Excellent 5V0-93.22 Updated 2024 Dumps With 100% Exam Passing Guarantee [Q22-Q39]


The VMware 5V0-93.22 exam (VMware Carbon Black Cloud Endpoint Standard Skills) is intended for security professionals who want to demonstrate expertise in endpoint security with VMware Carbon Black Cloud Endpoint Standard. It is aimed at security analysts, engineers, and administrators who operate the product day to day, and at anyone else who wants to validate their endpoint-security skills and knowledge.


NEW QUESTION # 22
An organization has found application.exe running on some machines in their Workstations policy.
Application.exe has a SUSPECT_MALWARE reputation and runs from C:\Program Files\IT\Tools. The Workstations policy has the following rules which could apply:
Blocking and Isolation Rule
Application on the company banned list > Runs or is running > Deny
Known malware > Runs or is running > Deny
Suspect malware > Runs or is running > Terminate
Permissions Rule
C:\Program Files\IT\Tools\* > Performs any operation > Bypass
Which action, if any, should an administrator take to ensure application.exe cannot run?

  • A. No action needs to be taken as the file will be blocked based on reputation alone.
  • B. Change the reputation to KNOWN MALWARE to a higher priority.
  • C. Add the hash to the company banned list at a higher priority.
  • D. Remove the Permissions rule for C:\Program Files\IT\Tools\*.

Answer: D

Explanation:
Permissions rules take precedence over Blocking and Isolation rules. The Permissions rule C:\Program Files\IT\Tools\* > Performs any operation > Bypass therefore wins for anything launched from that folder, including application.exe, and the sensor never applies the reputation-based rules to it. Removing that Permissions rule (option D) lets the Blocking and Isolation rules apply, and Suspect malware > Runs or is running > Terminate then stops application.exe on the strength of its SUSPECT_MALWARE reputation.
The other options do not prevent application.exe from running. Option A is incorrect because the file is not blocked on reputation alone while a Bypass rule covers its path. Options B and C are incorrect because raising the reputation to KNOWN_MALWARE or adding the hash to the company banned list only changes which Blocking and Isolation rule would match; the Permissions rule still bypasses enforcement for that path. Note that a path-based Bypass exempts any file that lands under the matching path, so keep such rules as narrow as possible (a specific executable rather than a wildcard) and confirm that standard users cannot write to the directory. References: Precedence of Policy Rules, Set Permission Policy Rules, Set Blocking and Isolation Policy Rules
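The precedence described above can be replayed offline. The following Python model is an added example, not Carbon Black code and not part of the original page: it encodes the documented ordering (Permissions rules first, a matching Bypass ends evaluation, Blocking and Isolation rules only afterwards) and the path-rule wildcard semantics where ** spans directories and * stays within one path segment. The rule and process shapes, the reputation-name mapping, and the sample process are constructed for the example.

```python
"""Model of how Carbon Black Cloud policy rules combine for a single process.

Added example, not Carbon Black code. It encodes the documented ordering
(Permissions rules are evaluated before Blocking and Isolation rules, and a
matching Bypass exempts the process from the rest) so the question's scenario
can be checked offline. The rule and process shapes, the reputation names and
the sample process are constructed for this example.
"""
import re
from typing import NamedTuple

ANY_OPERATION = "Performs any operation"


class PermissionRule(NamedTuple):
    path_glob: str    # application path rule, e.g. C:\Program Files\IT\Tools\*
    operation: str    # ANY_OPERATION or a specific operation
    action: str       # "Bypass" or "Allow"


class BlockingRule(NamedTuple):
    reputation: str   # rule wording: "Company banned list", "Known malware", ...
    operation: str
    action: str       # "Deny" or "Terminate"


class Process(NamedTuple):
    path: str
    reputation: str   # sensor reputation value, e.g. "SUSPECT_MALWARE"
    operation: str    # the operation being attempted


# Sensor reputation value -> wording used in Blocking and Isolation rules.
# Constructed for the three reputations the question mentions.
REPUTATION_TO_RULE = {
    "COMPANY_BANNED": "Company banned list",
    "KNOWN_MALWARE": "Known malware",
    "SUSPECT_MALWARE": "Suspect malware",
}


def path_pattern(glob):
    """Translate a console-style path rule into a regex.

    '**' matches any characters including path separators; a single '*'
    matches within one path segment only. Matching is case-insensitive, as
    Windows paths are.
    """
    out, i = [], 0
    while i < len(glob):
        if glob.startswith("**", i):
            out.append(".*")
            i += 2
        elif glob[i] == "*":
            out.append(r"[^\\/]*")
            i += 1
        else:
            out.append(re.escape(glob[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$", re.IGNORECASE)


def _operation_applies(rule_operation, attempted):
    return rule_operation == ANY_OPERATION or rule_operation == attempted


def evaluate(proc, permission_rules, blocking_rules):
    """Return the outcome: "Bypass", "Allow", "Deny" or "Terminate".

    1. Permissions rules are checked first; the first match decides.
    2. Only if none matched are Blocking and Isolation rules consulted,
       keyed on the process reputation.
    3. With no match at all the operation is allowed.
    """
    for rule in permission_rules:
        if path_pattern(rule.path_glob).match(proc.path) and _operation_applies(rule.operation, proc.operation):
            return rule.action
    label = REPUTATION_TO_RULE.get(proc.reputation)
    for rule in blocking_rules:
        if rule.reputation == label and _operation_applies(rule.operation, proc.operation):
            return rule.action
    return "Allow"


# The Workstations policy from the question.
WORKSTATIONS_BLOCKING = [
    BlockingRule("Company banned list", "Runs or is running", "Deny"),
    BlockingRule("Known malware", "Runs or is running", "Deny"),
    BlockingRule("Suspect malware", "Runs or is running", "Terminate"),
]
WORKSTATIONS_PERMISSIONS = [
    PermissionRule(r"C:\Program Files\IT\Tools\*", ANY_OPERATION, "Bypass"),
]
APPLICATION_EXE = Process(r"C:\Program Files\IT\Tools\application.exe",
                          "SUSPECT_MALWARE", "Runs or is running")


def outcome_as_configured():
    """Option A: leave the policy alone. The Bypass rule wins."""
    return evaluate(APPLICATION_EXE, WORKSTATIONS_PERMISSIONS, WORKSTATIONS_BLOCKING)


def outcome_with_banned_hash():
    """Option C: ban the hash but keep the Bypass rule. Still bypassed."""
    banned = APPLICATION_EXE._replace(reputation="COMPANY_BANNED")
    return evaluate(banned, WORKSTATIONS_PERMISSIONS, WORKSTATIONS_BLOCKING)


def outcome_without_bypass():
    """Option D: remove the Permissions rule. The Terminate rule now applies."""
    return evaluate(APPLICATION_EXE, [], WORKSTATIONS_BLOCKING)


def outcome_in_subfolder():
    """A single '*' does not reach into Tools\sub, so the Bypass does not apply."""
    nested = APPLICATION_EXE._replace(path=r"C:\Program Files\IT\Tools\sub\application.exe")
    return evaluate(nested, WORKSTATIONS_PERMISSIONS, WORKSTATIONS_BLOCKING)


if __name__ == "__main__":
    print("as configured:      ", outcome_as_configured())
    print("hash banned:        ", outcome_with_banned_hash())
    print("bypass rule removed:", outcome_without_bypass())
    print("copy in subfolder:  ", outcome_in_subfolder())
```

Running it shows the first two cases return Bypass and only removing the Permissions rule yields Terminate; the subfolder case illustrates why the breadth of a path rule (one * versus **) matters when scoping exemptions.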


NEW QUESTION # 23
Which VMware Carbon Black Cloud process is responsible for uploading event reporting to VMware Carbon Black Cloud?

  • A. Sensor Service (RepMgr)
  • B. Scanner Service (scanhost)
  • C. Sensor Service (RepUx)
  • D. Scanner Service (Re

Answer: A

Explanation:
RepMgr is the Carbon Black Cloud sensor service on Windows. It maintains the connection to the cloud back end and uploads the sensor's event reporting. RepUx is the sensor's user-interface component and scanhost is the local scanner; neither is responsible for reporting events to the cloud.


NEW QUESTION # 24
A security administrator needs to review the Live Response activities and commands that have been executed while performing a remediation process to the sensors.
Where can the administrator view this information in the console?

  • A. Audit Log
  • B. Inbox
  • C. Notifications
  • D. Users

Answer: A

Explanation:
Live Response activity is recorded in the Audit Log page of the VMware Carbon Black Cloud console. The Audit Log records actions performed by console users, such as logging in, creating policies, banning hashes, isolating devices, and initiating Live Response sessions and the commands run in them. The administrator can filter by keyword to narrow the log scope; for example, the keyword
live-response
returns the entries whose action relates to the Live Response feature. The results can be refined further with the following fields:
User: the user who performed the action.
Action: the type of action performed, such as login, create, update, delete, enable, or disable.
Object: the object affected by the action, such as a policy, device, or hash.
Date: the date and time range in which the action was performed.
The administrator can also adjust the granularity of the entries, expand or limit the log scope, change the audit table configuration, and export the audit log to the local machine.
The other options are incorrect. Users is the page for managing console users and roles. Notifications is where alerts, recommendations, and messages from the console are viewed and managed. Inbox holds messages from the console such as product updates, announcements, and feedback requests. None of these pages shows Live Response activity. References:
Audit Logs - VMware Docs, Overview section.


NEW QUESTION # 25
Which statement accurately characterizes Alerts that are categorized as a "Threat" versus those categorized as
"Observed"?

  • A. "Threat" indicates a more likely malicious event. "Observed" are less likely to be malicious.
  • B. "Threat" indicates an ongoing attack. "Observed" indicates the attack is over and is being watched.
  • C. "Threat" indicates that no block (Deny or Terminate) has occurred. "Observed" indicates a block.
  • D. "Threat" indicates a block (Deny or Terminate) has occurred. "Observed" indicates that there is no block.

Answer: A


NEW QUESTION # 26
What is a security benefit of VMware Carbon Black Cloud Endpoint Standard?

  • A. Customized threat feeds can be combined with other outside threat intelligence sources.
  • B. Data leakage protection (DLP) is enforced on endpoints or subsets of endpoints.
  • C. Events and alerts are tagged with Carbon Black TTPs to provide context around attacks.
  • D. Firewall rule configuration are provided in the environment.

Answer: C


NEW QUESTION # 28
A security administrator is tasked to enable Live Response on all endpoints in a specific policy.
What is the correct path to configure the required sensor policy setting?

  • A. Policies > Enforce > Policy > Sensor
  • B. Enforce > Policy > Policies > Sensor
  • C. Enforce > Policies > Policy > Sensor
  • D. Policies > Policy > Sensor > Enforce

Answer: C

Explanation:
The correct path is Enforce > Policies > Policy > Sensor. In the console the administrator opens Enforce > Policies, selects the policy group, clicks the Sensor tab, selects or clears the Enable Live Response check box, and clicks Save. The setting then applies to every endpoint assigned to that policy group. The other options do not match the navigation path in the console. References: Use Live Response, Use Live Response for VM Workloads


NEW QUESTION # 29
An administrator wants to prevent malicious code that has not been seen before from retrieving credentials from the Local Security Authority Subsystem Service, without blocking otherwise good applications.
Which rule should be used?

  • A. [**/*.exe] [Scrapes memory of another process] [Terminate process]
  • B. [Not listed application] [Scrapes memory of another process] [Terminate process]
  • C. [Unknown application] [Retrieves credentials] [Terminate process]
  • D. [**\lsass.exe] [Scrapes memory of another process] [Deny operation]

Answer: B


NEW QUESTION # 30
An administrator needs to create a search, but it must exclude "system.exe".
How should this task be completed?

  • A. #process_name:system.exe
  • B. <process_name:system.exe>
  • C. -process_name:system.exe
  • D. *process_name:system.exe

Answer: C

Explanation:
A leading minus sign (-) negates a search term, excluding every event that matches the field and value that follow it. The query -process_name:system.exe therefore returns all events whose process name is not system.exe, and it can be combined with other terms to exclude a process from an otherwise positive search. The other options are not negation syntax in the Carbon Black Cloud search language: the asterisk (*) is the wildcard character, and neither the hash sign (#) nor angle brackets (< >) act as an exclusion operator. References:
VMware Carbon Black Cloud Endpoint Standard Skills Reference Materials, Module 2: Search, pages 2-5 to 2-6.
VMware Carbon Black Cloud Endpoint Standard User Guide, Chapter 7: Search, pages 83-84.
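To make the negation semantics concrete, here is an added Python example (not Carbon Black code and not from the original page) that implements just the pieces named in the explanation: field:value terms ANDed together, a leading - for negation, and * as a wildcard. The sample events are constructed, the field names mirror common console fields, and the console's real search language supports far more than this evaluator.

```python
"""Minimal evaluator for Carbon Black Cloud style search terms.

Added example, not Carbon Black code. It implements only field:value terms
ANDed together, a leading '-' for negation and '*' as a wildcard, so the
effect of -process_name:system.exe can be seen on a constructed set of
process events. The console search language supports far more than this.
"""
import re
from fnmatch import fnmatchcase

# Constructed sample events; none were captured from a real sensor.
EVENTS = [
    {"process_name": "system.exe", "device_name": "WS-01", "parent_name": "services.exe"},
    {"process_name": "excel.exe", "device_name": "WS-01", "parent_name": "explorer.exe"},
    {"process_name": "powershell.exe", "device_name": "WS-02", "parent_name": "excel.exe"},
    {"process_name": "system.exe", "device_name": "WS-02", "parent_name": "services.exe"},
]

# One term: optional '-' prefix, a field name, a colon, then the value pattern.
TERM = re.compile(r"^(-?)([a-z_]+):(\S+)$")


def parse_query(query):
    """Split a query into (negated, field, pattern) triples.

    Anything that is not a bare field:value term (for example the '#',
    '<...>' and '*' prefixes offered as distractors in the question) is
    rejected instead of being silently folded into the value.
    """
    terms = []
    for token in query.split():
        m = TERM.match(token)
        if not m:
            raise ValueError(f"unsupported search term: {token!r}")
        negated, field, pattern = m.groups()
        terms.append((negated == "-", field, pattern))
    return terms


def matches(event, terms):
    """All terms must hold: a positive term must match the event's field
    value and a negated term must not. Matching is case-insensitive and
    honours '*' wildcards in the value."""
    for negated, field, pattern in terms:
        value = str(event.get(field, ""))
        hit = fnmatchcase(value.lower(), pattern.lower())
        if hit == negated:
            return False
    return True


def search(query, events=EVENTS):
    """Return the events selected by query, preserving their order."""
    terms = parse_query(query)
    return [e for e in events if matches(e, terms)]


def process_names(query, events=EVENTS):
    """Convenience view of search results as a list of process names."""
    return [e["process_name"] for e in search(query, events)]


if __name__ == "__main__":
    print(process_names("-process_name:system.exe"))
    print(process_names("-process_name:system.exe device_name:ws-02"))
    print(process_names("parent_name:excel.exe"))
```

The first call drops both system.exe events and keeps the rest; the second shows the negation composing with a positive term on another field, which is the usual way an analyst removes a noisy process from an investigation without losing the surrounding activity.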


NEW QUESTION # 31
A script-based attack has been identified that inflicted damage to the corporate systems. The security administrator found out that the malware was coded into Excel VBA and would like to perform a search to further inspect the incident.
Where in the VMware Carbon Black Cloud Endpoint Standard console can this action be completed?

  • A. Alerts
  • B. Endpoints
  • C. Investigate
  • D. Settings

Answer: C

Explanation:
The Investigate page is where the administrator searches the endpoint data collected by the VMware Carbon Black Cloud sensors. It supports field-based search terms such as process_name, file_name, file_path, file_type, and file_description, a process tree view for visualizing process execution, and event details for examining process activity. For example, the following query returns the processes whose file type is Excel VBA:
file_type:EXCEL_VBA
The file_type field is a string that classifies the file by its content and format. The possible values for this field are:
EXE: Executable file
DLL: Dynamic-link library file
SYS: System file
BAT: Batch file
CMD: Command file
VBS: Visual Basic Script file
JS: JavaScript file
PS1: PowerShell Script file
HTA: HTML Application file
MSI: Windows Installer file
DOC: Microsoft Word document file
XLS: Microsoft Excel spreadsheet file
PPT: Microsoft PowerPoint presentation file
PDF: Portable Document Format file
SWF: Shockwave Flash file
JAR: Java Archive file
CLASS: Java class file
PY: Python script file
SH: Shell script file
PL: Perl script file
RB: Ruby script file
PHP: PHP script file
ASP: Active Server Pages file
ASPX: Active Server Pages Extended file
HTML: HyperText Markup Language file
XML: Extensible Markup Language file
DOCM: Microsoft Word document with macros file
XLAM: Microsoft Excel add-in with macros file
XLSM: Microsoft Excel spreadsheet with macros file
XLTM: Microsoft Excel template with macros file
PPTM: Microsoft PowerPoint presentation with macros file
POTM: Microsoft PowerPoint template with macros file
PPAM: Microsoft PowerPoint add-in with macros file
EXCEL_VBA: Excel Visual Basic for Applications file
WORD_VBA: Word Visual Basic for Applications file
POWERPOINT_VBA: PowerPoint Visual Basic for Applications file
OUTLOOK_VBA: Outlook Visual Basic for Applications file
ACCESS_VBA: Access Visual Basic for Applications file
PROJECT_VBA: Project Visual Basic for Applications file
VISIO_VBA: Visio Visual Basic for Applications file
PUBLISHER_VBA: Publisher Visual Basic for Applications file
INFOPATH_VBA: InfoPath Visual Basic for Applications file
ONENOTE_VBA: OneNote Visual Basic for Applications file
UNKNOWN: Unknown file type
Therefore, by using the Investigate page in the VMware Carbon Black Cloud Endpoint Standard console, the security administrator can perform a search to further inspect the script-based attack that was coded into Excel VBA. References:
Investigate Endpoint Data - VMware Docs, Overview section.
Advanced Search Techniques - VMware Docs, Using Fields section, file_type subsection.


NEW QUESTION # 32
An administrator wants to prevent ransomware that has not been seen before, without blocking other processes.
Which rule should be used?

  • A. [Not listed application] [Performs ransomware-like behavior] [Terminate process]
  • B. [Adware or PUP] [Scrapes memory of another process] [Deny operation]
  • C. [Unknown malware] [Runs or is running] [Terminate process]
  • D. [Not listed application] [Runs or is running] [Terminate process]

Answer: A


NEW QUESTION # 33
An administrator wants to prevent a spreadsheet from being misused to run malicious code, while minimizing the risk of breaking normal operations of a spreadsheet.
Which rule should be used?

  • A. **\Microsoft Office\** [Runs external code] [Terminate process]
  • B. **\excel.exe [Runs malware] [Deny operation]
  • C. **\excel.exe [Invokes a command interpreter] [Deny operation]
  • D. **/Microsoft Excel.app/** [Communicates over the network] [Terminate process]

Answer: C


NEW QUESTION # 34
A VMware Carbon Black managed endpoint is showing up as an inactive device in the console.
What is the threshold, in days, before a machine shows as inactive?

  • A. 7 days
  • B. 90 days
  • C. 60 days
  • D. 30 days

Answer: D


NEW QUESTION # 35
What connectivity is required for VMware Carbon Black Cloud Endpoint Standard to perform Sensor Certificate Validation?

  • A. TCP/443 to GoDaddy CRL URL (crl.godaddy.com and ocsp.godaddy.com)
  • B. TCP/443 to GoDaddy OCSP and CRL URLs (crl.godaddy.com and ocsp.godaddy.com)
  • C. TCP/80 to GoDaddy CRL URL (crl.godaddy.com and ocsp.godaddy.com)
  • D. TCP/80 to GoDaddy OCSP and CRL URLs (crl.godaddy.com and ocsp.godaddy.com)

Answer: B

Explanation:
Sensor Certificate Validation lets the sensor verify the authenticity and validity of the certificates presented by the Carbon Black Cloud services, which hardens the sensor-to-cloud channel against a forged or revoked certificate. The certificates are issued by GoDaddy, so the sensor must be able to reach both the GoDaddy OCSP responder (ocsp.godaddy.com) and the CRL distribution point (crl.godaddy.com); the expected answer is TCP/443 to both URLs. Options A and C name only the CRL URL, and options C and D use TCP/80 rather than the port the exam expects.
One caveat for the practitioner: OCSP responders and CRL distribution points are conventionally served over plain HTTP on TCP/80, so that a revocation check does not itself depend on the certificate chain being checked. Confirm the exact hosts and ports against the current sensor firewall documentation for your sensor version, and allow them explicitly in any egress proxy before enabling the feature fleet-wide. References:
VMware Carbon Black Cloud Endpoint Standard Skills Reference Materials, Module 1: Introduction, page 1-8.
VMware Carbon Black Cloud Endpoint Standard User Guide, Chapter 2: Sensor Installation, page 17.


NEW QUESTION # 36
Which command is used to immediately terminate a current Live Response session?

  • A. delete
  • B. kill
  • C. detach -q
  • D. execfg

Answer: C


NEW QUESTION # 37
Which port does the VMware Carbon Black sensor use to communicate to VMware Carbon Black Cloud?

  • A. 0
  • B. 1
  • C. 2
  • D. 3

Answer: B


NEW QUESTION # 38
An administrator has configured a terminate rule to prevent an application from running. The administrator wants to confirm that the new rule would have prevented a previous execution that had been observed.
Which feature should the administrator leverage for this purpose?

  • A. Utilize the Test rule link from within the rule.
  • B. Setup a notification based on a policy action, and then select Terminate.
  • C. Configure the rule to deny operation of the process.
  • D. Configure the rule to terminate the process.

Answer: A

