VMware 5V0-93.22 VMware Carbon Black Cloud Endpoint Standard Skills Exam Practice Test

It is possible to search for unsigned files in the VMware Carbon Black Cloud console by using the search query:

NOT process_publisher_state:FILE_SIGNATURE_STATE_SIGNED

This query will return all the processes that have a publisher state other than FILE_SIGNATURE_STATE_SIGNED, which means they are either unsigned or have an invalid signature. The process_publisher_state field is a string that indicates the signature status of the process executable file. The possible values for this field are:

• FILE_SIGNATURE_STATE_SIGNED: The file has a valid signature.
• FILE_SIGNATURE_STATE_UNSIGNED: The file does not have a signature.
• FILE_SIGNATURE_STATE_INVALID: The file has a signature, but it is invalid or corrupted.
• FILE_SIGNATURE_STATE_MISSING: The file signature could not be retrieved or verified.

The NOT operator is a Boolean NOT operator that negates the following term or phrase. For example, NOT svchost.exe will return all the processes that are not named svchost.exe.

Therefore, by using the NOT operator with the process_publisher_state field and the value FILE_SIGNATURE_STATE_SIGNED, we can search for unsigned files in the console. References:

• Advanced Search Techniques - VMware Docs, Using Regular Expressions (regex) section, NOT Operator subsection.
• Carbon Black Cloud: Search for process_publisher_s… - Carbon Black …, The CB sensor now reinspects operating system files that appear unsigned to reverify their digital signature and avoid the tamper blocks section.

According to the VMware Carbon Black Cloud Sensor Installation Guide, the permission level that is required when a user wants to install a sensor on a Windows endpoint is Administrator. The usermust have local administrator privileges on the endpoint to install the sensor. The user can install the sensor by using one of the following methods:

• Method 1: Invite Users to Install Sensors on Endpoints: This method allows the user to install the sensor by using an installation code that is sent by email from the Carbon Black Cloud console. The user must run the installation code as an administrator on the endpoint.
• Method 2: Install the Sensor on the Endpoint by using the Command Line or Software Distribution Tools: This method allows the user to install the sensor by using the command line, or by using a scripted or automated method such as Group Policy or systems management tools. The user must run the installation command or script as an administrator on the endpoint.

The other permission levels are not sufficient or relevant for installing a sensor on a Windows endpoint. Everyone is a group that includes all users and groups on the endpoint, but it does not grant administrator privileges. Root is a user that has full access and control over a Linux or Unix system, but it is not applicable to a Windows endpoint. User is a general term that refers to any person who uses a computer or network service, but it does not imply administrator privileges. References:

• VMware Carbon Black Cloud Sensor Installation Guide, page 7, Sensor Components section, Sensor Service (RepMqr) subsection.
• Installing Windows Sensors on Endpoints - VMware Docs, Procedure section, step 1.

The action that an administrator should take to ensure application.exe cannot run is to remove the Permissions rule for C:\Program Files\IT\Tools*. This is because the Permissions rule has a higher priority than the Blocking and Isolation rule, and it allows any operation on any file in that path, including application.exe. By removing the Permissions rule, the Blocking and Isolation rule will apply and terminate application.exe based on its SUSPECT_MALWARE reputation. The other options are incorrect because they will not prevent application.exe from running. Option A is incorrect because changing the reputation to KNOWN MALWARE will not override the Permissions rule that allows any operation on the file. Option B is incorrect because the file will not be blocked based on reputation alone, as the Permissions rule will bypass the reputation check. Option D is incorrect because adding the hash to the company banned list will not override the Permissions rule that allows any operation on the file. References: Precedence of Policy Rules, Set Permission Policy Rules, Set Blocking and Isolation Policy Rules

• To block an application by its path instead of reputation, the administrator needs to follow these steps:
• The other options are incorrect because they do not specify the correct section, button, or field for blocking an application by its path. The Enforce section is for managing the policy assignments, not the policy rules. The Permissions section is for managing the application control rules, not the application blocking rules. The Edit (pencil icon) button is for modifying the existing reputation levels, not for adding a new application path rule. References:
• VMware Carbon Black Cloud Endpoint Standard Skills Reference Materials, Module 3: Application Control, pages 3-7 to 3-8.
• VMware Carbon Black Cloud Endpoint Standard User Guide, Chapter 9: Application Control, pages 115-116.

