User Account Shopping Cart
Practice Exams:
View All

Professional Google Workspace Administrator Google Practice Test Questions and Exam Dumps


Question No 1:

As the Workspace Administrator, you have been asked to configure Google Cloud Directory Sync (GCDS) in order to manage Google Group memberships from an internal LDAP server. However, multiple Google Groups must have their memberships managed manually. 

When you run the GCDS sync, you notice that these manually managed groups are being deleted. What should you do to prevent these groups from being deleted?

A. In the GCDS configuration manager, update the group deletion policy setting to “don't delete Google groups not found in LDAP.”
B. Use the Directory API to check and update the group’s membership after the GCDS sync is completed.
C. Confirm that the base DN for the group email address attribute matches the base DN for the user email address attribute.
D. In the user attribute settings of the GCDS configuration manager options, set the Google domain users deletion/suspension policy to “delete only active Google domain users not found in LDAP.”

Answer: A

Explanation:

Google Cloud Directory Sync (GCDS) is used to synchronize users, groups, and other directory data from a local LDAP directory (like Microsoft Active Directory) to Google Workspace. This ensures consistent identity and group management across systems. However, one of the major considerations when configuring GCDS is how it handles resources in Google that are not present in the LDAP directory — specifically deletions.

In this scenario, you are synchronizing groups using GCDS, but some Google Groups are meant to be managed manually, i.e., they are not reflected in your LDAP directory. When you run the synchronization, these manually-managed groups are deleted, because GCDS treats them as obsolete — not found in the LDAP source — and removes them by default based on its synchronization policy.

To resolve this issue, you need to change the behavior of GCDS so that it does not delete Google Groups that are not present in LDAP. This is exactly what Option A proposes: "In the GCDS configuration manager, update the group deletion policy setting to 'don't delete Google groups not found in LDAP.'" This option correctly identifies the setting that controls whether non-matching groups in Google should be deleted or retained.

Here's how this setting works:

  • By default, GCDS may be configured to delete groups in Google Workspace if they are not found in the LDAP source.

  • If some groups are managed outside of LDAP (manually in the Admin console or via APIs), you can prevent accidental deletion of those groups by updating this specific deletion policy setting.

  • This setting ensures that GCDS only manages the groups it can see in LDAP and leaves others alone, which is precisely what you want in this case.

Let's briefly examine why the other options are not correct:

  • B. Use the Directory API to check and update the group’s membership after the GCDS sync is completed: This is a reactive and manual process that might fix the problem temporarily, but it doesn't address the root cause — GCDS is actively deleting the groups. Also, it's inefficient and error-prone.

  • C. Confirm that the base DN for the group email address attribute matches the base DN for the user email address attribute: The base DN mismatch could cause issues in synchronizing correct records, but it would not prevent deletion of groups that are not present in LDAP. This answer does not address the issue of manual group management.

  • D. In the user attribute settings of the GCDS configuration manager options, set the Google domain users deletion/suspension policy to “delete only active Google domain users not found in LDAP”: This setting applies to users, not groups, so it does not resolve the issue with group deletion.

Therefore, the correct and most effective way to prevent manually managed Google Groups from being deleted during GCDS sync is to change the deletion policy for groups within the GCDS configuration — as described in Option A.

Question No 2:

Your marketing department needs an easy way for users to share items more appropriately. 

They want to easily link-share Drive files within the marketing department, without sharing them with your entire company. What should you do to fulfil this request? (Choose two.)

A. Create a shared drive that's shared internally organization-wide.
B. Update Drive sharing for the marketing department to restrict to internal.
C. Create a shared drive for internal marketing use.
D. Update the link sharing default to the marketing team when creating a document.
E. In the admin panel Drive settings, create a target audience that has all of marketing as members.

Answer: C, E

Explanation:

To fulfill the request of the marketing department to easily link-share Google Drive files internally among their team—without exposing the files to the entire organization—the best solution involves setting up a targeted sharing environment that is both secure and efficient. The main goals here are (1) ease of sharing, (2) control over access, and (3) limiting exposure to just the marketing department, not the whole organization.

