5V0-93.22 VMware Carbon Black Cloud Endpoint Standard Skills Free Practice Exam Questions (2025 Updated)

This rule will prevent any application that is not listed in the Carbon Black Cloud Endpoint Standard from scraping the memory of another process, which is a common technique used by malware to retrieve credentials from the Local Security Authority Subsystem Service (LSASS). This rule will terminate the process that attempts to perform this operation, thus blocking the credential theft. This rule is more specific and effective than option A, which only applies to unknown applications, or option B, which applies to all executable files regardless of their reputation. Option C is incorrect because it will only deny the operation but not terminate the process, which may allow the malware to continue running and try other methods of credential theft. References: VMware Carbon Black Cloud Endpoint Standard Skills Reference Materials, Module 4: Endpoint Standard Rules, Lesson 2: Rule Types and Actions, slide 12.

 The correct answer is C because it uses the correct syntax for the advanced search query. The process_name field matches the name of the process, and the AND NOT operator excludes the results that match the second condition. The backslashes in the path need to be escaped with another backslash, so C:\Windows\System32 is the correct way to write it. References: VMware Carbon Black Cloud Endpoint Standard Skills Reference Materials, Section 3.3.2: Investigate Page - Advanced Search.

The tool that the security administrator is using to remediate a security vulnerability that may affect the sensors is Live Response. Live Response is a feature of VMware Carbon Black Cloud Endpoint Standard that allows the administrator to perform remote investigations, contain ongoing attacks, and remediate threats using a command line interface. Live Response enables the administrator to interact with the sensors and access the endpoints in real time, using various commands and scripts. Live Response can also be used to upload or download files, execute processes, terminate processes, delete files, and more12.

The other tools are not relevant or applicable for this scenario. CBLauncher is a tool that allows the administrator to launch applications on the endpoint without triggering policy rules or alerts. CBLauncher is useful for troubleshooting application compatibility issues or testing new applications, but it does not provide interaction or remote access for further investigation3. PowerCLI is a tool that allows the administrator to automate and manage VMware products and services using PowerShell commands and scripts. PowerCLI is useful for administering VMware virtual machines, hosts, networks, storage, and more, but it does not provide interaction or remote access for further investigation4. IRepCLI is a tool that allows the administrator to generate and upload reputation information for files on the endpoint. IRepCLI is useful for enhancing the threat intelligence and detection capabilities of VMware Carbon Black Cloud, but it does not provide interaction or remote access for further investigation5. References:

Use Live Response - VMware Docs, Overview section.

CBLauncher - VMware Docs, Overview section.

Live Response Commands - VMware Docs, Overview section.

VMware PowerCLI Documentation, Overview section.

IRepCLI - VMware Docs, Overview section.

The security administrator can view the Live Response activities and commands that have been executed while performing a remediation process to the sensors in the Audit Log page in the VMware Carbon Black Cloud Endpoint Standard console. The Audit Log page allows the administrator to review actions performed by Carbon Black Cloud console users, such as logging in, creating policies, banning hashes, isolating devices, and initiating Live Response sessions. The administrator can use various filters and keywords to narrow down the log scope and find the relevant entries. For example, the administrator can use the following keyword to find all the Live Response activities and commands:

live-response

This keyword will return all the log entries that contain the term live-response, which indicates that the action was related to the Live Response feature. The administrator can also use the following fields to refine the search results:

User: The name of the user who performed the action.

Action: The type of action that was performed, such as login, create, update, delete, enable, disable, and so on.

Object: The object that was affected by the action, such as policy, device, hash, and so on.

Date: The date and time range when the action was performed.

The administrator can also modify the level of granularity of the log entries, expand the log scope, limit the log scope to keywords, modify the audit table configuration, and export audit logs to the local machine1.

