CrowdStrike Exam CCFA-200 Topic 2 Question 50 Discussion

Actual exam question for CrowdStrike's CCFA-200 exam

Question #: 50
Topic #: 2

You have a Windows host on your network in Reduced functionality mode (RFM). While the system is in RFM, which of the following is TRUE?

ASystem monitoring will be unavailable

BEvent reporting will be unavailable

CPrevention patterns will not be triggered

DSome detection patterns and preventions will not be triggered

Show Suggested Answer

Suggested Answer: D

The option that is true when a Windows host is in Reduced Functionality Mode (RFM) is that some detection patterns and preventions will not be triggered. RFM is a mode that limits the sensor's functionality due to license expiration, network connectivity loss, or certificate validation failure. When a Windows sensor is in RFM, it will only provide basic prevention capabilities, such as blocking known malware hashes and preventing script execution from the %TEMP% directory. The sensor will not send any telemetry or detection events to the Falcon platform, and will not receive any policy or update changes from the Falcon cloud. This means that some detection patterns and preventions that rely on telemetry, machine learning, or cloud analysis will not be triggered.

by Samira at Jan 13, 2025, 09:26 PM

Limited Time Offer

25%

13 days ago

Hmm, I think D is the correct answer. The reduced functionality mode definitely impacts some detection and prevention patterns, so that one makes the most sense.

upvoted 0 times

Gayla

3 days ago

User2: Yeah, that's true. It's important to be aware of the limitations in RFM.

upvoted 0 times

...

Bernardo

6 days ago

User1: I think D is correct too. RFM affects some detection and prevention patterns.

upvoted 0 times

...