5V0-93.22 Questions and Answers

VMware Carbon Black Cloud is a cloud-native endpoint and workload protection platform that combines the intelligent system hardening and behavioral prevention needed to keep emerging threats at bay, using a single lightweight agent and an easy-to-use console. One of the capabilities of VMware Carbon Black Cloud is attack chain visualization and search, which allows users to see the full scope of an attack, from initial compromise to lateral movement, and quickly search for indicators of compromise across endpoints and workloads. References: VMware Carbon Black Cloud Endpoint Standard Skills Exam Guide, page 4; VMware Carbon Black Cloud Endpoint Standard Skills Study Guide, page 6.

To create a search that excludes “system.exe”, the administrator needs to use the minus sign (-) as a negation operator in the search query. The negation operator excludes any events that match the specified field and value from the search results. For example, the query -process_name:system.exe will return all the events that do not have “system.exe” as the process name. The other options are incorrect because they do not use the negation operator. The hash sign (#) is used to search for exact matches, the asterisk (*) is used as a wildcard character, and the angle brackets (< >) are used to search for ranges of values. References:

• VMware Carbon Black Cloud Endpoint Standard Skills Reference Materials, Module 2: Search, pages 2-5 to 2-6.
• VMware Carbon Black Cloud Endpoint Standard User Guide, Chapter 7: Search, pages 83-84.

 The operation attempt that must use a Terminate Process action is Scrapes memory of another process. This is a policy rule in VMware Carbon Black Cloud Endpoint Standard that blocks and terminates any process that attempts to read the memory of another process. This is a common technique used by malware to steal sensitive information, such as passwords, encryption keys, or tokens, from legitimate applications. By using a Terminate Process action, the policy rule ensures that the malicious process is stopped and removed from the endpoint, preventing further damage or data exfiltration. The other operation attempts do not require a Terminate Process action, but they can use other actions, such as Alert, Deny, or Isolate Device, depending on the policy configuration and the security needs of the organization. References: Carbon Black Cloud Endpoint Standard - Technical Overview, Best Practices: Endpoint Standard Blocking & Isolation Rules, Endpoint Standard: Deny/Terminate action taken on an Allowed Application

To make sure all files are scanned locally upon execution, the administrator needs to set the On-Access File Scan Mode to Aggressive. This setting will scan all files on execute, regardless of whether they are new or pre-existing on the device. The assigned reputation and policy rules will apply to the scanned files. The other options are incorrect because they are not necessary to complete this task. Option B is incorrect because the Signature Update frequency is not related to the local scanning of files upon execution. It is related to how often the sensor checks in for signature pack updates. Option C is incorrect because the Allow Signature Updates is not related to the local scanning of files upon execution. It is related to enabling or disabling signature updates for the scanner. Option D is incorrect because the Run Background Scan is not related to the local scanning of files upon execution. It is related to enabling or disabling a one-time background scan on any endpoint sensorassigned to a policy. References: Configure Local Scan Settings, Endpoint Standard: How To Configure Local AV Scan

The pre-requisite step in gathering specific vulnerability data to export it as a CSV file for analysis is A. Perform a custom search on the Endpoint Page. This step allows the security administrator to use advanced search techniques to query the endpoint data collected by the VMware Carbon Black Cloud sensors. The administrator can use various fields and operators to filter and refine the search results, such as process_name, file_name, file_path, file_type, file_description, and more. Theadministrator can also use the process tree view to visualize the process execution and the event details to examine the process activity. After performing the custom search, the administrator can export the data as a CSV file for further analysis by clicking the Export () icon and selecting CSV Report. The CSV file is available for download under the Notifications drop-down menu1.

The other options are not pre-requisite steps in gathering specific vulnerability data to export it as a CSV file for analysis. Accessing the Audit Log content to see associated events is a step that allows the administrator to review actions performed by Carbon Black Cloud console users, such as logging in, creating policies, banning hashes, isolating devices, and initiating Live Response sessions. The Audit Log does not provide specific vulnerability data for the endpoints2. Searching for specific malware by hash or filename is a step that allows the administrator to find and analyze malicious files on the endpoints, but it does not provide comprehensive vulnerability data for the endpoints. Enabling cloud analysis is a step that allows the administrator to upload file metadata and content to the Carbon Black Cloud for reputation and threat intelligence analysis, but it does not provide specific vulnerability data for the endpoints3. References:

• Investigate Endpoint Data - VMware Docs, Overview section.
• Audit Logs - VMware Docs, Overview section.
• Cloud Analysis - VMware Docs, Overview section.

The best rule to prevent a spreadsheet from being misused to run malicious code, while minimizing the risk of breaking normal operations of a spreadsheet, is B. **\excel.exe [Invokes a command interpreter] [Deny operation]. This rule will prevent any Excel process from invoking a command interpreter, such as cmd.exe or powershell.exe, which is a common technique used by malware to execute malicious commands or scripts. This rule will deny the operation but not terminate the process, which may allow the spreadsheet to continue functioning normally. This rule is more specific and effective than option A, which only applies to Microsoft Office applications that run external code, or option C, which applies to Excel applications that communicate over the network. Option D is incorrect because it is too vague and may not catch all the possible ways that a spreadsheet can run malware.

