Layer antivirus apps

This article explains how to deploy each of the most commonly used antivirus products in a layer. You can layer any antivirus software, unless listed below as unsupported. Though we expect newer versions of antivirus software to function properly, this isn’t guaranteed until we have tested them. Check this topic to see if new versions of your antivirus software have been tested.

Some antivirus installation procedures require that you modify the Windows Registry.

Warning:

Back up the registry before you edit it. Using Registry Editor incorrectly can cause serious problems that require you to reinstall the operating system. Citrix cannot guarantee that problems resulting from incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk, and always back up the Registry before you edit it.

You can exclude antivirus files and folders from persisting on the user’s desktop. You create the exclusions in the layer, and they are processed in the image after it is published.

Options for managing Antivirus software updates

This section explains how to layer antivirus software and configure major updates based on how you deploy the images. This applies only to major updates. Daily updates for virus definitions are done no matter what type of image you deploy.

Recommended for all antivirus software

In all cases, we recommend making a new version of the app layer when the antivirus software has a major update. Once the layer has been updated, update all of the templates that use that antivirus app, and redeploy new images to take advantage of the changes in the antivirus software.

Elastic layering NOT enabled

If you are deploying images without elastic layering enabled, consider whether your images are non-persistent or persistent:

• For persistent machines, you probably want to enable auto updates to keep the antivirus software up-to-date.
• For non-persistent machines, you may not want to turn on auto updates, because the updates take place on the images after every reboot. (The non-persistent machine is reverted whenever it reboots.)

Elastic layering enabled, but no user layers

If you are deploying images with elastic layering but no user layers, clear auto updates, since the machines are non-persistent and would be reverted on the reboot. Also, assign the antivirus layer to be deployed in the image and not loaded as an elastic layer, since the antivirus drivers must be loaded at boot time to function correctly. When layers are assigned as elastic layers, they are only loaded once a user logs on to the machine, and therefore the drivers would not be present at boot time.

Elastic layering enabled, with user layers (or user personalization layers)

If you are deploying images with elastic layering and a full user layer (or a User personalization layer), we recommend turning off auto updates. The machines are non-persistent desktops, so they revert when the user logs off. There is also the extra consideration that if the users remain logged on to the machines for several days, the daily updates to the virus definition files may end up in user layers. For most antivirus software this is not a problem. But, if you find that the antivirus software is having some problems running, you may want to determine the directory where they store their definitions and consider adding a registry setting to force these files to reside on the non-persistent image, instead of in the user layer. Make sure that these settings are done in a different layer than the antivirus app, because you would not want those settings to interfere with updates to the antivirus layer.

Before you start

When deploying any antivirus software package in App Layering, the following might be required:

• Start the Remote Registry Service for any of the remote installations.
• Disable the firewall on the desktop before installing to allow the products to install.
• Disable Windows Defender.
• Enable or disable User Account Control (UAC).
• Read the installation instructions for virtual desktop infrastructure (VDI) deployments on the website for the product you are installing.

AVG

You can use a gold image or an Application Layer to deploy the AVG Business Edition antivirus software.

Deployment methods

Use one of the following methods to install the AVG antivirus software:

• Install the software on a gold image of the operating system and import it to a new OS Layer.
• Install the software on an Application Layer and assign the layer to new or existing desktops.

Citrix supports AVG antivirus Business Edition version 13.0.0.x only.

To install the software on a gold image

1. Install the AVG software on the gold image.

2. Open the AVG application and select AVG Settings Manager.

3. Select Edit AVG Settings.

4. Select System Services, and disable all AVG Services.

5. Select AVG Advanced Settings, Anti-Virus, Cache Server, and disable file caching.

6. Delete cache files:

   On Windows, delete the following files: C:\ProgramData\AVG2013\Chjw\*.*

7. Enable all the AVG Services again.

8. Shut down the gold image.

9. Create an OS Layer by using the gold image.

10. On newly deployed desktops, enable the Caching option again, which can happen automatically through integration with AVG Remote Administrator.

To install the software on an App Layer

1. Install the AVG software on the App Layer.
2. Deploy the App Layer to desktops.

To enable the Scan files on close option

1. Open Advanced settings (F8).
2. Select Antivirus > Resident Shield.
3. Select the Scan files on close option, and save the setting.

