VMware VMware Carbon Black Cloud Endpoint Standard Skills 5V0-93.22 Exam Dumps: Updated Questions & Answers (October 2025)

 The Investigate page in the VMware Carbon Black Cloud Endpoint Standard console is where the security administrator can perform a search to further inspect the script-based attack that was coded into Excel VBA. The Investigate page allows the administrator to use advanced search techniques to query the endpoint data collected by the VMware Carbon Black Cloud sensors. The administrator can use various fields and operators to filter and refine the search results, such as process_name, file_name, file_path, file_type, file_description, and more. The administrator can also use the processtree view to visualize the process execution and the event details to examine the process activity. For example, the administrator can use the following search query to find all the processes that have a file type of Excel VBA:

file_type:EXCEL_VBA

This query will return all the processes that have a file type of EXCEL_VBA, which is a file type that indicates the file contains Excel VBA code. The file_type field is a string that indicates the type of the file based on its content and format. The possible values for this field are:

EXE: Executable file

DLL: Dynamic-link library file

SYS: System file

BAT: Batch file

CMD: Command file

VBS: Visual Basic Script file

JS: JavaScript file

PS1: PowerShell Script file

HTA: HTML Application file

MSI: Windows Installer file

DOC: Microsoft Word document file

XLS: Microsoft Excel spreadsheet file

PPT: Microsoft PowerPoint presentation file

PDF: Portable Document Format file

SWF: Shockwave Flash file

JAR: Java Archive file

CLASS: Java class file

PY: Python script file

SH: Shell script file

PL: Perl script file

RB: Ruby script file

PHP: PHP script file

ASP: Active Server Pages file

ASPX: Active Server Pages Extended file

HTML: HyperText Markup Language file

XML: Extensible Markup Language file

DOCM: Microsoft Word document with macros file

XLAM: Microsoft Excel add-in with macros file

XLSM: Microsoft Excel spreadsheet with macros file

XLTM: Microsoft Excel template with macros file

PPTM: Microsoft PowerPoint presentation with macros file

POTM: Microsoft PowerPoint template with macros file

PPAM: Microsoft PowerPoint add-in with macros file

EXCEL_VBA: Excel Visual Basic for Applications file

WORD_VBA: Word Visual Basic for Applications file

POWERPOINT_VBA: PowerPoint Visual Basic for Applications file

OUTLOOK_VBA: Outlook Visual Basic for Applications file

ACCESS_VBA: Access Visual Basic for Applications file

PROJECT_VBA: Project Visual Basic for Applications file

VISIO_VBA: Visio Visual Basic for Applications file

PUBLISHER_VBA: Publisher Visual Basic for Applications file

INFOPATH_VBA: InfoPath Visual Basic for Applications file

ONENOTE_VBA: OneNote Visual Basic for Applications file

UNKNOWN: Unknown file type

Therefore, by using the Investigate page in the VMware Carbon Black Cloud Endpoint Standard console, the security administrator can perform a search to further inspect the script-based attack that was coded into Excel VBA. References:

Investigate Endpoint Data - VMware Docs, Overview section.

Advanced Search Techniques - VMware Docs, Using Fields section, file_type subsection.

To block an application by its path instead of reputation, the administrator needs to follow these steps:

Go to Enforce > Policies > Select the desired policy.

Scroll down to the Blocking and Isolation section.

Click Add application path.

Enter the path of the desired application, such as C:\Program Files\Example\example.exe.

Choose the action to take when the application is detected, such as Block or Allow.

Optionally, add a description for the application path rule.

Click Save to apply the changes to the policy.

The other options are incorrect because they do not specify the correct section, button, or field for blocking an application by its path. The Enforce section is for managing the policy assignments, not the policy rules. The Permissions section is for managing the application control rules, not the application blocking rules. The Edit (pencil icon) button is for modifying the existing reputation levels, not for adding a new application path rule. References:

VMware Carbon Black Cloud Endpoint Standard Skills Reference Materials, Module 3: Application Control, pages 3-7 to 3-8.

VMware Carbon Black Cloud Endpoint Standard User Guide, Chapter 9: Application Control, pages 115-116.

The Process Analysis page in VMware Carbon Black Cloud Endpoint Standard is a graphical view of the event that shows the process tree, the event timeline, and the event details. The process tree displays the parent-child relationships of the processes involved in the event, as well as the actions taken by the policy, such as blocking or alerting. The event timeline shows the chronological sequence of the events, such as process executions, file modifications, network connections, and registry changes. The event details provide more information about the selected event, such as the process name, path, hash, command line, reputation, and Carbon Black TTPs. The Process Analysis page can help the security administrator to investigate the hash ban event and understand the context and impact of the blocked application. References: Carbon Black Cloud Endpoint Standard - Technical Overview, Add Hash to Banned List, Carbon Black Cloud: How to Add a SHA256 Hash to Approved/Banned List

This rule will prevent any application that is not listed in the Carbon Black Cloud Endpoint Standard from scraping the memory of another process, which is a common technique used by malware to retrieve credentials from the Local Security Authority Subsystem Service (LSASS). This rule will terminate the process that attempts to perform this operation, thus blocking the credential theft. This rule is more specific and effective than option A, which only applies to unknown applications, or option B, which applies to all executable files regardless of their reputation. Option C is incorrect because it will only deny the operation but not terminate the process, which may allow the malware to continue running and try other methods of credential theft. References: VMware Carbon Black Cloud Endpoint Standard Skills Reference Materials, Module 4: Endpoint Standard Rules, Lesson 2: Rule Types and Actions, slide 12.