Here’s a breakdown of the correct answers:

  • C. Create a shared drive for internal marketing use
     This is a key solution. Creating a shared drive specifically for the marketing team allows for centralized document storage, access control, and permission management. When files are stored in a shared drive, all members of that drive can access them based on their assigned roles (Viewer, Commenter, Contributor, etc.). This eliminates the need for manual sharing every time a document is created. It also keeps files secure and appropriately visible to only relevant team members.

  • E. In the admin panel Drive settings, create a target audience that has all of marketing as members
     This is another essential step. In Google Workspace Admin Console, administrators can create target audiences (groups of users within your organization) to enable easier and safer sharing. When target audiences are set up, users can choose to share files via link with only that specific audience—in this case, the marketing department. This ensures that when someone selects “Anyone with the link” as an option, it doesn’t mean the entire organization, but just the marketing group. It greatly improves user experience and ensures controlled file distribution.

Now let’s look at why the other options are not correct:

  • A. Create a shared drive that's shared internally organization-wide
     This contradicts the core requirement, which is not to share the files company-wide. This option would make all files in that drive available to the entire company, which is the opposite of what marketing wants.

  • B. Update Drive sharing for the marketing department to restrict to internal
     This option is vague and not an actionable setting by itself. Drive sharing restrictions are typically applied at the organizational unit or domain level, not in a way that only "restricts" sharing to the marketing department selectively. Also, if anything, this would more likely prevent external sharing, not manage internal group-specific sharing.

  • D. Update the link sharing default to the marketing team when creating a document
     Google Drive doesn’t currently support setting the default link-sharing audience to a specific team (like marketing) out of the box. However, target audiences (as referenced in option E) allow you to offer the marketing team as a link-sharing option, which is the closest and supported method.

In summary, to ensure secure, streamlined file sharing within the marketing team, creating a dedicated shared drive (C) and setting up a target audience for the marketing team in the Admin console (E) are the most effective and Google-supported solutions.

Question No 3:

Your company has a broad, granular IT administration team, and you are in charge of ensuring proper administrative control. One of those teams, the security team, requires access to the Security Investigation Tool. What should you do?

A. Assign the pre-built security admin role to the security team members.
B. Create a Custom Admin Role with the Security Center privileges, and then assign the role to each of the security team members.
C. Assign the Super Admin Role to the security team members.
D. Create a Custom Admin Role with the security settings privilege, and then assign the role to each of the security team members.

Answer: A

Explanation:

In environments with granular administrative needs, such as those involving multiple specialized IT teams, the assignment of appropriate roles and privileges is critical to maintain least-privilege access, ensuring each administrator only has the capabilities required for their specific responsibilities. In this scenario, the security team requires access to the Security Investigation Tool, a key feature used to examine and respond to security threats and incidents within an organization.

The most efficient and secure approach in this case is to assign the pre-built Security Admin role (Option A) to the members of the security team. This role is specifically designed to grant access to tools and settings within the Security Center, including the Security Investigation Tool, without overextending access to unrelated administrative features. The Security Admin role provides curated privileges ideal for security operations, such as monitoring alerts, reviewing suspicious activity, and running investigations—all of which are required functions for using the Security Investigation Tool effectively.

Let’s explore why the other options are not optimal:

  • B. Create a Custom Admin Role with the Security Center privileges, and then assign the role to each of the security team members.
     While this approach could technically work, it is unnecessarily time-consuming and error-prone. Custom roles require careful configuration and ongoing maintenance. Additionally, if updates are made to platform security privileges in the future, the custom role might not automatically reflect those changes. Using the pre-built role ensures automatic updates and reduces administrative overhead.

  • C. Assign the Super Admin Role to the security team members.
     This option is inappropriate because it violates the principle of least privilege. The Super Admin role gives unrestricted access to the entire admin console, allowing users to manage users, billing, services, security, and more. Providing this level of access to users who only need to perform security investigations is both risky and unnecessary. It opens the door to potential misconfigurations or unauthorized changes in areas outside of their domain.

