How to re-create VM profiles in Advanced Threat Defense and Intelligent Sandbox
Technical Articles ID: KB89552
Last Modified: 2023-02-24 10:52:10 Etc/GMT
Environment
Advanced Threat Defense (ATD)
Trellix Intelligent Sandbox (IS)
Problem
When you upgrade your ATD/IS appliance to a later release, Microsoft Windows or Office, which is installed as part of your sandbox VMs, requests activation.
You see this request in the Screenshot section of the Analysis Report and in the X-Mode desktop.
Cause
The ATD/IS upgrade includes an update to the hypervisor in the back-end. This update triggers a Windows or Office license activation.
Solution 1
To resolve this issue, first try to re-create the VM profiles as follows:
- Reactivate Windows or Office:
- Navigate to Policy, VM Profile.
- Click New.
- Select the IMG image that you want to reactivate from the Image drop-down list.
- Click Activate.
- In the Activation browser window, complete the activation of your Microsoft product.
- Perform a graceful shutdown of the Windows operating system in the activation browser window.
- After Windows shuts down, close the activation browser window.
- Validate the VM:
- (Optional) If your Windows VM is non-English and its local administrator account name isn't administrator, type the administrator account name of your VM in the VM logon field.
- Click Validate.
- Confirm that validation completes.
- Click Save.
- Wait until the VM creation process finishes.
- Open an SSH session to your ATD/IS appliance, and log on using cliadmin credentials.
- Reflect the activated Windows/Office image to the sandbox VM:
reboot vmcreator
- Wait until ATD/IS reboots and completes VM creation.
- After you reactivate Windows or Office, manually submit a sample and confirm that Windows or Office no longer requests activation.
If you no longer see the request for activation, you don't need to continue following the additional troubleshooting steps. If you still see a Windows or Office activation request, continue to the next "Solution" section to delete and re-create the VM profiles.
Solution 2
If re-creating the VM profiles using the previous Solution doesn't resolve the issue, delete and re-create the VM profiles as follows:
IMPORTANT: If you have multiple VM profiles, and you see activation requests in only a specific VM profile, continue to the Further troubleshooting subsection below.
Otherwise, you need to create a temporary VM profile and its associated analyzer profile before you delete the affected VM profiles.
Create a temporary VM profile:
- Convert your VMDK image into a temporary IMG image:
- Select Manage, Image & Software, Image.
- From the VMDK Image drop-down list, select the VMDK image for your temporary VM.
- Type a name for your temporary image.
- From the Operating System drop-down list, select the appropriate operating system type.
- Click Convert.
- Activate the temporary VM:
- Select Policy, VM Profile.
- Click New.
- From the Image drop-down list, select the temporary IMG.
- Click Activate.
- In the Activation browser window, complete the activation process.
- Perform a graceful shutdown of the Windows operating system in the activation browser window.
- After Windows shuts down, close the activation browser window.
- Validate the temporary VM:
- (Optional) If your Windows VM is non-English and its local administrator account name isn't administrator, enter the administrator account name of your VM in the VM logon field.
- Click Validate.
- Confirm that the validation completes.
- For Maximum Licenses, type 1.
- Click Save.
- Create a temporary analyzer profile using the temporary VM profile:
- Select Policy, Analyzer Profile.
- Click New.
- In the Name field, type a name for the temporary analyzer profile.
- From the VM Profiles drop-down list, select the temporary VM profile.
- Click Save. You don't need to change other settings because you need this analyzer profile only while reactivating your main VM.
Further troubleshooting:
- Change the users' default analyzer profile from the affected profile to an alternative:
- Select Manage, ATD Configuration, temporary.
- Select the user whose Default Analyzer Profile uses the affected VM.
- Click Edit.
- Change the Default Analyzer Profile from the affected VMs to an alternative.
- Click Save.
- Repeat the above steps for all users whose default analyzer profile is affected.
- Delete one or more affected analyzer profiles:
- Navigate to Policy, Analyzer Profile.
- Identify the analyzer profile that uses the affected VM profile, and select it.
- Click Delete.
NOTE: If the analyzer profile is used as the default analyzer profile for an ATD/TIS user, you can't delete the analyzer profile. Make sure that you change the default analyzer profiles from the affected profile to the temporary profile before you try to delete the analyzer profile.
- Repeat the above steps for all affected profiles.
- Delete one or more affected VM profiles:
- Select Policy, VM Profile.
- Identify the VM profile requesting activation of Windows or Office, and then select it.
- Click Delete.
- Repeat the above steps for all affected profiles.
- Reactivate Windows or Office:
- Navigate to Policy, VM Profile.
- Click New.
- From the Image drop-down list, select the IMG image that you want to reactivate.
- Click Activate.
- In the Activation browser window, complete the activation process.
- Perform a graceful shutdown of the Windows operating system in the Activation browser window.
- After Windows shuts down, close the Activation browser window.
- Validate the VM:
- (Optional) If your Windows VM is non-English and its local administrator account name isn't administrator, type the administrator account name of your VM in the VM logon field.
- Click Validate.
- Confirm that validation completes.
- For Maximum Licenses, type the needed number of VMs.
- Click Save.
- Create an analyzer profile using the reactivated VM profile:
- Select Policy, Analyzer Profile.
- Click New.
- In the Name field, type the name for your reactivated analyzer profile.
- In the VM Profiles drop-down list, select the reactivated VM profile.
- Configure analyzer profile settings as needed.
- Click Save.
- Revert the users' default analyzer profile from the temporary profile to the reactivated one:
- Select Manage, ATD Configuration, ATD Users.
- Select the user whose Default Analyzer Profile uses the temporary profile.
- Click Edit.
- Change the Default Analyzer Profile to the reactivated one.
- Click Save.
- Repeat the above steps for all users whose default analyzer profile is the temporary profile.