Kaspersky

This section explains how to deploy Kaspersky in a layer. See the Kaspersky documentation for more instructions about installing the software in a VDI environment. Read the Dynamic VDI support section in this article to learn about using Kaspersky for non-persistent desktops in a VDI environment.

The following versions of Kaspersky antivirus software have been tested by Citrix and are verified to work with App Layering:

• Kaspersky Endpoint Security version 10.2.5.3201
• Kaspersky Administration version10.3.407.0
• Kaspersky Administration Server version 8.0.2163
• Kaspersky antivirus for Windows Workstations version 6.0.4.1424
• Kaspersky for VDI Agentless version 3.0
• Kaspersky Endpoint Security version 10.1.0.867(a)
• Kaspersky Endpoint Security version 10.2
• Kaspersky for VDI Agentless version 3.1.0.77

Note:

Encryption with Kaspersky 10.2 is not supported. Kaspersky 10.2 Encryption uses a form of disk virtualization that bypasses App Layering virtualization, and as such is incompatible with App Layering. Before you deploy Kaspersky 10.2, disable the encryption options.

Deployment methods

Use one of the following methods to deploy the Kaspersky antivirus software:

• Install the software on an App Layer or App Layer revision.
• Install the software on the gold image you import into an OS Layer.
• Install the software on an OS Layer revision.

Requirements

• If you deploy the Kaspersky software on a new OS Layer, install the software on the gold image before you install App Layering Machine Tools.

• If you use the Kaspersky Administration Server to manage the desktop, install Kaspersky antivirus for Workstations and NetAgent on the Packaging Machine or a gold image.

• If you do not plan to use the Kaspersky Administration Server, install Kaspersky antivirus for Workstations only on the Packaging Machine or the gold image.

• When you install the Kaspersky NetAgent, clear the selection for the start application during install option.

• When you install the Kaspersky antivirus for Workstations in a stand-alone configuration, do not enable password protection for any of the administrative options. The password you type on the Packaging Machine or gold image does not work on the desktop after you deploy the software.

• After you install the Kaspersky software on a PackagingMachine (for App Layers or layer revisions), a system restart (and desktop image rebuild) is required.

Kaspersky 10.2 special requirement

Add a value to the Unifltr service in the registry before you add Kaspersky 10.2 to the gold image or to a layer.

To edit the registry

1. Click Start, click Run, and then type regedit.
2. Navigate to the HKLM\System\CurrentControlSet\Services\Unifltr key.
3. On the Edit menu, click New, and then click DWORD (32-bit) value.
4. In the right pane, right-click the New value and select Modify.
5. In Value, name, type the name MiniFilterBypass.
6. In Value, type 1 and then click OK.
7. Close Registry Editor.
8. Restart the machine, as the setting is only read at start time.

Special steps for installing the software on an App Layer

To install Kaspersky software on an app layer:

1. Install the Kaspersky software on the Packaging Machine. If you deploy nonpersistent desktops running Kaspersky, mark the image as a Dynamic VDI. When you mark the image, the Kaspersky Administration Server considers the clones of this image dynamic. When a clone is disabled, its information is automatically deleted from the database. To mark the image of a dynamic VDI, install the Kaspersky Network Agent with the Enable dynamic mode for VDI parameter enabled. For details, see the section of this article on Dynamic VDI support.

2. Restart the Packaging Machine. When you restart the Packaging Machine, it might display the STOP message 0x75640001 several times. The Packaging Machine restarts normally. No intervention is necessary. When you deploy this layer, the desktops restart normally and the STOP message does not appear.

3. Finalize the layer.

The Kaspersky NetAgent might not start when users log on to the desktop for the first time. This issue occurs when you assign the App Layer with the Kaspersky software to a desktop. Restart the desktop to start the NetAgent software.

Possible issues

The following interoperability issues can occur on App Layering desktops that have Kaspersky antivirus software installed.

Kaspersky NetAgent startup - If you use an App Layer to deploy the Kaspersky NetAgent software to a desktop, the NetAgent software might not start when the desktops restarts. The Windows Event Viewer can show the following error:

#1266 (0) Transport level error while connection to: authentication failure

If the NetAgent software doesn’t start, restart the desktop. Then the NetAgent software starts correctly.

Kaspersky 10 - end-user Pause causes Network Attack Blocker to stop working - When using Kaspersky 10, the end-user Pause causes the Network Attack Blocker to stop working. To fix this issue, restart the Kaspersky software. The Network Attack Blocker continues to run.

