Configure the Golden Image for Non-Persistent VDI

To avoid starting your VDI with a cache of unknown executable files, use the Traps VDI tool to request verdicts for all known PEs on your golden image.
There are two versions of the VDI tool: 32-bit and 64-bit. Use the version of VDI tool that matches the VDI architecture.
  1. Before you begin:
  2. Use the Traps VDI Tool to obtain verdicts for all PE files (collected in 4 ).
    A command-line version of the Traps VDI tool is also available. See Traps VDI Tool CLI .
    The Traps VDI tool communicates with the ESM Server to request any verdicts the server has stored in its server cache. The Traps VDI tool then creates a WildFire cache which can contain any of the following verdicts for each hash: malicious, benign, or unknown. A hash has an unknown verdict if the ESM Server has not submitted the sample to or received an updated verdict from WildFire.
    vdi-tool-main.png
    1. Open the Traps VDI tool.
    2. Configure the following settings:
      • ESM server address—IP address or hostname of the ESM Server used for checking the hashes. This server must be able to connect to WildFire.
      • ESM server SSL binding—Set the value to True if the server uses an SSL binding (default is False).
      • Input file—Path of the comma-separated value (CSV) file that you created in 4 that contains all the hashes.
      • Password—Enter the agent's uninstall password. This password is required to read data from protected locations when Service Protection is enabled.
      • ESM server port—Port number for the ESM server (default is 2125).
      • Hash bulk size—Hashes will be reported to the server in fragments of this size (default is 300; range is 1 to 500).
      • Tool timeout in hours—Time in hours to wait for the Traps VDI tool to finish obtaining verdicts. If the Traps VDI tool exceeds the timeout, it stops generating the WildFire cache (default is 24 hours).
      • Wait for WildFire verdicts—Select False to skip uploading unknown hashes and creating the cache file.
      • WildFire verdicts check interval—Time in minutes between inquiries to check for new verdicts (default is 10).
      • Write malware to cache—Select True to write malware verdicts to the cache file (default is False).
    3. Click Start.
      The Traps VDI tool uses the results of the verdict lookup to create the WildFire cache of verdicts.
    4. Wait two hours for the ESM Server to query WildFire for any unknown verdicts and then proceed to the next step. During this time, the ESM Server populates the server cache with any verdicts for hashes WildFire has previously analyzed.
  3. Submit any remaining unknown executable files for analysis.
    The Traps VDI tool uploads the files to the ESM Server which then sends the files to WildFire for inspection. After the ESM Server submits the samples, the server queries WildFire every 10 minutes for updated verdicts. The entire process can take up to 24 hours to obtain verdicts for all unknown files.
    1. Open the Traps VDI tool.
    2. Change the Wait for WildFire verdicts setting to True. This setting enables the Traps VDI tool to send any remaining unknown executable files and wait for the WildFire verdict.
    3. Click Start.
      After the verdict lookup is complete, the Traps VDI tool recreates the WildFire cache containing the hashes and their verdicts.
  4. Review any PE files that WildFire determined to be malicious.
    1. From the ESM Console, go to the PoliciesMalwareHash Control page.
    2. Use the Hash Control search conditions to identify malware detected on the golden image:
      golden-image-hash-search.png
    3. Perform one of the following actions for each malicious PE file:
      • Remove the malicious PE file from the golden image.
      • If you believe the WildFire verdict is incorrect:
        1. Override the verdict for the PE file on the Hash Control page of the ESM Console.
        2. Ensure that the Traps agent receives any verdict overrides. To do this, run the Traps VDI tool with the Wait for WildFire verdicts set to True. This enables the Traps VDI tool to obtain the changed verdicts from the ESM Server. This step typically finishes within ten minutes.
  5. Configure the golden image as a non-persistent VDI using the Traps VDI tool.
    This ensures that the agent on each spawned machine registers with the ESM as a new agent. This also ensures the ESM revokes licenses for the VDI when the session is inactive or ends.
    1. On the golden image, open the Traps VDI tool.
    2. Select MenuMark as VDI.
    3. Enter the Traps uninstall password and click Mark as VDI.
      The Traps VDI tool identifies the machine in the Windows registry as a non-persistent VDI.

Related Documentation