Q1

A security architect is designing a Carbon Black Cloud policy for a fleet of developer workstations. The developers frequently use unsigned, internally developed command-line tools. The security team requires that all known malware is blocked, but wants to avoid disrupting development workflows. Which Reputation Priority configuration within the policy best balances these requirements?

Q2

During an incident investigation, a SOC analyst needs to find all network connections made by the process `svchost.exe` that did NOT go to a specific internal domain `corp.local`. Which search query would accomplish this?

Q3

A system administrator notices that the Carbon Black sensor is causing high CPU utilization on a critical database server. The high CPU usage correlates with frequent write operations to a specific log directory, `D:\AppLogs\`. The security team has confirmed these write operations are benign and part of the application's normal function. What is the most precise and efficient way to resolve the performance issue without weakening the server's overall security posture?

Q4

An incident responder is using Live Response to investigate a compromised Windows endpoint. They need to retrieve a suspicious file named `update.dll` from the user's temporary directory for offline analysis. Which sequence of commands should be used?

Q5

A security policy is configured with a rule to block the execution of `powershell.exe`. A separate, lower-precedence rule in the same policy adds a permission for a digitally signed PowerShell script, `C:\scripts\admin_tool.ps1`. When a user attempts to run this signed script, what is the expected outcome?

Q6

True or False: The Carbon Black Cloud sensor on a macOS endpoint can function and apply prevention policies even when it cannot communicate with the Carbon Black Cloud backend.

Q7 (Multiple answers)

A security analyst receives a high-severity alert for `lsass.exe` being accessed by a non-system process on a domain controller. This is a strong indicator of a credential dumping attack. According to best practices, what are the most critical initial response actions to take directly from the Carbon Black Cloud console? (Select TWO)

Q8

A financial services company is deploying Carbon Black Cloud Endpoint Standard. Due to regulatory compliance, they must prevent any process from writing files with the extension `.dat` to any external USB storage device. Which type of rule should an administrator create to enforce this specific requirement?

Q9

While reviewing the sensor status on the Endpoints page, an administrator sees a device with the status 'Deregistered'. What does this status indicate about the sensor and the device?

Q10

A company has a custom-built legacy application that is unsigned and frequently flagged as 'SUSPICIOUS' by Carbon Black Cloud, causing business interruptions. The application is known to be safe. The security team wants to ensure this specific application can always run without being blocked, across all policies, without affecting the reputation evaluation of any other applications. What is the most appropriate global override to apply?