EMT Practice Test

1. Question Content...


Question List

Question1: Which VMware Carbon Black Cloud integration is supported for SIEM?

Question2: An administrator is tasked to create a reputation override for a company-critical application based on the highest available priority in the reputation list. The company-critical application is already known by VMware Carbon Black.
Which method of reputation override must the administrator use?

Question3: An administrator wants to prevent malicious code that has not been seen before from retrieving credentials from the Local Security Authority Subsystem Service, without causing otherwise good applications from being blocked.
Which rule should be used?

Question4: Which permission level is required when a user wants to install a sensor on a Windows endpoint?

Question5: A script-based attack has been identified that inflicted damage to the corporate systems. The security administrator found out that the malware was coded into Excel VBA and would like to perform a search to further inspect the incident.
Where in the VMware Carbon Black Cloud Endpoint Standard console can this action be completed?

Question6: An administrator needs to fully analyze the relevant information of an event stored in the VMware Carbon Black Cloud.
On which page can this information be found?

Question7: Which statement is true regarding Blocking/Isolation rules and Permission rules?

Question8: An administrator would like to proactively know that something may get blocked when putting a policy rule in the environment.
How can this information be obtained?

Question9: An organization has the following requirements for allowing application.exe:
Must not work for any user's D:\ drive
Must allow running only from inside of the user's Temp\Allowed directory Must not allow running from anywhere outside of Temp\Allowed For example, on one user's machine, the path is C:\Users\Lorie\Temp\Allowed\application.exe.
Which path meets this criteria using wildcards?

Question10: The use of leading wildcards in a query is not recommended unless absolutely necessary because they carry a significant performance penalty for the search.
What is an example of a leading wildcard?

Question11: An organization is implementing policy rules. The administrator mentions that one operation attempt must use a Terminate Process action.
Which operation attempt has this requirement?

Question12: Which scenario would qualify for the "Local White" Reputation?

Question13: An administrator wants to prevent ransomware that has not been seen before, without blocking other processes.
Which rule should be used?

Question14: An administrator needs to make sure all files are scanned locally upon execution.
Which setting is necessary to complete this task?

Question15: An administrator wants to block ransomware in the organization based on leadership's growing concern about ransomware attacks in their industry.
What is the most effective way to meet this goal?

Question16: What is a security benefit of VMware Carbon Black Cloud Endpoint Standard?

Question17: What is a capability of VMware Carbon Black Cloud?

Question18: An administrator has been tasked with preventing the use of unauthorized USB storage devices from being used in the environment.
Which item needs to be enabled in order to enforce this requirement?

Question19: The use of leading wildcards in a query is not recommended unless absolutely necessary because they carry a significant performance penalty for the search.
What is an example of a leading wildcard?

Question20: A user downloaded and executed malware on a system. The malware is actively exfiltrating data.
Which immediate action is recommended to prevent further exfiltration?

Question21: In which tab of the VMware Carbon Black Cloud interface can sensor status details be found?

Question22: Which statement accurately characterizes Alerts that are categorized as a "Threat" versus those categorized as
"Observed"?

Question23: An administrator is investigating an alert and reads a summary that says:
The application powershell.exe was leveraged to make a potentially malicious network connection.
Which action should the administrator take immediately to block that connection?

Question24: A security administrator is tasked to investigate an alert about a suspicious running process trying to modify a system registry.
Which components can be checked to further inspect the cause of the alert?

Question25: An administrator wants to find information about real-world prevention rules that can be used in VMware Carbon Black Cloud Endpoint Standard.
How can the administrator obtain this information?

Question26: The administrator has configured a permission rule with the following options selected:
Application at path: C:\Program Files\**
Operation Attempt: Performs any operation
Action: Bypass
What is the impact, if any, of using the wildcards in the application at path field?

Question27: Where can a user identify whether a sensor's signature pack is out-of-date in VMware Carbon Black Cloud?