The best rule to prevent a spreadsheet from being misused to run malicious code, while minimizing the risk of breaking normal operations of a spreadsheet, is B. **\excel.exe [Invokes a command interpreter] [Deny operation]. This rule will prevent any Excel process from invoking a command interpreter, such as cmd.exe or powershell.exe, which is a common technique used by malware to execute malicious commands or scripts. This rule will deny the operation but not terminate the process, which may allow the spreadsheet to continue functioning normally. This rule is more specific and effective than option A, which only applies to Microsoft Office applications that run external code, or option C, which applies to Excel applications that communicate over the network. Option D is incorrect because it is too vague and may not catch all the possible ways that a spreadsheet can run malware.

 A security benefit of VMware Carbon Black Cloud Endpoint Standard is that it provides visibility into the entire attack chain and customizable threat intelligence that can be used to gain insight into problems. Endpoint Standard uses behavioral analytics to detect and prevent malicious activity on endpoints, and also collects comprehensive event data that can be used to investigate and respond to incidents. Endpoint Standard also allows administrators to customize their threat intelligence feeds and alerts, and integrate with other security tools and platforms. This way, administrators can gain a deeper understanding of the threats facing their organization and take appropriate actions to mitigate them. The other options are incorrect because they are not security benefits of Endpoint Standard. Option A is incorrect because a flexible query scheduler is a feature of VMware Carbon Black Audit and Remediation, not Endpoint Standard. Option C is incorrect because customizable threat feeds are a feature of VMware Carbon Black Enterprise EDR, not Endpoint Standard. Option D is incorrect because policy rules that can be tested by selecting test rule next to the desired operation attempt are a feature of VMware Carbon Black App Control, not Endpoint Standard. References: VMware Carbon Black Cloud Endpoint Standard Datasheet, Carbon Black Cloud Endpoint Standard - Technical Overview

The Local White reputation is assigned to files that are either pre-existing on the device before the sensor installation, or signed by a trusted certificate, or created by an IT tool. The file signature is verified by the sensor against a list of trusted certificates that are stored locally on the device. If the file is signed by a certificate that matches one of the trusted certificates, the sensor assigns the Local White reputation to the file. This reputation indicates that the file is trusted and allowed to run on the device. The other options are incorrect because they do not qualify for the Local White reputation. Option A is incorrect because adding a file as an IT tool does not automatically assign it the Local White reputation. The file must also be signed by a trusted certificate or pre-existing on the device. Option C is incorrect because the hash being not on any known good or bad lists is not relevant for the Local White reputation. The file must also be signed by a trusted certificate or pre-existing on the device. Option D is incorrect because the hash being previously analyzed is notrelevant for the Local White reputation. The file must also be signed by a trusted certificate or pre-existing on the device. References: Reputations Assignment for Pre-Existing Files, Reputation Assignment

The security administrator can view the Live Response activities and commands that have been executed while performing a remediation process to the sensors in the Audit Log page in the VMware Carbon Black Cloud Endpoint Standard console. The Audit Log page allows the administrator to review actions performed by Carbon Black Cloud console users, such as logging in, creating policies, banning hashes, isolating devices, and initiating Live Response sessions. The administrator can use various filters and keywords to narrow down the log scope and find the relevant entries. For example, the administrator can use the following keyword to find all the Live Response activities and commands:

live-response

This keyword will return all the log entries that contain the term live-response, which indicates that the action was related to the Live Response feature. The administrator can also use the following fields to refine the search results:

• User: The name of the user who performed the action.
• Action: The type of action that was performed, such as login, create, update, delete, enable, disable, and so on.
• Object: The object that was affected by the action, such as policy, device, hash, and so on.
• Date: The date and time range when the action was performed.

The administrator can also modify the level of granularity of the log entries, expand the log scope, limit the log scope to keywords, modify the audit table configuration, and export audit logs to the local machine1.

