5V0-93.22 VMware Carbon Black Cloud Endpoint Standard Skills Questions and Answers

 Live Response is a tool that allows administrators to remotely access and remediate endpoints in real time. With Live Response, administrators can block a new malicious process by killing it, deleting its files, and removing any persistence mechanisms. Live Response can also be used to collect forensic data, run scripts, and perform other actions on the endpoints. References: VMware Carbon Black Cloud Endpoint Standard Skills Reference Materials, Section 5.3: Live Response. [Link]

VMware Carbon Black Cloud Endpoint Standard is a next-generation antivirus (NGAV) and behavioral endpoint detection and response (EDR) solution that protects against the full spectrum of modern cyber-attacks. It uses the VMware Carbon Black Cloud’s universal agent and console, the solution applies behavioral analytics to endpoint events to streamline detection, prevention, and response to cyber-attacks. One of the security benefits of Endpoint Standard is that it tags events and alerts with Carbon Black TTPs (tactics, techniques, and procedures) to provide context around attacks. Carbon Black TTPs are based on the MITRE ATT&CK framework, which is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. By tagging events and alerts with Carbon Black TTPs, Endpoint Standard helps security teams to understand the nature and scope of the attack, prioritize the most critical threats, and take appropriate actions to remediate them. References: Carbon Black Cloud Endpoint Standard - Technical Overview, VMware Carbon Black Cloud Endpoint Standard Datasheet, MITRE ATT&CK

A leading wildcard is a wildcard that is placed at the beginning of a search term, such as * or ?. A leading wildcard matches any characters that precede the specified term. For example, filemod:/system32/ntdll.dll matches any file modification events that end with /system32/ntdll.dll, regardless of the drive letter or the directory name. A leading wildcard is not recommended unless absolutely necessary because it carries a significant performance penalty for the search. This is because the search engine has to scan the entire index for possible matches, rather than using the index to quickly narrow down the results1.

The other options are not examples of leading wildcards. A. filemod:system32/ntdll.dll is an exact match query that matches only file modification events that are exactly system32/ntdll.dll. B. filemod:system32/ntdll.dll is a trailing wildcard query that matches any file modification events that start with system32/ and end with ntdll.dll, regardless of the characters in between. D. filemod:system32/ntdll.dll is a trailing wildcard query that matches any file modification events that start with system32/ntdll.dll, regardless of the characters that follow. References:

• Search Syntax - VMware Docs, Wildcards section.

The reputation that was used by the sensor for the decision to terminate the process was the effective reputation. The effective reputation is the reputation that the sensor uses to evaluate and enforce policy rules on the endpoint. The effective reputation is determined by the following factors:

• The initial cloud reputation, which is the reputation that the Carbon Black Cloud assigns to the file based on its analysis and threat intelligence feeds.
• The actioned reputation, which is the reputation that the administrator assigns to the file through the Carbon Black Cloud console, such as approve, ban, or dismiss.
• The current cloud reputation, which is the reputation that the Carbon Black Cloud updates for the file based on new information or changes in the threat landscape.

The effective reputation is the highest priority reputation among these three factors. For example, if the initial cloud reputation is SUSPECT_MALWARE, the actioned reputation is APPROVED, and the current cloud reputation is KNOWN_MALWARE, the effective reputation will be APPROVED, because it has the highest priority. The sensor will use the effective reputation to apply the policy rules on the endpoint. In this case, the process will not be blocked by the rule [Suspected malware] [Invokes a command interpreter] [Terminate process], because the effective reputation is not SUSPECT_MALWARE.

In the question scenario, the effective reputation for the process was SUSPECT_MALWARE, which means that either the initial cloud reputation, the actioned reputation, or the current cloud reputation was SUSPECT_MALWARE, and there was no higher priority reputation that overrode it. Therefore, the sensor used the effective reputation to enforce the policy rule and terminate the process. References:

• Endpoint Standard: How to Confirm Applied … - VMware Carbon Black, Resolution section.

The sensor status details can be found in the Inventory > Endpoints tab of the VMware Carbon Black Cloud interface. This tab displays all the deployed sensors by default, and allows the administrator to filter them by various criteria, such as status, policy, group, OS, or device name. The status column indicates the state of a sensor and any administrator actions that have been taken on the sensor, such as bypass, quarantine, or deregister. The administrator can also view more details about a sensor by clicking on its name, such as the sensor version, last check-in time, device health score, and policy history. The administrator can also take actions on a sensor from this tab, such as updating, isolating, or uninstalling the sensor. References: Sensor Status and Details — Asset Groups, Carbon Black Cloud Endpoint Standard - Technical Overview

