In virtual desktop infrastructure (VDI) environments, the VMware Carbon Black EDR sensor can be staged on your Gold Image to simplify deployment and administration of EDR sensors across all virtual machines cloned from it.
Please note: The following instructions are for first-time VDI deployments. If you have previously deployed the VMware CB EDR sensor in your environment, please refer to our article on troubleshooting existing VDI deployments.
Installing VMware Carbon Black EDR sensor on virtual desktop infrastructure (VDI) systems
You can install a specially configured VMware Carbon Black EDR sensor on VDI systems to ensure each new VDI endpoint is uniquely identified within the Carbon Black server.
To install Carbon Black EDR on VDI systems:
- Enable VDI capabilities on the Carbon Black EDR Server.
- If Red Canary hosts your Carbon Black server, visit your Portal Help page and click Please enable VDI mode for my Carbon Black Response server.
- If Carbon Black hosts your Carbon Black server, please create a Red Canary support case and we will coordinate with Carbon Black’s support/ops team.
- If you host your Carbon Black server, please reference the correct Response Integration Guide on the Cb User Exchange for the necessary server-side configurations.
- Log into your Carbon Black console and click Sensors.
- Click Create Group to create a new sensor group where your VDI endpoints will reside.
- Mirror the settings from your Default Group to your new group, paying close attention to the Server URL and Advanced Options.
- Select VDI Behavior Enabled in the Advanced Options tab.
- Click Download Sensor Installer and download the Windows Standalone Executable.
Setting up Global VDI Support on Windows (7.2.1 or above):
- In the VMware Carbon Black EDR server console, open the settings for the VDI sensor group and change the Tamper Protection Level to Detection or None. At the Prevention level the sensor blocks the registry and file changes made in the next step.
- Ensure the master image ('gold disk' template) has SensorId=0 and that the stored event and binary data have been removed. From an elevated command prompt:
sc stop carbonblack
sc stop carbonblackk
reg add HKLM\SOFTWARE\CarbonBlack\config /t REG_SZ /v SensorId /d 0 /f
del /q %WINDIR%\CarbonBlack\EventLogs\*
for /d %G in ("%WINDIR%\CarbonBlack\store\MD5_*") do rd /s /q "%~G"
Setting up Global VDI Support on Windows (7.2.0 or older):
Note that these steps must be repeated each time the Gold Image is brought up for maintenance, because a running sensor re-registers with the server and repopulates its SensorId, event logs and binary store.
- Bring up your Gold Image system (in Private Mode if possible) and install the sensor as usual.
- Open an elevated command prompt and run the following commands:
sc stop carbonblack
fltmc unload carbonblackk
for /d %G in ("%WINDIR%\CarbonBlack\store\MD5_*") do rd /s /q "%~G"
del %WINDIR%\CarbonBlack\EventLogs\active-event.log
del %WINDIR%\CarbonBlack\EventLogs\eventlog_*.log.zip
reg add HKEY_LOCAL_MACHINE\SOFTWARE\CarbonBlack\config /t REG_SZ /v SensorId /d 0 /f
- Save and deploy your image.
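The two Windows procedures above (7.2.1 or above, and 7.2.0 or older) perform the same three actions: stop the sensor, discard its stored binaries and event logs, and reset SensorId to 0. The following PowerShell script is an added example, not Carbon Black's or Red Canary's own tooling. It performs those actions and then verifies the result before you snapshot, which is the check you want when the script is re-run at every maintenance cycle. It assumes the default install path %WINDIR%\CarbonBlack, the service name carbonblack and minifilter name carbonblackk used on this page, the registry key HKLM\SOFTWARE\CarbonBlack\config, and that the group's Tamper Protection Level has already been lowered as described above; the function names are the example's own.

```powershell
# Added example for preparing a Windows Carbon Black EDR gold image for VDI cloning.
# Assumptions: default paths under %WINDIR%\CarbonBlack, service "carbonblack",
# minifilter "carbonblackk", registry key HKLM:\SOFTWARE\CarbonBlack\config, and
# Tamper Protection already set to Detection or None on the sensor group.
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'

$CbDir    = Join-Path $env:WINDIR 'CarbonBlack'
$StoreDir = Join-Path $CbDir 'store'
$LogDir   = Join-Path $CbDir 'EventLogs'
$RegKey   = 'HKLM:\SOFTWARE\CarbonBlack\config'

function Stop-CbSensor {
    # Stop the user-mode service first, then unload the kernel minifilter so it
    # cannot keep writing to the store while the image is being cleaned.
    $svc = Get-Service -Name 'carbonblack' -ErrorAction SilentlyContinue
    if ($svc -and $svc.Status -ne 'Stopped') {
        Stop-Service -Name 'carbonblack' -Force
        $svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60))
    }
    # Only unload the filter if Filter Manager reports it as loaded.
    $loaded = (& fltmc.exe filters) | Where-Object { $_ -match '^\s*carbonblackk\s' }
    if ($loaded) {
        & fltmc.exe unload carbonblackk | Out-Null
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "fltmc unload carbonblackk exited with $LASTEXITCODE; check Tamper Protection"
        }
    }
}

function Get-CbEventLogFiles {
    # The event log files the 7.2.0 procedure removes.
    Get-ChildItem -Path $LogDir -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -eq 'active-event.log' -or $_.Name -like 'eventlog_*.log.zip' }
}

function Clear-CbData {
    # Binary store entries are directories named MD5_<hash>, so they need a
    # recursive removal; event logs are plain files.
    Get-ChildItem -Path $StoreDir -Directory -Filter 'MD5_*' -ErrorAction SilentlyContinue |
        Remove-Item -Recurse -Force
    Get-CbEventLogFiles | Remove-Item -Force
}

function Reset-CbSensorId {
    # The page writes SensorId as REG_SZ "0"; -Type String matches that.
    Set-ItemProperty -Path $RegKey -Name 'SensorId' -Value '0' -Type String
}

function Test-CbGoldImage {
    # Returns a list of problems; an empty list means the image is ready to snapshot.
    $problems = @()
    $id = (Get-ItemProperty -Path $RegKey -Name 'SensorId' -ErrorAction SilentlyContinue).SensorId
    if ("$id" -ne '0') { $problems += "SensorId is '$id', expected 0" }
    if (Get-ChildItem -Path $StoreDir -Directory -Filter 'MD5_*' -ErrorAction SilentlyContinue) {
        $problems += 'binary store still contains MD5_* entries'
    }
    if (Get-CbEventLogFiles) { $problems += 'event log files are still present' }
    $svc = Get-Service -Name 'carbonblack' -ErrorAction SilentlyContinue
    if ($svc -and $svc.Status -eq 'Running') {
        $problems += 'carbonblack service is running and will re-register before the snapshot'
    }
    return $problems
}

Stop-CbSensor
Clear-CbData
Reset-CbSensorId
$problems = Test-CbGoldImage
if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    Write-Warning 'Gold image is NOT ready. If Tamper Protection is still at Prevention, the sensor blocks these changes.'
    exit 1
}
Write-Host 'Gold image is clean: SensorId=0, no stored binaries or event logs. Snapshot and deploy now.'
```

Run it on the Gold Image after installing or updating the sensor and immediately before saving the image. Do not start the carbonblack service again before snapshotting: a sensor that starts with SensorId=0 registers with the server and receives a real id, which every clone would then inherit, which is exactly the duplicate-sensor problem the VDI procedure exists to prevent.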
Setting up Global VDI Support on macOS
- Stop the VMware Carbon Black EDR services on the endpoint:
- Open a terminal.
- Execute the following command:
sudo launchctl unload /Library/LaunchDaemons/com.carbonblack.daemon.plist
- Set the Sensor ID by editing /var/lib/cb/sensor.id and replacing the current id with 0.
- Save the image and deploy.
Setting up Global VDI Support on Linux
- Stop the Linux sensor daemon:
systemctl stop cbdaemon
- Remove any stored binary or event data:
rm -rf /var/opt/carbonblack/response/store/*
rm -rf /var/opt/carbonblack/response/eventlogs/*
- Enable VDI in sensorsetting.ini by setting the following value:
sudo vim /var/opt/carbonblack/response/sensorsetting.ini
VdiEnabled=1
- Set the Sensor ID to 0 in config.ini by setting the following values:
sudo vim /var/opt/carbonblack/response/config.ini
SensorId=0
SensorIdforDisplay=0
- Start the cbdaemon in the primary image VM:
systemctl start cbdaemon