Tech Paper: Endpoint Security, Antivirus, and Antimalware Best Practices
This article provides guidelines for configuring antivirus software in Citrix DaaS and Citrix Virtual Apps and Desktops environments. It also includes resources for configuring antivirus software on other Citrix technologies and features (for example, Cloud Connectors, Provisioning Services, and so on). Incorrect antivirus configuration is one of the most common problems that Citrix Consulting sees in the field. It can result in various issues, ranging from performance issues or degraded user experiences to timeouts and failures of various components.
In this Tech Paper, we cover a few major topics relevant to optimal antivirus deployments in virtualized environments: agent provisioning and deprovisioning, signature updates, a list of recommended exclusions and performance optimizations. Successful implementation of these recommendations depends upon your antivirus vendor and your security team. Consult them to get more specific recommendations.
Warning! This article contains antivirus exclusions. It is important to understand that antivirus exclusions and optimizations increase the attack surface of a system and might expose computers to various security threats. However, the following guidelines typically represent the best trade-off between security and performance. Citrix does not recommend implementing any of these exclusions or optimizations until rigorous testing has been conducted in a lab environment to thoroughly understand the tradeoffs between security and performance. Citrix also recommends that organizations engage their antivirus and security teams to review the following guidelines before proceeding with any type of production deployment.
Agent software that is installed on every provisioned virtual machine usually needs to register with a central site for management, reporting of status and other activities. For registration to be successful, each agent needs to be uniquely identifiable.
With machines provisioned from a single image using technologies such as Provisioning Services (PVS) or Machine Creation Services (MCS), it is important to understand how each agent is identified - and if there are any instructions required for virtualized environments. Some vendors use dynamic information such as the MAC address or computer name for machine identification. Others use the more traditional approach of a random string generated during installation. To prevent conflicting registrations, each machine needs to generate a unique identifier. Registration in non-persistent environments is often done using a startup script that automatically restores machine identification data from a persistent location.
In more dynamic environments, it is also important to understand how de-provisioning of machines behaves, if cleanup is a manual operation, or if it is performed automatically. Some vendors offer integration with hypervisors or even delivery controllers where machines can be automatically created or deleted as they are provisioned.
Recommendation: Ask your security vendor how the registration/unregistration of their agents is implemented. If registration requires more steps for environments with single-image management, include these steps in your image sealing instructions, preferably as a fully automated script.
Timely, consistently updated signatures are one of the most important aspects of endpoint security solutions. Most vendors use locally cached, incrementally updated signatures that are stored on each of the protected devices.
With non-persistent machines, it is important to understand how signatures are updated and where they are stored. This enables you to understand and minimize the window of opportunity for malware to infect the machine.
Especially in a situation in which updates are not incremental and can reach significant size, you might consider a deployment in which persistent storage is attached to each of the non-persistent machines to keep the update cache intact between resets and image updates. Using this approach, the window of opportunity and the performance impact of a definitions update is minimized.
Aside from signature updates for each of the provisioned machines, it is also important to define a strategy for updating the master image. Automating this process is recommended, so is updating the master image regularly with the latest signatures. This is especially important for incremental updates in which you are minimizing the amount of traffic required for each virtual machine.
Another approach to managing signature updates in virtualized environments is to completely replace the nature of the decentralized signatures with a centralized scanning engine. While this is primarily done to minimize the performance impact of an antivirus, it has the side benefit of centralizing signature updates as well.
Recommendation: Ask your security vendor how signatures are updated in your antivirus. What is the expected size and frequency, and are updates incremental? Are there any recommendations for non-persistent environments?
An antivirus, especially if improperly configured, can have a negative impact on scalability and overall user experience. It is, therefore, important to understand the performance impact to determine what is causing it and how it can be minimized.
Available performance optimization strategies and approaches are different for various antivirus vendors and implementations. One of the most common and effective approaches is to provide centralized offloading antivirus scanning capabilities. Rather than each machine being responsible for scanning (often identical) samples, scanning is centralized and performed only once. This approach is optimized for virtualized environments; however, make sure you understand its impact on high-availability.
