An inactive host that does not contact the Falcon cloud will be automatically removed from the Host Management and Trash pages after how many days?
Correct Answer: D
Explanation: An inactive host that does not contact the Falcon cloud will be automatically removed from the Host Management and Trash pages after 90 days. An inactive host is a host that has not communicated with the Falcon platform for more than seven days. An inactive host will be moved from the Host Management page to the Trash page after seven days of inactivity. An inactive host will remain on the Trash page for 90 days before being permanently deleted from the Falcon platform. You can restore an inactive host from the Trash page if it becomes active again within 90 days [1].
References: [1] Falcon Administrator Learning Path | Infographic | CrowdStrike
Question 62
What is the most common cause of a Windows Sensor entering Reduced Functionality Mode (RFM)?
Correct Answer: D
Question 63
What is likely the reason your Windows host would be in Reduced Functionality Mode (RFM)?
Correct Answer: B
Explanation: The likely reason your Windows host would be in Reduced Functionality Mode (RFM) is that the host lost internet connectivity. RFM is a mode that limits the sensor's functionality due to license expiration, network connectivity loss, or certificate validation failure. When a Windows sensor is in RFM, it will only provide basic prevention capabilities, such as blocking known malware hashes and preventing script execution from the %TEMP% directory. The sensor will not send any telemetry or detection events to the Falcon platform, and will not receive any policy or update changes from the Falcon cloud [1]. Losing internet connectivity is a common cause of RFM, as it prevents the sensor from communicating with the Falcon cloud. A misconfiguration in your prevention policy or sensor update policy will not cause RFM, as these policies are applied by the Falcon cloud and do not affect the sensor's license, network, or certificate status. Microsoft updates altering the kernel may cause compatibility issues with the sensor, but not RFM [3].
References: [1] Falcon Administrator Learning Path | Infographic | CrowdStrike; [3] How to Become a CrowdStrike Certified Falcon Administrator
Question 64
On a Windows host, what is the best command to determine if the sensor is currently running?
Correct Answer: A
Question 65
Which of the following best describes the Default Sensor Update policy?
Correct Answer: C
Explanation: The Default Sensor Update policy is a "catch-all" policy. This means that any host that is not assigned to a specific sensor update policy will inherit the settings from the Default Sensor Update policy. The Default Sensor Update policy is enabled by default and has the "Uninstall and maintenance protection" feature turned on. You can modify the settings of the Default Sensor Update policy, but you cannot delete or disable it [2].
References: [2] Cybersecurity Resources | CrowdStrike