Free Practice Questions for VMware 5V0-93.22 Exam

According to the VMware Carbon Black Cloud Endpoint Standard Skills Reference Materials, alerts are categorized as either “Threat” or “Observed” based on the severity and confidence of the event. “Threat” alerts indicate a high-severity and high-confidence event that is more likely to be malicious, such as a ransomware attack, a credential theft, or a network beacon. “Observed” alerts indicate a low-severity and low-confidence event that is less likely to be malicious, such as a suspicious registry modification, a fileless script execution, or a process injection. The categorization of alerts helps analysts prioritize their investigations and responses. References: VMware Carbon Black Cloud Endpoint Standard Skills Reference Materials, page 14, section 2.3.1. Alert Categories. [Link]

 Live Response is a tool that allows administrators to remotely access and remediate endpoints in real time. With Live Response, administrators can block a new malicious process by killing it, deleting its files, and removing any persistence mechanisms. Live Response can also be used to collect forensic data, run scripts, and perform other actions on the endpoints. References: VMware Carbon Black Cloud Endpoint Standard Skills Reference Materials, Section 5.3: Live Response. [Link]

The company banned list is a feature of VMware Carbon Black Cloud Endpoint Standard that allows administrators to prevent specific files from running on the endpoints by their hash values. The company banned list has a higher priority than the file reputation, so even if the file is not listed or unknown by Carbon Black, it will be blocked if its hash is in the company banned list. Adding the hash to the company banned list is the most effective and efficient way to prevent the file from executing on the endpoints. The other options are either not feasible or not scalable. Adding the hash to the malware list would not work, because the malware list is a global list maintained by Carbon Black, and administrators cannot add hashes to it. Using Live Response to kill the process or delete the file would only work for one endpoint at a time, and it would not prevent the file from running again if it is still present on the endpoint or downloaded from another source. References: Carbon Black Cloud Endpoint Standard - Technical Overview, Add Hash to Banned List, Carbon Black Cloud: How to Add a SHA256 Hash to Approved/Banned List

According to the VMware Carbon Black Cloud Endpoint Standard User Guide, the Sensor Service (RepMqr) is the process that is responsible for uploading event reporting to VMware Carbon Black Cloud. The Sensor Service (RepMqr) is one of the components of the VMware Carbon Black Cloud sensor, which is the software agent that runs on the endpoints and collects and sends data to the VMware Carbon Black Cloud console. The Sensor Service (RepMqr) is responsible for the following tasks:

Collecting and compressing endpoint events

Sending endpoint events to the VMware Carbon Black Cloud console

Receiving and applying policy updates from the VMware Carbon Black Cloud console

Performing actions requested by the VMware Carbon Black Cloud console, such as quarantine, unquarantine, or bypass

The other processes are not responsible for uploading event reporting to VMware Carbon Black Cloud. The Sensor Service (RepUx) is the process that is responsible for uploading file metadata and content to VMware Carbon Black Cloud. The Scanner Service (scanhost) is the process that is responsible for scanning the endpoint for malicious files and activity. The Scanner Service (Re) is the process that is responsible for scanning the endpoint for reputation information. References:

VMware Carbon Black Cloud Endpoint Standard User Guide, page 7, Sensor Components section, Sensor Service (RepMqr) subsection.

 A Watchlist is a collection of queries that run against the data in the VMware Carbon Black Cloud Endpoint Standard. Watchlists enable administrators to monitor the activity of endpoints for specific Tactics, Techniques, or Procedures (TTPs) that are of interest. Administrators can configure alerts for Watchlist hits, which will notify them when a particular TTP is observed on a managed endpoint. Alerts for Watchlist hits can be sent via email, syslog, or webhook. References:

VMware Carbon Black Cloud Endpoint Standard Skills Reference Materials, Module 3: Threat Hunting, Lesson 3.2: Watchlists, page 3-10

VMware Carbon Black Cloud Endpoint Standard User Guide, Chapter 7: Watchlists, page 115-116

The best way to proactively know that something may get blocked when putting a policy rule in the environment is to search the data using the test rule functionality in the VMware Carbon Black Cloud Endpoint Standard console. The test rule functionality allows the administrator to test a new rule’s settings before applying it in the environment. The system checks to see how the rule would have affected the organization over the last 30 days and displays the number of devices and events that would have been impacted by the rule. The administrator can use this data to confirm or modify the settings and avoid unnecessary blocks or false positives. The test rule functionality is available for both permission rules and blocking and isolation rules12.

The other options are not recommended or feasible for obtaining this information. Examining log files to see what would be impacted is not a reliable or efficient method, as it would require manually reviewing a large amount of data and correlating it with the rule settings. Putting the rules in and seeing what happens to the endpoints is a risky and reactive approach, as it could cause disruption or damage to the endpoints and the network. Determining what would happen based on previously used antivirus software is not a valid or accurate method, as different antivirus software may have different detection and prevention capabilities and configurations. References:

Set Permission Policy Rules - VMware Docs, Procedure section, step 7.

Set Blocking and Isolation Policy Rules - VMware Docs, Procedure section, step 7.

These components can provide more information about the suspicious running process and its behavior, such as:

Event details: This component shows the details of the event that triggered the alert, such as the device name, the device time, the process name, the process path, the process ID, the operation type, the operation result, the registry key, the registry value, and the registry data. The event details can help the security administrator to identify the source and the target of the registry modification attempt, and to verify if the operation was successful or not.

