Profile streaming and enterprise antivirus products
The streamed user profiles feature of Citrix Profile Management makes use of advanced NTFS features to simulate the presence of files missing from users' profiles. In that respect, the feature is very similar to a class of products known as Hierarchical Storage Managers (HSMs), which are typically used to archive infrequently used files onto slow mass-storage devices such as magnetic tape or rewritable optical storage. When such files are required, HSM drivers intercept the first file request, suspend the process making the request, fetch the file from the archive storage, and then allow the file request to continue. Given this similarity, the streamed user profiles driver, upmjit.sys, is in fact defined as an HSM driver.
In such an environment, it is very important to configure antivirus products to be aware of HSM drivers, and the streamed user profiles driver is no different. In order to defend against the most sophisticated threats, antivirus products must perform some of their functions at the device driver level and, like HSM drivers, they work by intercepting file requests, suspending the originating process, scanning the file, and resuming.
It is relatively easy to misconfigure an antivirus program to interrupt an HSM such as the streamed user profiles driver, preventing it from fetching files from the user store, and causing the logon to hang.
Fortunately, enterprise antivirus products are usually written with the possibility of sophisticated storage products, such as HSMs, in mind and can be configured to delay their scanning until the HSM has done its work. Note that home antivirus products are generally less sophisticated in this respect, so the use of home and SoHo (small office/home office) antivirus products is not supported with streamed user profiles.
To configure your antivirus product for use with streamed user profiles, look for one of the following product features. Feature names are indicative only:
- Trusted process list. This identifies HSMs to the antivirus product, which allows the HSM to complete the file retrieval process. The antivirus product scans the file when it is first accessed by a non-trusted process.
- Do not scan on open or status-check operations. This configures the antivirus product to only scan a file when data is accessed (for example, when a file is executed or created). Other types of file access (for example, when a file is opened or its status checked) are ignored by the antivirus product. HSMs generally activate in response to file-open and file-status-check operations, so disabling virus scans on these operations eliminates potential conflicts.
Citrix tests streamed user profiles with versions of the leading enterprise antivirus products to ensure that they are compatible with Profile Management. These versions include:
- McAfee VirusScan Enterprise 8.7
- Symantec Endpoint Protection 11.0
- Trend Micro OfficeScan 10
Earlier versions of these products are not tested.
If you are using an enterprise antivirus product from other vendors, ensure that it is HSM-aware, that is, it can be configured to allow HSM operations to complete before performing scans.
Some antivirus products allow administrators to choose to only scan-on-read or scan-on-write. This choice balances performance against security. The streamed user profiles feature is unaffected by the choice.
Troubleshoot Profile Management in streaming and antivirus deployments
If you encounter issues, such as logons hanging or taking a very long time, there may be a misconfiguration between Profile Management and your enterprise antivirus product. Try the following procedures, in this order:
- Check that you have the latest version of Profile Management. Your issue may already have been found and fixed.
- Add the Profile Management service (UserProfileManager.exe) to the list of trusted processes for your enterprise antivirus product.
- Turn off virus checking on HSM operations such as open, create, restore, or status check. Only perform virus checks on read or write operations.
- Turn off other sophisticated virus checking features. For example, antivirus products may perform a quick scan of the first few blocks of a file to determine the actual file type. These checks match the file contents with the declared file type but can interfere with HSM operations.
- Turn off the Windows search-indexing service, at least for the folders where profiles are stored on local drives. This service causes unnecessary HSM retrievals, and has been observed to provoke contention between streamed user profiles and enterprise antivirus products.
If none of these steps work, turn off streamed user profiles (by disabling the Profile streaming setting). If this works, re-enable the feature and disable your enterprise antivirus product. If this also works, gather Profile Management diagnostics for the non-working case and contact Citrix Technical Support. They will need to know the exact version of your enterprise antivirus product.
To continue using Profile Management, do not forget to re-enable the enterprise antivirus and turn off streamed user profiles. Other features of Profile Management continue to function in this configuration; only the streaming of profiles is disabled.
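The state that the troubleshooting list depends on can be collected from the endpoint before any antivirus setting is changed. The following PowerShell is an added example, not Citrix code: it assumes the streamed user profiles driver is listed by fltmc under the name upmjit, and it runs against a constructed sample of fltmc output in which the altitudes and the other filter names are made up.

```powershell
# Added example. Run elevated so fltmc can list filters.
# Assumption: the streamed user profiles driver is listed under the name "upmjit".
function Get-FilterStack {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        # Data rows are: name, instance count, altitude, frame.
        # Header, separator and legacy-filter rows do not match and are skipped.
        if ($line -match '^\s*(\S+)\s+(\d+)\s+(\d+(?:\.\d+)?)\s+(\d+)\s*$') {
            $altitude = [double]$Matches[3]
            # Microsoft's load-order groups: antivirus in the 320000s, HSM in the 180000s.
            $group = 'Other'
            if ($altitude -ge 320000 -and $altitude -lt 330000) { $group = 'AntiVirus' }
            if ($altitude -ge 180000 -and $altitude -lt 190000) { $group = 'HSM' }
            [pscustomobject]@{ Name = $Matches[1]; Altitude = $altitude; Group = $group }
        }
    }
}

# Constructed sample; the filter names other than upmjit and all altitudes are made up.
$sample = @(
    'Filter Name                     Num Instances    Altitude    Frame'
    '------------------------------  -------------  ------------  -----'
    'ExampleAvFlt                            4       321000         0'
    'upmjit                                  2       186500         0'
    'ExampleOtherFlt                         4        45000         0'
)
$stack = Get-FilterStack -Lines $sample      # live: Get-FilterStack -Lines (fltmc filters)

# Higher altitudes see a file request before lower ones.
$stack | Sort-Object Altitude -Descending | Format-Table -AutoSize

$av = @($stack | Where-Object { $_.Group -eq 'AntiVirus' })
if (($stack.Name -contains 'upmjit') -and $av.Count -gt 0) {
    "Review trusted-process and scan-on-open settings for: $($av.Name -join ', ')"
}

# Remaining items from the checklist: the service process and Windows Search.
Get-Process -Name UserProfileManager -ErrorAction SilentlyContinue |
    Select-Object Name, Id
Get-Service -Name WSearch -ErrorAction SilentlyContinue |
    Select-Object Name, Status, StartType
```

Any filter reported in the AntiVirus group sits above the HSM-class driver in the stack, so it is the product whose trusted process list and scan-on-open behaviour need to be checked.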