Use the Traps VDI Tool to Configure the Master Policy

To avoid starting your VDI with a cache of unknown executable files, use the VDI Tool to request verdicts for all known PEs on your master image.
There are two versions of the VDI Tool: 32-bit and 64-bit. Use the version of VDI Tool that matches the VDI architecture.
  1. Before you begin...
  2. Use the Traps VDI Tool to obtain verdicts for all PE files (collected in 4).
    A command-line version of the Traps VDI Tool is also available. See Traps VDI Tool CLI.
    The Traps VDI tool communicates with the ESM Server to request any verdicts the server has stored in its server cache. The Traps VDI tool then creates a file called WildFireCache.xml which records one of the following verdicts for each hash: malicious, benign, or unknown. A hash has an unknown verdict if the ESM Server has not yet submitted the sample to WildFire or has not yet received a verdict for it.
    1. Open the Traps VDI tool.
    2. Configure the following settings:
      • ESM server address—IP address or hostname of the ESM Server used for checking the hashes. This server must be able to connect to WildFire.
      • ESM server SSL binding—Set the value to True if the server uses an SSL binding (default is False).
      • Input file—Path of the comma-separated value (CSV) file that you created in 4 that contains all the hashes.
      • Output file path—Enter the filename that the Traps VDI tool will use to create the WildFire cache output: WildFireCache.xml. The Traps VDI tool creates the file in the same folder as the tool unless you changed the path here.
      • ESM server port—Port number for the ESM server (default is 2125).
      • Hash bulk size—Hashes will be reported to the server in fragments of this size (default is 300; range is 1 to 500).
      • Tool timeout in hours—Time in hours to wait for the Traps VDI tool to finish obtaining verdicts. If the Traps VDI tool exceeds the timeout, it stops generating the WildFire cache (default is 24 hours).
      • Wait for WildFire verdicts—Select False to look up only the verdicts the ESM Server already holds, without uploading the unknown executable files. Select True to upload the remaining unknown executable files to the ESM Server and wait for their WildFire verdicts before the cache file is written. This procedure uses False for the first pass and True for the second pass.
      • WildFire verdicts check interval—Time in minutes between inquiries to check for new verdicts (default is 10).
      • Write malware to cache—Select True to write malware verdicts to the cache file (default is False).
    3. Click Start.
      The Traps VDI tool uses the results of the verdict lookup to create the WildFireCache.xml file.
    4. Wait two hours for the ESM Server to query WildFire for any unknown verdicts and then proceed to the next step. During this time, the ESM Server populates the server cache with any verdicts for hashes WildFire has previously analyzed.
  3. Submit any remaining unknown executable files for analysis. The Traps VDI tool uploads the files to the ESM Server which then sends the files to WildFire for inspection. After the ESM Server submits the samples, the server queries WildFire every 10 minutes for updated verdicts.
    1. Open the Traps VDI tool.
    2. Change the Wait for WildFire verdicts setting to True. This setting enables the Traps VDI tool to send any remaining unknown executable files and wait for the WildFire verdict.
    3. Click Start.
      After the verdict lookup is complete, the Traps VDI tool recreates the XML file containing the hashes and their verdicts.
  4. Review any PE files that WildFire determined to be malicious.
    1. Open the Malware text file created by the Traps VDI tool. This file contains the list of hashes for which WildFire returned a malicious verdict.
    2. Perform one of the following actions for each malicious PE file:
      • Remove the malicious PE file from the master image.
      • If you have reason to believe the WildFire verdict is incorrect, override the verdict for the PE file on the Hash Control page of the ESM Console and also change that hash's verdict to benign in the generated WildFireCache.xml so the two stay consistent.
  5. Stop the Traps agent service and drivers using Cytool so that the cache file can be replaced while the agent is not running.
  6. Replace the WildFire cache with the file generated by the Traps VDI tool.
    1. Locate the WildFire cache file generated by the Traps VDI tool. The file is located in the path that you specified in the Output file path field.
    2. Replace the existing WildFireCache.xml file in %ProgramData%\Cyvera\LocalSystem\ with the new file.
  7. Use the Traps VDI tool to identify the master image as a VDI instance.
    1. Open the Traps VDI tool.
    2. Click the Menu in the top left corner and select Mark as VDI.
    3. Enter the Traps uninstall password and click Mark as VDI.
    The tool identifies the machine in the Windows registry as a VDI instance.
  8. Ensure the ESM Server can access WildFire.
    From the ESM Server, open a browser to the following address: https://wildfire.paloaltonetworks.com.
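
As an added example (not Palo Alto Networks' code and not part of the original page), the following PowerShell script automates the cache-file replacement in steps 5 and 6 on the master image and the WildFire reachability check in step 8 on the ESM Server. The page documents only the %ProgramData%\Cyvera\LocalSystem\ path, the WildFireCache.xml filename and the WildFire address; the service name cyserver, the example output path and the SHA256 comparison of the copied file are assumptions and are marked as such in the code.

```powershell
# Added example, not Palo Alto Networks' code. Run as an administrator on the
# master image after the Traps VDI tool has finished. Anything not stated in the
# procedure above is an assumption and is marked as one.
#Requires -RunAsAdministrator

$AgentCacheDir = Join-Path $env:ProgramData 'Cyvera\LocalSystem'   # path given in step 6
$AgentCache    = Join-Path $AgentCacheDir 'WildFireCache.xml'      # filename given in step 6
$AgentService  = 'cyserver'                                        # assumed Traps service name

function Test-VdiCacheFile {
    # The page says only that the tool writes WildFireCache.xml; its element layout
    # is not documented here, so check just that the file exists, is non-empty and
    # parses as XML before it is copied into the agent directory.
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "Cache file not found: $Path"
    }
    if ((Get-Item -LiteralPath $Path).Length -eq 0) {
        throw "Cache file is empty: $Path"
    }
    try { [void][xml](Get-Content -LiteralPath $Path -Raw) }
    catch { throw "Cache file is not well-formed XML: $Path ($($_.Exception.Message))" }
    return $true
}

function Install-VdiCacheFile {
    # Steps 5 and 6: refuse to touch the agent directory while the agent is still
    # running, keep a timestamped backup of the current cache, then copy the new one in.
    param([Parameter(Mandatory)][string]$NewCache)
    [void](Test-VdiCacheFile -Path $NewCache)

    $svc = Get-Service -Name $AgentService -ErrorAction SilentlyContinue
    if ($svc -and $svc.Status -ne 'Stopped') {
        throw "Traps agent service '$AgentService' is still running; stop it with Cytool first (step 5)."
    }
    if (-not (Test-Path -LiteralPath $AgentCacheDir -PathType Container)) {
        throw "Agent directory not found: $AgentCacheDir (is Traps installed on this image?)"
    }
    if (Test-Path -LiteralPath $AgentCache) {
        $backup = "$AgentCache.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"
        Copy-Item -LiteralPath $AgentCache -Destination $backup
        Write-Host "Backed up existing cache to $backup"
    }
    Copy-Item -LiteralPath $NewCache -Destination $AgentCache -Force

    # Verify the installed file byte-for-byte instead of trusting Copy-Item (SHA256 is
    # just the comparison algorithm chosen here, not something the page specifies).
    $src = (Get-FileHash -LiteralPath $NewCache   -Algorithm SHA256).Hash
    $dst = (Get-FileHash -LiteralPath $AgentCache -Algorithm SHA256).Hash
    if ($src -ne $dst) { throw "Installed cache does not match the source file." }
    Write-Host "Installed $NewCache as $AgentCache (SHA256 $dst)"
}

function Test-WildFireReachable {
    # Step 8, run on the ESM Server rather than on the image: an HTTPS GET to the
    # WildFire address from the page. Invoke-WebRequest throws on HTTP errors and on
    # TLS failures, which is what a blocked or intercepted path looks like.
    param([string]$Url = 'https://wildfire.paloaltonetworks.com')
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
    try {
        $r = Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec 15
        return ($r.StatusCode -ge 200 -and $r.StatusCode -lt 400)
    } catch {
        Write-Warning "WildFire is not reachable from this host: $($_.Exception.Message)"
        return $false
    }
}

# Usage on the master image once the agent is stopped; the path is whatever you
# entered in the tool's Output file path field (this one is an assumed example):
# Install-VdiCacheFile -NewCache 'C:\Tools\TrapsVDI\WildFireCache.xml'
#
# Usage on the ESM Server:
# if (-not (Test-WildFireReachable)) { Write-Error 'Fix WildFire connectivity before re-running the VDI tool.' }
```

The service check is deliberately a hard stop rather than an automatic service stop: the procedure stops the agent with Cytool, which also unloads the drivers, and a plain Stop-Service would not reproduce that. Keep the timestamped backup until the cloned VDI instances have been verified against the new cache.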