Command lines: This component shows the command lines that were executed by the process or its parent process, such as the arguments, the parameters, the switches, and the environment variables. The command lines can help the security administrator to understand the purpose and the context of the process execution, and to detect any malicious or anomalous commands or scripts.

TTPs involved: This component shows the tactics, techniques, and procedures (TTPs) that were involved in the event, based on the MITRE ATT&CK framework. The TTPs can help the security administrator to assess the severity and the impact of the event, and to correlate the event with other related events or indicators of compromise.

The other components are not as useful or relevant for investigating the alert. A. Device ID and priority score are components that provide general information about the device and the alert, but they do not provide specific details about the suspicious running process or its behavior. C. Network connections and child path are components that show the network activity and the child processes of the suspicious running process, but they do not show the registry modification attempt or its result. D. File reputation and timestamp are components that show the reputation and the time of the file associated with the suspicious running process, but they do not show the command lines orthe TTPs involved in the event. References: VMware Carbon Black Cloud Endpoint Standard Skills Reference Materials, Section 2.3.2: Investigate Alerts, Page 16.

The correct statement regarding Blocking/Isolation rules and Permission rules is D. Blocking & Isolation rules are overridden by Permission Rules. This means that if a file or process matches both a Blocking/Isolation rule and a Permission rule, the action specified by the Permission rule will take precedence over the action specified by the Blocking/Isolation rule. For example, if a file has a reputation of SUSPECT_MALWARE and a Blocking/Isolation rule is set to terminate any SUSPECT_MALWARE file that runs, but a Permission rule is set to allow and log any file that runs from a specific path, the file will be allowed and logged if it runs from that path, regardless of its reputation. Permission rules are useful for tuning the behavior of VMware Carbon Black Cloud Endpoint Standard and preventing false positives or unnecessary blocks1.

The other statements are false or irrelevant. Blocking & Isolation rules are not overridden by Upload Rules. Upload Rules are rules that specify which files and metadata are uploaded to the Carbon Black Cloud for analysis and reputation. Upload Rules do not affect the prevention or detection capabilities of VMware Carbon Black Cloud Endpoint Standard2. Permission Rules are not overridden by Blocking & Isolation rules. As explained above, Permission Rules have a higher priority than Blocking & Isolation rules and can override their actions. Upload Rules are not overridden by Blocking & Isolation rules. Upload Rules and Blocking & Isolation rules are independent of each other and do not affect each other’s functionality. References:

Prevention Policy Settings - VMware Docs, Permissions section, Action subsection.

Upload Rules - VMware Docs, Overview section.

 The Investigate page in the VMware Carbon Black Cloud Endpoint Standard console is where the security administrator can perform a search to further inspect the script-based attack that was coded into Excel VBA. The Investigate page allows the administrator to use advanced search techniques to query the endpoint data collected by the VMware Carbon Black Cloud sensors. The administrator can use various fields and operators to filter and refine the search results, such as process_name, file_name, file_path, file_type, file_description, and more. The administrator can also use the processtree view to visualize the process execution and the event details to examine the process activity. For example, the administrator can use the following search query to find all the processes that have a file type of Excel VBA:

file_type:EXCEL_VBA

This query will return all the processes that have a file type of EXCEL_VBA, which is a file type that indicates the file contains Excel VBA code. The file_type field is a string that indicates the type of the file based on its content and format. The possible values for this field are:

EXE: Executable file

DLL: Dynamic-link library file

SYS: System file

BAT: Batch file

CMD: Command file

VBS: Visual Basic Script file

JS: JavaScript file

PS1: PowerShell Script file

HTA: HTML Application file

MSI: Windows Installer file

DOC: Microsoft Word document file

XLS: Microsoft Excel spreadsheet file

PPT: Microsoft PowerPoint presentation file

PDF: Portable Document Format file

SWF: Shockwave Flash file

JAR: Java Archive file

CLASS: Java class file

PY: Python script file

SH: Shell script file

PL: Perl script file

RB: Ruby script file

PHP: PHP script file

ASP: Active Server Pages file

ASPX: Active Server Pages Extended file

HTML: HyperText Markup Language file

XML: Extensible Markup Language file

DOCM: Microsoft Word document with macros file

XLAM: Microsoft Excel add-in with macros file

XLSM: Microsoft Excel spreadsheet with macros file

XLTM: Microsoft Excel template with macros file

PPTM: Microsoft PowerPoint presentation with macros file

POTM: Microsoft PowerPoint template with macros file

PPAM: Microsoft PowerPoint add-in with macros file

EXCEL_VBA: Excel Visual Basic for Applications file

WORD_VBA: Word Visual Basic for Applications file

POWERPOINT_VBA: PowerPoint Visual Basic for Applications file

OUTLOOK_VBA: Outlook Visual Basic for Applications file

ACCESS_VBA: Access Visual Basic for Applications file

PROJECT_VBA: Project Visual Basic for Applications file

VISIO_VBA: Visio Visual Basic for Applications file

PUBLISHER_VBA: Publisher Visual Basic for Applications file

INFOPATH_VBA: InfoPath Visual Basic for Applications file

ONENOTE_VBA: OneNote Visual Basic for Applications file

UNKNOWN: Unknown file type

Therefore, by using the Investigate page in the VMware Carbon Black Cloud Endpoint Standard console, the security administrator can perform a search to further inspect the script-based attack that was coded into Excel VBA. References:

Investigate Endpoint Data - VMware Docs, Overview section.

Advanced Search Techniques - VMware Docs, Using Fields section, file_type subsection.