Question 4 - CCFA-200 Real Exam Questions [Jan 2026 Update]s

Q: 4

You are configuring a prevention policy in CrowdStrike Falcon for endpoints in a highly secure environment. Which of the following settings is the most appropriate to block unknown executables while minimizing false positives?

Options

Correct Answer:

Explanation

For a highly secure environment, the goal is to prevent unknown threats without causing excessive operational disruption from false positives. The "Moderate" machine learning aggressiveness level provides a strong security posture by balancing robust detection capabilities with a lower risk of false positives compared to higher settings. Enabling "Quarantine Mode" is essential; this setting ensures that when an unknown executable is deemed malicious by the machine learning engine, it is actively blocked from executing and moved to a secure location, thereby fulfilling the requirement to "block" the threat.

Why Incorrect

A. Disabling "Quarantine Mode" would result in detection-only, meaning the unknown executable would be flagged but not blocked from running, failing the primary security objective.

C. While "High" aggressiveness offers more protection, it significantly increases the likelihood of false positives, which contradicts the requirement to minimize them.

D. "Low" aggressiveness is not suitable for a "highly secure environment" as it prioritizes avoiding false positives over security. Disabling quarantine also fails to block threats.

References

1. CrowdStrike. (2023). Falcon Prevent™: Prevention Policy Settings Guide. CrowdStrike Official Documentation.

Section: Machine Learning > Prevention > Executables. This section details the different aggressiveness levels. It specifies that "Moderate" is the recommended setting for most corporate environments as it "balances protection and false positives." It also notes that "Aggressive" (High) "favors protection over avoiding false positives

" making it less suitable when minimizing false positives is a stated goal.

2. CrowdStrike. (2023). Falcon Prevent™: Prevention Policy Settings Guide. CrowdStrike Official Documentation.

Section: Quarantine. This documentation clarifies that for a file to be prevented from executing

a prevention action such as "Quarantine" or "Delete" must be enabled for the relevant detection category. Without an active prevention setting

the sensor operates in a detection-only mode.

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE