We recommend that the golden image be assigned a different policy from its clones. Use sensor groups to avoid the clones inheriting the golden image.
For more information about sensor groups, see the VMware Carbon Black Cloud on AWS GovCloud (US) User Guide
To get started, we recommend that you duplicate the Standard policy rules to the instant clone policy. We then recommend the following specific policy settings for Horizon instant clones.
General Tab
- Name – For easy identification, we recommend giving the policy a name that distinguishes the sensors as Instant Clones.
- Description – This policy is optimized for Horizon instant clones. Special considerations improve performance and provide a strong base of reputation, behavioral, and targeted prevention.
- Target Value – Medium
Sensor Tab
- Display sensor message in system tray - Enable this setting and add a message similar to this sample text: "Virtual Desktops Policy - Contact [email protected] with any questions and concerns. Provide context regarding the issue and any available replication steps."
Prevention Tab - Permissions
- Bypass rules (exclusions) – Policy-level bypass rules help achieve stability in a VDI environment.
Each organization must understand the trade-offs between performance and security. VMware recommends the use of exclusions. Work with stakeholders to review risks and benefits (performance versus visibility) and apply the bypass rules as needed.
Carbon Black Cloud provides exclusions for supported methods as examples. Please review the applications that are installed in the VDI environment and apply any required bypass rules.
The following examples are based on public documentation for VMware solutions. Additional bypass rules might be needed.
VMware bypass rules best practices
**\Program Files\VMware\**, **\SnapVolumesTemp**, **\SVROOT**, **\SoftwareDistribution\DataStore**, **\System32\Spool\Printers**, **\ProgramData\VMware\VDM\Logs**, **\AppData\VMware\**
Prevention
Blocking and Isolation
Best practices recommend applying Blocking and Isolation rules to address specific attack surfaces.
Local Scan tab
- On Access File Scan Mode – Enabled
- Allow Signature Updates – Disabled
This setting is circumstantial. For short-lived clones, it is recommendedto have Allow Signature Updates set to Disabled and have On Access File Scan Mode set to Enabled. The policy of the golden image would have both of these settings Enabled. This setup makes sure that clones can still perform AV scans using the signature packs that came from the golden image, without incurring the cost of updating the signature pack on each clone. If the clones are expected to be long-lived it is recommended to have both settings set to Enabled (to avoid the use of outdated signature packs.
Sensor tab
- Run Background Scan – Disabled. To optimize performance, it is recommended to complete a background scan on the golden image andsubsequently have the background scan disabled on the policy that is assigned to the clones.
- Scan files on network drives – Disabled
- Scan execute on network drives – Enabled
- Delay execute for Cloud scan – Enabled. This critical setting serves as the sole point of reference for pre-execution reputation lookups. If it is disabled, endpoints must rely on Application at Path and Deny List rules for pre-execution prevention.
- Hash MD5 – Disabled. The sensor always calculates the SHA-256.
- Auto-deregister VDI clone sensors that have been inactive for – Because instant clones are generally short-lived, it is recommended to Enable this setting to remove any instant clones that have been inactive for the specified duration.
Note: VMware Carbon Black recommends setting an interval of at least 24 hours to ensure that sensors do not get de-registered during common maintenance windows from VMware Carbon Black or your environment.