McAfee

The following procedures describe how to use an OS Layer or an App Layer to deploy the McAfee antivirus software.

Deployment method

Install the McAfee software on one of the following layers:

• The original OS Layer.
• A new version of the OS Layer.
• An App Layer.

The following versions of McAfee software have been tested by Citrix and are verified to work with App Layering:

• ePolicy Orchestrator (ePO), versions 4.6.4, 5.3.1, and 5.3.2
• McAfee Agent, versions4.8.0.1938, 5.0.2.188, and5.0.4.283
• VirusScan Enterprise, versions8.8.0.1528, 8.8.0.1445, and 8.8.0.1599

If you use the ePolicy Orchestrator 5.3.1 server to create the McAfee Agent installation package, set the Agent Contact Method priority in the following sequence:

• IP Address
• FQDN
• NetBIOS Name to communicate correctly with IM in the workgroup, and disable the ‘Enable self-protection’ for the McAfee Agent policy.

Installation requirements

Installation requirements to install McAfee antivirus on a gold image or App Layer are the same. You can also find the requirements for including the agent on an image in the McAfee ePO product guide.

Important:

You must install McAfee in VDI mode, using the framepkg.exe command with the switches described in the steps below. This allows for the agent to deregister from ePO on shutdown, which in turn prevents duplicate host names from populating in the ePO console. For more about this requirement, see the McAfee KB87654.

Depending on the McAfee version, you might need to remove the Globally Unique Identifier (GUID) for the McAfee Agent after you install it. See the McAfee documentation for the version of the software you are using for more information.

Use the following procedure if you plan to use an OS Layer to deploy the McAfee antivirus software on App Layering desktops.

To install the software on a gold image

1. Install the McAfee Agent software in VDI mode onto the gold image, using the following command:

   framepkg.exe /Install=agent /enableVDImode

   The gold image becomes visible in the ePolicy Orchestrator System Tree systems list.

2. Install the McAfee VirusScan Enterprise software on the gold image:

   1. When prompted to remove Windows Defender, click Yes.

   2. Allow the McAfee Agent Updater to complete the update. This step can take several minutes to complete.

   3. Click Finish to complete the installation.

3. After the installation is complete, a scan starts. Allow the scan to complete.

4. Change the McAfee Start value:

   1. Open the McAfee VirusScan Console, and disable the AccessProtection.

   2. Open the registry editor (regedit), go to the key:

      \[HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Services\\mfehidk\]

   3. Exit Registry Editor.

   4. In the McAfee VirusScan Console, enable the AccessProtection.

5. If McAfee requires it for your VDI setup, remove the GUID for the Agent (check the McAfee documentation to determine if this step is necessary):

   1. Open registry editor (regedit).

   2. Delete the following registry keys:

      • 32-bit:

        HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\ePolicy Orchestrator\Agent\AgentGUID

      • 64-bit:

        HKEY_LOCAL_MACHINE\SOFTWARE\WoW6432Node\Network Associates\ePolicy Orchestrator\Agent\AgentGUID

6. When prompted, restart the gold image to allow McAfee to install its drivers.

7. Shut down the gold image and import it to an OS Layer.

To install the software on a layer

Use this procedure if you plan to use a layer to deploy the McAfee antivirus software on App Layering desktops.

1. In the App Layering management console, create a layer.

2. When prompted to install the software, install the McAfee Agent software in VDI mode using the following command.

   framepkg.exe /Install=agent /enableVDImode

   After completing the installation, the Packaging Machine is visible in the ePolicy Orchestrator System Tree systems list.

3. Install the McAfee VirusScan Enterprise (VSE) software on the Packaging Machine.

   1. If you are prompted to remove Windows Defender, click Yes.

   2. Install the VSE software on the Packaging Machine using files from the McAfee EPO server. Otherwise, allow the McAfee Agent Updater to complete an update. This step can take several minutes to complete.

   3. Click Finish to complete the installation.

4. Change the McAfee Start value:

   1. Open the McAfee VirusScan Console, and disable the AccessProtection.

   2. Open the registry editor, go to the following key, and change the Start value from 0 to a 1:

      [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\mfehidk]

   3. In the McAfee VirusScan Console, enable the AccessProtection.

5. If McAfee requires it for your VDI setup, remove the GUID for the Agent (check the McAfee documentation to determine if this step is necessary):

   1. Open the registry editor.

   2. Delete the following registry keys:

      32-bit:

      HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\ePolicy Orchestrator\Agent\AgentGUID

      64-bit:

      HKEY_LOCAL_MACHINE\SOFTWARE\WoW6432Node\Network Associates\ePolicy Orchestrator\Agent\AgentGUID

6. Finalize the App Layer and deploy the layer in the usual way.

Possible interoperability issues

The following interoperability issues can occur on App Layering desktops with McAfee antivirus software installed.

