Pass the VMware VMware Carbon Black Cloud Endpoint Standard Skills 2023 5V0-93.22 Questions and answers with CertsForce

 The VMware Carbon Black Cloud Endpoint Standard allows administrators to add applications to the Approved List, which approves the presence and actions of specified applications on the endpoints. Adding to the Approved List is global in its effects and applies to all policies attached to a particular version of an application. There are two different methods that can be used to add applications to the Approved List: by signing certificate or by application path.

By signing certificate: This method allows administrators to approve files that are signed by a specific certificate authority (CA) or signer. For example, if an administrator wants to approve all files that are signed by Google Inc, they can add the signer name and the CA name to the Approved List. This method is useful for approving files that are frequently updated or have dynamic names or paths. However, administrators should be careful when using wildcards or approving certificates from untrusted sources, as this could lead to incidentally approving malicious software that appears to be signed by a trusted CA or signer.

By application path: This method allows administrators to approve files that are located in a specific path on the endpoint. For example, if an administrator wants to approve a custom application that is installed in C:\Program Files\Custom Application\, they can add the path and the file name to the Approved List. This method is useful for approving files that have a fixed name and location on the endpoint. However, administrators should be aware that this method does not account for new versions of the application, and they should routinely update the Approved List to reflect the changes. Administrators can also use wildcards to target certain files or directories, but they should be as specific as possible to avoid approving unwanted files.

The other options are not valid methods for adding applications to the Approved List. MD5 hash is a method for adding files to the Banned List, which prevents specific files from running on the endpoints by their hash values. Application name is a method for creating permission rules, which allow or deny the presence and actions of an application only on a specific device. IT Tool is not a method, but a category of applications that are recommended to be added to the Approved List, such as software deployment tools, executable installers, IDEs, compilers, or script editors. References: Adding to the Approved List, Endpoint Standard: How to add a Certificate to the Approved List, Endpoint Standard: How to add a SHA256 hash to Approved/Banned List

A leading wildcard is a wildcard that is placed at the beginning of a search term, such as * or ?. A leading wildcard matches any characters that precede the specified term. For example, filemod:/system32/ntdll.dll matches any file modification events that end with /system32/ntdll.dll, regardless of the drive letter or the directory name. A leading wildcard is not recommended unless absolutely necessary because it carries a significant performance penalty for the search. This is because the search engine has to scan the entire index for possible matches, rather than using the index to quickly narrow down the results1.

The other options are not examples of leading wildcards. A. filemod:system32/ntdll.dll is an exact match query that matches only file modification events that are exactly system32/ntdll.dll. B. filemod:system32/ntdll.dll is a trailing wildcard query that matches any file modification events that start with system32/ and end with ntdll.dll, regardless of the characters in between. D. filemod:system32/ntdll.dll is a trailing wildcard query that matches any file modification events that start with system32/ntdll.dll, regardless of the characters that follow. References:

Search Syntax - VMware Docs, Wildcards section.

The security administrator can view the Live Response activities and commands that have been executed while performing a remediation process to the sensors in the Audit Log page in the VMware Carbon Black Cloud Endpoint Standard console. The Audit Log page allows the administrator to review actions performed by Carbon Black Cloud console users, such as logging in, creating policies, banning hashes, isolating devices, and initiating Live Response sessions. The administrator can use various filters and keywords to narrow down the log scope and find the relevant entries. For example, the administrator can use the following keyword to find all the Live Response activities and commands:

live-response

This keyword will return all the log entries that contain the term live-response, which indicates that the action was related to the Live Response feature. The administrator can also use the following fields to refine the search results:

User: The name of the user who performed the action.

Action: The type of action that was performed, such as login, create, update, delete, enable, disable, and so on.

Object: The object that was affected by the action, such as policy, device, hash, and so on.

Date: The date and time range when the action was performed.

The administrator can also modify the level of granularity of the log entries, expand the log scope, limit the log scope to keywords, modify the audit table configuration, and export audit logs to the local machine1.

