Configuring an Anti-Virus product on a Golden image always requires some special attention. Various problems can occur when such a product is installed using default options in a Golden image. The booted target devices can end-up multiple times in the Anti-Virus management console, they can end up inactivated and thus unprotected.

To resolve such issues, each target device booted from a Golden Image needs to have a unique ID related towards the AV management product. How this is achieved depends upon the product itself. Some products need to have some registry keys, files or computer certificates deleted before ‘sealing’ the Golden Image.

Trend Micro Deep Security Agent (version 9.5.2754 was used in this case) uses a different approach. After the Anti-Virus agent has been installed, it needs to be activated on a per computer basis. This can be done manually in the management console of the product. Obviously, when speaking about VDI/SBC environment this is not ideal. For such environment, this can be executed from the Anti-Virus client side.

To allow the product to have unique devices in the console, the activation needs to occur after the Golden Image has been sealed when a device is booted in standard mode. Using this method, activation of the Anti-Virus product occurs at each boot. The devices will appear unique, and only once, in the console.

Using our deployment framework (Raido Taskflow) we configured this as such:

Installation of the Agent: (Deployment flow)

The product was installed using a normal msi installation during the deployment flow. This is executed during the build of the Golden Image.

Activation of the Agent:

The activation is a command which is executed during the startup flow. It’s a batch file which contacts the Anti-Virus management server on a specific protocol (dsm://). The action is executed by default.


Unless the VDisk is in Private Mode, the command is not executed. This is achieved by configuring an override “Private mode” on the “Default” action which unticks the “Enabled” flag. The Anti-Virus client won’t be activated in Private mode.


Using this approach, the Deep Security Agent is installed and configured correctly in an automated way.