Delays in opening video files

If you configure the McAfee antivirus software to scan script files, there can be long delays when you open video files in Internet Explorer.

When you try to open these files, the McAfee software and App Layering try to perform operations on these files at the same time. This conflict causes a delay in running the video file. All other windows and applications continue to function normally.

If you encounter this type of delay, wait for the video file to run. Eventually, the McAfee operation times out and the App Layering operation completes.

This issue has no effect on the ability of the antivirus software to check the video files for viruses.

Desktops with McAfee layer are not visible from ePolicy Orchestrator

If you cannot see desktops in the McAfee layer in the ePolicy Orchestrator, fix the issue by using the steps in the following McAffee knowledge base article: How to reset the McAfee Agent GUID if computers are not displayed in the ePolicy Orchestrator directory.

McAfee MOVE

The following procedures describe how to deploy the McAfee MOVE antivirus software in a layer.

Note:

These instructions assume that you installed and configured McAfee MOVE antivirus software on the McAfee ePolicy Orchestrator (ePO).

To deploy the McAfee MOVE antivirus software, install the software on an App Layer and assign the layer to existing desktops.

The following versions of McAfee MOVE antivirus software have been tested by Citrix and are verified to work with App Layering.

• McAfee Agent for Windows, version 4.8.0.1938
• McAfee AV MOVE Multi-Platform client, version 3.6.0.347
• McAfee VirusScan Enterprise, version 8.8.0.1247
• McAfee AV MOVE Multi-Platform Offload Scan Server, version 3.6.0.347
• McAfee VirusScan Enterprise, version 8.8.0.1445 and8.8.0.1599
• McAfee AV MOVE Multi-Platform Offload Scan Server, version 3.6.1.141 and 4.5.0.211

Note:

The McAfee Agent does not start for Remote Desktop sessions.

Installation requirements

Before you install McAfee MOVE, disable Windows Defender.

To create a McAfee Agent MOVE AV CLIENT App Layer

1. In the App Layering management console, navigate to Layers > Application Layer > Create Layer.

2. View the current tasks in the App Layering management console. At first, confirm that there is a “Running” status in the Create Application Layer <layer_name> task. When the status of the Create Application Layer <layer_name> task changes to ‘Action Required’, log on to the Packaging Machine as an administrator.

3. Move the McAfee Agent software to the Packaging Machine by using the McAfee ePolicy Orchestrator. The Packaging Machine becomes visible in the ePO System Tree list and the McAfee icon appears in the taskbar of the Packaging Machine.

4. Use the Product Deployment task on the ePO to install the McAfee MOVE AV [Multi-Platform] Client on the Packaging Machine.

5. Restart the Packaging Machine and then log on as an administrator.

6. On the Packaging Machine, delete the value for the registry key named AgentGUID from one of the following locations:

   • 32-bit: HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\ePolicy Orchestrator\Agent

   • 64-bit: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Network Associates\ePolicy Orchestrator\Agent

7. Shut down the Packaging Machine.

8. Finalize the App Layer.

Microsoft Security Essentials

The following procedures describe how to use an OS Layer or an App Layer to deploy the Microsoft Security Essentials antivirus software in App Layering.

App Layering supports the following versions of Microsoft Security Essentials antivirus software:

Microsoft Security Essentials 2012 version4.10.0209.0

• Antimalware Client Version: 4.2.223.0
• Engine Version: 1.1.9901.0
• Antivirus definition: 1.159.324.0
• Antispyware definition: 1.159.324.0
• Network Inspection System Engine Version: 2.1.9900.0
• Network Inspection System Definition Version: 108.1.0.0

Deployment method

Use one of the following methods to deploy the Microsoft Security Essentials antivirus software:

• Install the software on a gold image that you import into an OS Layer.
• Install the software on an OS Layer version.
• Install the software on an App Layer.

Installation requirements

The Microsoft Security Essentials antivirus software in an App Layering gold image, OS Layer version, or App Layer.

