Free Access VMware 5V0-93.22 New Release

The best way to proactively know that something may get blocked when putting a policy rule in the environment is to search the data using the test rule functionality in the VMware Carbon Black Cloud Endpoint Standard console. The test rule functionality allows the administrator to test a new rule’s settings before applying it in the environment. The system checks to see how the rule would have affected the organization over the last 30 days and displays the number of devices and events that would have been impacted by the rule. The administrator can use this data to confirm or modify the settings and avoid unnecessary blocks or false positives. The test rule functionality is available for both permission rules and blocking and isolation rules12.

The other options are not recommended or feasible for obtaining this information. Examining log files to see what would be impacted is not a reliable or efficient method, as it would require manually reviewing a large amount of data and correlating it with the rule settings. Putting the rules in and seeing what happens to the endpoints is a risky and reactive approach, as it could cause disruption or damage to the endpoints and the network. Determining what would happen based on previously used antivirus software is not a valid or accurate method, as different antivirus software may have different detection and prevention capabilities and configurations. References:

• Set Permission Policy Rules - VMware Docs, Procedure section, step 7.
• Set Blocking and Isolation Policy Rules - VMware Docs, Procedure section, step 7.

Placing the device in quarantine is the recommended immediate action to prevent further exfiltration of data by the malware. Quarantine is a feature of VMware Carbon Black Cloud Endpoint Standard that allows you to isolate a device from the network, preventing any communication with other devices or external servers. This can help contain an active threat and prevent further damage. You can quarantine a device from the Devices page or from the Device Summary page. You can also unquarantine a device when the threat is resolved. References:

• VMware Carbon Black Cloud Endpoint Standard - On Demand, Module 5: Responding to Threats, Lesson 2: Quarantine a Device, slide 5.
• VMware Carbon Black Cloud Endpoint Standard, page 11, Quarantine a Device.

 The VMware Carbon Black Cloud Endpoint Standard allows administrators to add applications to the Approved List, which approves the presence and actions of specified applications on the endpoints. Adding to the Approved List is global in its effects and applies to all policies attached to a particular version of an application. There are two different methods that can be used to add applications to the Approved List: by signing certificate or by application path.

• By signing certificate: This method allows administrators to approve files that are signed by a specific certificate authority (CA) or signer. For example, if an administrator wants to approve all files that are signed by Google Inc, they can add the signer name and the CA name to the Approved List. This method is useful for approving files that are frequently updated or have dynamic names or paths. However, administrators should be careful when using wildcards or approving certificates from untrusted sources, as this could lead to incidentally approving malicious software that appears to be signed by a trusted CA or signer.
• By application path: This method allows administrators to approve files that are located in a specific path on the endpoint. For example, if an administrator wants to approve a custom application that is installed in C:\Program Files\Custom Application\, they can add the path and the file name to the Approved List. This method is useful for approving files that have a fixed name and location on the endpoint. However, administrators should be aware that this method does not account for new versions of the application, and they should routinely update the Approved List to reflect the changes. Administrators can also use wildcards to target certain files or directories, but they should be as specific as possible to avoid approving unwanted files.

The other options are not valid methods for adding applications to the Approved List. MD5 hash is a method for adding files to the Banned List, which prevents specific files from running on the endpoints by their hash values. Application name is a method for creating permission rules, which allow or deny the presence and actions of an application only on a specific device. IT Tool is not a method, but a category of applications that are recommended to be added to the Approved List, such as software deployment tools, executable installers, IDEs, compilers, or script editors. References: Adding to the Approved List, Endpoint Standard: How to add a Certificate to the Approved List, Endpoint Standard: How to add a SHA256 hash to Approved/Banned List