• The VMware Carbon Black Cloud integration that is supported for SIEM is the Splunk App. The Splunk App allows administrators to bring alerts, events, audit logs, or vulnerability data from Carbon Black Cloud into their Splunk dashboard1. The Splunk App also supports Splunk SOAR, which enables automated actions and workflows based on Carbon Black Cloud alerts2.
• The other options are not supported for SIEM integration with Carbon Black Cloud. SolarWinds, LogRhythm, and Datadog are not listed among the 140+ ecosystempartnerships and integrations that Carbon Black Cloud offers3. They are also not part of the Next-Gen SOC Alliance, which features Splunk, IBM Security, Google Cloud’s Chronicle, Exabeam, and Sumo Logic integrations with Carbon Black Cloud1. References:
• VMware Carbon Black Cloud Endpoint Standard Skills Reference Materials, Section 2.6: Integrations
• VMware Carbon Black Cloud Endpoint Standard User Guide, Chapter 12: Integrations
• Integrations and APIs - VMware
• Carbon Black Cloud - Cloud SIEM | Sumo Logic Docs
• VMware Launches Next-Gen SOC Alliance with Splunk, IBM … - VMware Blogs

When an administrator dismisses a group of alerts and ticks the box for “Dismiss future instances of this alert on all devices in all policies”, the following happens:

• The alerts are moved to the Dismissed tab on the Alerts page, and the alert count is reduced accordingly.
• The alerts are no longer displayed on the Dashboard or the Device page.
• The alerts are no longer considered for the device health score or the policy health score.
• The alerts are no longer sent to any configured Notifications.

Therefore, if a new alert is added to the same group of alerts, it will also be dismissed automatically and follow the same rules as above. This means that the alert will show when the Dismissed filter is selected on Alerts page, but a Notification email will not be sent. References: VMware Carbon Black Cloud Endpoint Standard Skills Reference Materials, Section 6.2: Dismissing Alerts, Page 46.

 According to the VMware Carbon Black Cloud Endpoint Standard User Guide, the threshold, in days, before a machine shows as inactive in the console is 7 days. An inactive device is a device that has not communicated with the Carbon Black Cloud console for more than 7 days. The console displays the last communication time for each device on the Endpoints page. The administrator can use the Inactive Devices filter to view all the inactive devices in the organization. The administrator can also use the Device Status widget on the Dashboard page to see the number and percentage of inactive devices in the organization. The administrator can take various actions to resolve the inactive device issue, such as:

• Check the network connectivity and firewall settings of the device
• Check the sensor status and version on the device
• Check the policy settings and rules applied to the device
• Reinstall the sensor on the device
• Delete the device from the console if it is no longer in use References:
• VMware Carbon Black Cloud Endpoint Standard User Guide, page 14, Inactive Devices section.

 The VMware Carbon Black Cloud Endpoint Standard allows administrators to add applications to the Approved List, which approves the presence and actions of specified applications on the endpoints. Adding to the Approved List is global in its effects and applies to all policies attached to a particular version of an application. There are two different methods that can be used to add applications to the Approved List: by signing certificate or by application path.

• By signing certificate: This method allows administrators to approve files that are signed by a specific certificate authority (CA) or signer. For example, if an administrator wants to approve all files that are signed by Google Inc, they can add the signer name and the CA name to the Approved List. This method is useful for approving files that are frequently updated or have dynamic names or paths. However, administrators should be careful when using wildcards or approving certificates from untrusted sources, as this could lead to incidentally approving malicious software that appears to be signed by a trusted CA or signer.
• By application path: This method allows administrators to approve files that are located in a specific path on the endpoint. For example, if an administrator wants to approve a custom application that is installed in C:\Program Files\Custom Application\, they can add the path and the file name to the Approved List. This method is useful for approving files that have a fixed name and location on the endpoint. However, administrators should be aware that this method does not account for new versions of the application, and they should routinely update the Approved List to reflect the changes. Administrators can also use wildcards to target certain files or directories, but they should be as specific as possible to avoid approving unwanted files.

The other options are not valid methods for adding applications to the Approved List. MD5 hash is a method for adding files to the Banned List, which prevents specific files from running on the endpoints by their hash values. Application name is a method for creating permission rules, which allow or deny the presence and actions of an application only on a specific device. IT Tool is not a method, but a category of applications that are recommended to be added to the Approved List, such as software deployment tools, executable installers, IDEs, compilers, or script editors. References: Adding to the Approved List, Endpoint Standard: How to add a Certificate to the Approved List, Endpoint Standard: How to add a SHA256 hash to Approved/Banned List

VMware Carbon Black Cloud is a cloud-native endpoint and workload protection platform that combines the intelligent system hardening and behavioral prevention needed to keep emerging threats at bay, using a single lightweight agent and an easy-to-use console. One of the capabilities of VMware Carbon Black Cloud is attack chain visualization and search, which allows users to see the full scope of an attack, from initial compromise to lateral movement, and quickly search for indicators of compromise across endpoints and workloads. References: VMware Carbon Black Cloud Endpoint Standard Skills Exam Guide, page 4; VMware Carbon Black Cloud Endpoint Standard Skills Study Guide, page 6.