Enable the Windows Update service, but do not use the Windows updates. The updates must remain disabled.

Configure Microsoft Security Essentials for Windows on an App Layering Layer version.

Use these steps to configure Microsoft Security Essentials on Windows.

By default, the App Layering Optimization script disables the Windows Update service. To deploy Microsoft Security Essentials as either an OS or App Layer on Windows, do the following:

1. Create an OS or App Layer version.
2. Go to C:\windows\setup\scripts and run the App Layering Optimization Script Builder. If the script builder is not available, download it again from the App Layering Machine OS Tools ZIP file.
3. In the App Layering Optimization Script Builder, disable Disable Windows Update Service.
4. Finalize the Layer.

The Update service startup type changes from Disabled to Manual. Windows Updates are not enabled, which is an App Layering requirement.

During installation, check services.msc and ensure that the Windows Update Service startup type is set to Manual. If it’s not, change the Windows Update Service startup type to Manual and restart Windows.

Troubleshooting failed Microsoft Windows Essentials updates

If the Microsoft Security Essentials update fails on a desktop because Windows updates are disabled, try the following.

• Enable Windows Updates in Control Panel. Microsoft Security Essentials can then update automatically on the desktop.
• If you disabled Windows Updates by using the Local Group Policy Editor, edit the registry to remove the Local Group Policy:

1. Run Registry Editor and remove the Local Group Policy.
2. Restart the machine.
3. Enable Windows Updates from Control Panel.

Sophos Central Endpoint/Server

Before you start, create and activate your Sophos Cloud account, as described here.

For more information on deploying Sophos Central Endpoint/Server in an App Layering environment, refer to the Sophos documentation.

Optional: Adjust the security identifier

After you import the gold image into an OS Layer, you might be required to update the security identifier (SID) values. To do so, create a version for the OS Layer to update the SID in one of the Sophos configuration files. The following Sophos knowledge base article explains how to update the security identifier (SID) values in one of the Sophos configuration files:

You do not have sufficient privileges to run the Sophos Endpoint Security and Control main application. You are not a member of any of the Sophos groups.

When do I adjust the SID?

If you deploy a desktop in the OS Layer and users cannot open the Sophos Endpoint Security and Control user interface, adjust the SID.

SID adjustment procedure

You can do these steps either before or after importing the gold image into a layer. If you imported the gold image, you can do these steps by editing the latest OS Layer revision. You can also create a revision of the OS Layer.

To adjust the SID

1. Download the script file called UpdateSID.vbs from the Sophos website. Place this file in the C:\Windows\Setup\Scripts directory. This script is required to fix the machine ID after deploying a desktop.

2. Edit the file C:\Windows\Setup\Scripts\SophosSetup.cmd, and add the following two lines to the end of the file:

   cd \Windows\setup\scripts

   cscript.exe UpdateSID.vbs //B

3. If the script is for an OS layer version, finalize the version.

You can now create desktops by using this version of the OS Layer. Ensure that the desktops can connect to the Enterprise Console, register, and update according to the schedule.

Symantec Endpoint Protection

You can deploy the Symantec Endpoint Protection application by using any of the following methods:

• Install the application on a gold image, then import the gold image into an OS Layer.
• Install the application as an OS Layer version.
• Install the application as part of an App Layer.

Note:

Citrix recommends using on-access scanning in App Layering deployments. After marking the files “clean,” the Symantec Shared Insight Cache improves performance by not scanning the files in a Layer again.

The following versions of Symantec Endpoint Protection have been tested by Citrix and are verified to work with App Layering:

• 12 and 12.1
• 12.1.4
• 12.1.5
• 12.1.6(12.1 RU6 MR6) build 7004 (12.1.7061.6600)
• 14 MP 1 (14.0.2332)
• 14.2

Note:

Symantec Endpoint Protection 12.1.2 and 12.1.3 are not supported because of a Symantec issue that prevents App Layering from working correctly.

Symantec Endpoint Protection behavior on App Layering desktops

To install software by using Symantec Endpoint Protection Manager

This procedure uses Computer Mode as the deployment method, which applies policies to the entire desktop.

