Tech Paper: Endpoint Security, Antivirus, and Antimalware Best Practices

Overview

The article provides guidelines for configuring antivirus software in Citrix DaaS and Citrix Virtual Apps and Desktops environments.

Resources for configuring antivirus software on other Citrix technologies and features (for example, Cloud Connectors, Provisioning Services, and so on) are included.
Incorrect antivirus configuration is a common problem. It results in issues ranging from poor performance and degraded user experience to timeouts and outright failures of various components.

This Tech Paper covers topics relevant to optimal antivirus deployments in virtualized environments:

  • Agent provisioning and deprovisioning
  • Signature updates
  • A list of recommended exclusions and performance optimizations

Successful implementation of these recommendations depends upon your antivirus vendor and your security team. Consult them to get more specific recommendations.

Warning!
It is important to understand that antivirus exclusions and optimizations increase the attack surface of a system and might expose computers to various security threats.
The following guidelines typically represent the best trade-off between security and performance.

Citrix does not recommend implementing any of these exclusions or optimizations until rigorous testing has been conducted in a lab environment to thoroughly understand the trade-offs between security and performance.
Citrix also recommends that organizations engage their antivirus and security teams to review the following guidelines before proceeding with any type of production deployment.

Agent Registrations

Agent software that is installed on every provisioned virtual machine usually needs to register with a central site for management, reporting of status and other activities. For registration to be successful, each agent needs to be uniquely identifiable.

With machines provisioned from a single image using technologies such as Provisioning Services (PVS) or Machine Creation Services (MCS), it is important to understand how each agent is identified, and whether the vendor has specific instructions for virtualized environments.

Some vendors use dynamic information such as the MAC address or computer name for machine identification. Others use the more traditional approach of a random string generated during installation.

To prevent conflicting registrations, each machine needs to generate a unique identifier. Registration in non-persistent environments is often done using a startup script that automatically restores machine identification data from a persistent location.

In more dynamic environments, it is also important to understand how de-provisioning of machines behaves, if cleanup is a manual operation, or if it is performed automatically. Some vendors offer integration with hypervisors or even delivery controllers where machines can be automatically created or deleted as they are provisioned.

Recommendation: Ask your security vendor how the registration/unregistration of their agents is implemented. If registration requires more steps for environments with single-image management, include these steps in your image sealing instructions, preferably as a fully automated script.

Signature Updates

Timely, consistently updated signatures are one of the most important aspects of endpoint security solutions. Most vendors use locally cached, incrementally updated signatures that are stored on each of the protected devices.

With non-persistent machines, it is important to understand how signatures are updated and where they are stored. This knowledge enables you to understand and minimize the window of opportunity for malware to infect the machine.

Especially in a situation in which updates are not incremental and can reach significant size, you might consider a deployment in which persistent storage is attached to each of the non-persistent machines to keep the update cache intact between resets and image updates.
Using this approach, the window of opportunity and the performance impact of a definitions update is minimized.

Aside from signature updates for each of the provisioned machines, it is also important to define a strategy for updating the master image. Automating this process is recommended, as is updating the master image regularly with the latest signatures. This procedure is especially important for incremental updates, where it minimizes the amount of update traffic required for each virtual machine.

Another approach to managing signature updates in virtualized environments is to replace decentralized, per-machine signatures entirely with a centralized scanning engine. While this is primarily done to minimize the performance impact of the antivirus, it has the side benefit of centralizing signature updates as well.

Recommendation: Ask your security vendor how signatures are updated in your antivirus. What is the expected size and frequency, and are updates incremental? Are there any recommendations for non-persistent environments?

Performance Optimizations

An antivirus, especially if improperly configured, can have a negative impact on scalability and overall user experience. It is important to understand the performance impact to determine what is causing it and how it can be minimized.

Available performance optimization strategies and approaches differ between antivirus vendors and implementations. One of the most common and effective approaches is to offload antivirus scanning to a centralized scanning engine. Rather than each machine being responsible for scanning (often identical) samples, scanning is centralized and performed only once. This approach is optimized for virtualized environments; however, make sure you understand its impact on high availability.

[Figure: Antivirus Offloading. Offloading scans to a dedicated appliance can be highly effective in virtualized environments.]

Another approach is based on pre-scanning of read-only portions of the disks, done on the master images before provisioning.

Understand how this approach affects the window of opportunity (for example, what if a disk is already infected but signatures are not available during the pre-scan phase?).
This optimization is often combined with scanning only on write events, because every read then originates either from a pre-scanned portion of the disk or from a session-specific write cache/differential disk whose contents were already scanned during the write operation.
Often, a good compromise is to combine real-time scans (optimized) with scheduled scans (full scans of the system).

[Figure: Antivirus Write Scans. The most common scan optimization is to focus only on the differences between virtual machines.]

Recommendation: Performance optimizations can greatly improve user experiences. However, they can also be regarded as a security risk. A consultation with your vendor and your security team is recommended.
Most antivirus vendors with solutions for virtualized environments offer optimized scanning engines.

Antivirus Exclusions

The most common (and often the most important) optimization for antivirus is the proper definition of antivirus exclusions for all components.
While some vendors can automatically detect Citrix components and apply exclusions, most environments need a manual task to configure the antivirus in the management console.

Exclusions are typically recommended for real-time scanning.
To mitigate any potential performance impact, it is recommended to do scheduled scans during non-business or off-peak hours.

The integrity of excluded files and folders needs to be maintained always.
Organizations can consider using a commercial File Integrity Monitoring or Host Intrusion Prevention solution to protect the integrity of files and folders being excluded from real-time or on-access scanning.

Database and log files are excluded in this type of data integrity monitoring because these files are expected to change. If an entire folder must be excluded from real-time or on-access scanning, Citrix recommends closely monitoring the creation of new files in the excluded folders.
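As an added example that is not part of the Citrix Tech Paper, the following PowerShell script keeps a SHA-256 baseline of the folders you have excluded and, on later runs, reports new, modified and deleted files, treating database and log files as expected to change as the paragraph above describes. The folder list, the baseline location and the extension lists are assumptions; adjust them to your environment.

```powershell
# Added example (not from the Citrix Tech Paper): hash baseline for folders
# excluded from real-time scanning so that new or modified files there are
# noticed. Folder list, baseline location and extension lists are assumptions.
$ExcludedFolders = @(
    '%ProgramData%\Citrix\Broker\Cache',
    '%ProgramData%\Citrix\WorkspaceCloud\Logs'
)
$BaselinePath = 'C:\ProgramData\ExclusionBaseline.json'
# Files expected to change (database/log): report them only when they are new.
$VolatileExt   = '.mdf', '.ldf', '.edb', '.log', '.txt'
# Anything executable appearing in an excluded folder is the highest-priority finding.
$ExecutableExt = '.exe', '.dll', '.sys', '.ps1', '.bat', '.cmd', '.vbs', '.js', '.scr'

function Get-ExclusionSnapshot {
    param([string[]]$Folders)
    $snapshot = @{}
    foreach ($raw in $Folders) {
        $folder = [Environment]::ExpandEnvironmentVariables($raw)
        if (-not (Test-Path -LiteralPath $folder)) { continue }
        foreach ($file in Get-ChildItem -LiteralPath $folder -Recurse -File -ErrorAction SilentlyContinue) {
            # Locked files (open databases) hash as $null; they still show up as present.
            $hash = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            $snapshot[$file.FullName] = @{ Hash = $hash; Ext = $file.Extension.ToLower() }
        }
    }
    return $snapshot
}

function Compare-ExclusionSnapshot {
    param([hashtable]$Baseline, [hashtable]$Current)
    $findings = @()
    foreach ($path in $Current.Keys) {
        $ext = $Current[$path].Ext
        $severity = if ($ext -in $ExecutableExt) { 'High' } else { 'Medium' }
        if (-not $Baseline.ContainsKey($path)) {
            # A new file in an excluded folder is exactly what the paper says to watch for.
            $findings += [pscustomobject]@{ Change = 'New'; Severity = $severity; Path = $path }
        } elseif ($Baseline[$path].Hash -ne $Current[$path].Hash -and $ext -notin $VolatileExt) {
            $findings += [pscustomobject]@{ Change = 'Modified'; Severity = $severity; Path = $path }
        }
    }
    foreach ($path in $Baseline.Keys) {
        if (-not $Current.ContainsKey($path)) {
            $findings += [pscustomobject]@{ Change = 'Deleted'; Severity = 'Low'; Path = $path }
        }
    }
    return $findings
}

$current = Get-ExclusionSnapshot $ExcludedFolders
if (-not (Test-Path -LiteralPath $BaselinePath)) {
    # First run: record the baseline once the image is sealed and known clean.
    $current | ConvertTo-Json -Depth 3 | Set-Content -LiteralPath $BaselinePath
    Write-Host "Baseline of $($current.Count) files written to $BaselinePath"
} else {
    # Later runs: rebuild the baseline hashtable from JSON and diff against it.
    $baseline = @{}
    foreach ($p in (Get-Content -LiteralPath $BaselinePath -Raw | ConvertFrom-Json).PSObject.Properties) {
        $baseline[$p.Name] = @{ Hash = $p.Value.Hash; Ext = $p.Value.Ext }
    }
    $findings = Compare-ExclusionSnapshot -Baseline $baseline -Current $current
    if ($findings) { $findings | Sort-Object { @{ High = 0; Medium = 1; Low = 2 }[$_.Severity] } | Format-Table -AutoSize }
    else { Write-Host 'No changes in excluded folders since baseline' }
}
```

Run it once after sealing the image to create the baseline, then on a schedule; a commercial File Integrity Monitoring product does the same job with alerting built in.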

Scan only local drives - or disable network scanning. The assumption is that antivirus and data integrity solutions monitor all remote locations including file servers hosting user profiles and redirected folders.
It is recommended to exclude network shares accessed by all provisioned machines. An example includes shares hosting redirected folders or user profiles.

Another important consideration is the exclusion of processes. The goal is to prevent scanning of any activity performed by such processes, rather than merely preventing the scanning of the .exe file itself. Some security solutions refer to this as defining trusted processes.

Recommendation: Review these recommendations with your vendor and security team.

  • Review all files, folders, and processes for exclusion and confirm they exist before you create an exclusion policy.
  • Implement different exclusion policies for different components.
  • To minimize the window of opportunity, implement a combination of real-time and scheduled scans.
  • Set real-time scanning to scan local drives only and not network drives.
  • Disable scan on boot.
  • Remove any unnecessary antivirus-related entries from the Run key.
  • Exclude one or more pagefiles from being scanned.
  • Exclude Windows event logs from being scanned.
  • Exclude IIS log files from being scanned.
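As an added example that is not part of the Citrix Tech Paper, the following PowerShell script applies the first bullet above (confirm that every file, folder and process exists before creating the policy) to Microsoft Defender, using the Delivery Controller entries listed later in this paper. The publisher name checked for process exclusions, the $Apply switch and the Test-Exclusion function are assumptions.

```powershell
# Added example (not from the Citrix Tech Paper): confirm each exclusion target
# exists and, for processes, is validly signed by the expected publisher before
# it is handed to Microsoft Defender. Paths are the paper's Delivery Controller
# entries; the publisher name and the $Apply switch are assumptions.
#Requires -RunAsAdministrator
$Apply = $false   # $false only reports; set to $true to write the exclusions
$ExpectedPublisher = 'Citrix Systems, Inc.'

$Exclusions = @(
    @{ Kind = 'File';    Path = '%SystemRoot%\ServiceProfiles\NetworkService\HaDatabaseName.mdf' }
    @{ Kind = 'File';    Path = '%SystemRoot%\ServiceProfiles\NetworkService\HaDatabaseName_log.ldf' }
    @{ Kind = 'Folder';  Path = '%ProgramData%\Citrix\Broker\Cache' }
    @{ Kind = 'Process'; Path = '%ProgramFiles%\Citrix\Broker\Service\BrokerService.exe' }
    @{ Kind = 'Process'; Path = '%ProgramFiles%\Citrix\Broker\Service\HighAvailabilityService.exe' }
    @{ Kind = 'Process'; Path = '%ProgramFiles%\Citrix\ConfigSync\ConfigSyncService.exe' }
)

function Test-Exclusion {
    param([string]$Kind, [string]$RawPath)
    $path = [Environment]::ExpandEnvironmentVariables($RawPath)
    $exists = Test-Path -LiteralPath $path
    $verdict = if ($exists) { 'Approved' } else { 'Missing' }
    # A process exclusion suppresses scanning of everything that process
    # touches, so require a valid Authenticode signature from the expected
    # publisher before approving it.
    if ($Kind -eq 'Process' -and $exists) {
        $sig = Get-AuthenticodeSignature -FilePath $path
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        if ($sig.Status -ne 'Valid' -or $subject -notlike "*CN=$ExpectedPublisher*") {
            $verdict = "Rejected: signature $($sig.Status), signer '$subject'"
        }
    }
    [pscustomobject]@{ Kind = $Kind; Path = $path; Verdict = $verdict }
}

$report = foreach ($e in $Exclusions) { Test-Exclusion -Kind $e.Kind -RawPath $e.Path }
$report | Format-Table -AutoSize -Wrap

$paths = @($report | Where-Object { $_.Verdict -eq 'Approved' -and $_.Kind -ne 'Process' }).Path
$procs = @($report | Where-Object { $_.Verdict -eq 'Approved' -and $_.Kind -eq 'Process' }).Path
if ($Apply) {
    if ($paths) { Add-MpPreference -ExclusionPath $paths }
    if ($procs) { Add-MpPreference -ExclusionProcess $procs }
    # Read back what Defender actually holds so the change can be audited.
    Get-MpPreference | Select-Object ExclusionPath, ExclusionProcess
} else {
    Write-Host "Dry run: would add $($paths.Count) path and $($procs.Count) process exclusions"
}
```

Missing or rejected entries are left out of the policy and shown in the report, so a stale path from an older CVAD version never becomes a silent exclusion.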

Note

EDR solutions behave differently from traditional AV solutions.
They can delay Citrix processes, affect performance, and compromise functionality.
If exclusions are required with an EDR solution, test the performance and functionality of the Citrix environment both with and without the EDR solution, and evaluate whether the difference is acceptable.

Virtual Apps and Desktops

Delivery Controllers

Files (v1912+):

  • %SystemRoot%\ServiceProfiles\NetworkService\HaDatabaseName.mdf
  • %SystemRoot%\ServiceProfiles\NetworkService\HaImportDatabaseName.mdf
  • %SystemRoot%\ServiceProfiles\NetworkService\HaDatabaseName_log.ldf
  • %SystemRoot%\ServiceProfiles\NetworkService\HaImportDatabaseName_log.ldf

Folders (v1912+):

  • %ProgramData%\Citrix\Broker\Cache

Processes:

  • %ProgramFiles%\Citrix\Broker\Service\BrokerService.exe
  • %ProgramFiles%\Microsoft SQL Server\150\LocalDB\Binn\sqlservr.exe

Processes (v1912+):

  • %ProgramFiles%\Citrix\Broker\Service\HighAvailabilityService.exe
  • %ProgramFiles%\Citrix\ConfigSync\ConfigSyncService.exe

Virtual Delivery Agents

Updated June 2023

Files:

  • %SystemRoot%\System32\drivers\CtxUvi.sys
  • %ProgramFiles%\Citrix\HDX\bin\CitrixLogonCsp.dll
  • mcsdif.vhdx (When using MCS I/O)

Processes:

  • %ProgramFiles%\Citrix\User Profile Manager\UserProfileManager.exe
  • %ProgramFiles%\Citrix\Virtual Desktop Agent\BrokerAgent.exe
  • %SystemRoot%\System32\drivers\CVhdFilter.sys (When using MCS I/O)

CVAD 1912 LTSR

  • %ProgramFiles(x86)%\Citrix\ICAService\CtxSvcHost.exe
  • %ProgramFiles%\Citrix\System32\ctxgfx.exe

CVAD 1912 LTSR - Single Session VDA only

  • %ProgramFiles%\Citrix\ICAService\picaSvc2.exe
  • %ProgramFiles%\Citrix\ICAService\CpSvc.exe
  • %ProgramFiles%\Citrix\HDX\bin\ctxgfx.exe

CVAD 2112+

  • %ProgramFiles%\Citrix\HDX\bin\CtxSvcHost.exe
  • %ProgramFiles%\Citrix\HDX\bin\ctxgfx.exe

CVAD 2112+ Single Session VDA only

  • %ProgramFiles%\Citrix\HDX\bin\picaSvc2.exe
  • %ProgramFiles%\Citrix\HDX\bin\CpSvc.exe

The WebSocketService.exe file can be found in different locations in various CVAD versions.
Here is a list of supported LTSR and CR releases. We recommend confirming the file location.

  • %ProgramFiles%\Citrix\HTML5 Video Redirection\WebSocketService.exe (CVAD 7.15 LTSR - both desktop and server OS)
  • %ProgramFiles(x86)%\Citrix\System32\WebSocketService.exe (CVAD 1912 LTSR - Multi Session VDA only)
  • %ProgramFiles%\Citrix\ICAService\WebSocketService.exe (CVAD 1912 LTSR - Single Session VDA only)
  • %ProgramFiles(x86)%\Citrix\HDX\bin\WebSocketService.exe (CVAD 2003+ - Single Session and Multi Session VDAs)

Virtual Delivery Agents - HDX RealTime Optimization Pack

Files:

  • %Temp%\Citrix\RTMediaEngineSRV\MediaEngineSRVDebugLogs**.txt
  • %Temp%\Citrix\HDXRTConnector**.txt

Processes:

  • %ProgramFiles(x86)%\Citrix\HDX RealTime Connector\AudioTranscoder.exe
  • %ProgramFiles(x86)%\Citrix\HDX RealTime Connector\MediaEngine.Net.Service.exe
  • %ProgramFiles(x86)%\Citrix\HDX RealTime Connector\MediaEngineService.exe

Workspace app

Updated January 2024

Files:

  • %UserProfile%\AppData\Local\Temp\Citrix\RTMediaEngineSRV\MediaEngineSRVDebugLogs**.txt
  • %ProgramFiles(x86)%\Citrix\ICA Client\ctxapclient32.dll (App Protection)
  • %ProgramFiles(x86)%\Citrix\ICA Client\ctxapclient64.dll (App Protection)
  • %ProgramFiles(x86)%\Citrix\ICA Client\ctxapinject.sys (App Protection)
  • %ProgramFiles(x86)%\Citrix\ICA Client\ctxapdotnet.dll

Processes:

  • %ProgramFiles(x86)%\Citrix\ICA Client\MediaEngineService.exe (HDX RealTime Optimization Pack)
  • %ProgramFiles(x86)%\Citrix\ICA Client\CDViewer.exe
  • %ProgramFiles(x86)%\Citrix\ICA Client\concentr.exe
  • %ProgramFiles(x86)%\Citrix\ICA Client\wfica32.exe
  • %ProgramFiles(x86)%\Citrix\ICA Client\bgblursvc.exe
  • %ProgramFiles(x86)%\Citrix\ICA Client\AuthManager\AuthManSvr.exe
  • %ProgramFiles(x86)%\Citrix\ICA Client\SelfServicePlugin\SelfService.exe
  • %ProgramFiles(x86)%\Citrix\ICA Client\SelfServicePlugin\SelfServicePlugin.exe
  • %ProgramFiles(x86)%\Citrix\ICA Client\HdxTeams.exe (Optimization for Microsoft Teams for Workspace app 2009.5 or older)
  • %ProgramFiles(x86)%\Citrix\ICA Client\HdxRtcEngine.exe (Optimization for Microsoft Teams for Workspace app 2009.6 or higher)

    Note:

    Exclusions for the Citrix Workspace app are typically not required.
    A need arises in environments with antivirus configured with more strict than usual policies, or in situations in which multiple security agents are simultaneously in use (AV, DLP, HIP, and so on). When installing Citrix Workspace app using the Virtual Delivery Agent installer, an “Online plug-in” folder is present in the install path such as %ProgramFiles(x86)%\Citrix\online plugin\ICA Client\

Provisioning

Citrix Provisioning (PVS)

Updated February 2024

Files:

  • *.vhd
  • *.avhd
  • *.vhdx
  • *.avhdx
  • *.pvp
  • *.lok
  • %SystemRoot%\System32\drivers\CVhdMp.sys
  • %SystemRoot%\System32\drivers\CfsDep2.sys
  • %ProgramData%\Citrix\Provisioning Services\Tftpboot\ARDBP32.BIN
  • %ProgramFiles%\Citrix\Provisioning Services\Pvsnbpn64.efi (if using UEFI PXE boot)

Processes:

  • %ProgramFiles%\Citrix\Provisioning Services\BNTFTP.EXE
  • %ProgramFiles%\Citrix\Provisioning Services\PVSTSB.EXE
  • %ProgramFiles%\Citrix\Provisioning Services\StreamService.exe
  • %ProgramFiles%\Citrix\Provisioning Services\StreamProcess.exe
  • %ProgramFiles%\Citrix\Provisioning Services\soapserver.exe
  • %ProgramFiles%\Citrix\Provisioning Services\Inventory.exe
  • %ProgramFiles%\Citrix\Provisioning Services\Notifier.exe
  • %ProgramFiles%\Citrix\Provisioning Services\MgmtDaemon.exe
  • %ProgramFiles%\Citrix\Provisioning Services\BNPXE.exe (only if PXE is used)
  • %ProgramFiles%\Citrix\Provisioning Services\CdfSvc.exe
  • %ProgramFiles%\Citrix\Provisioning Services\BNAbsService.exe

Provisioning Target Device

Files:

  • .vdiskcache
  • vdiskdif.vhdx (When using RAM cache with overflow)

Processes:

  • %SystemRoot%\System32\drivers\bnistack6.sys
  • %SystemRoot%\System32\drivers\CfsDep2.sys
  • %SystemRoot%\System32\drivers\cnicteam.sys
  • %SystemRoot%\System32\drivers\CVhdMp.sys
  • %ProgramFiles%\Citrix\Provisioning Services\BNDevice.exe
  • %ProgramFiles%\Citrix\Provisioning Services\drivers\BNIstack6.sys
  • %ProgramFiles%\Citrix\Provisioning Services\drivers\CNicTeam.sys
  • %ProgramFiles%\Citrix\Provisioning Services\drivers\CFsDep2.sys
  • %ProgramFiles%\Citrix\Provisioning Services\drivers\CVhdMp.sys

StoreFront

Files:

  • %SystemRoot%\ServiceProfiles\NetworkService\AppData\Roaming\Citrix\SubscriptionsStore\**\PersistentDictionary.edb

Processes:

  • %ProgramFiles%\Citrix\Receiver StoreFront\Services\SubscriptionsStoreService\Citrix.DeliveryServices.SubscriptionsStore.ServiceHost.exe
  • %ProgramFiles%\Citrix\Receiver StoreFront\Services\CredentialWallet\Citrix.DeliveryServices.CredentialWallet.ServiceHost.exe

Cloud Connector

Files:

  • %SystemRoot%\ServiceProfiles\NetworkService\HaDatabaseName.mdf
  • %SystemRoot%\ServiceProfiles\NetworkService\HaImportDatabaseName.mdf
  • %SystemRoot%\ServiceProfiles\NetworkService\HaDatabaseName_log.ldf
  • %SystemRoot%\ServiceProfiles\NetworkService\HaImportDatabaseName_log.ldf

Folders:

  • %SystemDrive%\Logs\CDF
  • %ProgramData%\Citrix\WorkspaceCloud\Logs

Processes:

  • %ProgramFiles%\Citrix\XaXdCloudProxy\XaXdCloudProxy.exe
  • %ProgramFiles%\Citrix\Broker\Service\HighAvailabilityService.exe
  • %ProgramFiles%\Citrix\ConfigSync\ConfigSyncService.exe
  • %ProgramFiles%\Citrix\ConfigSync\ConfigSyncRun.exe
  • %ProgramFiles%\Microsoft SQL Server\150\LocalDB\Binn\sqlservr.exe
  • %ProgramFiles(x86)%\Citrix\NetScaler Cloud Gateway\MetricsService.exe

Workspace Environment Management

Updated May 2023

Folders:

  • %ProgramFiles(x86)%\Citrix\Workspace Environment Management Agent (on 64-bit OS)
  • %ProgramFiles%\Citrix\Workspace Environment Management Agent (on 32-bit OS)

Processes:

  • %ProgramFiles%\Citrix\Workspace Environment Management Agent\AgentCacheUtility.exe
  • %ProgramFiles%\Citrix\Workspace Environment Management Agent\AgentGroupPolicyUtility.exe
  • %ProgramFiles%\Citrix\Workspace Environment Management Agent\AppInfoViewer.exe
  • %ProgramFiles%\Citrix\Workspace Environment Management Agent\Agent Log Parser.exe
  • %ProgramFiles%\Citrix\Workspace Environment Management Agent\AppsMgmtUtil.exe
  • %ProgramFiles%\Citrix\Workspace Environment Management Agent\Citrix.Wem.Agent.EnrollmentUtility.exe
  • %ProgramFiles%\Citrix\Workspace Environment Management Agent\Citrix.Wem.Agent.Service.exe
  • %ProgramFiles%\Citrix\Workspace Environment Management Agent\Citrix.Wem.Agent.LogonService.exe
  • %ProgramFiles%\Citrix\Workspace Environment Management Agent\PrnsMgmtUtil.exe
  • %ProgramFiles%\Citrix\Workspace Environment Management Agent\VUEMAppCmd.exe
  • %ProgramFiles%\Citrix\Workspace Environment Management Agent\VUEMAppCmdDbg.exe
  • %ProgramFiles%\Citrix\Workspace Environment Management Agent\VUEMAppHide.exe
  • %ProgramFiles%\Citrix\Workspace Environment Management Agent\VUEMCmdAgent.exe
  • %ProgramFiles%\Citrix\Workspace Environment Management Agent\VUEMMaintMsg.exe
  • %ProgramFiles%\Citrix\Workspace Environment Management Agent\VUEMRSAV.exe
  • %ProgramFiles%\Citrix\Workspace Environment Management Agent\VUEMUIAgent.exe

Session Recording - Server

Updated January 2024

Processes:

  • %ProgramFiles%\Citrix\SessionRecording\Server\Bin\SsRecStorageManager.exe
  • %ProgramFiles%\Citrix\SessionRecording\Server\Bin\SsRecAnalyticsService.exe
  • %ProgramFiles%\Citrix\SessionRecording\Server\Bin\SsRecWebSocketServer.exe
  • %ProgramFiles%\Citrix\SessionRecording\Server\Bin\icldb.exe
  • %ProgramFiles%\Citrix\SessionRecording\Server\Bin\iclstat.exe
  • %ProgramFiles%\Citrix\SessionRecording\Server\Bin\SsRecServerConsole.exe
  • %ProgramFiles%\Citrix\SessionRecording\Server\Bin\SsRecUtils.exe

Files:

  • %ProgramFiles%\Citrix\SessionRecording\Server\App_Data*.xml

Folders:

  • C:\SessionRecordings
  • C:\SessionRecordingsRestored
  • %SystemRoot%\System32\msmq
  • %ProgramFiles%\Citrix\SessionRecording\Server\Bin\log

Session Recording - Agent

Processes:

  • %ProgramFiles%\Citrix\SessionRecording\Agent\Bin\SsRecAgent.exe
  • %ProgramFiles%\Citrix\SessionRecording\Agent\Bin\SsRecAgentWrapper.exe
  • %ProgramFiles%\Citrix\SessionRecording\Agent\Bin\SsRecEventMonitorService.exe
  • %ProgramFiles%\Citrix\SessionRecording\Agent\Bin\SsRecSRGraphics.exe
  • %ProgramFiles%\Citrix\SessionRecording\Agent\Bin\SsRecSessionHelper.exe

Files:

  • %SystemRoot%\System32\drivers\ssrecdrv.sys
  • %SystemRoot%\System32\drivers\srminifilterdrv.sys

Folders:

  • %SystemRoot%\System32\msmq

Session Recording - Player

Processes:

  • %ProgramFiles(x86)%\Citrix\SessionRecording\Player\Bin\SsRecPlayer.exe
  • %ProgramFiles(x86)%\Citrix\SessionRecording\Player\Bin\iclstat.exe

Folders:

  • %UserProfile%\AppData\Local\Citrix\SessionRecording\Player\Cache

Antivirus Vendors

Bitdefender - Implementing Security Best Practices in the Virtual Data Center

Microsoft - Windows Defender in VDI environments

Microsoft - FSLogix Antivirus Exclusions

Trend Micro - Deep Security Recommended Exclusions

More Resources

Citrix Ready Workspace Security Program

Citrix Guidelines for Antivirus Software Configuration

Provisioning Services Antivirus Best Practices

Antivirus layering with Citrix App Layering

Microsoft SQL Server File Locations