Free VMware 5V0-93.22 Practice Exam with Questions & Answers

The impact of using the wildcards in the path is that all executable files in the “Program Files” folder and subfolders will be ignored, including malware files. This is because the double asterisk ** matches any files or directories in that path, and the Bypass action means that the sensor will notmonitor or block any operations performed by those files. This is a very permissive and risky rule, as it could allow malicious files to run without interference from the sensor. A more restrictive and secure rule would be to specify the exact path of the application that needs to be allowed, and use the Allow and Log action instead of Bypass. This way, the sensor will only ignore the specified application, and still log its operations for visibility and analysis. References: Carbon Black Cloud: How to Use Wildcards in Policy Rules, Set Permission Policy Rules

The command detach -q is used to immediately terminate a current Live Response session and return to the Carbon Black Cloud console. This command is useful when the user wants to end the session without waiting for the timeout or the confirmation prompt. The -q option stands for “quiet” and suppresses any output or feedback from the command. References: VMware Carbon Black Cloud Endpoint Standard Skills Reference Materials, Live Response Commands, page 11.

 The correct answer is C because it uses the correct syntax for the advanced search query. The process_name field matches the name of the process, and the AND NOT operator excludes the results that match the second condition. The backslashes in the path need to be escaped with another backslash, so C:\Windows\System32 is the correct way to write it. References: VMware Carbon Black Cloud Endpoint Standard Skills Reference Materials, Section 3.3.2: Investigate Page - Advanced Search.

• The connectivity that is required for VMware Carbon Black Cloud Endpoint Standard to perform Sensor Certificate Validation is TCP/443 to GoDaddy OCSP and CRL URLs (crl.godaddy.com and ocsp.godaddy.com). Sensor Certificate Validation is a feature that allows the Carbon Black Cloud agent to verify the authenticity and validity of the certificates used by the Carbon Black Cloud services. This feature enhances the security and trust of the communication between the agent and the cloud. To perform Sensor Certificate Validation, the agent needs to access the Online Certificate Status Protocol (OCSP) and Certificate Revocation List (CRL) services provided by GoDaddy, the certificate authority that issues the certificates for Carbon Black Cloud. These services use the HTTPS protocol, which runs on port 443. Therefore, the agent needs to have TCP/443 connectivity to the GoDaddy OCSP and CRL URLs, which are crl.godaddy.com and ocsp.godaddy.com12.
• The other options are incorrect because they do not specify the correct protocol, port, or URLs for Sensor Certificate Validation. TCP/80 is the port for HTTP, not HTTPS, and it is not used by the OCSP and CRL services. GoDaddy CRL URL is only one of the two URLs that the agent needs to access, the other one is GoDaddy OCSP URL. References:
• VMware Carbon Black Cloud Endpoint Standard Skills Reference Materials, Module 1: Introduction, page 1-8.
• VMware Carbon Black Cloud Endpoint Standard User Guide, Chapter 2: Sensor Installation, page 17.

The most effective way to meet the goal of blocking ransomware in the organization is to turn on the performs ransomware-like behavior rule in the policies. This rule is a feature of VMware Carbon Black Cloud Endpoint Standard that uses behavioral analytics to detect and prevent actions that are typical of ransomware, such as encrypting files, deleting backups, or displaying ransom notes. By turning on this rule, the administrator can block any application that attempts to perform ransomware-like behavior, regardless of its reputation or signature. This can protect the organization from new or unknown ransomware variants that may not be detected by other methods. The administrator can also customize the rule to apply different actions, such as alert, deny, or terminate, depending on the policy configuration and the security needs of the organization.

The other options are not as effective or appropriate for blocking ransomware in the organization. Option A is not proactive, but reactive, as it relies on looking at current attacks to see if the software that is running is vulnerable to potential ransomware attacks. This may not be sufficient to prevent future attacks that use different software or exploit different vulnerabilities. Option C is not accurate, as analytics alone cannot automatically block all the attacks that may occur. Analytics can help toidentify and prioritize the most critical threats, but the administrator still needs to configure the policies and rules to block the attacks. Option D is not recommended, as it exposes the organization to unnecessary risk. Starting in the monitored policy until it is clear that no attacks are happening means that the administrator is not taking any preventive actions, but only monitoring the endpoint activity and logging the events. This may not be enough to stop or mitigate the impact of a ransomware attack, which can cause irreversible damage or data loss in a short time. References: Carbon Black Cloud Endpoint Standard - Technical Overview, Best Practices:

When an administrator dismisses a group of alerts and ticks the box for “Dismiss future instances of this alert on all devices in all policies”, the following happens:

• The alerts are moved to the Dismissed tab on the Alerts page, and the alert count is reduced accordingly.
• The alerts are no longer displayed on the Dashboard or the Device page.
• The alerts are no longer considered for the device health score or the policy health score.
• The alerts are no longer sent to any configured Notifications.

Therefore, if a new alert is added to the same group of alerts, it will also be dismissed automatically and follow the same rules as above. This means that the alert will show when the Dismissed filter is selected on Alerts page, but a Notification email will not be sent. References: VMware Carbon Black Cloud Endpoint Standard Skills Reference Materials, Section 6.2: Dismissing Alerts, Page 46.

According to the VMware Carbon Black Cloud Sensor Installation Guide, the permission level that is required when a user wants to install a sensor on a Windows endpoint is Administrator. The usermust have local administrator privileges on the endpoint to install the sensor. The user can install the sensor by using one of the following methods:

• Method 1: Invite Users to Install Sensors on Endpoints: This method allows the user to install the sensor by using an installation code that is sent by email from the Carbon Black Cloud console. The user must run the installation code as an administrator on the endpoint.
• Method 2: Install the Sensor on the Endpoint by using the Command Line or Software Distribution Tools: This method allows the user to install the sensor by using the command line, or by using a scripted or automated method such as Group Policy or systems management tools. The user must run the installation command or script as an administrator on the endpoint.

The other permission levels are not sufficient or relevant for installing a sensor on a Windows endpoint. Everyone is a group that includes all users and groups on the endpoint, but it does not grant administrator privileges. Root is a user that has full access and control over a Linux or Unix system, but it is not applicable to a Windows endpoint. User is a general term that refers to any person who uses a computer or network service, but it does not imply administrator privileges. References:

• VMware Carbon Black Cloud Sensor Installation Guide, page 7, Sensor Components section, Sensor Service (RepMqr) subsection.
• Installing Windows Sensors on Endpoints - VMware Docs, Procedure section, step 1.

 A Watchlist is a collection of queries that run against the data in the VMware Carbon Black Cloud Endpoint Standard. Watchlists enable administrators to monitor the activity of endpoints for specific Tactics, Techniques, or Procedures (TTPs) that are of interest. Administrators can configure alerts for Watchlist hits, which will notify them when a particular TTP is observed on a managed endpoint. Alerts for Watchlist hits can be sent via email, syslog, or webhook. References:

• VMware Carbon Black Cloud Endpoint Standard Skills Reference Materials, Module 3: Threat Hunting, Lesson 3.2: Watchlists, page 3-10
• VMware Carbon Black Cloud Endpoint Standard User Guide, Chapter 7: Watchlists, page 115-116

The VMware Carbon Black sensor uses port 443 by default to communicate with the VMware Carbon Black Cloud. This port is used for both incoming and outgoing TCP connections to the environment-specific URLs that provide console access, API requests, sensor communication, UBS download, signature update, third-party certificate validation, and Live Response uploads. Port 54443 is used as a backup port in case port 443 is blocked or unavailable. Ports 80 and 22 are not used by the VMware Carbon Black sensor. References: Configure a Firewall, Ports and URLs

This rule will prevent any application that is not listed in the Carbon Black Cloud Endpoint Standard from scraping the memory of another process, which is a common technique used by malware to retrieve credentials from the Local Security Authority Subsystem Service (LSASS). This rule will terminate the process that attempts to perform this operation, thus blocking the credential theft. This rule is more specific and effective than option A, which only applies to unknown applications, or option B, which applies to all executable files regardless of their reputation. Option C is incorrect because it will only deny the operation but not terminate the process, which may allow the malware to continue running and try other methods of credential theft. References: VMware Carbon Black Cloud Endpoint Standard Skills Reference Materials, Module 4: Endpoint Standard Rules, Lesson 2: Rule Types and Actions, slide 12.