VMware 5V0-93.22 Dumps

The correct statement regarding Blocking/Isolation rules and Permission rules is D. Blocking & Isolation rules are overridden by Permission Rules. This means that if a file or process matches both a Blocking/Isolation rule and a Permission rule, the action specified by the Permission rule will take precedence over the action specified by the Blocking/Isolation rule. For example, if a file has a reputation of SUSPECT_MALWARE and a Blocking/Isolation rule is set to terminate any SUSPECT_MALWARE file that runs, but a Permission rule is set to allow and log any file that runs from a specific path, the file will be allowed and logged if it runs from that path, regardless of its reputation. Permission rules are useful for tuning the behavior of VMware Carbon Black Cloud Endpoint Standard and preventing false positives or unnecessary blocks1.

The other statements are false or irrelevant. Blocking & Isolation rules are not overridden by Upload Rules. Upload Rules are rules that specify which files and metadata are uploaded to the Carbon Black Cloud for analysis and reputation. Upload Rules do not affect the prevention or detection capabilities of VMware Carbon Black Cloud Endpoint Standard2. Permission Rules are not overridden by Blocking & Isolation rules. As explained above, Permission Rules have a higher priority than Blocking & Isolation rules and can override their actions. Upload Rules are not overridden by Blocking & Isolation rules. Upload Rules and Blocking & Isolation rules are independent of each other and do not affect each other’s functionality. References:

• Prevention Policy Settings - VMware Docs, Permissions section, Action subsection.
• Upload Rules - VMware Docs, Overview section.

VMware Carbon Black Cloud is a cloud-native endpoint and workload protection platform that combines the intelligent system hardening and behavioral prevention needed to keep emerging threats at bay, using a single lightweight agent and an easy-to-use console. One of the capabilities of VMware Carbon Black Cloud is attack chain visualization and search, which allows users to see the full scope of an attack, from initial compromise to lateral movement, and quickly search for indicators of compromise across endpoints and workloads. References: VMware Carbon Black Cloud Endpoint Standard Skills Exam Guide, page 4; VMware Carbon Black Cloud Endpoint Standard Skills Study Guide, page 6.

This feature allows the administrator to test the rule against historical data and see how many events would have matched the rule criteria in the past 24 hours. The administrator can also see the details of the matching events, such as the device name, the process name, the process path, the operation type, and the operation result. This feature can help the administrator to confirm that the new rulewould have prevented a previous execution that had been observed, as well as to evaluate the effectiveness and accuracy of the rule1.

The other options are not features that can be used for this purpose. A. Setting up a notification based on a policy action, and then selecting Terminate is a feature that allows the administrator to receive an alert when a terminate rule is triggered by a current event, but it does not allow the administrator to test the rule against historical data. C. Configuring the rule to terminate the process is a feature that allows the administrator to specify the action that the sensor will take when the rule is triggered by a current event, but it does not allow the administrator to test the rule against historical data. D. Configuring the rule to deny operation of the process is a feature that allows the administrator to specify a different action than terminate for the rule, but it does not allow the administrator to test the rule against historical data. References:

• Endpoint Standard Rules - VMware Docs, Test Rule section.

A leading wildcard is a wildcard that is placed at the beginning of a search term, such as * or ?. A leading wildcard matches any characters that precede the specified term. For example, filemod:/system32/ntdll.dll matches any file modification events that end with /system32/ntdll.dll, regardless of the drive letter or the directory name. A leading wildcard is not recommended unless absolutely necessary because it carries a significant performance penalty for the search. This is because the search engine has to scan the entire index for possible matches, rather than using the index to quickly narrow down the results1.

The other options are not examples of leading wildcards. A. filemod:system32/ntdll.dll is an exact match query that matches only file modification events that are exactly system32/ntdll.dll. B. filemod:system32/ntdll.dll is a trailing wildcard query that matches any file modification events that start with system32/ and end with ntdll.dll, regardless of the characters in between. D. filemod:system32/ntdll.dll is a trailing wildcard query that matches any file modification events that start with system32/ntdll.dll, regardless of the characters that follow. References:

• Search Syntax - VMware Docs, Wildcards section.