1. In the Symantec Endpoint Protection Manager, locate either the OS image or the packaging machine for the app, and log in:

   • OS image, if you use the OS layer
   • Packaging machine if you use an app layer or layer revision

   1. Select Clients > Find Unmanaged Computers.

   2. Type the appropriate search criteria in the window that opens.

   3. Install the software.

   Note:

   After installing the software, you are prompted to restart the Symantec Endpoint Protection Manager. If you do it in Step 1, it may cause an issue with starting the SEP services. Continue the installation process and restart the Symantec Endpoint Protection Manager in Step 5.

2. Log on to the Packaging Machine and disable Tamper Protection.

3. Disable the registry entry for “Stealth” protection. Scanning works even if User Account Control (UAC) is enabled. Ensure that the following settings are correct in the registry. If the values do not exist in the registry, add them.

   • For 32-bit machines:

     [HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Common]

     "ScanStealthFiles" = (REG_DWORD) 0

   • For 64-bit machines:

     [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Common]

     "ScanStealthFiles" = (REG_DWORD) 0

4. Using regedit, change the Group and Tag values for each ccSettings GUID.

   1. Go to the following key:

      [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ccSettings_{GUID}]

      If there is more than one ccSettings_{GUID}, start with the first one.

   2. For each ccSettings_{GUID}, change the Group value from FSFilter Bottom to FSFilter Virtualization.

   3. Change the Tag value to an 8 for the first GUID, and add 1 to the value for each succeeding GUID. The next GUID the value is 9, then 10, and so on.

      Note:

      When you install Symantec for the first time, there is one ‘ccSettings_{GUID}’. Each time you upgrade the application, Symantec adds another GUID.

5. Restart the Packaging Machine or the gold image. Then, restart the Packaging Machine as often as necessary until the post-installation restart request no longer appears in the App Layering management console.

6. Enable Tamper Protection.

7. For SEP 12.1 and later, see the instructions in the following knowledge base article to prepare the machines to deploy the software in a VDI environment. For more information, see the article How to prepare an Endpoint Protection client for cloning.

8. Finalize the app or OS layer, or shut down and import the gold image.

9. If it is necessary for you to use the SEP Virtual Image Exception (VIE) tool, refer to the article, About the Symantec Virtual Image Exception tool for recommendations.

During deployment of the Symantec software, the App Layering software rebuilds the desktop or Packaging Machine image several times. The number of times depends on how you deploy the Symantec application. This behavior is expected, as the Symantec Endpoint Protection software does not complete the full configuration of boot-level components during the initial installation.

For client-server deployments

The Symantec Endpoint Protection software:

• Installs some of the required drivers and restarts the desktop or Packaging Machine.
• Updates other components and restarts the desktop or Packaging Machine again.
• Completes the installation and restarts the desktop or Packaging Machine one more time.
• Deploys to desktops

If you deploy the Symantec software to nonpersistent desktops, include the software when you create the desktop. If you add an App Layer containing Symantec Endpoint Protection to an existing nonpersistent desktop, two entries per desktop appear in the Symantec Endpoint Protection Manager.

Two instances of the same machine with different names appear in the Symantec Endpoint Protection console in the following scenarios:

• Create a persistent desktop on Windows 2008 R2 with a Symantec Endpoint Protection App Layer
• Assign the App Layer to an existing desktop

One name is correct. The second name is a temporary name and wasn’t deleted. To fix this issue, you can delete clients that have not connected for X number of days.

To delete clients

1. In the Symantec Endpoint Protection console, go to the Admin page, and select Domains.
2. Under Tasks, select Edit Domain Properties.
3. In the Edit Domain Properties window, on the default General tab, click Delete clients that have not connected for specified time. Citrix recommends that the value for large enterprise environments is 7–14 days.
4. For more information, see Solution 2 in the article Duplicate SEP clients appear in the Symantec Endpoint Protection Manager console.

Symantec Help (SymHelp) diagnostic tool considerations

If you deploy Symantec Endpoint Protection in a layer, the Symantec Help (SymHelp) diagnostic tool requires that you place two files in Unified Endpoint Protection. Create a script with the following lines and place the path to it in a script path when you apply the Symantec layer.

pushd "C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\IRON"
copy Iron.db Iron.db.save
copy Iron.db.save Iron.db /y
copy RepuSeed.irn RepuSeed.irn.save
copy RepuSeed.irn.save RepuSeed.irn /y
popd
<!--NeedCopy-->

Trend Micro OfficeScan

The following procedures describe how to use an OS Layer or an App Layer to deploy the Trend Micro OfficeScan antivirus software. These procedures are based on the Trend Micro documentation for deploying desktops in a VDI environment.

