EMT Practice Test

1. Question Content...


Question List

Question1: An administrator is working in a development environment that has a policy rule applied and notices that there are too many blocks. The administrator takes action on the policy rule to troubleshoot the issue until the blocks are fixed.
Which action should the administrator take?

Question2: An administrator has just placed an endpoint into bypass.
What type of protection, if any, will VMware Carbon Black provide this device?

Question3: An administrator wants to block ransomware in the organization based on leadership's growing concern about ransomware attacks in their industry.
What is the most effective way to meet this goal?

Question4: An administrator has configured a terminate rule to prevent an application from running. The administrator wants to confirm that the new rule would have prevented a previous execution that had been observed.
Which feature should the administrator leverage for this purpose?

Question5: An administrator would like to proactively know that something may get blocked when putting a policy rule in the environment.
How can this information be obtained?

Question6: A recent application has been blocked using hash ban, which is an indicator that some users attempted an unexpected activity. Even though the activity was blocked, the security administrator wants to further investigate the attempt in VMware Carbon Black Cloud Endpoint Standard.
Which page should the administrator navigate to for a graphical view of the event?

Question7: An administrator is investigating an alert and reads a summary that says:
The application powershell.exe was leveraged to make a potentially malicious network connection.
Which action should the administrator take immediately to block that connection?

Question8: The use of leading wildcards in a query is not recommended unless absolutely necessary because they carry a significant performance penalty for the search.
What is an example of a leading wildcard?

Question9: What is a security benefit of VMware Carbon Black Cloud Endpoint Standard?

Question10: Where can a user identify whether a sensor's signature pack is out-of-date in VMware Carbon Black Cloud?

Question11: An administrator needs to fully analyze the relevant information of an event stored in the VMware Carbon Black Cloud.
On which page can this information be found?

Question12: Which statement is true regarding Blocking/Isolation rules and Permission rules?

Question13: A security administrator is tasked to investigate an alert about a suspicious running process trying to modify a system registry.
Which components can be checked to further inspect the cause of the alert?

Question14: An administrator wants to find information about real-world prevention rules that can be used in VMware Carbon Black Cloud Endpoint Standard.
How can the administrator obtain this information?

Question15: What are the highest and lowest file reputation priorities, respectively, in VMware Carbon Black Cloud?

Question16: An administrator needs to add an application to the Approved List in the VMware Carbon Black Cloud console.
Which two different methods may be used for this purpose? (Choose two.)

Question17: In which tab of the VMware Carbon Black Cloud interface can sensor status details be found?

Question18: Which port does the VMware Carbon Black sensor use to communicate to VMware Carbon Black Cloud?

Question19: The administrator has configured a permission rule with the following options selected:
Application at path: C:\Users\*\Downloads\**
Operation Attempt: Performs any operation
Action: Bypass
What is the impact, if any, of using the wildcards in the path for this rule?

Question20: An administrator is tasked to create a reputation override for a company-critical application based on the highest available priority in the reputation list. The company-critical application is already known by VMware Carbon Black.
Which method of reputation override must the administrator use?

Question21: An administrator is reviewing how event data is categorized and identified in VMware Carbon Black Cloud.
Which method is used?

Question22: An administrator needs to make sure all files are scanned locally upon execution.
Which setting is necessary to complete this task?

Question23: An administrator wants to prevent malicious code that has not been seen before from retrieving credentials from the Local Security Authority Subsystem Service, without causing otherwise good applications from being blocked.
Which rule should be used?

Question24: Is it possible to search for unsigned files in the console?

Question25: An administrator has determined that the following rule was the cause for an unexpected block:
[Suspected malware] [Invokes a command interpreter] [Terminate process] All reputations for the process which was blocked show SUSPECT_MALWARE.
Which reputation was used by the sensor for the decision to terminate the process?

Question26: An organization is implementing policy rules. The administrator mentions that one operation attempt must use a Terminate Process action.
Which operation attempt has this requirement?

Question27: What is a capability of VMware Carbon Black Cloud?