DNS TXT record to provide to the DNS registrar
  3. Import the DNS record of the service provider into the Cisco Secure Email Gateway.
  4. Configure the Trusted Sender Group message authenticity policy.
Correct answer: C
Explanation:
A TXT record is a type of DNS record that contains arbitrary text data that can be used for various purposes such as verification, configuration, or authentication. A TXT record can contain the DKIM public key per RFC 6376, which is used to verify the digital signature of an email message generated by the DKIM private key of the sender domain.
The other options are not valid because:
A) A CNAME record is a type of DNS record that maps an alias name to a canonical name or another alias name. It does not contain any DKIM public key information.
B) An AAAA record is a type of DNS record that maps a hostname to an IPv6 address. It does not contain any DKIM public key information.
D) A PTR record is a type of DNS record that maps an IP address to a hostname, which is the reverse of an A or AAAA record. It does not contain any DKIM public key information.
Question 27
What is the default HTTPS port when configuring spam quarantine on Cisco ESA?
  1. 83
  2. 82
  3. 443
  4. 80
Correct answer: C
Explanation:
According to the [Cisco Secure Email User Guide], Non-Viral threat detection is a feature of Outbreak Filters that detects and blocks email messages that contain non-viral threats such as phishing, fraud, or social engineering[1, p. 25]. To use this feature, you need to enable either AntiSpam or Intelligent Multi-Scan on your Cisco Secure Email Gateway, as these features provide the necessary scanning and filtering capabilities for Non-Viral threat detection[1, p. 26].
The other options are not valid because:
A) Non-Viral threat detection does not require Antivirus or AMP enablement to properly function. Antivirus and AMP are features that detect and block email messages that contain viral threats such as malware or ransomware[1, p. 27-28].
B) The Outbreak Filters option Graymail Header does not affect Non-Viral threat detection. Graymail Header is an option that allows you to add a header to email messages that are classified as graymail, which are messages that are not spam but may be unwanted by some recipients, such as newsletters or promotions[1, p. 25].
D) The Outbreak Filters option URL Rewriting does not affect Non-Viral threat detection. URL Rewriting is an option that allows you to rewrite the URLs in email messages to point to a Cisco proxy server, which can scan the URLs for malicious content and redirect the users to a warning page if needed[1, p. 25].
Question 28
Which Cisco Secure Email Threat Defense visibility and remediation mode is only available when using Cisco Secure Email Gateway as the message source?
  1. Basic Authentication
  2. No Authentication
  3. Microsoft 365 Authentication
  4. Cisco Security Cloud Sign On
Correct answer: B
Explanation:
According to the [Cisco Secure Email User Guide], you can create a text resource of type Disclaimer Template and use the code view option to insert HTML code into the text box. Then, you can use this text resource in a content filter to prepend or append the HTML message to the email body[1, p. 15-16].
The other options are not valid because:
A) Creating a text resource type of Disclaimer Template and pasting the HTML code into the text box without changing to code view will not work, as the HTML code will be treated as plain text and not rendered properly[1, p. 15].
C) Creating a text resource type of Notification Template and pasting the HTML code into the text box will not work, as Notification Templates are used for sending notifications to senders or recipients, not for modifying the email body[1, p. 17].
D) Creating a text resource type of Notification Template and changing to code view to paste the HTML code into the text box will not work, as Notification Templates are used for sending notifications to senders or recipients, not for modifying the email body[1, p. 17].
Question 29
An engineer is tasked with reviewing mail logs to confirm that messages sent from domain abc.com are passing SPF verification and being accepted by the Cisco ESA.
The engineer notices that SPF verification is not being performed and that SPF is not being referenced in the logs for messages sent from domain abc.com.
Why is the verification not working properly?
  1. SPF verification is disabled in the Recipient Access Table.
  2. SPF verification is disabled on the Mail Flow Policy.
  3. The SPF conformance level is set to SIDF compatible on the Mail Flow Policy.
  4. An SPF verification Content Filter has not been created.
Correct answer: B
Explanation:
According to the [Cisco Secure Email User Guide], you can create a text resource of type Disclaimer Template and use the code view option to insert HTML code into the text box. Then, you can use this text resource in a content filter to prepend or append the HTML message to the email body[1, p. 15-16].
The other options are not valid because:
A) Creating a text resource type of Disclaimer Template and pasting the HTML code into the text box without changing to code view will not work, as the HTML code will be treated as plain text and not rendered properly[1, p. 15].
C) Creating a text resource type of Notification Template and pasting the HTML code into the text box will not work, as Notification Templates are used for sending notifications to senders or recipients, not for modifying the email body[1, p. 17].
D) Creating a text resource type of Notification Template and changing to code view to paste the HTML code into the text box will not work, as Notification Templates are used for sending notifications to senders or recipients, not for modifying the email body[1, p. 17].
Question 30
Which type of DNS record would contain the following line, which references the DKIM public key per RFC 6376?
v=DKIM1; p=76E629F05F709EF665853333EEC3F5ADE69A2362BECE406582670456943283BE
  1. CNAME
  2. AAAA
  3. TXT
  4. PTR
Correct answer: C
Explanation:
A TXT record is a type of DNS record that contains arbitrary text data that can be used for various purposes such as verification, configuration, or authentication. A TXT record can contain the DKIM public key per RFC 6376, which is used to verify the digital signature of an email message generated by the DKIM private key of the sender domain.