The other options are incorrect or irrelevant. Users is a page that allows the administrator to manage the users and roles in the Carbon Black Cloud console, not to view the Live Response activities and commands. Notifications is a page that allows the administrator to view and manage the notifications from the Carbon Black Cloud console, such as alerts, recommendations, and messages, not to view the Live Response activities and commands. Inbox is a page that allows the administrator to view and manage the messages from the Carbon Black Cloud console, such as product updates, announcements, and feedback requests, not to view the Live Response activities and commands. References:

• Audit Logs - VMware Docs, Overview section.

The impact of using the wildcards in the path for this rule is C. Any executable in the downloads directory for any user on the system will be bypassed for inspection. This is because the permission rule has the following options selected:

• Application at path: C:\Users*\Downloads**
• Operation Attempt: Performs any operation
• Action: Bypass

The application at path field specifies the path of the executable file that the rule applies to. The * wildcard matches 0 or more consecutive characters up to a single subdirectory level. For example, C:\Users*\ matches any subdirectory under the Users directory, such as C:\Users\Lorie, C:\Users\John, or C:\Users\Alice. The ** wildcard matches a partial path across all subdirectory levels and is recursive. For example, \Downloads** matches any files in that directory and all subdirectories. Therefore, by using the wildcards in the application at path field, the permission rule covers any executable file in the downloads directory for any user on the system.

The operation attempt field specifies the type of operation that the executable file attempts to perform. The Performs any operation option means that the rule applies to any operation, such as creating a file, modifying a registry key, or executing a command.

The action field specifies the action that the VMware Carbon Black Cloud Endpoint Standard sensor takes when the rule is triggered. The Bypass option means that the sensor ignores the executable file and does not apply any blocking rules or log any events for it1.

Therefore, by using the wildcards in the path for this rule, the permission rule effectively bypasses any executable file in the downloads directory for any user on the system from the VMware Carbon Black Cloud Endpoint Standard sensor’s prevention and detection capabilities. References:

• Prevention Policy Settings - VMware Docs, Permissions section, Action subsection.

To create a reputation override for a company-critical application based on the highest available priority in the reputation list, the administrator must use the IT Tool method of reputation override. The IT Tool method allows the administrator to specify a path to a known IT tool application, such as C:\Program Files\IT\Tools\application.exe, and assign it the Local Approved reputation. This reputation is the highest priority in the reputation list and overrides any other reputations assigned by VMware Carbon Black or other sources. The IT Tool method is useful for applications that are already known by VMware Carbon Black, but need to be allowed to run without interference from the sensor. The other options are incorrect because they are not the highest priority in the reputation list. Option A is incorrect because the Signing Certificate method assigns the Company Approved reputation, which is lower than the Local Approved reputation. Option B is incorrect because the Hash method assigns the Company Approved or Company Banned reputation, depending on the action selected, which are lower than the Local Approved reputation. Option C is incorrect because the Local Approved method is not a valid method of reputation override. It is a reputation level that can be assigned by the IT Tool method or by the sensor for pre-existing files or files signed by a trusted certificate. References: Manage Reputations, Reputation Assignment

According to the VMware Carbon Black Cloud Endpoint Standard Skills Reference Materials, alerts are categorized as either “Threat” or “Observed” based on the severity and confidence of the event. “Threat” alerts indicate a high-severity and high-confidence event that is more likely to be malicious, such as a ransomware attack, a credential theft, or a network beacon. “Observed” alerts indicate a low-severity and low-confidence event that is less likely to be malicious, such as a suspicious registry modification, a fileless script execution, or a process injection. The categorization of alerts helps analysts prioritize their investigations and responses. References: VMware Carbon Black Cloud Endpoint Standard Skills Reference Materials, page 14, section 2.3.1. Alert Categories. [Link]

VMware Carbon Black Cloud is a cloud-native endpoint and workload protection platform that combines the intelligent system hardening and behavioral prevention needed to keep emerging threats at bay, using a single lightweight agent and an easy-to-use console. One of the capabilities of VMware Carbon Black Cloud is attack chain visualization and search, which allows users to see the full scope of an attack, from initial compromise to lateral movement, and quickly search for indicators of compromise across endpoints and workloads. References: VMware Carbon Black Cloud Endpoint Standard Skills Exam Guide, page 4; VMware Carbon Black Cloud Endpoint Standard Skills Study Guide, page 6.