The other options are incorrect or irrelevant. Users is a page that allows the administrator to manage the users and roles in the Carbon Black Cloud console, not to view the Live Response activities and commands. Notifications is a page that allows the administrator to view and manage the notifications from the Carbon Black Cloud console, such as alerts, recommendations, and messages, not to view the Live Response activities and commands. Inbox is a page that allows the administrator to view and manage the messages from the Carbon Black Cloud console, such as product updates, announcements, and feedback requests, not to view the Live Response activities and commands. References:

Audit Logs - VMware Docs, Overview section.

According to the VMware Carbon Black Cloud Endpoint Standard User Guide, the Sensor Service (RepMqr) is the process that is responsible for uploading event reporting to VMware Carbon Black Cloud. The Sensor Service (RepMqr) is one of the components of the VMware Carbon Black Cloud sensor, which is the software agent that runs on the endpoints and collects and sends data to the VMware Carbon Black Cloud console. The Sensor Service (RepMqr) is responsible for the following tasks:

Collecting and compressing endpoint events

Sending endpoint events to the VMware Carbon Black Cloud console

Receiving and applying policy updates from the VMware Carbon Black Cloud console

Performing actions requested by the VMware Carbon Black Cloud console, such as quarantine, unquarantine, or bypass

The other processes are not responsible for uploading event reporting to VMware Carbon Black Cloud. The Sensor Service (RepUx) is the process that is responsible for uploading file metadata and content to VMware Carbon Black Cloud. The Scanner Service (scanhost) is the process that is responsible for scanning the endpoint for malicious files and activity. The Scanner Service (Re) is the process that is responsible for scanning the endpoint for reputation information. References:

VMware Carbon Black Cloud Endpoint Standard User Guide, page 7, Sensor Components section, Sensor Service (RepMqr) subsection.

The VMware Carbon Black Cloud integration that is supported for SIEM is the Splunk App. The Splunk App allows administrators to bring alerts, events, audit logs, or vulnerability data from Carbon Black Cloud into their Splunk dashboard1. The Splunk App also supports Splunk SOAR, which enables automated actions and workflows based on Carbon Black Cloud alerts2.

The other options are not supported for SIEM integration with Carbon Black Cloud. SolarWinds, LogRhythm, and Datadog are not listed among the 140+ ecosystempartnerships and integrations that Carbon Black Cloud offers3. They are also not part of the Next-Gen SOC Alliance, which features Splunk, IBM Security, Google Cloud’s Chronicle, Exabeam, and Sumo Logic integrations with Carbon Black Cloud1. References:

VMware Carbon Black Cloud Endpoint Standard Skills Reference Materials, Section 2.6: Integrations

VMware Carbon Black Cloud Endpoint Standard User Guide, Chapter 12: Integrations

Integrations and APIs - VMware

Carbon Black Cloud - Cloud SIEM | Sumo Logic Docs

VMware Launches Next-Gen SOC Alliance with Splunk, IBM … - VMware Blogs

To block an application by its path instead of reputation, the administrator needs to follow these steps:

Go to Enforce > Policies > Select the desired policy.

Scroll down to the Blocking and Isolation section.

Click Add application path.

Enter the path of the desired application, such as C:\Program Files\Example\example.exe.

Choose the action to take when the application is detected, such as Block or Allow.

Optionally, add a description for the application path rule.

Click Save to apply the changes to the policy.

The other options are incorrect because they do not specify the correct section, button, or field for blocking an application by its path. The Enforce section is for managing the policy assignments, not the policy rules. The Permissions section is for managing the application control rules, not the application blocking rules. The Edit (pencil icon) button is for modifying the existing reputation levels, not for adding a new application path rule. References:

VMware Carbon Black Cloud Endpoint Standard Skills Reference Materials, Module 3: Application Control, pages 3-7 to 3-8.

VMware Carbon Black Cloud Endpoint Standard User Guide, Chapter 9: Application Control, pages 115-116.