The other options are incorrect or irrelevant. Users is a page that allows the administrator to manage the users and roles in the Carbon Black Cloud console, not to view the Live Response activities and commands. Notifications is a page that allows the administrator to view and manage the notifications from the Carbon Black Cloud console, such as alerts, recommendations, and messages, not to view the Live Response activities and commands. Inbox is a page that allows the administrator to view and manage the messages from the Carbon Black Cloud console, such as product updates, announcements, and feedback requests, not to view the Live Response activities and commands. References:

Audit Logs - VMware Docs, Overview section.

Placing the device in quarantine is the recommended immediate action to prevent further exfiltration of data by the malware. Quarantine is a feature of VMware Carbon Black Cloud Endpoint Standard that allows you to isolate a device from the network, preventing any communication with other devices or external servers. This can help contain an active threat and prevent further damage. You can quarantine a device from the Devices page or from the Device Summary page. You can also unquarantine a device when the threat is resolved. References:

VMware Carbon Black Cloud Endpoint Standard - On Demand, Module 5: Responding to Threats, Lesson 2: Quarantine a Device, slide 5.

VMware Carbon Black Cloud Endpoint Standard, page 11, Quarantine a Device.

It is possible to search for unsigned files in the VMware Carbon Black Cloud console by using the search query:

NOT process_publisher_state:FILE_SIGNATURE_STATE_SIGNED

This query will return all the processes that have a publisher state other than FILE_SIGNATURE_STATE_SIGNED, which means they are either unsigned or have an invalid signature. The process_publisher_state field is a string that indicates the signature status of the process executable file. The possible values for this field are:

FILE_SIGNATURE_STATE_SIGNED: The file has a valid signature.

FILE_SIGNATURE_STATE_UNSIGNED: The file does not have a signature.

FILE_SIGNATURE_STATE_INVALID: The file has a signature, but it is invalid or corrupted.

FILE_SIGNATURE_STATE_MISSING: The file signature could not be retrieved or verified.

The NOT operator is a Boolean NOT operator that negates the following term or phrase. For example, NOT svchost.exe will return all the processes that are not named svchost.exe.

Therefore, by using the NOT operator with the process_publisher_state field and the value FILE_SIGNATURE_STATE_SIGNED, we can search for unsigned files in the console. References:

Advanced Search Techniques - VMware Docs, Using Regular Expressions (regex) section, NOT Operator subsection.

Carbon Black Cloud: Search for process_publisher_s… - Carbon Black …, The CB sensor now reinspects operating system files that appear unsigned to reverify their digital signature and avoid the tamper blocks section.

The company banned list is a feature of VMware Carbon Black Cloud Endpoint Standard that allows administrators to prevent specific files from running on the endpoints by their hash values. The company banned list has a higher priority than the file reputation, so even if the file is not listed or unknown by Carbon Black, it will be blocked if its hash is in the company banned list. Adding the hash to the company banned list is the most effective and efficient way to prevent the file from executing on the endpoints. The other options are either not feasible or not scalable. Adding the hash to the malware list would not work, because the malware list is a global list maintained by Carbon Black, and administrators cannot add hashes to it. Using Live Response to kill the process or delete the file would only work for one endpoint at a time, and it would not prevent the file from running again if it is still present on the endpoint or downloaded from another source. References: Carbon Black Cloud Endpoint Standard - Technical Overview, Add Hash to Banned List, Carbon Black Cloud: How to Add a SHA256 Hash to Approved/Banned List

This rule will prevent any application that is not listed in the Carbon Black Cloud Endpoint Standard from scraping the memory of another process, which is a common technique used by malware to retrieve credentials from the Local Security Authority Subsystem Service (LSASS). This rule will terminate the process that attempts to perform this operation, thus blocking the credential theft. This rule is more specific and effective than option A, which only applies to unknown applications, or option B, which applies to all executable files regardless of their reputation. Option C is incorrect because it will only deny the operation but not terminate the process, which may allow the malware to continue running and try other methods of credential theft. References: VMware Carbon Black Cloud Endpoint Standard Skills Reference Materials, Module 4: Endpoint Standard Rules, Lesson 2: Rule Types and Actions, slide 12.

