The VMware 5V0-93.22 Questions & Practice Test are Available On-Demand [Q26-Q44]

Q26. Which command is used to immediately terminate a current Live Response session?

kill

detach -q

delete

execfg

Q27. A script-based attack has been identified that inflicted damage to the corporate systems. The security administrator found out that the malware was coded into Excel VBA and would like to perform a search to further inspect the incident.
Where in the VMware Carbon Black Cloud Endpoint Standard console can this action be completed?

Endpoints

Settings

Investigate

Alerts

Q28. Which statement accurately characterizes Alerts that are categorized as a “Threat” versus those categorized as
“Observed”?

“Threat” indicates an ongoing attack. “Observed” indicates the attack is over and is being watched.

“Threat” indicates a more likely malicious event. “Observed” are less likely to be malicious.

“Threat” indicates a block (Deny or Terminate) has occurred. “Observed” indicates that there is no block.

“Threat” indicates that no block (Deny or Terminate) has occurred. “Observed” indicates a block.

Q29. An administrator notices that a sensor’s local AV signatures are out-of-date.
What effect does this have on newly discovered files?

The reputation is determined by cloud reputation.

The sensor prompts the end user to allow or deny the file.

The sensor automatically blocks the new file.

The sensor is unable to block a malicious file.

Q30. An organization has the following requirements for allowing application.exe:
Must not work for any user’s D: drive
Must allow running only from inside of the user’s TempAllowed directory Must not allow running from anywhere outside of TempAllowed For example, on one user’s machine, the path is C:UsersLorieTempAllowedapplication.exe.
Which path meets this criteria using wildcards?

C:Users?TempAllowedapplication.exe

C:Users*TempAllowedapplication.exe

*:Users**TempAllowedapplication.exe

*:Users*TempAllowedapplication.exe

Q31. An administrator wants to be notified when particular Tactics, Techniques, or Procedures (TTPs) are observed on a managed endpoint.
Which notification option must the administrator configure to receive this notification?

Alert that crosses a threshold with the “observed” option selected

Alert that includes specific TTPs

Alert for a Watchlist hit

Policy action that is enforced with the “deny” opt ion selected

Q32. An administrator wants to block an application by its path instead of reputation. The following steps have already been taken:
Go to Enforce > Policies > Select the desired policy >
Which additional steps must be taken to complete the task?

Click Enforce > Add application path name

Scroll down to the Permissions section > Click Add application path > Enter the path of the desired application

Scroll down to the Blocking and Isolation section > Click Edit (pencil icon) for the desired Reputation

Scroll down to the Blocking and Isolation section > Click Add application path > Enter the path of the desired application

Q33. An administrator wants to be notified when particular Tactics, Techniques, or Procedures (TTPs) are observed on a managed endpoint.
Which notification option must the administrator configure to receive this notification?

Alert that crosses a threshold with the “observed” option selected

Alert that includes specific TTPs

Alert for a Watchlist hit

Policy action that is enforced with the “deny” opt ion selected

Q34. An administrator needs to use an ID to search and investigate security incidents in Carbon Black Cloud.
Which three IDs may be used for this purpose? (Choose three.)

Threat

Hash

Sensor

Event

User

Alert

Q35. The use of leading wildcards in a query is not recommended unless absolutely necessary because they carry a significant performance penalty for the search.
What is an example of a leading wildcard?

filemod:system32/ntdll.dll

filemod:system32/*ntdll.dll

filemod:*/system32/ntdll.dll

filemod:system32/ntdll.dll*

Q36. An administrator would like to proactively know that something may get blocked when putting a policy rule in the environment.
How can this information be obtained?

Search the data using the test rule functionality.
B Examine log files to see what would be impacted

Put the rules in and see what happens to the endpoints.
D Determine what would happen based on previously used antivirus software

Q37. What is a security benefit of VMware Carbon Black Cloud Endpoint Standard?

