5V0-93.22 Sample Questions Answers

 These settings are part of the Prevention policy settings for Windows sensors, and they are not available for macOS or Linux sensors. These settings have the following functions:

• Delay execute for cloud scan: This setting allows the sensor to delay the execution of unknown files until the cloud scan result is returned. This setting can prevent potential malware from running before the cloud reputation is determined.
• Expedited background scan: This setting allows the sensor to perform a background scan of the endpoint as soon as possible after the sensor is installed or updated. This setting can help to identify and remediate any existing threats on the endpoint.
• Scan execute on network drives: This setting allows the sensor to scan files that are executed from network drives. This setting can help to protect the endpoint from network-based attacks.

The other settings are applicable to sensors on both Windows and non-Windows operating systems. B. Allow user to disable protection is a setting that allows the user to temporarily disable the sensor protection from the system tray icon. C. Submit unknown binaries for analysis is a setting that allows the sensor to upload unknown files to the cloud for analysis and reputation. F. Require code to uninstall sensor is a setting that requires the user to enter a code to uninstall the sensor from the endpoint. References:

• Prevention Policy Settings - VMware Docs, Windows Settings section.
• Prevention Policy Settings - VMware Docs, macOS and Linux Settings section.

When an administrator dismisses a group of alerts and ticks the box for “Dismiss future instances of this alert on all devices in all policies”, the following happens:

• The alerts are moved to the Dismissed tab on the Alerts page, and the alert count is reduced accordingly.
• The alerts are no longer displayed on the Dashboard or the Device page.
• The alerts are no longer considered for the device health score or the policy health score.
• The alerts are no longer sent to any configured Notifications.

Therefore, if a new alert is added to the same group of alerts, it will also be dismissed automatically and follow the same rules as above. This means that the alert will show when the Dismissed filter is selected on Alerts page, but a Notification email will not be sent. References: VMware Carbon Black Cloud Endpoint Standard Skills Reference Materials, Section 6.2: Dismissing Alerts, Page 46.

According to the VMware Carbon Black Cloud Endpoint Standard Skills Reference Materials, alerts are categorized as either “Threat” or “Observed” based on the severity and confidence of the event. “Threat” alerts indicate a high-severity and high-confidence event that is more likely to be malicious, such as a ransomware attack, a credential theft, or a network beacon. “Observed” alerts indicate a low-severity and low-confidence event that is less likely to be malicious, such as a suspicious registry modification, a fileless script execution, or a process injection. The categorization of alerts helps analysts prioritize their investigations and responses. References: VMware Carbon Black Cloud Endpoint Standard Skills Reference Materials, page 14, section 2.3.1. Alert Categories. [Link]

To create a search that excludes “system.exe”, the administrator needs to use the minus sign (-) as a negation operator in the search query. The negation operator excludes any events that match the specified field and value from the search results. For example, the query -process_name:system.exe will return all the events that do not have “system.exe” as the process name. The other options are incorrect because they do not use the negation operator. The hash sign (#) is used to search for exact matches, the asterisk (*) is used as a wildcard character, and the angle brackets (< >) are used to search for ranges of values. References:

• VMware Carbon Black Cloud Endpoint Standard Skills Reference Materials, Module 2: Search, pages 2-5 to 2-6.
• VMware Carbon Black Cloud Endpoint Standard User Guide, Chapter 7: Search, pages 83-84.

 A security benefit of VMware Carbon Black Cloud Endpoint Standard is that it provides visibility into the entire attack chain and customizable threat intelligence that can be used to gain insight into problems. Endpoint Standard uses behavioral analytics to detect and prevent malicious activity on endpoints, and also collects comprehensive event data that can be used to investigate and respond to incidents. Endpoint Standard also allows administrators to customize their threat intelligence feeds and alerts, and integrate with other security tools and platforms. This way, administrators can gain a deeper understanding of the threats facing their organization and take appropriate actions to mitigate them. The other options are incorrect because they are not security benefits of Endpoint Standard. Option A is incorrect because a flexible query scheduler is a feature of VMware Carbon Black Audit and Remediation, not Endpoint Standard. Option C is incorrect because customizable threat feeds are a feature of VMware Carbon Black Enterprise EDR, not Endpoint Standard. Option D is incorrect because policy rules that can be tested by selecting test rule next to the desired operation attempt are a feature of VMware Carbon Black App Control, not Endpoint Standard. References: VMware Carbon Black Cloud Endpoint Standard Datasheet, Carbon Black Cloud Endpoint Standard - Technical Overview