 A security benefit of VMware Carbon Black Cloud Endpoint Standard is that it provides visibility into the entire attack chain and customizable threat intelligence that can be used to gain insight into problems. Endpoint Standard uses behavioral analytics to detect and prevent malicious activity on endpoints, and also collects comprehensive event data that can be used to investigate and respond to incidents. Endpoint Standard also allows administrators to customize their threat intelligence feeds and alerts, and integrate with other security tools and platforms. This way, administrators can gain a deeper understanding of the threats facing their organization and take appropriate actions to mitigate them. The other options are incorrect because they are not security benefits of Endpoint Standard. Option A is incorrect because a flexible query scheduler is a feature of VMware Carbon Black Audit and Remediation, not Endpoint Standard. Option C is incorrect because customizable threat feeds are a feature of VMware Carbon Black Enterprise EDR, not Endpoint Standard. Option D is incorrect because policy rules that can be tested by selecting test rule next to the desired operation attempt are a feature of VMware Carbon Black App Control, not Endpoint Standard. References: VMware Carbon Black Cloud Endpoint Standard Datasheet, Carbon Black Cloud Endpoint Standard - Technical Overview

Event data is categorized and identified by a unique event ID in VMware Carbon Black Cloud. The sensor will upload all event data to the Investigate page of the Endpoint Standard Console. This includes but is not limited to all failed and successful operations which happen at the machine level as well as any operations which are blocked or terminated by the sensor. Each event sent from the sensor to the Dashboard will be assigned a unique event ID. References: Endpoint Standard: How is event data categorized, and formed into an Alert1

The action that an administrator should take to ensure application.exe cannot run is to remove the Permissions rule for C:\Program Files\IT\Tools*. This is because the Permissions rule has a higher priority than the Blocking and Isolation rule, and it allows any operation on any file in that path, including application.exe. By removing the Permissions rule, the Blocking and Isolation rule will apply and terminate application.exe based on its SUSPECT_MALWARE reputation. The other options are incorrect because they will not prevent application.exe from running. Option A is incorrect because changing the reputation to KNOWN MALWARE will not override the Permissions rule that allows any operation on the file. Option B is incorrect because the file will not be blocked based on reputation alone, as the Permissions rule will bypass the reputation check. Option D is incorrect because adding the hash to the company banned list will not override the Permissions rule that allows any operation on the file. References: Precedence of Policy Rules, Set Permission Policy Rules, Set Blocking and Isolation Policy Rules

• To block an application by its path instead of reputation, the administrator needs to follow these steps:
• The other options are incorrect because they do not specify the correct section, button, or field for blocking an application by its path. The Enforce section is for managing the policy assignments, not the policy rules. The Permissions section is for managing the application control rules, not the application blocking rules. The Edit (pencil icon) button is for modifying the existing reputation levels, not for adding a new application path rule. References:
• VMware Carbon Black Cloud Endpoint Standard Skills Reference Materials, Module 3: Application Control, pages 3-7 to 3-8.
• VMware Carbon Black Cloud Endpoint Standard User Guide, Chapter 9: Application Control, pages 115-116.

The most effective way to meet the goal of blocking ransomware in the organization is to turn on the performs ransomware-like behavior rule in the policies. This rule is a feature of VMware Carbon Black Cloud Endpoint Standard that uses behavioral analytics to detect and prevent actions that are typical of ransomware, such as encrypting files, deleting backups, or displaying ransom notes. By turning on this rule, the administrator can block any application that attempts to perform ransomware-like behavior, regardless of its reputation or signature. This can protect the organization from new or unknown ransomware variants that may not be detected by other methods. The administrator can also customize the rule to apply different actions, such as alert, deny, or terminate, depending on the policy configuration and the security needs of the organization.

The other options are not as effective or appropriate for blocking ransomware in the organization. Option A is not proactive, but reactive, as it relies on looking at current attacks to see if the software that is running is vulnerable to potential ransomware attacks. This may not be sufficient to prevent future attacks that use different software or exploit different vulnerabilities. Option C is not accurate, as analytics alone cannot automatically block all the attacks that may occur. Analytics can help toidentify and prioritize the most critical threats, but the administrator still needs to configure the policies and rules to block the attacks. Option D is not recommended, as it exposes the organization to unnecessary risk. Starting in the monitored policy until it is clear that no attacks are happening means that the administrator is not taking any preventive actions, but only monitoring the endpoint activity and logging the events. This may not be enough to stop or mitigate the impact of a ransomware attack, which can cause irreversible damage or data loss in a short time. References: Carbon Black Cloud Endpoint Standard - Technical Overview, Best Practices:

The company banned list is a feature of VMware Carbon Black Cloud Endpoint Standard that allows administrators to prevent specific files from running on the endpoints by their hash values. The company banned list has a higher priority than the file reputation, so even if the file is not listed or unknown by Carbon Black, it will be blocked if its hash is in the company banned list. Adding the hash to the company banned list is the most effective and efficient way to prevent the file from executing on the endpoints. The other options are either not feasible or not scalable. Adding the hash to the malware list would not work, because the malware list is a global list maintained by Carbon Black, and administrators cannot add hashes to it. Using Live Response to kill the process or delete the file would only work for one endpoint at a time, and it would not prevent the file from running again if it is still present on the endpoint or downloaded from another source. References: Carbon Black Cloud Endpoint Standard - Technical Overview, Add Hash to Banned List, Carbon Black Cloud: How to Add a SHA256 Hash to Approved/Banned List

 According to the VMware Carbon Black Cloud User Guide, the reputation priority is in a descending order with 1 being the highest priority and 11 the lowest priority. The highest priority reputation is Ignore, which is a self-check reputation that Carbon Black Cloud assigns to product files and grants them with full permissions to run. The lowest priority reputation is Unknown, which indicates that Carbon Black Cloud has not yet determined the reputation of the file. References:

• Reputation Assignment - VMware Docs, Reputation Priority table.