We recommend that Carbon Black Cloud console administrators create specific policies to manage a Citrix golden image.
All clones inherit the policy from the golden image unless otherwise directed by membership in an Asset Group or Sensor Group.
We recommend the following policy settings for a Citrix golden image.
Prevention Tab - Permissions
- Bypass rules (exclusions) – Policy-level bypass rules help achieve stability in a VDI environment.
Each organization must understand the trade-offs between performance and security. Carbon Black recommends the use of exclusions. Work with stakeholders to review risks and benefits (performance versus visibility) and apply the bypass rules as needed.
Carbon Black Cloud provides exclusions for supported methods as examples. Please review the applications that are installed in the VDI environment and apply any required bypass rules.
The following examples are based on public documentation for Citrix solutions. Additional bypass rules might be needed.
Citrix bypass rules best practices
- **\Program Files*\Citrix\**
- **\AppData\Local\Temp\Citrix\HDXRTConnector\*\*.txt
- **\*.vdiskcache
- **\System32\spoolsv.exe
Note: Additional bypass rules might be required. For example, some organizations do not want to bypass winlogon.exe. Bypassing winlogon.exe is a Citrix recommendation for any AV solution, because a common problem with VDIs that run AV is longer login times; this bypass rule helps restore the expected login experience.
Prevention
Blocking and Isolation
Best practices recommend applying Blocking and Isolation rules to address specific attack surfaces. To get started, we recommend that you duplicate the Standard policy rules to the Virtual Desktops policy.
Local Scan tab
- On Access File Scan Mode – Disabled
- Allow Signature Updates – Enabled
Sensor tab
- Run Background Scan – For optimal clone performance, run the background scan on the golden image. This pre-populates the sensor cache with the reputation of files that are currently on the system and improves clone performance. A background scan takes some time to complete, and not all users want to wait for the scan when creating a new image. For performance-sensitive customers, the extra wait time might be worth it if the image is deployed at scale.
- Scan files on network drives – Disabled
- Scan execute on network drives – Enabled
- Delay execute for Cloud scan – Enabled. This critical setting serves as the sole point of reference for pre-execution reputation lookups. If it is disabled, endpoints must rely on Application at Path and Deny List rules for pre-execution prevention.
- Hash MD5 – Disabled. The sensor always calculates the SHA-256.
- Auto-deregister VDI sensors that have been inactive for – Disable this setting to prevent unintentional uninstall of the sensor.
Note: Previously, Carbon Black Cloud could automatically deregister golden image machines due to inactivity. Carbon Black Cloud no longer leverages time-based deregistration for any VM that has a child.