Today we are working on the gold image for our Microsoft RDS VDI environment. This build runs Windows 7 x86 along with core apps and is protected by Trend Micro OfficeScan.
As I'm sure many people will know, anti-malware software does not always take kindly to being imaged. Each installed agent carries a unique client GUID, and if that GUID is left in the gold image every clone reports to the management server with the same identity, so they collapse into a single endpoint on the console. Usually there is a tool, script or manual task that removes the GUID before the image is sealed. Trend is no different in this respect: the OfficeScan package ships with a VDI tool that lets you pre-scan the image and then strip the GUID ready for deployment.
The tool is TCacheGen.exe. There are separate x86 and x64 builds of both the GUI version and the command-line version (TCacheGenCli). The default location on the OfficeScan server is c:\Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\Admin\Utility\TCacheGen
The process is simple: copy the EXE that matches the image architecture onto your gold image and run it as administrator so you don't hit permissions issues.
Launching the GUI version brings up a window with two options. The first performs the pre-scan and then removes the GUID; the second only removes the GUID. Whichever you pick, make it the last thing you do before shutting the image down: if the OfficeScan agent service starts again on the template (for example after a reboot) it registers a fresh GUID and you will have to run the tool again.
The command-line tool offers the same two options with a simple syntax:

    C:\>TCacheGenCli_x64.exe
    USAGE: TCacheGenCli [ GENERATE_TEMPLATE | REMOVE_GUID ]
    where
      GENERATE_TEMPLATE   Generate pre-scan template.
      REMOVE_GUID         Remove GUID from template.

    C:\>TCacheGenCli_x64.exe GENERATE_TEMPLATE
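As an added example (my own script, not something that ships with OfficeScan or appears in the original post), here is the staging-and-run step wrapped in PowerShell so it can be repeated identically on every gold image build. It refuses to run unless elevated, picks the CLI build for the image's architecture, verifies the staged copy against the server copy by SHA-256 before executing it, logs the tool's output, fails on a non-zero exit code, and removes the staged EXE afterwards so it is not baked into every clone. The UNC path to the server, the local staging folder, the name of the 32-bit CLI build (TCacheGenCli.exe) and the assumption that exit code 0 means success are all my assumptions; the x64 name and the two arguments come from the usage text above. The hashing uses .NET directly because Get-FileHash does not exist in the PowerShell 2.0 that Windows 7 ships with.

```powershell
# Added example: stage TCacheGenCli on a gold image, verify it, run it, clean up.
# Assumptions (not from the original post): the server UNC path, the local staging
# folder, the 32-bit EXE name and the meaning of exit code 0 are all hypothetical.
param(
    # Hypothetical admin-share path to the utility folder on the OfficeScan server.
    [string]$ServerToolDir = '\\osce-server\c$\Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\Admin\Utility\TCacheGen',
    # Hypothetical staging folder on the gold image.
    [string]$LocalDir = 'C:\Temp\TCacheGen',
    # GENERATE_TEMPLATE = pre-scan + remove GUID; REMOVE_GUID = remove GUID only.
    [ValidateSet('GENERATE_TEMPLATE', 'REMOVE_GUID')]
    [string]$Action = 'GENERATE_TEMPLATE'
)

$ErrorActionPreference = 'Stop'

# 1. Refuse to continue unless this session is elevated.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell session.'
}

# 2. Choose the CLI build matching the image architecture.
#    The x64 name is from the usage text; the x86 name is an assumption.
$exeName = if ([IntPtr]::Size -eq 8) { 'TCacheGenCli_x64.exe' } else { 'TCacheGenCli.exe' }

# 3. SHA-256 helper using .NET so it works on PowerShell 2.0 (no Get-FileHash).
function Get-Sha256Hex([string]$Path) {
    $sha = [Security.Cryptography.SHA256]::Create()
    $fs  = [IO.File]::OpenRead($Path)
    try {
        ($sha.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join ''
    } finally {
        $fs.Close()
    }
}

# 4. Stage the tool and confirm the copy matches the server's copy byte for byte.
New-Item -ItemType Directory -Path $LocalDir -Force | Out-Null
$src = Join-Path $ServerToolDir $exeName
$dst = Join-Path $LocalDir $exeName
Copy-Item -Path $src -Destination $dst -Force
if ((Get-Sha256Hex $src) -ne (Get-Sha256Hex $dst)) {
    throw "SHA-256 mismatch after copying $exeName; not running it."
}

# 5. Run the tool, keep its output in a timestamped log, fail on a non-zero exit code
#    (treating 0 as success is an assumption about the tool).
$log  = Join-Path $LocalDir ('TCacheGen_{0}.log' -f (Get-Date -Format 'yyyyMMdd_HHmmss'))
$proc = Start-Process -FilePath $dst -ArgumentList $Action -Wait -PassThru `
        -NoNewWindow -RedirectStandardOutput $log
if ($proc.ExitCode -ne 0) {
    throw "$exeName $Action exited with code $($proc.ExitCode); see $log"
}
Write-Host "$exeName $Action completed; output logged to $log"

# 6. Remove the staged EXE so it does not end up inside every clone.
Remove-Item -Path $dst -Force
```

Run it from an elevated prompt on the gold image, e.g. `.\Invoke-TCacheGen.ps1 -Action GENERATE_TEMPLATE`, and then shut the image down straight away rather than rebooting it, so the agent does not get a chance to register a new GUID before the template is sealed.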
If you read the notes on pre-scan you will see that it can benefit your setup considerably: the image is validated once, and subsequent deployments only scan the parts that have changed. With a large number of clients this makes a big difference to resource overhead; you don't want hundreds of near-identical VDI images each running a full AV scan over the same data, which is simply a waste of resource.
I have seen some people suggest not installing any anti-malware protection on a VDI image: the machines spin up and then (in most cases, ignoring persistent images here) get deleted, so why go to the effort of protecting something with such a short lifespan? Well, the obvious answer is that these machines are a hole in your security: users will browse the Internet and access network resources, so we must ensure the images are secured.
Typically I would suggest Trend Deep Security (agentless protection) for a VDI deployment; however, as we are stuck using Microsoft Server 2012 R2 RDS/VDI, this isn't currently an option.