5V0-93.22 VMware Carbon Black Cloud Endpoint Standard Skills Questions and Answers

 A Watchlist is a collection of queries that run against the data in the VMware Carbon Black Cloud Endpoint Standard. Watchlists enable administrators to monitor the activity of endpoints for specific Tactics, Techniques, or Procedures (TTPs) that are of interest. Administrators can configure alerts for Watchlist hits, which will notify them when a particular TTP is observed on a managed endpoint. Alerts for Watchlist hits can be sent via email, syslog, or webhook. References:

• VMware Carbon Black Cloud Endpoint Standard Skills Reference Materials, Module 3: Threat Hunting, Lesson 3.2: Watchlists, page 3-10
• VMware Carbon Black Cloud Endpoint Standard User Guide, Chapter 7: Watchlists, page 115-116

These components can provide more information about the suspicious running process and its behavior, such as:

• Event details: This component shows the details of the event that triggered the alert, such as the device name, the device time, the process name, the process path, the process ID, the operation type, the operation result, the registry key, the registry value, and the registry data. The event details can help the security administrator to identify the source and the target of the registry modification attempt, and to verify if the operation was successful or not.
• Command lines: This component shows the command lines that were executed by the process or its parent process, such as the arguments, the parameters, the switches, and the environment variables. The command lines can help the security administrator to understand the purpose and the context of the process execution, and to detect any malicious or anomalous commands or scripts.
• TTPs involved: This component shows the tactics, techniques, and procedures (TTPs) that were involved in the event, based on the MITRE ATT&CK framework. The TTPs can help the security administrator to assess the severity and the impact of the event, and to correlate the event with other related events or indicators of compromise.

The other components are not as useful or relevant for investigating the alert. A. Device ID and priority score are components that provide general information about the device and the alert, but they do not provide specific details about the suspicious running process or its behavior. C. Network connections and child path are components that show the network activity and the child processes of the suspicious running process, but they do not show the registry modification attempt or its result. D. File reputation and timestamp are components that show the reputation and the time of the file associated with the suspicious running process, but they do not show the command lines orthe TTPs involved in the event. References: VMware Carbon Black Cloud Endpoint Standard Skills Reference Materials, Section 2.3.2: Investigate Alerts, Page 16.

The correct statement regarding Blocking/Isolation rules and Permission rules is D. Blocking & Isolation rules are overridden by Permission Rules. This means that if a file or process matches both a Blocking/Isolation rule and a Permission rule, the action specified by the Permission rule will take precedence over the action specified by the Blocking/Isolation rule. For example, if a file has a reputation of SUSPECT_MALWARE and a Blocking/Isolation rule is set to terminate any SUSPECT_MALWARE file that runs, but a Permission rule is set to allow and log any file that runs from a specific path, the file will be allowed and logged if it runs from that path, regardless of its reputation. Permission rules are useful for tuning the behavior of VMware Carbon Black Cloud Endpoint Standard and preventing false positives or unnecessary blocks1.

The other statements are false or irrelevant. Blocking & Isolation rules are not overridden by Upload Rules. Upload Rules are rules that specify which files and metadata are uploaded to the Carbon Black Cloud for analysis and reputation. Upload Rules do not affect the prevention or detection capabilities of VMware Carbon Black Cloud Endpoint Standard2. Permission Rules are not overridden by Blocking & Isolation rules. As explained above, Permission Rules have a higher priority than Blocking & Isolation rules and can override their actions. Upload Rules are not overridden by Blocking & Isolation rules. Upload Rules and Blocking & Isolation rules are independent of each other and do not affect each other’s functionality. References:

• Prevention Policy Settings - VMware Docs, Permissions section, Action subsection.
• Upload Rules - VMware Docs, Overview section.

The impact of using the wildcards in the path is that all executable files in the “Program Files” folder and subfolders will be ignored, including malware files. This is because the double asterisk ** matches any files or directories in that path, and the Bypass action means that the sensor will notmonitor or block any operations performed by those files. This is a very permissive and risky rule, as it could allow malicious files to run without interference from the sensor. A more restrictive and secure rule would be to specify the exact path of the application that needs to be allowed, and use the Allow and Log action instead of Bypass. This way, the sensor will only ignore the specified application, and still log its operations for visibility and analysis. References: Carbon Black Cloud: How to Use Wildcards in Policy Rules, Set Permission Policy Rules

• To block an application by its path instead of reputation, the administrator needs to follow these steps:
• The other options are incorrect because they do not specify the correct section, button, or field for blocking an application by its path. The Enforce section is for managing the policy assignments, not the policy rules. The Permissions section is for managing the application control rules, not the application blocking rules. The Edit (pencil icon) button is for modifying the existing reputation levels, not for adding a new application path rule. References:
• VMware Carbon Black Cloud Endpoint Standard Skills Reference Materials, Module 3: Application Control, pages 3-7 to 3-8.
• VMware Carbon Black Cloud Endpoint Standard User Guide, Chapter 9: Application Control, pages 115-116.