Placing the device in quarantine is the recommended immediate action to prevent further exfiltration of data by the malware. Quarantine is a feature of VMware Carbon Black Cloud Endpoint Standard that allows you to isolate a device from the network, preventing any communication with other devices or external servers. This can help contain an active threat and prevent further damage. You can quarantine a device from the Devices page or from the Device Summary page. You can also unquarantine a device when the threat is resolved. References:

• VMware Carbon Black Cloud Endpoint Standard - On Demand, Module 5: Responding to Threats, Lesson 2: Quarantine a Device, slide 5.
• VMware Carbon Black Cloud Endpoint Standard, page 11, Quarantine a Device.

 To prevent the use of unauthorized USB storage devices, the administrator needs to enable the USB Device Control feature in the VMware Carbon Black Cloud Endpoint Standard. This feature allows the administrator to approve or block specific USB devices based on their vendor ID, product ID, serial number, and device type. The administrator can also set a default action for unapproved USB devices, such as block, read-only, or allow. The administrator can manage the USB devices from the USB Devices page under the Settings menu. From this page, the administrator can view the list of USB devices that have been detected by the endpoints, and elect to approve only the allowed USB devices. The administrator can also export or import the list of approved USB devices for backup or replication purposes. References:

• VMware Carbon Black Cloud Endpoint Standard Skills Reference Materials, Module 4: USB Device Control, pages 4-1 to 4-9.
• VMware Carbon Black Cloud Endpoint Standard User Guide, Chapter 11: USB Device Control, pages 147-152.

 The correct answer is C because it uses the correct syntax for the advanced search query. The process_name field matches the name of the process, and the AND NOT operator excludes the results that match the second condition. The backslashes in the path need to be escaped with another backslash, so C:\Windows\System32 is the correct way to write it. References: VMware Carbon Black Cloud Endpoint Standard Skills Reference Materials, Section 3.3.2: Investigate Page - Advanced Search.

 The Investigate page in the VMware Carbon Black Cloud Endpoint Standard console is where the security administrator can perform a search to further inspect the script-based attack that was coded into Excel VBA. The Investigate page allows the administrator to use advanced search techniques to query the endpoint data collected by the VMware Carbon Black Cloud sensors. The administrator can use various fields and operators to filter and refine the search results, such as process_name, file_name, file_path, file_type, file_description, and more. The administrator can also use the processtree view to visualize the process execution and the event details to examine the process activity. For example, the administrator can use the following search query to find all the processes that have a file type of Excel VBA:

file_type:EXCEL_VBA

This query will return all the processes that have a file type of EXCEL_VBA, which is a file type that indicates the file contains Excel VBA code. The file_type field is a string that indicates the type of the file based on its content and format. The possible values for this field are:

• EXE: Executable file
• DLL: Dynamic-link library file
• SYS: System file
• BAT: Batch file
• CMD: Command file
• VBS: Visual Basic Script file
• JS: JavaScript file
• PS1: PowerShell Script file
• HTA: HTML Application file
• MSI: Windows Installer file
• DOC: Microsoft Word document file
• XLS: Microsoft Excel spreadsheet file
• PPT: Microsoft PowerPoint presentation file
• PDF: Portable Document Format file
• SWF: Shockwave Flash file
• JAR: Java Archive file
• CLASS: Java class file
• PY: Python script file
• SH: Shell script file
• PL: Perl script file
• RB: Ruby script file
• PHP: PHP script file
• ASP: Active Server Pages file
• ASPX: Active Server Pages Extended file
• HTML: HyperText Markup Language file
• XML: Extensible Markup Language file
• DOCM: Microsoft Word document with macros file
• XLAM: Microsoft Excel add-in with macros file
• XLSM: Microsoft Excel spreadsheet with macros file
• XLTM: Microsoft Excel template with macros file
• PPTM: Microsoft PowerPoint presentation with macros file
• POTM: Microsoft PowerPoint template with macros file
• PPAM: Microsoft PowerPoint add-in with macros file
• EXCEL_VBA: Excel Visual Basic for Applications file
• WORD_VBA: Word Visual Basic for Applications file
• POWERPOINT_VBA: PowerPoint Visual Basic for Applications file
• OUTLOOK_VBA: Outlook Visual Basic for Applications file
• ACCESS_VBA: Access Visual Basic for Applications file
• PROJECT_VBA: Project Visual Basic for Applications file
• VISIO_VBA: Visio Visual Basic for Applications file
• PUBLISHER_VBA: Publisher Visual Basic for Applications file
• INFOPATH_VBA: InfoPath Visual Basic for Applications file
• ONENOTE_VBA: OneNote Visual Basic for Applications file
• UNKNOWN: Unknown file type

