VMware Carbon Black Portfolio Skills (5V0-91.20) Free Practice Test

Question 1

An administrator receives an alert with the TTP DATA_TO_ENCRYPTION.
What is known about the alert based on this TTP even if other parts of the alert are unknown?

A. A process attempted to delete encrypted data on the disk.

B. A process attempted to transfer encrypted data on the disk over the network.

C. A process attempted to modify a monitored file written by the sensor.

D. A process attempted to write a file to the disk.

Correct Answer: D

Question 2

Which reputation is processed with the lowest priority for Endpoint Standard?

A. Trusted White

B. Known Malware

C. Common White

D. Local White

Correct Answer: B

Question 3

This search is entered into the process search page: notepad.exe
Which three statements about this query are true? (Choose three.)

A. The search will fail with an error.

B. Only processes named notepad.exe will be returned.

C. A field identifier is required for all criteria within a process search.

D. Processes with registry modifications containing notepad.exe would be retuned.

E. All processes containing the text notepad.exe in any default field.

F. Since a field name is not selected, query performance will be impacted.

Correct Answer: D,E,F

Question 4

When dismissing alerts, when should an administrator select "If alert occurs in the future, automatically dismiss it from all devices"?

A. When the administrator wishes to apply this action to all future alerts from the device

B. When the administrator wishes to be notified again to this behavior

C. When the administrator wishes to mark the alert instance as a false positive

D. When the administrator wishes to remove the alert

Correct Answer: A

Question 5

An analyst on the security team noticed that several alerts are false positives within Enterprise EDR. The analyst disables the IOC within the report from those alerts.
Which statement correctly explains what disabling the IOC will accomplish?

A. That specific IOC in the report will no longer generate hits or alerts on the device from the alert.

B. The report will no longer generate hits or alerts.

C. That specific IOC in the report will no longer generate hits or alerts.

D. The report will no longer generate hits or alerts on the device from the alert.

Correct Answer: C

Question 6

Which strategy is used to create an exclusion in Endpoint Standard for another AV/security product?

A. Bypass Mode

B. Isolation Rule

C. Approved List

D. Permission Rule

Correct Answer: C

Question 7

A process wrote an executable file as detailed in the following event:

Which rule type should be used to ensure that files of the same name and path, written by that process in the future, will not be blocked when they execute?

A. File Creation Control

B. Advances (Write-Ignore)

C. Trusted Path

D. Trusted Publisher

Correct Answer: A

Question 8

An administrator uses the following Enterprise EDR search query to show web browsers spawning nonbrowser child processes that connect over the network:
(parent_name:chrome.exe OR parent_name:iexplore.exe OR parent_name:firefox.exe) AND (NOT process_name:chrome.exe OR NOT process_name:iexplore.exe OR NOT process_name:firefox.exe) Which field can be added to this query to filter the results by signature status?

A. process_publisher

B. childproc_publisher_state

C. childproc_reputation

D. process_publisher_state

Correct Answer: C

Question 9

An administrator observes the following event detail in the Investigate tab for an application with an unknown reputation making network connections:

Upon further review of the event details returned, the reputation is observed as NOT_LISTED, and the applied (cloud) reputation is UNKNOWN.
Why is the applied (cloud) reputation UNKNOWN and not NOT_LISTED?

A. The sensor demoted the local reputation from UNKNOWN to NOT_LISTED based on the coud reputation.

B. NOT_LISTED was applied by the sensor after observing no cloud reputation, as evidenced by the applied cloud reputation UNKNOWN.

C. The sensor demoted the local reputation from NOT_LISTED to UNKNOWN based on the cloud reputation.

D. The application was UNKNOWN at the time of the event but then later determined to be NOT_LISTED.

Correct Answer: D

Question 10

Which actions are available for Permissions?

A. Performs any Operation, Runs or is running

B. Allow, Allow & Log, Bypass

C. Approve, Upload, No Upload

D. Deny Operation, Terminate Process

Correct Answer: B

Welcome to TestSimulate

VMware Carbon Black Portfolio Skills (5V0-91.20) Free Practice Test