The other options are not valid because:
A) A CNAME record is a type of DNS record that maps an alias name to a canonical name or another alias name. It does not contain any DKIM public key information.
B) An AAAA record is a type of DNS record that maps a hostname to an IPv6 address. It does not contain any DKIM public key information.
D) A PTR record is a type of DNS record that maps an IP address to a hostname, which is the reverse of an A or AAAA record. It does not contain any DKIM public key information.
Question 31
An engineer is configuring an SMTP authentication profile on a Cisco ESA which requires certificate verification.
Which section must be configured to accomplish this goal?
  1. Mail Flow Policies
  2. Sending Profiles
  3. Outgoing Mail Policies
  4. Verification Profiles
Correct answer: C
Explanation:
According to the [Cisco Secure Email User Guide], Non-Viral threat detection is a feature of Outbreak Filters that detects and blocks email messages that contain non-viral threats such as phishing, fraud, or social engineering[1, p. 25]. To use this feature, you need to enable either AntiSpam or Intelligent Multi-Scan on your Cisco Secure Email Gateway, as these features provide the necessary scanning and filtering capabilities for Non-Viral threat detection[1, p. 26].
The other options are not valid because:
A) Non-Viral threat detection does not require Antivirus or AMP enablement to properly function. Antivirus and AMP are features that detect and block email messages that contain viral threats such as malware or ransomware[1, p. 27-28].
B) The Outbreak Filters option Graymail Header does not affect Non-Viral threat detection. Graymail Header is an option that allows you to add a header to email messages that are classified as graymail, which are messages that are not spam but may be unwanted by some recipients, such as newsletters or promotions[1, p. 25].
D) The Outbreak Filters option URL Rewriting does not affect Non-Viral threat detection. URL Rewriting is an option that allows you to rewrite the URLs in email messages to point to a Cisco proxy server, which can scan the URLs for malicious content and redirect the users to a warning page if needed[1, p. 25].
Question 32
The company security policy requires that the finance department have an easy way to apply encryption to their outbound messages that contain sensitive data. Users must be able to flag the messages that require encryption versus a Cisco Secure Email Gateway appliance scanning all messages and automatically encrypting via detection. Which action enables this capability?
  1. Create an encryption profile with [SECURE] in the Subject setting and enable encryption on the mail flow policy
  2. Create an outgoing content filter with no conditions and with the Encrypt and Deliver Now action configured with [SECURE] in the Subject setting
  3. Create an encryption profile and an outgoing content filter that includes \[SECURE\] within the Subject Header: Contains condition along with the Encrypt and Deliver Now action
  4. Create a DLP policy manager message action with encryption enabled and apply it to active DLP policies for outgoing mail.
Correct answer: C
Explanation:
According to the [Cisco Secure Email Encryption Service Add-In User Guide], you can create an encryption profile that defines the encryption settings and options for your encrypted messages[2, p. 11]. You can also create an outgoing content filter that applies the encryption profile to the messages that match certain conditions, such as having [SECURE] in the subject header[2, p. 12]. This way, you can allow users to flag the messages that require encryption by adding [SECURE] to the subject line.
The other options are not valid because:
A) Creating an encryption profile with [SECURE] in the Subject setting and enabling encryption on the mail flow policy will not work, as the Subject setting in the encryption profile is used to specify the subject line of the encrypted message envelope, not the original message[2, p. 11].
B) Creating an outgoing content filter with no conditions and with the Encrypt and Deliver Now action configured with [SECURE] in the Subject setting will not work, as this will encrypt all outgoing messages regardless of whether they have [SECURE] in the subject line or not[2, p. 12].
D) Creating a DLP policy manager message action with encryption enabled and applying it to active DLP policies for outgoing mail will not work, as this will encrypt messages based on DLP rules that detect sensitive data in the message content, not based on user flags in the subject line.
Question 33
What is a benefit of deploying Cisco Secure Email and Web Manager?
  1. centralized management of software updates for Cisco Secure Email Gateway
  2. centralized management of logs for Cisco Secure Email Gateway
  3. centralized management of quarantined email
  4. centralized management of botnet directories
Correct answer: C
Explanation:
One of the benefits of deploying Cisco Secure Email and Web Manager is that it provides centralized management of quarantined email for multiple Cisco Secure Email Gateway appliances. The administrator can use the Cisco Secure Email and Web Manager to view, search, release, delete, or forward quarantined messages from a single web interface. Reference: [Cisco Secure Email and Web Manager User Guide - Configuring Centralized Spam Quarantine]
Question 34
Refer to the exhibit.
For improved security, an administrator wants to warn users about opening any links or attachments within an email. How must the administrator configure an HTML-coded message at the top of an email body to create this warning?
  1. Create a text resource type of Disclaimer Template, paste the HTML code into the text box, then use this text resource inside a content filter.