Therefore, by using the Investigate page in the VMware Carbon Black Cloud Endpoint Standard console, the security administrator can perform a search to further inspect the script-based attack that was coded into Excel VBA. References:

• Investigate Endpoint Data - VMware Docs, Overview section.
• Advanced Search Techniques - VMware Docs, Using Fields section, file_type subsection.

 According to the VMware Carbon Black Cloud Endpoint Standard User Guide, the threshold, in days, before a machine shows as inactive in the console is 7 days. An inactive device is a device that has not communicated with the Carbon Black Cloud console for more than 7 days. The console displays the last communication time for each device on the Endpoints page. The administrator can use the Inactive Devices filter to view all the inactive devices in the organization. The administrator can also use the Device Status widget on the Dashboard page to see the number and percentage of inactive devices in the organization. The administrator can take various actions to resolve the inactive device issue, such as:

• Check the network connectivity and firewall settings of the device
• Check the sensor status and version on the device
• Check the policy settings and rules applied to the device
• Reinstall the sensor on the device
• Delete the device from the console if it is no longer in use References:
• VMware Carbon Black Cloud Endpoint Standard User Guide, page 14, Inactive Devices section.

According to the VMware Carbon Black Cloud Endpoint Standard User Guide, the Sensor Service (RepMqr) is the process that is responsible for uploading event reporting to VMware Carbon Black Cloud. The Sensor Service (RepMqr) is one of the components of the VMware Carbon Black Cloud sensor, which is the software agent that runs on the endpoints and collects and sends data to the VMware Carbon Black Cloud console. The Sensor Service (RepMqr) is responsible for the following tasks:

• Collecting and compressing endpoint events
• Sending endpoint events to the VMware Carbon Black Cloud console
• Receiving and applying policy updates from the VMware Carbon Black Cloud console
• Performing actions requested by the VMware Carbon Black Cloud console, such as quarantine, unquarantine, or bypass

The other processes are not responsible for uploading event reporting to VMware Carbon Black Cloud. The Sensor Service (RepUx) is the process that is responsible for uploading file metadata and content to VMware Carbon Black Cloud. The Scanner Service (scanhost) is the process that is responsible for scanning the endpoint for malicious files and activity. The Scanner Service (Re) is the process that is responsible for scanning the endpoint for reputation information. References:

• VMware Carbon Black Cloud Endpoint Standard User Guide, page 7, Sensor Components section, Sensor Service (RepMqr) subsection.

When an administrator dismisses a group of alerts and ticks the box for “Dismiss future instances of this alert on all devices in all policies”, the following happens:

• The alerts are moved to the Dismissed tab on the Alerts page, and the alert count is reduced accordingly.
• The alerts are no longer displayed on the Dashboard or the Device page.
• The alerts are no longer considered for the device health score or the policy health score.
• The alerts are no longer sent to any configured Notifications.

Therefore, if a new alert is added to the same group of alerts, it will also be dismissed automatically and follow the same rules as above. This means that the alert will show when the Dismissed filter is selected on Alerts page, but a Notification email will not be sent. References: VMware Carbon Black Cloud Endpoint Standard Skills Reference Materials, Section 6.2: Dismissing Alerts, Page 46.

The path that meets the criteria for allowing application.exe using wildcards is :\Users*\Temp\Allowed\application.exe. This path specifies that the executable file can run only from inside of the user’s Temp\Allowed directory, regardless of the drive letter or the user name. The wildcards used in this path are:

• *: Matches any single character or no character at all. For example, *:\ matches any drive letter, such as C:, D:, or E:.
• **: Matches a partial path across all subdirectory levels and is recursive. For example, \Users**\ matches any subdirectory under the Users directory, such as \Users\Lorie, \Users\John, or \Users\Alice\Documents.

