Citrix Recommended Antivirus Exclusions

UPDATE: Please note that this topic has been moved to Citrix Tech Zone, so this post will not be updated any longer. For up-to-date recommendations on Antivirus exclusions, please refer to the Endpoint Security, Antivirus and Antimalware Best Practices tech paper.

********************************************************************************

There are lots of Citrix support articles and blog posts out there with information on recommended antivirus exclusions for Citrix products, all of which have been extremely helpful over the years. But let’s face it, it is a little annoying to have to gather information from multiple product-specific posts/articles to get all configurations that apply to your virtualization solution.

The introduction of the “Current Release” Servicing Option this year (2016) and resulting frequent product release cycles, in particular, has made it, to say the least, challenging to maintain content that recommends whitelisting all Citrix services against an ever-changing set of product services. So, my goal here is to provide you with a consolidated list of recommended antivirus exclusions for your Citrix virtualization environment focused on the key processes, folders, and files that we have seen cause issues in the field (and for the most part tend to remain consistent across releases, no guarantees though), rather than identifying every single Citrix process, folder, and file for each product.

Before we continue… WARNING! While we generally feel these configurations and exclusions provide the best balance between security and performance, please don’t forget that antivirus exclusions increase the attack surface of a system and might expose it to real security threats. Citrix does NOT recommend implementing any of these settings in production without first discussing them with your organization’s security teams and thoroughly testing and validating them in a test environment.

Now, just because files and folders are excluded from real-time and/or on-access scans, it doesn’t mean they should never be scanned. Scheduled full-system scans for your infrastructure servers (and any persistent machines) should still be performed to ensure everything in the system is safe, but it should be done during non-business or off-peak hours to mitigate any performance impact as much as possible.

One more thing before we get into the recommendations: the exclusions recommended include folders, files, and processes. Folder and file exclusions are pretty straight forward; we don’t want those files or folders to be scanned when accessed or modified. When it comes to processes, however, there is typically some confusion about what the goal is. When excluding processes, what we want is to prevent any reads and writes done by those processes from being scanned; not necessarily to prevent the exe file from being scanned. In some antivirus solutions, this is referred to as defining trusted processes.

The following recommendations apply to all Citrix components:

Set real-time scanning to scan local drives only and not network drives
Disable scan on boot
Remove any unnecessary antivirus related entries from the Run key
Exclude the pagefile(s) from being scanned
Exclude Windows event logs from being scanned
Exclude IIS log files from being scanned

The following are the recommendations specific to each component:

