5V0-93.22 VMware Carbon Black Cloud Endpoint Standard Skills Questions and Answers

 A Watchlist is a collection of queries that run against the data in the VMware Carbon Black Cloud Endpoint Standard. Watchlists enable administrators to monitor the activity of endpoints for specific Tactics, Techniques, or Procedures (TTPs) that are of interest. Administrators can configure alerts for Watchlist hits, which will notify them when a particular TTP is observed on a managed endpoint. Alerts for Watchlist hits can be sent via email, syslog, or webhook. References:

• VMware Carbon Black Cloud Endpoint Standard Skills Reference Materials, Module 3: Threat Hunting, Lesson 3.2: Watchlists, page 3-10
• VMware Carbon Black Cloud Endpoint Standard User Guide, Chapter 7: Watchlists, page 115-116

The Local White reputation is assigned to files that are either pre-existing on the device before the sensor installation, or signed by a trusted certificate, or created by an IT tool. The file signature is verified by the sensor against a list of trusted certificates that are stored locally on the device. If the file is signed by a certificate that matches one of the trusted certificates, the sensor assigns the Local White reputation to the file. This reputation indicates that the file is trusted and allowed to run on the device. The other options are incorrect because they do not qualify for the Local White reputation. Option A is incorrect because adding a file as an IT tool does not automatically assign it the Local White reputation. The file must also be signed by a trusted certificate or pre-existing on the device. Option C is incorrect because the hash being not on any known good or bad lists is not relevant for the Local White reputation. The file must also be signed by a trusted certificate or pre-existing on the device. Option D is incorrect because the hash being previously analyzed is notrelevant for the Local White reputation. The file must also be signed by a trusted certificate or pre-existing on the device. References: Reputations Assignment for Pre-Existing Files, Reputation Assignment

 Unenforcing a policy rule means that the rule will still be evaluated, but the actions will not be taken. This allows the administrator to troubleshoot the issue without affecting the endpoints or generating alerts. Disabling, recalling, or deleting a policy rule will remove it from the evaluation process and may affect the security posture of the organization. References: VMware Carbon Black Cloud Endpoint Standard Skills Exam Guide1, VMware Carbon Black Cloud Endpoint Standard - On Demand Course

This rule will prevent any application that is not listed in the Carbon Black Cloud Endpoint Standard from scraping the memory of another process, which is a common technique used by malware to retrieve credentials from the Local Security Authority Subsystem Service (LSASS). This rule will terminate the process that attempts to perform this operation, thus blocking the credential theft. This rule is more specific and effective than option A, which only applies to unknown applications, or option B, which applies to all executable files regardless of their reputation. Option C is incorrect because it will only deny the operation but not terminate the process, which may allow the malware to continue running and try other methods of credential theft. References: VMware Carbon Black Cloud Endpoint Standard Skills Reference Materials, Module 4: Endpoint Standard Rules, Lesson 2: Rule Types and Actions, slide 12.

The security administrator can view the Live Response activities and commands that have been executed while performing a remediation process to the sensors in the Audit Log page in the VMware Carbon Black Cloud Endpoint Standard console. The Audit Log page allows the administrator to review actions performed by Carbon Black Cloud console users, such as logging in, creating policies, banning hashes, isolating devices, and initiating Live Response sessions. The administrator can use various filters and keywords to narrow down the log scope and find the relevant entries. For example, the administrator can use the following keyword to find all the Live Response activities and commands:

live-response

This keyword will return all the log entries that contain the term live-response, which indicates that the action was related to the Live Response feature. The administrator can also use the following fields to refine the search results:

• User: The name of the user who performed the action.
• Action: The type of action that was performed, such as login, create, update, delete, enable, disable, and so on.
• Object: The object that was affected by the action, such as policy, device, hash, and so on.
• Date: The date and time range when the action was performed.

The administrator can also modify the level of granularity of the log entries, expand the log scope, limit the log scope to keywords, modify the audit table configuration, and export audit logs to the local machine1.

The other options are incorrect or irrelevant. Users is a page that allows the administrator to manage the users and roles in the Carbon Black Cloud console, not to view the Live Response activities and commands. Notifications is a page that allows the administrator to view and manage the notifications from the Carbon Black Cloud console, such as alerts, recommendations, and messages, not to view the Live Response activities and commands. Inbox is a page that allows the administrator to view and manage the messages from the Carbon Black Cloud console, such as product updates, announcements, and feedback requests, not to view the Live Response activities and commands. References:

• Audit Logs - VMware Docs, Overview section.