A flexible query scheduler that can be used to gather information about the environment

Visibility into the entire attack chain and customizable threat intelligence that can be used to gain insight into problems

Customizable threat feeds that plug into a single agent and single console

Policy rules that can be tested by selecting test rule next to the desired operation attempt

Q38. An administrator needs to configure a policy for macOS and Linux Sensors, not enabling settings which are only applicable to Windows.
Which three settings are only applicable to Sensors on the Windows operating system? (Choose three.)

Delay execute for cloud scan

Allow user to disable protection

Submit unknown binaries for analysis

Expedited background scan

Scan execute on network drives
F Require code to uninstall sensor

Q39. An administrator is tasked to create a reputation override for a company-critical application based on the highest available priority in the reputation list. The company-critical application is already known by VMware Carbon Black.
Which method of reputation override must the administrator use?

Signing Certificate

Hash

Local Approved

IT Tool

Q40. Which port does the VMware Carbon Black sensor use to communicate to VMware Carbon Black Cloud?

443

80

8443

22

Q41. An administrator needs to fully analyze the relevant information of an event stored in the VMware Carbon Black Cloud.
On which page can this information be found?

Enforce

Investigate

Live Query

Inventory

Q42. An administrator has determined that the following rule was the cause for an unexpected block:
[Suspected malware] [Invokes a command interpreter] [Terminate process] All reputations for the process which was blocked show SUSPECT_MALWARE.
Which reputation was used by the sensor for the decision to terminate the process?

Initial Cloud reputation

Actioned reputation

Current Cloud reputation

Effective reputation

Q43. An administrator has dismissed a group of alerts and ticked the box for “Dismiss future instances of this alert on all devices in all policies”. There is also a Notification configured to email the administrator whenever an alert of the same Severity occurs. The following day, a new alert is added to the same group of alerts.
How will this alert be handled?

The alert will show when the Dismissed filter is selected on the Alerts page, and a Notification email will be sent.

The alert will show when the Dismissed filter is selected on Alerts page, but a Notification email will not be sent.

The alert will show when the Not Dismissed filter is selected on Alerts page, and a Notification email will be sent.

The alert will show when Not Dismissed filter is selected on Alerts page, but a Notification email will not be sent.

Q44. An administrator needs to add an application to the Approved List in the VMware Carbon Black Cloud console.
Which two different methods may be used for this purpose? (Choose two.)

MD5 Hash

Signing Certificate

Application Path

Application Name

IT Tool

Explanation
The VMware Carbon Black Cloud Endpoint Standard allows administrators to add applications to the Approved List, which approves the presence and actions of specified applications on the endpoints. Adding to the Approved List is global in its effects and applies to all policies attached to a particular version of an application. There are two different methods that can be used to add applications to the Approved List: by signing certificate or by application path.
By signing certificate: This method allows administrators to approve files that are signed by a specific certificate authority (CA) or signer. For example, if an administrator wants to approve all files that are signed by Google Inc, they can add the signer name and the CA name to the Approved List. This method is useful for approving files that are frequently updated or have dynamic names or paths.
However, administrators should be careful when using wildcards or approving certificates from untrusted sources, as this could lead to incidentally approving malicious software that appears to be signed by a trusted CA or signer.
By application path: This method allows administrators to approve files that are located in a specific path on the endpoint. For example, if an administrator wants to approve a custom application that is installed in C:\Program Files\Custom Application\, they can add the path and the file name to the Approved List. This method is useful for approving files that have a fixed name and location on the endpoint. However, administrators should be aware that this method does not account for new versions of the application, and they should routinely update the Approved List to reflect the changes.
Administrators can also use wildcards to target certain files or directories, but they should be as specific as possible to avoid approving unwanted files.
The other options are not valid methods for adding applications to the Approved List. MD5 hash is a method for adding files to the Banned List, which prevents specific files from running on the endpoints by their hash values. Application name is a method for creating permission rules, which allow or deny the presence and actions of an application only on a specific device. IT Tool is not a method, but a category of applications that are recommended to be added to the Approved List, such as software deployment tools, executable installers, IDEs, compilers, or script editors. References: Adding to the Approved List, Endpoint Standard: How to add a Certificate to the Approved List, Endpoint Standard: How to add a SHA256 hash to Approved/Banned List

Leave a Reply Cancel reply