Layer antivirus apps
This article provides the fundamental guidelines for deploying antivirus software in an App Layering or User Personalization Layer (UPL) environment. For additional antivirus-specific details, see the vendor’s documentation for VDI deployments.
Recommendations for all antivirus software
Create a new App Layer to install and maintain your chosen antivirus solution. Citrix does not recommend installing antivirus software directly on an OS Layer as this makes maintenance more difficult and often leads to contamination of the antivirus state among packaged app and platform layers.
Note:
This does not apply to the UPL images where the antivirus software is required to be installed in the base image.
The following are key points common to most antivirus deployments in app layering (some apply to UPL too):
- If you have already installed antivirus software on your OS Layer, it must be uninstalled and reinstalled in a new app layer.
- Windows Defender is an exception to this layer advice and is automatically prevented from contaminating other layers by filters built into the App Layering and UPL software.
- Avoid combining other applications with antivirus software on the same app layer.
- Follow the vendor’s guidance for VDI deployment (including for UPL).
- Consider disabling automatic updates of the core antivirus software. These updates are better managed through app layer revisions or, with UPL, backups of the base image.
- Daily updates of virus definitions are fine and must not be affected by disabling major updates.
- Add a UserExclusion file to the antivirus layer to block files and directories from persisting in user layers (including for UPL). See the antivirus vendor’s guidelines for non-persistent VDI deployments, for files and/or folders that must not be persisted.
- Add any vendor-recommended registry exclusions to the antivirus layer (including UPL). These are relatively rare, but if necessary, contact Citrix support.
In general, Citrix recommends making a new version of the app layer when the antivirus software has a major update. Once the layer has been updated, assign it to all the templates that use that antivirus app, and redeploy new images to take advantage of the changes in the antivirus software.
Published images, including the UPL master images, can be started outside of the desktop environment to allow antivirus pre-scanning of the assembled image, depending on the antivirus software used.
Elastic layer not enabled
If you are deploying images without elastic layering enabled, consider whether your images are non-persistent or persistent:
For persistent machines, you might want to enable auto-updates to keep the antivirus software up-to-date. For non-persistent machines, you might not want to turn on auto updates, because the updates occur on the images after every reboot. (The non-persistent machine is reverted when it reboots.)