
How to create an image for Windows persistent and non-persistent environments (VDI) with products based on Aether Platform

Information applies to:

Products
  • Panda Adaptive Defense 360 on Aether Platform
  • Panda Adaptive Defense on Aether Platform
  • Panda Endpoint Protection on Aether Platform
  • Panda Endpoint Protection Plus on Aether Platform

IMPORTANT INFORMATION YOU MUST READ BEFORE YOU START!

It is critical that you follow this procedure step-by-step and that once you complete it, you verify that all cloned devices are displayed in the web UI.

ATTENTION!
Devices cloned incorrectly affect visibility of monitored actions, impact the reliability of the Advanced Protection and can compromise the security of your infrastructure.

If you only see a single device in the web UI, you must repeat the process, rebuild the gold image and deploy it again to the affected endpoints as soon as possible. For any questions, contact Technical Support.

Introduction
In large networks with many similar computers, you can automate the process to install the operating system and other software with a gold image. This is sometimes referred to as a master image, base image, or clone image. You then deploy the gold image to all computers on the network, which eliminates most of the manual work required to set up a new computer.

To generate a gold image, install an up-to-date operating system with all the software that users might need, such as security tools, on a computer on your network. Once the computer is ready, you need to use virtualization software to "seal" the installation and distribute it to the computers on the network. For information specific to your virtualization solution, consult your vendor's documentation.

The installation procedure requires the preparation of a template (for persistent environments) or a gold image (for non-persistent environments) that will be later deployed to the virtual computers on the network.

In persistent environments, information stored on the computer's hard disk persists between reboots. Therefore, you must install an updated version of the operating system with all the programs that users need and then create the template with your product protection updates configured.

In non-persistent environments, two security configuration profiles will be created; one to update the gold image when it is prepared and for maintenance purposes, and one to disable updates when the gold image is running, as it is not appropriate to update the client software when the computer's storage system reverts to its original state with each reboot.

This article offers a step-by-step walkthrough of how to install Panda Security solutions for Windows on Aether platform in persistent and non-persistent Virtual Desktop Infrastructure (VDI) environments. Due to their characteristics, virtual computers or instances require you to follow a specific procedure to ensure that the images or templates to be used in virtual environments are up to date, and don't have a previously assigned machine ID so that, when a virtual computer is started, it is uniquely registered in the Web UI.

It is very important to follow this procedure closely to:

  1. Ensure engine and knowledge updates.
  2. Optimize resource and bandwidth consumption in non-persistent environments.
  3. Ensure virtual instances are uniquely identified.

Prerequisites

  • In persistent environments, computers must have fixed MAC addresses.
  • The computer used to generate the template or gold image must have an Internet connection.
  • Endpoint Agent Tool for Windows must be run as administrator. It has a graphical interface but can also be run from the command line.
    If you run the tool from a .bat or .cmd file, you must use this command: start /wait "".
    For example, if the instruction is: EndpointAgentTool.exe /sg, this is the command you must type:

    start /wait "" "C:\Path\EndpointAgentTool.exe" /sg

Compatibilities
Generally, the procedure described in this document works with the following types of virtual machines:

  • VMware Workstation
  • VMware Server
  • VMware ESX
  • VMware ESXi
  • Citrix XenDesktop
  • XenApp
  • XenServer
  • MS Virtual Desktop
  • MS Virtual Servers
Procedure for Persistent Environments
PHASE I - PREPARE THE COMPUTER THE TEMPLATE IS CREATED FROM

  1. Install or update the operating system with the user's applications.
  2. From the Aether platform, create a group called Virtual machines to host the template and the virtual machines. To do so, follow these steps:

    • Click on the Computers tab.
    • Select My organization from the left pane.
    • Select Add group.

  3. Create a settings profile with automatic Agent and Adaptive Defense 360 updates. To do so, follow these steps:

    • Click on the Settings tab.
    • Select Per-computer settings from the left pane.
    • Click Add to create a settings profile that will ensure the image is updated.
    • Make sure the Automatically update Panda Adaptive Defense 360 on computers toggle is enabled.

    • Assign these settings to the Virtual machines group you created earlier for the template.
  4. Select the Settings tab and select Workstations and servers on the Security left pane.
    • Click Add to create a new profile with automatic Knowledge updates enabled and type a name and description if required.
    • Select General and enable the Automatic Knowledge Updates toggle.

    • Assign these settings to the Virtual machines group.
  5. Install the agent and the protection on the Virtual machines group:
    • From the top navigation bar, select Computers, select the Virtual machines template group and click on Add computers to download the installer.

    • Install the agent on the template and wait for the progress window to finish.
      During that time, the protection will be automatically installed, configured and updated. After the installation is completed, the computer will appear on the list of protected computers in the Web UI, with a green icon. The computer's protection and knowledge will be updated.
  6. Download the Endpoint Agent Tool for Windows, unzip it and run it on the computer with the template.
    • In the Non exclusive events section, select Detections, Counters and Check commands and click Send, or else, right-click on the protection icon and select Synchronize.

      If you do it from the command line, type in: EndpointAgentTool.exe /d /c /cmd

    • Remove the computer's ID. To do so, leave the Is a gold image checkbox unchecked.
    • If the computer is protected with Anti-Tamper, enter the password in the AntiTamper password field.

      If you use the command line, type in:

      EndpointAgentTool.exe /pei /atp:antitamperpassword

      If there is no password, do not add the atp parameter.
    • Click on the Prepare image button.
      This removes the agent ID from the template, so that all virtual machines obtain their ID when they connect to Aether for the first time.


  7. ATTENTION! Disable the Panda Endpoint Agent service so the service does not start automatically before the template is created for your virtual instances.

    This step is critical to ensure that each virtual machine is uniquely identified in the Web UI.
  8. Access the virtual environment management tool and generate the template. If you have questions about this step, contact your vendor.
PHASE II - MODIFY THE PANDA SERVICE'S STARTUP TYPE

Once the custom template is ready, you can enable the Panda Endpoint Agent service, either with GPO policies for devices within a domain, or through other types of script applications such as Horizon, Windows Logon Scripts, etc. In this example, we explain how to change the Panda Endpoint Agent service's startup type, using GPO. First, you must create a GPO.

In the GPO settings, go to the following path: Computer Configuration, Policies, Windows Settings, Security Settings, System Services, Panda Endpoint Agent. The service will be disabled. Change the status to Automatic. The service will start automatically on the next reboot and will be integrated in the console.

The Group Policy Management Editor screen looks like this:

Procedure for Non-Persistent Environments
PHASE I - PREPARE AND GENERATE GOLD IMAGE

Before you create the gold image, prepare the computer where you are going to create it:
  1. Install/update the operating system with the user's applications.
  2. From the product's console, create a group where you will host the gold image (Gold group or template image) and the virtual computers (Virtual machines group).
    • Gold or Template image Group
      • Go to the Settings tab, click Per-computer settings and create a settings profile for future image updates.
      • Make sure the Automatically update Panda All features on computers toggle is enabled.
      • Select the Automatically Restart both workstations and servers option to make sure the computer will be updated.
      • Assign these settings to the Gold or template image group.
      • Next, click the Settings tab, and select Workstations and servers from the Security section to create a settings profile for future image updates.
      • Expand General and in the Updates section, make sure the Automatic knowledge updates toggle is enabled.
      • Assign these settings to the Gold or template image group.
    • Virtual machines group
      Virtual instances are based on the updated gold image. To optimize the VDI server's resources and reduce bandwidth usage, disable updates by following these steps:
      • Create a Per-computer settings profile that has the Automatically update Panda Adaptive Defense 360 on computers toggle disabled, and assign it to the Virtual Machines group.

      • Go to Workstations and servers in the Security section of the Settings tab, expand General, go to the Updates section, disable the Automatic knowledge updates toggle, and assign those settings to the Virtual Machines group.

  3. Install the agent and the protection on the Virtual Machines group in order to generate the gold image:
    • Go to the Computers tab, select the Virtual Machines group, and click Add computers. This will download the installer.
    • Install the agent on the machine used to create the gold image and wait for the progress window to finish. During that time, the protection will be automatically installed and configured. After the installation is completed, the computer will appear on the list of protected computers in the console.
  4. Move the machine with the gold image to its Gold or template image group so that it receives the settings with the option to update. We recommend that, from the computer, you right-click the protection icon in the notifications area of the taskbar, and force a synchronization. This will push the settings to the computer so that it will start updating.
  5. Download the Endpoint Agent Tool for Windows, unzip it and run it on the computer with the gold image.
    • Although it is not mandatory, in non-persistent environments with persistence levels of less than a week, we recommend that you scan the computer.
      • For Adaptive Defense 360, you can use the scan option available either from the right-click menu or from Adaptive Defense 360 interface.
      • For Adaptive Defense, use the Start cache scan button from the Endpoint Agent Tool for Windows interface.

        This will fill the goodware cache and prepare the protection for virtual images. The process can take some time, depending on the contents of the hard disk. Wait until the operation finishes.

        Equivalent command line: EndpointAgentTool.exe /sg

        Remember that if you use a .bat or .cmd file, you must run this command:

        start /wait "" "C:\ToolPath\EndpointAgentTool.exe" /sg
    • In the Non Exclusive Events section, select the Detections, Counters and Check commands options and click Send or else, right-click on the protection icon and select Synchronize.

      Equivalent command line:

      EndpointAgentTool.exe /d /c /cmd

    • Remove the ID of the computer, by selecting the checkbox Is a gold image.
    • If the computer is protected by AntiTamper, type in the password in the AntiTamper password field.

      Equivalent command line:

      EndpointAgentTool.exe /pei /gi /atp:antitamperpassword

      If there is no password, leave the atp value blank.
    • Click the Prepare image button. This removes the agent ID from the gold image, so all virtual machines obtain their ID when they are run and connect to Aether for the first time.

      This step is critical to ensure that each virtual instance is uniquely identified in the Web UI.

  6. ATTENTION! Disable the Panda Endpoint Agent service to prevent it from starting automatically before the gold image is created for your virtual instances.

    This step is critical to generate a specific ID for each virtual machine.
  7. Access the VDI management tools and generate the gold image. If you have questions about this step, contact your vendor.
  8. You can configure the maximum number of non-persistent machines that can be active simultaneously in the VDI environments section of the Web UI. This enables automatic management of the licenses used by those machines, relieving you of the task of deleting them from the Aether platform to recover their licenses.
PHASE II - MODIFY THE PANDA SERVICE STARTUP TYPE

Once the custom gold image is ready, you can enable the Panda Endpoint Agent service, either with GPO policies for devices within a domain, or through other types of script applications such as Horizon, Windows Logon Scripts, etc.

In this example, we show you how to change the Panda Endpoint Agent service's startup type with GPO. First, you must create a GPO. To do so, in the GPO settings, browse to this path: Computer Configuration, Policies, Windows Settings, Security Settings, System Services, Panda Endpoint Agent. The service will be disabled. Change the setting to Automatic. The service will start automatically on the following reboot and will be integrated in the console.

The GPO report looks like this:

PHASE III - MAINTENANCE OF THE GOLD IMAGE
The agent, the protection, and the signatures of the gold image created must be updated frequently, at least once a month. These updates are essential to ensure maximum protection against the new attack techniques developed by hackers. Follow these steps to update the gold image:
  1. Start the machine where the gold image is installed.
  2. From the console, move the computer with the gold image to the Gold or template image group so that it receives the appropriate settings with automatic updates of the engine and knowledge.
  3. From the computer, right-click the protection icon in the notifications area of the taskbar to force a synchronization. This will update the computer.
    • Updates are performed silently in the background. We recommend that you wait a few minutes to make sure the image is properly updated.
    • If a new version of the protection is available, a restart window will be displayed and the computer will restart automatically (as configured in Per-computer settings).

      In this case, once the restart is completed, we recommend that you force a new synchronization to make sure the product is fully updated and properly configured.
  4. Download the Endpoint Agent Tool for Windows, unzip it and run it on the computer with the gold image.
    • Scan it by using the Start cache scan button. This will fill the goodware cache and leave the protection in an appropriate state for virtual images.
      This process can take some time, depending on the contents of the hard disk. Wait until you are notified that the operation has finished.

      Equivalent command line: EndpointAgentTool.exe /sg

      Remember that if you use a .bat or .cmd file, this is the command to type:

      start /wait "" "C:\ToolPath\EndpointAgentTool.exe" /sg
    • In the Non exclusive events section, select the Detections, Counters and Check commands options and click Send, or else right-click on the protection icon and choose Synchronize.

      Equivalent command line: EndpointAgentTool.exe /d /c /cmd

    • Remove the ID of the computer, by selecting the Is a gold image verification checkbox.
    • If the computer is protected with AntiTamper, write the password in the AntiTamper password field. Otherwise, leave it blank.

      Equivalent command line: EndpointAgentTool.exe /pei /gi /atp:antitamperpassword
    • Select the Prepare image button, making sure the Is a gold image option is checked.

      This will remove the agent ID from the gold image, so that all virtual instances obtain their unique ID when they are run and connect to Aether for the first time.

      This step is critical to ensure that each virtual instance is uniquely identified in the Web UI!
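
The command-line steps from Phase I (both environments) and Phase III can be run as one PowerShell script, shown here as an added example that is not vendor code. It assumes the tool path from the article's example, that Panda Endpoint Agent is the service's display name, and that /atp is omitted whenever no Anti-Tamper password exists. Run it with -GoldImage for non-persistent images and without it for persistent templates.

```powershell
#Requires -RunAsAdministrator
# Added example (not vendor code): seal a template or gold image, then disable the agent.
param(
    [string]$ToolPath = 'C:\ToolPath\EndpointAgentTool.exe', # example path from this article
    [switch]$GoldImage,                  # non-persistent image: adds /gi
    [switch]$CacheScan,                  # optional goodware cache scan: /sg
    [securestring]$AntiTamperPassword,   # omit if Anti-Tamper has no password
    [string]$ServiceDisplayName = 'Panda Endpoint Agent'  # assumed display name
)
$ErrorActionPreference = 'Stop'
if (-not (Test-Path -LiteralPath $ToolPath -PathType Leaf)) {
    throw "Endpoint Agent Tool not found at $ToolPath"
}

function Invoke-AgentTool([string[]]$Arguments) {
    # Start-Process -Wait blocks until the tool exits, like `start /wait ""` in a .bat file.
    $proc = Start-Process -FilePath $ToolPath -ArgumentList $Arguments -Wait -PassThru
    # Keep the Anti-Tamper password out of console output and transcripts.
    $shown = ($Arguments -replace '^/atp:.*$', '/atp:***') -join ' '
    # Exit codes are not documented in this article, so they are reported, not judged.
    Write-Host "EndpointAgentTool.exe $shown -> exit code $($proc.ExitCode)"
}

if ($CacheScan) { Invoke-AgentTool '/sg' }       # fill the goodware cache
Invoke-AgentTool '/d', '/c', '/cmd'              # send Detections, Counters, Check commands

$prepare = @('/pei')                             # Prepare image: removes the agent ID
if ($GoldImage) { $prepare += '/gi' }            # "Is a gold image" checked
if ($AntiTamperPassword) {
    $plain = [System.Net.NetworkCredential]::new('', $AntiTamperPassword).Password
    $prepare += "/atp:$plain"
}
Invoke-AgentTool $prepare

# Disable the agent service so it cannot start and register before the image is generated.
$svc = Get-Service -DisplayName $ServiceDisplayName
Set-Service -Name $svc.Name -StartupType Disabled
$mode = (Get-CimInstance Win32_Service -Filter "Name='$($svc.Name)'").StartMode
if ($mode -ne 'Disabled') { throw "Service $($svc.Name) start mode is $mode, not Disabled" }
Write-Host "Prepare image run and $($svc.Name) disabled; generate the image now."
```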

Verify Procedure
It is essential to ensure that you have followed the procedure correctly.

  • View non-persistent computers
    Panda Adaptive Defense 360 uses the FQDN (Fully Qualified Domain Name) to identify computers whose IDs have been deleted using the Endpoint Agent Tool and are marked as gold image.
    To get a list of non-persistent VDI computers, follow these steps:
    • From the top navigation bar, go to Settings.
    • Click Computer Maintenance from the left pane.
    • Go to the VDI Environments section.
    • Click the Show non-persistent computers link.
    • The Computers list is displayed, with the non-persistent computers filter applied.
  • View persistent computers
    • From the top navigation bar, select Computers.
    • Verify that all your cloned devices are correctly displayed in the web UI.

IMPORTANT! If you see a single device, you must remove the device from the Computers list and start the procedure from scratch, that is, rebuild the gold image and deploy it again to the affected endpoints.

Manage Licenses
If you follow the process correctly and delete the agent ID by configuring the Is a gold image option as indicated, every time a new computer is started, the system will calculate its ID and will determine if it is a new computer or an existing one.

In non-persistent environments, if the maximum number of machines that can be active simultaneously for non-persistent images is set, the server will manage licenses automatically, provided there are available licenses and the number of concurrent machines is not exceeded.

In persistent environments, if there are multiple machines that are no longer used, delete them from the database in order to free up licenses just as you would do with physical machines. This can be done from the Aether console, by selecting all machines to delete and clicking the Delete button, or individually via the context menu of each machine to delete.

Related articles
How to create an image for Linux persistent and non-persistent environments (VDI) with products based on Aether


Help nº- 20240109 700050 EN