Sunday 18 November 2018

Citrix 11. Citrix recommended antivirus exclusions


There are lots of Citrix support articles and blog posts out there with information on recommended antivirus exclusions for Citrix products, all of which have been extremely helpful over the years. But let’s face it, it is a little annoying to have to gather information from multiple product-specific posts/articles to get all configurations that apply to your virtualization solution.

The introduction of the “Current Release” Servicing Option this year (2016) and resulting frequent product release cycles, in particular, has made it, to say the least, challenging to maintain content that recommends whitelisting all Citrix services against an ever-changing set of product services. So, my goal here is to provide you with a consolidated list of recommended antivirus exclusions for your Citrix virtualization environment focused on the key processes, folders, and files that we have seen cause issues in the field (and for the most part tend to remain consistent across releases, no guarantees though), rather than identifying every single Citrix process, folder, and file for each product.

Before we continue… WARNING! While we generally feel these configurations and exclusions provide the best balance between security and performance, please don’t forget that antivirus exclusions increase the attack surface of a system and might expose it to real security threats. Citrix does NOT recommend implementing any of these settings in production without first discussing them with your organization’s security teams and thoroughly testing and validating them in a test environment.

Now, just because files and folders are excluded from real-time and/or on-access scans, it doesn’t mean they should never be scanned. Scheduled full-system scans for your infrastructure servers (and any persistent machines) should still be performed to ensure everything in the system is safe, but it should be done during non-business or off-peak hours to mitigate any performance impact as much as possible.

One more thing before we get into the recommendations: the exclusions recommended include folders, files, and processes. Folder and file exclusions are pretty straightforward; we don’t want those files or folders to be scanned when accessed or modified. When it comes to processes, however, there is typically some confusion about what the goal is. When excluding processes, what we want is to prevent any reads and writes done by those processes from being scanned, not necessarily to prevent the exe file itself from being scanned. In some antivirus solutions, this is referred to as defining trusted processes.

The following recommendations apply to all Citrix components:

Set real-time scanning to scan local drives only and not network drives
Disable scan on boot
Remove any unnecessary antivirus related entries from the Run key
Exclude the pagefile(s) from being scanned
Exclude Windows event logs from being scanned
Exclude IIS log files from being scanned


The following are the recommendations specific to each component:

StoreFront 2.0 – 2.5

Files:
%ProgramFiles%\Citrix\Receiver StoreFront\Services\SubscriptionsStoreService\**\PersistentDictionary.edb

Processes:
%ProgramFiles%\Citrix\Receiver StoreFront\Services\SubscriptionsStoreService\Citrix.DeliveryServices.ServiceHosting.WindowsServiceHost.exe
%ProgramFiles%\Citrix\Receiver StoreFront\Services\CredentialWallet\Citrix.DeliveryServices.CredentialWallet.ServiceHost.exe

StoreFront 2.6 – 3.x

Files:
%SystemRoot%\ServiceProfiles\NetworkService\AppData\Roaming\Citrix\SubscriptionsStore\**\PersistentDictionary.edb

Processes:
%ProgramFiles%\Citrix\Receiver StoreFront\Services\SubscriptionsStoreService\Citrix.DeliveryServices.SubscriptionsStore.ServiceHost.exe
%ProgramFiles%\Citrix\Receiver StoreFront\Services\CredentialWallet\Citrix.DeliveryServices.CredentialWallet.ServiceHost.exe

PVS Server

Files:
**\*.vhd
**\*.avhd
**\*.vhdx
**\*.avhdx
%SystemRoot%\System32\drivers\CvhdBusP6.sys (Windows Server 2008 R2)
%SystemRoot%\System32\drivers\CVhdMp.sys (Windows Server 2012 R2)
%SystemRoot%\System32\drivers\CfsDep2.sys
%ProgramData%\Citrix\Provisioning Services\Tftpboot\ARDBP32.BIN

Processes:
%ProgramFiles%\Citrix\Provisioning Services\BNTFTP.EXE
%ProgramFiles%\Citrix\Provisioning Services\PVSTSB.EXE
%ProgramFiles%\Citrix\Provisioning Services\StreamService.exe
%ProgramFiles%\Citrix\Provisioning Services\StreamProcess.exe
%ProgramFiles%\Citrix\Provisioning Services\soapserver.exe

PVS Target Device

Files:
**\*.vdiskcache
**\vdiskdif.vhdx (7.x only)
%SystemRoot%\System32\drivers\bnistack6.sys
%SystemRoot%\System32\drivers\CfsDep2.sys
%SystemRoot%\System32\drivers\CVhdBusP6.sys
%SystemRoot%\System32\drivers\CVhdMp.sys (7.x only)

Processes:
%ProgramFiles%\Citrix\PvsVm\Service\PvsVmAgent.exe
%ProgramFiles%\Citrix\Personal vDisk\BIN\CTXPVD.exe (PvD and AppDisks only)
%ProgramFiles%\Citrix\Personal vDisk\BIN\CTXPVDSVC.exe (PvD and AppDisks only)

XenApp / XenDesktop 7.x Controller

Files:
%systemroot%\ServiceProfiles\NetworkService\HaDatabaseName.mdf (7.12+)
%systemroot%\ServiceProfiles\NetworkService\HaDatabaseName_log.ldf (7.12+)

Folders:
%programdata%\Citrix\Broker\Cache (7.6+)

Processes:
%ProgramFiles%\Citrix\Broker\Service\BrokerService.exe
%ProgramFiles%\Citrix\Broker\Service\HighAvailabilityService.exe (7.12+)
%ProgramFiles%\Citrix\ConfigSync\ConfigSyncService.exe (7.12+)

Cloud Connector

Folders:
%systemdrive%\Logs\CDF
%programdata%\Citrix\WorkspaceCloud\Logs

Processes:
%ProgramFiles%\Citrix\XaXdCloudProxy\XaXdCloudProxy.exe
%ProgramFiles%\Citrix\Broker\Service\HighAvailabilityService.exe
%ProgramFiles%\Citrix\ConfigSync\ConfigSyncService.exe

XenApp / XenDesktop 7.x Server OS VDA

Files:
%userprofile%\AppData\Local\Temp\Citrix\HDXRTConnector\*\*.txt

Processes:
%ProgramFiles%\Citrix\User Profile Manager\UserProfileManager.exe
%ProgramFiles%\Citrix\Virtual Desktop Agent\BrokerAgent.exe
%ProgramFiles%\Citrix\Personal vDisk\BIN\CTXPVD.exe (AppDisks only)
%ProgramFiles%\Citrix\Personal vDisk\BIN\CTXPVDSVC.exe (AppDisks only)
%SystemRoot%\System32\spoolsv.exe
%SystemRoot%\System32\winlogon.exe

XenDesktop 7.x Client OS VDA

Files:
%userprofile%\AppData\Local\Temp\Citrix\HDXRTConnector\*\*.txt

Processes:
%ProgramFiles%\Citrix\User Profile Manager\UserProfileManager.exe
%ProgramFiles%\Citrix\Virtual Desktop Agent\BrokerAgent.exe
%ProgramFiles%\Citrix\ICAService\picaSvc2.exe
%ProgramFiles%\Citrix\ICAService\CpSvc.exe
%ProgramFiles%\Citrix\Personal vDisk\BIN\CTXPVD.exe (PvD and AppDisks only)
%ProgramFiles%\Citrix\Personal vDisk\BIN\CTXPVDSVC.exe (PvD and AppDisks only)
%SystemRoot%\System32\spoolsv.exe
%SystemRoot%\System32\winlogon.exe

XenApp 6.5

Files:
%ProgramFiles(x86)%\Citrix\Independent Management Architecture\RadeOffline.mdb
%ProgramFiles(x86)%\Citrix\Independent Management Architecture\imalhc.mdb
%ProgramFiles(x86)%\Citrix\Citrix Resource Manager\LocalDB\RMLocalDatabase.mdb

Processes:
%ProgramFiles%\Citrix\User Profile Manager\UserProfileManager.exe
%ProgramFiles(x86)%\Citrix\System32\Citrix\Ima\ImaSrv.exe
%ProgramFiles(x86)%\Citrix\System32\Citrix\Ima\IMAAdvanceSrv.exe

Workspace Environment Management Infrastructure Service

Processes:
Norskale Broker Service.exe
Norskale Broker Service Configuration Utility.exe
Norskale Database Management Utility.exe

Workspace Environment Management Agent

Processes:
Agent Log Parser.exe
AgentCacheUtility.exe
AppsMgmtUtil.exe
Norskale Agent Host Service.exe
PrnsMgmtUtil.exe
VUEMAppCmd.exe
VUEMAppCmdDbg.exe
VUEMAppHide.exe
VUEMCmdAgent.exe
VUEMMaintMsg.exe
VUEMRSAV.exe
VUEMUIAgent.exe

EdgeSight Agent

Folders:
%AllUsersProfile%\Application Data\Citrix\System Monitoring\Data

Processes:
%ProgramFiles%\Citrix\System Monitoring\Agent\Core\rscorsvc.exe
%ProgramFiles%\Citrix\System Monitoring\Agent\Core\Firebird\bin\fbserver.exe

EdgeSight Server

Folders:
%CommonProgramFiles(x86)%\Citrix\System Monitoring\Server\RSSH
%ProgramFiles(x86)%\Citrix\System Monitoring\Server\EdgeSight\scripts\rssh
%ProgramFiles(x86)%\Citrix\System Monitoring\Server\EdgeSight\Pages
%ProgramFiles(x86)%\Microsoft SQL Server\MSSQL\Reporting Services
%ProgramFiles%\Microsoft SQL Server\MSSQL\Data
%SystemRoot%\SYSTEM32\Logfiles

Receiver for Windows

Files:
%userprofile%\AppData\Local\Temp\Citrix\RTMediaEngineSRV\MediaEngineSRVDebugLogs\*\*.txt

Processes:
%programfiles(x86)%\Citrix\ICA Client\MediaEngineService.exe
%programfiles(x86)%\Citrix\ICA Client\CDViewer.exe
%programfiles(x86)%\Citrix\ICA Client\concentr.exe
%programfiles(x86)%\Citrix\ICA Client\wfica32.exe
%programfiles(x86)%\Citrix\ICA Client\AuthManager\AuthManSvr.exe
%programfiles(x86)%\Citrix\ICA Client\SelfServicePlugin\SelfService.exe
%programfiles(x86)%\Citrix\ICA Client\SelfServicePlugin\SelfServicePlugin.exe

Please note that these exclusions for Receiver are typically not needed. We have only seen a need for these in environments where the antivirus is configured with stricter than usual policies or where multiple security agents are in use simultaneously (AV, DLP, HIP, etc.).
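As an added example (not part of the original article, and not Citrix code), the script below shows how the file-versus-process distinction explained above maps onto Microsoft Defender Antivirus: path and extension exclusions stop files from being scanned, while process exclusions stop reads and writes by the listed executables from being scanned without trusting the exe itself. It only applies entries whose files exist on the host, so a server without PVS never gets PVS exclusions; the sample entries are a subset of the list above, and the `-Apply` switch is the script's own convention.

```powershell
# Added example: translate a subset of the Citrix exclusions above into
# Defender settings, applying only what is actually installed on this host.
# Run elevated. Without -Apply the script only reports what it would add.
param([switch]$Apply)

$Exclusions = @{
    # File/folder exclusions: these objects are not scanned on access
    Paths      = @(
        '%ProgramData%\Citrix\Broker\Cache',
        '%SystemRoot%\System32\drivers\CfsDep2.sys',
        '%ProgramData%\Citrix\Provisioning Services\Tftpboot\ARDBP32.BIN'
    )
    # "**\*.vhd"-style entries from the list map to extension exclusions
    Extensions = @('vhd', 'avhd', 'vhdx', 'avhdx', 'vdiskcache')
    # Process exclusions: I/O done by these processes is not scanned;
    # the executables themselves are still scanned (the "trusted process" idea)
    Processes  = @(
        '%ProgramFiles%\Citrix\Broker\Service\BrokerService.exe',
        '%ProgramFiles%\Citrix\Provisioning Services\StreamService.exe',
        '%ProgramFiles%\Citrix\User Profile Manager\UserProfileManager.exe'
    )
}

# Expand %VAR% tokens and keep only entries present on this machine, so the
# exclusion list stays as small as the installed components require.
function Get-InstalledExclusions {
    param([string[]]$Candidates)
    foreach ($c in $Candidates) {
        $expanded = [Environment]::ExpandEnvironmentVariables($c)
        if (Test-Path -LiteralPath $expanded) { $expanded }
        else { Write-Warning "Skipping $c (not found on this host)" }
    }
}

$paths = @(Get-InstalledExclusions $Exclusions.Paths)
$procs = @(Get-InstalledExclusions $Exclusions.Processes)

if ($Apply) {
    if ($paths) { Add-MpPreference -ExclusionPath $paths }
    if ($procs) { Add-MpPreference -ExclusionProcess $procs }
    Add-MpPreference -ExclusionExtension $Exclusions.Extensions
} else {
    "Would add path exclusions:`n  " + ($paths -join "`n  ")
    "Would add process exclusions:`n  " + ($procs -join "`n  ")
    "Would add extension exclusions: " + ($Exclusions.Extensions -join ', ')
}

# Audit the effective exclusion set so it can be reviewed against the list above
$pref = Get-MpPreference
[pscustomobject]@{
    Paths      = $pref.ExclusionPath
    Processes  = $pref.ExclusionProcess
    Extensions = $pref.ExclusionExtension
}
```

The audit object at the end is the piece to keep in change control: review it after every product upgrade, since the article notes that the set of Citrix processes changes between releases.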