  2. Create a text resource type of Disclaimer Template, change to code view to paste the HTML code into the text box, then use this text resource inside a content filter.
  3. Create a text resource type of Notification Template, paste the HTML code into the text box, then use this text resource inside a content filter.
  4. Create a text resource type of Notification Template, change to code view to paste the HTML code into the text box, then use this text resource inside a content filter.
Correct answer: B
Explanation:
According to the [Cisco Secure Email User Guide], you can create a text resource of type Disclaimer Template and use the code view option to insert HTML code into the text box. Then, you can use this text resource in a content filter to prepend or append the HTML message to the email body[1, p. 15-16].
The other options are not valid because:
A) Creating a text resource type of Disclaimer Template and pasting the HTML code into the text box without changing to code view will not work, as the HTML code will be treated as plain text and not rendered properly[1, p. 15].
C) Creating a text resource type of Notification Template and pasting the HTML code into the text box will not work, as Notification Templates are used for sending notifications to senders or recipients, not for modifying the email body[1, p. 17].
D) Creating a text resource type of Notification Template and changing to code view to paste the HTML code into the text box will not work, as Notification Templates are used for sending notifications to senders or recipients, not for modifying the email body[1, p. 17].
Question 35
A Cisco Secure Email Gateway administrator recently enabled the Outbreak Filters Global Service Setting to detect Viral as well as Non-Viral threat detection, with no detection of Non-Viral threats after 24 hours of monitoring Outbreak Filters. What is the reason that Non-Viral threat detection is not detecting any positive verdicts?
  1. Non-Viral threat detection requires Antivirus or AMP enablement to properly function
  2. The Outbreak Filters option Graymail Header must be enabled
  3. Non-Viral threat detection requires AntiSpam or Intelligent Multi-Scan enablement to properly function.
  4. The Outbreak Filters option URL Rewriting must be enabled.
Correct answer: C
Explanation:
According to the [Cisco Secure Email User Guide], Non-Viral threat detection is a feature of Outbreak Filters that detects and blocks email messages that contain non-viral threats such as phishing, fraud, or social engineering[1, p. 25]. To use this feature, you need to enable either AntiSpam or Intelligent Multi-Scan on your Cisco Secure Email Gateway, as these features provide the necessary scanning and filtering capabilities for Non-Viral threat detection[1, p. 26].
The other options are not valid because:
A) Non-Viral threat detection does not require Antivirus or AMP enablement to properly function. Antivirus and AMP are features that detect and block email messages that contain viral threats such as malware or ransomware[1, p. 27-28].
B) The Outbreak Filters option Graymail Header does not affect Non-Viral threat detection. Graymail Header is an option that allows you to add a header to email messages that are classified as graymail, which are messages that are not spam but may be unwanted by some recipients, such as newsletters or promotions[1, p. 25].
D) The Outbreak Filters option URL Rewriting does not affect Non-Viral threat detection. URL Rewriting is an option that allows you to rewrite the URLs in email messages to point to a Cisco proxy server, which can scan the URLs for malicious content and redirect the users to a warning page if needed[1, p. 25].
Question 36
An administrator notices that the Cisco Secure Email Gateway delivery queue on an appliance is consistently full. After further investigation, it is determined that the IP addresses currently in use by the appliance are being rate-limited by some destinations. The administrator creates a new interface with an additional IP address using virtual gateway technology, but the issue is not solved. Which configuration change resolves the issue?
  1. Use the CLI command altsrchost to set the new interface as the source IP address for all mail.
  2. Use the CLI command loadbalance auto to enable mail delivery over all interfaces.
  3. Use the CLI command alt-src-host to set the new interface as a possible delivery candidate.
  4. Use the CLI command deliveryconfig to set the new interface as the primary interface for mail delivery
Correct answer: D
Explanation:
Determining Which Interface is Used for Mail Delivery: Unless you specify the output interface via the deliveryconfig command or via a message filter (alt-src-host), or through the use of a virtual gateway, the output interface is selected by the AsyncOS routing table.
https://www.cisco.com/c/en/us/td/docs/security/esa/esa11-1/user_guide/b_ESA_Admin_Guide_11_1/b_ESA_Admin_Guide_chapter_011001.html?bookSearch=true
Question 37
A company has recently updated their security policy and now wants to drop all email messages larger than 100 MB coming from external sources. The Cisco Secure Email Gateway is LDAP integrated and all employee accounts are in the group "Employees". Which filter rule configuration provides the desired outcome?
  1. if (mail-from-group == 'Employees') and (body-size > '100M') {drop()}
  2. if (mail-from-group != 'Employees') and (body-size > 100M) {drop();}
  3. if (mail-from-group == 'Employees') and (body-size > 100M) {bounce();}
  4. if ('mail-from-group != Employees') and (body-size > 100M) {drop();}
Correct answer: B
Explanation:
According to the [Cisco Secure Email User Guide], graymail is a category of email messages that are not spam but may be unwanted by some recipients, such as newsletters, promotions, or social media updates[5, p. 25]. Marketing is one of the subcategories of graymail that includes messages that advertise products or services[5, p. 26].
