Question 1
How many rounds of analysis are performed on a sandboxed sample to determine its characteristics?
Correct Answer: A
Explanation:
Zscaler Cloud Sandbox is designed to detect advanced and previously unknown threats by deeply analyzing suspicious files in an isolated environment. According to Zscaler’s documented analysis pipeline, every sandboxed sample goes through a structured, multi-stage process rather than a single pass.
First, the file undergoes static analysis, where the system inspects the file without executing it. This phase looks at elements such as structure, headers, embedded resources, and known malicious patterns or indicators.

Next, the file is executed in a dynamic analysis environment (a sandbox), where Zscaler observes runtime behavior such as process creation, registry modifications, file system changes, network connections, and attempts at evasion or privilege escalation. During this dynamic phase, the file may drop or create additional files and artifacts.

Zscaler then performs a second round of static analysis on those dropped components. This secondary static analysis is crucial because many sophisticated threats unpack or download their real payload only at runtime; analyzing those artifacts provides a much clearer view of the full attack chain.

Because of this defined three-step approach (static, dynamic, then secondary static analysis on dropped artifacts), option A is the correct description of how many rounds of analysis are performed on a sandboxed sample.
Question 2
What is the default classification for a newly discovered application in the App Inventory in the Third-Party App Governance Admin Portal?
Correct Answer: D
Explanation:
In Zscaler 3rd-Party App Governance documentation, the App Inventory is where administrators view and manage all discovered third-party apps, add-ons, and extensions. The "Classifying Apps" help article defines the available states: Unclassified, Sanctioned, Reviewing, and Unsanctioned. Crucially, it notes that Unclassified is the default state for any new application before an administrator evaluates it.
"Sanctioned" is used once the organization has explicitly approved an app for use; "Unsanctioned" is used when an app is not allowed; and "Reviewing" indicates it is under investigation. Those labels are the result of governance decisions applied after discovery. ZDTE study materials on SaaS and app governance mirror this behavior: newly discovered apps enter the inventory without an explicit decision, allowing security teams to triage risk, review permissions, and only then mark them as sanctioned or unsanctioned. Because the default state for a new entry is explicitly documented as Unclassified, the correct answer is D. Unclassified.