StoreFront 2.0 – 2.5	Files: %ProgramFiles%\Citrix\Receiver StoreFront\Services\SubscriptionsStoreService \**\PersistentDictionary.edb Processes: %ProgramFiles%\Citrix\Receiver StoreFront\Services\SubscriptionsStoreService \Citrix.DeliveryServices.ServiceHosting.WindowsServiceHost.exe %ProgramFiles%\Citrix\Receiver StoreFront\Services\CredentialWallet \Citrix.DeliveryServices.CredentialWallet.ServiceHost.exe
StoreFront 2.6 – 3.x	Files: %SystemRoot%\ServiceProfiles\NetworkService\AppData\Roaming \Citrix\SubscriptionsStore\**\PersistentDictionary.edb Processes: %ProgramFiles%\Citrix\Receiver StoreFront\Services\SubscriptionsStoreService \Citrix.DeliveryServices.SubscriptionsStore.ServiceHost.exe %ProgramFiles%\Citrix\Receiver StoreFront\Services\CredentialWallet \Citrix.DeliveryServices.CredentialWallet.ServiceHost.exe
PVS Server	Files: *\.vhd *\.avhd *\.vhdx *\.avhdx %SystemRoot%\System32\drivers\CvhdBusP6.sys (Windows Server 2008 R2) %SystemRoot%\System32\drivers\CVhdMp.sys (Windows Server 2012 R2) %SystemRoot%\System32\drivers\CfsDep2.sys %ProgramData%\Citrix\Provisioning Services\Tftpboot\ARDBP32.BIN Processes: %ProgramFiles%\Citrix\Provisioning Services\BNTFTP.EXE %ProgramFiles%\Citrix\Provisioning Services\PVSTSB.EXE %ProgramFiles%\Citrix\Provisioning Services\StreamService.exe %ProgramFiles%\Citrix\Provisioning Services\StreamProcess.exe %ProgramFiles%\Citrix\Provisioning Services\soapserver.exe
PVS Target Device	Files: *\.vdiskcache **\vdiskdif.vhdx (7.x only) %SystemRoot%\System32\drivers\bnistack6.sys %SystemRoot%\System32\drivers\CfsDep2.sys %SystemRoot%\System32\drivers\CVhdBusP6.sys %SystemRoot%\System32\drivers\CVhdMp.sys (7.x only) Processes: %ProgramFiles%\Citrix\PvsVm\Service\PvsVmAgent.exe %ProgramFiles%\Citrix\Personal vDisk\BIN\CTXPVD.exe (PvD and AppDisks only) %ProgramFiles%\Citrix\Personal vDisk\BIN\CTXPVDSVC.exe (PvD and AppDisks only)
XenApp / XenDesktop 7.x Controller	Files: %systemroot%\ServiceProfiles\NetworkService\HaDatabaseName.mdf (7.12+) %systemroot%\ServiceProfiles\NetworkService\HaImportDatabaseName.mdf (7.12+) %systemroot%\ServiceProfiles\NetworkService\HaDatabaseName_log.ldf (7.12+) %systemroot%\ServiceProfiles\NetworkService\HaImportDatabaseName_log.ldf (7.12+) Folders: %programdata%\Citrix\Broker\Cache (7.6+) Processes: %ProgramFiles%\Citrix\Broker\Service\BrokerService.exe %ProgramFiles%\Citrix\Broker\Service\HighAvailabilityService.exe (7.12+) %ProgramFiles%\Citrix\ConfigSync\ConfigSyncService.exe (7.12+)
Cloud Connector	Files: %systemroot%\ServiceProfiles\NetworkService\HaDatabaseName.mdf %systemroot%\ServiceProfiles\NetworkService\HaImportDatabaseName.mdf %systemroot%\ServiceProfiles\NetworkService\HaDatabaseName_log.ldf %systemroot%\ServiceProfiles\NetworkService\HaImportDatabaseName_log.ldf Folders: %systemdrive%\Logs\CDF %programdata%\Citrix\WorkspaceCloud\Logs Processes: %ProgramFiles%\Citrix\XaXdCloudProxy\XaXdCloudProxy.exe %ProgramFiles%\Citrix\Broker\Service\HighAvailabilityService.exe %ProgramFiles%\Citrix\ConfigSync\ConfigSyncService.exe
XenApp / XenDesktop 7.x Server OS VDA	Files: %userprofile%\AppData\Local\Temp\Citrix\HDXRTConnector\\.txt Processes: %ProgramFiles%\Citrix\User Profile Manager\UserProfileManager.exe %ProgramFiles%\Citrix\Virtual Desktop Agent\BrokerAgent.exe %ProgramFiles%\Citrix\Personal vDisk\BIN\CTXPVD.exe (AppDisks only) %ProgramFiles%\Citrix\Personal vDisk\BIN\CTXPVDSVC.exe (AppDisks only) %SystemRoot%\System32\spoolsv.exe %SystemRoot%\System32\winlogon.exe
XenDesktop 7.x Client OS VDA	Files: %userprofile%\AppData\Local\Temp\Citrix\HDXRTConnector\\.txt Processes: %ProgramFiles%\Citrix\User Profile Manager\UserProfileManager.exe %ProgramFiles%\Citrix\Virtual Desktop Agent\BrokerAgent.exe %ProgramFiles%\Citrix\ICAService\picaSvc2.exe %ProgramFiles%\Citrix\ICAService\CpSvc.exe %ProgramFiles%\Citrix\Personal vDisk\BIN\CTXPVD.exe (PvD and AppDisks only) %ProgramFiles%\Citrix\Personal vDisk\BIN\CTXPVDSVC.exe (PvD and AppDisks only) %SystemRoot%\System32\spoolsv.exe %SystemRoot%\System32\winlogon.exe
XenApp 6.5	Files: %ProgramFiles(x86)%\Citrix\Independent Management Architecture\RadeOffline.mdb %ProgramFiles(x86)%\Citrix\Independent Management Architecture\imalhc.mdb %ProgramFiles(x86)%\Citrix\Citrix Resource Manager\LocalDB\RMLocalDatabase.mdb Processes: %ProgramFiles%\Citrix\User Profile Manager\UserProfileManager.exe %ProgramFiles(x86)%\Citrix\System32\Citrix\Ima\ImaSrv.exe %ProgramFiles(x86)%\Citrix\System32\Citrix\Ima\IMAAdvanceSrv.exe
Workspace Environment Management Infrastructure Service	Processes: Norskale Broker Service.exe Norskale Broker Service Configuration Utility.exe Norskale Database Management Utility.exe
Workspace Environment Management Agent	Processes: Agent Log Parser.exe AgentCacheUtility.exe AppsMgmtUtil.exe Norskale Agent Host Service.exe PrnsMgmtUtil.exe VUEMAppCmd.exe VUEMAppCmdDbg.exe VUEMAppHide.exe VUEMCmdAgent.exe VUEMMaintMsg.exe VUEMRSAV.exe VUEMUIAgent.exe
EdgeSight Agent	Folders: %AllUsersProfile%\Application Data\Citrix\System Monitoring\Data Processes: %ProgramFiles%\Citrix\System Monitoring\Agent\Core\rscorsvc.exe %ProgramFiles%\Citrix\System Monitoring\Agent\Core\Firebird\bin\fbserver.exe
EdgeSight Server	Folders: %CommonProgramFiles(x86)%\Citrix\System Monitoring\Server\RSSH %ProgramFiles(x86)%\Citrix\System Monitoring\Server\EdgeSight\scripts\rssh %ProgramFiles(x86)%\Citrix\System Monitoring\Server\EdgeSight\Pages %ProgramFiles(x86)%\Microsoft SQL Server\MSSQL\Reporting Services %ProgramFiles%\Microsoft SQL Server\MSSQL\Data %SystemRoot%\SYSTEM32\Logfiles
Receiver for Windows	Files: %userprofile%\AppData\Local\Temp\Citrix\RTMediaEngineSRV \MediaEngineSRVDebugLogs\\.txt Processes: %programfiles(x86)%\Citrix\ICA Client\MediaEngineService.exe %programfiles(x86)%\Citrix\ICA Client\CDViewer.exe %programfiles(x86)%\Citrix\ICA Client\concentr.exe %programfiles(x86)%\Citrix\ICA Client\wfica32.exe %programfiles(x86)%\Citrix\ICA Client\AuthManager\AuthManSvr.exe %programfiles(x86)%\Citrix\ICA Client\SelfServicePlugin\SelfService.exe %programfiles(x86)%\Citrix\ICA Client\SelfServicePlugin\SelfServicePlugin.exe Please note that these exclusions for Receiver are typically not needed. We have only seen a need for these in environments where the antivirus is configured with stricter than usual policies or where multiple security agents are in use simultaneously (AV, DLP, HIP, etc.)

In case you feel compelled to look at multiple articles and posts, here are a few references:

Until next time!

Migs

Enterprise Architect | Citrix Consulting

Topics

Products