156-590 Exam Dumps - Check Point Certified Threat Prevention Specialist (CTPS)

The correct answer is C. HTTP/HTTPS . The course-guide answer identifies HTTP/HTTPS as the Anti-Virus protocols enabled by default. Architecturally, this reflects the most common perimeter malware-delivery path: users downloading web content from the Internet. HTTP is naturally visible to the gateway, while HTTPS requires HTTPS Inspection to expose encrypted file transfers and web objects for Anti-Virus inspection. Check Point documentation notes that most traffic is HTTPS rather than HTTP and recommends enabling HTTPS Inspection to maximize the effectiveness of Threat Prevention Software Blades.

The broader Anti-Virus blade can support more protocols than the default enabled set. Check Point documents that HTTP, FTP, SMB, and SMTP are protocols selectable in SmartConsole, and that IMAP and POP3 can also be enabled through configuration. This distinction is the certification point: supported does not necessarily mean enabled by default . FTP, SMB, SMTP, IMAP, and POP3 can extend inspection coverage, but enabling more protocol inspection increases processing scope and must be aligned with topology, performance, and business risk. Reference topics: Anti-Virus Settings, HTTPS Inspection, protocol support, protected scope, Threat Prevention blade effectiveness.

The correct answer is B. Pre-infection . IPS is categorized as a pre-infection Threat Prevention blade because its primary role is to stop exploitation attempts before the protected host becomes compromised. Check Point’s Threat Prevention guide describes IPS as protection against malicious and unwanted network traffic, focusing on application and server vulnerabilities, in-the-wild attacks, exploit kits, and malicious attackers. The same guide distinguishes Anti-Bot & Advanced DNS as post-infection detection of bots on hosts, while Anti-Virus is described as pre-infection detection and blocking of malware at the gateway.

IPS belongs in the pre-infection stage because it prevents the exploit chain from succeeding. It inspects network traffic for vulnerability exploitation, protocol abuse, malformed payloads, known CVE exploitation attempts, server attacks, client attacks, and suspicious patterns that could lead to compromise. “Preventative” is broadly true as an English description, but it is not the specific Check Point lifecycle classification tested here. “Inline” describes where a security function may sit in traffic flow, not the infection-stage category. “Post-infection” is associated with Anti-Bot, which detects and blocks command-and-control communications after a host shows signs of compromise. Reference topics: IPS Software Blade, pre-infection prevention, exploit protection, Threat Prevention architecture, Anti-Bot post-infection contrast.

The correct answer is D. Optimized . In Check Point Threat Prevention, profiles define how the gateway applies protections across blades such as IPS, Anti-Bot, Anti-Virus, Threat Emulation, and Threat Extraction. The default profile is Optimized , because it balances effective security with acceptable gateway performance. Check Point documentation states that the Optimized profile is activated by default and that it gives excellent security with good gateway performance.

This design reflects the practical tradeoff in enterprise Threat Prevention: not every protection should be enabled at the most aggressive setting on every gateway, because high-impact protections can increase CPU consumption, latency, and inspection overhead. The Optimized profile uses criteria such as protection severity, confidence, and performance impact to activate protections that are broadly useful without creating unnecessary operational cost. Basic is less aggressive and is intended for lower-impact protection coverage. Strict provides wider coverage but can affect performance more significantly. Standard is not one of the default Threat Prevention profiles in this context. Reference topics: Threat Prevention Profiles, default profile behavior, Optimized Protection Profile settings, blade activation, security/performance balance.

The correct answer is C. ThreatCloud DNS Tunneling Protection . Check Point R81.20 introduced major Advanced Threat Prevention enhancements, including AI Deep Learning improvements for DNS attacks. The R81.20 Release Notes state that AI Deep Learning prevents more DNS attacks in real time and specifically reference ThreatCloud DNS tunneling protection as part of the DNS Security enhancements.

DNS tunneling protection is distinct from Malware DNS Trap. Malware DNS Trap returns a false or bogus IP address for known malicious hosts and domains, and it can help identify compromised clients by observing connection attempts to the false trap address. That mechanism is represented by option A/B, but it is not the R81.20-introduced DNS protection being tested here. ThreatCloud DNS Tunneling Protection targets a different technique: abuse of DNS as a covert channel for command-and-control, data exfiltration, or tunneling traffic through recursive DNS infrastructure. Option D is unrelated to Check Point DNS Threat Prevention architecture. Reference topics: R81.20 Advanced Threat Prevention, DNS Security, ThreatCloud DNS Tunneling Protection, Malware DNS Trap, Anti-Bot and Anti-Virus DNS protections.

The correct answer is D. Log . In Check Point Threat Prevention, tracking determines what evidence is generated when a rule or protection matches traffic. The official Logging and Monitoring guide states that Log is the default option in the Threat Prevention policy , and that it shows the information the Security Gateway used to match the connection, including at minimum source, destination, source port, and destination port. It also explains that richer session details can appear when the rule includes application or data-type matching.

For IPS protections, this default is operationally important because IPS enforcement without logs would make post-event investigation, false-positive analysis, tuning, and compliance validation much harder. None is specifically documented as the default in Access Control policy, not Threat Prevention. Alert is a stronger notification mechanism but is not the default tracking behavior. UserCheck is an end-user interaction mechanism used in selected blades and scenarios, not the default IPS protection tracking value. The default Log setting gives administrators visibility into IPS matches while avoiding the operational noise of alerting on every event. Reference topics: Threat Prevention Track options, IPS logging, Logs & Monitor, protection match evidence, default Threat Prevention tracking.

The correct answer is A. Block List files - Configure disallowed files . Custom Policy Tools are used to manage Threat Prevention objects and enforcement helpers under the Threat Prevention policy view. A Block List file is used to define files that should be treated as disallowed, blocked, or explicitly malicious/undesired according to the policy objective. This is the opposite of the Allow List, which Check Point documents as a list of trusted files that the Threat Prevention engine does not inspect for malware, viruses, and bots, helping reduce gateway resource utilization. The official guide shows Allow List Files under Threat Prevention > Custom Policy Tools > Allow List Files .

Option A is therefore the correct true statement because it accurately describes the role of block-list file handling. Option B sounds plausible but is not the tested correct statement in this question’s answer key; the course item is specifically validating the Block List definition. Option C is incorrect because indicators are not “benign activity”; indicators usually represent observables such as IPs, domains, URLs, or hashes used for threat intelligence or enforcement. Option D is incorrect because profiles are not only available for Autonomous Threat Prevention; Custom Threat Prevention also uses profiles such as Basic, Optimized, and Strict. Reference topics: Custom Policy Tools, Block List Files, Allow List Files, Indicators, Threat Prevention Profiles.