Citrix / Windows

AV Exclusions Best Practices for Citrix VDI Setup

- by Rajeev - 1 Comment

Hi there!

In most of the VDI Implementations AV creates issues, mainly for PVS, profiles & performance. I’ve put forth some best practices on AV exclusions with supporting articles. Be advised every company will have it’s own security policy and i do not take any ownership of the below details; use it at your own risk!!!

 

  1. HSD/HVD

Citrix Profile Manager Agent: – ref: http://support.citrix.com/proddocs/topic/user-profile-manager-5-x/upm-secure-antivirus.html?_ga=1.9649781.1927866785.1413273549

Do not scan on open or status-check operations

UserProfileManager.exe

PVS Target: ref http://support.citrix.com/article/CTX124185

Exclude scanning of Write Cache

\Program Files\Citrix\Provisioning Services\BNDevice.exe

\Windows\System32\drivers\bnistack6.sys

\Program Files\Citrix\Provisioning Services\TargetOSOptimizer.exe

\Windows\System32\drivers\CfsDep2.sys

\Windows\System32\drivers\CVhdBusP6.sys

Vdiskdif.vhdx

.vdiskcache

 

RDSH Session Host: ref: http://support.citrix.com/article/ctx127030

\Windows\system32\spoolsv.exe

\Windows\system32\csrss.exe

\Windows\system32\winlogon.exe

\Windows\system32\userinit.exe

\Windows\system32\smss.exe

\Program Files\Citrix\Group Policy\Client-Side Extension\CitrixCseEngine.exe

\Program Files (x86)\Citrix\System32\wfshell.exe

\Program Files (x86)\Citrix\system32\CpSvc.exe

\Program Files (x86)\Citrix\System32\CtxSvcHost.exe

\Program Files (x86)\Citrix\system32\mfcom.exe

\Program Files (x86)\Citrix\System32\Citrix\Ima\ImaSrv.exe

\Program Files (x86)\Citrix\System32\Citrix\Ima\IMAAdvanceSrv.exe

\Program Files (x86)\Citrix\HealthMon\HCAService.exe

\Program Files (x86)\Citrix\Streaming Client\RadeSvc.exe

\Program Files (x86)\Citrix\Streaming Client\RadeHlprSvc.exe

\Program Files (x86)\Citrix\XTE\bin\XTE.exe

\Program Files\Citrix\Independent Management Architecture\RadeOffline.mdb

%AppData%\ICAClient\Cache (if using pass-through authentication)

 

Windows Desktop/Server OS Machines – XenDesktop 7.x: ref: http://support.citrix.com/article/ctx127030

\Windows\system32\spoolsv.exe

\Windows\system32\csrss.exe

\Windows\system32\winlogon.exe

\Windows\system32\userinit.exe

\Windows\system32\smss.exe

\Program Files\Citrix\Group Policy\Client-Side Extension\CitrixCseEngine.exe

\Program Files (x86)\Citrix\System32\wfshell.exe

\Program Files (x86)\Citrix\system32\CpSvc.exe

\Program Files (x86)\Citrix\System32\CtxSvcHost.exe

 

2.Support Server Policy

Provisioning Services Server: ref: http://support.citrix.com/article/CTX124185

Exclude scanning of Local vDisk Store

\Windows\System32\drivers\CvhdBusP6.sys

\Windows\System32\drivers\CfsDep2.sys

\Program Files\Citrix\Provisioning Services\BNTFTP.EXE

\ProgramData\Citrix\Provisioning Services\Tftpboot\ARDBP32.BIN

\Program Files\Citrix\Provisioning Services\StreamService.exe

\Program Files\Citrix\Provisioning Services\StreamProcess.exe

\Program Files\Citrix\Provisioning Services\soapserver.exe

\Program Files\Citrix\Provisioning Services\inventory.exe

\Program Files\Citrix\Provisioning Services\mgmtDaemon.exe

\Program Files\Citrix\Provisioning Services
otifier.exe

\Program Files\Citrix\Provisioning Services\PVSTSB.exe

\Program Files\Citrix\Provisioning Services\BNPXE.exe

\Program Files\Citrix\Provisioning Services\BNAbsService.exe

\Program Files\Citrix\Provisioning Services\cdfsvc.exe

.vhd

 

XenDesktop            Controller: ref: http://support.citrix.com/article/ctx127030

\Windows\system32\csrss.exe

\Windows\system32\winlogon.exe

\Windows\system32\userinit.exe

\Windows\system32\smss.exe

 

The following antivirus exclusions should be applied to all Citrix infrastructure servers: ref: http://support.citrix.com/article/ctx127030  & http://support.microsoft.com/en-us/kb/822158

Set real-time scanning to scan on write operations only and not on read/access

Set real-time scanning to scan local drives only and not network drives

Disable scan on boot

Exclude the pagefile(s) from being scanned

Exclude IIS log files from being scanned

Exclude Windows event logs from being scanned

Turn off scanning of Windows Security files

Add the following files in the %windir%\Security\Database path of the exclusions list:

*.edb

*.sdb

*.log

*.chk

*.jrs

 

Turn off scanning of Group Policy related files

Group Policy user registry information. These files are located in the following folder:

%allusersprofile%\

 

Specifically, exclude the following file:

NTUser.pol

 

Group Policy client settings files. These files are located in the following folder:

%SystemRoot%\System32\GroupPolicy\Machine\
%SystemRoot%\System32\GroupPolicy\User\

Specifically, exclude the following file:

Registry.pol

Hope it helps!

Related Posts

Mitigate Vulnerabilities in Citrix Netscaler & Storefront – Penetration test

Citrix Desktop Director – IT admins from different domain

SSL Certificate importing in Linux Citrix Receiver – Ubuntu

About Rajeev

View all posts by Rajeev →