5V0-93.22 Exam Dumps - VMware Carbon Black Cloud Endpoint Standard Skills

The tool that the security administrator is using to remediate a security vulnerability that may affect the sensors is Live Response. Live Response is a feature of VMware Carbon Black Cloud Endpoint Standard that allows the administrator to perform remote investigations, contain ongoing attacks, and remediate threats using a command line interface. Live Response enables the administrator to interact with the sensors and access the endpoints in real time, using various commands and scripts. Live Response can also be used to upload or download files, execute processes, terminate processes, delete files, and more12.

The other tools are not relevant or applicable for this scenario. CBLauncher is a tool that allows the administrator to launch applications on the endpoint without triggering policy rules or alerts. CBLauncher is useful for troubleshooting application compatibility issues or testing new applications, but it does not provide interaction or remote access for further investigation3. PowerCLI is a tool that allows the administrator to automate and manage VMware products and services using PowerShell commands and scripts. PowerCLI is useful for administering VMware virtual machines, hosts, networks, storage, and more, but it does not provide interaction or remote access for further investigation4. IRepCLI is a tool that allows the administrator to generate and upload reputation information for files on the endpoint. IRepCLI is useful for enhancing the threat intelligence and detection capabilities of VMware Carbon Black Cloud, but it does not provide interaction or remote access for further investigation5. References:

• Use Live Response - VMware Docs, Overview section.
• CBLauncher - VMware Docs, Overview section.
• Live Response Commands - VMware Docs, Overview section.
• VMware PowerCLI Documentation, Overview section.
• IRepCLI - VMware Docs, Overview section.

The impact of using the wildcards in the path is that all executable files in the “Program Files” folder and subfolders will be ignored, including malware files. This is because the double asterisk ** matches any files or directories in that path, and the Bypass action means that the sensor will notmonitor or block any operations performed by those files. This is a very permissive and risky rule, as it could allow malicious files to run without interference from the sensor. A more restrictive and secure rule would be to specify the exact path of the application that needs to be allowed, and use the Allow and Log action instead of Bypass. This way, the sensor will only ignore the specified application, and still log its operations for visibility and analysis. References: Carbon Black Cloud: How to Use Wildcards in Policy Rules, Set Permission Policy Rules

The impact of using the wildcards in the path for this rule is C. Any executable in the downloads directory for any user on the system will be bypassed for inspection. This is because the permission rule has the following options selected:

• Application at path: C:\Users*\Downloads**
• Operation Attempt: Performs any operation
• Action: Bypass

The application at path field specifies the path of the executable file that the rule applies to. The * wildcard matches 0 or more consecutive characters up to a single subdirectory level. For example, C:\Users*\ matches any subdirectory under the Users directory, such as C:\Users\Lorie, C:\Users\John, or C:\Users\Alice. The ** wildcard matches a partial path across all subdirectory levels and is recursive. For example, \Downloads** matches any files in that directory and all subdirectories. Therefore, by using the wildcards in the application at path field, the permission rule covers any executable file in the downloads directory for any user on the system.

The operation attempt field specifies the type of operation that the executable file attempts to perform. The Performs any operation option means that the rule applies to any operation, such as creating a file, modifying a registry key, or executing a command.

The action field specifies the action that the VMware Carbon Black Cloud Endpoint Standard sensor takes when the rule is triggered. The Bypass option means that the sensor ignores the executable file and does not apply any blocking rules or log any events for it1.

Therefore, by using the wildcards in the path for this rule, the permission rule effectively bypasses any executable file in the downloads directory for any user on the system from the VMware Carbon Black Cloud Endpoint Standard sensor’s prevention and detection capabilities. References:

• Prevention Policy Settings - VMware Docs, Permissions section, Action subsection.

The best rule to prevent a spreadsheet from being misused to run malicious code, while minimizing the risk of breaking normal operations of a spreadsheet, is B. **\excel.exe [Invokes a command interpreter] [Deny operation]. This rule will prevent any Excel process from invoking a command interpreter, such as cmd.exe or powershell.exe, which is a common technique used by malware to execute malicious commands or scripts. This rule will deny the operation but not terminate the process, which may allow the spreadsheet to continue functioning normally. This rule is more specific and effective than option A, which only applies to Microsoft Office applications that run external code, or option C, which applies to Excel applications that communicate over the network. Option D is incorrect because it is too vague and may not catch all the possible ways that a spreadsheet can run malware.

