5V0-93.22 VMware Carbon Black Cloud Endpoint Standard Skills Questions and Answers

• To block an application by its path instead of reputation, the administrator needs to follow these steps:
• The other options are incorrect because they do not specify the correct section, button, or field for blocking an application by its path. The Enforce section is for managing the policy assignments, not the policy rules. The Permissions section is for managing the application control rules, not the application blocking rules. The Edit (pencil icon) button is for modifying the existing reputation levels, not for adding a new application path rule. References:
• VMware Carbon Black Cloud Endpoint Standard Skills Reference Materials, Module 3: Application Control, pages 3-7 to 3-8.
• VMware Carbon Black Cloud Endpoint Standard User Guide, Chapter 9: Application Control, pages 115-116.

 According to the VMware Carbon Black Cloud User Guide, the reputation priority is in a descending order with 1 being the highest priority and 11 the lowest priority. The highest priority reputation is Ignore, which is a self-check reputation that Carbon Black Cloud assigns to product files and grants them with full permissions to run. The lowest priority reputation is Unknown, which indicates that Carbon Black Cloud has not yet determined the reputation of the file. References:

• Reputation Assignment - VMware Docs, Reputation Priority table.

The correct statement regarding Blocking/Isolation rules and Permission rules is D. Blocking & Isolation rules are overridden by Permission Rules. This means that if a file or process matches both a Blocking/Isolation rule and a Permission rule, the action specified by the Permission rule will take precedence over the action specified by the Blocking/Isolation rule. For example, if a file has a reputation of SUSPECT_MALWARE and a Blocking/Isolation rule is set to terminate any SUSPECT_MALWARE file that runs, but a Permission rule is set to allow and log any file that runs from a specific path, the file will be allowed and logged if it runs from that path, regardless of its reputation. Permission rules are useful for tuning the behavior of VMware Carbon Black Cloud Endpoint Standard and preventing false positives or unnecessary blocks1.

The other statements are false or irrelevant. Blocking & Isolation rules are not overridden by Upload Rules. Upload Rules are rules that specify which files and metadata are uploaded to the Carbon Black Cloud for analysis and reputation. Upload Rules do not affect the prevention or detection capabilities of VMware Carbon Black Cloud Endpoint Standard2. Permission Rules are not overridden by Blocking & Isolation rules. As explained above, Permission Rules have a higher priority than Blocking & Isolation rules and can override their actions. Upload Rules are not overridden by Blocking & Isolation rules. Upload Rules and Blocking & Isolation rules are independent of each other and do not affect each other’s functionality. References:

• Prevention Policy Settings - VMware Docs, Permissions section, Action subsection.
• Upload Rules - VMware Docs, Overview section.

According to the VMware Carbon Black Cloud Sensor Installation Guide, the permission level that is required when a user wants to install a sensor on a Windows endpoint is Administrator. The usermust have local administrator privileges on the endpoint to install the sensor. The user can install the sensor by using one of the following methods:

• Method 1: Invite Users to Install Sensors on Endpoints: This method allows the user to install the sensor by using an installation code that is sent by email from the Carbon Black Cloud console. The user must run the installation code as an administrator on the endpoint.
• Method 2: Install the Sensor on the Endpoint by using the Command Line or Software Distribution Tools: This method allows the user to install the sensor by using the command line, or by using a scripted or automated method such as Group Policy or systems management tools. The user must run the installation command or script as an administrator on the endpoint.

The other permission levels are not sufficient or relevant for installing a sensor on a Windows endpoint. Everyone is a group that includes all users and groups on the endpoint, but it does not grant administrator privileges. Root is a user that has full access and control over a Linux or Unix system, but it is not applicable to a Windows endpoint. User is a general term that refers to any person who uses a computer or network service, but it does not imply administrator privileges. References:

• VMware Carbon Black Cloud Sensor Installation Guide, page 7, Sensor Components section, Sensor Service (RepMqr) subsection.
• Installing Windows Sensors on Endpoints - VMware Docs, Procedure section, step 1.

