10/248 questions
Q1

A security architect at a financial institution is designing a policy for VMware Carbon Black App Control to protect critical database servers. The primary goal is to prevent any unauthorized executables from running, while minimizing administrative overhead for patching cycles managed by an automated deployment tool. The deployment tool's agent is known to use dynamically named executables in temporary directories. Which enforcement level is the most appropriate for these servers?

Q2

A SOC analyst is using Carbon Black Cloud Enterprise EDR to investigate a sophisticated alert on a developer's workstation. The process chart shows that `powershell.exe` spawned `csc.exe` (C# compiler), which then wrote an unsigned executable to disk and established a network connection to a rare external IP. The analyst needs to create a watchlist to detect this specific sequence of behaviors across the entire enterprise. Which query would be most effective for this watchlist?

Q3

An administrator for a large retail company is using Carbon Black Cloud Audit and Remediation to verify PCI-DSS compliance. They need to generate a report of all local user accounts whose password was last set more than 90 days ago, across all Windows-based point-of-sale terminals. Which Live Query is correctly structured to retrieve this information efficiently?

Q4 (Multiple answers)

A security team is migrating from a legacy AV solution to Carbon Black Cloud Endpoint Standard. They have a policy requirement to block the execution of all applications categorized as 'Riskware' but must allow a specific, internally developed tool that is sometimes flagged as such. The tool is signed with the company's code-signing certificate. Which two actions should be taken within the policy configuration to meet this requirement? (Select TWO)

Q5

During an incident response scenario using on-premises VMware Carbon Black EDR, an analyst needs to find all endpoints where a malicious binary, `evil.exe`, has been seen. The search must be as fast as possible to scope the incident quickly. The analyst only has the binary's SHA-256 hash. Which search method should the analyst use?

Q6

True or False: In VMware Carbon Black App Control, a rule set to 'Allow & Log' for an unapproved application will permit the application to execute but will not generate an event visible on the console.

Q7

An organization is using Carbon Black Cloud Endpoint Standard. A security administrator has configured a policy that places devices into quarantine upon detecting a high-severity threat. What is the effect of this quarantine action on the endpoint?

```mermaid
graph TD
    subgraph Endpoint [Quarantined Endpoint]
        A[Sensor] --> B{CBC Cloud}
        C(Internal Network) -.-> D{No Connection}
        E(Internet) -.-> D
    end
    B -- Manages --> A
    A -. Blocks .-> C
    A -. Blocks .-> E
```

Q8 (Multiple answers)

A SOC manager is reviewing the alert triage process for their team, who use Carbon Black Cloud Enterprise EDR. The manager wants to ensure analysts can quickly pivot from an alert to proactively hunt for related activity on other endpoints. Which three features, directly accessible from the alert triage page, facilitate this workflow? (Choose THREE)

Q9

A consultant is deploying on-premises Carbon Black EDR for a client with a large, geographically distributed network connected by high-latency WAN links. To optimize performance and reduce data transfer over the WAN, sensor data from remote sites should be processed locally before being forwarded to the central EDR cluster. Which EDR component should be deployed at the remote sites to achieve this?

Q10

An administrator needs to use Live Response to remove a persistence mechanism created by malware on a Windows endpoint. The malware created a scheduled task named `MicrosoftUpdater`. Which Live Response command should be used to delete this task?