 The VMware Carbon Black Cloud Endpoint Standard allows administrators to add applications to the Approved List, which approves the presence and actions of specified applications on the endpoints. Adding to the Approved List is global in its effects and applies to all policies attached to a particular version of an application. There are two different methods that can be used to add applications to the Approved List: by signing certificate or by application path.

• By signing certificate: This method allows administrators to approve files that are signed by a specific certificate authority (CA) or signer. For example, if an administrator wants to approve all files that are signed by Google Inc, they can add the signer name and the CA name to the Approved List. This method is useful for approving files that are frequently updated or have dynamic names or paths. However, administrators should be careful when using wildcards or approving certificates from untrusted sources, as this could lead to incidentally approving malicious software that appears to be signed by a trusted CA or signer.
• By application path: This method allows administrators to approve files that are located in a specific path on the endpoint. For example, if an administrator wants to approve a custom application that is installed in C:\Program Files\Custom Application\, they can add the path and the file name to the Approved List. This method is useful for approving files that have a fixed name and location on the endpoint. However, administrators should be aware that this method does not account for new versions of the application, and they should routinely update the Approved List to reflect the changes. Administrators can also use wildcards to target certain files or directories, but they should be as specific as possible to avoid approving unwanted files.

The other options are not valid methods for adding applications to the Approved List. MD5 hash is a method for adding files to the Banned List, which prevents specific files from running on the endpoints by their hash values. Application name is a method for creating permission rules, which allow or deny the presence and actions of an application only on a specific device. IT Tool is not a method, but a category of applications that are recommended to be added to the Approved List, such as software deployment tools, executable installers, IDEs, compilers, or script editors. References: Adding to the Approved List, Endpoint Standard: How to add a Certificate to the Approved List, Endpoint Standard: How to add a SHA256 hash to Approved/Banned List

Placing the device in quarantine is the recommended immediate action to prevent further exfiltration of data by the malware. Quarantine is a feature of VMware Carbon Black Cloud Endpoint Standard that allows you to isolate a device from the network, preventing any communication with other devices or external servers. This can help contain an active threat and prevent further damage. You can quarantine a device from the Devices page or from the Device Summary page. You can also unquarantine a device when the threat is resolved. References:

• VMware Carbon Black Cloud Endpoint Standard - On Demand, Module 5: Responding to Threats, Lesson 2: Quarantine a Device, slide 5.
• VMware Carbon Black Cloud Endpoint Standard, page 11, Quarantine a Device.

The impact of using the wildcards in the application at path field is that executable files in the “Program Files” directory and subdirectories will be ignored by the VMware Carbon Black Cloud Endpoint Standard sensor. This is because the permission rule has the following options selected:

• Application at path: C:\Program Files**
• Operation Attempt: Performs any operation
• Action: Bypass

The application at path field specifies the path of the executable file that the rule applies to. The ** wildcard matches a partial path across all subdirectory levels and is recursive. For example, C:\Program Files** matches any files in that directory and all subdirectories1.

The operation attempt field specifies the type of operation that the executable file attempts to perform. The Performs any operation option means that the rule applies to any operation, such as creating a file, modifying a registry key, or executing a command.

The action field specifies the action that the VMware Carbon Black Cloud Endpoint Standard sensor takes when the rule is triggered. The Bypass option means that the sensor ignores the executable file and does not apply any blocking rules or log any events for it2.

Therefore, by using the wildcards in the application at path field, the permission rule effectively excludes any executable files in the “Program Files” directory and subdirectories from the VMware Carbon Black Cloud Endpoint Standard sensor’s prevention and detection capabilities. References:

• Prevention Policy Settings - VMware Docs, Permissions section, Action subsection.
• Set Permission Policy Rules - VMware Docs, Procedure section, step 4.
• Carbon Black Cloud: How to Use Wildcards in Policy Rules - Carbon Black Community, Wildcard Description table, ** row.

