Independence Day Deal! Unlock 25% OFF Today – Limited-Time Offer - Ends In 00:00:00 Coupon code: SAVE25
Welcome to Pass4Success

- Free Preparation Discussions
Mail Us support@pass4success.com
Location PL
Mob_nav_barsMENU

CrowdStrike Exam CCFA-200 Topic 9 Question 34 Discussion

Actual exam question for CrowdStrike's CCFA-200 exam
Question #: 34
Topic #: 9
[All CCFA-200 Questions]

You have determined that you have numerous Machine Learning detections in your environment that are false positives. They are caused by a single binary that was custom written by a vendor for you and that binary is running on many endpoints. What is the best way to prevent these in the future?

Show Suggested Answer Hide Answer
Suggested Answer: A

Turn on the Script-Based Execution Monitoring prevention policy setting to enable the 'Falcon sensor to monitor the contents of scripts and shells that are popular mechanisms for executing malicious code on hosts. This setting does not kill or block scripts.'

Scripting languages:

Excel 4.0 macros

JScript

VBA Macros

VBScript

The Sensor Visibility setting that should be turned on within the Prevention policy settings to monitor suspicious VBA macros is Script-based Execution Monitoring. Script-based Execution Monitoring is a feature that enables the Falcon sensor to monitor and prevent malicious script execution on Windows systems. The feature uses machine learning and behavioral analysis to detect suspicious scripts or commands executed by various script interpreters, such as PowerShell, WScript, CScript, or Bash. VBA (Visual Basic for Applications) is a scripting language that can be embedded in Microsoft Office documents, such as Word or Excel. VBA macros can be used to automate tasks or perform actions within the documents, but they can also be abused by attackers to deliver malware or execute malicious code. Script-based Execution Monitoring can help detect and prevent such attacks by monitoring the contents of VBA macros for execution of malicious content.


by Cordelia at Jun 01, 2024, 02:07 AM

Limited Time Offer

25%

Off

Get Premium CCFA-200 Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel
Stevie
1 months ago
Ooh, this is a tricky one. I'm torn between B and C, but I think I'll go with C just to be extra cautious. Can't be too careful with these machine learning shenanigans, you know?
upvoted 0 times
...
Jacquline
1 months ago
Haha, I bet the vendor is secretly behind this whole thing, trying to get us to disable the detection. I'm going with C, just to be sure we don't fall for their tricks!
upvoted 0 times
Ligia
2 days ago
User 1: I think the vendor might be up to something fishy.
upvoted 0 times
...
...
Tyra
2 months ago
D? Really? That's just asking for trouble. You'd be disabling the detection entirely, which is a big security risk. I'd definitely go with B or C.
upvoted 0 times
Darell
8 days ago
Yeah, disabling the detection completely is not a good idea. B or C would be more secure.
upvoted 0 times
...
Leonard
25 days ago
I agree, D seems like a risky choice. B or C would be a safer option.
upvoted 0 times
...
...
Jeanice
2 months ago
A seems like the easy way out, but I'm not sure the vendor will be willing to modify their settings just for us. I'd go with C to be on the safe side.
upvoted 0 times
Bernadine
4 days ago
Let's go with C to ensure we don't have to deal with these false positives again.
upvoted 0 times
...
Willetta
12 days ago
Adding the hash and setting the action to 'Block, hide detection' seems like a proactive approach.
upvoted 0 times
...
Ceola
13 days ago
C sounds like a good plan to prevent false positives in the future.
upvoted 0 times
...
Lettie
1 months ago
I agree, A might not be the most reliable option.
upvoted 0 times
...
...
Rebecka
2 months ago
Hmm, this is a tricky one. I think B might be the best option, as it allows us to whitelist the binary and prevent those annoying false positives without fully blocking the detection.
upvoted 0 times
Denna
1 months ago
User1: Let's go ahead and do that to avoid these false positives in the future
upvoted 0 times
...
Alease
1 months ago
User3: I agree, adding the hash to IOC Management with action set to 'Allow' seems like the best solution
upvoted 0 times
...
Benedict
2 months ago
User2: Yeah, that way we can prevent false positives without blocking the detection completely
upvoted 0 times
...
Ronna
2 months ago
User1: I think B is a good option too, it allows us to whitelist the binary
upvoted 0 times
...
...
Anjelica
2 months ago
I believe setting the action to 'Block, hide detection' in IOC Management is the way to go to prevent false positives.
upvoted 0 times
...
Nichelle
2 months ago
I disagree, adding the hash of the binary in IOC Management with 'Allow' action is more effective.
upvoted 0 times
...
Leota
2 months ago
I think the best way is to contact support and modify the Machine Learning settings.
upvoted 0 times
...

Save Cancel
az-700  pass4success  az-104  200-301  200-201  cissp  350-401  350-201  350-501  350-601  350-801  350-901  az-720  az-305  pl-300  

Warning: Cannot modify header information - headers already sent by (output started at /pass.php:70) in /pass.php on line 77