Exam4Training

VMware 5V0-91.20 VMware Carbon Black Portfolio Skills Online Training

Question #1

An administrator wants to query the status of the firewall for all endpoints. The administrator will query the registry key found at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile.

To make the results easier to understand, the administrator wants to return either enabled or disabled for the results, rather than the value from the registry key.

Which SQL statement will rewrite the output based on a specific result set returned from the system?

  • A . CASE
  • B . AS
  • C . ALTER
  • D . SELECT

Correct Answer: A

Explanation:

Reference: https://www.carbonblack.com/blog/8-live-queries-that-will-speed-up-your-next-pci-audit/
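
Worked example (added here; not code from the page or from Carbon Black). Live Query runs osquery, whose SQL dialect is SQLite's, so the CASE statement the answer refers to can be tried offline against an in-memory SQLite table that uses the registry table's column names. The rows are constructed for the example; the query is generalised from the question's StandardProfile to all three Windows Firewall profiles, and the profile labels ('domain', 'private', 'public') are the example's own naming.

```python
import sqlite3

# Live Query runs osquery, whose SQL dialect is SQLite's, so the statement below
# can be tried against an in-memory SQLite table with the registry table's
# column names. The rows are constructed for this example, not read from a host.
FIREWALL_POLICY = (
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"
    r"\Parameters\FirewallPolicy"
)

SAMPLE_REGISTRY_ROWS = [
    # (key, path, name, type, data): osquery stores `data` as TEXT, hence '1' not 1
    (FIREWALL_POLICY + r"\DomainProfile",   FIREWALL_POLICY + r"\DomainProfile\EnableFirewall",   "EnableFirewall", "REG_DWORD", "1"),
    (FIREWALL_POLICY + r"\StandardProfile", FIREWALL_POLICY + r"\StandardProfile\EnableFirewall", "EnableFirewall", "REG_DWORD", "0"),
    (FIREWALL_POLICY + r"\PublicProfile",   FIREWALL_POLICY + r"\PublicProfile\EnableFirewall",   "EnableFirewall", "REG_DWORD", "1"),
    # an unrelated value under the same key, kept out by the `name` filter
    (FIREWALL_POLICY + r"\StandardProfile", FIREWALL_POLICY + r"\StandardProfile\DisableNotifications", "DisableNotifications", "REG_DWORD", "0"),
]

# CASE rewrites the raw DWORD into a word, and a second CASE labels the profile.
# The key filter is generalised from the question's StandardProfile to all three
# Windows Firewall profiles; drop the wildcard to query only StandardProfile.
FIREWALL_STATUS_QUERY = r"""
SELECT
  CASE
    WHEN key LIKE '%\DomainProfile'   THEN 'domain'
    WHEN key LIKE '%\StandardProfile' THEN 'private'
    WHEN key LIKE '%\PublicProfile'   THEN 'public'
  END AS profile,
  CASE data WHEN '1' THEN 'enabled' ELSE 'disabled' END AS firewall
FROM registry
WHERE key LIKE 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\%Profile'
  AND name = 'EnableFirewall'
ORDER BY profile;
"""


def firewall_status(rows=SAMPLE_REGISTRY_ROWS):
    """Load the rows into a registry-shaped table and return {profile: 'enabled'|'disabled'}."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE registry (key TEXT, path TEXT, name TEXT, type TEXT, data TEXT)")
    con.executemany("INSERT INTO registry VALUES (?, ?, ?, ?, ?)", rows)
    result = {profile: firewall for profile, firewall in con.execute(FIREWALL_STATUS_QUERY)}
    con.close()
    return result


if __name__ == "__main__":
    for profile, firewall in firewall_status().items():
        print(f"{profile:8} {firewall}")
```

Two checks a practitioner would add before trusting the answer: osquery returns `data` as text, so compare against '1' rather than the integer 1; and when Group Policy manages the firewall, the policy-supplied value under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\<Profile>\EnableFirewall takes precedence over the SharedAccess key, so a query that reads only SharedAccess can report "disabled" on a host whose firewall is actually enforced by policy.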

Question #2

An analyst navigates to the alerts page in Endpoint Standard and sees the following:

What does the yellow color represent on the left side of the row?

  • A . It is an alert from a watchlist rather than the analytics engine.
  • B . It is a threat alert and warrants immediate investigation.
  • C . It is an observed alert and may indicate suspicious behavior.
  • D . It is a dismissed alert within the user interface.

Correct Answer: A
Question #3

An Enterprise EDR administrator sees the process in the graphic on the Investigate page but does not see an alert for this process:

How can the administrator generate an alert for future hits against this watchlist?

  • A . select the watchlist on the watchlists page, select the Scheduled Task Created report, and use Take Action to select Alert on hit for the report.
  • B . Select the watchlist on the watchlists page, select the Scheduled Task Created report, and use Take Action to toggle Alert on hit to On.
  • C . Select the watchlist on the watchlists page and click on Alerts: Off to toggle the alerts to On.
  • D . Select the watchlist on the watchlists page, use Take Action to select Edit, and select Alert on hit.

Correct Answer: D
Question #4

An administrator runs multiple queries on tables and combines the results after the fact to correlate data. The administrator needs to combine rows from multiple tables based on data from a related column in each table.

Which SQL statement should be used to achieve this goal?

  • A . JOIN
  • B . WHERE
  • C . AS
  • D . COMBINE

Correct Answer: A
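
Worked example (added here; not code from the page or from Carbon Black). It shows the JOIN the answer names, run offline in SQLite (osquery's dialect) over constructed rows shaped like three tables Live Query exposes: processes, users and listening_ports. Only the columns the query touches are modelled, and the pids, ports and names are made up.

```python
import sqlite3

# Constructed rows shaped like three osquery tables that Live Query exposes:
# processes(pid, name, uid), users(uid, username), listening_ports(pid, port,
# protocol, address). Only the columns the query touches are modelled.
SAMPLE_PROCESSES = [
    (4242, "sshd", 0),
    (5150, "nc", 1001),
    (7001, "updater", 9999),       # uid with no row in users
]
SAMPLE_USERS = [(0, "root"), (1001, "jdoe")]
SAMPLE_LISTENING_PORTS = [
    (4242, 22, 6, "0.0.0.0"),
    (5150, 4444, 6, "0.0.0.0"),
    (7001, 8080, 6, "127.0.0.1"),
    (7001, 0, 17, "0.0.0.0"),      # unbound UDP socket, port 0: filtered by WHERE
    (9999, 31337, 6, "0.0.0.0"),   # pid no longer in processes: dropped by the inner JOIN
]

# JOIN matches rows across tables on the related column (pid, then uid). The
# inner JOIN on processes drops listeners whose process has exited; the LEFT
# JOIN on users keeps a listener even when its uid cannot be resolved. osquery
# reports protocol as the IP protocol number, so CASE turns 6/17 into tcp/udp.
LISTENERS_QUERY = """
SELECT lp.port,
       CASE lp.protocol WHEN 6 THEN 'tcp' WHEN 17 THEN 'udp' ELSE lp.protocol END AS proto,
       lp.address, p.pid, p.name, u.username
FROM listening_ports AS lp
JOIN processes AS p ON p.pid = lp.pid
LEFT JOIN users AS u ON u.uid = p.uid
WHERE lp.port != 0
ORDER BY lp.port;
"""


def listeners(processes=SAMPLE_PROCESSES, users=SAMPLE_USERS, ports=SAMPLE_LISTENING_PORTS):
    """Return (port, proto, address, pid, name, username) for every bound listener."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE processes (pid INTEGER, name TEXT, uid INTEGER)")
    con.execute("CREATE TABLE users (uid INTEGER, username TEXT)")
    con.execute("CREATE TABLE listening_ports (pid INTEGER, port INTEGER, protocol INTEGER, address TEXT)")
    con.executemany("INSERT INTO processes VALUES (?, ?, ?)", processes)
    con.executemany("INSERT INTO users VALUES (?, ?)", users)
    con.executemany("INSERT INTO listening_ports VALUES (?, ?, ?, ?)", ports)
    rows = con.execute(LISTENERS_QUERY).fetchall()
    con.close()
    return rows


if __name__ == "__main__":
    for row in listeners():
        print(row)
```

The JOIN runs on each endpoint against that endpoint's tables, which is what removes the "combine after the fact" step within a host. Correlating one host's listener with another host's process is still a post-processing job on the collected results, and the choice between JOIN and LEFT JOIN decides whether a row with no partner (an exited pid, an unknown uid) disappears or survives with NULLs; for a listener inventory you usually want the unresolved user kept, not silently dropped.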
Question #5

An administrator wants to allow files to run from a network share.

Which rule type should the administrator configure?

  • A . Execute Prompt (Shared Path)
  • B . Trusted Path
  • C . Network Execute (Allow)
  • D . Write Approve (Network)

Correct Answer: A
Question #6

What are the three available methods in VMware Carbon Black App Control by which an endpoint (agent) can be assigned to a specific policy? (Choose three.)

  • A . By pushing the designated GPO script
  • B . Via DASCLI command
  • C . By installing the agent via SCCM
  • D . Manual policy assignment
  • E . By branded/policy-specific installer
  • F . By Active Directory Mapping

Correct Answer: C,D,F
Question #7

Which Live Query statement is properly constructed?

  • A . SELECT * FROM ‘users’
  • B . select * from *:
  • C . select from users;
  • D . SELECT * FROM users;

Correct Answer: D
Question #8

An administrator has configured a policy to run a standard background scan.

How long does this one-time scan take to complete on endpoints assigned to that policy?

  • A . 180 days
  • B . 30 days
  • C . 3-5 days
  • D . 1 day

Correct Answer: B
Question #9

An analyst is investigating an alert within the Enterprise EDR console and needs to take action on it.

Which three actions are available to take on the alert? (Choose three.)

  • A . Ignore alert
  • B . Dismiss
  • C . Dismiss on all devices if grouping is enabled
  • D . Edit watchlist
  • E . Save report
  • F . Notifications history

Correct Answer: B,C,E

Explanation:

Reference: https://community.carbonblack.com/t5/Knowledge-Base/Carbon-Black-Cloud-How-to-Dismiss-Alerts/ta-p/51766

Question #10

Review this EDR query:

childproc_name:whoami.exe AND childproc_name:hostname.exe AND childproc_name:tasklist.exe AND childproc_name:ipconfig.exe

Which process would show in the query results?

  • A . Any process invoked by whoami.exe, hostname.exe, tasklist.exe, and ipconfig.exe
  • B . Any process invoked by whoami.exe, hostname.exe, tasklist.exe, or ipconfig.exe
  • C . Any process invoking whoami.exe, hostname.exe, tasklist.exe, or ipconfig.exe
  • D . Any process invoking whoami.exe, hostname.exe, tasklist.exe, and ipconfig.exe

Correct Answer: D

Question #11

An administrator is searching for any child processes of email clients with this query in Carbon Black Enterprise EDR:

parent_name:outlook.exe OR parent_name:thunderbird.exe OR parent_name:eudora.exe

The administrator would like to modify this query to only show child processes that do not have a known reputation in the Carbon Black Cloud.

Which search field can be added to the query to show the desired results?

  • A . process_integrity_level
  • B . process_reputation
  • C . process_privileges
  • D . process_cloud_reputation

Correct Answer: B
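
Worked example for Questions #10 and #11 (added here; this is a toy evaluator written for the page, not Carbon Black's search engine or its documented syntax). It applies the semantics the two answers rely on: every AND term must hold on the same process document, a multi-valued field such as childproc_name matches when any of its values equals the term, and process_reputation is a scalar field on the document. The process records, the reputation values and the NOT / AND / OR precedence (AND binds tighter than OR, as in the toy's grammar) are the example's own assumptions.

```python
import re
from typing import Callable

# One process "document" per process, the way the page's EDR examples treat it:
# scalar fields (process_name, parent_name, process_reputation) plus a
# multi-valued childproc_name holding every child the process spawned.
# All records below are constructed for this example.
SAMPLE_PROCESSES = [
    {"process_name": "cmd.exe", "parent_name": "explorer.exe",
     "process_reputation": "TRUSTED_WHITE_LIST",
     "childproc_name": ["whoami.exe", "hostname.exe", "tasklist.exe", "ipconfig.exe"]},
    {"process_name": "powershell.exe", "parent_name": "outlook.exe",
     "process_reputation": "NOT_LISTED",
     "childproc_name": ["whoami.exe", "ipconfig.exe"]},
    {"process_name": "winword.exe", "parent_name": "outlook.exe",
     "process_reputation": "TRUSTED_WHITE_LIST", "childproc_name": []},
    {"process_name": "dropper.exe", "parent_name": "thunderbird.exe",
     "process_reputation": "NOT_LISTED", "childproc_name": []},
]

RECON_CHAIN = ("childproc_name:whoami.exe AND childproc_name:hostname.exe "
               "AND childproc_name:tasklist.exe AND childproc_name:ipconfig.exe")
RECON_ANY = ("childproc_name:whoami.exe OR childproc_name:hostname.exe "
             "OR childproc_name:tasklist.exe OR childproc_name:ipconfig.exe")
UNKNOWN_MAIL_CHILDREN = ("(parent_name:outlook.exe OR parent_name:thunderbird.exe "
                         "OR parent_name:eudora.exe) AND process_reputation:NOT_LISTED")
# Same terms without the parentheses: in this toy, AND binds tighter than OR.
UNPARENTHESIZED = ("parent_name:outlook.exe OR parent_name:thunderbird.exe "
                   "OR parent_name:eudora.exe AND process_reputation:NOT_LISTED")


def _term_matches(doc: dict, field: str, value: str) -> bool:
    """field:value holds if the field equals value; a list-valued field matches on any element."""
    present = doc.get(field)
    if isinstance(present, list):
        return any(v.lower() == value.lower() for v in present)
    return present is not None and str(present).lower() == value.lower()


def compile_query(query: str) -> Callable[[dict], bool]:
    """Recursive-descent compiler for field:value terms joined by NOT / AND / OR and parentheses."""
    tokens = re.findall(r"\(|\)|[^\s()]+", query)
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        pos += 1
        return tokens[pos - 1]

    def parse_or():                       # lowest precedence
        left = parse_and()
        while peek() == "OR":
            take()
            left = (lambda l, r: lambda d: l(d) or r(d))(left, parse_and())
        return left

    def parse_and():                      # binds tighter than OR
        left = parse_unary()
        while peek() == "AND":
            take()
            left = (lambda l, r: lambda d: l(d) and r(d))(left, parse_unary())
        return left

    def parse_unary():
        tok = take()
        if tok == "NOT":
            inner = parse_unary()
            return lambda d: not inner(d)
        if tok == "(":
            inner = parse_or()
            if take() != ")":
                raise ValueError("unbalanced parenthesis")
            return inner
        if ":" not in tok:
            raise ValueError(f"expected field:value, got {tok!r}")
        field, value = tok.split(":", 1)
        return lambda d, f=field, v=value: _term_matches(d, f, v)

    predicate = parse_or()
    if pos != len(tokens):
        raise ValueError("unexpected trailing tokens")
    return predicate


def search(query: str, docs=SAMPLE_PROCESSES) -> list:
    """Return the process_name of every document the query matches, in input order."""
    predicate = compile_query(query)
    return [doc["process_name"] for doc in docs if predicate(doc)]


if __name__ == "__main__":
    for label, query in [("recon chain (AND)", RECON_CHAIN), ("recon any (OR)", RECON_ANY),
                         ("unknown mail children", UNKNOWN_MAIL_CHILDREN),
                         ("unparenthesized", UNPARENTHESIZED)]:
        print(f"{label:24} {search(query)}")
```

The AND form returns only cmd.exe, the process that launched all four recon tools; powershell.exe, which launched two of them, appears only under the OR form, which is the distinction Question #10 tests. For Question #11, the last constant shows why the OR group should be parenthesised before appending AND process_reputation:NOT_LISTED: without the parentheses the toy attaches the reputation filter to the eudora term alone and a trusted Outlook child (winword.exe) comes back. Whatever precedence the real engine applies, parenthesising the group is the habit that keeps the query meaning what you read.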
Question #12

An analyst is reviewing an alert in Enterprise EDR from a custom watchlist. The analyst disagrees with the alert severity rating.

How can the analyst change the alert severity value, if this is possible?

  • A . The alert severity is assigned by the backend analytics.
  • B . The alert severity is not configurable.
  • C . Change the alert severity on the watchlist.
  • D . Change the alert severity on the report.

Correct Answer: C
Question #13

How long will Live Queries in Carbon Black Audit and Remediation run before timing out?

  • A . 30 days
  • B . 14 days
  • C . 180 days
  • D . 7 days

Correct Answer: D
Question #14

Which reputation is processed with the lowest priority for Endpoint Standard?

  • A . Local White
  • B . Known Malware
  • C . Trusted White
  • D . Common White

Correct Answer: B
Question #15

Which value should an administrator use when reviewing an alert to determine the file reputation at the time the event occurred?

  • A . Cloud Reputation (Initial)
  • B . Effective Reputation
  • C . Local Reputation
  • D . Cloud Reputation (Current)

Correct Answer: A
Question #16

App Control System Health email alerts for excessive agent backlog are occurring hourly. This is overwhelming the analysts, and they would like to reduce the notifications.

How can the analyst reduce the unneeded alerts?

  • A . Set the email address for subscribers to an invalid email.
  • B . Change reminder email to daily or disabled.
  • C . Disable the alert.
  • D . Delete the alert.

Correct Answer: B
Question #17

Which statement filters data to only return rows where the publisher of the software includes VMware anywhere in the name?

  • A . WHERE publisher = "%VMware%"
  • B . WHERE publisher = "%VMware"
  • C . WHERE publisher LIKE "VMware%"
  • D . WHERE publisher LIKE "%VMware%"

Correct Answer: D
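
Worked example (added here; not code from the page or from Carbon Black). It runs all four candidate predicates, plus two extra ones, in SQLite (osquery's dialect) over constructed rows shaped like osquery's programs table, so the difference between = and LIKE and the meaning of the % and _ wildcards can be seen on real output. The program and publisher strings are made up for the example.

```python
import sqlite3

# Constructed rows shaped like osquery's `programs` table (name, version,
# publisher). Publishers are chosen to show where each predicate matches.
SAMPLE_PROGRAMS = [
    ("VMware Tools", "12.1.0", "VMware, Inc."),
    ("Carbon Black Sensor", "3.9.1", "VMware Carbon Black"),
    ("Example Plugin", "2.0", "Acme (a VMware partner)"),
    ("vmware-cli", "1.0", "vmware inc"),
    ("Notepad++", "8.5", "Notepad++ Team"),
]

# '=' compares the whole string literally, so '%' in its operand is just a
# percent sign. LIKE treats '%' as "any run of characters" and '_' as "any one
# character"; in SQLite (and therefore osquery) LIKE is case-insensitive for ASCII.
QUERIES = {
    "eq_wrapped":      "SELECT name FROM programs WHERE publisher = '%VMware%' ORDER BY name",
    "eq_exact":        "SELECT name FROM programs WHERE publisher = 'VMware, Inc.' ORDER BY name",
    "like_prefix":     "SELECT name FROM programs WHERE publisher LIKE 'VMware%' ORDER BY name",
    "like_anywhere":   "SELECT name FROM programs WHERE publisher LIKE '%VMware%' ORDER BY name",
    # '_' silently matches the space in "vmware inc": an accidental wildcard
    "like_underscore": "SELECT name FROM programs WHERE publisher LIKE 'vmware_inc' ORDER BY name",
}


def program_names(query, rows=SAMPLE_PROGRAMS):
    """Run one fixed query from QUERIES against the sample table and return the matching names."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE programs (name TEXT, version TEXT, publisher TEXT)")
    con.executemany("INSERT INTO programs VALUES (?, ?, ?)", rows)
    names = [name for (name,) in con.execute(query)]
    con.close()
    return names


def compare_predicates():
    """Map each predicate label to the program names it returns."""
    return {label: program_names(query) for label, query in QUERIES.items()}


if __name__ == "__main__":
    for label, names in compare_predicates().items():
        print(f"{label:16} {names}")
```

Two things the output makes concrete: the = forms return nothing because no publisher is literally the string %VMware%, and LIKE 'VMware%' misses a publisher that merely mentions VMware mid-string, which is why option D is the one that matches "anywhere in the name". The last query is the caveat: an underscore in a LIKE pattern is a one-character wildcard, so a literal underscore in a vendor or product name needs an ESCAPE clause, and since LIKE is case-insensitive here, a lower-case "vmware" is matched too, which is usually what an audit wants but is worth knowing when the filter is meant to be strict.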
Question #18

A company wants to implement the strictest security controls for computers on which the software seldom changes (i.e., servers or single-purpose systems).

Which Enforcement Level is the most fitting?

  • A . Low Enforcement
  • B . Medium Enforcement
  • C . High Enforcement
  • D . None (Visibility)

Correct Answer: C
Question #19

Review this result after executing a query in the Process Search page, noting the circled black dot:

What is the meaning of the black dot shown under Tags?

  • A . The execution of the process resulted in watchlist hits.
  • B . The events for the process were tagged in an investigation.
  • C . The events for the process were also sent to the Syslog Server.
  • D . The execution of the process resulted in feed hits.

Correct Answer: D
Question #20

How often do watchlists run?

  • A . Every 10 minutes
  • B . Every 5 minutes
  • C . Watchlists can be configured to run at scheduled intervals
  • D . Every 30 minutes

Correct Answer: C

Question #21

Which ID in Endpoint Standard is associated with one specific action, involves up to three different hashes (Parent, Process, Target), and occurs on a single device at a specific time?

  • A . Threat ID
  • B . Process ID
  • C . Alert ID
  • D . Event ID

Correct Answer: D
Question #22

There is a requirement to block ransomware when a sensor is offline.

Which blocking and isolation rule fulfills this requirement?

  • A . Known Malware -> Performs ransomware-like behavior -> Terminate process
  • B . Not Listed Application -> Performs ransomware-like behavior -> Deny operation
  • C . Suspect Malware -> Performs ransomware-like behavior -> Deny operation
  • D . Unknown Application -> Performs ransomware-like behavior -> Terminate process

Correct Answer: A
Question #23

Carbon Black App Control maintains an inventory of all interesting (executable) files on endpoints where the agent is installed.

What is the initial inventory procedure called, and how can this process be triggered?

  • A . Inventorying; enable Discovery mode
  • B . Baselining; install the agent
  • C . Discovery; place agent into Disabled mode
  • D . Initialization; move agent out of Disabled mode

Correct Answer: A
Question #24

Review the following query:

path:c:\program files (x86)\microsoft

How would this query input term be interpreted?

  • A . c:\program files x86\microsoft
  • B . c:rogram files (x86)icrosoft
  • C . c:rogramfilesx86icrosoft
  • D . c:\program files (x86)\microsoft

Correct Answer: D
Question #25

Which action is only available for the “Performs any operation” and “Performs any API Operation” operation attempts?

  • A . Bypass
  • B . Allow & Log
  • C . Runs or is Running
  • D . Allow

Correct Answer: A

Explanation:

Reference: https://community.carbonblack.com/gbouw27325/attachments/gbouw27325/product-docs-news/1413/3/cbd-userguide.pdf (90)

Question #26

An incorrectly constructed watchlist generates 10,000 incorrect alerts.

How should an administrator resolve this issue?

  • A . Delete the watchlist to automatically clear the alerts, and then create a new watchlist with the correct criteria.
  • B . From the Triage Alerts Page, use the facets to select the watchlist, click the Wrench button to “Mark all as Resolved False Positive”, and then update the watchlist with the correct criteria.
  • C . Update the Triage Alerts Page to show 200 alerts, click the Select All Checkbox, click the “Dismiss Alert(s)” button for each page, and then update the watchlist with the correct criteria.
  • D . From the Watchlists Page, select the offending watchlist, click “Clear Alerts” from the Action menu, and then update the watchlist with the correct criteria.

Correct Answer: B
Question #27

A process has created a number of interesting (executable) files in one sequence.

In addition to the event Subtype ‘New Unapproved File to Computer’, what other event subtype is likely to be associated with this sequence?

  • A . File Upload Completed
  • B . New File Discovered on Startup
  • C . File Group Created
  • D . File Properties Modified

Correct Answer: B
Question #28

Why would a sensor have a status of "Inactive"?

  • A . The sensor has not checked in within the last 30 days.
  • B . The sensor has been uninstalled from the endpoint for more than 30 days.
  • C . The device has been put in bypass for the last 30 days.
  • D . The sensor has been in disabled mode for more than 30 days.

Correct Answer: A
Question #29

An Endpoint Standard analyst runs the query in the graphic below:

Which three statements are true from the results shown? (Choose three.)

  • A . The process is a PowerShell process running a script with a .ps1 extension.
  • B . The process has a threat score greater than 4.
  • C . The process made a network connection to another system.
  • D . The process had a NOT_LISTED reputation at the time the event occurred.
  • E . The process was run under the NT AUTHORITY\SYSTEM user context.
  • F . The process was able to inject code into another process.

Correct Answer: A,D,F
Question #30

A process wrote an executable file as detailed in the following event:

Which rule type should be used to ensure that files of the same name and path, written by that process in the future, will not be blocked when they execute?

  • A . Trusted Path
  • B . File Creation Control
  • C . Advanced (Write-Ignore)
  • D . Trusted Publisher

Correct Answer: B

Question #31

What is the meaning, if any, of the event Report write (removable media)?

  • A . This event would never occur. App Control does not report activity on removable media.
  • B . A Policy’s device control setting ‘Block writes to unapproved removable media’ is set to Report Only. The event details show the process, file name, and hash modified or deleted on the removable media.
  • C . A Policy’s device control setting ‘Block writes to unapproved removable media’ is set to Report Only. The event details show the process and file name modified or deleted on the unapproved removable media.
  • D . A Policy’s device control setting ‘Block writes to unapproved removable media’ is set to Enabled. The event details show the process, file name, and hash modified or deleted on the removable media.

Correct Answer: C
Question #32

Which statement is true when searching through the EDR server UI?

  • A . The backslash is the character to escape characters.
  • B . Whitespaces between search terms imply the OR operator.
  • C . The percent symbol % is the character to represent a wildcard.
  • D . The exclamation point ! is the character to represent negation.

Correct Answer: C
Question #33

An organization leverages a commonly used software distribution tool to manage deployment of enterprise software and updates. Custom rules are a suitable option to ensure the approval of files delivered by this tool.

Which other trust mechanism could the organization configure for large-scale approval of these files?

  • A . Windows Update
  • B . Trusted Distributor
  • C . Local Approval Mode
  • D . Rapid Config

Correct Answer: C

Explanation:

Reference: https://uit.stanford.edu/service/cbprotect/approval-mechanisms

Question #34

An administrator receives an alert with the TTP DATA_TO_ENCRYPTION.

What is known about the alert based on this TTP even if other parts of the alert are unknown?

  • A . A process attempted to delete encrypted data on the disk.
  • B . A process attempted to write a file to the disk.
  • C . A process attempted to modify a monitored file written by the sensor.
  • D . A process attempted to transfer encrypted data on the disk over the network.

Correct Answer: B
Question #35

An administrator wants to find instances where the binary is unsigned.

Which term will accomplish this search?

  • A . NOT process_publisher:FILE_SIGNATURE_STATE_SIGNED
  • B . NOT process_publisher_state:FILE_SIGNATURE_STATE_SIGNED
  • C . process_publisher_state:FILE_SIGNATURE_STATE_NOT_SIGNED
  • D . process_publisher:FILE_SIGNATURE_STATE_NOT_SIGNED

Correct Answer: B
Question #36

A Carbon Black administrator received an alert for an untrusted hash executing in the environment.

Which two information items are found in the alert pane? (Choose two.)

  • A . Launch Live Query
  • B . Launch process analysis
  • C . User quarantine
  • D . Add hash to banned list
  • E . IOC short name

Correct Answer: A,B
Question #37

What is the maximum number of binaries (hashes) that can be banned using the web console?

  • A . 500
  • B . 600
  • C . 300
  • D . 400

Correct Answer: C
Question #38

Refer to the exhibit:

Which two logic statements correctly explain filtering within the UI? (Choose two.)

  • A . Filtering between fields is a logical OR
  • B . Filtering within the same field is a logical AND
  • C . Filtering between fields is a logical AND
  • D . Filtering between fields is a logical XOR
  • E . Filtering within the same field is a logical OR

Correct Answer: A,D
Question #39

When executing a program in App Control, the notification message informs the user that the file is not approved with an option to request approval.

Which Enforcement level is currently enacted?

  • A . High
  • B . Low
  • C . Medium
  • D . Default

Correct Answer: D
Question #40

An alert for a device running a proprietary application is tied to a vital business operation.

Which action is appropriate to take?

  • A . Add the application to the Approved List.
  • B . Terminate the process.
  • C . Deny the operation.
  • D . Quarantine the device.

Correct Answer: A