  • D. Create a Custom Admin Role with the security settings privilege, and then assign the role to each of the security team members.
     This option falls short because the “security settings privilege” alone does not necessarily grant access to the Security Investigation Tool or broader Security Center functionalities. It may allow changes to basic security configurations, but not provide investigative tools or visibility into security events.

By selecting A, the organization benefits from a well-maintained, pre-defined role tailored to the exact use case, ensuring that the security team can carry out their duties without overstepping into areas they don’t need access to. This improves operational efficiency, strengthens security posture, and upholds role-based access control (RBAC) best practices.

Question No 4:

Your organization has a new security policy to prevent data exfiltration on iOS devices. How can you stop users from copying content from Google apps (Gmail, Drive, Docs, Sheets, and Slides) 

In their work account to personal Google apps or third-party apps on iOS devices using the Google Admin Console?

A. Navigate to “Data Protection” setting in Google Admin Console's Device management section and disable the “Allow users to copy data to personal apps” checkbox
B. Disable “Open Docs in Unmanaged Apps” setting in Google Admin Console’s Device management section
C. Navigate to Devices > Mobile and endpoints > Universal Settings > General and turn on Basic Mobile Management
D. Clear the “Allow items created with managed apps to open in unmanaged apps” checkbox

Answer:  D

Explanation:

In scenarios where organizations want to restrict data exfiltration on iOS devices, particularly from Google Workspace apps like Gmail, Drive, Docs, Sheets, and Slides, it is important to configure data protection policies that enforce a boundary between managed (work) and unmanaged (personal) apps.

Google Workspace provides specific settings in the Admin Console that help prevent sensitive work data from being copied to personal or unauthorized apps. This is particularly crucial for mobile environments like iOS, where users might have both personal and work accounts or apps installed.

Let’s analyze each option:

A. While disabling an option like “Allow users to copy data to personal apps” sounds aligned with the requirement, this exact wording does not match a setting in the Google Admin Console. It's also important to note that Google's data loss prevention (DLP) settings are typically controlled through context-aware access and app management, not with a general checkbox labeled this way. Therefore, this is a distractor.

B. “Open Docs in Unmanaged Apps” is related to restricting document access in unmanaged environments, but it’s not the precise setting that prevents content copying across apps. It might restrict opening documents in non-approved apps but doesn't cover the broader requirement of blocking clipboard or data transfer between managed and unmanaged apps on iOS.

C. Turning on Basic Mobile Management offers only foundational control over devices, such as password enforcement and device wipe capabilities. It does not include the advanced app management features required for controlling data flow between managed and unmanaged apps. To enforce such restrictions, Advanced Mobile Management and integration with Apple’s MDM framework are necessary.

D. Clearing the checkbox “Allow items created with managed apps to open in unmanaged apps” is the correct configuration for this requirement. This setting is part of advanced mobile management for iOS in the Google Admin Console and ensures that data created or accessed within managed Google Workspace apps cannot be shared, copied, or opened in unmanaged apps—whether they are personal Google apps or third-party ones. This enforces a strict separation between work and personal data, which is exactly what is needed to address the data exfiltration concern.

When this setting is disabled (checkbox cleared), iOS enforces that content from managed apps stays within the managed workspace environment, leveraging Apple's Managed Open In functionality. This prevents users from using standard iOS features like copy/paste, share sheet, or open in… to move content outside the organization's control.

Therefore, to fulfill the requirement of blocking the ability to copy content from a work account to a personal account or third-party app on iOS, the admin should clear the “Allow items created with managed apps to open in unmanaged apps” checkbox, making D the correct answer.

Question No 5:

Your organization recently set up context-aware access policies for Google Drive to restrict access to only corporate-managed desktops. However, some users are still able to access Drive from unmanaged devices.

Which preliminary checks should be performed to diagnose why the policy isn’t working as expected? (Choose two.)

A. Confirm that the user has a Google Workspace Enterprise Plus license.
B. Delete and recreate a new Context-Aware Access device policy.
C. Check whether device policy application is installed on users’ devices.
D. Confirm that the user has at least a Google Workspace Business license.
E. Check whether Endpoint Verification is installed on users’ desktops.