 According to the VMware Carbon Black Cloud Sensor Installation Guide, the port that will be the fallback if the VMware Carbon Black Cloud sensor is not able to establish connectivity to the VMware Carbon Black Cloud Content Management URL over the standard SSL port TCP/443 is TCP/8443. This port is used for content management fallback, which allows the sensor to receive instructions (manifests) that configure a wide variety of the Carbon Black Cloud features and their underlying rules. The sensor will attempt to connect to the Content Management URL over TCP/443 first, and if that fails, it will try TCP/8443. If both ports fail, the sensor will not be able to communicate with the Carbon Black Cloud console and will not receive any policy updates or commands1.

The other ports are not used for content management fallback. TCP/54443 is used for Unified Binary Store (UBS) fallback, which allows the sensor to upload file metadata and content to the Carbon Black Cloud for analysis and reputation. TCP/80 is used for third-party certificate validation, which allows the sensor to verify the communication certificate with the Carbon Black Cloud backend. It will not fallback and fail is not a valid option, as the sensor has a built-in fallback mechanism for content management1. References:

• Configure a Firewall - VMware Docs, Ports and URLs table.

To identify whether a sensor’s signature pack is out-of-date in VMware Carbon Black Cloud, the user can go to the Inventory page, select the Endpoints tab, and click on the device name of the endpointthey want to check. This will open the Endpoint Details page, where the user can see the Sensor Update Status, which shows the current version and date of the sensor’s signature pack, as well as the latest available version and date. If the current version is lower than the latest version, the sensor’s signature pack is out-of-date and needs to be updated. References: VMware Carbon Black Cloud Endpoint Standard Skills Reference Materials, Section 3.2.1: Monitor Sensor Health and Update Status, Page 25.

The VMware Carbon Black sensor uses port 443 by default to communicate with the VMware Carbon Black Cloud. This port is used for both incoming and outgoing TCP connections to the environment-specific URLs that provide console access, API requests, sensor communication, UBS download, signature update, third-party certificate validation, and Live Response uploads. Port 54443 is used as a backup port in case port 443 is blocked or unavailable. Ports 80 and 22 are not used by the VMware Carbon Black sensor. References: Configure a Firewall, Ports and URLs

VMware Carbon Black Cloud Endpoint Standard uses a hybrid approach to determine the reputation of files on the endpoints. It combines local scan, which uses signature-based detection to identify known malware, and cloud scan, which uses cloud-based analytics and machine learning to identify unknown or emerging threats. When a sensor’s local AV signatures are out-of-date, it means that the local scan cannot detect the latest malware variants that have been added to the signature database. However, this does not affect the cloud scan, which can still determine the reputation of newly discovered files based on their behavior, characteristics, and context. Therefore, the effect of having out-of-date local AV signatures is that the reputation is determined by cloud reputation, which is more accurate and up-to-date than signature-based detection. The other options are not correct, because the sensor does not prompt the end user, automatically block, or fail to block a new file based on the local AV signatures alone. References: Carbon Black Cloud Endpoint Standard - Technical Overview, View and Update Signature Versions, Endpoint Standard: How to verify AV Signatures are updating

The tool that the security administrator is using to remediate a security vulnerability that may affect the sensors is Live Response. Live Response is a feature of VMware Carbon Black Cloud Endpoint Standard that allows the administrator to perform remote investigations, contain ongoing attacks, and remediate threats using a command line interface. Live Response enables the administrator to interact with the sensors and access the endpoints in real time, using various commands and scripts. Live Response can also be used to upload or download files, execute processes, terminate processes, delete files, and more12.

The other tools are not relevant or applicable for this scenario. CBLauncher is a tool that allows the administrator to launch applications on the endpoint without triggering policy rules or alerts. CBLauncher is useful for troubleshooting application compatibility issues or testing new applications, but it does not provide interaction or remote access for further investigation3. PowerCLI is a tool that allows the administrator to automate and manage VMware products and services using PowerShell commands and scripts. PowerCLI is useful for administering VMware virtual machines, hosts, networks, storage, and more, but it does not provide interaction or remote access for further investigation4. IRepCLI is a tool that allows the administrator to generate and upload reputation information for files on the endpoint. IRepCLI is useful for enhancing the threat intelligence and detection capabilities of VMware Carbon Black Cloud, but it does not provide interaction or remote access for further investigation5. References:

• Use Live Response - VMware Docs, Overview section.
• CBLauncher - VMware Docs, Overview section.
• Live Response Commands - VMware Docs, Overview section.
• VMware PowerCLI Documentation, Overview section.
• IRepCLI - VMware Docs, Overview section.

