5V0-91.20 Exam Questions
116 real 5V0-91.20 exam questions with expert-verified answers and explanations. Page 2 of 3.
- Question #51
An analyst is investigating a specific alert in Endpoint Standard. The analyst selects the Investigate button on the Alert Triage page and sees the following: [IMAGE CONTENT] Which...
- Question #52
Examine the following EDR query: file_desc:"Windows Command Processor" AND -process_name:cmd.exe Which process will show in the query results?
- Question #53
Carbon Black App Control maintains an inventory of all interesting (executable) files on endpoints where the agent is installed. What is the initial inventory procedure called, and...
- Question #54
This search is entered into the process search page: notepad.exe Which three statements about this query are true? (Choose three.)
- Question #55
A company wants to implement the strictest security controls for computers on which the software seldom changes (i.e., servers or single-purpose systems). Which Enforcement Level i...
- Question #56
What does the Aggressive setting do when configured in Local Scan Settings?
- Question #57
Review the following search: childproc_name:"rundll32.exe" AND -digsig_result:"Signed" AND path:c:\windows\* What is this search looking for?
- Question #58
Which reputation is processed with the lowest priority for Endpoint Standard?
- Question #59
Which statement is true about Carbon Black Live Response (CBLR)?
- Question #60
Management has directed that the SOC team be enabled to create global file bans via the App Control API. How would this be configured in the App Control Console?
- Question #61
An administrator is creating a query per policy for Audit and Remediation. The administrator ran several recommended queries already but notices they are unable to run the same rec...
- Question #62
An Endpoint Standard administrator finds a binary in the environment and decides to manually add the file hash to the Banned List. Which reputation does the file now have?
- Question #63
Given an event rule, "Approve nVidia Drivers", that changes the local state to Approved for file writes or execution blocks when the publisher is NVIDIA Corporation. How is an alert creat...
- Question #64
An Endpoint Standard analyst runs the query shown in the graphic below. Which three statements are true from the results shown? (Choose three.)
- Question #65
An administrator receives an alert tagged with the TTP DATA_TO_ENCRYPTION. What is known about the alert based on this TTP even if other parts of the alert are unknown?
- Question #66
How can an analyst disregard alerts on multiple devices with the least amount of administrative effort?
- Question #67
What is the meaning, if any, of the event "Report write (removable media)"?
- Question #68
Which action is only available for the "Performs any operation" and "Performs any API Operation" operation attempts?
- Question #69
Review this EDR query: childproc_name:whoami.exe AND childproc_name:hostname.exe AND childproc_name:tasklist.exe AND childproc_name:ipconfig.exe Which process would show in the que...
- Question #70
A Carbon Black Cloud analyst needs to identify the Internet Explorer extensions installed on Windows endpoints. Which Live Query statement will successfully query these items?
- Question #71
Which statement is true about configuring VMware Carbon Black Application Control for use on non-persistent virtual machines (VMs)?
- Question #72
An administrator uses the following Enterprise EDR search query to show web browsers spawning non-browser child processes that connect over the network: (parent_name:chrome.exe OR p...
- Question #73
Given the following query: SELECT * FROM users WHERE UID >= 500; Which statement is correct?
- Question #74
What is the maximum number of binaries (hashes) that can be banned using the web console?
- Question #75
An administrator wants to allow files to run from a network share. Which rule type should the administrator configure?
- Question #76
An analyst is reviewing an alert in Enterprise EDR from a custom watchlist. The analyst disagrees with the alert severity rating. How can the analyst change the alert severity valu...
- Question #77
What information does the Alert Details panel provide on the Alert Triage page in Endpoint Standard?
- Question #78
An analyst on the security team noticed that several alerts are false positives within Enterprise EDR. The analyst disables the IOC within the report from those alerts. Which state...
- Question #79
Which identifier is shared by all events when an alert is investigated?
- Question #80
An Enterprise EDR administrator wants to use Watchlists curated by VMware Carbon Black and other threat intelligence specialists. How should the administrator add these curated Wat...
- Question #81
An incorrectly constructed watchlist generates 10,000 incorrect alerts. How should an administrator resolve this issue?
- Question #82
Which list below captures all Enforcement Levels for App Control policies?
- Question #83
A company uses Audit and Remediation to check configurations and adhere to compliance regulations. The regulations require monthly reporting and twelve months of data retained. How...
- Question #84
An administrator needs to query all endpoints in the HR group for instances of an obfuscated copy of cmd.exe. Given this Enterprise EDR query: process_name:cmd.exe AND device_group...
- Question #85
App Control System Health email alerts for excessive agent backlog are occurring hourly. This is overwhelming the security analysts, and they would like to reduce the notifications...
- Question #86
An analyst wants to block an application's specific behavior but does not want to kill the process entirely as it is heavily used on workstations. The analyst needs to use a Blocki...
- Question #87
An administrator wants to query the status of the firewall for all endpoints. The administrator will query the registry key found here HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\S...
- Question #88
An organization leverages a commonly used software distribution tool to manage deployment of enterprise software and updates. Custom rules are a suitable option to ensure the appro...
- Question #89
How often do watchlists run?
- Question #90
Which statement should be used when constructing queries in Carbon Black Audit and Remediation, Live Query?
- Question #91
Which wildcard configuration applies a policy to all files and subfolders in a specific folder in Endpoint Standard?
- Question #92
An alert for a device running a proprietary application is tied to a vital business operation. Which action is appropriate to take?
- Question #93
An administrator needs to check configurations using Audit across several policies and locations within the organization. How can the administrator run the query to only these spec...
- Question #94
A process wrote an executable file as detailed in the following event: Timestamp: Jan 15, 2020 16:00:32 Source: USWIN-MGMT1 Subtype: New Unapproved File To Computer File Path: c:\w...
- Question #95
Which enforcement level does not block unapproved files but will block files that have been specifically banned?
- Question #96
An administrator has updated a Threat Intelligence Report by turning it into a watchlist and needs to disable (Ignore) the old Threat Intelligence Report. Where in the UI is this a...
- Question #97
An analyst navigates to the alerts page in Endpoint Standard and sees the following: [Image of a table with alerts] What does the yellow color represent on the left side of the row...
- Question #98
An administrator is concerned that someone may be using unauthorized commands from cmd.exe. These commands are not considered suspicious or malicious, and there is no policy based...
- Question #99
An analyst has investigated multiple alerts on a number of HR workstations and found that java.exe is attempting to launch PowerShell. Of the Windows workstations in question, the analyst...
- Question #100
Review the following query: path:c:\program\ files\ (x86)\microsoft How would this query input term be interpreted?
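As an added worked example (not part of the exam material and not VMware Carbon Black's own code), the following Python evaluator runs the AND-only process-search queries from Questions #52, #57, #69 and #100 against a handful of constructed process records. It assumes the EDR search conventions as commonly documented: `field:value` terms joined by AND, a leading `-` that negates a term, `*` as a wildcard, quotes around values containing spaces, and a backslash that escapes a space or parenthesis inside a value while other backslashes stay literal path separators. OR and parentheses are not handled. The process names, paths and hashes in `PROCESSES` are hypothetical.

```python
"""Toy evaluator for Carbon Black EDR-style process search terms.

Added example, not the exam's or Carbon Black's code. The query semantics
below (AND conjunction, leading '-' negation, '*' wildcard, backslash-escaped
space/parenthesis) are assumptions about the EDR search language.
"""
import re

SPECIAL = set(' ()"')   # characters a backslash escapes inside a value (assumption)

# Constructed sample records; hosts, paths and signing state are hypothetical.
PROCESSES = [
    {"process_name": "cmd.exe", "file_desc": "Windows Command Processor",
     "path": r"c:\windows\system32\cmd.exe", "digsig_result": "Signed",
     "childproc_name": []},
    # A renamed copy of cmd.exe: the file description survives, the name does not.
    {"process_name": "svch0st.exe", "file_desc": "Windows Command Processor",
     "path": r"c:\users\bob\appdata\local\temp\svch0st.exe", "digsig_result": "Unsigned",
     "childproc_name": ["whoami.exe", "hostname.exe", "tasklist.exe", "ipconfig.exe"]},
    # Unsigned binary under c:\windows spawning rundll32.
    {"process_name": "updater.exe", "file_desc": "Updater",
     "path": r"c:\windows\temp\updater.exe", "digsig_result": "Unsigned",
     "childproc_name": ["rundll32.exe"]},
    {"process_name": "explorer.exe", "file_desc": "Windows Explorer",
     "path": r"c:\windows\explorer.exe", "digsig_result": "Signed",
     "childproc_name": ["rundll32.exe", "whoami.exe"]},
]


def tokenize(query):
    """Split a query on whitespace that is neither escaped nor inside quotes."""
    tokens, cur, in_quote, i = [], "", False, 0
    while i < len(query):
        ch = query[i]
        if ch == "\\" and i + 1 < len(query):
            cur += ch + query[i + 1]      # keep the escape; unescape() resolves it
            i += 2
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch.isspace() and not in_quote:
            if cur:
                tokens.append(cur)
            cur = ""
        else:
            cur += ch
        i += 1
    if cur:
        tokens.append(cur)
    return tokens


def unescape(value):
    """Strip surrounding quotes; a backslash before a SPECIAL char yields that
    char, any other backslash is kept as a literal path separator."""
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    out, i = "", 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value) and value[i + 1] in SPECIAL:
            out += value[i + 1]
            i += 2
        else:
            out += value[i]
            i += 1
    return out


def parse_query(query):
    """Return a list of (negated, field, value) for an AND-only query."""
    terms = []
    for tok in tokenize(query):
        if tok.upper() == "AND":
            continue
        negated = tok.startswith("-")
        field, sep, raw = tok.lstrip("-").partition(":")
        if not sep:
            raise ValueError(f"bare term without a field: {tok!r}")
        terms.append((negated, field.lower(), unescape(raw)))
    return terms


def term_matches(pattern, field_value):
    """Case-insensitive whole-value match; '*' matches any run of characters."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, field_value, re.IGNORECASE) is not None


def record_matches(record, terms):
    """Every positive term must hit and every negated term must miss.
    List-valued fields (childproc_name) hit if any element matches."""
    for negated, field, pattern in terms:
        values = record.get(field, [])
        if not isinstance(values, list):
            values = [values]
        hit = any(term_matches(pattern, v) for v in values)
        if hit == negated:
            return False
    return True


def search(query, records=PROCESSES):
    """Names of the records that satisfy the query."""
    terms = parse_query(query)
    return [r["process_name"] for r in records if record_matches(r, terms)]


if __name__ == "__main__":
    for q in ('file_desc:"Windows Command Processor" AND -process_name:cmd.exe',
              r'childproc_name:"rundll32.exe" AND -digsig_result:"Signed" AND path:c:\windows\*',
              "childproc_name:whoami.exe AND childproc_name:hostname.exe AND "
              "childproc_name:tasklist.exe AND childproc_name:ipconfig.exe"):
        print(q, "->", search(q))
    print(parse_query(r"path:c:\program\ files\ (x86)\microsoft"))
```

Running it shows why each query is phrased the way it is: the Question #52 query ignores the file name and keys on the embedded file description, so the renamed `svch0st.exe` surfaces while the genuine `cmd.exe` is excluded; the Question #57 query keeps only the unsigned parent under `c:\windows\` that spawned rundll32; the four `childproc_name` terms of Question #69 require one parent to have spawned all four recon tools; and the Question #100 term parses to the single path value `c:\program files (x86)\microsoft` rather than four separate search terms.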