Answer: A, E

Explanation:

When Context-Aware Access policies do not function as intended, the issue often lies in either licensing or missing technical prerequisites on user devices. In this case, since users are bypassing the policy and accessing Google Drive from non-corporate machines, the following two checks are essential:

A. Confirm that the user has a Google Workspace Enterprise Plus license.
Context-Aware Access is only supported for certain Google Workspace editions, particularly Enterprise Plus, Education Plus, and Enterprise Essentials Plus. Without the proper license tier, the context-aware policies cannot be enforced, no matter how correctly they are configured. If the affected users do not have the necessary license, the policies will not apply to them. This check ensures the policy enforcement mechanism is available to begin with.

E. Check whether Endpoint Verification is installed on users’ desktops.
Endpoint Verification is a crucial component for enforcing Context-Aware Access, especially when device-based conditions (like whether the machine is corporate-managed) are part of the policy. This small agent, once installed and active, reports back device attributes to Google Workspace, allowing the system to evaluate whether the device meets policy requirements. If Endpoint Verification is missing or not functioning properly, the system will be unable to recognize the device's status, leading to unintended access.

Now let’s consider why the other options are not the best preliminary checks:

B. Delete and recreate a new Context-Aware Access device policy.
While this might seem like a practical troubleshooting step, it's premature before confirming the foundational elements such as licensing and software configuration. Deleting and recreating policies should only occur after verifying that users have the correct setup and still experience issues.

C. Check whether device policy application is installed on users’ devices.
This is typically relevant for mobile device management (MDM) scenarios or for Chrome device management using the Google Device Policy app. However, for desktop environments where Endpoint Verification is the primary enforcement mechanism for Context-Aware Access, checking for the device policy app may not be relevant.

D. Confirm that the user has at least a Google Workspace Business license.
While licensing is important, a Business license alone is not sufficient for using Context-Aware Access. This feature requires one of the higher-end licenses like Enterprise Plus. Therefore, checking for a basic Business license won’t help resolve the issue and might mislead the troubleshooting process.

In conclusion, checking that users have the appropriate Enterprise Plus license and verifying that Endpoint Verification is installed are the most essential preliminary actions when diagnosing a failure in Context-Aware Access enforcement.

Question No 6:

Your organization has enabled spoofing protection against unauthenticated domains. You are receiving complaints that email from multiple partners is not being received. While investigating this issue, you find that emails are all being sent to quarantine due to the configured safety setting. 

What should be the next step to allow users to review these emails and reduce the internal complaints while keeping your environment secure?

A. Add your partner domains IPs to the Inbound Gateway setting.
B. Change the spoofing protection to deliver the emails to spam instead of quarantining them.
C. Add your partner sending IP addresses to an allowlist.
D. Change the spoofing protection to deliver the emails to inboxes with a custom warning instead of quarantining them.

Answer: D

Explanation:

In this scenario, spoofing protection has been enabled to improve email security by flagging and quarantining messages that fail authentication checks such as SPF, DKIM, or DMARC. While this setup protects against malicious spoofed messages, it can also mistakenly quarantine legitimate emails from trusted partners who may not have properly configured email authentication records. This can result in frustration and service disruptions if users do not see important communications from known external sources.

Since the emails are currently being quarantined, users cannot easily access or review them, which results in increased complaints. The goal is to maintain email security while improving email visibility for users and reducing false positives.

Option D, which involves changing the spoofing protection to deliver the emails to inboxes with a custom warning instead of quarantining them, is the most appropriate and balanced approach. Here's why:

  • User Awareness: Delivering these messages to inboxes with a custom warning banner still informs users that the message may be risky, but it gives them access to the content. This reduces confusion and complaints.

  • Security Maintained: Instead of outright allowing potentially unauthenticated or spoofed messages, you're giving users the tools to make informed decisions. You're not disabling spoofing protection entirely; you're just adjusting how suspect messages are treated.

  • Granular Control: Admins can customize the warning messages and define the criteria under which warnings are shown, offering flexibility.

  • Temporary Measure: This approach can be used as a temporary mitigation while you work with partner organizations to ensure they configure their email systems with proper SPF, DKIM, and DMARC settings.