Offloading scans to a dedicated appliance can be highly effective in virtualized environments
Another approach is based on pre-scanning of read-only portions of the disks, performed on the master images before provisioning. It is important to understand how this affects the window of opportunity (for example, what if a disk already contains infected files but signatures are not available during pre-scan phase?). This optimization often is combined with scanning for write-only events, as all reads will either originate from pre-scanned disk portions or from a session-specific write cache/differential disk that was already scanned during write operation. Often, a good compromise is to combine real-time scans (optimized) with scheduled scans (full scans of the system).
The most common scan optimization is to focus only on the differences between virtual machines
Recommendation: Performance optimizations can greatly improve user experiences. However they can also be regarded as a security risks. Therefore, consultation with your vendor and your security team is recommended. Most antivirus vendors with solutions for virtualized environments offer optimized scanning engines.
The most common (and often the most important) optimization for antivirus is the proper definition of antivirus exclusions for all components. While some vendors can automatically detect Citrix components and apply exclusions, for most environments, this is a manual task that needs to be configured for the antivirus in the management console.
Exclusions are typically recommended for real-time scanning. However Citrix recommends scanning the excluded files and folders regularly using scheduled scans. To mitigate any potential performance impact, it is recommended to perform scheduled scans during non-business or off-peak hours.
The integrity of excluded files and folders needs to be maintained always. Organizations can consider using a commercial File Integrity Monitoring or Host Intrusion Prevention solution to protect the integrity of files and folders that have been excluded from real-time or on-access scanning. Database and log files are excluded in this type of data integrity monitoring because these files are expected to change. If an entire folder must be excluded from real-time or on-access scanning, Citrix recommends closely monitoring the creation of new files in the excluded folders.
Scan only local drives - or disable network scanning. The assumption is that all remote locations that might include file servers that host user profiles and redirected folders are being monitored by antivirus and data integrity solutions. If not, it is recommended that network shares accessed by all provisioned machines be excluded. An example includes shares hosting redirected folders or user profiles.
Another important consideration is the exclusion of processes. When process exclusions are recommended, the goal is to prevent scanning of any activity performed by such processes rather than preventing the scanning of the exe file. In some security solutions this is referred to as defining trusted processes.
Recommendation: Review these recommendations with your vendor and security team.
- Review all files, folders, and processes for exclusion and confirm they exist before you create an exclusion policy.
- Implement multiple exclusion policies for different components instead of creating one large policy for all of them.
- To minimize the window of opportunity, implement a combination of real time and scheduled scans.
- Set real-time scanning to scan local drives only and not network drives.
- Disable scan on boot.
- Remove any unnecessary antivirus related entries from the Run key.
- Exclude the pagefile(s) from being scanned.
- Exclude Windows event logs from being scanned.
- Exclude IIS log files from being scanned.
%ProgramFiles%\Microsoft SQL Server\150\LocalDB\Binn\sqlservr.exe
Updated June 2023
mcsdif.vhdx(When using MCS IO)
%ProgramFiles%\Citrix\User Profile Manager\UserProfileManager.exe
%ProgramFiles%\Citrix\Virtual Desktop Agent\BrokerAgent.exe
%SystemRoot%\System32\drivers\CVhdFilter.sys(When using MCS IO)
CVAD 1912 LTSR
CVAD 1912 LTSR - Single Session VDA only
CVAD 2112+ Single Session VDA only
WebSocketService.exe file can be found in different locations in various CVAD versions. Below is a list of supported LTSR releases and the latest CR release. If you are running any other version of CVAD, we recommend confirming the file location first.
