Free Practice Questions for CrowdStrike CCFA-200b Exam

The correct setting is Uninstall and Maintenance Protection . In Falcon, this control is configured inside Sensor Update Policies and is specifically designed to prevent unauthorized sensor removal or maintenance operations. The official guidance states that the “Uninstall and maintenance protection” setting prevents unauthorized uninstallation of the sensor and controls whether a local administrator can manually update or uninstall the sensor. When enabled, uninstalling, repairing, unloading, downgrading, or manually upgrading the sensor requires a valid maintenance token. For supported Windows sensor versions, this protection can also prevent unauthorized modification of sensor grouping tags, which helps stop users from moving endpoints into less restrictive policy assignments. The course guide recommends keeping this setting enabled for normal production policies and creating a separate temporary maintenance policy only when legitimate sensor changes are required. “Installation and Maintenance Protection,” “Sensor Version Control Protection,” and “Update and Management Protection” are not the official Falcon setting names. Reference topics: Sensor Deployment, Sensor Update Policies, Maintenance Tokens, Uninstall Protection.

The correct method is to use IOC Management , add the hashes as custom IOCs, set the action to Block , and ensure the applicable prevention policy has Custom Blocking enabled under Execution Blocking. Hash-based blocking is an IOC Management function. Prevention policies do not create “IOC Policies” in the way the distractors describe; instead, prevention policies must include the setting that enforces custom blocking. Setting hashes to Block without enabling the relevant policy capability may fail to enforce the intended behavior on hosts. The CCFA rule configuration and policy application topics emphasize that IOC Management defines the custom indicators and actions, while prevention policy settings determine whether those actions are enforced on endpoints.

In addition to host group assignment, prevention policies can have Custom IOA Rule Groups assigned to them. This is how custom IOA rules become active for hosts covered by a prevention policy. Host groups determine which endpoints receive the policy, while assigned Custom IOA Rule Groups determine which custom behavioral detections are included in that policy. Operating System Groups and Machine Learning Groups are not assignable group objects in this context. Custom IOC Groups are not the policy-assignment mechanism described here; custom IOCs are managed through IOC Management with actions such as detect, allow, or block. The CCFA rule configuration model requires administrators to understand that custom IOA rule groups are attached to prevention policies before they can trigger detections.

The Machine-Learning Prevention report is used to evaluate what Falcon would have blocked under different machine-learning prevention levels. The official reporting guidance describes Machine Learning Prevention as a report that lets administrators “view malware that would have been blocked in your environment during the last 30 days based on different Machine Learning Prevention settings,” including Cautious, Moderate, or Aggressive levels. This makes option C the precise answer. The report is not the quarantine management dashboard; quarantined files are reviewed and released from the Quarantined Files area. It is also not primarily a spike-analysis dashboard for active attacks, although unusual volume may support investigation. Option D is close in theme but inaccurate because the purpose is not to summarize aggressiveness settings and actual quarantine totals; it is to model prevention impact across ML settings. Reference topics: Dashboards and Reports, Machine Learning Prevention report, prevention policy tuning, ML prevention levels.

A custom IOA rule is not fully functional until its rule group is assigned to a prevention policy . Custom IOAs are created inside rule groups, and those groups must be enabled. However, Falcon applies custom IOA rule groups to endpoints through prevention policies. If the rule and rule group are enabled but not assigned to a prevention policy that applies to the target hosts, the rule will not trigger detections. There is no requirement to manually trigger the rule, and hosts are not individually selected as the primary application method. Host targeting occurs through prevention policy assignment to host groups. The CCFA guide explicitly states that rule and group enablement alone is insufficient without prevention policy assignment.

On Microsoft Windows, the supported command to verify that the Falcon Sensor is running is sc.exe query csagent. This command queries the Windows service control manager for the Falcon sensor service driver named csagent. When the sensor is running correctly, the output shows SERVICE_NAME: csagent and a running state, specifically STATE : 4 RUNNING. This is the direct operational validation method documented for Windows sensor troubleshooting. cswindiag.exe is used to collect diagnostic information, but it is not the standard command for confirming the running state of the sensor. netstat.exe -f displays network connections and DNS names, not Falcon sensor service status. sc.exe query falcon is incorrect because the Windows service name is not falcon; it is csagent. Reference topics: Windows Sensor Deployment, Verify Sensor Status, Sensor Troubleshooting, Host Setup and Management.

Prevention policies are assigned through host group membership. Falcon uses host groups as the scalable policy-targeting mechanism for prevention, sensor update, response, containment-adjacent workflows, and other policy families. Administrators assign one or more host groups to a policy; hosts inherit the applicable policy according to group membership and policy precedence. Direct per-host policy assignment is not the normal Falcon model because it does not scale and bypasses group-based governance. IP ranges can be used as dynamic group criteria in some contexts, but the policy itself is still assigned to a host group, not directly to the IP range. Manual configuration on each endpoint is not used for Falcon cloud-managed prevention policy enforcement.

A sensor with no applicable custom host group assignment receives the Default policy . Sensor update policies follow the same basic host group and precedence pattern used throughout Falcon policy management. If a host is included in a group assigned to a higher-precedence sensor update policy, that policy applies. If it does not match any assigned custom policy, Falcon falls back to the default sensor update policy. The top-precedence policy only applies when the host belongs to a host group assigned to that policy. Auto N-1 is a possible version-selection strategy within a policy, not the automatic fallback policy assignment. This is why the course emphasizes reviewing default policy settings carefully before broad deployment.

Custom IOA rules are designed to detect behavior, not simply static files. Falcon’s core prevention model distinguishes between Indicators of Compromise, which are often file/hash/domain/IP based, and Indicators of Attack, which describe behavioral patterns associated with suspicious or malicious activity. Custom IOAs allow administrators to define organization-specific behavioral detections, such as process creation, file creation, network connection, or command-line behavior. They are especially useful when the activity may not be universally malicious but is unwanted or suspicious in a specific environment. Blocking known malware is more closely aligned with IOC management or machine-learning prevention. System updates and network settings are unrelated to custom IOA rule intent. The course guide describes custom IOAs as a way to gain visibility into activity Falcon does not otherwise detect and optionally block or kill that behavior.

The correct action is to temporarily disable detections for the server in Host Management and re-enable them after the penetration test is complete. Falcon’s Disable Detections function is specifically useful for test hosts when administrators want to prevent test detections from cluttering the Endpoint detections console. When detections are disabled, detections for that host are removed from the console immediately, and no new detections from that host display until detections are enabled again. This does not uninstall the sensor, and the sensor continues to operate normally with prevention policies, custom IOA rules, exclusion rules, and other controls still processed. Creating a workflow to email the SOC would increase noise rather than reduce it. Permanently disabling detections creates unnecessary long-term blind spots. Deleting detections and containing the server is also inappropriate because the activity is authorized testing, not necessarily an incident requiring containment. Reference topics: Host Management, Disable Detections, endpoint detection suppression, penetration test handling.