5V0-93.22 Exam Dumps - VMware Certification Questions and Answers

The company banned list is a feature of VMware Carbon Black Cloud Endpoint Standard that allows administrators to prevent specific files from running on the endpoints by their hash values. The company banned list has a higher priority than the file reputation, so even if the file is not listed or unknown by Carbon Black, it will be blocked if its hash is in the company banned list. Adding the hash to the company banned list is the most effective and efficient way to prevent the file from executing on the endpoints. The other options are either not feasible or not scalable. Adding the hash to the malware list would not work, because the malware list is a global list maintained by Carbon Black, and administrators cannot add hashes to it. Using Live Response to kill the process or delete the file would only work for one endpoint at a time, and it would not prevent the file from running again if it is still present on the endpoint or downloaded from another source. References: Carbon Black Cloud Endpoint Standard - Technical Overview, Add Hash to Banned List, Carbon Black Cloud: How to Add a SHA256 Hash to Approved/Banned List

The path that meets the criteria for allowing application.exe using wildcards is :\Users*\Temp\Allowed\application.exe. This path specifies that the executable file can run only from inside of the user’s Temp\Allowed directory, regardless of the drive letter or the user name. The wildcards used in this path are:

• *: Matches any single character or no character at all. For example, *:\ matches any drive letter, such as C:, D:, or E:.
• **: Matches a partial path across all subdirectory levels and is recursive. For example, \Users**\ matches any subdirectory under the Users directory, such as \Users\Lorie, \Users\John, or \Users\Alice\Documents.

The other paths do not meet the criteria for allowing application.exe using wildcards. A. C:\Users?\Temp\Allowed\application.exe does not allow running from any drive other than C:, and it only matches a single character for the user name, which may not be sufficient. B. C:\Users*\Temp\Allowed\application.exe does not allow running from any drive other than C:, and it may match more than one character for the user name, which may not be desired. D. *:\Users*\Temp\Allowed\application.exe allows running from any drive, but it may match more than one character for the user name, which may not be desired. References:

• Carbon Black Cloud: How to Use Wildcards in Policy Rules - Carbon Black Community, Wildcard Description table.

It is possible to search for unsigned files in the VMware Carbon Black Cloud console by using the search query:

NOT process_publisher_state:FILE_SIGNATURE_STATE_SIGNED

This query will return all the processes that have a publisher state other than FILE_SIGNATURE_STATE_SIGNED, which means they are either unsigned or have an invalid signature. The process_publisher_state field is a string that indicates the signature status of the process executable file. The possible values for this field are:

• FILE_SIGNATURE_STATE_SIGNED: The file has a valid signature.
• FILE_SIGNATURE_STATE_UNSIGNED: The file does not have a signature.
• FILE_SIGNATURE_STATE_INVALID: The file has a signature, but it is invalid or corrupted.
• FILE_SIGNATURE_STATE_MISSING: The file signature could not be retrieved or verified.

The NOT operator is a Boolean NOT operator that negates the following term or phrase. For example, NOT svchost.exe will return all the processes that are not named svchost.exe.

Therefore, by using the NOT operator with the process_publisher_state field and the value FILE_SIGNATURE_STATE_SIGNED, we can search for unsigned files in the console. References:

• Advanced Search Techniques - VMware Docs, Using Regular Expressions (regex) section, NOT Operator subsection.
• Carbon Black Cloud: Search for process_publisher_s… - Carbon Black …, The CB sensor now reinspects operating system files that appear unsigned to reverify their digital signature and avoid the tamper blocks section.

The Process Analysis page in VMware Carbon Black Cloud Endpoint Standard is a graphical view of the event that shows the process tree, the event timeline, and the event details. The process tree displays the parent-child relationships of the processes involved in the event, as well as the actions taken by the policy, such as blocking or alerting. The event timeline shows the chronological sequence of the events, such as process executions, file modifications, network connections, and registry changes. The event details provide more information about the selected event, such as the process name, path, hash, command line, reputation, and Carbon Black TTPs. The Process Analysis page can help the security administrator to investigate the hash ban event and understand the context and impact of the blocked application. References: Carbon Black Cloud Endpoint Standard - Technical Overview, Add Hash to Banned List, Carbon Black Cloud: How to Add a SHA256 Hash to Approved/Banned List

 The operation attempt that must use a Terminate Process action is Scrapes memory of another process. This is a policy rule in VMware Carbon Black Cloud Endpoint Standard that blocks and terminates any process that attempts to read the memory of another process. This is a common technique used by malware to steal sensitive information, such as passwords, encryption keys, or tokens, from legitimate applications. By using a Terminate Process action, the policy rule ensures that the malicious process is stopped and removed from the endpoint, preventing further damage or data exfiltration. The other operation attempts do not require a Terminate Process action, but they can use other actions, such as Alert, Deny, or Isolate Device, depending on the policy configuration and the security needs of the organization. References: Carbon Black Cloud Endpoint Standard - Technical Overview, Best Practices: Endpoint Standard Blocking & Isolation Rules, Endpoint Standard: Deny/Terminate action taken on an Allowed Application

The most effective way to meet the goal of blocking ransomware in the organization is to turn on the performs ransomware-like behavior rule in the policies. This rule is a feature of VMware Carbon Black Cloud Endpoint Standard that uses behavioral analytics to detect and prevent actions that are typical of ransomware, such as encrypting files, deleting backups, or displaying ransom notes. By turning on this rule, the administrator can block any application that attempts to perform ransomware-like behavior, regardless of its reputation or signature. This can protect the organization from new or unknown ransomware variants that may not be detected by other methods. The administrator can also customize the rule to apply different actions, such as alert, deny, or terminate, depending on the policy configuration and the security needs of the organization.

