Just Published! Threat Report: Exposing Malware in Linux-Based Multi-Cloud Environments | Download Now

Carbon Black Cloud: How to Run a Background Scan in a Non-Persistent VDI Environment

Carbon Black Cloud: How to Run a Background Scan in a Non-Persistent VDI Environment

Environment

  • Carbon Black Cloud Sensor: 3.3.x.x and Higher
  • Microsoft Windows: All Supported Versions
  • Supported Non-persistent VDI (See Sensor Install Guide for Supported Methods)

Objective

While the official recommendation is to disable the Background Scan Policy setting in a Non-Persistent VDI Environment, this document outlines alternative configuration options.

Resolution

  1. Install Sensor on Primary/Golden image specifying approved Security Identifier (SID) for RepCLI (can be either specific User or Group SID)
    Add the following to command-line install script
    CLI_USERS={Desired_SID}
  2. Log into Primary/Golden image as user account that matches the AD User or Group SID configured at the time of Sensor install
  3. Launch a Command Prompt
  4. Initiate on-demand scan using RepCLI
    "C:\Program Files\Confer\RepCLI.exe" ondemandscan C:\
  5. Progress can be tracked via "repcli status" command, which includes scan information under the General Info section
    > "C:\Program Files\Confer\RepCLI.exe" status
    General Info:
    Sensor Version[3.3.0.984]
    Local Scanner Version[4.9.0.264 - ave.8.3.52.154:avpack.8.4.3.26:vdf.8.15.17.116]
    Details[]
    Kernel File Filter[Connected]
    Background Scan[Complete]
    Total Files Processed[2025]
    Current Directory[None]

Additional Notes

  • The OnDemandScan will run on the specified directory and files and generate file hashes and reputation lookups; data will be stored in local database for future file lookups
  • This local store will help reduce the cost on each cloned machine from having to do hashing, file analysis, and reputation lookups for those files already scanned on the primary image
  • The OnDemandScan will run as an expedited scan, which means the scan will run faster than a normal background scan and may impact performance
  • Any on-demand scans launched by RepCLI will be logged in the Windows Application Logs under Event ID 17

Related Content


Was this article helpful? Yes No
50% helpful (1/2)
Article Information
Author:
Creation Date:
‎08-31-2020
Views:
4308
Contributors