The other options are not valid because:
A) Malicious is not a category for classifying graymail. It is a category for classifying email messages that contain malicious content such as malware, phishing, or fraud[5, p. 25].
C) Spam is not a category for classifying graymail. It is a category for classifying email messages that are unsolicited, unwanted, or harmful[5, p. 25].
D) Priority is not a category for classifying graymail. It is a category for classifying email messages that are important, urgent, or relevant[5, p. 25].
Question 38
What is the default method of remotely accessing a newly deployed Cisco Secure Email Virtual Gateway when a DHCP server is not available?
  1. Manual configuration of an IP address is required through the serial port before remote access
  2. DHCP is required for the initial IP address assignment
  3. Use the IP address of 192.168.42.42 via the Management port
  4. Manual configuration of an IP address is required through the hypervisor console before remote access
Correct answer: C
Explanation:
The default method of remotely accessing a newly deployed Cisco Secure Email Virtual Gateway when a DHCP server is not available is to use the IP address of 192.168.42.42 via the Management port. This IP address is assigned by default to the Management port of the virtual gateway and can be used to access the web user interface or the command-line interface of the appliance. Reference: [Cisco Secure Email Gateway Installation and Upgrade Guide - Configuring Network Settings]
Question 39
Which global setting is configured under Cisco ESA Scan Behavior?
  1. minimum attachment size to scan
  2. attachment scanning timeout
  3. actions for unscannable messages due to attachment type
  4. minimum depth of attachment recursion to scan
Correct answer: A
Question 40
A Cisco ESA administrator has several mail policies configured. While testing policy match using a specific sender, the email was not matching the expected policy.
What is the reason for this?
  1. The 'From' header is checked against all policies in a top-down fashion.
  2. The message header with the highest priority is checked against each policy in a top-down fashion.
  3. The 'To' header is checked against all policies in a top-down fashion.
  4. The message header with the highest priority is checked against the Default policy in a top-down fashion.
Correct answer: D
Question 41
An organization has a strict policy on URLs embedded in emails. The policy allows visibility into what the URL is but does not allow the user to click it. Which action must be taken to meet the requirements of the security policy?
  1. Enable the URL quarantine policy
  2. Defang the URL.
  3. Replace the URL with text
  4. Redirect the URL to the Cisco security proxy
Correct answer: A
Question 42
Refer to the exhibits. What must be done to enforce end user authentication before accessing quarantine?
  1. Enable SPAM notification and use LDAP for authentication.
  2. Enable SPAM Quarantine Notification and add the %quarantine_url% variable.
  3. Change the end user quarantine access from None authentication to SAAS.
  4. Change the end user quarantine access setting from None authentication to Mailbox.
Correct answer: A
Question 43
When the spam quarantine is configured on the Cisco Secure Email Gateway, which type of query is used to validate non-administrative user access to the end-user quarantine via LDAP?
  1. spam quarantine end-user authentication
  2. spam quarantine alias consolidation
  3. spam quarantine external authorization
  4. local mailbox (IMAP/POP) authentication
Correct answer: A, C
Question 44
An engineer is configuring a Cisco ESA for the first time and needs to ensure that any email traffic coming from the internal SMTP servers is relayed out through the Cisco ESA and is tied to the Outgoing Mail Policies.
Which Mail Flow Policy setting should be modified to accomplish this goal?
  1. Exception List
  2. Connection Behavior
  3. Bounce Detection Signing
  4. Reverse Connection Verification
Correct answer: B
Question 45
A list of company executives is routinely being spoofed, which puts the company at risk of malicious email attacks. An administrator must ensure that executive messages are originating from legitimate sending addresses. Which two steps must be taken to accomplish this task? (Choose two.)
  1. Create an incoming content filter with SPF detection.
  2. Enable the Forged Email Detection feature under Security Settings.
  3. Enable DMARC feature under Mail Policies.
  4. Create an incoming content filter with the Forged Email Detection condition
  5. Create a content dictionary including a list of the names that are being spoofed.
Correct answer: A
Question 46
Refer to the exhibit. Which configuration on the scan behavior must be updated to allow the attachment to be scanned on the Cisco ESA?
  1. Add an additional mapping for attachment type for zip files.
  2. Enable assume match pattern if the email was not scanned for any reason.
  3. Increase the maximum recursion depth from 5 to a larger value.
  4. Increase the maximum attachment size to scan to a larger value.
Correct answer: A
Question 47
Which feature utilizes sensor information obtained from Talos intelligence to filter email servers connecting into the Cisco ESA?
  1. SenderBase Reputation Filtering
  2. Connection Reputation Filtering
  3. Talos Reputation Filtering
  4. SpamCop Reputation Filtering
Correct answer: A
Question 48
Which action is a valid fallback when a client certificate is unavailable during SMTP authentication on Cisco ESA?
  1. LDAP Query
  2. SMTP AUTH
  3. SMTP TLS
  4. LDAP BIND
Correct answer: B
Question 49
Which type of attack is prevented by configuring file reputation filtering and file analysis features?
