5V0-93.22 Exam Dumps : VMware Carbon Black Cloud Endpoint Standard Skills

 To prevent the use of unauthorized USB storage devices, the administrator needs to enable the USB Device Control feature in the VMware Carbon Black Cloud Endpoint Standard. This feature allows the administrator to approve or block specific USB devices based on their vendor ID, product ID, serial number, and device type. The administrator can also set a default action for unapproved USB devices, such as block, read-only, or allow. The administrator can manage the USB devices from the USB Devices page under the Settings menu. From this page, the administrator can view the list of USB devices that have been detected by the endpoints, and elect to approve only the allowed USB devices. The administrator can also export or import the list of approved USB devices for backup or replication purposes. References:

• VMware Carbon Black Cloud Endpoint Standard Skills Reference Materials, Module 4: USB Device Control, pages 4-1 to 4-9.
• VMware Carbon Black Cloud Endpoint Standard User Guide, Chapter 11: USB Device Control, pages 147-152.

This feature allows the administrator to test the rule against historical data and see how many events would have matched the rule criteria in the past 24 hours. The administrator can also see the details of the matching events, such as the device name, the process name, the process path, the operation type, and the operation result. This feature can help the administrator to confirm that the new rulewould have prevented a previous execution that had been observed, as well as to evaluate the effectiveness and accuracy of the rule1.

The other options are not features that can be used for this purpose. A. Setting up a notification based on a policy action, and then selecting Terminate is a feature that allows the administrator to receive an alert when a terminate rule is triggered by a current event, but it does not allow the administrator to test the rule against historical data. C. Configuring the rule to terminate the process is a feature that allows the administrator to specify the action that the sensor will take when the rule is triggered by a current event, but it does not allow the administrator to test the rule against historical data. D. Configuring the rule to deny operation of the process is a feature that allows the administrator to specify a different action than terminate for the rule, but it does not allow the administrator to test the rule against historical data. References:

• Endpoint Standard Rules - VMware Docs, Test Rule section.

 The Investigate page in the VMware Carbon Black Cloud Endpoint Standard console is where the security administrator can perform a search to further inspect the script-based attack that was coded into Excel VBA. The Investigate page allows the administrator to use advanced search techniques to query the endpoint data collected by the VMware Carbon Black Cloud sensors. The administrator can use various fields and operators to filter and refine the search results, such as process_name, file_name, file_path, file_type, file_description, and more. The administrator can also use the processtree view to visualize the process execution and the event details to examine the process activity. For example, the administrator can use the following search query to find all the processes that have a file type of Excel VBA:

file_type:EXCEL_VBA

This query will return all the processes that have a file type of EXCEL_VBA, which is a file type that indicates the file contains Excel VBA code. The file_type field is a string that indicates the type of the file based on its content and format. The possible values for this field are:

• EXE: Executable file
• DLL: Dynamic-link library file
• SYS: System file
• BAT: Batch file
• CMD: Command file
• VBS: Visual Basic Script file
• JS: JavaScript file
• PS1: PowerShell Script file
• HTA: HTML Application file
• MSI: Windows Installer file
• DOC: Microsoft Word document file
• XLS: Microsoft Excel spreadsheet file
• PPT: Microsoft PowerPoint presentation file
• PDF: Portable Document Format file
• SWF: Shockwave Flash file
• JAR: Java Archive file
• CLASS: Java class file
• PY: Python script file
• SH: Shell script file
• PL: Perl script file
• RB: Ruby script file
• PHP: PHP script file
• ASP: Active Server Pages file
• ASPX: Active Server Pages Extended file
• HTML: HyperText Markup Language file
• XML: Extensible Markup Language file
• DOCM: Microsoft Word document with macros file
• XLAM: Microsoft Excel add-in with macros file
• XLSM: Microsoft Excel spreadsheet with macros file
• XLTM: Microsoft Excel template with macros file
• PPTM: Microsoft PowerPoint presentation with macros file
• POTM: Microsoft PowerPoint template with macros file
• PPAM: Microsoft PowerPoint add-in with macros file
• EXCEL_VBA: Excel Visual Basic for Applications file
• WORD_VBA: Word Visual Basic for Applications file
• POWERPOINT_VBA: PowerPoint Visual Basic for Applications file
• OUTLOOK_VBA: Outlook Visual Basic for Applications file
• ACCESS_VBA: Access Visual Basic for Applications file
• PROJECT_VBA: Project Visual Basic for Applications file
• VISIO_VBA: Visio Visual Basic for Applications file
• PUBLISHER_VBA: Publisher Visual Basic for Applications file
• INFOPATH_VBA: InfoPath Visual Basic for Applications file
• ONENOTE_VBA: OneNote Visual Basic for Applications file
• UNKNOWN: Unknown file type

Therefore, by using the Investigate page in the VMware Carbon Black Cloud Endpoint Standard console, the security administrator can perform a search to further inspect the script-based attack that was coded into Excel VBA. References:

• Investigate Endpoint Data - VMware Docs, Overview section.
• Advanced Search Techniques - VMware Docs, Using Fields section, file_type subsection.