A leading wildcard is a wildcard that is placed at the beginning of a search term, such as * or ?. A leading wildcard matches any characters that precede the specified term. For example, filemod:/system32/ntdll.dll matches any file modification events that end with /system32/ntdll.dll, regardless of the drive letter or the directory name. A leading wildcard is not recommended unless absolutely necessary because it carries a significant performance penalty for the search. This is because the search engine has to scan the entire index for possible matches, rather than using the index to quickly narrow down the results1.

The other options are not examples of leading wildcards. A. filemod:system32/ntdll.dll is an exact match query that matches only file modification events that are exactly system32/ntdll.dll. B. filemod:system32/ntdll.dll is a trailing wildcard query that matches any file modification events that start with system32/ and end with ntdll.dll, regardless of the characters in between. D. filemod:system32/ntdll.dll is a trailing wildcard query that matches any file modification events that start with system32/ntdll.dll, regardless of the characters that follow. References:

Search Syntax - VMware Docs, Wildcards section.

 According to the VMware Carbon Black Cloud User Guide, the reputation priority is in a descending order with 1 being the highest priority and 11 the lowest priority. The highest priority reputation is Ignore, which is a self-check reputation that Carbon Black Cloud assigns to product files and grants them with full permissions to run. The lowest priority reputation is Unknown, which indicates that Carbon Black Cloud has not yet determined the reputation of the file. References:

Reputation Assignment - VMware Docs, Reputation Priority table.

The command detach -q is used to immediately terminate a current Live Response session and return to the Carbon Black Cloud console. This command is useful when the user wants to end the session without waiting for the timeout or the confirmation prompt. The -q option stands for “quiet” and suppresses any output or feedback from the command. References: VMware Carbon Black Cloud Endpoint Standard Skills Reference Materials, Live Response Commands, page 11.

Event data is categorized and identified by a unique event ID in VMware Carbon Black Cloud. The sensor will upload all event data to the Investigate page of the Endpoint Standard Console. This includes but is not limited to all failed and successful operations which happen at the machine level as well as any operations which are blocked or terminated by the sensor. Each event sent from the sensor to the Dashboard will be assigned a unique event ID. References: Endpoint Standard: How is event data categorized, and formed into an Alert1

The correct answer is to click Drop Connection, which is a feature of VMware Carbon Black Cloud Endpoint Standard that allows the administrator to immediately terminate a network connection that is deemed malicious or suspicious. This feature can be accessed from the Alert Details page, where the administrator can see the application, process, and destination IP address of the connection. By clicking Drop Connection, the administrator can block the connection without affecting the rest of the system or network. This is a quick and effective way to stop a potential threat from communicating with a remote server or exfiltrating data. References: = VMware Carbon Black Cloud Endpoint Standard Skills Reference Materials, Section 4.3: Investigate Alerts, Subsection 4.3.2: Drop Connection.

The Process Analysis page in VMware Carbon Black Cloud Endpoint Standard is a graphical view of the event that shows the process tree, the event timeline, and the event details. The process tree displays the parent-child relationships of the processes involved in the event, as well as the actions taken by the policy, such as blocking or alerting. The event timeline shows the chronological sequence of the events, such as process executions, file modifications, network connections, and registry changes. The event details provide more information about the selected event, such as the process name, path, hash, command line, reputation, and Carbon Black TTPs. The Process Analysis page can help the security administrator to investigate the hash ban event and understand the context and impact of the blocked application. References: Carbon Black Cloud Endpoint Standard - Technical Overview, Add Hash to Banned List, Carbon Black Cloud: How to Add a SHA256 Hash to Approved/Banned List

These components can provide more information about the suspicious running process and its behavior, such as:

Event details: This component shows the details of the event that triggered the alert, such as the device name, the device time, the process name, the process path, the process ID, the operation type, the operation result, the registry key, the registry value, and the registry data. The event details can help the security administrator to identify the source and the target of the registry modification attempt, and to verify if the operation was successful or not.