  1. denial of service
  2. zero-day
  3. backscatter
  4. phishing
Correct answer: B
Question 50
When DKIM signing is configured, which DNS record must be updated to load the DKIM public signing key?
  1. AAAA record
  2. PTR record
  3. TXT record
  4. MX record
Correct answer: C
Question 51
Refer to the exhibit. An engineer needs to change the existing Forged Email Detection message filter so that it references a newly created dictionary named 'Executives'.
What should be done to accomplish this task?
  1. Change 'from' to 'Executives'.
  2. Change 'TESF to 'Executives'.
  3. Change 'fed' to 'Executives'.
  4. Change 'support' to 'Executives'.
Correct answer: D
Question 52
An administrator has created a content filter to quarantine all messages that result in an SPF hardfail to review the messages and determine whether a trusted partner has accidentally misconfigured the DNS settings. The administrator sets the policy quarantine to release the messages after 24 hours, allowing time to review while not interrupting business.
Which additional option should be used to help the end users be aware of the elevated risk of interacting with these messages?
  1. Notify Recipient
  2. Strip Attachments
  3. Notify Sender
  4. Modify Subject
Correct answer: D
Question 53
A company has deployed a new mandate that requires all emails sent externally from the Sales Department to be scanned by DLP for PCI-DSS compliance. A new DLP policy has been created on the Cisco ESA and needs to be assigned to a mail policy named 'Sales' that has yet to be created.
Which mail policy should be created to accomplish this task?
  1. Outgoing Mail Policy
  2. Preliminary Mail Policy
  3. Incoming Mail Flow Policy
  4. Outgoing Mail Flow Policy
Correct answer: A
Question 54
Spreadsheets containing credit card numbers are being allowed to bypass the Cisco ESA.
Which outgoing mail policy feature should be configured to catch this content before it leaves the network?
  1. file reputation filtering
  2. outbreak filtering
  3. data loss prevention
  4. file analysis
Correct answer: B
Question 55
Refer to the exhibit. How should this configuration be modified to stop delivering Zero Day malware attacks?
  1. Change Unscannable Action from Deliver As Is to Quarantine.
  2. Change File Analysis Pending action from Deliver As Is to Quarantine.
  3. Configure mailbox auto-remediation.
  4. Apply Prepend on Modify Message Subject under Malware Attachments.
Correct answer: C
Question 56
Which action must be taken before a custom quarantine that is being used can be deleted?
  1. Delete the quarantine that is assigned to a filter.
  2. Delete the quarantine that is not assigned to a filter.
  3. Delete only the unused quarantine.
  4. Remove the quarantine from the message action of a filter.
Correct answer: D
Explanation:
https://www.cisco.com/c/en/us/td/docs/security/esa/esa12-0/user_guide/b_ESA_Admin_Guide_12_0/b_ESA_Admin_Guide_12_0_chapter_011111.html
Question 57
Which two query types are available when an LDAP profile is configured? (Choose two.)
  1. proxy consolidation
  2. user
  3. recursive
  4. group
  5. routing
Correct answer: D, E
Explanation:
https://www.cisco.com/c/en/us/td/docs/security/esa/esa12-0/user_guide/b_ESA_Admin_Guide_12_0/b_ESA_Admin_Guide_12_0_chapter_011010.html
Question 58
Which two statements about configuring message filters within the Cisco ESA are true? (Choose two.)
  1. The filters command executed from the CLI is used to configure the message filters.
  2. Message filters configuration within the web user interface is located within Incoming Content Filters.
  3. The filterconfig command executed from the CLI is used to configure message filters.
  4. Message filters can be configured only from the CLI.
  5. Message filters can be configured only from the web user interface.
Correct answer: A, D
Explanation:
https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/213940-esa-using-a-message-filter-to-take-act.html
Question 59
Which two are configured in the DMARC verification profile? (Choose two.)
  1. name of the verification profile
  2. minimum number of signatures to verify
  3. ESA listeners to use the verification profile
  4. message action into an incoming or outgoing content filter
  5. message action to take when the policy is reject/quarantine
Correct answer: A, E
Explanation:
https://www.cisco.com/c/en/us/td/docs/security/esa/esa12-0/user_guide/b_ESA_Admin_Guide_12_0/b_ESA_Admin_Guide_12_0_chapter_010101.html#task_1231917
Question 60
Which type of query must be configured when setting up the Spam Quarantine while merging notifications?
  1. Spam Quarantine Alias Routing Query
  2. Spam Quarantine Alias Consolidation Query
  3. Spam Quarantine Alias Authentication Query
  4. Spam Quarantine Alias Masquerading Query
Correct answer: B
Question 61
Which two components must be configured to perform DLP scanning? (Choose two.)
  1. Add a DLP policy on the Incoming Mail Policy.
  2. Add a DLP policy to the DLP Policy Manager.
  3. Enable a DLP policy on the Outgoing Mail Policy.
  4. Enable a DLP policy on the DLP Policy Customizations.
  5. Add a DLP policy to the Outgoing Content Filter.
Correct answer: B, C
Explanation:
https://www.cisco.com/c/en/us/td/docs/security/esa/esa11-1/user_guide/b_ESA_Admin_Guide_11_1/b_ESA_Admin_Guide_chapter_010001.html
Question 62
What is a benefit of implementing URL filtering on the Cisco ESA?