Let’s look at why the other options are less ideal:

  • A. Add your partner domains IPs to the Inbound Gateway setting: This setting is used to specify trusted mail servers that relay email to your Google Workspace domain, typically internal systems or third-party gateways under your control. It is not appropriate for adding external partner systems because it could lead to security gaps by treating unauthenticated messages as trusted.

  • B. Change the spoofing protection to deliver the emails to spam instead of quarantining them: While this makes the messages visible, it sends them to spam folders, which many users ignore or fail to check regularly. It’s also less user-friendly and doesn’t clearly communicate the specific spoofing risk.

  • C. Add your partner sending IP addresses to an allowlist: This creates security risks, as it allows unauthenticated or spoofed messages from those IPs to bypass security checks. If any of those IPs are compromised, malicious content could enter the organization. This is not a best practice unless you're 100% certain the IPs are secure and controlled by the partner.

In conclusion, Option D provides the optimal balance between maintaining security standards and improving user experience. It avoids completely disabling spoofing protection or weakening the system’s integrity while allowing users to review emails from legitimate partners. As you address the issue long term, you can also encourage partners to adopt and configure authentication protocols like SPF, DKIM, and DMARC, further enhancing trust and deliverability.

Question No 7:

As the Workspace Administrator, you have been asked to delete a temporary Google Workspace user account in the marketing department. This user has created Drive documents in My Documents that the marketing manager wants to keep after the user is gone and removed from Workspace. The data should be visible only to the marketing manager. 

As the Workspace Administrator, what should you do to preserve this user's Drive data?

A. In the user deletion process, select “Transfer” in the data in other apps section and add the manager's email address.
B. Use Google Vault to set a retention period on the OU where the users reside.
C. Before deleting the user, add the user to the marketing shared drive as a contributor and move the documents into the new location.
D. Ask the user to create a folder under MyDrive, move the documents to be shared, and then share that folder with the marketing team manager.

Answer: A

Explanation:

When an organization uses Google Workspace, user accounts may be temporary—for instance, for interns or short-term contractors. However, any files created by these users in My Drive (i.e., under their personal Google Drive account) remain the property of that account. If an account is deleted without transferring ownership, all content in the user’s My Drive is permanently lost. Therefore, the best practice is to transfer data ownership before deleting the user.

Option A is correct because Google Workspace offers a built-in transfer tool in the admin console. During the user deletion process, administrators are prompted to transfer Drive and Gmail data to another user. By selecting “Transfer” and entering the marketing manager’s email, all of the temporary user’s files from My Drive will be migrated to the manager's account, ensuring nothing is lost. This also keeps the data private, as the files are now under the sole control of the manager.

Let’s explore why the other options are incorrect or less appropriate:

Option B refers to using Google Vault, which is a data retention and eDiscovery tool. While Vault can retain data for legal and compliance reasons, it does not transfer ownership or make files visible to other users. Vault also doesn’t serve the purpose of general file access or collaboration. Moreover, Vault retention applies only to accounts under retention rules, and files aren’t visible unless explicitly searched for by an authorized Vault user. Therefore, this doesn’t solve the business need of transferring Drive documents to a specific manager for practical use.

Option C suggests moving the files to a shared drive, which would preserve them beyond the user’s deletion, since shared drive content is owned by the organization, not individuals. However, this solution has multiple flaws. First, only files already created within or moved to a shared drive will be preserved. Second, not all file types can be moved to a shared drive. Third, permissions in shared drives are managed at the drive level, not individual file level, so all shared drive members may see the files—not just the marketing manager. This violates the requirement that only the manager should access the data.

Option D involves asking the user to manually share a folder, which is inefficient and risky. The user may forget, make errors, or not complete the task before their account is deactivated. Moreover, sharing a folder only gives viewing or editing rights—it does not transfer ownership, and once the account is deleted, the files may be lost or become inaccessible. This solution relies too much on user compliance and doesn’t ensure long-term preservation of files.

In summary, transferring the user’s data ownership to the marketing manager via the Google Admin console during the deletion process is the most secure, efficient, and administrator-controlled way to preserve the content and limit access.

