CCFA Exam QuestionsBrowse all questions from this exam

CCFA Exam - Question 54

You have been provided with a list of 100 hashes that are not malicious but your company has deemed to be inappropriate for work computers. They have asked you to ensure that they are not allowed to run in your environment. You have chosen to use Falcon to do this. Which is the best way to accomplish this?

Using the Support Portal, create a support ticket and include the list of binary hashes, asking support to create an "Execution Prevention" rule to prevent these processes from running

Using Custom Alerts in the Investigate App, create a new alert using the template "Process Execution" and within that rule, select the option to "Block Execution"

Using IOC Management, gather the list of SHA256 or MD5 hashes for each binary and then upload them. Set all hashes to "Block" and ensure that the prevention policy these computers are using includes the option for "Custom Blocking" under Execution Blocking.

Using the API, gather the list of SHA256 or MD5 hashes for each binary and then upload them, setting them all to "Never Allow"

Show Answer

Correct Answer: C

To ensure that the inappropriate hashes are not allowed to run in your environment using Falcon, you should utilize IOC Management. By gathering the list of SHA256 or MD5 hashes for each binary and uploading them, you can set these hashes to 'Block'. This method also requires that the prevention policy applied to the computers includes the 'Custom Blocking' option under Execution Blocking. This approach leverages Falcon's capabilities to block specific binaries based on their hashes effectively and manage the environment according to the company's requirements.

Discussion

3 comments

Jek88Option: C

Feb 17, 2023

C is the correct answer.

FerbOPOption: C

Apr 26, 2023

C is correct

sbag0024Option: C

Jun 14, 2023

C is correct