Carbon Black Policy Setting Recommendations for Citrix Golden Images

We recommend that Carbon Black Cloud console administrators create specific policies to manage a Citrix golden image.

All clones inherit the policy from the golden image unless otherwise directed by membership in an Asset Group or Sensor Group.

Important: Asset Groups is available to Carbon Black Cloud customers on 27 November 2023. Carbon Black recommends that you upgrade from Sensor Groups to Asset Groups as soon as it is operationally feasible for your organization. Sensor Groups will be phased out by 01 December 2024. See Asset Groups and Sensor Groups in the User Guide.

We recommend the following policy settings for a Citrix golden image.

Prevention Tab - Permissions

Bypass rules (exclusions) – Policy-level bypass rules help achieve stability in a VDI environment.
Each organization must understand the trade-offs between performance and security. Carbon Black recommends the use of exclusions. Work with stakeholders to review risks and benefits (performance versus visibility) and apply the bypass rules as needed.
Carbon Black Cloud provides exclusions for supported methods as examples. Please review the applications that are installed in the VDI environment and apply any required bypass rules.
The following examples are based on public documentation for Citrix solutions. Additional bypass rules might be needed.
Citrix bypass rules best practices
```
**\Program Files*\Citrix\**
            **\AppData\Local\Temp\Citrix\HDXRTConnector\*\*.txt
            **\*.vdiskcache
            **\System32\spoolsv.exe
```
Note: Additional bypass rules might be required. For example, some organizations do not want to bypass winlogon.exe. This is a Citrix recommendation for any AV solution because a common problem with VDIs that use AV is longer login times. This bypass rule helps restore the expected experience.

Prevention

Blocking and Isolation

Best practices recommend applying Blocking and Isolation rules to address specific attack surfaces. To get started, we recommend that you duplicate the Standard policy rules to the Virtual Desktops policy.

Local Scan tab

On Access File Scan Mode – Disabled
Allow Signature Updates – Enabled

Sensor tab

Run Background Scan – For optimal clone performance, run the background scan on the golden image. This pre-populates the sensor cache with the reputation of files that are currently on the system and improves clone performance. A background scan takes some time to complete, and not all users want to wait for the scan when creating a new image. For performance sensitive customers, the extra wait time might be worth it if the image is deployed at scale.
Scan files on network drives – Disabled
Scan execute on network drives – Enabled
Delay execute for Cloud scan – Enabled. This critical setting serves as the sole point of reference for pre-execution reputation lookups. If it is disabled, endpoints must rely on Application at Path and Deny List rules for pre-execution prevention.
Hash MD5 – Disabled. The sensor always calculates the SHA-256.
Auto-deregister VDI sensors that have been inactive for – Disable this setting to prevent unintentional uninstall of the sensor.

Note: Previously, Carbon Black Cloud could automatically deregister golden image machines due to inactivity. Carbon Black Cloud no longer leverages time-based deregistration for any VM that has a child.