 To enable Live Response on all endpoints in a specific policy, the security administrator needs to follow the correct path to configure the required sensor policy setting. The correct path is Enforce > Policies > Policy > Sensor. This path allows the administrator to select a policy group, then click on the Sensor tab, where they can select or deselect the Enable Live Response checkbox as applicable, and then click Save. This will enable or disable Live Response for all endpoints that are assigned to that policy group. The other options are incorrect because they do not match the correctpath to configure the sensor policy setting for Live Response. References: Use Live Response, Use Live Response for VM Workloads

 According to the VMware Carbon Black Cloud User Guide, the reputation priority is in a descending order with 1 being the highest priority and 11 the lowest priority. The highest priority reputation is Ignore, which is a self-check reputation that Carbon Black Cloud assigns to product files and grants them with full permissions to run. The lowest priority reputation is Unknown, which indicates that Carbon Black Cloud has not yet determined the reputation of the file. References:

• Reputation Assignment - VMware Docs, Reputation Priority table.

This feature allows the administrator to test the rule against historical data and see how many events would have matched the rule criteria in the past 24 hours. The administrator can also see the details of the matching events, such as the device name, the process name, the process path, the operation type, and the operation result. This feature can help the administrator to confirm that the new rulewould have prevented a previous execution that had been observed, as well as to evaluate the effectiveness and accuracy of the rule1.

The other options are not features that can be used for this purpose. A. Setting up a notification based on a policy action, and then selecting Terminate is a feature that allows the administrator to receive an alert when a terminate rule is triggered by a current event, but it does not allow the administrator to test the rule against historical data. C. Configuring the rule to terminate the process is a feature that allows the administrator to specify the action that the sensor will take when the rule is triggered by a current event, but it does not allow the administrator to test the rule against historical data. D. Configuring the rule to deny operation of the process is a feature that allows the administrator to specify a different action than terminate for the rule, but it does not allow the administrator to test the rule against historical data. References:

• Endpoint Standard Rules - VMware Docs, Test Rule section.

The pre-requisite step in gathering specific vulnerability data to export it as a CSV file for analysis is A. Perform a custom search on the Endpoint Page. This step allows the security administrator to use advanced search techniques to query the endpoint data collected by the VMware Carbon Black Cloud sensors. The administrator can use various fields and operators to filter and refine the search results, such as process_name, file_name, file_path, file_type, file_description, and more. Theadministrator can also use the process tree view to visualize the process execution and the event details to examine the process activity. After performing the custom search, the administrator can export the data as a CSV file for further analysis by clicking the Export () icon and selecting CSV Report. The CSV file is available for download under the Notifications drop-down menu1.

The other options are not pre-requisite steps in gathering specific vulnerability data to export it as a CSV file for analysis. Accessing the Audit Log content to see associated events is a step that allows the administrator to review actions performed by Carbon Black Cloud console users, such as logging in, creating policies, banning hashes, isolating devices, and initiating Live Response sessions. The Audit Log does not provide specific vulnerability data for the endpoints2. Searching for specific malware by hash or filename is a step that allows the administrator to find and analyze malicious files on the endpoints, but it does not provide comprehensive vulnerability data for the endpoints. Enabling cloud analysis is a step that allows the administrator to upload file metadata and content to the Carbon Black Cloud for reputation and threat intelligence analysis, but it does not provide specific vulnerability data for the endpoints3. References:

• Investigate Endpoint Data - VMware Docs, Overview section.
• Audit Logs - VMware Docs, Overview section.
• Cloud Analysis - VMware Docs, Overview section.

 The correct answer is C because it uses the correct syntax for the advanced search query. The process_name field matches the name of the process, and the AND NOT operator excludes the results that match the second condition. The backslashes in the path need to be escaped with another backslash, so C:\Windows\System32 is the correct way to write it. References: VMware Carbon Black Cloud Endpoint Standard Skills Reference Materials, Section 3.3.2: Investigate Page - Advanced Search.

