+34 900 840 407
support@cytomic.ai

How to create an image for Windows persistent and non-persistent environments (VDI) with products based on Advanced EPDR/EDR

Related Products_
  • Advanced EPDR
  • Advanced EDR
IMPORTANT INFORMATION YOU MUST READ BEFORE YOU START

It is critical that you follow this procedure step-by-step and that once you complete it, you verify that all cloned devices are displayed in the web UI.

ATTENTION!
Devices cloned incorrectly affect visibility of monitored actions, impact the reliability of the Advanced Protection and can compromise the security of your infrastructure.

If you only see a single device in the web UI, you must repeat the process, rebuild the gold image and deploy it again to the affected endpoints as soon as possible. For any questions, contact Advanced EPDR/EDR Support Services.

Introduction_

In large networks with many similar computers, you can automate the process to install the operating system and other software with a gold image. This is sometimes referred to as a master image, base image, or clone image. You then deploy the gold image to all computers on the network, which eliminates most of the manual work required to set up a new computer. To generate a gold image, install an up-to-date operating system with all the software that users might need, such as security tools, on a computer on your network.

This article offers a step-by-step walkthrough of how to install Advanced EPDR/EDR in persistent and non-persistent Virtual Desktop Infrastructure (VDI) environments. Because of how virtual computers or instances work, a specific procedure must be followed to ensure that the images or templates used in virtual environments are up to date, optimized, and do not carry a previously assigned machine ID, so that each virtual computer is uniquely registered in the Web console when it starts.

The installation procedure requires that a template (for persistent environments) or a gold image (for non-persistent environments) be prepared that will be later deployed to the virtual computers on the network. It is very important to follow this procedure closely to:

  1. Ensure engine and knowledge updates.
  2. Optimize resource and bandwidth consumption in non-persistent environments.
  3. Ensure virtual instances are uniquely identified.
Prerequisites_
  • In persistent environments, computers must have fixed MAC addresses.
  • The computer used to generate the template or gold image must have an Internet connection.
Compatible Systems_

Generally, the procedure described in this document works* with the following types of virtual machines:

  • VMware Workstation
  • VMware Server
  • VMware ESX
  • VMware ESXi
  • Citrix XenDesktop
  • XenApp
  • XenServer
  • MS Virtual Desktop
  • MS Virtual Servers

*Bear in mind the considerations at the beginning of the article.

Procedure for Persistent Environments_

In a persistent VDI environment, the information stored on a computer hard disk persists between restarts. Therefore, to create a template you only have to configure updates of the Advanced EPDR/EDR Endpoint Security protection. After you install an updated version of the operating system and all programs that users need, create the template.

PHASE I - PREPARE THE MACHINE WHERE THE TEMPLATE IS CREATED

  1. From Advanced EDR/EPDR, create a group called Virtual machines to host the template and the virtual machines. To do so, follow these steps:
    • From the top navigation bar, select Computers.
    • From the left pane, select My Organization.
    • Select Add Group.
  2. Create a settings profile with automatic Agent and Advanced EDR/EPDR updates. To do so, follow these steps:
    • From the top navigation bar, select Settings.
    • From the left pane, select Per-computer settings.
    • Click Add to create a settings profile and ensure the Automatic agent and Advanced EDR/EPDR updates toggles are enabled.
    • Assign these settings to the Virtual machines group you created earlier for the template.
  3. Now, create a settings profile with Automatic Knowledge Updates enabled. To do so, follow these steps:
    • From the top navigation bar, select Settings.
    • From the left pane, select Workstations and Servers.
    • Click Add to create a new profile and type a name and description if required.
    • Select General and enable the Automatic Knowledge Updates toggle.
    • Assign these settings to the Virtual machines group you created earlier for the template.
  4. Install the agent and the protection on the Virtual machines group. To do so, follow these steps:
    • From the top navigation bar, select Computers.
    • Select the Virtual machines template group.
    • Select Add computers. This will download the installer.
    • Install the agent on the template and wait for the progress window to finish.
      During that time, the protection will be automatically installed, configured and updated.
      After the installation is completed, the computer will appear on the list of protected computers in the Web UI, with a green icon. The computer’s protection and knowledge will be up-to-date.
  5. Run Endpoint Agent Tool (password panda) on the computer with the template. Follow these steps:
    • Select the Detections, Counters and Check commands options and click Send.
      Or else, right-click on the protection icon and select Synchronize.
    • Remove the machine ID:
      • If the computer is protected with Anti-Tamper, enter the password in the AntiTamper password field or else, leave it blank.
      • Then, click the Prepare image button, but make sure the Is a gold image option is unchecked.
        This removes the agent ID from the template, so that all virtual machines obtain their ID when they connect to Advanced EDR/EPDR for the first time.
  6. ATTENTION! Disable the Endpoint Agent service so the service does not start automatically before the template is created for your virtual instances. This step is critical to ensure that each virtual machine is uniquely identified in the Web UI.
  7. Access the virtual environment management tool and generate the template. If you have questions about this step, contact your vendor.

PHASE II - CHANGE THE PANDA SERVICE'S STARTUP TYPE

Once the custom template is ready, you can enable the Panda Endpoint Agent service, either with GPO policies for devices within a domain, or through other types of script applications such as Horizon, Windows Logon Scripts, etc. In this example, we explain how to change the Panda Endpoint Agent service’s startup type, using GPO. First, you must create a GPO. To do that, follow these steps:

  • In the GPO settings, go to the following path: Computer Configuration, Policies, Windows Settings, Security Settings, System Services, Panda Endpoint Agent. The service will be disabled.
  • Change the status to Automatic. The service will start automatically on the next reboot and will be integrated in the console. The Group Policy Management Editor screen looks like this:

Procedure for Non-Persistent VDI Environments_

In a non-persistent VDI environment, you create two security settings profiles; one to update the gold image when you prepare it and for maintenance purposes, and one to disable updates when you run the gold image because it does not make sense to update Advanced EDR/EPDR if the computer storage system reverts to its original state with each restart.

PHASE I - PREPARE THE GOLD IMAGE

Before you create the gold image, you must prepare the machine:

  1. Install/Update the operating system with the customer’s applications.
  2. Create a group to host the gold image (‘Gold or template image’ group), and another to host virtual machines (‘Virtual machines’ group).
    • ‘Gold or template image’ group

      • Go to the Settings tab, click Per-computer settings and create a settings profile for future image updates.
      • Make sure Automatically update Panda All features on computers (automatic updates of the protection engine) is enabled.
      • Select the Automatic restart option for both workstations and servers to make sure the computer will be updated.
      • Assign these settings to the group you created for the gold image (‘Gold or template image’ group).
      • Next, click the Settings tab, and select Workstations and servers from the Security section to create a settings profile for future image updates.
      • Make sure automatic knowledge updates are enabled.
      • Assign these settings to the group you created for the gold image (‘Gold or template image’ group).
    • ‘Virtual machines’ group
      Virtual instances are based on the updated gold image. To optimize the VDI server’s resources and reduce bandwidth usage, disable updates by following the steps below:

      • Create a Per-computer settings profile that has updates disabled, and assign it to the ‘Virtual machines’ group.
      • Go to Workstations and servers in the Security section of the Settings tab, disable knowledge updates, and assign those settings to the ‘Virtual machines’ group.
  3. Install the agent and the protection on the ‘Virtual machines’ group in order to generate the gold image:
    • Go to the Computers tab, select the ‘Virtual machines’ group (the machine is moved to the ‘Gold or template image’ group in step 4), and click Add computers. This will download the installer.
    • Install the agent on the machine used to create the gold image and wait for the progress window to finish. During that time, the protection will be automatically installed and configured.
      After the installation is completed, the computer will appear on the list of protected computers in the Web UI.
  4. Move the machine with the gold image to its Gold or template image group so that it receives the settings with the option to update.
    We recommend that, from the computer, you right-click the protection icon in the notifications area of the taskbar, and force a synchronization. This will push the settings to the computer so that it will start updating.
  5. Run Endpoint Agent Tool on the computer with the gold image.
    • Although it is not mandatory, for non-persistent environments with persistence levels of less than a week, we recommend that you scan the computer with the Start cache scan button.
      If you have Advanced EDR/EPDR, you can use the context menu and scan the specific partition. This will fill the goodware cache and prepare the protection for virtual images. The process can take some time, depending on the contents of the hard disk. Wait until the operation finishes.
    • Select the Detections, Counters and Check commands options and click Send, or else right-click on the protection icon and select Synchronize.
    • Remove the machine ID. To do this, if the computer is protected with AntiTamper, enter the password in the AntiTamper password field or else, leave it blank.
    • Click the Prepare image button, and make sure the Is a gold image option is checked.
      This removes the agent ID from the gold image, so all virtual machines obtain their ID when they are run and connect to Advanced EDR/EPDR for the first time. This step is critical to ensure that each virtual instance is uniquely identified in the Web UI.
  6. ATTENTION! Disable the Panda Endpoint Agent service to prevent it from starting automatically before the gold image is created for your virtual instances.

    This step is critical to generate a specific ID for each virtual machine.
  7. Access the VDI management tools and generate the gold image. If you have questions about this step, contact your vendor.
  8. You can configure the maximum number of non-persistent machines that can be active simultaneously in the VDI environments section of the Web UI. This enables automatic management of the licenses used by those machines, relieving you of the task of deleting them from the Advanced EDR/EPDR to recover their licenses.

PHASE II - CHANGE THE ENDPOINT AGENT SERVICE START TYPE

Once the custom gold image is ready, you can enable the Panda Endpoint Agent service, either with GPO policies for devices within a domain, or through other types of script applications such as Horizon, Windows Logon Scripts, etc.
In this example, we show you how to change the Panda Endpoint Agent service’s startup type with GPO. First, you must create a GPO. To do so, in the GPO settings, browse to the following path: Computer Configuration, Policies, Windows Settings, Security Settings, System Services, Panda Endpoint Agent. The service will be disabled. Change the setting to Automatic. The service will start automatically on the following reboot and will be integrated in the console.
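As an added example that is not part of this article or of the product, the PowerShell script below does from a logon or Horizon script what both Phase II sections do with GPO (Enable), and what the last preparation step of Phase I does by hand (Disable): it sets the startup type of the Panda Endpoint Agent service and verifies the result. It assumes it runs elevated; the display name is the one the article uses, and the internal service name is resolved at run time rather than assumed.

```powershell
# Added example (not from the article or the vendor). Usage, elevated:
#   .\Set-EndpointAgentStartup.ps1 -Mode Disable   (on the template/gold image, before generating it)
#   .\Set-EndpointAgentStartup.ps1 -Mode Enable    (on the deployed clone, e.g. from a logon script)
param(
    [Parameter(Mandatory = $true)]
    [ValidateSet('Disable', 'Enable')]
    [string]$Mode,

    # Display name as shown in services.msc and in the GPO path used in the article
    [string]$DisplayName = 'Panda Endpoint Agent'
)

$ErrorActionPreference = 'Stop'

# Resolve the service by its display name; the internal service name is not assumed here
$svc = Get-Service -DisplayName $DisplayName -ErrorAction SilentlyContinue
if (-not $svc) {
    throw "No service with display name '$DisplayName'. Is the agent installed on this image?"
}

switch ($Mode) {
    'Disable' {
        # Phase I, last step before generating the template/gold image: the agent must not
        # start on the first boot of a clone before that clone has obtained its own ID
        if ($svc.Status -ne 'Stopped') { Stop-Service -Name $svc.Name -Force }
        Set-Service -Name $svc.Name -StartupType Disabled
    }
    'Enable' {
        # Phase II on the deployed clone: same effect as setting Automatic in the GPO
        Set-Service -Name $svc.Name -StartupType Automatic
        Start-Service -Name $svc.Name
    }
}

# Verify the result so that a failed step is visible in the logon-script log
$svc.Refresh()
$expectedStart = if ($Mode -eq 'Enable') { 'Automatic' } else { 'Disabled' }
$expectedState = if ($Mode -eq 'Enable') { 'Running' } else { 'Stopped' }
$actualStart = (Get-CimInstance Win32_Service -Filter "Name='$($svc.Name)'").StartMode
if ($actualStart -eq 'Auto') { $actualStart = 'Automatic' }   # WMI reports Automatic as Auto

if ($actualStart -ne $expectedStart -or $svc.Status -ne $expectedState) {
    throw "Verification failed for ${DisplayName}: startup=$actualStart, state=$($svc.Status) (expected $expectedStart/$expectedState)"
}
"${DisplayName} ($($svc.Name)): startup=$actualStart, state=$($svc.Status)"
```

After running with -Mode Enable on a clone, confirm in the Web UI that the clone appears as its own device, as described under Verify Procedure.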

The Group Policy Management Editor screen looks like this:

PHASE III - GOLD IMAGE MAINTENANCE

The agent, the protection, and the signatures of the gold image created must be updated frequently, at least once a month. These updates are essential to ensure maximum protection against the new attack techniques developed by hackers. Follow the steps below to update the gold image:

  1. Start the machine where the gold image is installed.
  2. From the Web UI, move the machine with the gold image to the ‘Gold or template image‘ group so that it receives the appropriate settings with automatic updates of the engine and knowledge.
  3. From the computer, right-click the protection icon in the notifications area of the taskbar to force a synchronization. This will update the machine.
    • Updates are performed silently in the background. We recommend that you wait a few minutes to make sure the image is properly updated.
    • If a new version of the protection is available, a restart window will be displayed and the computer will restart automatically (as configured in the Per-computer settings). In this case, once the restart is completed, we recommend that you force a new synchronization to make sure the product is fully up-to-date and configured properly.
  4. Run the Endpoint Agent Tool (password panda) on the computer with the gold image.
    • Scan it by using the Start cache scan button. This will fill the goodware cache and leave the protection in an appropriate state for virtual images.
      This process can take some time, depending on the contents of the hard disk. Wait until you are notified that the operation has finished.
    • Select the Detections, Counters and Check commands options and click Send, or else right-click on the protection icon and choose Synchronize.
    • Remove the machine ID. To do so, select the Prepare image button, making sure the Is a gold image option is checked.
      This will remove the agent ID from the gold image, so that all virtual instances obtain their unique ID when they are run and connect to Aether for the first time. This step is critical to ensure that each virtual instance is uniquely identified in the Web UI!
Verify Procedure_

It is essential to ensure that you have followed the procedure correctly.

  • View non-persistent computers
    Advanced EDR/EPDR uses the FQDN (Fully Qualified Domain Name) to identify computers whose ID has been deleted using the Advanced EDR/EPDR Tool program and are marked as gold image.
    To get a list of non-persistent VDI computers, follow the steps below:

    • From the top navigation bar, go to Settings.
    • Click VDI environments from the left pane.
    • Click the Show non-persistent computers link.
      The Computers list is displayed, with the non-persistent computers filter applied.
  • View persistent computers
    • From the top navigation bar, select Computers.
    • Verify that all your cloned devices are correctly displayed in the web UI.

IMPORTANT! If you see a single device, you must remove the device from the Computers list and start the procedure from scratch, that is, rebuild the gold image and deploy it again to the affected endpoints.

License management_

If the aforementioned process is followed appropriately, that is, if the step to delete the agent ID is performed correctly, selecting or clearing the Is a gold image option as indicated for each environment, then every time a new machine is started, the system will calculate its machine ID and will determine whether the computer is a new computer or an existing one, based on the selected environment.

  • In non-persistent environments, if the maximum number of machines that can be active simultaneously for non-persistent images is set, the server will manage licenses automatically, provided there are available licenses and the number of concurrent machines is not exceeded.
  • In persistent environments, if there are multiple machines that are no longer used, delete them from the database in order to free up licenses just as you would do with physical machines. This can be done from the Advanced EDR/EPDR console, by selecting all machines to delete and clicking the Delete button, or individually via the context menu of each machine to delete.