 The VMware Carbon Black Cloud Endpoint Standard allows administrators to add applications to the Approved List, which approves the presence and actions of specified applications on the endpoints. Adding to the Approved List is global in its effects and applies to all policies attached to a particular version of an application. There are two different methods that can be used to add applications to the Approved List: by signing certificate or by application path.

• By signing certificate: This method allows administrators to approve files that are signed by a specific certificate authority (CA) or signer. For example, if an administrator wants to approve all files that are signed by Google Inc, they can add the signer name and the CA name to the Approved List. This method is useful for approving files that are frequently updated or have dynamic names or paths. However, administrators should be careful when using wildcards or approving certificates from untrusted sources, as this could lead to incidentally approving malicious software that appears to be signed by a trusted CA or signer.
• By application path: This method allows administrators to approve files that are located in a specific path on the endpoint. For example, if an administrator wants to approve a custom application that is installed in C:\Program Files\Custom Application\, they can add the path and the file name to the Approved List. This method is useful for approving files that have a fixed name and location on the endpoint. However, administrators should be aware that this method does not account for new versions of the application, and they should routinely update the Approved List to reflect the changes. Administrators can also use wildcards to target certain files or directories, but they should be as specific as possible to avoid approving unwanted files.

The other options are not valid methods for adding applications to the Approved List. MD5 hash is a method for adding files to the Banned List, which prevents specific files from running on the endpoints by their hash values. Application name is a method for creating permission rules, which allow or deny the presence and actions of an application only on a specific device. IT Tool is not a method, but a category of applications that are recommended to be added to the Approved List, such as software deployment tools, executable installers, IDEs, compilers, or script editors. References: Adding to the Approved List, Endpoint Standard: How to add a Certificate to the Approved List, Endpoint Standard: How to add a SHA256 hash to Approved/Banned List

The sensor status details can be found in the Inventory > Endpoints tab of the VMware Carbon Black Cloud interface. This tab displays all the deployed sensors by default, and allows the administrator to filter them by various criteria, such as status, policy, group, OS, or device name. The status column indicates the state of a sensor and any administrator actions that have been taken on the sensor, such as bypass, quarantine, or deregister. The administrator can also view more details about a sensor by clicking on its name, such as the sensor version, last check-in time, device health score, and policy history. The administrator can also take actions on a sensor from this tab, such as updating, isolating, or uninstalling the sensor. References: Sensor Status and Details — Asset Groups, Carbon Black Cloud Endpoint Standard - Technical Overview

These components can provide more information about the suspicious running process and its behavior, such as:

• Event details: This component shows the details of the event that triggered the alert, such as the device name, the device time, the process name, the process path, the process ID, the operation type, the operation result, the registry key, the registry value, and the registry data. The event details can help the security administrator to identify the source and the target of the registry modification attempt, and to verify if the operation was successful or not.
• Command lines: This component shows the command lines that were executed by the process or its parent process, such as the arguments, the parameters, the switches, and the environment variables. The command lines can help the security administrator to understand the purpose and the context of the process execution, and to detect any malicious or anomalous commands or scripts.
• TTPs involved: This component shows the tactics, techniques, and procedures (TTPs) that were involved in the event, based on the MITRE ATT&CK framework. The TTPs can help the security administrator to assess the severity and the impact of the event, and to correlate the event with other related events or indicators of compromise.

The other components are not as useful or relevant for investigating the alert. A. Device ID and priority score are components that provide general information about the device and the alert, but they do not provide specific details about the suspicious running process or its behavior. C. Network connections and child path are components that show the network activity and the child processes of the suspicious running process, but they do not show the registry modification attempt or its result. D. File reputation and timestamp are components that show the reputation and the time of the file associated with the suspicious running process, but they do not show the command lines orthe TTPs involved in the event. References: VMware Carbon Black Cloud Endpoint Standard Skills Reference Materials, Section 2.3.2: Investigate Alerts, Page 16.

• The VMware Carbon Black Cloud integration that is supported for SIEM is the Splunk App. The Splunk App allows administrators to bring alerts, events, audit logs, or vulnerability data from Carbon Black Cloud into their Splunk dashboard1. The Splunk App also supports Splunk SOAR, which enables automated actions and workflows based on Carbon Black Cloud alerts2.
• The other options are not supported for SIEM integration with Carbon Black Cloud. SolarWinds, LogRhythm, and Datadog are not listed among the 140+ ecosystempartnerships and integrations that Carbon Black Cloud offers3. They are also not part of the Next-Gen SOC Alliance, which features Splunk, IBM Security, Google Cloud’s Chronicle, Exabeam, and Sumo Logic integrations with Carbon Black Cloud1. References:
• VMware Carbon Black Cloud Endpoint Standard Skills Reference Materials, Section 2.6: Integrations
• VMware Carbon Black Cloud Endpoint Standard User Guide, Chapter 12: Integrations
• Integrations and APIs - VMware
• Carbon Black Cloud - Cloud SIEM | Sumo Logic Docs
• VMware Launches Next-Gen SOC Alliance with Splunk, IBM … - VMware Blogs

 According to the VMware Carbon Black Cloud Endpoint Standard User Guide, the threshold, in days, before a machine shows as inactive in the console is 7 days. An inactive device is a device that has not communicated with the Carbon Black Cloud console for more than 7 days. The console displays the last communication time for each device on the Endpoints page. The administrator can use the Inactive Devices filter to view all the inactive devices in the organization. The administrator can also use the Device Status widget on the Dashboard page to see the number and percentage of inactive devices in the organization. The administrator can take various actions to resolve the inactive device issue, such as:

• Check the network connectivity and firewall settings of the device
• Check the sensor status and version on the device
• Check the policy settings and rules applied to the device
• Reinstall the sensor on the device
• Delete the device from the console if it is no longer in use References:
• VMware Carbon Black Cloud Endpoint Standard User Guide, page 14, Inactive Devices section.

The impact of using the wildcards in the path is that all executable files in the “Program Files” folder and subfolders will be ignored, including malware files. This is because the double asterisk ** matches any files or directories in that path, and the Bypass action means that the sensor will notmonitor or block any operations performed by those files. This is a very permissive and risky rule, as it could allow malicious files to run without interference from the sensor. A more restrictive and secure rule would be to specify the exact path of the application that needs to be allowed, and use the Allow and Log action instead of Bypass. This way, the sensor will only ignore the specified application, and still log its operations for visibility and analysis. References: Carbon Black Cloud: How to Use Wildcards in Policy Rules, Set Permission Policy Rules

When an administrator dismisses a group of alerts and ticks the box for “Dismiss future instances of this alert on all devices in all policies”, the following happens:

• The alerts are moved to the Dismissed tab on the Alerts page, and the alert count is reduced accordingly.
• The alerts are no longer displayed on the Dashboard or the Device page.
• The alerts are no longer considered for the device health score or the policy health score.
• The alerts are no longer sent to any configured Notifications.

Therefore, if a new alert is added to the same group of alerts, it will also be dismissed automatically and follow the same rules as above. This means that the alert will show when the Dismissed filter is selected on Alerts page, but a Notification email will not be sent. References: VMware Carbon Black Cloud Endpoint Standard Skills Reference Materials, Section 6.2: Dismissing Alerts, Page 46.

A leading wildcard is a wildcard that is placed at the beginning of a search term, such as * or ?. A leading wildcard matches any characters that precede the specified term. For example, filemod:/system32/ntdll.dll matches any file modification events that end with /system32/ntdll.dll, regardless of the drive letter or the directory name. A leading wildcard is not recommended unless absolutely necessary because it carries a significant performance penalty for the search. This is because the search engine has to scan the entire index for possible matches, rather than using the index to quickly narrow down the results1.

