VMware 5V0-93.22 VMware Carbon Black Cloud Endpoint Standard Skills Exam Practice Test

• The connectivity that is required for VMware Carbon Black Cloud Endpoint Standard to perform Sensor Certificate Validation is TCP/443 to GoDaddy OCSP and CRL URLs (crl.godaddy.com and ocsp.godaddy.com). Sensor Certificate Validation is a feature that allows the Carbon Black Cloud agent to verify the authenticity and validity of the certificates used by the Carbon Black Cloud services. This feature enhances the security and trust of the communication between the agent and the cloud. To perform Sensor Certificate Validation, the agent needs to access the Online Certificate Status Protocol (OCSP) and Certificate Revocation List (CRL) services provided by GoDaddy, the certificate authority that issues the certificates for Carbon Black Cloud. These services use the HTTPS protocol, which runs on port 443. Therefore, the agent needs to have TCP/443 connectivity to the GoDaddy OCSP and CRL URLs, which are crl.godaddy.com and ocsp.godaddy.com12.
• The other options are incorrect because they do not specify the correct protocol, port, or URLs for Sensor Certificate Validation. TCP/80 is the port for HTTP, not HTTPS, and it is not used by the OCSP and CRL services. GoDaddy CRL URL is only one of the two URLs that the agent needs to access, the other one is GoDaddy OCSP URL. References:
• VMware Carbon Black Cloud Endpoint Standard Skills Reference Materials, Module 1: Introduction, page 1-8.
• VMware Carbon Black Cloud Endpoint Standard User Guide, Chapter 2: Sensor Installation, page 17.

 To prevent the use of unauthorized USB storage devices, the administrator needs to enable the USB Device Control feature in the VMware Carbon Black Cloud Endpoint Standard. This feature allows the administrator to approve or block specific USB devices based on their vendor ID, product ID, serial number, and device type. The administrator can also set a default action for unapproved USB devices, such as block, read-only, or allow. The administrator can manage the USB devices from the USB Devices page under the Settings menu. From this page, the administrator can view the list of USB devices that have been detected by the endpoints, and elect to approve only the allowed USB devices. The administrator can also export or import the list of approved USB devices for backup or replication purposes. References:

• VMware Carbon Black Cloud Endpoint Standard Skills Reference Materials, Module 4: USB Device Control, pages 4-1 to 4-9.
• VMware Carbon Black Cloud Endpoint Standard User Guide, Chapter 11: USB Device Control, pages 147-152.

The path that meets the criteria for allowing application.exe using wildcards is :\Users*\Temp\Allowed\application.exe. This path specifies that the executable file can run only from inside of the user’s Temp\Allowed directory, regardless of the drive letter or the user name. The wildcards used in this path are:

• *: Matches any single character or no character at all. For example, *:\ matches any drive letter, such as C:, D:, or E:.
• **: Matches a partial path across all subdirectory levels and is recursive. For example, \Users**\ matches any subdirectory under the Users directory, such as \Users\Lorie, \Users\John, or \Users\Alice\Documents.

The other paths do not meet the criteria for allowing application.exe using wildcards. A. C:\Users?\Temp\Allowed\application.exe does not allow running from any drive other than C:, and it only matches a single character for the user name, which may not be sufficient. B. C:\Users*\Temp\Allowed\application.exe does not allow running from any drive other than C:, and it may match more than one character for the user name, which may not be desired. D. *:\Users*\Temp\Allowed\application.exe allows running from any drive, but it may match more than one character for the user name, which may not be desired. References:

• Carbon Black Cloud: How to Use Wildcards in Policy Rules - Carbon Black Community, Wildcard Description table.

The correct answer is to click Drop Connection, which is a feature of VMware Carbon Black Cloud Endpoint Standard that allows the administrator to immediately terminate a network connection that is deemed malicious or suspicious. This feature can be accessed from the Alert Details page, where the administrator can see the application, process, and destination IP address of the connection. By clicking Drop Connection, the administrator can block the connection without affecting the rest of the system or network. This is a quick and effective way to stop a potential threat from communicating with a remote server or exfiltrating data. References: = VMware Carbon Black Cloud Endpoint Standard Skills Reference Materials, Section 4.3: Investigate Alerts, Subsection 4.3.2: Drop Connection.

