The ports the CbP agent will communicate over by default.
What are 41002 and 443?
The number of times that Cb Response completes a background scan
what is zero, or none?
A keyword that you can search for when troubleshooting potential interoperability issues/blocks of other applications (name 3)
What is WerFault?
What is blocked?
What is denied?
What is terminated?
What is failed?
A place that you can search to find information on sensor installation issues (name 2 - looking for resources, not local to the endpoint with the issue)
What is Salesforce?
What is Beehive?
What is UEX?
What is Google?
The name of a space where customers, carbon black employees, and partners all communicate.
What is the User Exchange?
The [action you take], the number of days prior to a kickoff call that you carry out the aforementioned action, and the rationale behind said action.
What is: email [action] your tester 3 days before the kickoff [timing] to make sure that they have the server provisioned and can log in to the CbP console [rationale]?
The page in the UI that shows information on a particular file in question, such as the "digital signature" information and how many endpoints the file was "seen on".
what is the "binary details" page?
What is the part of the Cb Defense policy that supersedes all others?
What are permissions?
The log you look for when troubleshooting a failed install, and the location where to search for it
What is the confer-temp.log, and either C:\ or C:\temp?
The name of the tool used to intercept Wi-Fi traffic for fruitful hacking.
What is a wi-fi pineapple?
The way to make .dat files exist, and then the subsequent rule to track them.
What are script rules, and FIM rules?
The feed containing the high-confidence MITRE TIDs
What is Cb Advanced Threat?
Takes precedence over only NOT_LISTED rules
What are Cert whitelisting & IT Tools? (Would also accept Adaptive and Local White)
This is the osquery schema version CbLO currently leverages on the 3.4 sensor.
The type of attack where attackers install a rootkit or hardware-based spying components. (Hint: the Stuxnet virus and the Target breach fall into this category.)
What is a supply chain attack?
A rule commonly applied on SQL Server.
What are Performance Optimization rules?
These are the 3 thematically correlated Cb feeds in Cb Response (i.e. related to one another, A --> B --> C)
What are Early Access, Suspicious Indicators, Advanced Threat?
The highest priority reputation assigned by Cb Defense to a file/application in the sensor's order of operations (i.e. NOT score)
What is ignore/full bypass?
This is required when JOINing 2 tables in a query via CbLO.
What is a common field?
What is the Oxford comma, and when should it be used? (Yes, I know that's not in proper Jeopardy format, and the answer won't be in a question this time, grow up.)
The comma before an "and" in a list of 3 or greater - and it should always be used.
These are ALL of the activities you will go through, and at least 2 optional use-cases, during a CbP POC.
What are:
Reputation approvals
Publisher approvals
FIC/FIM Vbs script in LE
Move to HE --> Block new Vbs script --> approval request
(optional) Trusted path
(optional) Device control
(optional) Reports/Portlets
The 3 components comprising the Cb Response sensor.
What are a kernel-level filter driver capturing network activity, a kernel-level filter driver capturing all other events, and a user-space service to communicate back?
The max timeout, in milliseconds (would also accept seconds), for the local scan engine AND the delay execute for cloud scan, and the subsequent reputation applied when both occur.
What are:
Local scan: 5000
Cloud scan: 15000
Rep: Unknown
The engineer who has worked on the original Bit9 (Parity), Carbon Black, and the PSC.
Who is Bobby Speaker?
These are Nick's top 2 favorite Disney movies, and the 3rd is debatably in the top 3, but was mentioned in a previous training exercise. (aka name 3)
What are Hercules, Mulan, and Moana?