When an administrator dismisses a group of alerts and ticks the box for “Dismiss future instances of this alert on all devices in all policies”, the following happens:

• The alerts are moved to the Dismissed tab on the Alerts page, and the alert count is reduced accordingly.
• The alerts are no longer displayed on the Dashboard or the Device page.
• The alerts are no longer considered for the device health score or the policy health score.
• The alerts are no longer sent to any configured Notifications.

Therefore, if a new alert is added to the same group of alerts, it will also be dismissed automatically and follow the same rules as above. This means that the alert will show when the Dismissed filter is selected on Alerts page, but a Notification email will not be sent. References: VMware Carbon Black Cloud Endpoint Standard Skills Reference Materials, Section 6.2: Dismissing Alerts, Page 46.

 A security benefit of VMware Carbon Black Cloud Endpoint Standard is that it provides visibility into the entire attack chain and customizable threat intelligence that can be used to gain insight into problems. Endpoint Standard uses behavioral analytics to detect and prevent malicious activity on endpoints, and also collects comprehensive event data that can be used to investigate and respond to incidents. Endpoint Standard also allows administrators to customize their threat intelligence feeds and alerts, and integrate with other security tools and platforms. This way, administrators can gain a deeper understanding of the threats facing their organization and take appropriate actions to mitigate them. The other options are incorrect because they are not security benefits of Endpoint Standard. Option A is incorrect because a flexible query scheduler is a feature of VMware Carbon Black Audit and Remediation, not Endpoint Standard. Option C is incorrect because customizable threat feeds are a feature of VMware Carbon Black Enterprise EDR, not Endpoint Standard. Option D is incorrect because policy rules that can be tested by selecting test rule next to the desired operation attempt are a feature of VMware Carbon Black App Control, not Endpoint Standard. References: VMware Carbon Black Cloud Endpoint Standard Datasheet, Carbon Black Cloud Endpoint Standard - Technical Overview

It is possible to search for unsigned files in the VMware Carbon Black Cloud console by using the search query:

NOT process_publisher_state:FILE_SIGNATURE_STATE_SIGNED

This query will return all the processes that have a publisher state other than FILE_SIGNATURE_STATE_SIGNED, which means they are either unsigned or have an invalid signature. The process_publisher_state field is a string that indicates the signature status of the process executable file. The possible values for this field are:

• FILE_SIGNATURE_STATE_SIGNED: The file has a valid signature.
• FILE_SIGNATURE_STATE_UNSIGNED: The file does not have a signature.
• FILE_SIGNATURE_STATE_INVALID: The file has a signature, but it is invalid or corrupted.
• FILE_SIGNATURE_STATE_MISSING: The file signature could not be retrieved or verified.

The NOT operator is a Boolean NOT operator that negates the following term or phrase. For example, NOT svchost.exe will return all the processes that are not named svchost.exe.

Therefore, by using the NOT operator with the process_publisher_state field and the value FILE_SIGNATURE_STATE_SIGNED, we can search for unsigned files in the console. References:

• Advanced Search Techniques - VMware Docs, Using Regular Expressions (regex) section, NOT Operator subsection.
• Carbon Black Cloud: Search for process_publisher_s… - Carbon Black …, The CB sensor now reinspects operating system files that appear unsigned to reverify their digital signature and avoid the tamper blocks section.

 These settings are part of the Prevention policy settings for Windows sensors, and they are not available for macOS or Linux sensors. These settings have the following functions:

• Delay execute for cloud scan: This setting allows the sensor to delay the execution of unknown files until the cloud scan result is returned. This setting can prevent potential malware from running before the cloud reputation is determined.
• Expedited background scan: This setting allows the sensor to perform a background scan of the endpoint as soon as possible after the sensor is installed or updated. This setting can help to identify and remediate any existing threats on the endpoint.
• Scan execute on network drives: This setting allows the sensor to scan files that are executed from network drives. This setting can help to protect the endpoint from network-based attacks.

The other settings are applicable to sensors on both Windows and non-Windows operating systems. B. Allow user to disable protection is a setting that allows the user to temporarily disable the sensor protection from the system tray icon. C. Submit unknown binaries for analysis is a setting that allows the sensor to upload unknown files to the cloud for analysis and reputation. F. Require code to uninstall sensor is a setting that requires the user to enter a code to uninstall the sensor from the endpoint. References:

• Prevention Policy Settings - VMware Docs, Windows Settings section.
• Prevention Policy Settings - VMware Docs, macOS and Linux Settings section.

A leading wildcard is a wildcard that is placed at the beginning of a search term, such as * or ?. A leading wildcard matches any characters that precede the specified term. For example, filemod:/system32/ntdll.dll matches any file modification events that end with /system32/ntdll.dll, regardless of the drive letter or the directory name. A leading wildcard is not recommended unless absolutely necessary because it carries a significant performance penalty for the search. This is because the search engine has to scan the entire index for possible matches, rather than using the index to quickly narrow down the results1.

The other options are not examples of leading wildcards. A. filemod:system32/ntdll.dll is an exact match query that matches only file modification events that are exactly system32/ntdll.dll. B. filemod:system32/ntdll.dll is a trailing wildcard query that matches any file modification events that start with system32/ and end with ntdll.dll, regardless of the characters in between. D. filemod:system32/ntdll.dll is a trailing wildcard query that matches any file modification events that start with system32/ntdll.dll, regardless of the characters that follow. References:

• Search Syntax - VMware Docs, Wildcards section.

VMware Carbon Black Cloud is a cloud-native endpoint and workload protection platform that combines the intelligent system hardening and behavioral prevention needed to keep emerging threats at bay, using a single lightweight agent and an easy-to-use console. One of the capabilities of VMware Carbon Black Cloud is attack chain visualization and search, which allows users to see the full scope of an attack, from initial compromise to lateral movement, and quickly search for indicators of compromise across endpoints and workloads. References: VMware Carbon Black Cloud Endpoint Standard Skills Exam Guide, page 4; VMware Carbon Black Cloud Endpoint Standard Skills Study Guide, page 6.

 The operation attempt that must use a Terminate Process action is Scrapes memory of another process. This is a policy rule in VMware Carbon Black Cloud Endpoint Standard that blocks and terminates any process that attempts to read the memory of another process. This is a common technique used by malware to steal sensitive information, such as passwords, encryption keys, or tokens, from legitimate applications. By using a Terminate Process action, the policy rule ensures that the malicious process is stopped and removed from the endpoint, preventing further damage or data exfiltration. The other operation attempts do not require a Terminate Process action, but they can use other actions, such as Alert, Deny, or Isolate Device, depending on the policy configuration and the security needs of the organization. References: Carbon Black Cloud Endpoint Standard - Technical Overview, Best Practices: Endpoint Standard Blocking & Isolation Rules, Endpoint Standard: Deny/Terminate action taken on an Allowed Application