The other paths do not meet the criteria for allowing application.exe using wildcards. A. C:\Users?\Temp\Allowed\application.exe does not allow running from any drive other than C:, and it only matches a single character for the user name, which may not be sufficient. B. C:\Users*\Temp\Allowed\application.exe does not allow running from any drive other than C:, and it may match more than one character for the user name, which may not be desired. D. *:\Users*\Temp\Allowed\application.exe allows running from any drive, but it may match more than one character for the user name, which may not be desired. References:

• Carbon Black Cloud: How to Use Wildcards in Policy Rules - Carbon Black Community, Wildcard Description table.

The impact of using the wildcards in the path is that all executable files in the “Program Files” folder and subfolders will be ignored, including malware files. This is because the double asterisk ** matches any files or directories in that path, and the Bypass action means that the sensor will notmonitor or block any operations performed by those files. This is a very permissive and risky rule, as it could allow malicious files to run without interference from the sensor. A more restrictive and secure rule would be to specify the exact path of the application that needs to be allowed, and use the Allow and Log action instead of Bypass. This way, the sensor will only ignore the specified application, and still log its operations for visibility and analysis. References: Carbon Black Cloud: How to Use Wildcards in Policy Rules, Set Permission Policy Rules

The reputation that was used by the sensor for the decision to terminate the process was the effective reputation. The effective reputation is the reputation that the sensor uses to evaluate and enforce policy rules on the endpoint. The effective reputation is determined by the following factors:

• The initial cloud reputation, which is the reputation that the Carbon Black Cloud assigns to the file based on its analysis and threat intelligence feeds.
• The actioned reputation, which is the reputation that the administrator assigns to the file through the Carbon Black Cloud console, such as approve, ban, or dismiss.
• The current cloud reputation, which is the reputation that the Carbon Black Cloud updates for the file based on new information or changes in the threat landscape.

The effective reputation is the highest priority reputation among these three factors. For example, if the initial cloud reputation is SUSPECT_MALWARE, the actioned reputation is APPROVED, and the current cloud reputation is KNOWN_MALWARE, the effective reputation will be APPROVED, because it has the highest priority. The sensor will use the effective reputation to apply the policy rules on the endpoint. In this case, the process will not be blocked by the rule [Suspected malware] [Invokes a command interpreter] [Terminate process], because the effective reputation is not SUSPECT_MALWARE.

In the question scenario, the effective reputation for the process was SUSPECT_MALWARE, which means that either the initial cloud reputation, the actioned reputation, or the current cloud reputation was SUSPECT_MALWARE, and there was no higher priority reputation that overrode it. Therefore, the sensor used the effective reputation to enforce the policy rule and terminate the process. References:

• Endpoint Standard: How to Confirm Applied … - VMware Carbon Black, Resolution section.

The security administrator can view the Live Response activities and commands that have been executed while performing a remediation process to the sensors in the Audit Log page in the VMware Carbon Black Cloud Endpoint Standard console. The Audit Log page allows the administrator to review actions performed by Carbon Black Cloud console users, such as logging in, creating policies, banning hashes, isolating devices, and initiating Live Response sessions. The administrator can use various filters and keywords to narrow down the log scope and find the relevant entries. For example, the administrator can use the following keyword to find all the Live Response activities and commands:

live-response

This keyword will return all the log entries that contain the term live-response, which indicates that the action was related to the Live Response feature. The administrator can also use the following fields to refine the search results:

• User: The name of the user who performed the action.
• Action: The type of action that was performed, such as login, create, update, delete, enable, disable, and so on.
• Object: The object that was affected by the action, such as policy, device, hash, and so on.
• Date: The date and time range when the action was performed.

The administrator can also modify the level of granularity of the log entries, expand the log scope, limit the log scope to keywords, modify the audit table configuration, and export audit logs to the local machine1.

The other options are incorrect or irrelevant. Users is a page that allows the administrator to manage the users and roles in the Carbon Black Cloud console, not to view the Live Response activities and commands. Notifications is a page that allows the administrator to view and manage the notifications from the Carbon Black Cloud console, such as alerts, recommendations, and messages, not to view the Live Response activities and commands. Inbox is a page that allows the administrator to view and manage the messages from the Carbon Black Cloud console, such as product updates, announcements, and feedback requests, not to view the Live Response activities and commands. References:

• Audit Logs - VMware Docs, Overview section.