  1. removes threats from malicious URLs
  2. blacklists spam
  3. provides URL reputation protection
  4. enhances reputation against malicious URLs
Correct answer: C
Question 63
When email authentication is configured on Cisco ESA, which two key types should be selected on the signing profile? (Choose two.)
  1. DKIM
  2. Public Keys
  3. Domain Keys
  4. Symmetric Keys
  5. Private Keys
Correct answer: A, C
Explanation:
https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/213939-esa-configure-dkim-signing.html
Question 64
Which two features of Cisco Email Security are added to a Sender Group to protect an organization against email threats? (Choose two.)
  1. NetFlow
  2. geolocation-based filtering
  3. heuristic-based filtering
  4. senderbase reputation filtering
  5. content disarm and reconstruction
Correct answer: C, D
Question 65
Which process is skipped when an email is received from safedomain.com, which is on the safelist?
  1. message filter
  2. antivirus scanning
  3. outbreak filter
  4. antispam scanning
Correct answer: A
Explanation:
https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/214269-filter-to-handle-messages-that-skipped-d.html
Question 66
Refer to the exhibit. An engineer is trying to connect to a Cisco ESA using SSH and has been unsuccessful. Upon further inspection, the engineer notices that there is a loss of connectivity to the neighboring switch.
Which connection method should be used to determine the configuration issue?
  1. Telnet
  2. HTTPS
  3. Ethernet
  4. serial
Correct answer: D
Question 67
How does the graymail safe unsubscribe feature function?
  1. It strips the malicious content of the URI before unsubscribing.
  2. It checks the URI reputation and category and allows the content filter to take an action on it.
  3. It redirects the end user who clicks the unsubscribe button to a sandbox environment to allow a safe unsubscribe.
  4. It checks the reputation of the URI and performs the unsubscribe process on behalf of the end user.
Correct answer: D
Explanation:
https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/200383-Graymail-Detection-and-Safe-Unsubscribin.html
Question 68
Which two Cisco ESA features are used to control email delivery based on the sender? (Choose two.)
  1. incoming mail policies
  2. spam quarantine
  3. outbreak filter
  4. safelists
  5. blocklists
Correct answer: D, E
Question 69
What is the default port to deliver emails from the Cisco ESA to the Cisco SMA using the centralized Spam Quarantine?
  1. 8025
  2. 6443
  3. 6025
  4. 8443
Correct answer: C
Question 70
Which scenario prevents a message from being sent to the quarantine as an action in the scan behavior on Cisco ESA?
  1. A policy quarantine is missing.
  2. More than one email pipeline is defined.
  3. The 'modify the message subject' is already set.
  4. The 'add custom header' action is performed first.
Correct answer: B
Question 71
What are two prerequisites for implementing undesirable URL protection in Cisco ESA? (Choose two.)
  1. Enable outbreak filters.
  2. Enable email relay.
  3. Enable antispam scanning.
  4. Enable port bouncing.
  5. Enable antivirus scanning.
Correct answer: A, C
Explanation:
https://www.cisco.com/c/en/us/td/docs/security/esa/esa12-0/user_guide/b_ESA_Admin_Guide_12_0/b_ESA_Admin_Guide_chapter_01111.html
Question 72
An administrator is trying to enable centralized PVO but receives the error, "Unable to proceed with Centralized Policy, Virus and Outbreak Quarantines configuration as esa1 in Cluster has content filters / DLP actions available at a level different from the cluster level."
What is the cause of this error?
  1. Content filters are configured at the machine-level on esa1.
  2. DLP is configured at the cluster-level on esa2.
  3. DLP is configured at the domain-level on esa1.
  4. DLP is not configured on host1.
Correct answer: D
Explanation:
https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118026-technote-esa-00.html
Question 73
Which two certificate authority lists are available in Cisco ESA? (Choose two.)
  1. default
  2. system
  3. user
  4. custom
  5. demo
Correct answer: B, D
Explanation:
https://www.cisco.com/c/en/us/td/docs/security/esa/esa11-1/user_guide/b_ESA_Admin_Guide_11_1/b_ESA_Admin_Guide_11_1_chapter_011000.html#task_1194859
Question 74
What must be configured to allow the Cisco ESA to encrypt an email using the Cisco Registered Envelope Service?
  1. provisioned email encryption profile
  2. message encryption from a content filter that selects 'Message Encryption' over TLS
  3. message encryption from the mail flow policies with 'CRES' selected
  4. content filter to forward the email to the Cisco Registered Envelope server
Correct answer: B
Question 75
An analyst creates a new content dictionary to use with Forged Email Detection.
Which entry will be added into the dictionary?
  1. mycompany.com
  2. Alpha Beta
  3. ^Alpha\ Beta$
Correct answer: A
Explanation:
https://www.cisco.com/c/en/us/products/collateral/security/email-security-appliance/whitepaper_C11-737596.html
Question 76
Which two actions are configured on the Cisco ESA to query LDAP servers? (Choose two.)
