VMware Carbon Black Portfolio Skills 5V0-91.20 Exam Questions

Passing the VMware Carbon Black Portfolio Skills (5V0-91.20) exam leads to the VMware Carbon Black EndPoint Protection 2021 certification. It is a 60-item exam with a passing score of 300 using a scaled method, and the exam time is 150 minutes. PassQuestion provides the latest 5V0-91.20 Exam Questions with verified answers to help you pass your VMware 5V0-91.20 exam easily. You can get a PDF and free software to study; the following are some free questions online for you to check.

Test Online VMware 5V0-91.20 Free Questions

1. An administrator wants to query the status of the firewall for all endpoints. The administrator will query the registry key found here: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy


To make the results easier to understand, the administrator wants to return either enabled or disabled for the results, rather than the value from the registry key.

Which SQL statement will rewrite the output based on a specific result set returned from the system?


2. An analyst navigates to the alerts page in Endpoint Standard and sees the following:

What does the yellow color represent on the left side of the row?


3. An Enterprise EDR administrator sees the process in the graphic on the Investigate page but does not see an alert for this process:

How can the administrator generate an alert for future hits against this watchlist?


4. An administrator runs multiple queries on tables and combines the results after the fact to correlate data. The administrator needs to combine rows from multiple tables based on data from a related column in each table.

Which SQL statement should be used to achieve this goal?


5. An administrator wants to allow files to run from a network share.

Which rule type should the administrator configure?


6. What are the three available methods in VMware Carbon Black App Control by which an endpoint (agent) can be assigned to a specific policy? (Choose three.)


7. Which Live Query statement is properly constructed?


8. An administrator has configured a policy to run a standard background scan.

How long does this one-time scan take to complete on endpoints assigned to that policy?


9. An analyst is investigating an alert within the Enterprise EDR console and needs to take action on it.

Which three actions are available to take on the alert? (Choose three.)


10. Review this EDR query:

childproc_name:whoami.exe AND childproc_name:hostname.exe AND childproc_name:tasklist.exe AND childproc_name:ipconfig.exe

Which process would show in the query results?


11. An administrator is searching for any child processes of email clients with this query in Carbon Black Enterprise EDR:

parent_name:outlook.exe OR parent_name:thunderbird.exe OR parent_name:eudora.exe

The administrator would like to modify this query to only show child processes that do not have a known reputation in the Carbon Black Cloud.

Which search field can be added to the query to show the desired results?


12. An analyst is reviewing an alert in Enterprise EDR from a custom watchlist. The analyst disagrees with the alert severity rating.

How can the analyst change the alert severity value, if this is possible?


13. How long will Live Queries in Carbon Black Audit and Remediation run before timing out?


14. Which reputation is processed with the lowest priority for Endpoint Standard?


15. Which value should an administrator use when reviewing an alert to determine the file reputation at the time the event occurred?


16. App Control System Health email alerts for excessive agent backlog are occurring hourly. This is overwhelming the analysts, and they would like to reduce the notifications.

How can the analyst reduce the unneeded alerts?


17. Which statement filters data to only return rows where the publisher of the software includes VMware anywhere in the name?


18. A company wants to implement the strictest security controls for computers on which the software seldom changes (i.e., servers or single-purpose systems).

Which Enforcement Level is the most fitting?


19. Review this result after executing a query in the Process Search page, noting the circled black dot:

What is the meaning of the black dot shown under Tags?


20. How often do watchlists run?


21. Which ID in Endpoint Standard is associated with one specific action, involves up to three different hashes (Parent, Process, Target), and occurs on a single device at a specific time?


22. There is a requirement to block ransomware when a sensor is offline.

Which blocking and isolation rule fulfills this requirement?


23. Carbon Black App Control maintains an inventory of all interesting (executable) files on endpoints where the agent is installed.

What is the initial inventory procedure called, and how can this process be triggered?


24. Review the following query:

path:c:\program files (x86)\microsoft

How would this query input term be interpreted?


25. Which action is only available for the “Performs any operation” and “Performs any API Operation” operation attempts?


26. An incorrectly constructed watchlist generates 10,000 incorrect alerts.

How should an administrator resolve this issue?


27. A process has created a number of interesting (executable) files in one sequence.

In addition to the event Subtype ‘New Unapproved File to Computer’, what other event subtype is likely to be associated with this sequence?



28. Why would a sensor have a status of "Inactive"?


29. An Endpoint Standard analyst runs the query in the graphic below:

Which three statements are true from the results shown? (Choose three.)


30. A process wrote an executable file as detailed in the following event:

Which rule type should be used to ensure that files of the same name and path, written by that process in the future, will not be blocked when they execute?


31. What is the meaning, if any, of the event Report write (removable media)?


32. Which statement is true when searching through the EDR server UI?


33. An organization leverages a commonly used software distribution tool to manage deployment of enterprise software and updates. Custom rules are a suitable option to ensure the approval of files delivered by this tool.

Which other trust mechanism could the organization configure for large-scale approval of these files?


34. An administrator receives an alert with the TTP DATA_TO_ENCRYPTION.

What is known about the alert based on this TTP even if other parts of the alert are unknown?


35. An administrator wants to find instances where the binary is unsigned.

Which term will accomplish this search?


36. A Carbon Black administrator received an alert for an untrusted hash executing in the environment.

Which two information items are found in the alert pane? (Choose two.)


37. What is the maximum number of binaries (hashes) that can be banned using the web console?


38. Refer to the exhibit:

Which two logic statements correctly explain filtering within the UI? (Choose two.)


39. When executing a program in App Control, the notification message informs the user that the file is not approved with an option to request approval.

Which Enforcement level is currently enacted?


40. An alert for a device running a proprietary application is tied to a vital business operation.

Which action is appropriate to take?