Question No 8:

As a Google Workspace administrator for your organization, you are tasked with controlling which third-party apps can access Google Workspace data. 

Before implementing controls, as a first step in this process, you want to review all the third-party apps that have been authorized to access Workspace data. What should you do?

A. Open Admin Console > Security > API Controls > App Access Control > Manage Third Party App Access.
B. Open Admin Console > Security > API Controls > App Access Control > Manage Google Services.
C. Open Admin Console > Security > Less Secure Apps.
D. Open Admin Console > Security > API Controls > App Access Control > Settings.

Answer:  A

Explanation:

To effectively manage third-party app access to Google Workspace data, the first and most important step is to review existing third-party apps that have already been authorized by users in your domain. This allows administrators to audit potential security risks, monitor data exposure, and make informed decisions before applying any restrictions or whitelisting policies. The correct location to view this data is through the "Manage Third Party App Access" section under API Controls in the Admin Console.

Let’s break down the exact navigation path:

  • Go to the Admin Console

  • Click on Security

  • Select API Controls

  • Then go to App Access Control

  • Finally, click on Manage Third Party App Access

This page provides a comprehensive list of all third-party apps that have been authorized to access Google Workspace data via OAuth 2.0 scopes. It includes details such as:

  • The app name and developer

  • The scopes of access requested (like Gmail, Drive, Calendar)

  • The number of users who have authorized each app

  • Whether the app is trusted, blocked, or restricted

By reviewing this data, administrators can identify potentially risky applications, especially those that request broad scopes like full access to Gmail or Drive, and decide whether to allow, block, or trust them accordingly. This is vital in ensuring data governance, privacy compliance, and information security.

Now, let's examine why the other choices are incorrect:

  • B. Manage Google Services: This menu is used to control user access to native Google services (such as Google Drive, Gmail, Calendar) rather than third-party apps. It doesn’t provide a view of which third-party apps are accessing Workspace data.

  • C. Less Secure Apps: This section is related to apps that do not use modern security standards like OAuth 2.0. While this setting is important for legacy applications, it does not show all third-party OAuth apps that users have already authorized. Moreover, Google is phasing out support for less secure apps.

  • D. Settings under App Access Control: The Settings tab allows general configuration of how App Access Control works (e.g., whether to allow users to authorize apps or not), but it doesn’t provide a list of existing authorized third-party apps. It’s more about setting policies, not reviewing current access.

Therefore, A is the correct answer because it allows administrators to audit and review third-party app access before implementing any controls, making it the essential first step in managing app access to Google Workspace data.

Question No 9:

Your organization wants increased visibility into the actions taken by Google personnel, especially in relation to support cases involving your data. 

Which feature in the Google Admin Console should you use to gain this visibility?

A. From Google Admin Panel, go to Audit, and select Access Transparency Logs
B. From Google Admin Panel, go to Audit, and select Login Audit Log
C. From Google Admin Panel, go to Audit, and select Rules Audit Log
D. From Google Admin Panel, go to Audit, and select Admin Audit Log

Answer: A

Explanation:

To ensure transparency and accountability regarding how Google personnel interact with your organization’s data, Google provides a specialized auditing tool called Access Transparency. This tool is specifically designed to record Google staff activity in your environment, particularly during support interactions or internal troubleshooting processes involving your data.

Let’s break down why A is the correct answer and why the others are not.

A. Access Transparency Logs
This is the correct and most precise option. Access Transparency gives your organization detailed logs of actions taken by Google support and engineering staff when they access your content. This includes information such as:

  • The time of access

  • Reason for access

  • The support case number (if applicable)

  • Google personnel identity (obfuscated but traceable for auditing)

This feature is critical for organizations that have compliance obligations or need to maintain detailed records of how their data is accessed, even by cloud service providers like Google. Access Transparency aligns with modern zero-trust and data sovereignty principles by providing auditable proof of administrative actions by third-party service providers.

This is especially valuable when your organization has escalated support cases with Google, as it helps you verify when and why Google staff accessed sensitive data. Access Transparency logs are typically available to Google Workspace Enterprise Plus or Education Plus customers.

