Cyber Hero Test

Ace your homework & exams now with Quizwiz!

what are valid switches that can be used when deploying through command prompt with the stub installer?

group name, company and key

storage control policies and elevation control is not impacted by?

learning mode. elevation popups will still occur when you are in learning mode, for this reason you may want to disable elevation control during learning mode.

elevation control popups will still occur in ________ mode

learning mode. for this reason, you may want to disable elevation during this period

monitor only and learning mode do not apply to?

storage control and elevation

what correct locations will applications be learned in during realtime learning?

Program Files folder, app data, and in the Windows Directory

To view which policies are being used, click the ?

Update last match date" button at the top of the policies page

how does tl decide what to create policies for during the initial learning period?

advanced algorithms

if you are deploying tl via powershell script and AD, the identifier is inserted into the

company =" " field

uodates are made according to your ______ settings

computer group

where can you find an email link to install threatlocker?

computer groups, downloads button next to each group

storage control

create policies to protect from data theft

How long after you onboard should you review policies to remove unused policies?

After a month or 2

when threatlocker profiles drivers, it places them into an application called ?

$hostname\drivers. if threatlocker doesnt recognize a driver as a driver they get added to the $hostname\Windows folder. However, If the driver is located in the Windows\Drivers folder, tl will identify it as a driver.

during the initial baseline and learning period, tl places miscellaneous windows files in an application named?

$hostname\windows. also creates a policy with the same name

during the initial baseline and learning period, tl profiles the drivers running on each computer and places them into an application called?

$hotsname\drivers. tl also creates a policy with the same name

max time for login time ?

2 hrs

How long does it take majority learning mode to be completed?

5 days

how many built in applications does tl have?

500

Ringfencing

Allows you to create boundaries protecting your powerful administrative tools such as command prompt, powershell, run dll and regserv from compromised applications. It also enables you to block applications from accessing the internet entirely or or allow applications to only access certain sites.

Threatlocker does not automatically create certificate rules for applications in folders located at the root of ?

C:\ - any program located here that has a frequently changing hash will require a custom application and policy to be created manually to prevent future blocks when the hash changes. by viewing the view file history, you can identify files that change hash frequently

What folders will applications not be profiled during the automatic learning period unless tl is able to match them to an application name?

Documents foler, downloads folder, desktop folder, users folder, or a folder at the root of C:\

Policy Hierarchy

Global, global computer groups, entire org, individual groups, computer groups

For ringfencing to take effect, make sure to?

Make sure the application you are changing the policy for is shut down and restarted, and make sure to deploy policies

realtime learning goes further than the baseline, it learns and profiles applications running in the....

WinSxS folder and temporary folders that were not profiled in the baseline. realtime learning will also learn things on your network shares.

threatlockers 3 main components?

application control, storage control and elevation

some rmms offer continuous deployment, meaning?

as new computers are added, they will automatically get TL deployed

when elevating a policy, it is important to?

block interaction with all other applications unless they are explicitly required

to change the default learning mode duration, navigate to the computers page, then...

click on the pencil icon next to the group you wish to change (servers, workstations). you can hit the dropdown for Initial learning mode for new computers

what is a tag?

collection of ip addresses and domains

can change default learning mode period in

editing computer groups

if you are deploying with a script via rmm, the _____________ should match the name of your organization in your rmm

identifier (lms-mm)

deleting a computer

if computer checks in, it will reappear on the list. has to be permanently deleted. computer has to be offline for 15 minutes or inactive for 28 straight days before it can be deleted from the portal.

a ringfencing policy will take effect no matter maintenance mode if it is?

if the policy is set to secured

default learning mode is set to learn collectively, meaning?

if you have one computer in that group running Office, the policy created by learning will be shared across the computer group

by default, computers are initially placed into a _____ learning mode and they will learn ______

indefinite / collectively

by default, newly deployed computers are automatically placed into learning mode for how long?

indefinite duration

install key vs key

install key is tied to groups, key is unique identifier at the parent level. using the key, you will not need to specify the unique identifiers for each child account

the ____________ must remain in the file name of the msi for it to install

installkey

what percent cpu usage does tl agent use and how much mb of ram?

less than 1% cpu usage and less than 200 mb of ram. the policies are saved locally so even if it is offline the computer will be protected.

Fileless malware

malware that runs strictly in memory. it is often a powershell script that has been hidden in a legitimate-looking file, like a word document for example. if you were to receive a word document that tried to run on powershell to carry out malicious activity, it would not be able to access powershell because this ringfencing policy blocks office from interacting with powershell.

can you specify a port number with a tag?

no

every chat needs to be picked up within?

one minute

the moment a customer sends you a message, the timers starts. you have to send a response within?

one minute. not be typing it, but send it

to enable or disable a tl product, navigate to?

organizations page, product dropdown menu

how can you set a policy to observe what changes an application makes to the registry but not block any of those actions on endpoints that are in a secured state?

permit the application with ringfencing, set the status to monitor only, and then select the checkbox next to 'restrict these applications from making registry changes except for the rules below.

where can you add tags in a policy?

policy, internet, custom rules dropdown

Threatlocker recommends blocking interaction with the following windows tools

powershell, command prompt, rundll, regserv, regedit, cscript, psexec, windows scheduled tasks

which folder is automatically learned during baselining?

program files

the stub installer will always

push out the latest version of TL

new versions of TL are released by default, what channel is an org on?

regular update channel, inherited from the computer group

secured status on a ringfencing policy?

ringfencing will be enforced even if the computer is in learning mode

explicit deny policy

set to deny at all times, no matter what status the computer is in. there ar eno explicit deny policies by default

when you make a change to tag..

the changes will automatically be applied to all policies it applies to and no need to deploy policies

when tl profiles your drivers, it will profile them based on?

the hash of the file.

Lookback period

the period of time between the computers initial days of learning mode and the present. if your clients have been deployed for 7 days, the first 5 days are the learning period, which gives you a 2 day look back period.

threatlocker does not automatically create certificate rules for applications in folders located at ________

the root of C:\. Any program located here that has a frequently changing hash will require a custom application and policy to be created manually to prevent future blocks when the hash changes.

2 advantages of using tags

they can be shared across multiple organizations, and changes made are automatically made without deploying policies

do not automatically create policies

this would only scan the baseline and not create any policies, places computer into monitor only mode

ringfencing - while in automatic learning mode..

threatlocker will learn the ip addresses an application is communicating with and place them in the exclusions list

after baseline is updated...

tl will do its first learning based on what it finds

Remove Unused Policy button

when you click it, an option to select a date will drop down so you can choose to remove all policies that have not been matched since the date you select. we typically see about 500 policies created when a client onboards and only about a third are used.

Baseline

when you first deploy tl, it is going to scan and catalog the files, including drivers, that are already on your hard drive and create policies based on what is found. your baseline files will be sent up the unified audit.

restart service button

will be done silently without end user knowing, if you are updating, you will need tl sevice to be restarted for changes to take effect.

creating new admin vs inviting new admin

you set the password in create new admin


Related study sets

La Celestina Intro - Spanish 4 Honors

View Set

Talent Development Ch. 1 Questions

View Set

Auditing the Revenue Cycle Day 10

View Set

F2: Determine the need for Behavior-Analytic Services

View Set

Management Test 2 Answers answered incorrectly

View Set

Chapter 13- Cardiovascular System

View Set

(not mine) CFP Retirement Planning Final

View Set

Nuance Clintegrity Physician Query

View Set