Placing the device in quarantine is the recommended immediate action to prevent further exfiltration of data by the malware. Quarantine is a feature of VMware Carbon Black Cloud Endpoint Standard that allows you to isolate a device from the network, preventing any communication with other devices or external servers. This can help contain an active threat and prevent further damage. You can quarantine a device from the Devices page or from the Device Summary page. You can also unquarantine a device when the threat is resolved. References:

• VMware Carbon Black Cloud Endpoint Standard - On Demand, Module 5: Responding to Threats, Lesson 2: Quarantine a Device, slide 5.
• VMware Carbon Black Cloud Endpoint Standard, page 11, Quarantine a Device.

• To block an application by its path instead of reputation, the administrator needs to follow these steps:
• The other options are incorrect because they do not specify the correct section, button, or field for blocking an application by its path. The Enforce section is for managing the policy assignments, not the policy rules. The Permissions section is for managing the application control rules, not the application blocking rules. The Edit (pencil icon) button is for modifying the existing reputation levels, not for adding a new application path rule. References:
• VMware Carbon Black Cloud Endpoint Standard Skills Reference Materials, Module 3: Application Control, pages 3-7 to 3-8.
• VMware Carbon Black Cloud Endpoint Standard User Guide, Chapter 9: Application Control, pages 115-116.

 When an administrator places an endpoint into bypass mode, VMware Carbon Black Cloud Endpoint Standard will not provide any protection to the endpoint. Bypass mode is a feature that allows the administrator to disable all policy rule enforcement on the endpoint, which means that the endpoint is not actively protected by VMware Carbon Black Cloud Endpoint Standard. The sensor will ignore any malicious or suspicious activity on the endpoint and will not log any events or send any data to the Carbon Black Cloud console. The administrator can use bypass mode to troubleshoot application interoperability, bootup, or login issues on the endpoint, or to upgrade the operating system on the endpoint. The administrator can enable or disable bypass mode from the Carbon Black Cloud console, the sensor UI, or the command line. The administrator can also view the reason and duration of the bypass mode from the Carbon Black Cloud console12.

The other options are incorrect or irrelevant. VMware Carbon Black Cloud Endpoint Standard will not be uninstalled from the endpoint when it is placed into bypass mode. The sensor will still be running on the endpoint, but it will not enforce any policy rules. VMware Carbon Black Cloud Endpoint Standard will not place the machine in quarantine when it is placed into bypass mode. Quarantine is a different feature that allows the administrator to isolate the endpoint from the network, preventing any communication with other devices or external servers. VMware Carbon Black Cloud Endpoint Standard will not apply policy rules when the endpoint is placed into bypass mode. Policy rules are the settings that define how the sensor detects and prevents threats on the endpoint. Bypass mode disables all policy rule enforcement on the endpoint. References:

• Sensor Bypass Mode - VMware Docs, Overview section.
• Carbon Black Cloud: How to Get Started With Bypass Mode - Carbon Black Community, Objective section.

 The correct answer is C because it uses the correct syntax for the advanced search query. The process_name field matches the name of the process, and the AND NOT operator excludes the results that match the second condition. The backslashes in the path need to be escaped with another backslash, so C:\Windows\System32 is the correct way to write it. References: VMware Carbon Black Cloud Endpoint Standard Skills Reference Materials, Section 3.3.2: Investigate Page - Advanced Search.

It is possible to search for unsigned files in the VMware Carbon Black Cloud console by using the search query:

NOT process_publisher_state:FILE_SIGNATURE_STATE_SIGNED

This query will return all the processes that have a publisher state other than FILE_SIGNATURE_STATE_SIGNED, which means they are either unsigned or have an invalid signature. The process_publisher_state field is a string that indicates the signature status of the process executable file. The possible values for this field are:

• FILE_SIGNATURE_STATE_SIGNED: The file has a valid signature.
• FILE_SIGNATURE_STATE_UNSIGNED: The file does not have a signature.
• FILE_SIGNATURE_STATE_INVALID: The file has a signature, but it is invalid or corrupted.
• FILE_SIGNATURE_STATE_MISSING: The file signature could not be retrieved or verified.

The NOT operator is a Boolean NOT operator that negates the following term or phrase. For example, NOT svchost.exe will return all the processes that are not named svchost.exe.

Therefore, by using the NOT operator with the process_publisher_state field and the value FILE_SIGNATURE_STATE_SIGNED, we can search for unsigned files in the console. References:

• Advanced Search Techniques - VMware Docs, Using Regular Expressions (regex) section, NOT Operator subsection.
• Carbon Black Cloud: Search for process_publisher_s… - Carbon Black …, The CB sensor now reinspects operating system files that appear unsigned to reverify their digital signature and avoid the tamper blocks section.