Free CCFA-200 Actual Exam Questions - Question 4 Discussion
reduce the number of false positives reported for specific file hashes flagged as malicious. What is the
correct way to achieve this?
A/D? I’d go with A because exception rules usually prevent alerts altogether for those hashes, which cuts false positives better than just allowing them while still tracking in D.
It’s A, since exception rules specifically block detection on those hashes, cutting false positives.
A/D? I’m thinking D might be better here since adding hashes to Custom Indicators with "Allow" seems like a more targeted way to handle specific file hashes without turning off broader protections. Exception rules in Malware Protection (A) could be more general and might affect more than just the IOC hits. Also, disabling IOC-based detections entirely (C) seems too extreme if you just want to reduce false positives for certain hashes, and local exclusions (B) aren’t as scalable or centralized as using Falcon’s built-in options.
Makes sense to me that exception rules in Malware Protection would directly stop detections instead of just lowering alerts. I’d go with A on this one.
D imo, because adding hashes to Custom Indicators with the action "Allow" is specifically designed to tell Falcon to trust those files, effectively stopping alerts on them. Exception rules in Malware Protection (A) might still log something or could be more for blocking actions rather than suppressing alerts entirely. Plus, disabling IOC-based detections (C) is way too broad, and local exclusions (B) are not scalable or centralized, which defeats the purpose in a managed environment. So D seems cleaner for targeting specific false positives.
A/D? I think A is better because exception rules actively prevent detections, while D might just lower alert priority but not fully stop false positives. B sounds risky, and C seems too broad.
A/D? Exception rules (A) feel more surgical to reduce false positives without losing other IOC protections, while custom indicators set to "Allow" (D) might just suppress alerts for those hashes specifically.
A/D? I get why A is good since it targets specific hashes without losing all IOC detection, but D might also work if adding those hashes as custom indicators and setting them to "Allow" effectively tells the system to ignore them as threats. B seems weak because local exclusions aren't scalable and can be missed on some endpoints. C is too broad and risky since it disables an entire detection method. Between A and D, I’d pick A just because it aligns with how exception rules usually handle false positives more systematically.
A imo, because exception rules are more precise than blanket allows or local exclusions.
Maybe D works if you want to specifically allow known file hashes without blocking them.
Yeah, option B is not ideal since local exclusions don’t scale well across endpoints. Creating an exception in Malware Protection (A) targets the issue more precisely without turning off detection entirely. Paul Z.
Makes sense to rule out C because disabling IOC-based detections entirely seems too broad. D is about adding them as custom indicators, but setting them to "Allow" might not reduce false positives properly. A looks best for targeted exceptions. So, A.
This one seems tricky but I think it’s about setting exception rules to reduce false alarms, so I’d go with A.
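For readers who want to see what option D looks like in practice, here is an added example (not from the thread or from CrowdStrike) of a small script that validates a list of file hashes and builds the request that registers them as custom IOCs with the action "allow". The endpoint path `/iocs/entities/indicators/v1` and the field names (`type`, `value`, `action`, `platforms`, `applied_globally`) are my recollection of the public Falcon IOC Management API and should be treated as assumptions to check against the current API reference; the hashes and the allow-list text are constructed sample input.

```python
"""Bulk-load file hashes as Falcon custom IOCs with action "allow".

Added example, not from the original thread. The endpoint path and field
names follow the public Falcon IOC Management API as I recall it
(POST /iocs/entities/indicators/v1); treat them as assumptions and verify
them against the current API reference before use.
"""
import json
import re
import urllib.request

# Hash length -> indicator type. Custom file-hash IOCs are md5 or sha256.
HASH_TYPES = {32: "md5", 64: "sha256"}
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def parse_hash_list(text):
    """Parse an allow-list: one hash per line, '#' comments and blanks ignored.
    Returns (indicators, rejected): validated {type, value} dicts, and the
    lines that were not a well-formed md5/sha256 hash. Duplicates are dropped."""
    indicators, rejected, seen = [], [], set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if not HEX_RE.match(line) or len(line) not in HASH_TYPES:
            rejected.append(line)
            continue
        value = line.lower()          # normalise case so dedup works
        if value in seen:
            continue
        seen.add(value)
        indicators.append({"type": HASH_TYPES[len(value)], "value": value})
    return indicators, rejected


def build_allow_payload(indicators, description, platforms=("windows", "mac", "linux")):
    """Build the request body that creates the hashes as "allow" indicators
    applied globally. action="allow" is the setting that stops detections on
    the hash, as opposed to "detect" or "prevent" (field names are assumed)."""
    return {
        "comment": description,
        "indicators": [
            {
                "type": ind["type"],
                "value": ind["value"],
                "action": "allow",
                "platforms": list(platforms),
                "applied_globally": True,
                "description": description,
            }
            for ind in indicators
        ],
    }


def push_indicators(payload, bearer_token, base_url="https://api.crowdstrike.com"):
    """POST the payload with an OAuth2 bearer token obtained separately.
    Network call; not exercised offline."""
    req = urllib.request.Request(
        base_url + "/iocs/entities/indicators/v1",
        data=json.dumps(payload).encode(),
        headers={"Authorization": f"Bearer {bearer_token}",
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


# Constructed sample allow-list: a sha256 (repeated in different case),
# an md5, and two lines that must be rejected.
SAMPLE = """
# internal build tool flagged as malicious
E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855  # sha256, upper-case
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855  # duplicate
d41d8cd98f00b204e9800998ecf8427e                                  # md5
notahash
deadbeef
"""

if __name__ == "__main__":
    inds, bad = parse_hash_list(SAMPLE)
    print(json.dumps(build_allow_payload(inds, "FP: internal build tool"), indent=2))
    print("rejected:", bad)
```

The script stops at building the payload unless you call `push_indicators` with a token; review the rejected list before pushing, since a truncated or mistyped hash silently becomes a no-op rather than an allow.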