There are lots of Citrix support articles and blog posts out there with information on recommended antivirus exclusions for Citrix products, all of which have been extremely helpful over the years. But let’s face it, it is a little annoying to have to gather information from multiple product-specific posts/articles to get all configurations that apply to your virtualization solution.
The introduction of the “Current Release” Servicing Option this year (2016) and resulting frequent product release cycles, in particular, has made it, to say the least, challenging to maintain content that recommends whitelisting all Citrix services against an ever-changing set of product services. So, my goal here is to provide you with a consolidated list of recommended antivirus exclusions for your Citrix virtualization environment focused on the key processes, folders, and files that we have seen cause issues in the field (and for the most part tend to remain consistent across releases, no guarantees though), rather than identifying every single Citrix process, folder, and file for each product.
Before we continue… WARNING! While we generally feel these configurations and exclusions provide the best balance between security and performance, please don’t forget that antivirus exclusions increase the attack surface of a system and might expose it to real security threats. Citrix does NOT recommend implementing any of these settings in production without first discussing them with your organization’s security teams and thoroughly testing and validating them in a test environment.
Now, just because files and folders are excluded from real-time and/or on-access scans, it doesn’t mean they should never be scanned. Scheduled full-system scans for your infrastructure servers (and any persistent machines) should still be performed to ensure everything in the system is safe, but it should be done during non-business or off-peak hours to mitigate any performance impact as much as possible.
One more thing before we get into the recommendations: the exclusions recommended include folders, files, and processes. Folder and file exclusions are pretty straightforward; we don’t want those files or folders to be scanned when accessed or modified. When it comes to processes, however, there is typically some confusion about what the goal is. When excluding processes, what we want is to prevent any reads and writes done by those processes from being scanned, not necessarily to prevent the exe file itself from being scanned. In some antivirus solutions, this is referred to as defining trusted processes.
The following recommendations apply to all Citrix components:
Set real-time scanning to scan local drives only and not network drives
Disable scan on boot
Remove any unnecessary antivirus related entries from the Run key
Exclude the pagefile(s) from being scanned
Exclude Windows event logs from being scanned
Exclude IIS log files from being scanned
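The post does not name a particular antivirus product, so as an added example (not Citrix's own script) here is how the general recommendations above, plus a "trusted process" exclusion in the sense described earlier, map onto the Windows Defender cmdlets that ship with Windows Server 2016 and Windows 10. The IIS log path is assumed to be the default and the trusted-process path is a placeholder; the Run-key step only reports candidate entries for an administrator to review rather than deleting anything.

```powershell
# Added example, not from the Citrix post: applies the general AV recommendations
# using Windows Defender cmdlets. Defender is an assumption; the post names no product.
# Run in an elevated session on a test machine before rolling out.

#Requires -RunAsAdministrator

# Real-time scanning of local drives only: skip files opened from network shares.
Set-MpPreference -DisableScanningNetworkFiles $true

# Defender has no scan-on-boot toggle to flip here; instead surface Run-key entries
# that look antivirus-related so leftover autostart items can be reviewed and removed.
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    if (Test-Path $key) {
        Get-ItemProperty -Path $key |
            Select-Object -Property * -ExcludeProperty PS* |
            ForEach-Object { $_.PSObject.Properties } |
            Where-Object { $_.Value -match 'antivirus|anti-virus|scan' } |   # heuristic match only
            ForEach-Object { Write-Output ("Run entry to review: {0} = {1}" -f $_.Name, $_.Value) }
    }
}

# Exclude every active pagefile; Win32_PageFileUsage lists the files currently in use.
$pagefiles = Get-CimInstance -ClassName Win32_PageFileUsage | Select-Object -ExpandProperty Name
foreach ($pf in $pagefiles) { Add-MpPreference -ExclusionPath $pf }

# Windows event logs live under %SystemRoot%\System32\winevt\Logs.
Add-MpPreference -ExclusionPath (Join-Path $env:SystemRoot 'System32\winevt\Logs')

# IIS logs: default location assumed; adjust if the site's logging directory was moved.
$iisLogs = Join-Path $env:SystemDrive 'inetpub\logs\LogFiles'
if (Test-Path $iisLogs) { Add-MpPreference -ExclusionPath $iisLogs }

# Trusted-process exclusion: reads and writes performed by this process are not scanned,
# while the executable file itself still is. Placeholder path, not a real Citrix binary.
# Add-MpPreference -ExclusionProcess 'C:\Path\To\TrustedProcess.exe'

# Report the resulting configuration so the change can be reviewed and recorded.
Get-MpPreference |
    Select-Object DisableScanningNetworkFiles, ExclusionPath, ExclusionProcess |
    Format-List
```

Other products expose the same three knobs (network-drive scanning, path exclusions, trusted processes) through their own consoles; the point is that pagefile and log paths are discovered from the machine rather than hard-coded, and that the Run-key audit leaves the removal decision to the administrator.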
The following are the recommendations specific to each component:
Please note that these exclusions for Receiver are typically not needed. We have only seen a need for these in environments where the antivirus is configured with stricter than usual policies or where multiple security agents are in use simultaneously (AV, DLP, HIP, etc.).
In case you feel compelled to look at multiple articles and posts, here are a few references: