EDR: Set Up and Customize Virtual Desktop Infrastructure (VDI)

Article ID: 285269

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

Enable and configure VDI settings allowing EDR to recognize rebuilt or re-imaged virtual machines.

Environment

EDR Servers: 7.6+

Resolution

1. Add VDI configuration lines to /etc/cb/cb.conf.
 Adding the two lines below enables the VDI feature. By default, sensors are then mapped by hostname and IP address, per the VDI settings configured in the EDR GUI under Settings > VDI Settings. Make a backup of cb.conf before making changes. If EDR is a cluster, add the lines to each EDR server.

# Added <date>
VDIAPIEnabled=True


2. Restart cb-enterprise or cbcluster for the changes to take effect.

Standalone Server:
service cb-enterprise restart

Cluster:
/usr/share/cb/cbcluster stop
/usr/share/cb/cbcluster start


3. Ensure the master image ('gold disk') template has SensorId set to 0 and that the event and binary data have been removed.

Windows:
sc stop carbonblack
sc stop carbonblackk
regedit - Modify HKLM/software/carbonblack/config/SensorId to 0
del c:\windows\carbonblack\eventlogs\*
del c:\windows\carbonblack\store\MD5_*

Linux:
systemctl stop cbdaemon

vim /var/opt/carbonblack/response/sensorsetting.ini
VdiEnabled=1

vim /var/opt/carbonblack/response/config.ini
SensorId=0
SensorIdforDisplay=0

rm -rf /var/opt/carbonblack/response/store/*
rm -rf /var/opt/carbonblack/response/eventlogs/*

OSX:
launchctl unload /Library/LaunchDaemons/com.carbonblack.daemon.plist
vi /var/lib/cb/sensor.id  (Replace current id with 0)


4.  In the EDR Console, choose which attributes define a virtual machine or rebuilt system.
User > Settings > VDI Settings > Edit > Save


 

5.  Configure the groups to accept the VDI settings.  With the sensor group VDI option, the server attempts to correlate only sensors that are in a VDI-enabled group. For this to occur, the desired sensor group VDI behavior setting must be enabled.

To set up group-based VDI support:
1 Log in to the Carbon Black EDR console.
2 To configure a group for VDI support, click Sensors on the navigation bar.
3 From the Sensors menu, select the sensor group to configure for VDI support.
4 Click the Edit Settings tab. The Edit Settings page appears.
5 On the Advanced tab, select the VDI Behavior Enabled checkbox.
6 Click the Save Changes button to enable the configuration.
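
A pre-seal check for the Linux gold image from step 3, added here as an example (it is not part of the original article or of Carbon Black's tooling). The function names and the optional root-prefix argument are hypothetical, and the script assumes the two .ini files hold flat key=value lines as shown in step 3.

```shell
#!/usr/bin/env bash
# Added example: verify a Linux gold image matches step 3 before it is cloned.
# Function names and the root-prefix argument are hypothetical; the file
# paths, keys and expected values are the ones listed in step 3.

# ini_value FILE KEY -> prints the value of the last uncommented KEY= line
ini_value() {
    [ -r "$1" ] || return 1
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        tail -n 1 | tr -d '[:space:]'
}

# dir_is_empty DIR -> success when DIR is absent or has no entries at all
# (ls -A also reports dotfiles, which a "rm -rf DIR/*" glob leaves behind)
dir_is_empty() {
    [ ! -d "$1" ] || [ -z "$(ls -A "$1" 2>/dev/null)" ]
}

# check_gold_image [ROOT] -> returns 0 only if every step 3 condition holds
check_gold_image() {
    local base rc spec file rest key want got dir
    base="${1:-}/var/opt/carbonblack/response"
    rc=0
    for spec in sensorsetting.ini:VdiEnabled:1 config.ini:SensorId:0 \
                config.ini:SensorIdforDisplay:0; do
        file=${spec%%:*}; rest=${spec#*:}; key=${rest%%:*}; want=${rest#*:}
        got=$(ini_value "$base/$file" "$key") || got="<unreadable>"
        if [ "$got" != "$want" ]; then
            echo "FAIL $file: $key=${got:-<missing>} (expected $want)" >&2
            rc=1
        fi
    done
    for dir in store eventlogs; do
        if ! dir_is_empty "$base/$dir"; then
            echo "FAIL $dir/: leftover sensor data" >&2
            rc=1
        fi
    done
    return "$rc"
}
```

On the image itself, after `systemctl stop cbdaemon`, call `check_gold_image` with no argument; a non-zero return means the template still carries a sensor ID or data from step 3 and is not ready to be cloned.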


 

Additional Information

  • The Console VDI attribute selections have replaced the need to modify the /usr/share/cb/plugins/default_new_sensor_registration_callback.py file.
  • If the plugins do need to be configured, add the two lines below to cb.conf and make sure that VDIAPIEnabled=True is commented out.
    NewRegistrationCallbackModulePath=/usr/share/cb/plugins/default_new_sensor_registration_callback.py
    NewRegistrationCallbackClassName=DefaultNewRegistrationCallback
  • If you opted to configure the plugins, make sure you modify the plugin settings in the file /usr/share/cb/plugins/default_new_sensor_registration_callback.py.