VMware Carbon Black Cloud Endpoint Standard uses a hybrid approach to determine the reputation of files on the endpoints. It combines local scan, which uses signature-based detection to identify known malware, and cloud scan, which uses cloud-based analytics and machine learning to identify unknown or emerging threats. When a sensor’s local AV signatures are out-of-date, it means that the local scan cannot detect the latest malware variants that have been added to the signature database. However, this does not affect the cloud scan, which can still determine the reputation of newly discovered files based on their behavior, characteristics, and context. Therefore, the effect of having out-of-date local AV signatures is that the reputation is determined by cloud reputation, which is more accurate and up-to-date than signature-based detection. The other options are not correct, because the sensor does not prompt the end user, automatically block, or fail to block a new file based on the local AV signatures alone. References: Carbon Black Cloud Endpoint Standard - Technical Overview, View and Update Signature Versions, Endpoint Standard: How to verify AV Signatures are updating

 A security benefit of VMware Carbon Black Cloud Endpoint Standard is that it provides visibility into the entire attack chain and customizable threat intelligence that can be used to gain insight into problems. Endpoint Standard uses behavioral analytics to detect and prevent malicious activity on endpoints, and also collects comprehensive event data that can be used to investigate and respond to incidents. Endpoint Standard also allows administrators to customize their threat intelligence feeds and alerts, and integrate with other security tools and platforms. This way, administrators can gain a deeper understanding of the threats facing their organization and take appropriate actions to mitigate them. The other options are incorrect because they are not security benefits of Endpoint Standard. Option A is incorrect because a flexible query scheduler is a feature of VMware Carbon Black Audit and Remediation, not Endpoint Standard. Option C is incorrect because customizable threat feeds are a feature of VMware Carbon Black Enterprise EDR, not Endpoint Standard. Option D is incorrect because policy rules that can be tested by selecting test rule next to the desired operation attempt are a feature of VMware Carbon Black App Control, not Endpoint Standard. References: VMware Carbon Black Cloud Endpoint Standard Datasheet, Carbon Black Cloud Endpoint Standard - Technical Overview

 The correct answer is C because it uses the correct syntax for the advanced search query. The process_name field matches the name of the process, and the AND NOT operator excludes the results that match the second condition. The backslashes in the path need to be escaped with another backslash, so C:\Windows\System32 is the correct way to write it. References: VMware Carbon Black Cloud Endpoint Standard Skills Reference Materials, Section 3.3.2: Investigate Page - Advanced Search.

The best rule to prevent ransomware that has not been seen before, without blocking other processes, is B. This rule uses the following criteria:

• Not listed application: This means that the application is not known by Carbon Black Cloud Endpoint Standard, and it has no reputation or signature. This can indicate a new or unknown malware that has not been detected by other methods.
• Performs ransomware-like behavior: This means that the application is performing actions that are typical of ransomware, such as encrypting files, deleting backups, or displaying ransom notes. This can indicate a malicious intent and a high risk of data loss or damage.
• Terminate process: This means that the application is stopped and removed from the endpoint, preventing it from completing its malicious actions or spreading to other devices. This can mitigate the impact and severity of the attack.

The other rules are not as effective or appropriate for preventing ransomware that has not been seen before, without blocking other processes. Rule A would only block adware or potentially unwanted programs (PUPs) that scrape memory of another process, which is not necessarily related to ransomware. Rule C would block any unknown malware that runs or is running, which is too broad and could affect legitimate applications that are not listed by Carbon Black. Rule D would block any not listed application that runs or is running, which is also too broad and could affect legitimate applications that are not listed by Carbon Black. References: Carbon Black Cloud Endpoint Standard - Technical Overview, Best Practices: Endpoint Standard Blocking & Isolation Rules, Endpoint Standard: How to add a SHA256 hash to Approved/Banned List

According to the VMware Carbon Black Cloud Sensor Installation Guide, the permission level that is required when a user wants to install a sensor on a Windows endpoint is Administrator. The usermust have local administrator privileges on the endpoint to install the sensor. The user can install the sensor by using one of the following methods:

• Method 1: Invite Users to Install Sensors on Endpoints: This method allows the user to install the sensor by using an installation code that is sent by email from the Carbon Black Cloud console. The user must run the installation code as an administrator on the endpoint.
• Method 2: Install the Sensor on the Endpoint by using the Command Line or Software Distribution Tools: This method allows the user to install the sensor by using the command line, or by using a scripted or automated method such as Group Policy or systems management tools. The user must run the installation command or script as an administrator on the endpoint.

The other permission levels are not sufficient or relevant for installing a sensor on a Windows endpoint. Everyone is a group that includes all users and groups on the endpoint, but it does not grant administrator privileges. Root is a user that has full access and control over a Linux or Unix system, but it is not applicable to a Windows endpoint. User is a general term that refers to any person who uses a computer or network service, but it does not imply administrator privileges. References:

• VMware Carbon Black Cloud Sensor Installation Guide, page 7, Sensor Components section, Sensor Service (RepMqr) subsection.
• Installing Windows Sensors on Endpoints - VMware Docs, Procedure section, step 1.

