CylancePROTECT and non-persistent VDI: the perfect match


Non-persistent VDI offers a number of advantages to enterprises, as well as a specific set of challenges that must be overcome before we can provide a great end user experience. It enables us to offer a fresh desktop experience every time a user logs in, and it facilitates other things such as image management and applying software updates in a more controlled way. But how do we go about securing these endpoints?

With CylancePROTECT, we can offer an endpoint security solution that can be tailored to work seamlessly in a VDI environment. Here’s how:

Definition updates

Traditional anti-malware solutions require administrators to keep up with the latest threat updates all the time. If administrators fail to do so, they will find themselves running out-of-date virus definitions, which would, in turn, imply a significant risk to enterprises due to a lack of coverage for new(er) threats.

Given the frequency at which zero-days are being released into the wild, these definition updates are released at least once a day. A signature update means that a golden image is then outdated and therefore, a (partial) rebuild of said image is required. This is usually a task that a human has to undertake at regular intervals in order to manage risk and to keep the network bandwidth usage generated by automatic definition file updates low.

Testing those new signature definitions would be essential for each update, as there is no other way to verify compatibility with existing applications. This is usually a manual effort, and neither signatures nor human intervention is impervious to errors.

CylancePROTECT doesn’t rely on signatures, but instead, it harnesses the power of machine learning. This approach offers a much higher level of protection against zero-day malware, and it takes away the complexity that would otherwise be involved when managing a traditional signature-based anti-malware solution.

Recurring scans

Unlike some other solutions, CylancePROTECT doesn’t require recurring scans. It is sufficient to perform a full scan of the system once, and then inspect new files as they appear on the machine. More importantly, this can be achieved without introducing any additional risk to the enterprise.

This is good news for our VDI because we only have to scan the golden image once while we are preparing it. When machines are then deployed from the image, they no longer need to run the full scan. This means we’ll have less I/O on our environment, resulting in a better overall experience for the end user.

Low performance impact

Observed impact on CPU and memory usage is equally important, especially in a VDI scenario, where we want to optimize the number of VMs and sessions per physical host. Luckily, CylancePROTECT has a very low CPU and memory footprint.



As Cylance technology is built with modern computing environments in mind (such as VDI), it is trivial to uniquely identify separate virtual machines based upon different properties (such as a hostname and unique identifiers).

Historically, traditional security solutions have struggled to manage VDI environments due to virtual machine similarities. The VDI=1 setting enhances fingerprinting on VDI, making sure devices can be identified in a reliable way.


We have covered how CylancePROTECT helps us secure our VDI endpoints. It’s important to note how manual effort is kept to a minimum, and how system resource usage can be optimized.

Orange Cyberdefense are experts in integrating Cylance solutions into VDI environments (VMware and Citrix) and we would love to demonstrate how CylancePROTECT can positively improve enterprise security as well as improve the user experience.

Contact us for more info on this topic via
