Configure the Golden Image for Non-Persistent VDI

To avoid starting your VDI with a cache of unknown executable files, you can use the Traps VDI tool to request verdicts for all known PEs on your golden image. The Traps VDI tool is available on the Customer Support Portal (UpdatesSoftware UpdatesTraps Endpoint Protection Agent).
There are two versions of the VDI tool: 32-bit and 64-bit. Use the version of VDI tool that matches the VDI architecture.
  1. Before you begin:
    1. Install the Traps Agent for Windows and any software that you plan to have on the VDI instances.
      If after completing the process to configure the golden image, you need to install additional software, you must recreate the WildFire cache file using the Traps VDI tool. This ensures that Traps obtains verdicts for the new software.
    2. Verify that the Traps agent on the golden image can access the ESM Server.
      On the Traps agent, click Check In Now to obtain the latest verdicts from the ESM Server. If the ESM Server is reachable, the status on the console displays Connected.
    3. Use the Cytool for Windows to stop Traps services (including local analysis) on the endpoint.
      Note that the Traps Reporting Service remains running after you stop services.
    4. Collect all PE files available on the golden image using Sigcheck. This tool creates a file for you to use as input for the Traps VDI tool.
      1. Download Sigcheck (a Windows Sysinternals utility) from https://technet.microsoft.com/en-us/sysinternals/bb897441.aspx.
      2. Open a command prompt as an administrator and navigate to the directory to which you downloaded Sigcheck.
      3. Run Sigcheck recursively to find executable files regardless of extension and output the hashes in comma-separated format to a folder and file name of your choice.
        The Sigcheck parameters are subject to change. To display available usage guidelines, run the sigcheck command without options.
        The following examples show the commands you can use in two different versions of Sigcheck:
        Sigcheck version 2.54
        sigcheck
        /s /c /e /h C:\ > C:\temp\outfilename.csv
        Sigcheck version 2.2
        sigcheck /accepteula -s -h
        -e -c C:\ > C:\temp\outfilename.csv
  2. Use the Traps VDI Tool to obtain verdicts for all PE files
    A command-line version of the Traps VDI tool is also available. See Traps VDI Tool CLI.
    To ensure that the Traps VDI tool can obtain verdicts for all unknown files, we recommend that you verify the ESM Server can access WildFire (https://wildfire.paloaltonetworks.com).
    The Traps VDI tool communicates with the ESM Server to request any verdicts the server has stored in its server cache. The Traps VDI tool then creates a WildFire cache which can contain any of the following verdicts for each hash: malicious, benign, or unknown. A hash has an unknown verdict if the ESM Server has not submitted the sample to or received an updated verdict from WildFire.
    vdi-tool-main.png
    1. Open the Traps VDI tool.
    2. Configure the following settings:
      • ESM server address—IP address or hostname of the ESM Server used for checking the hashes. This server must be able to connect to WildFire.
      • ESM server SSL binding—Set the value to True if the server uses an SSL binding (default is False).
      • Input file—Path of the comma-separated value (CSV) file created by the Sigcheck tool that contains all the hashes.
      • Password—Enter the agent's uninstall password. This password is required to read data from protected locations when Service Protection is enabled.
      • ESM server port—Port number for the ESM server (default is 2125).
      • Hash bulk size—Hashes will be reported to the server in fragments of this size (default is 300; range is 1 to 500).
      • Tool timeout in hours—Time in hours to wait for the Traps VDI tool to finish obtaining verdicts. If the Traps VDI tool exceeds the timeout, it stops generating the WildFire cache (default is 24 hours).
      • Wait for WildFire verdicts—Select False to skip uploading unknown hashes and creating the cache file.
      • WildFire verdicts check interval—Time in minutes between inquiries to check for new verdicts (default is 10).
      • Write malware to cache—Select True to write malware verdicts to the cache file (default is False).
    3. Click Start.
      The Traps VDI tool uses the results of the verdict lookup to create the WildFire cache of verdicts.
    4. Wait two hours for the ESM Server to query WildFire for any unknown verdicts and then proceed to the next step. During this time, the ESM Server populates the server cache with any verdicts for hashes WildFire has previously analyzed.
  3. Submit any remaining unknown executable files for analysis.
    The Traps VDI tool uploads the files to the ESM Server which then sends the files to WildFire for inspection. After the ESM Server submits the samples, the server queries WildFire every 10 minutes for updated verdicts. The entire process can take up to 24 hours to obtain verdicts for all unknown files.
    1. Open the Traps VDI tool.
    2. Change the Wait for WildFire verdicts setting to True. This setting enables the Traps VDI tool to send any remaining unknown executable files and wait for the WildFire verdict.
    3. Click Start.
      After the verdict lookup is complete, the Traps VDI tool recreates the WildFire cache containing the hashes and their verdicts.
  4. Review any PE files that WildFire determined to be malicious.
    1. From the ESM Console, go to the PoliciesMalwareHash Control page.
    2. Use the Hash Control search conditions to identify malware detected on the golden image:
      golden-image-hash-search.png
    3. Perform one of the following actions for each malicious PE file:
      • Remove the malicious PE file from the golden image.
      • If you believe the WildFire verdict is incorrect:
        1. Override the verdict for the PE file on the Hash Control page of the ESM Console.
        2. Ensure that the Traps agent receives any verdict overrides. To do this, run the Traps VDI tool with the Wait for WildFire verdicts set to True. This enables the Traps VDI tool to obtain the changed verdicts from the ESM Server. This step typically finishes within ten minutes.
  5. Configure the golden image as a non-persistent VDI using the Traps VDI tool.
    This ensures that the agent on each spawned machine registers with the ESM as a new agent. This also ensures the ESM revokes licenses for the VDI when the session is inactive or ends.
    1. On the golden image, open the Traps VDI tool.
    2. Select MenuMark as VDI.
    3. Enter the Traps uninstall password and click Mark as VDI.
      The Traps VDI tool identifies the machine in the Windows registry as a non-persistent VDI.

Related Documentation