Pass4Future also provides interactive practice exam software for preparing effectively for the Palo Alto Networks XDR Analyst (XDR-Analyst) exam. You are welcome to explore the free sample Palo Alto Networks XDR-Analyst exam questions below and also to try the Palo Alto Networks XDR-Analyst exam practice test software.
Which search method is supported by File Search and Destroy?
Answer : B
File Search and Destroy is a Cortex XDR feature that lets you locate and remove malicious files on endpoints. You can search for files by hash, by full path, or by partial path using a regular expression. From the search results you can then destroy the files either by hash or by path. Destroying by hash removes every instance of that file on the endpoint, whatever name or location each copy has; destroying by path removes the file at that specific path. File Search and Destroy is useful for responding quickly to a threat and preventing further damage.
Reference:
Search and Destroy Malicious Files
Cortex XDR Pro Administrator Guide
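The difference between the three search criteria and the two destroy modes is the part of this question that matters in practice, so here is an added example that is not code from the page or from Cortex XDR itself. It builds a constructed directory tree (one stand-in "payload" dropped under three different names, plus a benign file) in a temporary directory and runs our own hypothetical search/destroy helpers over it, showing that a hash search catches renamed copies that a path or regex search misses, and that destroy-by-hash removes all of them while destroy-by-path removes only one:

```python
import hashlib
import os
import re
import tempfile
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class FileHit:
    path: str
    sha256: str


def sha256_of(path: str) -> str:
    """Hash a file in chunks so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def search(root: str, *, sha256: Optional[str] = None,
           full_path: Optional[str] = None,
           path_regex: Optional[str] = None) -> list:
    """Return files under root matching exactly one criterion: hash, exact
    full path, or a regex over the path (the 'partial path' search).
    Path checks run before hashing so a path search never reads files it
    does not need. Hypothetical helper, not the Cortex XDR implementation."""
    if sum(c is not None for c in (sha256, full_path, path_regex)) != 1:
        raise ValueError("specify exactly one of sha256, full_path, path_regex")
    pattern = re.compile(path_regex) if path_regex is not None else None
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            if full_path is not None and os.path.normpath(p) != os.path.normpath(full_path):
                continue
            if pattern is not None and not pattern.search(p):
                continue
            h = sha256_of(p)
            if sha256 is not None and h != sha256.lower():
                continue
            hits.append(FileHit(p, h))
    return sorted(hits, key=lambda hit: hit.path)


def destroy_by_hash(root: str, sha256: str) -> int:
    """Remove every instance of the file with this hash, whatever it is named."""
    hits = search(root, sha256=sha256)
    for hit in hits:
        os.remove(hit.path)
    return len(hits)


def destroy_by_path(root: str, full_path: str) -> int:
    """Remove only the file at this exact path; other copies survive."""
    hits = search(root, full_path=full_path)
    for hit in hits:
        os.remove(hit.path)
    return len(hits)


def demo() -> dict:
    """Constructed scenario (no real malware): one payload dropped under three
    names, plus one benign file. Returns the count each step produces."""
    root = tempfile.mkdtemp(prefix="fsd_demo_")
    payload = b"constructed sample payload - stands in for a malicious binary"
    drops = [
        ("Users", "alice", "AppData", "Local", "Temp", "update.exe"),
        ("Users", "alice", "Downloads", "invoice.pdf.exe"),
        ("ProgramData", "svc", "helper.exe"),
    ]
    for parts in drops:
        p = os.path.join(root, *parts)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as fh:
            fh.write(payload)
    benign = os.path.join(root, "Users", "alice", "notes.txt")
    with open(benign, "wb") as fh:
        fh.write(b"harmless text")

    bad_hash = hashlib.sha256(payload).hexdigest()
    helper = os.path.join(root, "ProgramData", "svc", "helper.exe")
    result = {
        # partial path via regex: only the copy under a Temp directory matches
        "regex_hits": len(search(root, path_regex=r"(?i)[\\/]Temp[\\/][^\\/]+\.exe$")),
        # exact full path: exactly one file
        "path_hits": len(search(root, full_path=helper)),
        # hash: all three copies, regardless of name or location
        "hash_hits": len(search(root, sha256=bad_hash)),
    }
    result["destroyed_by_path"] = destroy_by_path(root, helper)
    result["left_after_path_destroy"] = len(search(root, sha256=bad_hash))
    result["destroyed_by_hash"] = destroy_by_hash(root, bad_hash)
    result["left_after_hash_destroy"] = len(search(root, sha256=bad_hash))
    result["benign_untouched"] = os.path.exists(benign)
    return result


if __name__ == "__main__":
    print(demo())
```

The takeaway for the exam and for incident response: a path-based search only finds the copy you already know about, while a hash-based search and destroy removes every instance the attacker dropped, including renamed ones; the benign file with a different hash is never touched.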
What is an example of an attack vector for ransomware?
Answer : C
An example of an attack vector for ransomware is a phishing email carrying a malicious attachment. Phishing sends fraudulent emails that appear to come from a legitimate source, such as a bank, a company, or a government agency. The email typically carries an attachment, such as a PDF, a ZIP archive, or a Microsoft Office document with macros, that contains the ransomware itself or a downloader that fetches it. When the recipient opens the attachment, the ransomware executes and encrypts the files on the victim's system, and the attacker then demands a ransom, usually in cryptocurrency, for the decryption key.
Phishing email is one of the most common and effective ransomware delivery methods. The payload arrives over a channel the perimeter already permits, so firewalls and URL filtering do not see a blocked connection, and a novel, obfuscated, or password-protected attachment, or one that is only a small downloader, can evade signature-based antivirus. Phishing also exploits the human factor: social engineering such as impersonating a trusted sender, creating a sense of urgency, or appealing to curiosity or greed persuades the recipient to open the attachment. When the email is tailored to specific individuals or organizations, such as executives, employees, or customers, it is called spear phishing, which further raises the success rate.
According to the sources cited below, phishing email is the main ransomware vector, accounting for more than 90% of infections [1][2]. Well-known campaigns such as CryptoLocker and Locky used phishing emails as their primary delivery method [3]; WannaCry, by contrast, spread mainly as a worm over SMB using the EternalBlue exploit, which is a reminder that email is the most common vector but not the only one. It is therefore essential to educate users on how to recognize and avoid phishing emails, and to deploy controls that detect and block malicious attachments.
Reference:
Top 7 Ransomware Attack Vectors & How to Avoid Becoming a Victim - Bitsight
What Is the Main Vector of Ransomware Attacks? A Definitive Guide
CryptoLocker Ransomware Information Guide and FAQ
Locky Ransomware Information, Help Guide, and FAQ
WannaCry ransomware attack
Which of the following best defines the Windows Registry as used by the Cortex XDR agent?
Answer : A
The Windows Registry is a hierarchical database that stores settings for the operating system and for applications that run on Windows. It holds information, settings, options, and other values for the programs and hardware installed on every version of Microsoft Windows. The registry is organized under five root keys (HKEY_LOCAL_MACHINE, HKEY_CURRENT_USER, HKEY_CLASSES_ROOT, HKEY_USERS, and HKEY_CURRENT_CONFIG), each containing keys, subkeys, and values; the on-disk files that back these trees are called hives. The Cortex XDR agent stores its own configuration and status values in the registry, monitors registry changes as part of its endpoint data collection and behavioral protection, and lets you run scripts on the endpoint that read, write, or delete registry keys and values.
Reference:
Windows Registry - Wikipedia
Registry Operations
A file is identified as malware by the Local Analysis module, whereas the WildFire verdict is Benign. Assuming WildFire is accurate, which statement is correct for the incident?
Answer : B
A false positive is a file or activity that a security control incorrectly identifies as malicious when it is in fact benign. False positives generate unnecessary alerts, disruptions, and remediation actions, and erode confidence in the security system. In this question the Local Analysis module flags the file as malware while WildFire returns Benign; since we are told to assume WildFire is accurate, the Local Analysis verdict is wrong and the incident is a false positive.
The Local Analysis module is a feature of the Cortex XDR agent that uses a locally stored machine-learning model, trained by Palo Alto Networks on WildFire data, to examine the static features of an unknown executable and estimate whether it is likely to be malware. It returns a fast verdict, including when the endpoint is offline, for files that WildFire has not yet analyzed, but it is less accurate and less comprehensive than WildFire, which examines the file with static, dynamic (sandbox), and machine-learning analysis. WildFire verdicts are therefore treated as authoritative: once WildFire returns a verdict it overrides the local verdict. So when Local Analysis says malware and WildFire says Benign, the WildFire verdict stands and the Local Analysis verdict is disregarded [1][2][3].
Reference:
False positive (security) - Wikipedia
Local Analysis
WildFire Overview
What is the maximum number of agents one Broker VM local agent applet can support?
Answer : B
The Broker VM is a virtual machine that you deploy in your own network to provide services to Cortex XDR agents. One of those services is the Local Agent Settings applet, which provides the agent proxy, agent installer, and content caching functions for the agents. The Local Agent Settings applet supports a maximum of 10,000 agents per Broker VM. If you have more than 10,000 agents, you need to deploy additional Broker VMs and distribute the agents across them.
Reference:
Broker VM Overview: This document provides an overview of the Broker VM and its features, requirements, and deployment options.
Configure the Broker VM: This document explains how to install, set up, and configure the Broker VM in an ESXi environment.
Manage Broker VM from the Cortex XDR Management Console: This document describes how to activate and manage the Broker VM applets from the Cortex XDR management console.