Forescout FSCP Exam - Topic 3 Question 15 Discussion

Actual exam question for Forescout's FSCP exam
Question #: 15
Topic #: 3

If the condition of a sub-rule in your policy is looking for Windows Antivirus updates, how should the scope and main rule read?

Suggested Answer: D

Explanation, drawn from the Forescout Platform Administration and Deployment material:

According to the Forescout Administration Guide section on defining policy scope and the Windows Update Compliance Template configuration, when a sub-rule condition checks Windows Antivirus updates, the scope and main rule should read: Scope 'corporate range', filter by group 'windows managed', main rule 'No conditions'.

Policy Scope Definition:

According to the policy scope documentation:

When defining the scope for a Windows Antivirus/Updates policy:

Scope- Should be set to 'corporate range' (endpoints within the corporate IP address range)

Filter by group- Should filter by the 'windows managed' group (Windows endpoints that are manageable)

Main rule- Should have 'No conditions' (meaning the policy applies to all endpoints matching the scope and group)

Why 'No conditions' for the Main Rule:

According to the Windows Update Compliance Template documentation:

The main rule is designed to be:

Broad in scope- Applies to all eligible Windows managed endpoints

Without specific conditions- Specific conditions are handled by sub-rules

Efficient filtering- The scope and group filter do the initial endpoint selection

The sub-rules then hold the specific conditions (for example, 'Windows Antivirus Update Date older than 30 days') that decide each endpoint's compliance state and the remediation action it receives. Sub-rules are evaluated in the order they are listed, and an endpoint is placed in the first sub-rule whose condition it meets, so the order in which they are written determines which action runs when several conditions are true at once.

Policy Structure for Windows Updates:

According to the documentation:

    Policy Scope:     'Corporate Range'
    Filter by Group:  'windows managed'
    Main Rule:        'No Conditions'
    Sub-rule 1:       'Windows Antivirus Update Date > 30 days'  -> Action: Trigger update
    Sub-rule 2:       'Windows Antivirus Running = False'        -> Action: Start Antivirus Service
    Sub-rule 3:       'Windows Updates Missing = True'           -> Action: Initiate Windows Updates

'Windows Managed' Group:

According to the policy template documentation:

The 'windows managed' group specifically includes:

Windows endpoints that can be remotely managed

Endpoints with proper connectivity to management services

Systems with necessary admin accounts configured

Machines capable of executing remote scripts and commands

Why Other Options Are Incorrect:

A . Scope 'all ips', filter by group blank, main rule member of group 'Windows' - Scope is too broad ('all ips' pulls in every discovered address, including non-corporate segments), and with no group filter every endpoint, Windows or not, is evaluated against the main rule before being discarded.

B . Scope 'corporate range', filter by group 'None', main rule 'member of Group = Windows' - Scope is correct, but the Windows selection is placed in the main rule instead of the group filter, and it does not restrict the policy to manageable Windows endpoints, on which the antivirus properties can actually be resolved.

C . Scope 'threat exemptions', filter by group 'windows managed', main rule 'member of group = windows' - Wrong scope ('threat exemptions' exists to exclude systems, not to select them), and the main rule repeats what the group filter already enforces.

E . Scope 'all ips', filter by group 'windows', main rule 'No Conditions' - Scope is too broad ('all ips' includes non-corporate systems), and the 'windows' group, unlike 'windows managed', does not exclude Windows endpoints that cannot be managed.

Recommended Policy Configuration:

According to the documentation:

For Windows Antivirus/Updates policies:

Scope- Define as 'corporate range' to limit to organizational endpoints

Filter by Group- Set to 'windows managed' to exclude non-manageable systems

Main Rule- Set to 'No conditions' for simplicity; let scope/group do the filtering

Sub-rules- Define specific compliance conditions (e.g., patch level, antivirus status)

This structure ensures:

Efficient policy evaluation

Only applicable Windows endpoints are assessed

Only manageable systems, on which the antivirus properties can be resolved and remediation actions executed, are assessed

Specific compliance checks occur in sub-rules
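As an added illustration (not Forescout's own code, template or API), the following Python models the evaluation order of the policy structure listed earlier and of the recommended configuration: scope, then group filter, then main rule, then sub-rules in order with the first match winning. It runs the suggested answer (D) and option A side by side over a constructed inventory; the CIDR ranges, group names, endpoint names and property values are assumptions made for the example, and so is treating a property that could not be resolved as a non-match.

```python
"""Toy evaluator for the policy layout described above: scope (IP range),
group filter, main rule, then ordered sub-rules with first-match semantics.

Added illustration only; not Forescout code and not the product's API.
Endpoints, IP ranges, group names and property values are constructed for
the example.  A condition on an unresolved property (None) is treated as
not matching, which is an assumption made here."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Callable, Optional


@dataclass
class Endpoint:
    name: str
    ip: str
    groups: set = field(default_factory=set)
    av_update_age_days: Optional[int] = None   # None = property not resolved
    av_running: Optional[bool] = None
    updates_missing: Optional[bool] = None


@dataclass
class SubRule:
    name: str
    condition: Callable[[Endpoint], bool]
    action: str


@dataclass
class Policy:
    scope: list                                      # CIDR strings
    filter_group: Optional[str]                      # None = no group filter
    main_rule: Optional[Callable[[Endpoint], bool]]  # None = 'No conditions'
    sub_rules: list


# Sub-rules 1-3 from the policy structure above, in the order they are listed.
SUB_RULES = [
    SubRule("av_update", lambda e: e.av_update_age_days is not None
            and e.av_update_age_days > 30, "Trigger update"),
    SubRule("av_running", lambda e: e.av_running is False,
            "Start Antivirus Service"),
    SubRule("updates_missing", lambda e: e.updates_missing is True,
            "Initiate Windows Updates"),
]


def recommended_policy():
    """Answer D: corporate range, 'windows managed' filter, main rule empty."""
    return Policy(["10.10.0.0/16"], "windows managed", None, SUB_RULES)


def all_ips_policy():
    """Option A: every address, no group filter, Windows membership in main rule."""
    return Policy(["0.0.0.0/0"], None, lambda e: "Windows" in e.groups, SUB_RULES)


def evaluate(policy, ep):
    """Return None if the endpoint never enters the policy, otherwise
    (rule_name, action); ('main', None) means the main rule matched but
    no sub-rule did, i.e. nothing to remediate."""
    if not any(ip_address(ep.ip) in ip_network(net) for net in policy.scope):
        return None                                # outside scope
    if policy.filter_group and policy.filter_group not in ep.groups:
        return None                                # dropped by group filter
    if policy.main_rule is not None and not policy.main_rule(ep):
        return None                                # main rule did not match
    for rule in policy.sub_rules:                  # first match wins
        if rule.condition(ep):
            return (rule.name, rule.action)
    return ("main", None)


# Constructed inventory: two ranges, managed and unmanaged Windows, a Linux host.
SAMPLE_ENDPOINTS = [
    Endpoint("ws01", "10.10.1.20", {"Windows", "windows managed"}, 45, True, False),
    Endpoint("ws02", "10.10.1.21", {"Windows", "windows managed"}, 3, False, True),
    Endpoint("ws03", "10.10.1.22", {"Windows", "windows managed"}, 10, True, False),
    Endpoint("kiosk", "10.10.3.9", {"Windows"}),           # Windows, not manageable
    Endpoint("lnx01", "10.10.2.5", {"Linux"}),
    Endpoint("guest", "192.168.50.4", {"Windows", "windows managed"}, 60, True, True),
]


def run(policy, endpoints=SAMPLE_ENDPOINTS):
    """Evaluate every endpoint and map its name to the evaluate() result."""
    return {ep.name: evaluate(policy, ep) for ep in endpoints}


if __name__ == "__main__":
    for label, pol in (("answer D", recommended_policy()), ("option A", all_ips_policy())):
        print(label)
        for name, outcome in run(pol).items():
            print(f"  {name:6} {outcome}")
```

Running it shows three things the text argues: ws02 lands in the antivirus-running sub-rule and never reaches the missing-updates rule, so sub-rule order decides the action; under option A the unmanaged kiosk host enters the policy, matches no sub-rule because none of its properties could be resolved, and therefore looks compliant; and the guest address is evaluated only when the scope is 'all ips'.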

Referenced Documentation:

Define Policy Scope documentation

Windows Update Compliance Template v2

Defining a Policy Main Rule
