Cortex® XDR™ Agent for Virtual Environments and Desktops
Learn about the Cortex® XDR™ agent virtual installation
options and use the provided workflows to install the Cortex XDR
agent 7.5 on virtual Windows endpoints.
You can deploy Cortex XDR agents in virtual
environments either as a standard installation,
or as follows:
Cortex XDR Agent Virtual Desktop Infrastructure
You can deploy Cortex XDR agents in virtual
environments as follows:
- Non-persistent VDI installation—Intended for non-persistent endpoints that replicate (also referred to as spawn) from a golden image which has the Cortex XDR agent installed. When a new VDI session starts and a connection to the internet is available, the endpoint uses the original golden image policy until the Cortex XDR agent retrieves the new policy from Cortex XDR and applies it after the first user logon. This may take up to 10 minutes. In addition, with VDI installation, the endpoint license returns to the license pool either when the user logs off or ends the VDI session, or after a shorter timeout period than a standard Cortex XDR agent installation, thus ensuring that licenses are consumed only by active VDI sessions. To install the Cortex XDR agent on non-persistent endpoints, follow the procedure to Configure the Cortex XDR Agent in a Non-Persistent VDI.
- Persistent (Stateful) VDI installation—For Cortex XDR agent installation on a Persistent VDI, follow the standard installation procedure for Windows endpoints.
- Temporary session—Intended for either physical or virtual endpoints (such as Microsoft Terminal Services) that repeatedly revert to a snapshot (or image) on which the Cortex XDR agent is not installed. After you install the Cortex XDR agent, Cortex XDR issues a license to the physical or virtual endpoint but will revoke the license after a short period of inactivity. When the machine reverts to the original state, and the Cortex XDR agent is reinstalled, the machine receives a license again. In a temporary session installation, the machine is protected by Cortex XDR from startup to shutdown, regardless of the time in which you logged on or off the machine. To install the Cortex XDR agent on a snapshot from which temporary sessions will spawn, Configure the Cortex XDR Agent for Temporary Sessions.
Configure the Cortex XDR Agent in a Non-Persistent VDI
In non-persistent VDI mode, each session is
temporary. When a user accesses a non-persistent virtual desktop
and logs out, the virtual desktop is wiped clean and reverts back
to the original pristine state of the golden image. The next time
the user logs in, they receive a fresh image.
In non-persistent
VDI mode, the machine exhibits the following behavior:
- Licensing—With non-persistent VDI endpoints, the Cortex XDR agent registers with Cortex XDR when the VDI instance boots. However, the agent receives a license from the pool of available licenses and enforces endpoint protection only after the first user logon. To identify these endpoints for which protection is not yet available, Cortex XDR displays the status as VDI Pending Log-on. If the Cortex XDR agent does not perform a successful check-in within 1.5 hours of the user log-on, the agent reports back a Connection Lost status. Cortex XDR automatically returns the license to the license pool when the user logs off, the agent is uninstalled, the session ends, or when the VDI is inactive (for additional information on revoking licenses, see About Licenses). Revoking the license frees it up for use by another Cortex XDR agent.
- Connectivity—When the user logs on to the VDI machine, the Cortex XDR agent connects to Cortex XDR to receive the license and to obtain the relevant updates. The Cortex XDR agent continues to communicate with Cortex XDR throughout the life cycle of the VDI instance. The Cortex XDR agent only protects the machine when a user is logged in. When the user is logged out, the Cortex XDR agent disconnects from Cortex XDR. During this time, the Cortex XDR agent does not receive updated policies or verdicts and does not send heartbeat communications to Cortex XDR.
- Storage—In a non-persistent VDI, many VDI solutions allow you to choose either non-persistent or persistent storage. With non-persistent storage, the user settings and data are stored for the length of the session and are wiped clean when the session ends or a user logs out. With persistent storage, you can select folders or specific locations that persist after a session ends.
To
ensure Cortex XDR correctly identifies and treats the agent as a
VDI agent, perform the following workflow on the golden image:
- Install any software that you plan to have on the VDI instances.
- On the golden image, Install the Cortex XDR Agent 7.5 Using Msiexec and include the VDI_ENABLED=1 flag. For example:
  msiexec /i c:\install\cortexxdr.msi /l*v C:\temp\cortexxdrinstall.log /qn VDI_ENABLED=1
- Install additional required software.
- Scan your golden image for files and request verdicts. Use Cytool to scan your endpoint. We recommend this step to populate the golden image with verdicts for executable files, DLLs, and files containing macros. If you do not perform this step, the Cortex XDR agent has to evaluate each file when it attempts to run on an endpoint during each VDI session.
  - Open a command prompt as an administrator and navigate to C:\Program Files\Palo Alto Networks\Traps.
  - If you plan to output the scanning report to the Cortex XDR folder, you must run the cytool protect disable command to disable Cortex XDR protection.
  - Run the cytool imageprep scan command. You can add any of the following optional parameters:
    - [timeout <timeout in hours>]—Number of hours you permit Cytool to run the scan (default is 4 hours).
    - [upload <upload timeout in minutes>]—Number of minutes that you permit Cytool to upload unknown files to assess the verdict (default is 95 minutes).
    - [path <full path>]—Path to the directory in which you want to output the scanning report.
    For example:
    cytool imageprep scan timeout 4 upload 60 path c:\report
    If you need to install additional software after performing this step, you must re-scan the endpoint to allow the Cortex XDR agent to obtain verdicts for the new software.
  - (Optional for Cortex XDR Pro per Endpoint and Cortex XDR agents 7.2 and later) If you plan to use the file search and destroy response action, you need to perform an additional scan to map all the files on the endpoint. Run the following commands and wait for them to complete:
    cytool file_system_scan start
    cytool file_system_scan query
  - If you previously disabled service protection, enable it using the cytool protect enable command after the scan is complete.
- Review any portable executable (PE) files that WildFire® determined to be malicious.
  - Open the scan report in Microsoft Excel or an editor of your choice.
  - Perform one of the following actions for each malicious PE file found:
    - Remove the malicious file from the golden image.
    - If you believe the WildFire verdict is incorrect, override the verdict for the PE file in Cortex XDR. Then perform a Check In from the Cortex XDR console on the golden image.
- (Optional) If you later rename the golden image, you must run the cytool vdi update command to update the golden image name and ID in the persistent database.
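The golden-image workflow above, carried out end to end from an elevated PowerShell prompt, as an added example that is not part of the Palo Alto Networks documentation. It assumes placeholder paths for the MSI, the install log and the report folder, that cytool.exe sits in the Traps folder the page names, and that a non-zero exit code from msiexec or cytool means the step failed. It disables protection only when the report is written into the agent folder, which is the one case the page requires it for, and re-enables it even if the scan aborts, so a half-prepared image is never left with protection off.

```powershell
# Added example, not the vendor's script. Placeholders: $MsiPath, $MsiLog,
# $ReportPath. Assumption: non-zero exit codes signal failure. Run elevated;
# cytool may prompt for the agent password when changing protection.
$ErrorActionPreference = 'Stop'

$MsiPath    = 'C:\install\cortexxdr.msi'            # placeholder
$MsiLog     = 'C:\temp\cortexxdrinstall.log'        # placeholder
$ReportPath = 'C:\report'                           # placeholder
$TrapsDir   = 'C:\Program Files\Palo Alto Networks\Traps'
$WithFileSystemScan = $true   # only meaningful for Cortex XDR Pro per Endpoint, agent 7.2+

function Invoke-Checked {
    # Run an external command and stop the workflow on a non-zero exit code,
    # so a failed step is not silently baked into the golden image.
    param([string]$Exe, [string[]]$Arguments)
    & $Exe @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "'$Exe $($Arguments -join ' ')' exited with code $LASTEXITCODE"
    }
}

# Step: install the agent with the VDI flag so Cortex XDR treats it as a VDI agent.
New-Item -ItemType Directory -Force -Path (Split-Path $MsiLog) | Out-Null
$p = Start-Process -FilePath 'msiexec.exe' -Wait -PassThru -ArgumentList @(
    '/i', "`"$MsiPath`"", '/l*v', "`"$MsiLog`"", '/qn', 'VDI_ENABLED=1')
if ($p.ExitCode -ne 0) { throw "msiexec exited with code $($p.ExitCode); see $MsiLog" }

# Step: scan the image so verdicts are cached before any session spawns from it.
Set-Location -LiteralPath $TrapsDir
New-Item -ItemType Directory -Force -Path $ReportPath | Out-Null

# Protection only has to be disabled when the report lands inside the agent folder.
$ReportInAgentDir = $ReportPath.TrimEnd('\').StartsWith(
    $TrapsDir, [System.StringComparison]::OrdinalIgnoreCase)
if ($ReportInAgentDir) {
    Invoke-Checked -Exe '.\cytool.exe' -Arguments @('protect', 'disable')
}
try {
    Invoke-Checked -Exe '.\cytool.exe' -Arguments @(
        'imageprep', 'scan', 'timeout', '4', 'upload', '60', 'path', $ReportPath)
    if ($WithFileSystemScan) {
        # Extra scan that maps all files for the file search and destroy action.
        Invoke-Checked -Exe '.\cytool.exe' -Arguments @('file_system_scan', 'start')
        Invoke-Checked -Exe '.\cytool.exe' -Arguments @('file_system_scan', 'query')
    }
}
finally {
    # Restore protection even when the scan failed; never leave the image open.
    if ($ReportInAgentDir) {
        Invoke-Checked -Exe '.\cytool.exe' -Arguments @('protect', 'enable')
    }
}

# Step: list the report files so the operator reviews the PE files WildFire flagged.
Get-ChildItem -LiteralPath $ReportPath | Select-Object Name, Length, LastWriteTime
```

If additional software is installed after this script runs, rerun it from the scan step onward, as the page notes; otherwise the new binaries are evaluated at first run inside every VDI session.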
Configure the Cortex XDR Agent for Temporary Sessions
To ensure Cortex XDR correctly identifies
and manages the agent and associated licenses as a temporary session,
perform the following workflow to install the Cortex XDR agent on
the snapshot:
- Install the Cortex XDR Agent 7.5 Using Msiexec and include the TS_ENABLED=1 flag. For example:
  msiexec /i c:\install\cortexxdr.msi /l*v C:\temp\cortexxdrinstall.log /qn TS_ENABLED=1
Cortex XDR Agent Compatibility with Virtual Applications
You can deploy the Cortex XDR agent using
the virtual applications supported
with Cortex XDR. The following virtual applications require
a unique installation workflow:
Configure Agent Compatibility for Citrix App Layering
Due to a Citrix App Layering limitation,
you must install the Cortex XDR agent only on the OS layer according
to this workflow. This enables the Cortex XDR agent to provide full
protection of your endpoints:
- Install the Cortex XDR agent on the OS layer during the preparation process of the App Layering image. Cortex XDR agent installations on the Application layer or User layer are not supported.
- (For Cortex XDR agent releases up to 7.2.X only) Stop the Cortex XDR agent. Before you finalize the OS layer, you must make changes in the Cortex XDR agent settings. To make these changes, you must first stop the agent by running the Cytool runtime stop command.
- (For Cortex XDR agent releases up to 7.2.X only) Delete two Cyvera folders. Delete the following folders to allow them to be recreated later on:
  - c:\ProgramData\Cyvera\LocalSystem\Download\content
  - c:\ProgramData\Cyvera\LocalSystem\Persistence\cloud_frontend_db
- Add the Cortex XDR agent to the Citrix App Layering exclusion list. Add the following entry to the Windows Registry:
  HKLM\SYSTEM\CurrentControlSet\Services\Unirsd\ExcludeKey [REG_SZ] = "\Registry\Machine\System\Cyvera"
- Shut down the OS layer and finalize the layer.
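The Citrix App Layering steps above applied on the OS layer from an elevated PowerShell prompt, as an added example that is neither Citrix's nor Palo Alto Networks' code. It assumes the operator sets $AgentVersion to the installed agent release (the stop and folder deletion apply only to releases up to 7.2.X, as the page states), and it refuses to overwrite an ExcludeKey value that already holds something else, since a REG_SZ value has room for one entry and clobbering it could break another product's exclusion.

```powershell
# Added example, not vendor code. Placeholder: $AgentVersion. Run elevated.
$ErrorActionPreference = 'Stop'

$AgentVersion   = [version]'7.5.0'   # placeholder: the installed agent release
$TrapsDir       = 'C:\Program Files\Palo Alto Networks\Traps'
$LegacyFolders  = @(
    'C:\ProgramData\Cyvera\LocalSystem\Download\content',
    'C:\ProgramData\Cyvera\LocalSystem\Persistence\cloud_frontend_db'
)
$ExclusionKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Unirsd'
$ExclusionValue = '\Registry\Machine\System\Cyvera'

if ($AgentVersion -lt [version]'7.3.0') {
    # Releases up to 7.2.X: stop the agent, then remove the two Cyvera folders
    # so the finalized layer does not carry them; the agent recreates them later.
    Set-Location -LiteralPath $TrapsDir
    & .\cytool.exe runtime stop
    if ($LASTEXITCODE -ne 0) { throw "cytool runtime stop exited with code $LASTEXITCODE" }
    foreach ($folder in $LegacyFolders) {
        if (Test-Path -LiteralPath $folder) {
            Remove-Item -LiteralPath $folder -Recurse -Force
        }
    }
}

# Register the agent's registry hive with the App Layering exclusion list.
if (-not (Test-Path -LiteralPath $ExclusionKey)) {
    throw "Key $ExclusionKey not found; is the Citrix App Layering agent installed on this layer?"
}
$existing = (Get-ItemProperty -Path $ExclusionKey -Name 'ExcludeKey' -ErrorAction SilentlyContinue).ExcludeKey
if ($null -ne $existing -and $existing -ne $ExclusionValue) {
    # Do not silently replace another product's exclusion; merge it by hand.
    throw "ExcludeKey already set to '$existing'; reconcile it manually before proceeding"
}
New-ItemProperty -Path $ExclusionKey -Name 'ExcludeKey' -PropertyType String `
    -Value $ExclusionValue -Force | Out-Null

# Read the value back before shutting down and finalizing the layer.
$written = (Get-ItemProperty -Path $ExclusionKey -Name 'ExcludeKey').ExcludeKey
if ($written -ne $ExclusionValue) { throw "ExcludeKey readback mismatch: '$written'" }
Write-Output "ExcludeKey set to '$written'; shut down the OS layer and finalize it."
```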
Configure Agent Compatibility for VMware App Volumes
To deploy Cortex XDR agents with VMware App
Volumes, you must add Cortex XDR services to the App Volumes template
exclusions list.
Cortex XDR agent installations
with VMware App Volumes that are not performed according to this
flow are not supported.
- Edit the Snapvol.cfg file. Follow the steps described in the VMware Knowledge Base to locate, open, and edit the Snapvol.cfg file.
- Add Cortex XDR process exclusions to the App Volumes templates. Add the following Cortex XDR process exclusions to the App Volumes templates:
  ################################################################
  # Process exclusions
  ################################################################
  # Cortex Agent
  exclude_path=\Program Files\Palo Alto Networks\Traps
  exclude_path=\ProgramData\Cyvera
  ################################################################
  # 64-Bit OS exclusions
  ################################################################
  # Cortex Agent
  exclude_path=\Program Files (x86)\Palo Alto Networks\Traps
  ################################################################
  # Registry exclusions
  ################################################################
  # Cortex Agent
  exclude_registry=\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\tlaservice
  exclude_registry=\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\cyserver
  exclude_registry=\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\cyveraservice
  exclude_registry=\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\cyverak
  exclude_registry=\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\cyvrfsfd
  exclude_registry=\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\cyvrmtgn
  exclude_registry=\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\telam
  exclude_registry=\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\tedrdrv
  exclude_registry=\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\tdevflt
  exclude_registry=\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\twdservice
  exclude_registry=\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\tedrpers-*
  exclude_registry=\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\services\tlaservice
  exclude_registry=\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\services\cyserver
  exclude_registry=\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\services\cyveraservice
  exclude_registry=\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\services\cyverak
  exclude_registry=\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\services\cyvrfsfd
  exclude_registry=\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\services\cyvrmtgn
  exclude_registry=\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\services\telam
  exclude_registry=\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\services\tedrdrv
  exclude_registry=\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\services\tdevflt
  exclude_registry=\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\services\twdservice
  exclude_registry=\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\services\tedrpers-*
  exclude_registry=\REGISTRY\MACHINE\SYSTEM\CYVERA
  exclude_registry=\REGISTRY\MACHINE\SOFTWARE\CYVERA
  exclude_registry=\REGISTRY\MACHINE\SOFTWARE\Palo Alto Networks\Traps
- Create new AppStacks and Writable Volumes.
- Install the Cortex XDR agent on your virtual machines without any volumes attached. If you plan to mount any AppStacks and Writable Volumes that were made before the templates update to machines where the Cortex XDR agent is installed, you must update these volumes individually.
- Verify the process. Check that the new additions were added to the Snapvol.cfg file.
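A check for the verification step above, as an added example that is neither VMware's nor Palo Alto Networks' code: it reads a snapvol.cfg template, builds the full list of exclusions the page requires, and reports any that are missing, so a hand-edited template is not pushed into new AppStacks with a line dropped. It assumes a placeholder path for the file and that matching should ignore case and surrounding whitespace, since a hand-edited file may vary in both.

```powershell
# Added example, not vendor code. Placeholder: $SnapvolPath.
$SnapvolPath = 'C:\path\to\snapvol.cfg'   # placeholder

# The required entries, copied from the exclusion list on this page.
$RequiredPaths = @(
    '\Program Files\Palo Alto Networks\Traps',
    '\ProgramData\Cyvera',
    '\Program Files (x86)\Palo Alto Networks\Traps'
)
$Services = @('tlaservice', 'cyserver', 'cyveraservice', 'cyverak', 'cyvrfsfd',
              'cyvrmtgn', 'telam', 'tedrdrv', 'tdevflt', 'twdservice', 'tedrpers-*')
$RequiredRegistry = @()
foreach ($set in @('ControlSet001', 'CurrentControlSet')) {
    foreach ($svc in $Services) {
        $RequiredRegistry += "\REGISTRY\MACHINE\SYSTEM\$set\services\$svc"
    }
}
$RequiredRegistry += '\REGISTRY\MACHINE\SYSTEM\CYVERA',
                     '\REGISTRY\MACHINE\SOFTWARE\CYVERA',
                     '\REGISTRY\MACHINE\SOFTWARE\Palo Alto Networks\Traps'

function Get-MissingExclusions {
    # Return the required key=value lines that are absent from the template.
    param([string]$Path)
    $present = @{}
    foreach ($line in Get-Content -LiteralPath $Path) {
        $t = $line.Trim()
        if ($t -eq '' -or $t.StartsWith('#')) { continue }   # comments and blanks
        $kv = $t -split '=', 2
        if ($kv.Count -ne 2) { continue }                    # not a key=value line
        $present["$($kv[0].Trim().ToLower())=$($kv[1].Trim().ToLower())"] = $true
    }
    $missing = @()
    foreach ($p in $RequiredPaths) {
        if (-not $present.ContainsKey("exclude_path=$($p.ToLower())")) {
            $missing += "exclude_path=$p"
        }
    }
    foreach ($r in $RequiredRegistry) {
        if (-not $present.ContainsKey("exclude_registry=$($r.ToLower())")) {
            $missing += "exclude_registry=$r"
        }
    }
    return $missing
}

$missing = Get-MissingExclusions -Path $SnapvolPath
if ($missing.Count -eq 0) {
    Write-Output "All Cortex XDR exclusions are present in $SnapvolPath."
} else {
    Write-Warning "$($missing.Count) exclusion(s) missing from $SnapvolPath; add them before creating AppStacks:"
    $missing | ForEach-Object { Write-Output "  $_" }
    exit 1
}
```

Run it against every template you edited; a non-zero exit makes it usable as a gate in whatever pipeline builds the AppStacks.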