Deploy anti-virus software

Oct 30, 2017

You can deploy some of the most commonly used anti-virus products in an App Layering environment. The products include versions of Symantec, McAfee, Trend Micro, Sophos, Kaspersky, and AVG.

Some anti-virus installation procedures require that you modify the Windows Registry.

Warning

Using Registry Editor incorrectly can cause serious problems that can require you to reinstall the operating system. Citrix cannot guarantee that problems resulting from incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. Ensure you back up the registry before you edit it.

Anti-virus software update options

When you deploy anti-virus software in an App Layering layer, one of the considerations is how to handle the anti-virus updates. You can either:

  • Enable auto updates, and store the updates in the user's Personalization Layer. If auto updates happen daily, it can be the most convenient approach. Reinstall a major product update on the App Layering management console by redeploying the layer to the desktop. Ensure that you select the Reinstall the layer check box when you redeploy.
  • Disable auto updates, and redeploy the layer for each update. This step requires updating the layer when you want to install new updates.

Before you start

When deploying any anti-virus software package in App Layering, the following might be required:

  • Start the Remote Registry Service for any of the remote installations.
  • Disable the firewall on the desktop before installing to allow the products to install.
  • Disable Windows Defender.
  • Enable or disable User Account Control (UAC).
  • Read the installation instructions for virtual desktop infrastructure (VDI) deployments on the website for the product you are installing.

AVG AntiVirus

You can use a gold image or an Application Layer to deploy the AVG Business Edition anti-virus software in the App Layering environment.

Deployment methods

Use one of the following methods to install the AVG anti-virus software:

  • Install the software on a gold image of the operating system and import it to a new OS Layer.
  • Install the software on an Application Layer and assign the layer to new or existing desktops.

Citrix supports AVG AntiVirus Business Edition version 13.0.0.x only.

To install the software on a gold image

Install the AVG software on the gold image.

Open the AVG application and select AVG Settings Manager.

Select Edit AVG Settings.

Select System Services, and disable all AVG Services.

Select AVG Advanced Settings, Anti-Virus, Cache Server, and disable file caching.

Delete cache files:

On Windows 7, delete the following files:

C:\ProgramData\AVG2013\Chjw\*.*

Enable all the AVG Services again.

Shut down the gold image.

Create an OS Layer by using the gold image.

On newly deployed desktops, enable the Caching option again, which can happen automatically through integration with AVG Remote Administrator.

To install the software on an App Layer

  1. Install the AVG software on the App Layer.
  2. Deploy the App Layer to desktops.

To enable the Scan files on close option

  1. Open Advanced settings (F8).
  2. Select Antivirus > Resident Shield.
  3. Select the Scan files on close option, and save the setting.

Kaspersky anti-virus software

This section provides Kaspersky installation information that is specific to the App Layering environment. See the Kaspersky documentation for more instructions about installing the software in a VDI environment. Read the Dynamic VDI support section in this article to learn about using Kaspersky for non-persistent desktops in a VDI environment.

App Layering supports the following versions of Kaspersky anti-virus software:

  • Kaspersky Endpoint Security version 10.2.5.3201
  • Kaspersky Administration version 10.3.407.0
  • Kaspersky Administration Server version 8.0.2163
  • Kaspersky Anti-Virus for Windows Workstations version 6.0.4.1424
  • Kaspersky for VDI Agentless version 3.0
  • Kaspersky Endpoint Security version 10.1.0.867(a)
  • Kaspersky Endpoint Security version 10.2
  • Kaspersky for VDI Agentless version 3.1.0.77

Note

Encryption with Kaspersky 10.2 is not supported. Kaspersky 10.2 Encryption uses a form of disk virtualization that bypasses App Layering virtualization, and as such is incompatible with App Layering. Before you deploy Kaspersky 10.2, disable the encryption options.

Deployment methods

Use one of the following methods to deploy the Kaspersky anti-virus software:

  • Install the software on an App Layer or App Layer revision.
  • Install the software on the gold image you import into an OS Layer.
  • Install the software on an OS Layer revision.

Requirements

  • If you deploy the Kaspersky software on a new OS Layer, install the software on the gold image before you install App Layering Machine Tools.
  • If you use the Kaspersky Administration Server to manage the desktop, install Kaspersky Anti-Virus for Workstations and NetAgent on the Packaging Machine or a gold image.
  • If you do not plan to use the Kaspersky Administration Server, install Kaspersky Anti-Virus for Workstations only on the Packaging Machine or the gold image.
  • When you install the Kaspersky NetAgent, clear the selection for the start application during install option.
  • When you install the Kaspersky Anti-Virus for Workstations in a stand-alone configuration, do not enable password protection for any of the administrative options. The password you type on the Packaging Machine or gold image does not work on the desktop after you deploy the software.
  • After you install the Kaspersky software on a Packaging Machine (for App Layers or layer revisions), a system restart (and desktop image rebuild) is required.

Kaspersky 10.2 special requirement

Add a value to the Unifltr service in the registry before you add Kaspersky 10.2 to the gold image or to a layer.

To edit the registry

  1. Click Start, click Run, and then type regedit.
  2. Navigate to the HKLM\System\CurrentControlSet\Services\Unifltr key.
  3. On the Edit menu, click New, and then click DWORD (32-bit) value.
  4. In the right pane, right-click the New value and select Modify.
  5. In Value name, type the name MiniFilterBypass.
  6. In Value, type 1 and then click OK.
  7. Close Registry Editor.
  8. Restart the machine, as the setting is only read at start time.
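
The same registry change as a script, with the registry backup that the warning at the top of this article asks for. This is an added example, not Citrix or Kaspersky code. It assumes an elevated session and PowerShell 3.0 or later; the backup file location is an assumption.

```powershell
# Added example: scripted form of the regedit steps above.
# Run elevated, before you add Kaspersky 10.2 to the gold image or layer.
$ErrorActionPreference = 'Stop'

$regKey     = 'HKLM\System\CurrentControlSet\Services\Unifltr'    # key named on this page
$psPath     = 'HKLM:\System\CurrentControlSet\Services\Unifltr'   # same key, PowerShell form
$valueName  = 'MiniFilterBypass'                                  # value named on this page
$backupFile = Join-Path $env:TEMP 'Unifltr-before-MiniFilterBypass.reg'   # assumed location

# The page's steps navigate to an existing key, so do not create it if missing.
if (-not (Test-Path -LiteralPath $psPath)) {
    throw "Registry key $regKey not found; nothing was changed."
}

# Back up the key before editing it.
& reg.exe export $regKey $backupFile /y | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "reg export failed with exit code $LASTEXITCODE; nothing was changed."
}

# Idempotent: only write when the value is missing or different.
$current = (Get-ItemProperty -LiteralPath $psPath -Name $valueName -ErrorAction SilentlyContinue).$valueName
if ($current -eq 1) {
    Write-Output "$valueName is already 1. Backup written to $backupFile."
}
else {
    New-ItemProperty -LiteralPath $psPath -Name $valueName -PropertyType DWord -Value 1 -Force | Out-Null

    # Read the value back so a silent failure does not go unnoticed.
    $after = (Get-ItemProperty -LiteralPath $psPath -Name $valueName).$valueName
    if ($after -ne 1) {
        throw "$valueName was not set as expected (read back '$after')."
    }
    Write-Output "$valueName set to 1. Backup written to $backupFile."
    Write-Output 'Restart the machine: the setting is only read at start time.'
}
```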

Note

Attempts to finalize Kaspersky for Virtualization Light Agent 3.0 on Windows 7 32-bit and Windows 7 64-bit packaging machines fail. The failure occurs when layer integrity attempts to restart.

 

Special steps for installing the software on an App Layer

To install the Kaspersky software on an App Layer

  1. Install the Kaspersky software on the Packaging Machine.
    If you deploy nonpersistent desktops running Kaspersky, mark the image as a Dynamic VDI. When you mark the image, the Kaspersky Administration Server considers the clones of this image dynamic. When a clone is disabled, its information is automatically deleted from the database. To mark the image of a dynamic VDI, install the Kaspersky Network Agent with the Enable dynamic mode for VDI parameter enabled. For details, see the section of this article on Dynamic VDI support.
  2. Restart the Packaging Machine.
    When you restart the Packaging Machine, it might display the STOP message 0x75640001 several times. The Packaging Machine restarts normally. No intervention is necessary. When you deploy this layer, the desktops restart normally and the STOP message does not appear.
  3. Finalize the layer.

The Kaspersky NetAgent might not start when users log on to the desktop for the first time. This issue occurs when you assign the App Layer with the Kaspersky software to a desktop. Restart the desktop to start the NetAgent software.

Possible issues

The following interoperability issues can occur on App Layering desktops that have Kaspersky anti-virus software installed.

Kaspersky NetAgent startup
If you use an App Layer to deploy the Kaspersky NetAgent software to a desktop, the NetAgent software might not start when the desktop restarts. The Windows Event Viewer can show the following error:

#1266 (0) Transport level error while connection to: authentication failure

If the NetAgent software doesn't start, restart the desktop. Then the NetAgent software starts correctly.

Kaspersky 10 - end-user Pause causes Network Attack Blocker to stop working
When using Kaspersky 10, the end-user Pause causes the Network Attack Blocker to stop working. To fix this issue, restart the Kaspersky software. The Network Attack Blocker continues to run.

McAfee anti-virus software

The following procedures describe how to use an OS Layer or an App Layer to deploy the McAfee anti-virus software in an App Layering environment.

Deployment method

Use one of the following methods to deploy the McAfee anti-virus software:

  • Install the software on a gold image that you import into an OS Layer.
  • Install the software on an OS Layer version.
  • Install the software on an App Layer and assign the layer to new or existing desktops.

App Layering supports the following versions of McAfee software:

  • ePolicy Orchestrator (ePO), versions 4.6.4, 5.3.1, and 5.3.2
  • McAfee Agent, versions 4.8.0.1938, 5.0.2.188, and 5.0.4.283
  • VirusScan Enterprise, versions 8.8.0.1528, 8.8.0.1445, and 8.8.0.1599

If you use the ePolicy Orchestrator 5.3.1 server to create the McAfee Agent installation package, set the Agent Contact Method priority in the following sequence to communicate correctly with IM in workgroup:

  • IP Address
  • FQDN
  • NetBIOS Name

Also disable the 'Enable self protection' option for the McAfee Agent policy.

Installation requirements

The requirements for installing McAfee anti-virus on a gold image and on an App Layer are the same. You can also find the requirements for including the agent on an image in the McAfee ePO product guide.

Depending on the McAfee version, you might need to remove the Globally Unique Identifier (GUID) for the McAfee Agent after you install it. See the McAfee documentation for the version of the software you are using for more information.

Use the following procedure if you plan to use an OS Layer to deploy the McAfee anti-virus software on App Layering desktops.

To install the software on a gold image

Install the McAfee Agent software on the gold image. The gold image becomes visible in the ePolicy Orchestrator System Tree systems list.

Install the McAfee VirusScan Enterprise software on the gold image:

    a. When prompted to remove Windows Defender, click Yes.

    b. Allow the McAfee Agent Updater to complete the update. This step can take several minutes to complete.

    c. Click Finish to complete the installation.

After the installation is complete, a scan starts. Allow the scan to complete.

Change the McAfee Start value:

    a. Open the McAfee VirusScan Console, and disable the AccessProtection.

    b. Open the registry editor (regedit), go to [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\mfehidk], and change the Start value from 0 to 1.

    c. Exit Registry Editor.

    d. In the McAfee VirusScan Console, enable the AccessProtection.

If McAfee requires it for your VDI setup, remove the GUID for the Agent (check the McAfee documentation to determine if this step is necessary):

    a. Open registry editor (regedit).

    b. Delete the following registry keys:

32-bit: HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\ePolicy Orchestrator\Agent\AgentGUID
64-bit: HKEY_LOCAL_MACHINE\SOFTWARE\WoW6432Node\Network Associates\ePolicy Orchestrator\Agent\AgentGUID

When prompted, restart the gold image to allow McAfee to install its drivers.

Shut down the gold image and import it to an OS Layer.

To install the software on a layer

Use this procedure if you plan to use a layer to deploy the McAfee anti-virus software on App Layering desktops.

In the App Layering management console, complete the Create Layer wizard.

When prompted to install the software, install the McAfee Agent software on the Packaging Machine. After completing the installation, the Packaging Machine is visible in the ePolicy Orchestrator System Tree systems list.

Install the McAfee VirusScan Enterprise (VSE) software on the Packaging Machine.

    a. If prompted to remove Windows Defender, click Yes.

    b. Install the VSE software on the Packaging Machine using files from the McAfee EPO server. Otherwise, allow the McAfee Agent Updater to complete an update. This step can take several minutes to complete.

    c. Click Finish to complete the installation.

Change the McAfee Start value:

    a. Open the McAfee VirusScan Console, and disable the AccessProtection.

    b. Open the registry editor, go to [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\mfehidk], and change the Start value from 0 to 1.

    c. In the McAfee VirusScan Console, enable the AccessProtection.

If McAfee requires it for your VDI setup, remove the GUID for the Agent (check the McAfee documentation to determine if this step is necessary):

    a. Open the registry editor.

    b. Delete the following registry keys:

32-bit: HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\ePolicy Orchestrator\Agent\AgentGUID
64-bit: HKEY_LOCAL_MACHINE\SOFTWARE\WoW6432Node\Network Associates\ePolicy Orchestrator\Agent\AgentGUID

Finalize the App Layer and deploy the layer in the usual way.

Possible interoperability issues

The following interoperability issues can occur on App Layering desktops with McAfee anti-virus software installed.

Delays in opening video files

If you configure the McAfee anti-virus software to scan script files, there can be long delays when you open video files in Internet Explorer.

When you try to open these files, the McAfee software and App Layering try to perform operations on these files at the same time. This conflict causes a delay in running the video file. All other windows and applications continue to function normally.

If you encounter this type of delay, wait for the video file to run. Eventually, the McAfee operation times out and the App Layering operation completes.

This issue has no effect on the ability of the anti-virus software to check the video files for viruses.

Desktops with McAfee layer are not visible from ePolicy Orchestrator

If you cannot see desktops in the McAfee layer in ePolicy Orchestrator, fix the issue by using the steps in the following McAfee knowledge base article:

How to reset the McAfee Agent GUID if computers are not displayed in the ePolicy Orchestrator directory.

McAfee MOVE AntiVirus software

The following procedures describe how to deploy the McAfee MOVE AntiVirus software in an App Layering environment.

Note

These instructions assume that you installed and configured McAfee MOVE AntiVirus software on McAfee ePolicy Orchestrator (ePO).

To deploy the McAfee MOVE AntiVirus software, install the software on an App Layer and assign the layer to existing desktops.

The following versions of McAfee MOVE AntiVirus software are supported.

  • McAfee Agent for Windows, version 4.8.0.1938
  • McAfee AV MOVE Multi-Platform client, version 3.6.0.347
  • McAfee VirusScan Enterprise, version 8.8.0.1247
  • McAfee AV MOVE Multi-Platform Offload Scan Server, version 3.6.0.347
  • McAfee VirusScan Enterprise, version 8.8.0.1445 and 8.8.0.1599
  • McAfee AV MOVE Multi-Platform Offload Scan Server, version 3.6.1.141 and 4.5.0.211

Note

The McAfee Agent does not start for Remote Desktop sessions.

Installation requirements

Before you install McAfee MOVE, disable Windows Defender in Windows 7.

To create a McAfee Agent MOVE AV CLIENT App Layer

In the App Layering management console, navigate to Layers > Application Layer > Create Layer.
The Create Layer Wizard opens.

Complete the Create Layer Wizard and click Create Layer on the Confirm and Complete tab.

View the current tasks in the App Layering management console.
First, confirm that the Create Application Layer <layer_name> task shows a "Running" status. When the status of the Create Application Layer <layer_name> task changes to 'Action Required', log on to the Packaging Machine as an administrator.

Move the McAfee Agent software to the Packaging Machine by using the McAfee ePolicy Orchestrator. The Packaging Machine becomes visible in the ePO System Tree list and the McAfee icon appears in the taskbar of the Packaging Machine.

Use the Product Deployment task on the ePO to install the McAfee MOVE AV [Multi-Platform] Client on the Packaging Machine.

Restart the Packaging Machine and then log on as an administrator.

On the Packaging Machine, delete the value for the registry key named AgentGUID from one of the following locations:

  • 32-bit: HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\ePolicy Orchestrator\Agent
  • 64-bit: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Network Associates\ePolicy Orchestrator\Agent

Shut down the Packaging Machine.

Finalize the App Layer.

Microsoft Security Essentials

The following procedures describe how to use an OS Layer or an App Layer to deploy the Microsoft Security Essentials anti-virus software in App Layering.

App Layering supports the following versions of Microsoft Security Essentials anti-virus software:

  • Microsoft Security Essentials 2012 version 4.10.0209.0
    • Antimalware Client Version: 4.2.223.0
    • Engine Version: 1.1.9901.0
    • Antivirus definition: 1.159.324.0
    • Antispyware definition: 1.159.324.0
    • Network Inspection System Engine Version: 2.1.9900.0
    • Network Inspection System Definition Version: 108.1.0.0

Deployment method

Use one of the following methods to deploy the Microsoft Security Essentials anti-virus software:

  • Install the software on a gold image that you import into an OS Layer.
  • Install the software on an OS Layer version.
  • Install the software on an App Layer.

Installation requirements

The Microsoft Security Essentials anti-virus software in an App Layering gold image, OS Layer version, or App Layer.

Enable the Windows Update service, but do not use the Windows Updates. The updates must remain disabled.

Configure Microsoft Security Essentials for Windows 7 on an App Layering Layer version.

Use these steps to configure Microsoft Security Essentials on Windows 7 (32-bit or 64-bit).

By default, the App Layering Optimization script disables the Windows Update service. To deploy Microsoft Security Essentials as either an OS or App Layer on Windows 7, do the following:

  1. Create an OS or App Layer version.
  2. Go to C:\windows\setup\scripts and run the App Layering Optimization Script Builder. If the script builder is not available, download it again from the App Layering Machine OS Tools ZIP file.
  3. In the App Layering Optimization Script Builder, disable Disable Windows Update Service.
  4. Finalize the Layer.

The Update service startup type changes from Disabled to Manual. Windows Updates are not enabled, which is an App Layering requirement.

During installation, check services.msc and ensure that the Windows Update Service startup type is set to Manual. If it’s not, change the Windows Update Service startup type to Manual and restart Windows.

Troubleshooting failed Microsoft Windows Essentials updates

If the Microsoft Security Essentials update fails on a desktop because Windows updates are disabled, try the following.

  • Enable Windows Updates in Control Panel. Microsoft Security Essentials can then update automatically on the desktop.
  • If you disabled Windows Updates by using the Local Group Policy Editor, edit the registry to remove the Local Group Policy:
    1. Run Registry Editor and remove the Local Group Policy.
    2. Restart the machine.
    3. Enable Windows Updates from Control Panel.

Sophos Cloud Anti-Virus - All supported operating systems

App Layering supports the following versions:

  • Sophos Enterprise Console 5.4
  • Sophos Endpoint Security and Control 10.6.3.537
  • Sophos Endpoint Security and Control 11.5.2 Cloud

Before you start, create and activate your Sophos Cloud account, as described in the Sophos documentation.

To install the Sophos Cloud software on a new version of the OS Layer

In the App Layering management console, select Layers > OS Layers > Add Version.

When the task status changes to Action Required, prepare your packaging machine according to the General Guidelines for deploying anti-virus software. You can find this information at the beginning of this article.

Join the packaging machine to the domain.

Note

The Sophos installer creates Groups and puts users into them. Ensure that the packaging machine is in the domain.

On the packaging machine, log on to your Sophos Cloud console.

Download SophosInstall.exe from your Sophos Cloud account.

Important

Do not use the emailed installer for this installation.

Install the Sophos Cloud software on the packaging machine.

When the task to install Sophos is complete (or indicates that an Action is required), restart the packaging machine.

In your Sophos Cloud console, click Reports > Events. Ensure that Sophos Cloud manages the computer and that it is current before you continue.

Stop and disable the following Windows services:

  • Sophos MCS Client
  • Sophos MCS Agent

Delete the following files:

  • C:\ProgramData\Sophos\AutoUpdate\cache\rms_cache
  • C:\ProgramData\Sophos\AutoUpdate\cache\savxp_cache
  • C:\ProgramData\Sophos\AutoUpdate\cache\ntp64_cache
  • C:\ProgramData\Sophos\AutoUpdate\cache\sau_cache
  • C:\ProgramData\Sophos\AutoUpdate\cache\ssp_cache
  • C:\Windows\Temp\sophos_autoupdate1.dir

In Windows 7 | Windows 8.1 | Windows Server 2008 R2:

  • C:\ProgramData\Sophos\Management Communications System\Endpoint\Persist\Credentials
  • C:\ProgramData\Sophos\Management Communications System\Endpoint\Persist\EndpointIdentity.txt
  • C:\ProgramData\Sophos\Management Communications System\Endpoint\Persist\*.xml
  • C:\ProgramData\Sophos\AutoUpdate\data\machine_ID

Edit the Sophos configuration:

  1. Navigate to the Sophos configuration folder for your operating system:
    Windows 7 | Windows 8.1 | Windows Server 2008 R2
    C:\ProgramData\Sophos\Management Communications System\Endpoint\Config\
  2. Create or open a file called registration.txt, and add the following lines to this file:
    [McsClient]
    Token=value_of_MCS_REGISTRATION_TOKEN
    where value_of_MCS_REGISTRATION_TOKEN is the value of the MCS_REGISTRATION_TOKEN, which identifies your Sophos Cloud account. Extract the value of this token from SophosInstall.exe.

Edit the Sophos setup file:

    a. In the following folders, create a file called SophosSetup.cmd.

    Windows 7 | Windows 8.1 | Windows 2008 R2 Datacenter
    C:\Windows\Setup\scripts\kmsdir

    b. Add the following lines to this file, including the double quotes:

sc config "Sophos MCS Client" start= auto

sc config "Sophos MCS Agent" start= auto

net start "Sophos MCS Client"

net start "Sophos MCS Agent"

Edit the commands to run each time Sophos is started:

    a. Edit the file c:\Windows\Setup\scripts\kmsdir\kmssetup.cmd.

    b. Add the following script to the section labeled, Commands to run every boot. This script runs the SophosSetup.cmd file. Script details:

REM Change Sophos Service to Automatic - once
If EXIST SophosSetup.cmd (
echo !date!-!time!-kmssetup.cmd:Call SophosSetup.cmd >> SophosSetuplog.txt
Call SophosSetup.cmd >> SophosSetuplog.txt
Copy SophosSetup.cmd SophosSetupCMD.txt >> SophosSetuplog.txt
Del SophosSetup.cmd >> SophosSetuplog.txt
)

Join the Packaging Machine back to the workgroup.

Finalize the OS Layer.

Sophos Anti-Virus - Windows 7, Windows 8.1, and Windows 2008 R2 desktops

This section explains how to deploy Sophos Anti-Virus on new or existing desktops. You can add Sophos Anti-Virus to either the gold image or to a version of the OS Layer.

These procedures are based on the Sophos knowledge base article Sophos Anti-Virus for Windows 2000+: incorporating current versions in a disk image, including for use with cloned virtual machines.

Note

If Sophos is unable to update the Sophos Auto Update module, the virus signature updates also fail. To allow Sophos to update its own updater, edit your OS Layer and delete this directory:

C:\ProgramData\Sophos\AutoUpdate\Cache\sau

Deployment method

Use a gold image or an OS Layer version to deploy Sophos software. You cannot deploy Sophos software as an App layer. Sophos creates a user account that it uses for updates on the desktops it manages. App Layering supports these user accounts in the gold image or OS Layer Version.

To configure the gold image or the OS Layer version

Install the Sophos software on the gold image or OS Layer version.

If using a gold image, install the App Layering Tools on the image. If using an OS Layer version, skip this step.

When prompted, allow the system to restart, but do not shut down the gold image after installation finishes. Complete the rest of this procedure first.

Stop and disable only the following Sophos services. When you deploy the desktops, a Mini-Setup runs. Disabling the specified services ensures that the Sophos services do not start until the Mini-Setup is complete.

  • Sophos Agent
  • Sophos AutoUpdate Service
  • Sophos Message Router

Open Registry Editor and delete the pkc and pkp values for the following keys:

Windows 32-bit systems
HKLM\Software\Sophos\Messaging System\Router\Private\
HKLM\Software\Sophos\Remote Management System\ManagementAgent\Private\

Windows 64-bit systems
HKLM\Software\Wow6432Node\Sophos\Messaging System\Router\Private\
HKLM\Software\Wow6432Node\Sophos\Remote Management System\ManagementAgent\Private\

Delete the following files:

C:\ProgramData\Sophos\AutoUpdate\data\machine_ID.txt
C:\ProgramData\Sophos\AutoUpdate\data\status\status.xml

Rename the following directories:

From: C:\ProgramData\Sophos\AutoUpdate\Cache\savxp

To: C:\ProgramData\Sophos\AutoUpdate\Cache\savxp.copy

From: C:\ProgramData\Sophos\AutoUpdate\Cache\rms

To: C:\ProgramData\Sophos\AutoUpdate\Cache\rms.copy

Renaming the directories is required because App Layering blocks attempts to rename directories that exist on a gold image, and the Sophos update needs to rename these directories.

Create a file named SophosSetup.cmd and place it in the C:\Windows\Setup\scripts\kmsdir folder. (If the folder doesn't exist, create it).

Add the following lines to SophosSetup.cmd. Include the double quotes as shown.

pushd "c:\ProgramData\Sophos\AutoUpdate\Cache"
xcopy savxp.copy\*.* savxp\*.* /s/y
xcopy rms.copy\*.* rms\*.* /s/y
sc config "Sophos Agent" start= auto
sc config "Sophos AutoUpdate Service" start= auto
sc config "Sophos Message Router" start= auto
net start "Sophos Agent"
net start "Sophos AutoUpdate Service"
net start "Sophos Message Router"
cd "c:\Windows\Setup\scripts\kmsdir"
popd

Edit the c:\Windows\Setup\scripts\kmsdir\kmssetup.cmd file, and add the following script to the section labeled, 'Commands to run every boot'. This script runs the SophosSetup.cmd file.

Example of kmssetup.cmd with Sophos script:

REM Change Sophos Service to Automatic - once
If EXIST SophosSetup.cmd (
echo !date!-!time!-kmssetup.cmd:Call SophosSetup.cmd >> SophosSetuplog.txt
Call SophosSetup.cmd >> SophosSetuplog.txt
Del SophosSetupCMD.txt >> SophosSetuplog.txt
Copy SophosSetup.cmd SophosSetupCMD.txt >> SophosSetuplog.txt
Del SophosSetup.cmd >> SophosSetuplog.txt
)

If you are using a gold image, shut down the gold image, and use the App Layering management console to create an OS Layer. The gold image imports into the new OS Layer.

If you are using an OS Layer version, finalize the version.

To become protected, restart persistent desktops an extra time. Use the App Layering management console to restart the desktop.
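
A read-only check to run just before you shut down the gold image or finalize the layer, covering the McAfee AgentGUID step and the Sophos Anti-Virus steps above. It is an added example, not Citrix, McAfee, or Sophos code. It assumes an elevated session and PowerShell 3.0 or later; function and variable names are illustrative.

```powershell
# Added example: read-only audit, it changes nothing on the machine.
# It reports per-machine identifiers this page says to remove, and Sophos
# services that would start (or never start) in the wrong state on clones.

function New-Finding([string]$Product, [string]$Item, [string]$Problem) {
    [pscustomobject]@{ Product = $Product; Item = $Item; Problem = $Problem }
}

# Registry values the page says to delete. The McAfee entry matters only if
# the McAfee documentation requires GUID removal for your version.
$staleValues = @(
    @{ Product = 'McAfee Agent'; Names = @('AgentGUID'); Keys = @(
        'HKLM:\SOFTWARE\Network Associates\ePolicy Orchestrator\Agent',
        'HKLM:\SOFTWARE\Wow6432Node\Network Associates\ePolicy Orchestrator\Agent') },
    @{ Product = 'Sophos Anti-Virus'; Names = @('pkc', 'pkp'); Keys = @(
        'HKLM:\Software\Sophos\Messaging System\Router\Private',
        'HKLM:\Software\Sophos\Remote Management System\ManagementAgent\Private',
        'HKLM:\Software\Wow6432Node\Sophos\Messaging System\Router\Private',
        'HKLM:\Software\Wow6432Node\Sophos\Remote Management System\ManagementAgent\Private') }
)

# Files the page says to delete in the Sophos Anti-Virus procedure.
$staleFiles = @(
    'C:\ProgramData\Sophos\AutoUpdate\data\machine_ID.txt',
    'C:\ProgramData\Sophos\AutoUpdate\data\status\status.xml'
)

$sophosServices = @('Sophos Agent', 'Sophos AutoUpdate Service', 'Sophos Message Router')
$cacheDir       = 'C:\ProgramData\Sophos\AutoUpdate\Cache'
$setupCmd       = 'C:\Windows\Setup\scripts\kmsdir\SophosSetup.cmd'

function Get-ImagePrepFindings {
    # 1. Leftover registry identifiers.
    foreach ($entry in $staleValues) {
        foreach ($keyPath in $entry.Keys) {
            if (-not (Test-Path -LiteralPath $keyPath)) { continue }   # product or bitness absent
            $present = (Get-Item -LiteralPath $keyPath).GetValueNames()
            foreach ($name in $entry.Names) {
                if ($present -contains $name) {
                    New-Finding $entry.Product "$keyPath\$name" 'per-machine value still present'
                }
            }
        }
    }

    # 2. Leftover identity and status files.
    foreach ($file in $staleFiles) {
        if (Test-Path -LiteralPath $file) {
            New-Finding 'Sophos Anti-Virus' $file 'per-machine file still present'
        }
    }

    # 3. Sophos services must be stopped and disabled in the image.
    $sophosFound = $false
    foreach ($name in $sophosServices) {
        $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name' OR DisplayName='$name'"
        if (-not $svc) { continue }
        $sophosFound = $true
        if ($svc.StartMode -ne 'Disabled' -or $svc.State -ne 'Stopped') {
            New-Finding 'Sophos Anti-Virus' $name "service is $($svc.State)/$($svc.StartMode); expected Stopped/Disabled"
        }
    }

    if ($sophosFound) {
        # 4. Without SophosSetup.cmd the disabled services are never re-enabled,
        #    so deployed desktops would run with Sophos switched off.
        if (-not (Test-Path -LiteralPath $setupCmd)) {
            New-Finding 'Sophos Anti-Virus' $setupCmd 'missing; services would stay disabled on deployed desktops'
        }
        # 5. Cache directories must be renamed so SophosSetup.cmd can copy them back.
        foreach ($dir in 'savxp', 'rms') {
            if (Test-Path -LiteralPath (Join-Path $cacheDir $dir)) {
                New-Finding 'Sophos Anti-Virus' (Join-Path $cacheDir $dir) "not renamed to $dir.copy"
            }
            if (-not (Test-Path -LiteralPath (Join-Path $cacheDir "$dir.copy"))) {
                New-Finding 'Sophos Anti-Virus' (Join-Path $cacheDir "$dir.copy") 'renamed copy not found'
            }
        }
    }
}

$findings = @(Get-ImagePrepFindings)
if ($findings.Count -eq 0) {
    Write-Output 'No leftover identifiers or service-state problems found.'
}
else {
    $findings | Format-Table -AutoSize -Wrap
}
```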

Optional: Adjust the security identifier

After you import the gold image into an OS Layer, you might be required to update the security identifier (SID) values. To do so, create a version for the OS Layer to update the SID in one of the Sophos configuration files. The following Sophos knowledge base article explains how to update the security identifier (SID) values in one of the Sophos configuration files: You do not have sufficient privileges to run the Sophos Endpoint Security and Control main application. You are not a member of any of the Sophos groups.

When do I adjust the SID?

If you deploy a desktop in the OS Layer and users cannot open the Sophos Endpoint Security and Control user interface, adjust the SID.

SID adjustment procedure

You can do these steps either before or after importing the gold image into the App Layering environment. If you already imported the gold image, you can do these steps by editing the latest OS Layer revision. You can also create a revision of the OS Layer.

To adjust the SID

Download the script file called UpdateSID.vbs from the Sophos website. Place this file in the C:\Windows\Setup\Scripts directory. This script is required to fix the machine ID after deploying a desktop.

Edit the file C:\Windows\Setup\Scripts\SophosSetup.cmd, and add the following two lines to the end of the file:

cd \Windows\setup\scripts
cscript.exe UpdateSID.vbs //B

If the script is for an OS layer version, finalize the version.

You can now create desktops by using this version of the OS Layer. Ensure that the desktops can connect to the Enterprise Console, register, and update according to the schedule.

Symantec Endpoint Protection software

You can deploy the Symantec™ Endpoint Protection application by using any of the following methods:

  • Install the application on a gold image, then import the gold image into an OS Layer.
  • Install the application as an OS Layer version.
  • Install the application as part of an App Layer.

Note

Citrix recommends using on-access scanning in App Layering deployments. After marking the files “clean,” the Symantec Shared Insight Cache improves performance by not scanning the files in a Layer again.

Citrix supports the following Symantec Endpoint Protection versions for the client and manager:

  • 12 and 12.1
  • 12.1.4
  • 12.1.5
  • 12.1.6 (12.1 RU6 MR6) build 7004 (12.1.7061.6600)
  • 14 MP 1 (14.0.2332)

Note

Symantec Endpoint Protection 12.1.2 and 12.1.3 are not supported because of a Symantec issue that prevents App Layering from working correctly.

Symantec Endpoint Protection and Windows compatibility

Symantec Endpoint Protection supports the Windows 8.1 64-bit operating system; it is not compatible with Windows 8.1 32-bit.

Symantec Endpoint Protection behavior on App Layering desktops

Behavior by scan type:

  • On-access (Microsoft Windows 7): On-access scans work as expected on all App Layering desktops.
  • Manual (Microsoft Windows 7): If you disable User Account Control (UAC), a manual virus scan examines only the files on the boot volume of the virtual machine. Keep UAC enabled when you install the software.

To install software by using Symantec Endpoint Protection Manager

This procedure uses Computer Mode as the deployment method, which applies policies to the entire desktop.

In the Symantec Endpoint Protection Manager, locate one of the following and then follow the steps:

  • Gold image if you use the OS Layer
  • Packaging Machine if you use an App Layer or layer revision

    a. Select Clients > Find Unmanaged Computers.

    b. Type the appropriate search criteria in the window that opens.

    c. Install the software.

Log on to the Packaging Machine and disable Tamper Protection.

Disable the registry entry for “Stealth” protection. Scanning works even if User Account Control (UAC) is enabled. Ensure that the following settings are correct in the registry:

  • For 32-bit machines:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Common]
    "ScanStealthFiles" = (REG_DWORD) 0
  • For 64-bit machines:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Common]
    "ScanStealthFiles" = (REG_DWORD) 0

Using regedit, change the Group and Tag values for each ccSettings GUID.

    a. Go to [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ccSettings_{GUID}].
    If there is more than one ccSettings_{GUID}, start with the first one.

    b. For each ccSettings_{GUID}, change the Group value from FSFilter Bottom to FSFilter Virtualization.

    c. Change the Tag value to 8 for the first GUID, and add 1 to the value for each succeeding GUID. For the next GUID the value is 9, then 10, and so on.

Note

When you install Symantec for the first time, there is one ccSettings_{GUID}. Each time you upgrade the application, Symantec adds another GUID.

Restart the Packaging Machine or the gold image. Then, restart the Packaging Machine as often as necessary until the post-installation restart request no longer appears in the App Layering management console.

Enable Tamper Protection.

For SEP 12.1.x, use the instructions in the following knowledge base article to prepare the machines to deploy the software in a VDI environment. For more information, see How to prepare a Endpoint Protection client for cloning.

Shut down the gold image and import it into an OS Layer or finalize the Packaging Machine.
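The registry values named in the procedure above can be audited, or set with -Apply, by a script like the following. It is an added example, not Citrix or Symantec code. The function name Confirm-RegValue, the -Apply switch, the value types, and the name-sorted order of the ccSettings GUIDs are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example: audit (default) or apply (-Apply) the registry values from the procedure.
param([switch]$Apply)

function Confirm-RegValue {
    param($Path, $Name, $Expected, $Type)
    # A missing key or value yields $null, which is reported as a mismatch.
    $current = (Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    $state = if ($current -eq $Expected) { 'OK' } else { 'Mismatch' }
    # Only write when asked to, and only under a key that already exists.
    if ($state -eq 'Mismatch' -and $Apply -and (Test-Path -LiteralPath $Path)) {
        Set-ItemProperty -LiteralPath $Path -Name $Name -Value $Expected -Type $Type
        $state = 'Changed'
    }
    [pscustomobject]@{ Key = $Path; Name = $Name; Found = $current; Expected = $Expected; State = $state }
}

# "Stealth" scanning value: the key path depends on OS bitness, as listed in the procedure.
$sep = 'Symantec\Symantec Endpoint Protection\AV\Common'
$avKey = if ([Environment]::Is64BitOperatingSystem) {
    "HKLM:\SOFTWARE\Wow6432Node\$sep"
} else {
    "HKLM:\SOFTWARE\$sep"
}
$results = @(Confirm-RegValue $avKey 'ScanStealthFiles' 0 'DWord')

# ccSettings_{GUID} services: Group -> FSFilter Virtualization, Tag -> 8, 9, 10, ...
# Assumption: the "first" GUID is the first one in name order, as regedit lists the keys.
$tag = 8
Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -like 'ccSettings_*' } |
    Sort-Object PSChildName |
    ForEach-Object {
        $results += Confirm-RegValue $_.PSPath 'Group' 'FSFilter Virtualization' 'String'
        $results += Confirm-RegValue $_.PSPath 'Tag' $tag 'DWord'
        $tag++
    }

$results | Format-Table -AutoSize -Wrap
```

Run it with -Apply only while Tamper Protection is disabled, as the procedure requires, and run it again without -Apply after the restarts to confirm that every row reports OK.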

Installation considerations

During deployment of the Symantec software, the App Layering software rebuilds the desktop or Packaging Machine image several times. The number of times depends on how you deploy the Symantec application. This behavior is expected, as the Symantec Endpoint Protection software does not complete the full configuration of boot-level components during the initial installation.

For client-server deployments

The Symantec Endpoint Protection software:

  • Installs some of the required drivers and restarts the desktop or Packaging Machine.
  • Updates additional components and restarts the desktop or Packaging Machine again.
  • Completes the installation and restarts the desktop or Packaging Machine one more time.
  • Deploys to desktops

If you deploy the Symantec software to nonpersistent desktops, include the software when you create the desktop. If you add an App Layer containing Symantec Endpoint Protection to an existing nonpersistent desktop, two entries per desktop appear in the Symantec Endpoint Protection Manager.

Two instances of the same machine with different names appear in the Symantec Endpoint Protection console in the following scenarios:

  • Create a persistent desktop on Windows 2008 R2 with a Symantec Endpoint Protection App Layer
  • Assign the App Layer to an existing desktop

One name is correct. The second name is a temporary name and wasn't deleted. To fix this issue, you can delete clients that have not connected for X number of days.

To delete clients

  1. In the Symantec Endpoint Protection console, go to the Admin page, and select Domains.
  2. Under Tasks, select Edit Domain Properties.
  3. In the Edit Domain Properties window, on the default General tab, click Delete clients that have not connected for specified time. Citrix recommends that the value for large enterprise environments is 7–14 days.
  4. For more information, see Solution 2 in the article Duplicate SEP clients appear in the Symantec Endpoint Protection Manager console.

Symantec Help (SymHelp) diagnostic tool considerations

If you deploy Symantec Endpoint Protection in a layer, the Symantec Help (SymHelp) diagnostic tool requires that you place two files in Unified Endpoint Protection. Create a script with the following lines and place the path to it in a script path when you apply the Symantec layer.

Script content

pushd "C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\IRON"
copy Iron.db Iron.db.save
copy Iron.db.save Iron.db /y
copy RepuSeed.irn RepuSeed.irn.save
copy RepuSeed.irn.save RepuSeed.irn /y
popd

Trend Micro OfficeScan anti-virus software

The following procedures describe how to use an OS Layer or an App Layer to deploy the Trend Micro OfficeScan anti-virus software. These procedures are based on the Trend Micro documentation for deploying desktops in a VDI environment.

Citrix App Layering supports Trend Micro OfficeScan Client and Server version 11.0.6054.

Deployment methods

Use any of the following methods to deploy the Trend Micro anti-virus software:

  • Install the software on a gold image and import it to a new OS Layer.
  • Install the software on an OS Layer version.
  • Install the software on an Application Layer and assign the layer to new or existing desktops.

Important

If you install Trend Micro OfficeScan on a gold image or OS Layer version, run the OfficeScan TCacheGen.exe file on the following:

  • The gold image or OS Layer
  • Every App Layer that uses the gold image or OS Layer

Each time you create an App Layer or layer version, run TCacheGen.exe on every layer that uses the OS Layer containing Trend Micro OfficeScan.

After you run TCacheGen.exe, do not run the Packaging Machine again.

You can copy TCacheGen.exe from the OfficeScan server, as specified in the Trend Micro documentation. Typically, this file is located in the \\<TrendServerName>\ofcscan\Admin\Utility\TCacheGen folder.

To install Trend Micro on a gold image

Delete the Globally Unique Identifier (GUID) for the Trend Micro software before you import the gold image into an OS Layer. When you install the App Layering Machine Tools, the system restarts, which creates a GUID. Therefore, you must install the Machine Tools first, allow the installation to restart the machine, and then delete the GUID.

For more information, see the Trend Micro document Configuring the OfficeScan (OSCE) Virtual Desktop Infrastructure (VDI) client/agent. It is important to understand recommendations from Trend Micro when you install the software.

  1. Install the App Layering Machine Tools on the gold image.
  2. Install the Trend Micro OfficeScan Client.
  3. Copy the TCacheGen.exe file from the OfficeScan server, as documented in the Trend Micro documentation. Typically, the file is located in the \\<TrendServerName>\ofcscan\Admin\Utility\TCacheGen folder.
  4. Run the TCacheGen.exe as described in the Trend Micro documentation.
  5. Click Remove GUID from the Template and then click OK.
  6. Shut down the gold image.
  7. Create an OS Layer by using the gold image.

Important

Any time you add a version to this layer, you must run the TCacheGen.exe and delete the GUID again. Doing so ensures that the desktops that use this layer operate correctly.

To install the software on an App Layer

In the App Layering management console, complete the Create Layer Wizard.

When prompted, install the Trend Micro OfficeScan Client on the Packaging Machine.

When you install Trend Micro OfficeScan 11 and the task status changes to Action Required, disable the Unauthorized Change Prevention service, as follows:

    a. On the OfficeScan server, double-click the OfficeScan Web Console (HTML) link on the desktop to open the OfficeScan Web Console.

    b. In the OfficeScan Web Console, select Agents > Agent Management.

    c. Right-click OfficeScan Server and select Settings > Additional service settings. The Additional service settings window opens.

    d. Under Unauthorized Change Prevention service, clear Enable service on the following operating systems.

    e. In the web console, select Agents > Agent Installation > Remote.

    f. In Search for endpoints, type the IP address of your Packaging Machine, and then press Enter.

    g. Type the local administrator user name and password for the Packaging Machine, and click Log in.

    h. Click Install to install the OfficeScan Agent to target computers, and then click OK in the confirmation dialog box. A confirmation message confirms the number of agents to which notifications were sent and the number that verified the receipt of those notices.

    i. In the OfficeScan Web Console, go to Agents > Agent Management. Click Workgroup, and then select the Packaging Machine name.

    j. Disable the Unauthorized Change Prevention service for the groups you are using. Right-click the Packaging Machine and select Settings > Additional service settings. The Additional service settings window opens.

Under Unauthorized Change Prevention service, clear Enable service on the following operating systems.

If prompted, restart the Packaging Machine to allow the boot image to rebuild.

After the Packaging Machine restarts, copy the TCacheGen.exe file from the OfficeScan server. For more information, see the Trend Micro documentation. Typically, the file is located in the \\<TrendServerName>\ofcscan\Admin\Utility\TCacheGen folder.

Run the TCacheGen.exe. For more information, see the Trend Micro documentation.

Click Remove GUID from the Template and then click OK.

Finalize the layer.

Important

Any time you add a version to this Layer, you must run the TCacheGen.exe and delete the GUID again. Doing so ensures that the desktops that use this Layer operate correctly.