This feature allows the administrator to test the rule against historical data and see how many events would have matched the rule criteria in the past 24 hours. The administrator can also see the details of the matching events, such as the device name, the process name, the process path, the operation type, and the operation result. This feature can help the administrator to confirm that the new rulewould have prevented a previous execution that had been observed, as well as to evaluate the effectiveness and accuracy of the rule1.

The other options are not features that can be used for this purpose. A. Setting up a notification based on a policy action, and then selecting Terminate is a feature that allows the administrator to receive an alert when a terminate rule is triggered by a current event, but it does not allow the administrator to test the rule against historical data. C. Configuring the rule to terminate the process is a feature that allows the administrator to specify the action that the sensor will take when the rule is triggered by a current event, but it does not allow the administrator to test the rule against historical data. D. Configuring the rule to deny operation of the process is a feature that allows the administrator to specify a different action than terminate for the rule, but it does not allow the administrator to test the rule against historical data. References:

• Endpoint Standard Rules - VMware Docs, Test Rule section.

The sensor status details can be found in the Inventory > Endpoints tab of the VMware Carbon Black Cloud interface. This tab displays all the deployed sensors by default, and allows the administrator to filter them by various criteria, such as status, policy, group, OS, or device name. The status column indicates the state of a sensor and any administrator actions that have been taken on the sensor, such as bypass, quarantine, or deregister. The administrator can also view more details about a sensor by clicking on its name, such as the sensor version, last check-in time, device health score, and policy history. The administrator can also take actions on a sensor from this tab, such as updating, isolating, or uninstalling the sensor. References: Sensor Status and Details — Asset Groups, Carbon Black Cloud Endpoint Standard - Technical Overview

The correct statement regarding Blocking/Isolation rules and Permission rules is D. Blocking & Isolation rules are overridden by Permission Rules. This means that if a file or process matches both a Blocking/Isolation rule and a Permission rule, the action specified by the Permission rule will take precedence over the action specified by the Blocking/Isolation rule. For example, if a file has a reputation of SUSPECT_MALWARE and a Blocking/Isolation rule is set to terminate any SUSPECT_MALWARE file that runs, but a Permission rule is set to allow and log any file that runs from a specific path, the file will be allowed and logged if it runs from that path, regardless of its reputation. Permission rules are useful for tuning the behavior of VMware Carbon Black Cloud Endpoint Standard and preventing false positives or unnecessary blocks1.

The other statements are false or irrelevant. Blocking & Isolation rules are not overridden by Upload Rules. Upload Rules are rules that specify which files and metadata are uploaded to the Carbon Black Cloud for analysis and reputation. Upload Rules do not affect the prevention or detection capabilities of VMware Carbon Black Cloud Endpoint Standard2. Permission Rules are not overridden by Blocking & Isolation rules. As explained above, Permission Rules have a higher priority than Blocking & Isolation rules and can override their actions. Upload Rules are not overridden by Blocking & Isolation rules. Upload Rules and Blocking & Isolation rules are independent of each other and do not affect each other’s functionality. References:

• Prevention Policy Settings - VMware Docs, Permissions section, Action subsection.
• Upload Rules - VMware Docs, Overview section.