The path that meets the criteria for allowing application.exe using wildcards is :\Users*\Temp\Allowed\application.exe. This path specifies that the executable file can run only from inside of the user’s Temp\Allowed directory, regardless of the drive letter or the user name. The wildcards used in this path are:

*: Matches any single character or no character at all. For example, *:\ matches any drive letter, such as C:, D:, or E:.

**: Matches a partial path across all subdirectory levels and is recursive. For example, \Users**\ matches any subdirectory under the Users directory, such as \Users\Lorie, \Users\John, or \Users\Alice\Documents.

The other paths do not meet the criteria for allowing application.exe using wildcards. A. C:\Users?\Temp\Allowed\application.exe does not allow running from any drive other than C:, and it only matches a single character for the user name, which may not be sufficient. B. C:\Users*\Temp\Allowed\application.exe does not allow running from any drive other than C:, and it may match more than one character for the user name, which may not be desired. D. *:\Users*\Temp\Allowed\application.exe allows running from any drive, but it may match more than one character for the user name, which may not be desired. References:

Carbon Black Cloud: How to Use Wildcards in Policy Rules - Carbon Black Community, Wildcard Description table.

The Local White reputation is assigned to files that are either pre-existing on the device before the sensor installation, or signed by a trusted certificate, or created by an IT tool. The file signature is verified by the sensor against a list of trusted certificates that are stored locally on the device. If the file is signed by a certificate that matches one of the trusted certificates, the sensor assigns the Local White reputation to the file. This reputation indicates that the file is trusted and allowed to run on the device. The other options are incorrect because they do not qualify for the Local White reputation. Option A is incorrect because adding a file as an IT tool does not automatically assign it the Local White reputation. The file must also be signed by a trusted certificate or pre-existing on the device. Option C is incorrect because the hash being not on any known good or bad lists is not relevant for the Local White reputation. The file must also be signed by a trusted certificate or pre-existing on the device. Option D is incorrect because the hash being previously analyzed is notrelevant for the Local White reputation. The file must also be signed by a trusted certificate or pre-existing on the device. References: Reputations Assignment for Pre-Existing Files, Reputation Assignment

The pre-requisite step in gathering specific vulnerability data to export it as a CSV file for analysis is A. Perform a custom search on the Endpoint Page. This step allows the security administrator to use advanced search techniques to query the endpoint data collected by the VMware Carbon Black Cloud sensors. The administrator can use various fields and operators to filter and refine the search results, such as process_name, file_name, file_path, file_type, file_description, and more. Theadministrator can also use the process tree view to visualize the process execution and the event details to examine the process activity. After performing the custom search, the administrator can export the data as a CSV file for further analysis by clicking the Export () icon and selecting CSV Report. The CSV file is available for download under the Notifications drop-down menu1.

The other options are not pre-requisite steps in gathering specific vulnerability data to export it as a CSV file for analysis. Accessing the Audit Log content to see associated events is a step that allows the administrator to review actions performed by Carbon Black Cloud console users, such as logging in, creating policies, banning hashes, isolating devices, and initiating Live Response sessions. The Audit Log does not provide specific vulnerability data for the endpoints2. Searching for specific malware by hash or filename is a step that allows the administrator to find and analyze malicious files on the endpoints, but it does not provide comprehensive vulnerability data for the endpoints. Enabling cloud analysis is a step that allows the administrator to upload file metadata and content to the Carbon Black Cloud for reputation and threat intelligence analysis, but it does not provide specific vulnerability data for the endpoints3. References:

Investigate Endpoint Data - VMware Docs, Overview section.

Audit Logs - VMware Docs, Overview section.

Cloud Analysis - VMware Docs, Overview section.