To identify whether a sensor’s signature pack is out-of-date in VMware Carbon Black Cloud, the user can go to the Inventory page, select the Endpoints tab, and click on the device name of the endpointthey want to check. This will open the Endpoint Details page, where the user can see the Sensor Update Status, which shows the current version and date of the sensor’s signature pack, as well as the latest available version and date. If the current version is lower than the latest version, the sensor’s signature pack is out-of-date and needs to be updated. References: VMware Carbon Black Cloud Endpoint Standard Skills Reference Materials, Section 3.2.1: Monitor Sensor Health and Update Status, Page 25.

 The VMware Carbon Black Cloud Endpoint Standard allows administrators to add applications to the Approved List, which approves the presence and actions of specified applications on the endpoints. Adding to the Approved List is global in its effects and applies to all policies attached to a particular version of an application. There are two different methods that can be used to add applications to the Approved List: by signing certificate or by application path.

• By signing certificate: This method allows administrators to approve files that are signed by a specific certificate authority (CA) or signer. For example, if an administrator wants to approve all files that are signed by Google Inc, they can add the signer name and the CA name to the Approved List. This method is useful for approving files that are frequently updated or have dynamic names or paths. However, administrators should be careful when using wildcards or approving certificates from untrusted sources, as this could lead to incidentally approving malicious software that appears to be signed by a trusted CA or signer.
• By application path: This method allows administrators to approve files that are located in a specific path on the endpoint. For example, if an administrator wants to approve a custom application that is installed in C:\Program Files\Custom Application\, they can add the path and the file name to the Approved List. This method is useful for approving files that have a fixed name and location on the endpoint. However, administrators should be aware that this method does not account for new versions of the application, and they should routinely update the Approved List to reflect the changes. Administrators can also use wildcards to target certain files or directories, but they should be as specific as possible to avoid approving unwanted files.

The other options are not valid methods for adding applications to the Approved List. MD5 hash is a method for adding files to the Banned List, which prevents specific files from running on the endpoints by their hash values. Application name is a method for creating permission rules, which allow or deny the presence and actions of an application only on a specific device. IT Tool is not a method, but a category of applications that are recommended to be added to the Approved List, such as software deployment tools, executable installers, IDEs, compilers, or script editors. References: Adding to the Approved List, Endpoint Standard: How to add a Certificate to the Approved List, Endpoint Standard: How to add a SHA256 hash to Approved/Banned List

According to the VMware Carbon Black Cloud Endpoint Standard User Guide, the Sensor Service (RepMqr) is the process that is responsible for uploading event reporting to VMware Carbon Black Cloud. The Sensor Service (RepMqr) is one of the components of the VMware Carbon Black Cloud sensor, which is the software agent that runs on the endpoints and collects and sends data to the VMware Carbon Black Cloud console. The Sensor Service (RepMqr) is responsible for the following tasks:

• Collecting and compressing endpoint events
• Sending endpoint events to the VMware Carbon Black Cloud console
• Receiving and applying policy updates from the VMware Carbon Black Cloud console
• Performing actions requested by the VMware Carbon Black Cloud console, such as quarantine, unquarantine, or bypass

The other processes are not responsible for uploading event reporting to VMware Carbon Black Cloud. The Sensor Service (RepUx) is the process that is responsible for uploading file metadata and content to VMware Carbon Black Cloud. The Scanner Service (scanhost) is the process that is responsible for scanning the endpoint for malicious files and activity. The Scanner Service (Re) is the process that is responsible for scanning the endpoint for reputation information. References:

• VMware Carbon Black Cloud Endpoint Standard User Guide, page 7, Sensor Components section, Sensor Service (RepMqr) subsection.

The impact of using the wildcards in the application at path field is that executable files in the “Program Files” directory and subdirectories will be ignored by the VMware Carbon Black Cloud Endpoint Standard sensor. This is because the permission rule has the following options selected:

• Application at path: C:\Program Files**
• Operation Attempt: Performs any operation
• Action: Bypass

The application at path field specifies the path of the executable file that the rule applies to. The ** wildcard matches a partial path across all subdirectory levels and is recursive. For example, C:\Program Files** matches any files in that directory and all subdirectories1.