Event data is categorized and identified by a unique event ID in VMware Carbon Black Cloud. The sensor will upload all event data to the Investigate page of the Endpoint Standard Console. This includes but is not limited to all failed and successful operations which happen at the machine level as well as any operations which are blocked or terminated by the sensor. Each event sent from the sensor to the Dashboard will be assigned a unique event ID. References: Endpoint Standard: How is event data categorized, and formed into an Alert1

To identify whether a sensor’s signature pack is out-of-date in VMware Carbon Black Cloud, the user can go to the Inventory page, select the Endpoints tab, and click on the device name of the endpointthey want to check. This will open the Endpoint Details page, where the user can see the Sensor Update Status, which shows the current version and date of the sensor’s signature pack, as well as the latest available version and date. If the current version is lower than the latest version, the sensor’s signature pack is out-of-date and needs to be updated. References: VMware Carbon Black Cloud Endpoint Standard Skills Reference Materials, Section 3.2.1: Monitor Sensor Health and Update Status, Page 25.

The Investigate page in VMware Carbon Black Cloud Endpoint Standard is where the administrator can fully analyze the relevant information of an event stored in the VMware Carbon Black Cloud. The Investigate page allows the administrator to search for events based on various criteria, such as process name, hash, device name, policy, alert, and Carbon Black TTPs. The administrator can also use the New Investigate Experience toggle to switch to the Observations view, which provides more granular and enriched data about the events. The Investigate page also provides access to the Process Analysis page, which is a graphical view of the event that shows the process tree, the event timeline, and the event details. The Process Analysis page can help the administrator to understand the context and impact of the event, as well as to take actions such as isolating the device, banningthe hash, or creating a watchlist. References: Carbon Black Cloud Endpoint Standard - Technical Overview, New Enriched Events Experience for Endpoint Standard Customers, Investigate Page

The reputation that was used by the sensor for the decision to terminate the process was the effective reputation. The effective reputation is the reputation that the sensor uses to evaluate and enforce policy rules on the endpoint. The effective reputation is determined by the following factors:

• The initial cloud reputation, which is the reputation that the Carbon Black Cloud assigns to the file based on its analysis and threat intelligence feeds.
• The actioned reputation, which is the reputation that the administrator assigns to the file through the Carbon Black Cloud console, such as approve, ban, or dismiss.
• The current cloud reputation, which is the reputation that the Carbon Black Cloud updates for the file based on new information or changes in the threat landscape.

The effective reputation is the highest priority reputation among these three factors. For example, if the initial cloud reputation is SUSPECT_MALWARE, the actioned reputation is APPROVED, and the current cloud reputation is KNOWN_MALWARE, the effective reputation will be APPROVED, because it has the highest priority. The sensor will use the effective reputation to apply the policy rules on the endpoint. In this case, the process will not be blocked by the rule [Suspected malware] [Invokes a command interpreter] [Terminate process], because the effective reputation is not SUSPECT_MALWARE.

In the question scenario, the effective reputation for the process was SUSPECT_MALWARE, which means that either the initial cloud reputation, the actioned reputation, or the current cloud reputation was SUSPECT_MALWARE, and there was no higher priority reputation that overrode it. Therefore, the sensor used the effective reputation to enforce the policy rule and terminate the process. References:

• Endpoint Standard: How to Confirm Applied … - VMware Carbon Black, Resolution section.

To make sure all files are scanned locally upon execution, the administrator needs to set the On-Access File Scan Mode to Aggressive. This setting will scan all files on execute, regardless of whether they are new or pre-existing on the device. The assigned reputation and policy rules will apply to the scanned files. The other options are incorrect because they are not necessary to complete this task. Option B is incorrect because the Signature Update frequency is not related to the local scanning of files upon execution. It is related to how often the sensor checks in for signature pack updates. Option C is incorrect because the Allow Signature Updates is not related to the local scanning of files upon execution. It is related to enabling or disabling signature updates for the scanner. Option D is incorrect because the Run Background Scan is not related to the local scanning of files upon execution. It is related to enabling or disabling a one-time background scan on any endpoint sensorassigned to a policy. References: Configure Local Scan Settings, Endpoint Standard: How To Configure Local AV Scan

VMware Carbon Black Cloud Endpoint Standard is a next-generation antivirus (NGAV) and behavioral endpoint detection and response (EDR) solution that protects against the full spectrum of modern cyber-attacks. It uses the VMware Carbon Black Cloud’s universal agent and console, the solution applies behavioral analytics to endpoint events to streamline detection, prevention, and response to cyber-attacks. One of the security benefits of Endpoint Standard is that it tags events and alerts with Carbon Black TTPs (tactics, techniques, and procedures) to provide context around attacks. Carbon Black TTPs are based on the MITRE ATT&CK framework, which is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. By tagging events and alerts with Carbon Black TTPs, Endpoint Standard helps security teams to understand the nature and scope of the attack, prioritize the most critical threats, and take appropriate actions to remediate them. References: Carbon Black Cloud Endpoint Standard - Technical Overview, VMware Carbon Black Cloud Endpoint Standard Datasheet, MITRE ATT&CK