We recommend that Carbon Black Cloud console administrators create specific policies to manage Citrix clones.
After a policy is applied to the golden image, all clones inherit this policy unless otherwise directed by membership in sensor groups.
For more information about sensor groups and policy settings, see the Carbon Black Cloud on VMware Cloud Services Platform User Guide.
We recommend the following policy settings for Citrix clones.
General Tab
- Name – Virtual Desktops – “Virtual Desktops” was previously a prescribed policy name. You can now put VMs into any policy name, and support VMs in different policies. This allows you to segregate clones from physical machines, and have different settings for each type.
- Description – This policy is optimized for Citrix clones. Special considerations improve performance and provide a strong base of reputation, behavioral, and targeted prevention.
- Target Value – Medium
Sensor Tab
- Display sensor message in system tray - Enable this setting and add a message similar to this sample text: "Virtual Desktops Policy - Contact [email protected] with any questions and concerns. Provide context regarding the issue and any available replication steps."
Prevention Tab - Permissions
- Bypass rules (exclusions) – Policy-level bypass rules help achieve stability in a VDI environment.
Each organization must understand the trade-offs between performance and security. VMware recommends the use of exclusions. Work with stakeholders to review risks and benefits (performance versus visibility) and apply the bypass rules as needed.
Carbon Black Cloud provides exclusions for supported methods as examples. Please review the applications that are installed in the VDI environment and apply any required bypass rules.
The following examples are based on public documentation for Citrix solutions. Additional bypass rules might be needed. Note: Some organizations do not want to bypass winlogon.exe. Citrix recommends that bypass for any AV solution because longer login times are a common problem with VDIs that run AV, and the bypass rule helps restore the expected login experience.
Citrix bypass rules best practices
- **\Program Files*\Citrix\**
- **\AppData\Local\Temp\Citrix\HDXRTConnector\*\*.txt
- **\*.vdiskcache
- **\System32\spoolsv.exe
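To review the performance-versus-visibility trade-off described above, it helps to see exactly which file paths each bypass rule covers. The following is an added example (not VMware or Citrix code); it assumes the common glob semantics in which `**` matches any number of path components, `*` matches within a single component, and matching is case-insensitive as on Windows. The sample paths are constructed.

```python
import re

# Policy-level bypass rules quoted from the Citrix best-practices list above.
CITRIX_BYPASS_RULES = [
    r"**\Program Files*\Citrix\**",
    r"**\AppData\Local\Temp\Citrix\HDXRTConnector\*\*.txt",
    r"**\*.vdiskcache",
    r"**\System32\spoolsv.exe",
]


def rule_to_regex(rule: str) -> re.Pattern:
    """Translate one bypass rule into an anchored, case-insensitive regex.

    Assumed semantics: '**' spans any number of path components (including
    none), '*' matches within a single component, all else is literal.
    """
    parts = []
    i = 0
    while i < len(rule):
        if rule.startswith("**", i):
            parts.append(r".*")          # any run of components
            i += 2
        elif rule[i] == "*":
            parts.append(r"[^\\]*")      # stays inside one component
            i += 1
        else:
            parts.append(re.escape(rule[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


_COMPILED = [(rule, rule_to_regex(rule)) for rule in CITRIX_BYPASS_RULES]


def bypassed_by(path: str) -> list:
    """Return the rules under which the sensor would bypass this path."""
    return [rule for rule, rx in _COMPILED if rx.match(path)]


def review_paths(paths) -> dict:
    """Map each path to its matching rules; an empty list means full visibility."""
    return {p: bypassed_by(p) for p in paths}


if __name__ == "__main__":
    # Constructed sample paths from a hypothetical Citrix VDI clone.
    sample = [
        r"C:\Program Files (x86)\Citrix\ICA Client\wfica32.exe",
        r"C:\Users\jdoe\AppData\Local\Temp\Citrix\HDXRTConnector\12345\log.txt",
        r"D:\PVS\Store\win10.vdiskcache",
        r"C:\Windows\System32\spoolsv.exe",
        r"C:\Users\jdoe\Downloads\setup.exe",
    ]
    for path, rules in review_paths(sample).items():
        print(path, "->", rules or "no bypass (visible)")
```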
Prevention
Blocking and Isolation
Best practices recommend applying Blocking and Isolation rules to address specific attack surfaces. To get started, we recommend that you duplicate the Standard policy rules to the Virtual Desktops policy.
Local Scan tab
- On Access File Scan Mode – Disabled
- Allow Signature Updates – Disabled
It is a best practice to disable Allow Signature Updates for clones. The local scan feature adds network overhead and increases resource utilization. Because most VDI environments maintain 99% uptime, the sensor can pull reputation from the Carbon Black Cloud and enforce policy in real time.
However, you can install the signature pack to the golden image. This installation avoids the performance penalty of running updates on each clone, but allows the clones to have some offline protection. Malware that can be identified by the signature pack on the golden image is detected and blocked independent of Cloud activity.
Installing updates to a golden image works well for clones because the clones are frequently recreated from the golden image and thereby inherit the updates.
Sensor tab
- Run Background Scan – To optimize performance, most VDI vendors recommend disabling any background scan of the file system. Operating under the expectation that the golden image is free of malware, and the clones maintain consistent connectivity to the Cloud, it is not recommended to utilize the background scan feature. Reputation is derived from the Cloud at execution when necessary, per policy configuration. See the following Delay Execute for Cloud scan recommendation.
- Scan files on network drives – Disabled
- Scan execute on network drives – Enabled
- Delay execute for Cloud scan – Enabled. This critical setting serves as the sole point of reference for pre-execution reputation lookups. If it is disabled, endpoints must rely on Application at Path and Deny List rules for pre-execution prevention.
- Hash MD5 – Disabled. The sensor always calculates the SHA-256.
- Auto-deregister VDI sensors that have been inactive for – Enable this setting to remove any clones that have been inactive for the specified duration.