  1. accept
  2. relay
  3. delay
  4. route
  5. reject
Correct answer: A, D
Explanation:
https://www.cisco.com/c/en/us/td/docs/security/esa/esa11-0/user_guide_fs/b_ESA_Admin_Guide_11_0/b_ESA_Admin_Guide_chapter_011010.html
Question 77
When outbreak filters are configured, which two actions are used to protect users from outbreaks? (Choose two.)
  1. redirect
  2. return
  3. drop
  4. delay
  5. abandon
Correct answer: A, D
Question 78
Which two action types are performed by Cisco ESA message filters? (Choose two.)
  1. non-final actions
  2. filter actions
  3. discard actions
  4. final actions
  5. quarantine actions
Correct answer: A, D
Explanation:
https://www.cisco.com/c/en/us/td/docs/security/esa/esa11-1/user_guide/b_ESA_Admin_Guide_11_1/b_ESA_Admin_Guide_chapter_01000.html
Question 79
Refer to the exhibit.
Which SPF record is valid for mycompany.com?
  1. v=spf1 a mx ip4:199.209.31.2 -all
  2. v=spf1 a mx ip4:10.1.10.23 -all
  3. v=spf1 a mx ip4:199.209.31.21 -all
  4. v=spf1 a mx ip4:172.16.18.230 -all
Correct answer: D
Question 80
An email containing a URL passes through the Cisco ESA that has content filtering disabled for all mail policies. The sender is [email protected], the recipients are [email protected], [email protected], [email protected], and [email protected]. The subject of the email is Test Document395898847. An administrator wants to add a policy to ensure that the Cisco ESA evaluates the web reputation score before permitting this email.
Which two criteria must be used by the administrator to achieve this? (Choose two.)
  1. Subject contains 'Test Document'
  2. Sender matches test1.com
  3. Email body contains a URL
  4. Date and time of email
  5. Email does not match [email protected]
Correct answer: A, C
Question 81
Which antispam feature is utilized to give end users control to allow emails that are spam to be delivered to their inbox, overriding any spam verdict and action on the Cisco ESA?
  1. end user allow list
  2. end user spam quarantine access
  3. end user passthrough list
  4. end user safelist
Correct answer: B
Explanation:
https://www.cisco.com/c/en/us/td/docs/security/ces/user_guide/esa_user_guide_11-1/b_ESA_Admin_Guide_ces_11_1/b_ESA_Admin_Guide_chapter_011111.pdf
Question 82
Which benefit does enabling external spam quarantine on Cisco SMA provide?
  1. ability to back up spam quarantine from multiple Cisco ESAs to one central console
  2. access to the spam quarantine interface on which a user can release, duplicate, or delete
  3. ability to scan messages by using two engines to increase a catch rate
  4. ability to consolidate spam quarantine data from multiple Cisco ESAs to one central console
Correct answer: D
Explanation:
https://www.cisco.com/c/en/us/td/docs/security/security_management/sma/sma11-0/user_guide/b_SMA_Admin_Guide/b_SMA_Admin_Guide_chapter_010101.html
Question 83
What is a valid content filter action?
  1. decrypt on delivery
  2. quarantine
  3. skip antispam
  4. archive
Correct answer: B
Question 84
Which attack is mitigated by using Bounce Verification?
  1. spoof
  2. denial of service
  3. eavesdropping
  4. smurf
Correct answer: B
Question 85
Which two features are applied to either incoming or outgoing mail policies? (Choose two.)
  1. Indication of Compromise
  2. application filtering
  3. outbreak filters
  4. sender reputation filtering
  5. antivirus
Correct answer: C, E
Explanation:
https://www.cisco.com/c/en/us/td/docs/security/esa/esa11-1/user_guide/b_ESA_Admin_Guide_11_1/b_ESA_Admin_Guide_chapter_01001.html
Question 86
What is the maximum message size that can be configured for encryption on the Cisco ESA?
  1. 20 MB
  2. 25 MB
  3. 15 MB
  4. 30 MB
Correct answer: A
Explanation:
https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/117972-technote-esa-00.html
Question 87
Which two factors must be considered when message filter processing is configured? (Choose two.)
  1. message-filter order
  2. lateral processing
  3. structure of the combined packet
  4. mail policies
  5. MIME structure of the message
Correct answer: A, E
Explanation:
https://www.cisco.com/c/en/us/td/docs/security/esa/esa12-0/user_guide/b_ESA_Admin_Guide_12_0/b_ESA_Admin_Guide_chapter_01000.html
Question 88
Which two steps are needed to disable local spam quarantine before external quarantine is enabled? (Choose two.)
  1. Uncheck the Enable Spam Quarantine check box.
  2. Select Monitor and click Spam Quarantine.
  3. Check the External Safelist/Blocklist check box.
  4. Select External Spam Quarantine and click on Configure.
  5. Select Security Services and click Spam Quarantine.
Correct answer: A, B
Question 89
A recent engine update was pulled down for graymail and has caused the service to start crashing. It is critical to fix this as quickly as possible.
What must be done to address this issue?
