In Virtual Desktop Infrastructure (VDI) environments, Carbon Black Response can be staged on your Gold Image to facilitate deployment and administration of Response sensors across all related virtual machines.

Note that these settings apply to Windows and OSX VDI configurations only; VDI behavior is not supported for Linux sensors at this time.

Part 1: Activate VDI Mode on your Cb Response server

  • If Red Canary hosts your Cb Response server, visit your Portal Help page and click "Please enable VDI mode for my Carbon Black Response server" to request that we enable VDI
  • If you are a Cb Cloud customer, please email to coordinate with Cb Support to enable the needed settings
  • If you host your own Cb Response instance internally, please reference the correct Response Integration Guide on the Cb User Exchange for the necessary server-side configurations

Part 2: Create and configure a VDI Sensor Group

1. Under the Sensors section of your Response server, select the Create Group button to create a new sensor group in which your VDI endpoints will reside. 

2. Mirror the settings from your Default Group to your new group, paying close attention to the Server URL and Advanced Options

3. Select the VDI Behavior Enabled option in the Advanced Options tab, in addition to the other settings enabled there.

Part 3: Download the VDI-enabled sensor

1. On the Sensors page of your Response server, select your new VDI Sensor Group. 

2. Click Download Sensor Installer and download either the Windows Standalone Executable or OSX Standalone PKG

Part 4: Install the sensor on your Gold Image

Bring up your Gold Image system (in Private Mode if possible) and install the Cb Response sensor as usual. After installing the sensor, configure the system using the following steps:

Note that these steps must be performed each time the Gold Image is brought up for maintenance.

Windows Sensors

Open an elevated command prompt and run the following:

sc stop carbonblack
sc stop carbonblackk
for /d %G in ("%WINDIR%\CarbonBlack\store\MD5_*") do rd /s /q "%~G"
del %WINDIR%\CarbonBlack\EventLogs\active-event.log
del %WINDIR%\CarbonBlack\EventLogs\eventlog_*
reg add HKEY_LOCAL_MACHINE\SOFTWARE\CarbonBlack\config /t REG_SZ /v SensorId /d 0 /f
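
A pre-seal check for the Windows steps above, as an added example that is not part of the original article or Carbon Black's tooling: it confirms the state those commands are meant to leave behind (both services stopped, no MD5_* store directories, no event logs, SensorId set to 0) before the image is saved. It uses only the service names, paths and registry value shown above; querying Win32_BaseService for the service state is a choice made for this example.

```powershell
# Added example: run from an elevated PowerShell prompt on the Gold Image.
# Service names, paths and the registry value are the ones used in the steps above.
$cbDir  = Join-Path $env:WINDIR 'CarbonBlack'
$issues = @()

# 1. The sensor service and its kernel driver must both be stopped.
#    Win32_BaseService covers ordinary services and drivers alike.
foreach ($name in 'carbonblack', 'carbonblackk') {
    $svc = Get-CimInstance -ClassName Win32_BaseService -Filter "Name='$name'"
    if (-not $svc) {
        $issues += "Service '$name' not found (is the sensor installed?)"
    } elseif ($svc.State -ne 'Stopped') {
        $issues += "Service '$name' is $($svc.State), expected Stopped"
    }
}

# 2. No MD5_* directories may remain in the store.
$store = Get-ChildItem -Path (Join-Path $cbDir 'store') -Directory -Filter 'MD5_*' `
    -ErrorAction SilentlyContinue
if ($store) { $issues += "$(@($store).Count) MD5_* store directories remain" }

# 3. No active or rotated event logs may remain.
$logs = Get-ChildItem -Path (Join-Path $cbDir 'EventLogs') -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -eq 'active-event.log' -or $_.Name -like 'eventlog_*' }
if ($logs) { $issues += "$(@($logs).Count) event log files remain" }

# 4. SensorId must be 0. Compare as a string so the check works whether the
#    value is stored as REG_SZ (as written by the reg add above) or as a number.
$cfg = Get-ItemProperty -Path 'HKLM:\SOFTWARE\CarbonBlack\config' -Name SensorId `
    -ErrorAction SilentlyContinue
if ($null -eq $cfg) {
    $issues += 'SensorId value is missing from the config key'
} elseif ("$($cfg.SensorId)" -ne '0') {
    $issues += "SensorId is '$($cfg.SensorId)', expected 0"
}

# Report every problem found and fail, so the check can gate an image build.
if ($issues) {
    $issues | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Output 'Gold Image sensor state is clean.'
```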

Save and deploy your image.

OSX Sensors
Open a terminal window and run the following:

sudo launchctl unload /Library/LaunchDaemons/com.carbonblack.daemon.plist
sudo rm -rf /var/lib/cb/store/MD5_*
sudo rm -rf /var/lib/cb/event.log*
echo 0 > /var/lib/cb/

Save and deploy your image.
