5V0-93.22 Exam Dumps : VMware Carbon Black Cloud Endpoint Standard Skills

The reputation that was used by the sensor for the decision to terminate the process was the effective reputation. The effective reputation is the reputation that the sensor uses to evaluate and enforce policy rules on the endpoint. The effective reputation is determined by the following factors:

• The initial cloud reputation, which is the reputation that the Carbon Black Cloud assigns to the file based on its analysis and threat intelligence feeds.
• The actioned reputation, which is the reputation that the administrator assigns to the file through the Carbon Black Cloud console, such as approve, ban, or dismiss.
• The current cloud reputation, which is the reputation that the Carbon Black Cloud updates for the file based on new information or changes in the threat landscape.

The effective reputation is the highest priority reputation among these three factors. For example, if the initial cloud reputation is SUSPECT_MALWARE, the actioned reputation is APPROVED, and the current cloud reputation is KNOWN_MALWARE, the effective reputation will be APPROVED, because it has the highest priority. The sensor will use the effective reputation to apply the policy rules on the endpoint. In this case, the process will not be blocked by the rule [Suspected malware] [Invokes a command interpreter] [Terminate process], because the effective reputation is not SUSPECT_MALWARE.

In the question scenario, the effective reputation for the process was SUSPECT_MALWARE, which means that either the initial cloud reputation, the actioned reputation, or the current cloud reputation was SUSPECT_MALWARE, and there was no higher priority reputation that overrode it. Therefore, the sensor used the effective reputation to enforce the policy rule and terminate the process. References:

• Endpoint Standard: How to Confirm Applied … - VMware Carbon Black, Resolution section.

When an administrator dismisses a group of alerts and ticks the box for “Dismiss future instances of this alert on all devices in all policies”, the following happens:

• The alerts are moved to the Dismissed tab on the Alerts page, and the alert count is reduced accordingly.
• The alerts are no longer displayed on the Dashboard or the Device page.
• The alerts are no longer considered for the device health score or the policy health score.
• The alerts are no longer sent to any configured Notifications.

Therefore, if a new alert is added to the same group of alerts, it will also be dismissed automatically and follow the same rules as above. This means that the alert will show when the Dismissed filter is selected on Alerts page, but a Notification email will not be sent. References: VMware Carbon Black Cloud Endpoint Standard Skills Reference Materials, Section 6.2: Dismissing Alerts, Page 46.

The security administrator can view the Live Response activities and commands that have been executed while performing a remediation process to the sensors in the Audit Log page in the VMware Carbon Black Cloud Endpoint Standard console. The Audit Log page allows the administrator to review actions performed by Carbon Black Cloud console users, such as logging in, creating policies, banning hashes, isolating devices, and initiating Live Response sessions. The administrator can use various filters and keywords to narrow down the log scope and find the relevant entries. For example, the administrator can use the following keyword to find all the Live Response activities and commands:

live-response

This keyword will return all the log entries that contain the term live-response, which indicates that the action was related to the Live Response feature. The administrator can also use the following fields to refine the search results:

• User: The name of the user who performed the action.
• Action: The type of action that was performed, such as login, create, update, delete, enable, disable, and so on.
• Object: The object that was affected by the action, such as policy, device, hash, and so on.
• Date: The date and time range when the action was performed.

The administrator can also modify the level of granularity of the log entries, expand the log scope, limit the log scope to keywords, modify the audit table configuration, and export audit logs to the local machine1.

The other options are incorrect or irrelevant. Users is a page that allows the administrator to manage the users and roles in the Carbon Black Cloud console, not to view the Live Response activities and commands. Notifications is a page that allows the administrator to view and manage the notifications from the Carbon Black Cloud console, such as alerts, recommendations, and messages, not to view the Live Response activities and commands. Inbox is a page that allows the administrator to view and manage the messages from the Carbon Black Cloud console, such as product updates, announcements, and feedback requests, not to view the Live Response activities and commands. References:

• Audit Logs - VMware Docs, Overview section.