Cortex XDR Agent for Virtual Environments and Desktops

Learn about the Cortex XDR agent virtual installation options and use the provided workflows to install the Cortex XDR agent on virtual Windows endpoints.
You can deploy Cortex XDR agents in virtual environments either as a standard installation or in one of the virtual modes described in the following sections.

Cortex XDR Agent Virtual Desktop Infrastructure

You can deploy Cortex XDR agents in virtual environments as follows:
  • Non-persistent VDI installation—Intended for non-persistent endpoints that replicate (also referred to as spawn) from a golden image which has the Cortex XDR agent installed. When a new VDI session starts, the endpoint uses the original golden image policy until the Cortex XDR agent retrieves the new policy from the Cortex XDR server. This may take up to 10 minutes. In addition, with VDI installation, the endpoint license returns to the license pool either when the user logs off or ends the VDI session, or after a shorter timeout period than a standard Cortex XDR agent installation, thus ensuring that licenses are consumed only by active VDI. To install the Cortex XDR agent on non-persistent endpoints, follow the procedure to Configure the Cortex XDR Agent in a Non-Persistent VDI.
  • Persistent (Stateful) VDI installation—For Cortex XDR agent installation on a persistent VDI, follow the standard installation procedure for Windows endpoints.
  • Temporary session—Intended for either physical or virtual endpoints (such as Microsoft Terminal Services) that repeatedly revert to a snapshot (or image) on which the Cortex XDR agent is not installed. After you install the Cortex XDR agent, Cortex XDR issues a license to the physical or virtual endpoint but will revoke the license after a short period of inactivity. When the machine reverts to the original state and the Cortex XDR agent is reinstalled, the machine receives a license again. In a temporary session installation, the machine is protected by Cortex XDR from startup to shutdown, regardless of the time at which you logged on or off the machine. To install the Cortex XDR agent on a snapshot from which temporary sessions will spawn, Configure the Cortex XDR Agent for Temporary Sessions.

Configure the Cortex XDR Agent in a Non-Persistent VDI

In non-persistent VDI mode, each session is temporary. When a user accesses a non-persistent virtual desktop and logs out, the virtual desktop is wiped clean and reverts back to the original pristine state of the golden image. The next time the user logs in, they receive a fresh image.
In non-persistent VDI mode, the machine exhibits the following behavior:
  • Licensing—With non-persistent virtual desktops, the Cortex XDR agent receives a license from the pool of available endpoint licenses. Cortex XDR automatically returns the license to the license pool when the user logs off, the agent is uninstalled, the session ends, or when the VDI is inactive (for additional information on revoking licenses, see About Licenses). Revoking the license frees it up for use by another Cortex XDR agent.
  • Connectivity—When the user logs on to the VDI machine, the Cortex XDR agent connects to Cortex XDR to receive the license and to obtain the relevant updates. The Cortex XDR agent continues to communicate with Cortex XDR throughout the life cycle of the VDI instance. The Cortex XDR agent only protects the machine when a user is logged in. When the user is logged out, the Cortex XDR agent disconnects from Cortex XDR. During this time, the Cortex XDR agent does not receive updated policies or verdicts and does not send heartbeat communications to Cortex XDR.
  • Storage—In a non-persistent VDI, many VDI solutions allow you to choose either non-persistent or persistent storage. With non-persistent storage, the user settings and data are stored for the length of the session and are wiped clean when the session ends or a user logs out. With persistent storage, you can select folders or specific locations that persist after a session ends.
To ensure Cortex XDR correctly identifies and treats the agent as a VDI agent, perform the following workflow on the golden image:
  1. Install any software that you plan to have on the VDI instances.
    1. On the golden image, Install the Cortex XDR Agent 7.0 Using Msiexec and include the VDI_ENABLED=1 VDI flag.
       For example:
       msiexec /i c:\install\cortexxdr.msi /l*v C:\temp\cortexxdrinstall.log /qn VDI_ENABLED=1
    2. Install additional required software.
  2. Scan your golden image for files and request verdicts.
    Use Cytool to scan your endpoint. We recommend this step to populate the golden image with verdicts for executable files, DLLs, and files containing macros. If you do not perform this step, the Cortex XDR agent has to evaluate each file when it attempts to run on an endpoint during each VDI session.
    1. Open a command prompt as an administrator and navigate to C:\Program Files\Palo Alto Networks\Traps.
    2. If you plan to output the scanning report to the Cortex XDR folder, you must run the cytool protect disable command to disable Cortex XDR protection.
    3. Run the cytool imageprep scan command. You can add any of the following optional parameters:
       • [timeout <timeout in hours>]—Number of hours you permit Cytool to run the scan (default is 4 hours).
       • [upload <upload timeout in minutes>]—Number of minutes that you permit Cytool to upload unknown files to assess the verdict (default is 95 minutes).
       • [path <full path>]—Path to the directory in which you want to output the scanning report.
       For example:
       cytool imageprep scan timeout 4 upload 60 path c:\report
      If you need to install additional software after performing this step, you must re-scan the endpoint to allow the Cortex XDR agent to obtain verdicts for the new software.
    4. If you previously disabled service protection, enable it using the cytool protect enable command after the scan is complete.
    5. Review any portable executable (PE) files that WildFire® determined to be malicious.
       1. Open the scan report in Microsoft Excel or an editor of your choice.
       2. Perform one of the following actions for each malicious PE file found:
          • Remove the malicious file from the golden image.
          • If you believe the WildFire verdict is incorrect, override the verdict for the PE file in Cortex XDR. Then perform a Check In from the Cortex XDR console on the golden image.
  3. (Optional) If you later rename the golden image, you must run the cytool vdi update command to update the golden image name in the registry.

Configure the Cortex XDR Agent for Temporary Sessions

To ensure Cortex XDR correctly identifies and manages the agent and associated licenses as a temporary session, perform the following workflow to install the Cortex XDR agent on the snapshot:
  1. Install the Cortex XDR Agent 7.0 Using Msiexec and include the TS_ENABLED=1 flag.
     For example:
     msiexec /i c:\install\cortexxdr.msi /l*v C:\temp\cortexxdrinstall.log /qn TS_ENABLED=1
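The two silent installs on this page (VDI_ENABLED=1 for a golden image, TS_ENABLED=1 for a snapshot that temporary sessions revert to) and the image-preparation scan from the non-persistent VDI workflow, combined into one PowerShell script. This is an added example, not Palo Alto Networks code: the MSI, log and report paths are placeholders, cytool.exe is taken to live in the Traps folder the page names, and the assumption that cytool returns a non-zero exit code on failure is mine. It also handles the caveat from the VDI workflow that protection must be disabled only when the report is written inside the agent folder, and re-enables it in a finally block so a failed scan never leaves the image unprotected.

```powershell
<#
  Added example, not Palo Alto Networks code. Installs the Cortex XDR agent on a
  golden image (-Mode VDI) or on a snapshot that temporary sessions revert to
  (-Mode TS); for VDI it then runs the image-preparation scan.
  Assumptions: MSI, log and report paths are placeholders; cytool.exe lives in
  the folder the page names; cytool is assumed to return non-zero on failure.
#>
[CmdletBinding()]
param(
    [Parameter(Mandatory)][ValidateSet('VDI', 'TS')][string]$Mode,
    [string]$MsiPath    = 'C:\install\cortexxdr.msi',       # placeholder
    [string]$LogPath    = 'C:\temp\cortexxdrinstall.log',   # placeholder
    [string]$ReportPath = 'C:\report',                      # placeholder
    [int]$ScanTimeoutHours     = 4,
    [int]$UploadTimeoutMinutes = 60
)

$ErrorActionPreference = 'Stop'
$trapsDir = 'C:\Program Files\Palo Alto Networks\Traps'
$cytool   = Join-Path $trapsDir 'cytool.exe'

# The MSI property decides how Cortex XDR licenses and tracks the endpoint.
$modeFlag = if ($Mode -eq 'VDI') { 'VDI_ENABLED=1' } else { 'TS_ENABLED=1' }

if (-not (Test-Path -LiteralPath $MsiPath)) { throw "Installer not found: $MsiPath" }
New-Item -ItemType Directory -Force -Path (Split-Path -Parent $LogPath) | Out-Null

# Silent install with a verbose log. 0 = success, 3010 = success with a reboot
# pending (standard Windows Installer exit codes); anything else is a failure.
$msiArgs = "/i `"$MsiPath`" /l*v `"$LogPath`" /qn $modeFlag"
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
if ($proc.ExitCode -notin 0, 3010) {
    throw "msiexec exited with $($proc.ExitCode); review $LogPath"
}

if ($Mode -eq 'TS') {
    Write-Host 'Temporary-session install done; take the snapshot from this state.'
    return
}

# VDI only: pre-populate verdicts so spawned sessions do not re-evaluate every
# executable, DLL and macro file at first run. Protection has to be off only if
# the report lands inside the agent folder, so keep that window minimal.
New-Item -ItemType Directory -Force -Path $ReportPath | Out-Null
$reportInsideAgentDir = (Resolve-Path -LiteralPath $ReportPath).Path.StartsWith(
    $trapsDir, [System.StringComparison]::OrdinalIgnoreCase)

Push-Location $trapsDir
try {
    if ($reportInsideAgentDir) { & $cytool protect disable }
    & $cytool imageprep scan timeout $ScanTimeoutHours upload $UploadTimeoutMinutes path $ReportPath
    if ($LASTEXITCODE -ne 0) { throw "cytool imageprep scan exited with $LASTEXITCODE" }
}
finally {
    # Runs even when the scan throws, so the image is never left unprotected.
    if ($reportInsideAgentDir) { & $cytool protect enable }
    Pop-Location
}

# The last workflow step is a manual review of the report for malicious PE files.
Write-Host "Scan finished. Review the report in $ReportPath before finalizing the golden image:"
Get-ChildItem -LiteralPath $ReportPath | Select-Object Name, Length, LastWriteTime
```

Run it from an elevated PowerShell session on the golden image, for example `.\Prepare-CortexImage.ps1 -Mode VDI`, and install any additional software before the scan step, since the page notes that software added afterwards requires a re-scan.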

Cortex XDR Agent Compatibility with Virtual Applications

Configure the Cortex XDR Agent for Compatibility with Citrix App Layering

Due to a Citrix App Layering limitation, you must install the Cortex XDR agent only on the OS layer according to this workflow. This enables the Cortex XDR agent to provide full protection of your endpoints:
  1. Install the Cortex XDR agent on OS layer during the preparation process of the App Layering image.
    Cortex XDR agent installations on the Application layer or User layer are not supported.
  2. Stop the Cortex XDR agent.
     Before you finalize the OS layer, you must make changes in the Cortex XDR agent settings. To make these changes, you must first stop the agent by running the Cytool runtime stop command.
  3. Delete two Cyvera folders.
    Delete the following folders to allow them to be recreated later on:
    • c:\ProgramData\Cyvera\LocalSystem\Download\content
    • c:\ProgramData\Cyvera\LocalSystem\Persistence\cloud_frontend_db
  4. Add the Cortex XDR agent to the Citrix App Layering exclusion list.
    Add the following entry to the Windows Registry:
    HKLM\SYSTEM\CurrentControlSet\Services\Unirsd\ExcludeKey [REG_SZ] = "\Registry\Machine\System\Cyvera"
  5. Shut down the OS layer and finalize the layer.
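Steps 2 through 4 above, run as one PowerShell script on the OS layer, with a check that the registry value and folder removals actually took effect before the layer is finalized. This is an added example, not Citrix or Palo Alto Networks code: the two folders, the Unirsd key and the ExcludeKey value are exactly those listed above, and cytool.exe is assumed to live in the Traps folder the page names elsewhere. One caveat the page does not cover: if ExcludeKey already holds a different value, the script stops instead of overwriting it, because the format for combining several entries is not documented here.

```powershell
# Added example, not Citrix or Palo Alto Networks code. Prepares the App Layering
# OS layer for the Cortex XDR agent (steps 2-4 of the workflow above).
# Assumption: cytool.exe is in the Traps folder named elsewhere on the page.
$ErrorActionPreference = 'Stop'
$cytool = 'C:\Program Files\Palo Alto Networks\Traps\cytool.exe'

# Step 2: stop the agent before touching its on-disk state.
& $cytool runtime stop

# Step 3: remove the two folders so the agent recreates them on the layered desktop.
$folders = @(
    'C:\ProgramData\Cyvera\LocalSystem\Download\content',
    'C:\ProgramData\Cyvera\LocalSystem\Persistence\cloud_frontend_db'
)
foreach ($f in $folders) {
    if (Test-Path -LiteralPath $f) { Remove-Item -LiteralPath $f -Recurse -Force }
}

# Step 4: exclude the agent's registry hive from the App Layering driver (Unirsd).
$key      = 'HKLM:\SYSTEM\CurrentControlSet\Services\Unirsd'
$expected = '\Registry\Machine\System\Cyvera'
if (-not (Test-Path $key)) {
    throw "App Layering service key not found: $key (is the layering agent installed?)"
}
$existing = (Get-ItemProperty -Path $key -Name 'ExcludeKey' -ErrorAction SilentlyContinue).ExcludeKey
if ($existing -and $existing -ne $expected) {
    # Do not silently clobber an exclusion another product already relies on.
    throw "ExcludeKey already set to '$existing'; merge the Cyvera entry manually."
}
New-ItemProperty -Path $key -Name 'ExcludeKey' -PropertyType String -Value $expected -Force | Out-Null

# Verify before the layer is finalized; a miss here means the agent will not get
# full protection on the composed desktop.
$actual = (Get-ItemProperty -Path $key -Name 'ExcludeKey').ExcludeKey
if ($actual -ne $expected) { throw "ExcludeKey was not written (value: '$actual')" }
foreach ($f in $folders) {
    if (Test-Path -LiteralPath $f) { throw "Folder still present: $f" }
}
Write-Host 'OS layer prepared. Shut down and finalize the layer (step 5).'
```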

Configure the Cortex XDR Agent for Compatibility with Citrix App Volumes

To deploy Cortex XDR agents with Citrix App Volumes, you must add Cortex XDR services to the App Volumes template exclusions list.
Cortex XDR agent installations with Citrix App Volumes that are not performed according to this flow are not supported.
  1. Edit the Snapvol.cfg file.
     Follow the steps described in the VMware Knowledge Base to locate, open, and edit the Snapvol.cfg file.
  2. Add Cortex XDR process exclusions to the App Volumes templates.
    Add the following Cortex XDR process exclusions to the App Volumes templates:
     ################################################################
     # Process exclusions
     ################################################################
     # Cortex Agent
     exclude_path=\Program Files\Palo Alto Networks\Traps
     exclude_path=\ProgramData\Cyvera

     ################################################################
     # 64-Bit OS exclusions
     ################################################################
     # Cortex Agent
     exclude_path=\Program Files (x86)\Palo Alto Networks\Traps

     ################################################################
     # Registry exclusions
     ################################################################
     # Cortex Agent
     exclude_registry=\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\tlaservice
     exclude_registry=\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\cyserver
     exclude_registry=\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\cyveraservice
     exclude_registry=\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\cyverak
     exclude_registry=\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\cyvrfsfd
     exclude_registry=\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\cyvrmtgn
     exclude_registry=\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\telam
     exclude_registry=\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\tedrdrv
     exclude_registry=\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\tdevflt
     exclude_registry=\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\twdservice
     exclude_registry=\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\services\tlaservice
     exclude_registry=\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\services\cyserver
     exclude_registry=\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\services\cyveraservice
     exclude_registry=\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\services\cyverak
     exclude_registry=\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\services\cyvrfsfd
     exclude_registry=\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\services\cyvrmtgn
     exclude_registry=\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\services\telam
     exclude_registry=\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\services\tedrdrv
     exclude_registry=\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\services\tdevflt
     exclude_registry=\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\services\twdservice
     exclude_registry=\REGISTRY\MACHINE\SYSTEM\CYVERA
     exclude_registry=\REGISTRY\MACHINE\SOFTWARE\CYVERA
     exclude_registry=\REGISTRY\MACHINE\SOFTWARE\Palo Alto Networks\Traps
  3. Create new AppStacks and Writable Volumes.
  4. Install the Cortex XDR agent on your virtual machines without any volumes attached.
    If you plan to mount any AppStacks and Writable Volumes that were made before the templates update to machines where the Cortex XDR agent is installed, you must update these templates individually.
  5. Verify the process.
     Check that the new additions were added to the Snapvol.cfg file.
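A scripted form of the verification in step 5: a PowerShell check that parses Snapvol.cfg, keeps only the exclude_path and exclude_registry directives, and reports any of the Cortex XDR exclusions from step 2 that are missing. This is an added example, not VMware or Palo Alto Networks code; the required entries are built from the exact paths, service names and registry keys in the list above, and the Snapvol.cfg location is a placeholder to be replaced with the path from the VMware Knowledge Base article.

```powershell
# Added example, not VMware or Palo Alto Networks code. Verifies that every
# Cortex XDR exclusion from the workflow above is present in Snapvol.cfg.
param([string]$SnapvolPath = 'C:\path\to\snapvol.cfg')   # placeholder path

$ErrorActionPreference = 'Stop'

# Build the required set from the page's list: three paths, ten services under
# two control sets, and three further registry keys (26 entries in total).
$services = 'tlaservice', 'cyserver', 'cyveraservice', 'cyverak', 'cyvrfsfd',
            'cyvrmtgn', 'telam', 'tedrdrv', 'tdevflt', 'twdservice'
$required = @(
    'exclude_path=\Program Files\Palo Alto Networks\Traps',
    'exclude_path=\ProgramData\Cyvera',
    'exclude_path=\Program Files (x86)\Palo Alto Networks\Traps'
)
foreach ($cs in 'ControlSet001', 'CurrentControlSet') {
    foreach ($svc in $services) {
        $required += "exclude_registry=\REGISTRY\MACHINE\SYSTEM\$cs\services\$svc"
    }
}
$required += 'exclude_registry=\REGISTRY\MACHINE\SYSTEM\CYVERA',
             'exclude_registry=\REGISTRY\MACHINE\SOFTWARE\CYVERA',
             'exclude_registry=\REGISTRY\MACHINE\SOFTWARE\Palo Alto Networks\Traps'

if (-not (Test-Path -LiteralPath $SnapvolPath)) { throw "Snapvol.cfg not found: $SnapvolPath" }

# Keep only exclusion directives; comment banners and blank lines are ignored.
# Windows paths and registry keys are case-insensitive, so compare that way.
$present = [System.Collections.Generic.HashSet[string]]::new(
    [System.StringComparer]::OrdinalIgnoreCase)
Get-Content -LiteralPath $SnapvolPath |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ -match '^(exclude_path|exclude_registry)=' } |
    ForEach-Object { [void]$present.Add($_) }

$missing = @($required | Where-Object { -not $present.Contains($_) })
if ($missing.Count -gt 0) {
    Write-Warning "$SnapvolPath is missing $($missing.Count) of $($required.Count) required Cortex XDR exclusions:"
    $missing | ForEach-Object { Write-Warning "  $_" }
    exit 1
}
Write-Host "All $($required.Count) Cortex XDR exclusions are present in $SnapvolPath."
```

Run it against the edited template before creating new AppStacks and Writable Volumes; a non-zero exit code means the template still lacks entries, and the same check is worth repeating on any older template that you update individually, as step 4 requires.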
