An administrator has been tasked with preventing the use of unauthorized USB storage devices from being used in the environment.
Which item needs to be enabled in order to enforce this requirement?
- A . Enable the Block access to all unapproved USB devices within the policies option.
- B . Choose to disable USB device access on each endpoint from the Inventory page.
- C . Select the option to block USB devices from the Reputation page.
- D . Elect to approve only allowed USB devices from the USB Devices page.
An administrator needs to create a search, but it must exclude "system.exe".
How should this task be completed?
- A . #process_name:system.exe
- B . *process_name:system.exe
- C . <process_name:system.exe>
- D . -process_name:system.exe
An administrator needs to use an ID to search and investigate security incidents in Carbon Black Cloud.
Which three IDs may be used for this purpose? (Choose three.)
- A . Threat
- B . Hash
- C . Sensor
- D . Event
- E . User
- F . Alert
Which VMware Carbon Black Cloud integration is supported for SIEM?
- A . SolarWinds
- B . LogRhythm
- C . Splunk App
- D . Datadog
What connectivity is required for VMware Carbon Black Cloud Endpoint Standard to perform Sensor Certificate Validation?
- A . TCP/443 to GoDaddy OCSP and CRL URLs (crl.godaddy.com and ocsp.godaddy.com)
- B . TCP/80 to GoDaddy OCSP and CRL URLs (crl.godaddy.com and ocsp.godaddy.com)
- C . TCP/443 to GoDaddy CRL URL (crl.godaddy.com and ocsp.godaddy.com)
- D . TCP/80 to GoDaddy CRL URL (crl.godaddy.com and ocsp.godaddy.com)
An administrator wants to block an application by its path instead of reputation. The following steps have already been taken:
Go to Enforce > Policies > Select the desired policy >
Which additional steps must be taken to complete the task?
- A . Click Enforce > Add application path name
- B . Scroll down to the Permissions section > Click Add application path > Enter the path of the desired application
- C . Scroll down to the Blocking and Isolation section > Click Edit (pencil icon) for the desired Reputation
- D . Scroll down to the Blocking and Isolation section > Click Add application path > Enter the path of the desired application
An administrator is investigating an alert and reads a summary that says:
The application powershell.exe was leveraged to make a potentially malicious network connection.
Which action should the administrator take immediately to block that connection?
- A . Click Delete Application
- B . Click Quarantine Asset
- C . Click Export Alert
- D . Click Drop Connection
Which command is used to immediately terminate a current Live Response session?
- A . kill
- B . detach -q
- C . delete
- D . execfg
A user downloaded and executed malware on a system. The malware is actively exfiltrating data.
Which immediate action is recommended to prevent further exfiltration?
- A . Check Security Advisories and Threat Research contents.
- B . Place the device in quarantine.
- C . Run a background scan.
- D . Request upload of the file for analysis.
What are the highest and lowest file reputation priorities, respectively, in VMware Carbon Black Cloud?
- A . Priority 1: Ignore, Priority 11: Unknown
- B . Priority 1: Unknown, Priority 11: Ignore
- C . Priority 1: Known Malware, Priority 11: Common White
- D . Priority 1: Company Allowed, Priority 11: Not Listed/Adaptive White
An administrator wants to find information about real-world prevention rules that can be used in
VMware Carbon Black Cloud Endpoint Standard.
How can the administrator obtain this information?
- A . Refer to an external report from other security vendors to obtain solutions.
- B . Refer to the TAU-TIN’s on the VMware Carbon Black community page.
- C . Refer to the VMware Carbon Black Cloud sensor install guide.
- D . Refer to VMware Carbon Black Cloud user guide.
Is it possible to search for unsigned files in the console?
- A . Yes, by using the search:
NOT process_publisher_state:FILE_SIGNATURE_STATE_SIGNED - B . No, it is not possible to return a query for unsigned files.
- C . Yes, by using the search:
process_publisher_state:FILE_SIGNATURE_STATE_UNSIGNED - D . Yes, by looking at signed and unsigned executables in the environment and seeing if another difference can be found, thus locating unsigned files in the environment.
The administrator has configured a permission rule with the following options selected:
– Application at path: C:Program Files**
– Operation Attempt: Performs any operation
– Action: Bypass
What is the impact, if any, of using the wildcards in the application at path field?
- A . Executable files in the "Program Files" directory and subdirectories will be ignored.
- B . Executable files in the "Program Files" directory will be blocked.
- C . Executable files in the "Program Files" directory will be logged.
- D . Executable files in the "Program Files" directory will be subject to blocking rules.
A script-based attack has been identified that inflicted damage to the corporate systems. The security
administrator found out that the malware was coded into Excel VBA and would like to perform a search to further inspect the incident.
Where in the VMware Carbon Black Cloud Endpoint Standard console can this action be completed?
- A . Endpoints
- B . Settings
- C . Investigate
- D . Alerts
An administrator would like to proactively know that something may get blocked when putting a policy rule in the environment.
How can this information be obtained?
- A . Search the data using the test rule functionality.
B Examine log files to see what would be impacted - B . Put the rules in and see what happens to the endpoints.
D Determine what would happen based on previously used antivirus software
An administrator has just placed an endpoint into bypass.
What type of protection, if any, will VMware Carbon Black provide this device?
- A . VMware Carbon Black will be uninstalled from the endpoint.
- B . VMware Carbon Black will place the machine in quarantine.
- C . VMware Carbon Black will not provide any protection to the endpoint.
- D . VMware Carbon Black will apply policy rules.
A security administrator needs to review the Live Response activities and commands that have been executed while performing a remediation process to the sensors.
Where can the administrator view this information in the console?
- A . Users
- B . Audit Log
- C . Notifications
- D . Inbox
Which statement accurately characterizes Alerts that are categorized as a "Threat" versus those categorized as "Observed"?
- A . "Threat" indicates an ongoing attack. "Observed" indicates the attack is over and is being watched.
- B . "Threat" indicates a more likely malicious event. "Observed" are less likely to be malicious.
- C . "Threat" indicates a block (Deny or Terminate) has occurred. "Observed" indicates that there is no block.
- D . "Threat" indicates that no block (Deny or Terminate) has occurred. "Observed" indicates a block.
An administrator is working in a development environment that has a policy rule applied and notices that there are too many blocks. The administrator takes action on the policy rule to troubleshoot the issue until the blocks are fixed.
Which action should the administrator take?
- A . Unenforce
- B . Disable
- C . Recall
- D . Delete
An organization has the following requirements for allowing application.exe:
– Must not work for any user’s D: drive
– Must allow running only from inside of the user’s TempAllowed directory
– Must not allow running from anywhere outside of TempAllowed
For example, on one user’s machine, the path is C:UsersLorieTempAllowedapplication.exe.
Which path meets this criteria using wildcards?
- A . C:Users?TempAllowedapplication.exe
- B . C:Users*TempAllowedapplication.exe
- C . *:Users**TempAllowedapplication.exe
- D . *:Users*TempAllowedapplication.exe