• The IDs that may be used to search and investigate security incidents in Carbon Black Cloud are hash, sensor, and alert.
• A hash is a unique identifier for a file or process that can be used to track its activity and behavior across endpoints. A hash can be searched in the Investigate page to view its reputation, prevalence, and associated alerts.
• A sensor is a unique identifier for an endpoint that has the Carbon Black Cloud agent installed. A sensor can be searched in the Endpoints page to view its status, policy, and associated alerts. A sensor can also be searched in the Investigate page to view its processes, events, and network connections.
• An alert is a unique identifier for a security incident that is generated by Carbon Black Cloud based on the policy rules and threat intelligence. An alert can be searched in the Alerts page to view its details, timeline, and remediation actions. An alert can also be searched in the Investigate page to view its associated processes, events, and network connections.
• A threat is not a valid ID for searching and investigating security incidents in Carbon Black Cloud. A threat is a term used to describe a malicious actor or activity that poses a risk to the organization. A threat can be detected by Carbon Black Cloud based on the threat intelligence feeds and watchlists, but it is not a unique identifier for a specific incident.
• An event is not a valid ID for searching and investigating security incidents in Carbon Black Cloud. An event is a term used to describe a single action or occurrence that is recorded by the Carbon Black Cloud agent on an endpoint. An event can be viewed in the Investigate page as part of a process or alert, but it is not a unique identifier for a specific incident.
• A user is not a valid ID for searching and investigating security incidents in Carbon Black Cloud. A user is a term used to describe a person who has access to the Carbon Black Cloud console or API. A user can be searched in the Users page to view their role, permissions, and activity, but they are not directly related to security incidents. References:
• VMware Carbon Black Cloud Endpoint Standard Skills Reference Materials, Section 2.1: Investigate
• VMware Carbon Black Cloud Endpoint Standard Skills Reference Materials, Section 2.2: Alerts
• VMware Carbon Black Cloud Endpoint Standard Skills Reference Materials, Section 2.3: Endpoints
• VMware Carbon Black Cloud Endpoint Standard Skills Reference Materials, Section 2.4: Threats
• VMware Carbon Black Cloud Endpoint Standard Skills Reference Materials, Section 2.5: Users

The impact of using the wildcards in the path for this rule is C. Any executable in the downloads directory for any user on the system will be bypassed for inspection. This is because the permission rule has the following options selected:

• Application at path: C:\Users*\Downloads**
• Operation Attempt: Performs any operation
• Action: Bypass

The application at path field specifies the path of the executable file that the rule applies to. The * wildcard matches 0 or more consecutive characters up to a single subdirectory level. For example, C:\Users*\ matches any subdirectory under the Users directory, such as C:\Users\Lorie, C:\Users\John, or C:\Users\Alice. The ** wildcard matches a partial path across all subdirectory levels and is recursive. For example, \Downloads** matches any files in that directory and all subdirectories. Therefore, by using the wildcards in the application at path field, the permission rule covers any executable file in the downloads directory for any user on the system.

The operation attempt field specifies the type of operation that the executable file attempts to perform. The Performs any operation option means that the rule applies to any operation, such as creating a file, modifying a registry key, or executing a command.

The action field specifies the action that the VMware Carbon Black Cloud Endpoint Standard sensor takes when the rule is triggered. The Bypass option means that the sensor ignores the executable file and does not apply any blocking rules or log any events for it1.

Therefore, by using the wildcards in the path for this rule, the permission rule effectively bypasses any executable file in the downloads directory for any user on the system from the VMware Carbon Black Cloud Endpoint Standard sensor’s prevention and detection capabilities. References:

• Prevention Policy Settings - VMware Docs, Permissions section, Action subsection.