B. Login Audit Log
The Login Audit Log tracks user sign-in activity across your domain. It includes information like IP address, device used, and authentication method. While useful for tracking user access, it does not track actions taken by Google support staff or internal personnel from Google.

C. Rules Audit Log
This log shows activity related to rules configured in the Admin Console, such as custom alerts, rules triggering automated responses, and changes to rule settings. It helps monitor internal admin behavior and rule enforcement but offers no visibility into Google support actions or access to organizational data by Google staff.

D. Admin Audit Log
This log displays actions performed by administrators within your organization in the Admin Console, such as creating users, changing settings, or updating groups. While valuable for internal security and compliance, it does not track external access by Google personnel.

In summary, if your goal is to audit and gain visibility into how and when Google support staff access your organization's data—especially in response to support tickets—Access Transparency Logs are the only appropriate and comprehensive solution.

Question No 10:

Your organization recently experienced a sophisticated malware attack delivered through embedded macros in email attachments. As a Workspace administrator, how can you add an additional layer of protection beyond Gmail’s built-in malware defenses to guard against future unknown threats?

A. Run queries in Security Investigation Tool
B. Turn on advanced phishing and malware protection
C. Enable Security Sandbox
D. Enable Gmail confidential mode

Answer: C

Explanation:

In the scenario where your organization has already been affected by an advanced malware attack—specifically one delivered through embedded macros in attachments—relying solely on Gmail’s conventional malware scanning is not enough. These types of threats are often zero-day attacks or exploit new techniques that bypass signature-based defenses. This is where Security Sandbox becomes crucial.

C. Enable Security Sandbox is the correct answer because it provides an advanced, behavior-based analysis environment for scanning email attachments. When enabled, the Security Sandbox isolates and executes attachment files in a secure environment to monitor their behavior. If a file attempts suspicious actions—such as launching macros, accessing the network, or manipulating files in abnormal ways—the system flags it as a potential threat before it reaches the user’s inbox. This is particularly important for identifying zero-day malware, macro-based threats, and other evasive malicious payloads that traditional scanning methods might miss.

Now let’s break down why the other choices are not the best fit for this situation:

A. Run queries in Security Investigation Tool
 This is a reactive tool. It allows administrators to investigate and mitigate issues after they occur by running forensic-style searches across Gmail and other Workspace services. While useful for post-incident analysis, it does not prevent threats from reaching users in the first place.

B. Turn on advanced phishing and malware protection
This is a solid defense measure and should be enabled in any secure Workspace environment. However, it primarily includes predefined rules, machine learning, and reputation-based filtering. Although it significantly improves protection over the default settings, it may still miss sophisticated or unknown (zero-day) threats, particularly those embedded in macro-enabled documents. It does not run files in a secure execution environment like the Security Sandbox does.

D. Enable Gmail confidential mode
Confidential mode is designed to protect sensitive data leakage by allowing senders to restrict the ability to forward, copy, download, or print messages. It can also enforce message expiration or require SMS verification. However, it does not provide malware protection or address threats related to email attachments.

In summary, enabling Security Sandbox is the best proactive step a Workspace administrator can take to combat advanced or unknown malware attacks embedded in email attachments. By running suspicious files in a secure, controlled environment and analyzing their behavior, Sandbox ensures that threats are identified before they ever reach users—providing an essential additional layer of defense against future attacks.


Avanset - #1 VCE Player & Designer
How to Open VCE Files

Use VCE Exam Simulator to open VCE files

VCE Player for MAC
Sign UpSign Up Learn MoreLearn More Full VersionFull Version
UP

LIMITED OFFER: GET 30% Discount

This is ONE TIME OFFER

ExamSnap Discount Offer
Enter Your Email Address to Receive Your 30% Discount Code

A confirmation link will be sent to this email address to verify your login. *We value your privacy. We will not rent or sell your email address.

Download Free Demo of VCE Exam Simulator

Experience Avanset VCE Exam Simulator for yourself.

Simply submit your e-mail address below to get started with our interactive software demo of your free trial.

Free Demo Limits: In the demo version you will be able to access only first 5 questions from exam.