The most effective way to meet the goal of blocking ransomware in the organization is to turn on the performs ransomware-like behavior rule in the policies. This rule is a feature of VMware Carbon Black Cloud Endpoint Standard that uses behavioral analytics to detect and prevent actions that are typical of ransomware, such as encrypting files, deleting backups, or displaying ransom notes. By turning on this rule, the administrator can block any application that attempts to perform ransomware-like behavior, regardless of its reputation or signature. This can protect the organization from new or unknown ransomware variants that may not be detected by other methods. The administrator can also customize the rule to apply different actions, such as alert, deny, or terminate, depending on the policy configuration and the security needs of the organization.

The other options are not as effective or appropriate for blocking ransomware in the organization. Option A is not proactive, but reactive, as it relies on looking at current attacks to see if the software that is running is vulnerable to potential ransomware attacks. This may not be sufficient to prevent future attacks that use different software or exploit different vulnerabilities. Option C is not accurate, as analytics alone cannot automatically block all the attacks that may occur. Analytics can help toidentify and prioritize the most critical threats, but the administrator still needs to configure the policies and rules to block the attacks. Option D is not recommended, as it exposes the organization to unnecessary risk. Starting in the monitored policy until it is clear that no attacks are happening means that the administrator is not taking any preventive actions, but only monitoring the endpoint activity and logging the events. This may not be enough to stop or mitigate the impact of a ransomware attack, which can cause irreversible damage or data loss in a short time. References: Carbon Black Cloud Endpoint Standard - Technical Overview, Best Practices:

The action that an administrator should take to ensure application.exe cannot run is to remove the Permissions rule for C:\Program Files\IT\Tools*. This is because the Permissions rule has a higher priority than the Blocking and Isolation rule, and it allows any operation on any file in that path, including application.exe. By removing the Permissions rule, the Blocking and Isolation rule will apply and terminate application.exe based on its SUSPECT_MALWARE reputation. The other options are incorrect because they will not prevent application.exe from running. Option A is incorrect because changing the reputation to KNOWN MALWARE will not override the Permissions rule that allows any operation on the file. Option B is incorrect because the file will not be blocked based on reputation alone, as the Permissions rule will bypass the reputation check. Option D is incorrect because adding the hash to the company banned list will not override the Permissions rule that allows any operation on the file. References: Precedence of Policy Rules, Set Permission Policy Rules, Set Blocking and Isolation Policy Rules

VMware Carbon Black Cloud is a cloud-native endpoint and workload protection platform that combines the intelligent system hardening and behavioral prevention needed to keep emerging threats at bay, using a single lightweight agent and an easy-to-use console. One of the capabilities of VMware Carbon Black Cloud is attack chain visualization and search, which allows users to see the full scope of an attack, from initial compromise to lateral movement, and quickly search for indicators of compromise across endpoints and workloads. References: VMware Carbon Black Cloud Endpoint Standard Skills Exam Guide, page 4; VMware Carbon Black Cloud Endpoint Standard Skills Study Guide, page 6.

The Process Analysis page in VMware Carbon Black Cloud Endpoint Standard is a graphical view of the event that shows the process tree, the event timeline, and the event details. The process tree displays the parent-child relationships of the processes involved in the event, as well as the actions taken by the policy, such as blocking or alerting. The event timeline shows the chronological sequence of the events, such as process executions, file modifications, network connections, and registry changes. The event details provide more information about the selected event, such as the process name, path, hash, command line, reputation, and Carbon Black TTPs. The Process Analysis page can help the security administrator to investigate the hash ban event and understand the context and impact of the blocked application. References: Carbon Black Cloud Endpoint Standard - Technical Overview, Add Hash to Banned List, Carbon Black Cloud: How to Add a SHA256 Hash to Approved/Banned List

 These settings are part of the Prevention policy settings for Windows sensors, and they are not available for macOS or Linux sensors. These settings have the following functions:

• Delay execute for cloud scan: This setting allows the sensor to delay the execution of unknown files until the cloud scan result is returned. This setting can prevent potential malware from running before the cloud reputation is determined.
• Expedited background scan: This setting allows the sensor to perform a background scan of the endpoint as soon as possible after the sensor is installed or updated. This setting can help to identify and remediate any existing threats on the endpoint.
• Scan execute on network drives: This setting allows the sensor to scan files that are executed from network drives. This setting can help to protect the endpoint from network-based attacks.

The other settings are applicable to sensors on both Windows and non-Windows operating systems. B. Allow user to disable protection is a setting that allows the user to temporarily disable the sensor protection from the system tray icon. C. Submit unknown binaries for analysis is a setting that allows the sensor to upload unknown files to the cloud for analysis and reputation. F. Require code to uninstall sensor is a setting that requires the user to enter a code to uninstall the sensor from the endpoint. References:

• Prevention Policy Settings - VMware Docs, Windows Settings section.
• Prevention Policy Settings - VMware Docs, macOS and Linux Settings section.