5V0-91.20 Exam Questions
116 real 5V0-91.20 exam questions with expert-verified answers and explanations. Page 1 of 3.
- Question #1
An Endpoint Standard administrator is working with an IT team to explicitly permit specific applications from the environment using both the IT Tools and Certs Approved List featur...
- Question #2
Which strategy should be used to purge inactive bans from the web console?
- Question #3
An administrator runs the following query in Audit and Remediation: SELECT * FROM users WHERE UID >= 500; How long will this query stay active and accept data from the sensors?
- Question #4
After an emergency, what does the Restore computer button do on the App Control Home page?
- Question #5
What occurs when an administrator selects "Enable private logging level" in Sensor Settings under Policy?
- Question #6
The security operations group is complaining that they are getting multiple App Control alerts for specific malicious files after they have banned the file. Which step is necessary...
- Question #7
Review this result after executing a query in the Process Search page, noting the circled black dot: What is the meaning of the black dot shown under Tags?
- Question #8
While an administrator is reviewing an alert, the device is observed beaconing to an unknown destination. Which action should be taken to stop this behavior?
- Question #9
A process is writing numerous interesting files that never actually execute. Which rule type can the administrator define that will prevent reporting these file creations?
- Question #10
When executing a program in App Control, the notification message informs the user that the file is not approved with an option to request approval. Which enforcement level is curr...
- Question #11
Given the following query SELECT hostname, cpu_type, cpu_brand, cpu_physical_cores, cpu_logical_cores, cpu_microcode, (1.0 * physical_memory / (1000*1000*1000)) AS physical_mem_gb,...
- Question #12
Which two statements are true about Carbon Black alerts? (Choose two.)
- Question #13
Why would a sensor have a status of "Inactive"?
- Question #14
Which statement is true when searching through the EDR server UI?
- Question #15
Which ID in Endpoint Standard is associated with one specific action, involves up to three different hashes (Parent, Process, Target), and occurs on a single device at a specifi...
- Question #16
An analyst is investigating an alert within Enterprise EDR. The alert is tied to an unusual process name. When navigating to the binary details page for the binary used in the aler...
- Question #17
What are the three available methods in VMware Carbon Black App Control by which an endpoint (agent) can be assigned to a specific policy? (Choose three.)
- Question #18
Review the following EDR query: parent_name:outlook.exe AND -alliance_score_srstrust:* AND -digsig_result: "Signed" Which process would show in the query results?
- Question #19
Review the following EDR query: (parent_name:powershell.exe OR parent_name:cmd.exe) AND netconn_count [] TO *] Which process would show in the query results?
- Question #20
An administrator viewed and filtered the results of a completed query within the User Interface for Audit and Remediation. The administrator exported the results to create charts a...
- Question #21
An analyst is investigating an alert within Enterprise EDR on the process analysis page. The process tree can be seen below: Which statement accurately characterizes this situation...
- Question #22
When dismissing alerts, when should an administrator select 'If alert occurs in the future, automatically dismiss it from all devices'?
- Question #23
Which value should an administrator use when reviewing an alert to determine the file reputation at the time the event occurred?
- Question #24
There is a requirement to block ransomware when a sensor is offline. Which blocking and isolation rule fulfills this requirement?
- Question #25
An active compromise is detected on an endpoint. Due to current policies, the compromise was detected but not terminated. What would be an appropriate action to end the current com...
- Question #26
How is a new Alert of type Event Alert created to trigger whenever an endpoint is added or deleted and send emails to the App Control admin whenever these events occur?
- Question #27
An administrator is reviewing an alert about a known and required application in the environment. The application has been given the reputation of PUP, with the alert reason being...
- Question #28
How long will Live Queries in Carbon Black Audit and Remediation run before timing out?
- Question #29
Which Live Query statement is properly constructed?
- Question #30
A watchlist generates a false positive on the Triage Alerts page, so the watchlist must be updated. How should this task be accomplished?
- Question #31
Refer to the exhibit. Which statement is true in regards to communication between the sensor and server?
- Question #32
An administrator runs multiple queries on tables and combines the results after the fact to correlate data. The administrator needs to combine rows from multiple tables based on da...
- Question #33
An administrator wants to find instances where the binary is unsigned. Which term will accomplish this search?
- Question #34
An administrator has configured a policy to run a standard background scan. How long does this one-time scan take to complete on endpoints assigned to that policy?
- Question #35
Which strategy is used to create an exclusion in Endpoint Standard for another AV/security product?
- Question #36
An administrator is interested in upgrading endpoints to the latest release in VMware Carbon Black App Control (v8.1.4+). Which is the first step to make a new agent available for...
- Question #37
Which statement correctly defines the results of ignoring a feed report?
- Question #38
An administrator is searching for any child processes of email clients with this query in Carbon Black Enterprise EDR: parent_name:outlook.exe OR parent_name:thunderbird.exe OR par...
- Question #39
A process has created a number of interesting (executable) files in one sequence. In addition to the event subtype 'New Unapproved File to Computer', what other event subtype is li...
- Question #40
An administrator is troubleshooting App Control agent issues. When navigating to the Computer Details page, the administrator sees the following: What is the status of the WINDOWS-...
- Question #41
There is a need to ignore all activity at an application path. Which rule definition should be used to address this need?
- Question #42
An analyst is investigating an alert within the Enterprise EDR console and needs to take action on it. Which three actions are available to take on the alert? (Choose three.)
- Question #43
An administrator needs to manage a group of sensors from within the console. Which three actions are available for sensors within the Sensor Group? (Choose three.)
- Question #44
An analyst has investigated two alerts on two separate HR workstations and found that notepad.exe has established communication to another IP address. Which rule will kill notepad....
- Question #45
A Carbon Black administrator received an alert for an untrusted hash executing in the environment. Which two information items are found in the alert pane? (Choose two.)
- Question #46
An administrator observes the following event detail in the Investigate tab for an application with an unknown reputation making network connections: Process name: tutor.exe Proces...
- Question #47
In which two ways can the tamper protection on an App Control agent be disabled when diagnosing agent issues or removing the agent? (Choose two.)
- Question #48
Which Sensor Status under Endpoint Health indicates that a system's policy enforcement is disabled, and the sensor is not sending security event data to the cloud?
- Question #49
An Enterprise EDR administrator has created a custom Watchlist and wants to add a custom query to a report in the custom Watchlist. From which page can the administrator add this c...
- Question #50
A security policy states to enable Live Response by default across the enterprise. However, the team identified critical systems which should not support Live Response due to risk....