We recommend that the golden image be in a separate policy from its clones. Use sensor groups to avoid the clones inheriting the golden image policy.

Important: Asset Groups is available to Carbon Black Cloud customers on 27 November 2023. Carbon Black recommends that you upgrade from Sensor Groups to Asset Groups as soon as it is operationally feasible for your organization. Sensor Groups will be phased out by 01 December 2024. See Asset Groups and Sensor Groups in the User Guide.

To get started, we recommend that you duplicate the Standard policy rules to the full clone policy. We then recommend the following specific policy settings for Horizon full clones.

General Tab

  • Name – For easy identification we recommend giving the policy a name that distinguishes the sensors as Full Clones.
  • Description – This policy is optimized for Horizon full clones. Special considerations improve performance and provide a strong base of reputation, behavioral, and targeted prevention.
  • Target Value – Medium

Sensor Tab

  • Display sensor message in system tray – Enable this setting and add a message similar to this sample text: "Virtual Desktops Policy - Contact someone@example.com with any questions and concerns. Provide context regarding the issue and any available replication steps."

Prevention Tab - Permissions

  • Bypass rules (exclusions) – Policy-level bypass rules help achieve stability in a VDI environment.

    Each organization must understand the trade-offs between performance and security. VMware recommends the use of exclusions. Work with stakeholders to review risks and benefits (performance versus visibility) and apply the bypass rules as needed.

    Carbon Black Cloud provides exclusions for supported methods as examples. Please review the applications that are installed in the VDI environment and apply any required bypass rules.

    The following examples are based on public documentation for VMware solutions. Additional bypass rules might be needed.

VMware bypass rules best practices

**\Program Files\VMware\**,
**\Program Files*\cloudvolumes\agent\svhook64.dll,
**\SnapVolumesTemp**,
**\SVROOT**,
**\SoftwareDistribution\DataStore**,
**\System32\Spool\Printers**,
**\ProgramData\VMware\VDM\Logs**,
**\AppData\VMware\**
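
As an added example (not from the Carbon Black documentation), the following Python script checks candidate paths against the bypass rules listed above so an administrator can see how broad each exclusion is before applying it. It assumes the usual sensor glob semantics (`**` spans directory separators, `*` stays within one path segment, matching is case-insensitive); the sample paths are constructed.

```python
import re
from typing import Iterable, Optional

# The bypass rules recommended above, copied verbatim.
BYPASS_RULES = [
    r"**\Program Files\VMware\**",
    r"**\Program Files*\cloudvolumes\agent\svhook64.dll",
    r"**\SnapVolumesTemp**",
    r"**\SVROOT**",
    r"**\SoftwareDistribution\DataStore**",
    r"**\System32\Spool\Printers**",
    r"**\ProgramData\VMware\VDM\Logs**",
    r"**\AppData\VMware\**",
]


def rule_to_regex(rule: str) -> "re.Pattern[str]":
    """Translate one bypass pattern into an anchored, case-insensitive regex.

    Assumed semantics: '**' matches any run of characters including '\\',
    '*' matches within a single path segment, everything else is literal.
    Note that a trailing '**' with no separator (e.g. '\\SVROOT**') also
    covers siblings such as '\\SVROOT_backup\\...'.
    """
    parts = []
    i = 0
    while i < len(rule):
        if rule.startswith("**", i):
            parts.append(".*")
            i += 2
        elif rule[i] == "*":
            parts.append(r"[^\\]*")
            i += 1
        else:
            parts.append(re.escape(rule[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


COMPILED = [(rule, rule_to_regex(rule)) for rule in BYPASS_RULES]


def matching_rule(path: str) -> Optional[str]:
    """Return the first bypass rule that covers `path`, or None if still scanned."""
    for rule, rx in COMPILED:
        if rx.match(path):
            return rule
    return None


def audit(paths: Iterable[str]) -> dict:
    """Map each candidate path to the rule that bypasses it (None = no bypass)."""
    return {p: matching_rule(p) for p in paths}
```

Run `audit()` over a file inventory from a representative clone to list exactly which paths fall outside sensor visibility; any hit outside the VMware/App Volumes directories is worth a second look.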

Prevention

Blocking and Isolation

Best practices recommend applying Blocking and Isolation rules to address specific attack surfaces.

Local Scan tab

  • On Access File Scan Mode – Enabled
  • Allow Signature Updates – Enabled

Full clones are rarely recreated from the golden image, so they would not otherwise receive updated signatures through a refreshed image. Enable Allow Signature Updates for full clones so that each clone downloads signature updates itself.

Sensor tab

  • Run Background Scan – Disabled. To optimize performance, complete a background scan on the golden image, then disable the background scan in the policy assigned to the clones.
  • Scan files on network drives – Disabled
  • Scan execute on network drives – Enabled
  • Delay execute for Cloud scan – Enabled. This critical setting serves as the sole point of reference for pre-execution reputation lookups. If it is disabled, endpoints must rely on Application at Path and Deny List rules for pre-execution prevention.
  • Hash MD5 – Disabled. The sensor always calculates the SHA-256.
  • Auto-deregister VDI sensors that have been inactive for – Disable this setting to prevent unintentional uninstall of the sensor.

Behavior of a Quarantined Instant Clone VM

Carbon Black Cloud Quarantine prevents suspicious activity and malware from affecting the rest of your network by isolating the affected asset from the network. As a result of this network isolation, the Horizon agent communication from an instant clone VM to the Horizon connection server is cut off. To consider the full implications of this scenario, please see the following KB: Best Practices when Using Endpoint Detection and Response (EDR) Tools with Horizon (95512).