An administrator wants to allow files to run from a network share.
Which rule type should the administrator configure?
A. Execute Prompt (Shared Path)
B. Trusted Path
C. Network Execute (Allow)
D. Write Approve (Network)
A watchlist generates a false positive on the Triage Alerts page, so the watchlist must be updated. How should this task be accomplished?
A. One can update watchlists directly on the Triage Alerts Page using the pencil icon.
B. One can update watchlists from the Process Search Page.
C. Open the process analysis page and select the Add Watchlist Exclusion option from the Actions menu.
D. Open the Watchlist Page and click the pencil button associated with the watchlist.
An active compromise is detected on an endpoint. Due to current policies, the compromise was detected but not terminated.
What would be an appropriate action to end the current communication between the device and the attacker?
A. Uninstall the sensor
B. Place the system into bypass mode
C. Place the system into Quarantine D. Remotely scan the endpoint
In which two ways can the tamper protection on an App Control agent be disabled when diagnosing agent issues or removing the agent? (Choose two.)
A. From the Computer Details page on the web console
B. From the Files on Computers page on the web console
C. Run authenticated DasCLI on Windows command prompt
D. Run RepCLI on Windows command prompt
E. From the File Catalog page on the web console
An analyst has investigated multiple alerts on a number of HR workstations and found that java.exe is
attempting to PowerShell. Of the Windows workstations in question, the analyst has also found that Java is
installed in multiple locations.
The analyst needs to block java.exe from this type of operation.
Which rule meets this need?
A. **/java.exe --> Invokes an untrusted process --> Terminate process
B. **/Program Files/*/java.exe--> Invokes an untrusted process --> Deny operation
C. **\Program Files\*\java.exe --> Invokes a command interpreter --> Terminate process
D. **\java.exe --> Invokes a command interpreter --> Deny operation
How is a new Alert of type Event Alert created whenever an endpoint is added or deleted and send emails for the App Control admin whenever these events occur?
A. Add filter in Event Properties for Subtype Endpoint added and Endpoint deleted. Click Create and add the App Control admin email, and then click Create and. Exit.
B. Add filter in Event Properties for Subtype Computer added and Computer deleted. Add the App Control admin email, and then click Create and Exit.
C. Add filter in Event Properties for Subtype Computer added and Computer deleted. Click Create and add the App Control admin email, and then click Create and Exit.
D. Add filter in Event Properties for Subtype Computer modified. Add the App Control admin email, and then click Create and Exit.
An administrator runs the following query in Audit and Remediation:
SELECT *
FROM users
WHERE UID >= 500;
How long will this query stay active and accept data from the sensors?
A. 1 day
B. 7 days
C. 14 days
D. 30 days
An administrator needs to query all endpoints in the HR group for instances of an obfuscated copy of
cmd.exe.
Given this Enterprise EDR query:
process_name:cmd.exe AND device_group:HR AND NOT enriched:true
Which example could be added to the query to provide the desired results?
A. NOT process_name:cmd.exe
B. NOT process_original_filename:cmd.exe
C. NOT process_company_name:cmd.exe
D. NOT process_internal_name:cmd.exe
Which statement should be used when constructing queries in Carbon Black Audit and Remediation, Live Query?
A. ALTER
B. UPDATE
C. REMOVE
D. SELECT
An administrator viewed and filtered the results of a completed query within the User Interface for Audit and Remediation. The administrator exported the results to create charts and other visuals for reporting. When viewing the exported results, the administrator noticed some results were missing from the data set.
Why did the administrator not have the full data set from the query?
A. Export applies to the data visible in the UI; filtering will impact the viewable data.
B. Export pulls all results; the query must not have covered all data required.
C. Export is limited to the first hundred rows, and the query had more rows than supported.
D. Export was used prior to the query completing, and some data is missing.