To make sure all files are scanned locally upon execution, the administrator needs to set the On-Access File Scan Mode to Aggressive. This setting will scan all files on execute, regardless of whether they are new or pre-existing on the device. The assigned reputation and policy rules will apply to the scanned files. The other options are incorrect because they are not necessary to complete this task. Option B is incorrect because the Signature Update frequency is not related to the local scanning of files upon execution. It is related to how often the sensor checks in for signature pack updates. Option C is incorrect because the Allow Signature Updates is not related to the local scanning of files upon execution. It is related to enabling or disabling signature updates for the scanner. Option D is incorrect because the Run Background Scan is not related to the local scanning of files upon execution. It is related to enabling or disabling a one-time background scan on any endpoint sensorassigned to a policy. References: Configure Local Scan Settings, Endpoint Standard: How To Configure Local AV Scan

 The Investigate page in the VMware Carbon Black Cloud Endpoint Standard console is where the security administrator can perform a search to further inspect the script-based attack that was coded into Excel VBA. The Investigate page allows the administrator to use advanced search techniques to query the endpoint data collected by the VMware Carbon Black Cloud sensors. The administrator can use various fields and operators to filter and refine the search results, such as process_name, file_name, file_path, file_type, file_description, and more. The administrator can also use the processtree view to visualize the process execution and the event details to examine the process activity. For example, the administrator can use the following search query to find all the processes that have a file type of Excel VBA:

file_type:EXCEL_VBA

This query will return all the processes that have a file type of EXCEL_VBA, which is a file type that indicates the file contains Excel VBA code. The file_type field is a string that indicates the type of the file based on its content and format. The possible values for this field are:

• EXE: Executable file
• DLL: Dynamic-link library file
• SYS: System file
• BAT: Batch file
• CMD: Command file
• VBS: Visual Basic Script file
• JS: JavaScript file
• PS1: PowerShell Script file
• HTA: HTML Application file
• MSI: Windows Installer file
• DOC: Microsoft Word document file
• XLS: Microsoft Excel spreadsheet file
• PPT: Microsoft PowerPoint presentation file
• PDF: Portable Document Format file
• SWF: Shockwave Flash file
• JAR: Java Archive file
• CLASS: Java class file
• PY: Python script file
• SH: Shell script file
• PL: Perl script file
• RB: Ruby script file
• PHP: PHP script file
• ASP: Active Server Pages file
• ASPX: Active Server Pages Extended file
• HTML: HyperText Markup Language file
• XML: Extensible Markup Language file
• DOCM: Microsoft Word document with macros file
• XLAM: Microsoft Excel add-in with macros file
• XLSM: Microsoft Excel spreadsheet with macros file
• XLTM: Microsoft Excel template with macros file
• PPTM: Microsoft PowerPoint presentation with macros file
• POTM: Microsoft PowerPoint template with macros file
• PPAM: Microsoft PowerPoint add-in with macros file
• EXCEL_VBA: Excel Visual Basic for Applications file
• WORD_VBA: Word Visual Basic for Applications file
• POWERPOINT_VBA: PowerPoint Visual Basic for Applications file
• OUTLOOK_VBA: Outlook Visual Basic for Applications file
• ACCESS_VBA: Access Visual Basic for Applications file
• PROJECT_VBA: Project Visual Basic for Applications file
• VISIO_VBA: Visio Visual Basic for Applications file
• PUBLISHER_VBA: Publisher Visual Basic for Applications file
• INFOPATH_VBA: InfoPath Visual Basic for Applications file
• ONENOTE_VBA: OneNote Visual Basic for Applications file
• UNKNOWN: Unknown file type

Therefore, by using the Investigate page in the VMware Carbon Black Cloud Endpoint Standard console, the security administrator can perform a search to further inspect the script-based attack that was coded into Excel VBA. References:

• Investigate Endpoint Data - VMware Docs, Overview section.
• Advanced Search Techniques - VMware Docs, Using Fields section, file_type subsection.

The correct answer is to click Drop Connection, which is a feature of VMware Carbon Black Cloud Endpoint Standard that allows the administrator to immediately terminate a network connection that is deemed malicious or suspicious. This feature can be accessed from the Alert Details page, where the administrator can see the application, process, and destination IP address of the connection. By clicking Drop Connection, the administrator can block the connection without affecting the rest of the system or network. This is a quick and effective way to stop a potential threat from communicating with a remote server or exfiltrating data. References: = VMware Carbon Black Cloud Endpoint Standard Skills Reference Materials, Section 4.3: Investigate Alerts, Subsection 4.3.2: Drop Connection.