Environment
EDR Servers: 7.6+
Objective
Enable and configure VDI settings allowing EDR to recognize rebuilt or re-imaged virtual machines.
Resolution
1. Add VDI configuration lines to /etc/cb/cb.conf.
1a. Adding the two lines below enables the VDI feature and defaults to mapping sensors by hostname (and the DNS name). The advantage is enabling VDI but not allowing it to be configurable by the EDR Console. Warning: The lines must match exactly with no extra spaces, special characters, and have the right case. Make a backup of cb.conf before making changes. If EDR is a cluster, add the lines to each EDR server.
2. Restart cb-enterprise or cbcluster for the changes to take affect.
3. Ensure the master image, 'gold disk', template has a sensorID=0, and the events and binary data have been removed.
4. In the EDR Console, choose which attributes define a virtual machine or rebuilt system.
User > Settings > VDI Settings > Edit > Save
This is a article attached image
5. Configure the groups to accept the VDI settings. With the sensor group VDI option, the server attempts to correlate only sensors that are in a VDI-enabled group. For this to occur, the desired sensor group VDI behavior setting must be enabled.
1a. Adding the two lines below enables the VDI feature and defaults to mapping sensors by hostname (and the DNS name). The advantage is enabling VDI but not allowing it to be configurable by the EDR Console. Warning: The lines must match exactly with no extra spaces, special characters, and have the right case. Make a backup of cb.conf before making changes. If EDR is a cluster, add the lines to each EDR server.
# Added <date> NewRegistrationCallbackModulePath=/usr/share/cb/plugins/default_new_sensor_registration_callback.py NewRegistrationCallbackClassName=DefaultNewRegistrationCallback VDIAPIEnabled=True1b. Adding the line below overrides the variables in 1a, and instructs EDR that VDI is controlled and configurable by the console. If EDR is a cluster, add the line to each EDR server.
# Added <date> VDIAPIEnabled=True
2. Restart cb-enterprise or cbcluster for the changes to take affect.
Standalone Server: service cb-enterprise restart Cluster: /usr/share/cb/cbcluster stop /usr/share/cb/cbcluster start
3. Ensure the master image, 'gold disk', template has a sensorID=0, and the events and binary data have been removed.
Windows: sc stop carbonblack sc stop carbonblackk regedit - Modify HKLM/software/carbonblack/config/SensorId to 0 del c:\windows\carbonblack\eventlogs\* del c:\windows\carbonblack\store\MD5_*
Linux: systemctl stop cbdaemon vim /var/opt/carbonblack/response/sensorsetting.ini VdiEnabled=1 vim /var/opt/carbonblack/response/config.ini SensorId=0 SensorIdforDisplay=0 rm -rf /var/opt/carbonblack/response/store/* rm -rf /var/opt/carbonblack/response/eventlogs/*
OSX: launchctl unload /Library/LaunchDaemons/com.carbonblack.daemon.plist vi /var/lib/cb/sensor.id (Replace current id with 0)
4. In the EDR Console, choose which attributes define a virtual machine or rebuilt system.
User > Settings > VDI Settings > Edit > Save
This is a article attached imageTo set up group-based VDI support: 1 Login to the Carbon Black EDR console. 2 To configure a group for VDI support, click Sensors on the navigation bar. 3 From the Sensors menu, select the sensor group to configure for VDI support. 4 Click the Edit Settings tab. The Edit Settings page appears. 5 On the Advanced tab, select the VDI Behavior Enabled checkbox. 6 Click the Save Changes button to enable the configuration.
Additional Notes
- The Console VDI attribute selections have replaced the need to modify the /usr/share/cb/plugin files.
Related Content
- VMware Carbon Black Integrations Guide, Chap 8. Deploying a VDI Support Plug-in
- EDR: How to Create a Base "Gold Disk" Image For VDI Deployment
- EDR: Does EDR Support VDI for Linux Endpoints?
- EDR: How to Enable Logging for VDI SensorID Lookup
Thank you for your feedback.
Your feedback has been submitted and will be reviewed.