CrowdStrike Certified Falcon Administrator (CCFA) — Question 70
You have been provided with a list of 100 hashes that are not malicious but that your company has deemed inappropriate for work computers. They have asked you to ensure that they are not allowed to run in your environment. You have chosen to use Falcon to do this. Which is the best way to accomplish this?
Answer options
- A. Using the Support Portal, create a support ticket and include the list of binary hashes, asking support to create an "Execution Prevention" rule to prevent these processes from running
- B. Using Custom Alerts in the Investigate App, create a new alert using the template "Process Execution" and within that rule, select the option to "Block Execution"
- C. Using IOC Management, gather the list of SHA256 or MD5 hashes for each binary and then upload them. Set all hashes to "Block" and ensure that the prevention policy these computers are using includes the option for "Custom Blocking" under Execution Blocking.
- D. Using the API, gather the list of SHA256 or MD5 hashes for each binary and then upload them, setting them all to "Never Allow"
Correct answer: C
Explanation
The correct answer is C because IOC Management lets you upload multiple hashes and set them to "Block", which directly prevents execution of the inappropriate binaries. Option A relies on support intervention, which is slower and less direct, while option B only creates an alert without blocking execution. Option D uses the API but does not mention configuring the necessary prevention policy that enables "Custom Blocking".