
CrowdStrike Exam CCFA-200 Topic 9 Question 34 Discussion

Actual exam question for CrowdStrike's CCFA-200 exam
Question #: 34
Topic #: 9
[All CCFA-200 Questions]

You have determined that you have numerous Machine Learning detections in your environment that are false positives. They are caused by a single binary that was custom written by a vendor for you and that binary is running on many endpoints. What is the best way to prevent these in the future?

Suggested Answer: A

Turn on the Script-Based Execution Monitoring prevention policy setting to enable the Falcon sensor to 'monitor the contents of scripts and shells that are popular mechanisms for executing malicious code on hosts. This setting does not kill or block scripts.'

Scripting languages:

- Excel 4.0 macros
- JScript
- VBA Macros
- VBScript

The Sensor Visibility setting that should be turned on within the Prevention policy settings to monitor suspicious VBA macros is Script-Based Execution Monitoring. Script-Based Execution Monitoring is a feature that enables the Falcon sensor to monitor and prevent malicious script execution on Windows systems. The feature uses machine learning and behavioral analysis to detect suspicious scripts or commands executed by various script interpreters, such as PowerShell, WScript, CScript, or Bash. VBA (Visual Basic for Applications) is a scripting language that can be embedded in Microsoft Office documents, such as Word or Excel. VBA macros can be used to automate tasks or perform actions within documents, but they can also be abused by attackers to deliver malware or execute malicious code. Script-Based Execution Monitoring can help detect and prevent such attacks by monitoring the contents of VBA macros for malicious content at execution time.


Contribute your Thoughts:

Stevie
3 months ago
Ooh, this is a tricky one. I'm torn between B and C, but I think I'll go with C just to be extra cautious. Can't be too careful with these machine learning shenanigans, you know?
upvoted 0 times
Jacquline
3 months ago
Haha, I bet the vendor is secretly behind this whole thing, trying to get us to disable the detection. I'm going with C, just to be sure we don't fall for their tricks!
upvoted 0 times
Lorrie
1 month ago
User 3: Good call, let's block and hide that detection.
upvoted 0 times
Glory
1 month ago
User 2: Yeah, I agree. Let's go with option C to be safe.
upvoted 0 times
Ligia
2 months ago
User 1: I think the vendor might be up to something fishy.
upvoted 0 times
Tyra
3 months ago
D? Really? That's just asking for trouble. You'd be disabling the detection entirely, which is a big security risk. I'd definitely go with B or C.
upvoted 0 times
Sherita
2 months ago
I think we should definitely go with B or C to prevent any security risks.
upvoted 0 times
Darell
2 months ago
Yeah, disabling the detection completely is not a good idea. B or C would be more secure.
upvoted 0 times
Leonard
3 months ago
I agree, D seems like a risky choice. B or C would be a safer option.
upvoted 0 times
Jeanice
4 months ago
A seems like the easy way out, but I'm not sure the vendor will be willing to modify their settings just for us. I'd go with C to be on the safe side.
upvoted 0 times
Bernadine
2 months ago
Let's go with C to ensure we don't have to deal with these false positives again.
upvoted 0 times
Willetta
2 months ago
Adding the hash and setting the action to 'Block, hide detection' seems like a proactive approach.
upvoted 0 times
Ceola
2 months ago
C sounds like a good plan to prevent false positives in the future.
upvoted 0 times
Lettie
3 months ago
I agree, A might not be the most reliable option.
upvoted 0 times
Rebecka
4 months ago
Hmm, this is a tricky one. I think B might be the best option, as it allows us to whitelist the binary and prevent those annoying false positives without fully blocking the detection.
upvoted 0 times
Denna
3 months ago
User1: Let's go ahead and do that to avoid these false positives in the future
upvoted 0 times
Alease
3 months ago
User3: I agree, adding the hash to IOC Management with action set to 'Allow' seems like the best solution
upvoted 0 times
Benedict
3 months ago
User2: Yeah, that way we can prevent false positives without blocking the detection completely
upvoted 0 times
Ronna
3 months ago
User1: I think B is a good option too, it allows us to whitelist the binary
upvoted 0 times
Anjelica
4 months ago
I believe setting the action to 'Block, hide detection' in IOC Management is the way to go to prevent false positives.
upvoted 0 times
Nichelle
4 months ago
I disagree, adding the hash of the binary in IOC Management with 'Allow' action is more effective.
upvoted 0 times
Leota
4 months ago
I think the best way is to contact support and modify the Machine Learning settings.
upvoted 0 times