The operation attempt field specifies the type of operation that the executable file attempts to perform. The Performs any operation option means that the rule applies to any operation, such as creating a file, modifying a registry key, or executing a command.

The action field specifies the action that the VMware Carbon Black Cloud Endpoint Standard sensor takes when the rule is triggered. The Bypass option means that the sensor ignores the executable file and does not apply any blocking rules or log any events for it2.

Therefore, by using the wildcards in the application at path field, the permission rule effectively excludes any executable files in the “Program Files” directory and subdirectories from the VMware Carbon Black Cloud Endpoint Standard sensor’s prevention and detection capabilities. References:

• Prevention Policy Settings - VMware Docs, Permissions section, Action subsection.
• Set Permission Policy Rules - VMware Docs, Procedure section, step 4.
• Carbon Black Cloud: How to Use Wildcards in Policy Rules - Carbon Black Community, Wildcard Description table, ** row.

A leading wildcard is a wildcard that is placed at the beginning of a search term, such as * or ?. A leading wildcard matches any characters that precede the specified term. For example, filemod:/system32/ntdll.dll matches any file modification events that end with /system32/ntdll.dll, regardless of the drive letter or the directory name. A leading wildcard is not recommended unless absolutely necessary because it carries a significant performance penalty for the search. This is because the search engine has to scan the entire index for possible matches, rather than using the index to quickly narrow down the results1.

The other options are not examples of leading wildcards. A. filemod:system32/ntdll.dll is an exact match query that matches only file modification events that are exactly system32/ntdll.dll. B. filemod:system32/ntdll.dll is a trailing wildcard query that matches any file modification events that start with system32/ and end with ntdll.dll, regardless of the characters in between. D. filemod:system32/ntdll.dll is a trailing wildcard query that matches any file modification events that start with system32/ntdll.dll, regardless of the characters that follow. References:

• Search Syntax - VMware Docs, Wildcards section.

The impact of using the wildcards in the path is that all executable files in the “Program Files” folder and subfolders will be ignored, including malware files. This is because the double asterisk ** matches any files or directories in that path, and the Bypass action means that the sensor will notmonitor or block any operations performed by those files. This is a very permissive and risky rule, as it could allow malicious files to run without interference from the sensor. A more restrictive and secure rule would be to specify the exact path of the application that needs to be allowed, and use the Allow and Log action instead of Bypass. This way, the sensor will only ignore the specified application, and still log its operations for visibility and analysis. References: Carbon Black Cloud: How to Use Wildcards in Policy Rules, Set Permission Policy Rules

The Local White reputation is assigned to files that are either pre-existing on the device before the sensor installation, or signed by a trusted certificate, or created by an IT tool. The file signature is verified by the sensor against a list of trusted certificates that are stored locally on the device. If the file is signed by a certificate that matches one of the trusted certificates, the sensor assigns the Local White reputation to the file. This reputation indicates that the file is trusted and allowed to run on the device. The other options are incorrect because they do not qualify for the Local White reputation. Option A is incorrect because adding a file as an IT tool does not automatically assign it the Local White reputation. The file must also be signed by a trusted certificate or pre-existing on the device. Option C is incorrect because the hash being not on any known good or bad lists is not relevant for the Local White reputation. The file must also be signed by a trusted certificate or pre-existing on the device. Option D is incorrect because the hash being previously analyzed is notrelevant for the Local White reputation. The file must also be signed by a trusted certificate or pre-existing on the device. References: Reputations Assignment for Pre-Existing Files, Reputation Assignment

 According to the VMware Carbon Black Cloud Endpoint Standard User Guide, the threshold, in days, before a machine shows as inactive in the console is 7 days. An inactive device is a device that has not communicated with the Carbon Black Cloud console for more than 7 days. The console displays the last communication time for each device on the Endpoints page. The administrator can use the Inactive Devices filter to view all the inactive devices in the organization. The administrator can also use the Device Status widget on the Dashboard page to see the number and percentage of inactive devices in the organization. The administrator can take various actions to resolve the inactive device issue, such as:

• Check the network connectivity and firewall settings of the device
• Check the sensor status and version on the device
• Check the policy settings and rules applied to the device
• Reinstall the sensor on the device
• Delete the device from the console if it is no longer in use References:
• VMware Carbon Black Cloud Endpoint Standard User Guide, page 14, Inactive Devices section.