The other options are not examples of leading wildcards. A. filemod:system32/ntdll.dll is an exact match query that matches only file modification events that are exactly system32/ntdll.dll. B. filemod:system32/ntdll.dll is a trailing wildcard query that matches any file modification events that start with system32/ and end with ntdll.dll, regardless of the characters in between. D. filemod:system32/ntdll.dll is a trailing wildcard query that matches any file modification events that start with system32/ntdll.dll, regardless of the characters that follow. References:

• Search Syntax - VMware Docs, Wildcards section.

 To enable Live Response on all endpoints in a specific policy, the security administrator needs to follow the correct path to configure the required sensor policy setting. The correct path is Enforce > Policies > Policy > Sensor. This path allows the administrator to select a policy group, then click on the Sensor tab, where they can select or deselect the Enable Live Response checkbox as applicable, and then click Save. This will enable or disable Live Response for all endpoints that are assigned to that policy group. The other options are incorrect because they do not match the correctpath to configure the sensor policy setting for Live Response. References: Use Live Response, Use Live Response for VM Workloads

The tool that the security administrator is using to remediate a security vulnerability that may affect the sensors is Live Response. Live Response is a feature of VMware Carbon Black Cloud Endpoint Standard that allows the administrator to perform remote investigations, contain ongoing attacks, and remediate threats using a command line interface. Live Response enables the administrator to interact with the sensors and access the endpoints in real time, using various commands and scripts. Live Response can also be used to upload or download files, execute processes, terminate processes, delete files, and more12.

The other tools are not relevant or applicable for this scenario. CBLauncher is a tool that allows the administrator to launch applications on the endpoint without triggering policy rules or alerts. CBLauncher is useful for troubleshooting application compatibility issues or testing new applications, but it does not provide interaction or remote access for further investigation3. PowerCLI is a tool that allows the administrator to automate and manage VMware products and services using PowerShell commands and scripts. PowerCLI is useful for administering VMware virtual machines, hosts, networks, storage, and more, but it does not provide interaction or remote access for further investigation4. IRepCLI is a tool that allows the administrator to generate and upload reputation information for files on the endpoint. IRepCLI is useful for enhancing the threat intelligence and detection capabilities of VMware Carbon Black Cloud, but it does not provide interaction or remote access for further investigation5. References:

• Use Live Response - VMware Docs, Overview section.
• CBLauncher - VMware Docs, Overview section.
• Live Response Commands - VMware Docs, Overview section.
• VMware PowerCLI Documentation, Overview section.
• IRepCLI - VMware Docs, Overview section.

The best rule to prevent ransomware that has not been seen before, without blocking other processes, is B. This rule uses the following criteria:

• Not listed application: This means that the application is not known by Carbon Black Cloud Endpoint Standard, and it has no reputation or signature. This can indicate a new or unknown malware that has not been detected by other methods.
• Performs ransomware-like behavior: This means that the application is performing actions that are typical of ransomware, such as encrypting files, deleting backups, or displaying ransom notes. This can indicate a malicious intent and a high risk of data loss or damage.
• Terminate process: This means that the application is stopped and removed from the endpoint, preventing it from completing its malicious actions or spreading to other devices. This can mitigate the impact and severity of the attack.

The other rules are not as effective or appropriate for preventing ransomware that has not been seen before, without blocking other processes. Rule A would only block adware or potentially unwanted programs (PUPs) that scrape memory of another process, which is not necessarily related to ransomware. Rule C would block any unknown malware that runs or is running, which is too broad and could affect legitimate applications that are not listed by Carbon Black. Rule D would block any not listed application that runs or is running, which is also too broad and could affect legitimate applications that are not listed by Carbon Black. References: Carbon Black Cloud Endpoint Standard - Technical Overview, Best Practices: Endpoint Standard Blocking & Isolation Rules, Endpoint Standard: How to add a SHA256 hash to Approved/Banned List