The other options are not as effective or appropriate for blocking ransomware in the organization. Option A is not proactive, but reactive, as it relies on looking at current attacks to see if the software that is running is vulnerable to potential ransomware attacks. This may not be sufficient to prevent future attacks that use different software or exploit different vulnerabilities. Option C is not accurate, as analytics alone cannot automatically block all the attacks that may occur. Analytics can help toidentify and prioritize the most critical threats, but the administrator still needs to configure the policies and rules to block the attacks. Option D is not recommended, as it exposes the organization to unnecessary risk. Starting in the monitored policy until it is clear that no attacks are happening means that the administrator is not taking any preventive actions, but only monitoring the endpoint activity and logging the events. This may not be enough to stop or mitigate the impact of a ransomware attack, which can cause irreversible damage or data loss in a short time. References: Carbon Black Cloud Endpoint Standard - Technical Overview, Best Practices:

Event data is categorized and identified by a unique event ID in VMware Carbon Black Cloud. The sensor will upload all event data to the Investigate page of the Endpoint Standard Console. This includes but is not limited to all failed and successful operations which happen at the machine level as well as any operations which are blocked or terminated by the sensor. Each event sent from the sensor to the Dashboard will be assigned a unique event ID. References: Endpoint Standard: How is event data categorized, and formed into an Alert1

 When an administrator places an endpoint into bypass mode, VMware Carbon Black Cloud Endpoint Standard will not provide any protection to the endpoint. Bypass mode is a feature that allows the administrator to disable all policy rule enforcement on the endpoint, which means that the endpoint is not actively protected by VMware Carbon Black Cloud Endpoint Standard. The sensor will ignore any malicious or suspicious activity on the endpoint and will not log any events or send any data to the Carbon Black Cloud console. The administrator can use bypass mode to troubleshoot application interoperability, bootup, or login issues on the endpoint, or to upgrade the operating system on the endpoint. The administrator can enable or disable bypass mode from the Carbon Black Cloud console, the sensor UI, or the command line. The administrator can also view the reason and duration of the bypass mode from the Carbon Black Cloud console12.

The other options are incorrect or irrelevant. VMware Carbon Black Cloud Endpoint Standard will not be uninstalled from the endpoint when it is placed into bypass mode. The sensor will still be running on the endpoint, but it will not enforce any policy rules. VMware Carbon Black Cloud Endpoint Standard will not place the machine in quarantine when it is placed into bypass mode. Quarantine is a different feature that allows the administrator to isolate the endpoint from the network, preventing any communication with other devices or external servers. VMware Carbon Black Cloud Endpoint Standard will not apply policy rules when the endpoint is placed into bypass mode. Policy rules are the settings that define how the sensor detects and prevents threats on the endpoint. Bypass mode disables all policy rule enforcement on the endpoint. References:

• Sensor Bypass Mode - VMware Docs, Overview section.
• Carbon Black Cloud: How to Get Started With Bypass Mode - Carbon Black Community, Objective section.

The Investigate page in VMware Carbon Black Cloud Endpoint Standard is where the administrator can fully analyze the relevant information of an event stored in the VMware Carbon Black Cloud. The Investigate page allows the administrator to search for events based on various criteria, such as process name, hash, device name, policy, alert, and Carbon Black TTPs. The administrator can also use the New Investigate Experience toggle to switch to the Observations view, which provides more granular and enriched data about the events. The Investigate page also provides access to the Process Analysis page, which is a graphical view of the event that shows the process tree, the event timeline, and the event details. The Process Analysis page can help the administrator to understand the context and impact of the event, as well as to take actions such as isolating the device, banningthe hash, or creating a watchlist. References: Carbon Black Cloud Endpoint Standard - Technical Overview, New Enriched Events Experience for Endpoint Standard Customers, Investigate Page

The pre-requisite step in gathering specific vulnerability data to export it as a CSV file for analysis is A. Perform a custom search on the Endpoint Page. This step allows the security administrator to use advanced search techniques to query the endpoint data collected by the VMware Carbon Black Cloud sensors. The administrator can use various fields and operators to filter and refine the search results, such as process_name, file_name, file_path, file_type, file_description, and more. Theadministrator can also use the process tree view to visualize the process execution and the event details to examine the process activity. After performing the custom search, the administrator can export the data as a CSV file for further analysis by clicking the Export () icon and selecting CSV Report. The CSV file is available for download under the Notifications drop-down menu1.

The other options are not pre-requisite steps in gathering specific vulnerability data to export it as a CSV file for analysis. Accessing the Audit Log content to see associated events is a step that allows the administrator to review actions performed by Carbon Black Cloud console users, such as logging in, creating policies, banning hashes, isolating devices, and initiating Live Response sessions. The Audit Log does not provide specific vulnerability data for the endpoints2. Searching for specific malware by hash or filename is a step that allows the administrator to find and analyze malicious files on the endpoints, but it does not provide comprehensive vulnerability data for the endpoints. Enabling cloud analysis is a step that allows the administrator to upload file metadata and content to the Carbon Black Cloud for reputation and threat intelligence analysis, but it does not provide specific vulnerability data for the endpoints3. References:

• Investigate Endpoint Data - VMware Docs, Overview section.
• Audit Logs - VMware Docs, Overview section.
• Cloud Analysis - VMware Docs, Overview section.