VMware Updated 5V0-93.22 Exam Questions and Answers by finnley

To create a search that excludes “system.exe”, the administrator needs to use the minus sign (-) as a negation operator in the search query. The negation operator excludes any events that match the specified field and value from the search results. For example, the query -process_name:system.exe will return all the events that do not have “system.exe” as the process name. The other options are incorrect because they do not use the negation operator. The hash sign (#) is used to search for exact matches, the asterisk (*) is used as a wildcard character, and the angle brackets (< >) are used to search for ranges of values. References:

• VMware Carbon Black Cloud Endpoint Standard Skills Reference Materials, Module 2: Search, pages 2-5 to 2-6.
• VMware Carbon Black Cloud Endpoint Standard User Guide, Chapter 7: Search, pages 83-84.

The best rule to prevent ransomware that has not been seen before, without blocking other processes, is B. This rule uses the following criteria:

• Not listed application: This means that the application is not known by Carbon Black Cloud Endpoint Standard, and it has no reputation or signature. This can indicate a new or unknown malware that has not been detected by other methods.
• Performs ransomware-like behavior: This means that the application is performing actions that are typical of ransomware, such as encrypting files, deleting backups, or displaying ransom notes. This can indicate a malicious intent and a high risk of data loss or damage.
• Terminate process: This means that the application is stopped and removed from the endpoint, preventing it from completing its malicious actions or spreading to other devices. This can mitigate the impact and severity of the attack.

The other rules are not as effective or appropriate for preventing ransomware that has not been seen before, without blocking other processes. Rule A would only block adware or potentially unwanted programs (PUPs) that scrape memory of another process, which is not necessarily related to ransomware. Rule C would block any unknown malware that runs or is running, which is too broad and could affect legitimate applications that are not listed by Carbon Black. Rule D would block any not listed application that runs or is running, which is also too broad and could affect legitimate applications that are not listed by Carbon Black. References: Carbon Black Cloud Endpoint Standard - Technical Overview, Best Practices: Endpoint Standard Blocking & Isolation Rules, Endpoint Standard: How to add a SHA256 hash to Approved/Banned List

The company banned list is a feature of VMware Carbon Black Cloud Endpoint Standard that allows administrators to prevent specific files from running on the endpoints by their hash values. The company banned list has a higher priority than the file reputation, so even if the file is not listed or unknown by Carbon Black, it will be blocked if its hash is in the company banned list. Adding the hash to the company banned list is the most effective and efficient way to prevent the file from executing on the endpoints. The other options are either not feasible or not scalable. Adding the hash to the malware list would not work, because the malware list is a global list maintained by Carbon Black, and administrators cannot add hashes to it. Using Live Response to kill the process or delete the file would only work for one endpoint at a time, and it would not prevent the file from running again if it is still present on the endpoint or downloaded from another source. References: Carbon Black Cloud Endpoint Standard - Technical Overview, Add Hash to Banned List, Carbon Black Cloud: How to Add a SHA256 Hash to Approved/Banned List

The command detach -q is used to immediately terminate a current Live Response session and return to the Carbon Black Cloud console. This command is useful when the user wants to end the session without waiting for the timeout or the confirmation prompt. The -q option stands for “quiet” and suppresses any output or feedback from the command. References: VMware Carbon Black Cloud Endpoint Standard Skills Reference Materials, Live Response Commands, page 11.