Command lines: This component shows the command lines that were executed by the process or its parent process, such as the arguments, the parameters, the switches, and the environment variables. The command lines can help the security administrator to understand the purpose and the context of the process execution, and to detect any malicious or anomalous commands or scripts.

TTPs involved: This component shows the tactics, techniques, and procedures (TTPs) that were involved in the event, based on the MITRE ATT&CK framework. The TTPs can help the security administrator to assess the severity and the impact of the event, and to correlate the event with other related events or indicators of compromise.

The other components are not as useful or relevant for investigating the alert. A. Device ID and priority score are components that provide general information about the device and the alert, but they do not provide specific details about the suspicious running process or its behavior. C. Network connections and child path are components that show the network activity and the child processes of the suspicious running process, but they do not show the registry modification attempt or its result. D. File reputation and timestamp are components that show the reputation and the time of the file associated with the suspicious running process, but they do not show the command lines orthe TTPs involved in the event. References: VMware Carbon Black Cloud Endpoint Standard Skills Reference Materials, Section 2.3.2: Investigate Alerts, Page 16.

The best rule to prevent a spreadsheet from being misused to run malicious code, while minimizing the risk of breaking normal operations of a spreadsheet, is B. **\excel.exe [Invokes a command interpreter] [Deny operation]. This rule will prevent any Excel process from invoking a command interpreter, such as cmd.exe or powershell.exe, which is a common technique used by malware to execute malicious commands or scripts. This rule will deny the operation but not terminate the process, which may allow the spreadsheet to continue functioning normally. This rule is more specific and effective than option A, which only applies to Microsoft Office applications that run external code, or option C, which applies to Excel applications that communicate over the network. Option D is incorrect because it is too vague and may not catch all the possible ways that a spreadsheet can run malware.

 A security benefit of VMware Carbon Black Cloud Endpoint Standard is that it provides visibility into the entire attack chain and customizable threat intelligence that can be used to gain insight into problems. Endpoint Standard uses behavioral analytics to detect and prevent malicious activity on endpoints, and also collects comprehensive event data that can be used to investigate and respond to incidents. Endpoint Standard also allows administrators to customize their threat intelligence feeds and alerts, and integrate with other security tools and platforms. This way, administrators can gain a deeper understanding of the threats facing their organization and take appropriate actions to mitigate them. The other options are incorrect because they are not security benefits of Endpoint Standard. Option A is incorrect because a flexible query scheduler is a feature of VMware Carbon Black Audit and Remediation, not Endpoint Standard. Option C is incorrect because customizable threat feeds are a feature of VMware Carbon Black Enterprise EDR, not Endpoint Standard. Option D is incorrect because policy rules that can be tested by selecting test rule next to the desired operation attempt are a feature of VMware Carbon Black App Control, not Endpoint Standard. References: VMware Carbon Black Cloud Endpoint Standard Datasheet, Carbon Black Cloud Endpoint Standard - Technical Overview

This feature allows the administrator to test the rule against historical data and see how many events would have matched the rule criteria in the past 24 hours. The administrator can also see the details of the matching events, such as the device name, the process name, the process path, the operation type, and the operation result. This feature can help the administrator to confirm that the new rulewould have prevented a previous execution that had been observed, as well as to evaluate the effectiveness and accuracy of the rule1.

The other options are not features that can be used for this purpose. A. Setting up a notification based on a policy action, and then selecting Terminate is a feature that allows the administrator to receive an alert when a terminate rule is triggered by a current event, but it does not allow the administrator to test the rule against historical data. C. Configuring the rule to terminate the process is a feature that allows the administrator to specify the action that the sensor will take when the rule is triggered by a current event, but it does not allow the administrator to test the rule against historical data. D. Configuring the rule to deny operation of the process is a feature that allows the administrator to specify a different action than terminate for the rule, but it does not allow the administrator to test the rule against historical data. References:

Endpoint Standard Rules - VMware Docs, Test Rule section.