VMware Carbon Black Cloud Endpoint Standard uses a hybrid approach to determine the reputation of files on the endpoints. It combines local scan, which uses signature-based detection to identify known malware, and cloud scan, which uses cloud-based analytics and machine learning to identify unknown or emerging threats. When a sensor’s local AV signatures are out-of-date, it means that the local scan cannot detect the latest malware variants that have been added to the signature database. However, this does not affect the cloud scan, which can still determine the reputation of newly discovered files based on their behavior, characteristics, and context. Therefore, the effect of having out-of-date local AV signatures is that the reputation is determined by cloud reputation, which is more accurate and up-to-date than signature-based detection. The other options are not correct, because the sensor does not prompt the end user, automatically block, or fail to block a new file based on the local AV signatures alone. References: Carbon Black Cloud Endpoint Standard - Technical Overview, View and Update Signature Versions, Endpoint Standard: How to verify AV Signatures are updating

 To prevent the use of unauthorized USB storage devices, the administrator needs to enable the USB Device Control feature in the VMware Carbon Black Cloud Endpoint Standard. This feature allows the administrator to approve or block specific USB devices based on their vendor ID, product ID, serial number, and device type. The administrator can also set a default action for unapproved USB devices, such as block, read-only, or allow. The administrator can manage the USB devices from the USB Devices page under the Settings menu. From this page, the administrator can view the list of USB devices that have been detected by the endpoints, and elect to approve only the allowed USB devices. The administrator can also export or import the list of approved USB devices for backup or replication purposes. References:

• VMware Carbon Black Cloud Endpoint Standard Skills Reference Materials, Module 4: USB Device Control, pages 4-1 to 4-9.
• VMware Carbon Black Cloud Endpoint Standard User Guide, Chapter 11: USB Device Control, pages 147-152.

 To enable Live Response on all endpoints in a specific policy, the security administrator needs to follow the correct path to configure the required sensor policy setting. The correct path is Enforce > Policies > Policy > Sensor. This path allows the administrator to select a policy group, then click on the Sensor tab, where they can select or deselect the Enable Live Response checkbox as applicable, and then click Save. This will enable or disable Live Response for all endpoints that are assigned to that policy group. The other options are incorrect because they do not match the correctpath to configure the sensor policy setting for Live Response. References: Use Live Response, Use Live Response for VM Workloads

The tool that the security administrator is using to remediate a security vulnerability that may affect the sensors is Live Response. Live Response is a feature of VMware Carbon Black Cloud Endpoint Standard that allows the administrator to perform remote investigations, contain ongoing attacks, and remediate threats using a command line interface. Live Response enables the administrator to interact with the sensors and access the endpoints in real time, using various commands and scripts. Live Response can also be used to upload or download files, execute processes, terminate processes, delete files, and more12.

The other tools are not relevant or applicable for this scenario. CBLauncher is a tool that allows the administrator to launch applications on the endpoint without triggering policy rules or alerts. CBLauncher is useful for troubleshooting application compatibility issues or testing new applications, but it does not provide interaction or remote access for further investigation3. PowerCLI is a tool that allows the administrator to automate and manage VMware products and services using PowerShell commands and scripts. PowerCLI is useful for administering VMware virtual machines, hosts, networks, storage, and more, but it does not provide interaction or remote access for further investigation4. IRepCLI is a tool that allows the administrator to generate and upload reputation information for files on the endpoint. IRepCLI is useful for enhancing the threat intelligence and detection capabilities of VMware Carbon Black Cloud, but it does not provide interaction or remote access for further investigation5. References:

• Use Live Response - VMware Docs, Overview section.
• CBLauncher - VMware Docs, Overview section.
• Live Response Commands - VMware Docs, Overview section.
• VMware PowerCLI Documentation, Overview section.
• IRepCLI - VMware Docs, Overview section.

The sensor status details can be found in the Inventory > Endpoints tab of the VMware Carbon Black Cloud interface. This tab displays all the deployed sensors by default, and allows the administrator to filter them by various criteria, such as status, policy, group, OS, or device name. The status column indicates the state of a sensor and any administrator actions that have been taken on the sensor, such as bypass, quarantine, or deregister. The administrator can also view more details about a sensor by clicking on its name, such as the sensor version, last check-in time, device health score, and policy history. The administrator can also take actions on a sensor from this tab, such as updating, isolating, or uninstalling the sensor. References: Sensor Status and Details — Asset Groups, Carbon Black Cloud Endpoint Standard - Technical Overview

The path that meets the criteria for allowing application.exe using wildcards is :\Users*\Temp\Allowed\application.exe. This path specifies that the executable file can run only from inside of the user’s Temp\Allowed directory, regardless of the drive letter or the user name. The wildcards used in this path are:

• *: Matches any single character or no character at all. For example, *:\ matches any drive letter, such as C:, D:, or E:.
• **: Matches a partial path across all subdirectory levels and is recursive. For example, \Users**\ matches any subdirectory under the Users directory, such as \Users\Lorie, \Users\John, or \Users\Alice\Documents.