The pre-requisite step in gathering specific vulnerability data to export it as a CSV file for analysis is A. Perform a custom search on the Endpoint Page. This step allows the security administrator to use advanced search techniques to query the endpoint data collected by the VMware Carbon Black Cloud sensors. The administrator can use various fields and operators to filter and refine the search results, such as process_name, file_name, file_path, file_type, file_description, and more. Theadministrator can also use the process tree view to visualize the process execution and the event details to examine the process activity. After performing the custom search, the administrator can export the data as a CSV file for further analysis by clicking the Export () icon and selecting CSV Report. The CSV file is available for download under the Notifications drop-down menu1.

The other options are not pre-requisite steps in gathering specific vulnerability data to export it as a CSV file for analysis. Accessing the Audit Log content to see associated events is a step that allows the administrator to review actions performed by Carbon Black Cloud console users, such as logging in, creating policies, banning hashes, isolating devices, and initiating Live Response sessions. The Audit Log does not provide specific vulnerability data for the endpoints2. Searching for specific malware by hash or filename is a step that allows the administrator to find and analyze malicious files on the endpoints, but it does not provide comprehensive vulnerability data for the endpoints. Enabling cloud analysis is a step that allows the administrator to upload file metadata and content to the Carbon Black Cloud for reputation and threat intelligence analysis, but it does not provide specific vulnerability data for the endpoints3. References:

• Investigate Endpoint Data - VMware Docs, Overview section.
• Audit Logs - VMware Docs, Overview section.
• Cloud Analysis - VMware Docs, Overview section.

 A Watchlist is a collection of queries that run against the data in the VMware Carbon Black Cloud Endpoint Standard. Watchlists enable administrators to monitor the activity of endpoints for specific Tactics, Techniques, or Procedures (TTPs) that are of interest. Administrators can configure alerts for Watchlist hits, which will notify them when a particular TTP is observed on a managed endpoint. Alerts for Watchlist hits can be sent via email, syslog, or webhook. References:

• VMware Carbon Black Cloud Endpoint Standard Skills Reference Materials, Module 3: Threat Hunting, Lesson 3.2: Watchlists, page 3-10
• VMware Carbon Black Cloud Endpoint Standard User Guide, Chapter 7: Watchlists, page 115-116

The action that an administrator should take to ensure application.exe cannot run is to remove the Permissions rule for C:\Program Files\IT\Tools*. This is because the Permissions rule has a higher priority than the Blocking and Isolation rule, and it allows any operation on any file in that path, including application.exe. By removing the Permissions rule, the Blocking and Isolation rule will apply and terminate application.exe based on its SUSPECT_MALWARE reputation. The other options are incorrect because they will not prevent application.exe from running. Option A is incorrect because changing the reputation to KNOWN MALWARE will not override the Permissions rule that allows any operation on the file. Option B is incorrect because the file will not be blocked based on reputation alone, as the Permissions rule will bypass the reputation check. Option D is incorrect because adding the hash to the company banned list will not override the Permissions rule that allows any operation on the file. References: Precedence of Policy Rules, Set Permission Policy Rules, Set Blocking and Isolation Policy Rules

 The Investigate page in the VMware Carbon Black Cloud Endpoint Standard console is where the security administrator can perform a search to further inspect the script-based attack that was coded into Excel VBA. The Investigate page allows the administrator to use advanced search techniques to query the endpoint data collected by the VMware Carbon Black Cloud sensors. The administrator can use various fields and operators to filter and refine the search results, such as process_name, file_name, file_path, file_type, file_description, and more. The administrator can also use the processtree view to visualize the process execution and the event details to examine the process activity. For example, the administrator can use the following search query to find all the processes that have a file type of Excel VBA:

file_type:EXCEL_VBA

This query will return all the processes that have a file type of EXCEL_VBA, which is a file type that indicates the file contains Excel VBA code. The file_type field is a string that indicates the type of the file based on its content and format. The possible values for this field are:

• EXE: Executable file
• DLL: Dynamic-link library file
• SYS: System file
• BAT: Batch file
• CMD: Command file
• VBS: Visual Basic Script file
• JS: JavaScript file
• PS1: PowerShell Script file
• HTA: HTML Application file
• MSI: Windows Installer file
• DOC: Microsoft Word document file
• XLS: Microsoft Excel spreadsheet file
• PPT: Microsoft PowerPoint presentation file
• PDF: Portable Document Format file
• SWF: Shockwave Flash file
• JAR: Java Archive file
• CLASS: Java class file
• PY: Python script file
• SH: Shell script file
• PL: Perl script file
• RB: Ruby script file
• PHP: PHP script file
• ASP: Active Server Pages file
• ASPX: Active Server Pages Extended file
• HTML: HyperText Markup Language file
• XML: Extensible Markup Language file
• DOCM: Microsoft Word document with macros file
• XLAM: Microsoft Excel add-in with macros file
• XLSM: Microsoft Excel spreadsheet with macros file
• XLTM: Microsoft Excel template with macros file
• PPTM: Microsoft PowerPoint presentation with macros file
• POTM: Microsoft PowerPoint template with macros file
• PPAM: Microsoft PowerPoint add-in with macros file
• EXCEL_VBA: Excel Visual Basic for Applications file
• WORD_VBA: Word Visual Basic for Applications file
• POWERPOINT_VBA: PowerPoint Visual Basic for Applications file
• OUTLOOK_VBA: Outlook Visual Basic for Applications file
• ACCESS_VBA: Access Visual Basic for Applications file
• PROJECT_VBA: Project Visual Basic for Applications file
• VISIO_VBA: Visio Visual Basic for Applications file
• PUBLISHER_VBA: Publisher Visual Basic for Applications file
• INFOPATH_VBA: InfoPath Visual Basic for Applications file
• ONENOTE_VBA: OneNote Visual Basic for Applications file
• UNKNOWN: Unknown file type

Therefore, by using the Investigate page in the VMware Carbon Black Cloud Endpoint Standard console, the security administrator can perform a search to further inspect the script-based attack that was coded into Excel VBA. References:

• Investigate Endpoint Data - VMware Docs, Overview section.
• Advanced Search Techniques - VMware Docs, Using Fields section, file_type subsection.

These components can provide more information about the suspicious running process and its behavior, such as:

• Event details: This component shows the details of the event that triggered the alert, such as the device name, the device time, the process name, the process path, the process ID, the operation type, the operation result, the registry key, the registry value, and the registry data. The event details can help the security administrator to identify the source and the target of the registry modification attempt, and to verify if the operation was successful or not.
• Command lines: This component shows the command lines that were executed by the process or its parent process, such as the arguments, the parameters, the switches, and the environment variables. The command lines can help the security administrator to understand the purpose and the context of the process execution, and to detect any malicious or anomalous commands or scripts.
• TTPs involved: This component shows the tactics, techniques, and procedures (TTPs) that were involved in the event, based on the MITRE ATT&CK framework. The TTPs can help the security administrator to assess the severity and the impact of the event, and to correlate the event with other related events or indicators of compromise.

The other components are not as useful or relevant for investigating the alert. A. Device ID and priority score are components that provide general information about the device and the alert, but they do not provide specific details about the suspicious running process or its behavior. C. Network connections and child path are components that show the network activity and the child processes of the suspicious running process, but they do not show the registry modification attempt or its result. D. File reputation and timestamp are components that show the reputation and the time of the file associated with the suspicious running process, but they do not show the command lines orthe TTPs involved in the event. References: VMware Carbon Black Cloud Endpoint Standard Skills Reference Materials, Section 2.3.2: Investigate Alerts, Page 16.

 Unenforcing a policy rule means that the rule will still be evaluated, but the actions will not be taken. This allows the administrator to troubleshoot the issue without affecting the endpoints or generating alerts. Disabling, recalling, or deleting a policy rule will remove it from the evaluation process and may affect the security posture of the organization. References: VMware Carbon Black Cloud Endpoint Standard Skills Exam Guide1, VMware Carbon Black Cloud Endpoint Standard - On Demand Course