Citrix App Layering supports Trend Micro OfficeScan Client and Server version11.0.6054.

Deployment methods

Use any of the following methods to deploy the Trend Micro antivirus software:

• Install the software on a gold image and import it to a new OS Layer.
• Install the software on an OS Layer version.
• Install the software on an Application Layer and assign the layer to new or existing desktops.

Important:

If you install Trend Micro OfficeScan on a gold image or OS Layer version, run the OfficeScan TCacheGen.exe file on the following:

• The gold image or OS Layer.
• On every App Layer that uses the gold image or OS Layer

Each time you create an App Layer or layer version, run TCacheGen.exe on every layer that uses the OS Layer containing Trend Micro OfficeScan.

After you run TCacheGen.exe, do not run the packaging machine again.

You can copy TCacheGen.exe from the OfficeScan server, as specified in the Trend Micro documentation. Typically, this file is located in the \\<TrendServerName>\ofcscan\Admin\Utility\TCacheGen folder.

To install Trend Micro on a gold image

Delete the Globally Unique Identifier (GUID) for the Trend Micro software before you import the gold image into an OS Layer. When you install the App Layering Machine Tools, the system restarts and creates a GUID. Therefore, install the Machine Tools first, allow the installation to restart the machine, and then delete the GUID.

For more information, see the Trend Micro document Configuring the OfficeScan (OSCE) Virtual Desktop Infrastructure (VDI) client/agent. It is important to understand recommendations from Trend Micro when you install the software.

1. Install the App Layering Machine Tools on the gold image.
2. Install the Trend Micro OfficeScan Client.

3. Copy the TCacheGen.exe file from the OfficeScan server, as documented in the Trend Micro documentation. Typically, the file is located in the folder:

   \\<TrendServerName>\ofcscan\Admin\Utility\TCacheGen

4. Run the TCacheGen.exe as described in the Trend Micro documentation.
5. Click Remove GUID from the Template and then click OK.
6. Shut down the gold image.

7. Create an OS Layer by using the gold image.

   Important:

   Anytime you add a version to this layer, you must run the TCacheGen.exe and delete the GUID again. When you do these actions, it ensures that the desktops that use this layer operate correctly.

To install the software on an App Layer

1. In the App Layering management console, create a layer.

2. When prompted, install the Trend Micro OfficeScan Client on the Packaging Machine.

   When you install Trend Micro OfficeScan 11 and the task status changes to Action Required, disable the Unauthorized Change Prevention service, as follows:

   1. On the OfficeScan server, double-click the OfficeScan Web Console (HTML) link on the desktop to open the OfficeScan Web Console.

   2. In the OfficeScan Web Console, select Agents > Agent Management.

   3. Right-click OfficeScan Server and select Settings > Additional service settings. The Additional service settings window opens.

   4. Under Unauthorized Change Prevention service, clear Enable service on the following operating systems.

   5. In the web console, select Agents > Agent Installation > Remote.

   6. In Search for endpoints, type the IP address of your Packaging Machine, and then press Enter.

   7. Type the local administrator user name and password for the Packaging Machine, and click Log in.

   8. Click Install to install the OfficeScan Agent to target computers, and then click OK in the confirmation dialog box. A confirmation message confirms the number of agents to which notifications were sent and the number that verified the receipt of those notices.

   9. In the OfficeScan Web Console, go to Agents > Agent Management. Click Workgroup, and then select the Packaging Machine name.

   10. Disable the Unauthorized Change Prevention service for the groups you are using. Right-click the Packaging Machine and select Settings > Additional service settings. The Additional service settings window opens.

3. Under Unauthorized Prevention Service, clear Enable service on the following operating systems.

4. If prompted, restart the Packaging Machine to allow the boot image to rebuild.

5. After the Packaging Machine restarts, copy the TCacheGen.exe file from the OfficeScan server. For more information, see the Trend Micro documentation. Typically, the file is located in the folder:

   \\TrendServerName\ofcscan\Admin\Utility\TCacheGen

6. Run the TCacheGen.exe. For more information, see the Trend Micro documentation.

7. Click delete GUID from the Template and then click OK.

8. Finalize the layer.

   Important

   Anytime you add a version to this Layer, you must run the TCacheGen.exe and delete the GUID again. Doing so ensures that the desktops that use this Layer operate correctly.