 Live Response is a tool that allows administrators to remotely access and remediate endpoints in real time. With Live Response, administrators can block a new malicious process by killing it, deleting its files, and removing any persistence mechanisms. Live Response can also be used to collect forensic data, run scripts, and perform other actions on the endpoints. References: VMware Carbon Black Cloud Endpoint Standard Skills Reference Materials, Section 5.3: Live Response. [Link]

The sensor status details can be found in the Inventory > Endpoints tab of the VMware Carbon Black Cloud interface. This tab displays all the deployed sensors by default, and allows the administrator to filter them by various criteria, such as status, policy, group, OS, or device name. The status column indicates the state of a sensor and any administrator actions that have been taken on the sensor, such as bypass, quarantine, or deregister. The administrator can also view more details about a sensor by clicking on its name, such as the sensor version, last check-in time, device health score, and policy history. The administrator can also take actions on a sensor from this tab, such as updating, isolating, or uninstalling the sensor. References: Sensor Status and Details — Asset Groups, Carbon Black Cloud Endpoint Standard - Technical Overview

The impact of using the wildcards in the path is that all executable files in the “Program Files” folder and subfolders will be ignored, including malware files. This is because the double asterisk ** matches any files or directories in that path, and the Bypass action means that the sensor will notmonitor or block any operations performed by those files. This is a very permissive and risky rule, as it could allow malicious files to run without interference from the sensor. A more restrictive and secure rule would be to specify the exact path of the application that needs to be allowed, and use the Allow and Log action instead of Bypass. This way, the sensor will only ignore the specified application, and still log its operations for visibility and analysis. References: Carbon Black Cloud: How to Use Wildcards in Policy Rules, Set Permission Policy Rules

 These settings are part of the Prevention policy settings for Windows sensors, and they are not available for macOS or Linux sensors. These settings have the following functions:

Delay execute for cloud scan: This setting allows the sensor to delay the execution of unknown files until the cloud scan result is returned. This setting can prevent potential malware from running before the cloud reputation is determined.

Expedited background scan: This setting allows the sensor to perform a background scan of the endpoint as soon as possible after the sensor is installed or updated. This setting can help to identify and remediate any existing threats on the endpoint.

Scan execute on network drives: This setting allows the sensor to scan files that are executed from network drives. This setting can help to protect the endpoint from network-based attacks.

The other settings are applicable to sensors on both Windows and non-Windows operating systems. B. Allow user to disable protection is a setting that allows the user to temporarily disable the sensor protection from the system tray icon. C. Submit unknown binaries for analysis is a setting that allows the sensor to upload unknown files to the cloud for analysis and reputation. F. Require code to uninstall sensor is a setting that requires the user to enter a code to uninstall the sensor from the endpoint. References:

Prevention Policy Settings - VMware Docs, Windows Settings section.

Prevention Policy Settings - VMware Docs, macOS and Linux Settings section.

The company banned list is a feature of VMware Carbon Black Cloud Endpoint Standard that allows administrators to prevent specific files from running on the endpoints by their hash values. The company banned list has a higher priority than the file reputation, so even if the file is not listed or unknown by Carbon Black, it will be blocked if its hash is in the company banned list. Adding the hash to the company banned list is the most effective and efficient way to prevent the file from executing on the endpoints. The other options are either not feasible or not scalable. Adding the hash to the malware list would not work, because the malware list is a global list maintained by Carbon Black, and administrators cannot add hashes to it. Using Live Response to kill the process or delete the file would only work for one endpoint at a time, and it would not prevent the file from running again if it is still present on the endpoint or downloaded from another source. References: Carbon Black Cloud Endpoint Standard - Technical Overview, Add Hash to Banned List, Carbon Black Cloud: How to Add a SHA256 Hash to Approved/Banned List

 When an administrator places an endpoint into bypass mode, VMware Carbon Black Cloud Endpoint Standard will not provide any protection to the endpoint. Bypass mode is a feature that allows the administrator to disable all policy rule enforcement on the endpoint, which means that the endpoint is not actively protected by VMware Carbon Black Cloud Endpoint Standard. The sensor will ignore any malicious or suspicious activity on the endpoint and will not log any events or send any data to the Carbon Black Cloud console. The administrator can use bypass mode to troubleshoot application interoperability, bootup, or login issues on the endpoint, or to upgrade the operating system on the endpoint. The administrator can enable or disable bypass mode from the Carbon Black Cloud console, the sensor UI, or the command line. The administrator can also view the reason and duration of the bypass mode from the Carbon Black Cloud console12.

The other options are incorrect or irrelevant. VMware Carbon Black Cloud Endpoint Standard will not be uninstalled from the endpoint when it is placed into bypass mode. The sensor will still be running on the endpoint, but it will not enforce any policy rules. VMware Carbon Black Cloud Endpoint Standard will not place the machine in quarantine when it is placed into bypass mode. Quarantine is a different feature that allows the administrator to isolate the endpoint from the network, preventing any communication with other devices or external servers. VMware Carbon Black Cloud Endpoint Standard will not apply policy rules when the endpoint is placed into bypass mode. Policy rules are the settings that define how the sensor detects and prevents threats on the endpoint. Bypass mode disables all policy rule enforcement on the endpoint. References:

Sensor Bypass Mode - VMware Docs, Overview section.

Carbon Black Cloud: How to Get Started With Bypass Mode - Carbon Black Community, Objective section.