Examice

Exam CCFA All QuestionsBrowse all questions from this exam

Question 17

Which of the following applies to Custom Blocking Prevention Policy settings?

Hashes must be entered on the Prevention Hashes page before they can be blocked via this policy

Blocklisting applies to hashes, IP addresses, and domains

Executions blocked via hash blocklist may have partially executed prior to hash calculation process remediation may be necessary

You can only blocklist hashes via the API

Correct Answer: A

Hashes must be entered on the Prevention Hashes page before they can be blocked via this policy. Custom blocking in prevention policies refers to blocklisting hashes through the IOC Management, and hashes need to be added here first. There is no mention of blocklisting IP addresses and domains under custom blocking settings, nor the necessity for remediation after partial executions.

Discussion

3xploitOption: A

https://www.crowdstrike.com/blog/tech-center/how-to-prevent-malware-with-custom-blacklisting/ A for me

im2caOption: D

AUTO, N-1, N-2

Jek88Option: C

C is the correct answer.

testmailuc

https://www.crowdstrike.com/blog/tech-center/how-to-prevent-malware-with-custom-blacklisting/

kgbacOption: C

Prevention policies don't block custom IOC management you can add link to custom IOA rules. That mean C is the correct answer.

testmailuc

https://www.crowdstrike.com/blog/tech-center/how-to-prevent-malware-with-custom-blacklisting/

diegofretescOption: A

A is correct

ManuneethiOption: A

A is correct : Custom Blocking enables blocklisting by hash, via hashes you add to IOC Management with the option set to Block.

sbag0024Option: C

C? bad question imo.

MSKidOption: A

Sounds like A to me: Falcon allows you to upload hashes from your own black or white lists. To enabled this navigate to the Configuration App, Prevention hashes window, and click on “Upload Hashes” in the upper right-hand corner. Note that you can also automate the task of importing hashes with the CrowdStrike Falcon® API.

FerbOPOption: C

C is correct - Block processes matching hashes that you add to IOC Management with action Block

testmailucOption: A

Check here: https://www.crowdstrike.com/blog/tech-center/how-to-prevent-malware-with-custom-blacklisting/

ShuliAbbaOption: A

@plantvast - I think you might be wrong because you cannot block IPs and domains, only hashes in the IOC + as written in the policy section "Block processes matching hashes that you add to IOC Management with the action set to "Block" or "Block, hide detection".

plantvast

You can actually add hashes, domains and IP addresses on IOC management. Navigate to the page in Falcon and attempt to a new indicator and the options will appear.

ShuliAbba

you are right and wrong my friend, adding IPs and domains in the IOC is indeed possible, but not with "block" action on them - only "detect" or "no action".

ShuliAbba

from the "Custom Blocking" policy section - "Block processes matching hashes that you add to IOC Management with the action set to "Block" or "Block, hide detection".

plantvastOption: B

Custom blocking in prevention policies referes to hashes, ips, and domains added to IOC Management.