EDR: How to Create a Base "Gold Disk" Image For VDI Deployment

Environment

  • EDR Sensor: 5.x and Higher
  • Microsoft Windows: All Supported Versions

Objective

To create a gold master disk that ensures all future cloned images check in as unique sensors to the EDR Server.

Resolution

  1. On the base system, ensure that the sensor id is set to 0.
  2. Stop the EDR services on the base image sensor version 7.1.x and below:
         sc stop carbonblack
         sc stop carbonblackk
  3. For sensor version 7.2.0 and above, follow this link to disable the sensor.
  4. Edit the registry key that holds the Sensor ID:
         HKEY_LOCAL_MACHINE\SOFTWARE\CarbonBlack\config\SensorId
  5. Set that value to 0.
  6. Delete everything in:
         C:\Windows\CarbonBlack\EventLogs\*
  7. Delete any cached binaries in this folder, but leave the "catalog" file present:
         C:\Windows\CarbonBlack\store\MD5_*
  8. Shut down the master image.
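
The steps above as a single PowerShell script that also verifies the result before shutdown. This is an added example, not part of the original article or the vendor's tooling. It covers sensor 7.1.x and below only; the 30-second stop timeout and the catalog* file match are assumptions.

```powershell
# Added example: gold image preparation for EDR sensor 7.1.x and below.
# Run from an elevated PowerShell prompt on the base image.
$ErrorActionPreference = 'Stop'
$cfgKey   = 'HKLM:\SOFTWARE\CarbonBlack\config'
$eventDir = 'C:\Windows\CarbonBlack\EventLogs'
$storeDir = 'C:\Windows\CarbonBlack\store'
$services = 'carbonblack', 'carbonblackk'

function Test-Stopped([string]$Name) {
    # sc.exe query reports "STATE : 1  STOPPED" once a service or driver is down
    [bool]((& sc.exe query $Name) -match '\bSTOPPED\b')
}

# Stop the services. Use sc.exe by its full name: in Windows PowerShell,
# "sc" is an alias for Set-Content.
foreach ($svc in $services) {
    & sc.exe stop $svc | Out-Null
    $deadline = (Get-Date).AddSeconds(30)   # assumed timeout
    while (-not (Test-Stopped $svc)) {
        if ((Get-Date) -gt $deadline) { throw "$svc did not stop" }
        Start-Sleep -Seconds 1
    }
}

# Reset the Sensor ID so each clone registers as a new sensor
Set-ItemProperty -Path $cfgKey -Name SensorId -Value 0

# Delete everything in EventLogs
Get-ChildItem -Path $eventDir -Force | Remove-Item -Recurse -Force

# Delete cached binaries (MD5_*); the catalog file is not matched and stays
Get-ChildItem -Path $storeDir -Filter 'MD5_*' -Force | Remove-Item -Recurse -Force

# Verify the image state before shutting down
$problems = @()
if ((Get-ItemProperty -Path $cfgKey -Name SensorId).SensorId -ne 0) { $problems += 'SensorId is not 0' }
if (Get-ChildItem -Path $eventDir -Force) { $problems += 'EventLogs is not empty' }
if (Get-ChildItem -Path $storeDir -Filter 'MD5_*' -Force) { $problems += 'cached binaries remain in store' }
# Assumption: the catalog file name starts with "catalog"
if (-not (Test-Path (Join-Path $storeDir 'catalog*'))) { $problems += 'catalog file is missing' }
foreach ($svc in $services) { if (-not (Test-Stopped $svc)) { $problems += "$svc is not stopped" } }

if ($problems) { $problems | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Output 'Image is ready: shut down without starting the EDR services.'
```

If the services start again after the script runs, the server assigns a new SensorId and the script has to be run again before the image is captured.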

Additional Notes

  • Full instructions can be found in the Integration Guide documentation here
  • It is important to not start the services on the Windows endpoint after the Sensor ID has been set to 0. If that occurs, you will have to reset it back to 0 because the server will provide it with a SensorID.
  • Ensure that the Sensor Groups in the EDR console have been configured to allow VDI.  

Creation Date: 09-03-2020