%ProgramFiles%\Citrix\HTML5 Video Redirection\WebSocketService.exe(CVAD 7.15 LTSR - both desktop and server OS)
%ProgramFiles(x86)%\Citrix\System32\WebSocketService.exe(CVAD 1912 LTSR - Multi Session VDA only)
%ProgramFiles%\Citrix\ICAService\WebSocketService.exe(CVAD 1912 LTSR - Single Session VDA only)
%ProgramFiles(x86)%\Citrix\HDX\bin\WebSocketService.exe(CVAD 2003+ - Single Session and Multi Session VDAs)
%ProgramFiles(x86)%\Citrix\HDX RealTime Connector\AudioTranscoder.exe
%ProgramFiles(x86)%\Citrix\HDX RealTime Connector\MediaEngine.Net.Service.exe
%ProgramFiles(x86)%\Citrix\HDX RealTime Connector\MediaEngineService.exe
Updated May 2023
%ProgramFiles(x86)%\Citrix\ICA Client\epclient32.dll(App Protection)
%ProgramFiles(x86)%\Citrix\ICA Client\epclient64.dll(App Protection)
%ProgramFiles(x86)%\Citrix\ICA Client\epinject.sys(App Protection)
%ProgramFiles(x86)%\Citrix\ICA Client\MediaEngineService.exe(HDX RealTime Optimization Pack)
%ProgramFiles(x86)%\Citrix\ICA Client\HdxTeams.exe(Optimization for Microsoft Teams for Workspace app 2009.5 or older)
%ProgramFiles(x86)%\Citrix\ICA Client\HdxRtcEngine.exe(Optimization for Microsoft Teams for Workspace app 2009.6 or higher)
These exclusions for the Citrix Workspace app are typically not required. We have only seen a need for these in environments when the antivirus is configured with policies that are more strict than usual, or in situations in which multiple security agents are in use simultaneously (AV, DLP, HIP, and so on).
When installing Citrix Workspace app using the Virtual Delivery Agent installer, an “Online Plugin” folder will be present in the install path such as
%ProgramFiles(x86)%\Citrix\online plugin\ICA Client\
%SystemRoot%\System32\drivers\CvhdBusP6.sys(Windows Server 2008 R2)
%SystemRoot%\System32\drivers\CVhdMp.sys(Windows Server 2012 R2)
%ProgramFiles%\Citrix\Provisioning Services\BNPXE.exe(only if PXE is used)
vdiskdif.vhdx(7.x and above when using RAM cache with overflow)
%SystemRoot%\System32\drivers\CVhdBusP6.sys(Windows Server 2008 R2)
%ProgramFiles%\Microsoft SQL Server\150\LocalDB\Binn\sqlservr.exe
%ProgramFiles(x86)%\Citrix\NetScaler Cloud Gateway\MetricsService.exe
Updated May 2023
%ProgramFiles(x86)%\Citrix\Workspace Environment Management Agent(on 64-bit OS)
%Program Files%\Citrix\Workspace Environment Management Agent(on 32-bit OS)
%ProgramFiles%\Citrix\Workspace Environment Management Agent\AgentCacheUtility.exe
%ProgramFiles%\Citrix\Workspace Environment Management Agent\AgentGroupPolicyUtility.exe
%ProgramFiles%\Citrix\Workspace Environment Management Agent\AppInfoViewer.exe
%ProgramFiles%\Citrix\Workspace Environment Management Agent\Agent Log Parser.exe
%ProgramFiles%\Citrix\Workspace Environment Management Agent\AppsMgmtUtil.exe
%ProgramFiles%\Citrix\Workspace Environment Management Agent\Citrix.Wem.Agent.EnrollmentUtility.exe
%ProgramFiles%\Citrix\Workspace Environment Management Agent\Citrix.Wem.Agent.Service.exe
%ProgramFiles%\Citrix\Workspace Environment Management Agent\Citrix.Wem.Agent.LogonService.exe
%ProgramFiles%\Citrix\Workspace Environment Management Agent\PrnsMgmtUtil.exe
%ProgramFiles%\Citrix\Workspace Environment Management Agent\VUEMAppCmd.exe
%ProgramFiles%\Citrix\Workspace Environment Management Agent\VUEMAppCmdDbg.exe
%ProgramFiles%\Citrix\Workspace Environment Management Agent\VUEMAppHide.exe
%ProgramFiles%\Citrix\Workspace Environment Management Agent\VUEMCmdAgent.exe
%ProgramFiles%\Citrix\Workspace Environment Management Agent\VUEMMaintMsg.exe
%ProgramFiles%\Citrix\Workspace Environment Management Agent\VUEMRSAV.exe
%ProgramFiles%\Citrix\Workspace Environment Management Agent\VUEMUIAgent.exe
In this article
- Agent Registrations
- Signature Updates
- Performance Optimizations
- Antivirus Exclusions
- Antivirus Vendors
- Additional Resources