The other paths do not meet the criteria for allowing application.exe using wildcards. A. C:\Users?\Temp\Allowed\application.exe does not allow running from any drive other than C:, and it only matches a single character for the user name, which may not be sufficient. B. C:\Users*\Temp\Allowed\application.exe does not allow running from any drive other than C:, and it may match more than one character for the user name, which may not be desired. D. *:\Users*\Temp\Allowed\application.exe allows running from any drive, but it may match more than one character for the user name, which may not be desired. References:

• Carbon Black Cloud: How to Use Wildcards in Policy Rules - Carbon Black Community, Wildcard Description table.

According to the VMware Carbon Black Cloud Sensor Installation Guide, the permission level that is required when a user wants to install a sensor on a Windows endpoint is Administrator. The usermust have local administrator privileges on the endpoint to install the sensor. The user can install the sensor by using one of the following methods:

• Method 1: Invite Users to Install Sensors on Endpoints: This method allows the user to install the sensor by using an installation code that is sent by email from the Carbon Black Cloud console. The user must run the installation code as an administrator on the endpoint.
• Method 2: Install the Sensor on the Endpoint by using the Command Line or Software Distribution Tools: This method allows the user to install the sensor by using the command line, or by using a scripted or automated method such as Group Policy or systems management tools. The user must run the installation command or script as an administrator on the endpoint.

The other permission levels are not sufficient or relevant for installing a sensor on a Windows endpoint. Everyone is a group that includes all users and groups on the endpoint, but it does not grant administrator privileges. Root is a user that has full access and control over a Linux or Unix system, but it is not applicable to a Windows endpoint. User is a general term that refers to any person who uses a computer or network service, but it does not imply administrator privileges. References:

• VMware Carbon Black Cloud Sensor Installation Guide, page 7, Sensor Components section, Sensor Service (RepMqr) subsection.
• Installing Windows Sensors on Endpoints - VMware Docs, Procedure section, step 1.

 Live Response is a tool that allows administrators to remotely access and remediate endpoints in real time. With Live Response, administrators can block a new malicious process by killing it, deleting its files, and removing any persistence mechanisms. Live Response can also be used to collect forensic data, run scripts, and perform other actions on the endpoints. References: VMware Carbon Black Cloud Endpoint Standard Skills Reference Materials, Section 5.3: Live Response. [Link]

• To block an application by its path instead of reputation, the administrator needs to follow these steps:
• The other options are incorrect because they do not specify the correct section, button, or field for blocking an application by its path. The Enforce section is for managing the policy assignments, not the policy rules. The Permissions section is for managing the application control rules, not the application blocking rules. The Edit (pencil icon) button is for modifying the existing reputation levels, not for adding a new application path rule. References:
• VMware Carbon Black Cloud Endpoint Standard Skills Reference Materials, Module 3: Application Control, pages 3-7 to 3-8.
• VMware Carbon Black Cloud Endpoint Standard User Guide, Chapter 9: Application Control, pages 115-116.

 A security benefit of VMware Carbon Black Cloud Endpoint Standard is that it provides visibility into the entire attack chain and customizable threat intelligence that can be used to gain insight into problems. Endpoint Standard uses behavioral analytics to detect and prevent malicious activity on endpoints, and also collects comprehensive event data that can be used to investigate and respond to incidents. Endpoint Standard also allows administrators to customize their threat intelligence feeds and alerts, and integrate with other security tools and platforms. This way, administrators can gain a deeper understanding of the threats facing their organization and take appropriate actions to mitigate them. The other options are incorrect because they are not security benefits of Endpoint Standard. Option A is incorrect because a flexible query scheduler is a feature of VMware Carbon Black Audit and Remediation, not Endpoint Standard. Option C is incorrect because customizable threat feeds are a feature of VMware Carbon Black Enterprise EDR, not Endpoint Standard. Option D is incorrect because policy rules that can be tested by selecting test rule next to the desired operation attempt are a feature of VMware Carbon Black App Control, not Endpoint Standard. References: VMware Carbon Black Cloud Endpoint Standard Datasheet, Carbon Black Cloud Endpoint Standard - Technical Overview