The pre-requisite step in gathering specific vulnerability data to export it as a CSV file for analysis is A. Perform a custom search on the Endpoint Page. This step allows the security administrator to use advanced search techniques to query the endpoint data collected by the VMware Carbon Black Cloud sensors. The administrator can use various fields and operators to filter and refine the search results, such as process_name, file_name, file_path, file_type, file_description, and more. Theadministrator can also use the process tree view to visualize the process execution and the event details to examine the process activity. After performing the custom search, the administrator can export the data as a CSV file for further analysis by clicking the Export () icon and selecting CSV Report. The CSV file is available for download under the Notifications drop-down menu1.

The other options are not pre-requisite steps in gathering specific vulnerability data to export it as a CSV file for analysis. Accessing the Audit Log content to see associated events is a step that allows the administrator to review actions performed by Carbon Black Cloud console users, such as logging in, creating policies, banning hashes, isolating devices, and initiating Live Response sessions. The Audit Log does not provide specific vulnerability data for the endpoints2. Searching for specific malware by hash or filename is a step that allows the administrator to find and analyze malicious files on the endpoints, but it does not provide comprehensive vulnerability data for the endpoints. Enabling cloud analysis is a step that allows the administrator to upload file metadata and content to the Carbon Black Cloud for reputation and threat intelligence analysis, but it does not provide specific vulnerability data for the endpoints3. References:

• Investigate Endpoint Data - VMware Docs, Overview section.
• Audit Logs - VMware Docs, Overview section.
• Cloud Analysis - VMware Docs, Overview section.

• The connectivity that is required for VMware Carbon Black Cloud Endpoint Standard to perform Sensor Certificate Validation is TCP/443 to GoDaddy OCSP and CRL URLs (crl.godaddy.com and ocsp.godaddy.com). Sensor Certificate Validation is a feature that allows the Carbon Black Cloud agent to verify the authenticity and validity of the certificates used by the Carbon Black Cloud services. This feature enhances the security and trust of the communication between the agent and the cloud. To perform Sensor Certificate Validation, the agent needs to access the Online Certificate Status Protocol (OCSP) and Certificate Revocation List (CRL) services provided by GoDaddy, the certificate authority that issues the certificates for Carbon Black Cloud. These services use the HTTPS protocol, which runs on port 443. Therefore, the agent needs to have TCP/443 connectivity to the GoDaddy OCSP and CRL URLs, which are crl.godaddy.com and ocsp.godaddy.com12.
• The other options are incorrect because they do not specify the correct protocol, port, or URLs for Sensor Certificate Validation. TCP/80 is the port for HTTP, not HTTPS, and it is not used by the OCSP and CRL services. GoDaddy CRL URL is only one of the two URLs that the agent needs to access, the other one is GoDaddy OCSP URL. References:
• VMware Carbon Black Cloud Endpoint Standard Skills Reference Materials, Module 1: Introduction, page 1-8.
• VMware Carbon Black Cloud Endpoint Standard User Guide, Chapter 2: Sensor Installation, page 17.

 A security benefit of VMware Carbon Black Cloud Endpoint Standard is that it provides visibility into the entire attack chain and customizable threat intelligence that can be used to gain insight into problems. Endpoint Standard uses behavioral analytics to detect and prevent malicious activity on endpoints, and also collects comprehensive event data that can be used to investigate and respond to incidents. Endpoint Standard also allows administrators to customize their threat intelligence feeds and alerts, and integrate with other security tools and platforms. This way, administrators can gain a deeper understanding of the threats facing their organization and take appropriate actions to mitigate them. The other options are incorrect because they are not security benefits of Endpoint Standard. Option A is incorrect because a flexible query scheduler is a feature of VMware Carbon Black Audit and Remediation, not Endpoint Standard. Option C is incorrect because customizable threat feeds are a feature of VMware Carbon Black Enterprise EDR, not Endpoint Standard. Option D is incorrect because policy rules that can be tested by selecting test rule next to the desired operation attempt are a feature of VMware Carbon Black App Control, not Endpoint Standard. References: VMware Carbon Black Cloud Endpoint Standard Datasheet, Carbon Black Cloud Endpoint Standard - Technical Overview