  1. Roll back to a previous version of the engine from the Services Overview page.
  2. Roll back to a previous version of the engine from the System Health page.
  3. Download another update from the IMS and Graymail page.
  4. Download another update from the Service Updates page.
Correct answer: A
Question 90
Which two steps configure Forged Email Detection? (Choose two.)
  1. Configure a content dictionary with executive email addresses.
  2. Configure a filter to use the Forged Email Detection rule and dictionary.
  3. Configure a filter to check the Header From value against the Forged Email Detection dictionary.
  4. Enable Forged Email Detection on the Security Services page.
  5. Configure a content dictionary with friendly names.
Correct answer: A, B
Explanation:
https://explore.cisco.com/esa-feature-enablement/user-guide-for-async-11
Question 91
A Cisco ESA administrator was notified that a user was not receiving emails from a specific domain. After reviewing the mail logs, the sender had a negative sender-based reputation score.
What should the administrator do to allow inbound email from that specific domain?
  1. Create a new inbound mail policy with a message filter that overrides Talos.
  2. Ask the user to add the sender to the email application's allow list.
  3. Modify the firewall to allow emails from the domain.
  4. Add the domain into the allow list.
Correct answer: D
Question 92
When virtual gateways are configured, which two distinct attributes are allocated to each virtual gateway address? (Choose two.)
  1. domain
  2. IP address
  3. DNS server address
  4. DHCP server address
  5. external spam quarantine
Correct answer: A, B
Question 93
Which suboption must be selected when LDAP is configured for Spam Quarantine End-User Authentication?
  1. Designate as the active query
  2. Update Frequency
  3. Server Priority
  4. Entity ID
Correct answer: A
Explanation:
https://www.cisco.com/c/en/us/td/docs/security/security_management/sma/sma11-5/user_guide/b_SMA_Admin_Guide_11_5/b_SMA_Admin_Guide_11_5_chapter_01010.html
Question 94
What occurs when configuring separate incoming mail policies?
  1. message splintering
  2. message exceptions
  3. message detachment
  4. message aggregation
Correct answer: A
Question 95
Which two configurations are used on multiple LDAP servers to connect with Cisco ESA? (Choose two.)
  1. load balancing
  2. SLA monitor
  3. active-standby
  4. failover
  5. active-active
Correct answer: A, D
Explanation:
You can enter multiple host names to configure the LDAP servers for failover or load-balancing. Separate multiple entries with commas.
Question 96
What are two phases of the Cisco ESA email pipeline? (Choose two.)
  1. reject
  2. workqueue
  3. action
  4. delivery
  5. quarantine
Correct answer: B, D
Explanation:
https://www.cisco.com/c/en/us/td/docs/security/esa/esa12-1/user_guide/b_ESA_Admin_Guide_12_1/b_ESA_Admin_Guide_12_1_chapter_011.pdf (p.1)
Question 97
Which method enables an engineer to deliver a flagged message to a specific virtual gateway address in the most flexible way?
  1. Set up the interface group with the flag.
  2. Issue the altsrchost command.
  3. Map the envelope sender address to the host.
  4. Apply a filter on the message.
Correct answer: B
Explanation:
https://www.cisco.com/c/en/us/td/docs/security/esa/esa11-1/user_guide/b_ESA_Admin_Guide_11_1/b_ESA_Admin_Guide_chapter_01000.html#con_1133810
Question 98
What is the default behavior of any listener for TLS communication?
  1. preferred-verify
  2. off
  3. preferred
  4. required
Correct answer: B
Explanation:
https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118954-config-esa-00.html
Question 99
Which setting affects the aggressiveness of spam detection?
  1. protection level
  2. spam threshold
  3. spam timeout
  4. maximum depth of recursion scan
Correct answer: B
Explanation:
https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118220-technote-esa-00.html
Question 100
What is the order of virus scanning when multilayer antivirus scanning is configured?
  1. The default engine scans for viruses first and the McAfee engine scans for viruses second.
  2. The Sophos engine scans for viruses first and the McAfee engine scans for viruses second.
  3. The McAfee engine scans for viruses first and the default engine scans for viruses second.
  4. The McAfee engine scans for viruses first and the Sophos engine scans for viruses second.
Correct answer: C
Explanation:
If you configure multi-layer anti-virus scanning, the Cisco appliance performs virus scanning with the McAfee engine first and the Sophos engine second. It scans messages using both engines, unless the McAfee engine detects a virus. If the McAfee engine detects a virus, the Cisco appliance performs the anti-virus actions (repairing, quarantining, etc.) defined for the mail policy.
https://www.cisco.com/c/en/us/td/docs/security/esa/esa12-0/user_guide/b_ESA_Admin_Guide_12_0/b_ESA_Admin_Guide_chapter_01011.html
Question 101
Which Cisco ESA security service is configured only through an outgoing mail policy?
  1. antivirus
  2. DLP
  3. Outbreak Filters
  4. AMP
Correct answer: B
Explanation:
Reference: https://www.cisco.com/c/en/us/td/docs/security/esa/esa11-0/user_guide_fs/b_ESA_Admin_Guide_11_0/b_ESA_Admin_Guide_chapter_01001.html