Free VMware Carbon Black Portfolio Skills Exam 5V0-91.20 Exam Practice Test

Which strategy should be used to purge inactive bans from the web console?

• Schedule an add-hoc cron job to remove
• Use a pre-configured system cron job daily to remove them
• Run the cbbannlng script on the EDR server
• Go to the hashes page on the web console and remove them

What are the three available methods in VMware Carbon Black App Control by which an endpoint (agent) can be assigned to a specific policy? (Choose three.)

• By pushing the designated GPO script
• Via DASCLI command
• By installing the agent via SCCM
• Manual policy assignment
• By branded/policy-specific installer
• By Active Directory Mapping

An administrator needs to query all endpoints in the HR group for instances of an obfuscated copy of cmd.exe.Given this Enterprise EDR query:process_name:cmd.exe AND device_group:HR AND NOT enriched:trueWhich example could be added to the query to provide the desired results?

• NOT process_name:cmd.exe
• NOT process_original_filename:cmd.exe
• NOT process_company_name:cmd.exe
• NOT process_internal_name:cmd.exe

An analyst has investigated multiple alerts on a number of HR workstations and found that java.exe is attempting to PowerShell. Of the Windows workstations in question, the analyst has also found that Java is installed in multiple locations. The analyst needs to block java.exe from this type of operation.Which rule meets this need?

• **/java.exe ---> Invokes an untrusted process ---> Terminate process
• **/Program Files/*/java.exe---> Invokes an untrusted process ---> Deny operation
• **\Program Files\*\java.exe ---> Invokes a command interpreter ---> Terminate process
• **\java.exe ---> Invokes a command interpreter ---> Deny operation

What does the Aggressive setting do when configured in Local Scan Settings?

• It adds a temporary reputation.
• It scans all files on execution.
• It scans new files on first execution.
• It enables signature updates for the scanner.

Which enforcement level does not block unapproved files but will block files that have been specifically banned?

• Medium Enforcement
• Disabled
• Visibility
• Low Enforcement The protection level applied to computers running the App Control Agent. A range of levels from High (Block Unapproved) to None (Disabled) enable you to specify the level of file blocking required.

A Carbon Black Cloud Endpoint Standard analyst is testing different search operator combinations.Which two queries produce the same result? (Choose two.)

• process_name:chrome.exe OR NOT netconn_domain:google.com
• process_name:chrome.exe OR netconn_domain:google.com
• process_name:chrome.exe AND NOT netconn_domain:google.com
• process_name:chrome.exe netconn_domain:google.com
• process_narne:chrome.exe NOT netconn_domain:google.com

An analyst is investigating an alert within the Enterprise EDR console and needs to take action on it.Which three actions are available to take on the alert? (Choose three.)

• Ignore alert
• Dismiss
• Dismiss on all devices if grouping is enabled
• Edit watchlist
• Save report
• Notifications history

Given an event rule: Approve nVidia Drivers, changes the local state to Approved for file writes or execution blocks when the publisher is NVIDIA Corporation.How is an alert created that is triggered whenever an nVidia driver is approved by the event rule?

• Add a new Alert of type Event Alert. Set Subtype to New unapproved file to computer and Execution block (unapproved file) and Publisher to NVIDIA Corporation. Click Create and add email recipients.
• Click Create Alert on the event rule Approve nVidia Drivers details page. Click Create and add email recipients. Create and Exit.
• Click Create Alert on the event rule Approve nVidia Drivers details page. Add email recipients. Create and Exit.
• Create a custom rule name Approve nVidia that approves writes or blocks when the publisher is NVIDIA Corporation. Create an alert for rule name Approve nVidia. Click Create and add email recipients.

An Enterprise EDR administrator is reviewing the Investigate page and believes they are receiving false positive hits from specific watchlist.Which three options reduce future false positive hits from this watchlist? (Choose three.)

• Disable/remove the IOC associated with the false positives.
• Disable/remove the report associated with the false positives.
• Dismiss the watchlist hit.
• Select edit watchlist and uncheck alert on hits.
• Modify policy rules to exclude the false positive directory.
• Disable the watchlist associated with the false positives.