Endpoint Security and Antivirus Best Practices
Author: Martin Zugec
This article provides guidelines for configuring antivirus software in Citrix Virtual Apps and Desktops environments, and resources for configuring antivirus software on other Citrix technologies and features (for example, Cloud Connectors, Provisioning Services, and so on). Incorrect antivirus configuration is one of the most common problems that we see in the field. It can result in various issues, ranging from performance issues or degraded user experiences to timeouts and failures of various components.
In this Tech Paper, we cover a few major topics relevant to optimal antivirus deployments in virtualized environments: agent provisioning and deprovisioning, signature updates, a list of recommended exclusions and performance optimizations. Successful implementation of these recommendations depends upon your antivirus vendor and your security team. Consult them to get more specific recommendations.
Warning! This article contains antivirus exclusions. It is important to understand that antivirus exclusions and optimizations increase the attack surface of a system and might expose computers to various security threats. However, the following guidelines typically represent the best trade-off between security and performance. Citrix does not recommend implementing any of these exclusions or optimizations until rigorous testing has been conducted in a lab environment to thoroughly understand the tradeoffs between security and performance. Citrix also recommends that organizations engage their antivirus and security teams to review the following guidelines before proceeding with any type of production deployment.
Agent software that is installed on every provisioned virtual machine usually needs to register with a central site for management, reporting of status and other activities. For registration to be successful, each agent needs to be uniquely identifiable.
With machines provisioned from a single image using technologies such as Provisioning Services (PVS) or Machine Creation Services (MCS), it is important to understand how each agent is identified - and if there are any instructions required for virtualized environments. Some vendors use dynamic information such as the MAC address or computer name for machine identification. Others use the more traditional approach of a random string generated during installation. To prevent conflicting registrations, each machine needs to generate a unique identifier. This is often done using a startup script that automatically restores machine identification data from a persistent location.
In more dynamic environments, it is also important to understand how de-provisioning of machines behaves, if cleanup is a manual operation, or if it is performed automatically. Some vendors offer integration with hypervisors or even delivery controllers where machines can be automatically created or deleted as they are provisioned.
Recommendation: Ask your security vendor how registration/unregistration works with your specific product. If registration requires additional steps for environments with single-image management, include these steps in your image sealing instructions, preferably as a fully automated script.
Timely consistently updated signatures are one of the most important aspects of endpoint security solutions. Most vendors use locally cached, incrementally updated signatures that are stored on each of the protected devices.
With non-persistent machines, it is important to understand how signatures are updated and where they are stored. This enables you to understand the window of opportunity for malware to infect the machine. Also, it helps to design the environment to minimize this window.
Especially in a situation in which updates are not incremental and can reach significant size, you might consider a deployment in which persistent storage is attached to each of the non-persistent machines to keep the update cache intact between resets and image updates. Using this approach, the window of opportunity and the performance impact of a definitions update is minimized.
Aside from signature updates for each of the provisioned machines, it is also important to define a strategy for updating the master image. Automating this process is recommended, so is updating the master image on a regular basis with latest signatures. This is especially important for incremental updates in which you are minimizing the amount of traffic required for each virtual machine.
Another approach to managing signature updates in virtualized environments is to completely replace the nature of the decentralized signatures with a centralized scanning engine. While this is primarily done to minimize the performance impact of an antivirus, it has the side benefit of centralizing signature updates as well.
Recommendation: Ask your security vendor how signatures are updated in your antivirus. What is the expected size and frequency, and are updates incremental? Are there any recommendations for non-persistent environments?
An antivirus, especially if improperly configured, can have a negative impact on scalability and overall user experience. It is, therefore, important to understand the performance impact to determine what is causing it and how it can be minimized.
Available performance optimization strategies and approaches are different for various antivirus vendors and implementations. One of the most common and effective approaches is to provide centralized offloading antivirus scanning capabilities. Rather than each machine being responsible for scanning (often identical) samples, scanning is centralized and performed only once. This approach is optimized for virtualized environments; however, please make sure you understand its impact on high-availability.
Offloading scans to a dedicated appliance can be highly effective in virtualized environments
Another approach is based on pre-scanning of read-only portions of the disks, performed on the master images before provisioning. It is important to understand how this affects the window of opportunity (e.g., what if disk already contains infected files but signatures are not available during pre-scan phase?). This optimization often is combined with scanning for write-only events, as all reads will either originate from pre-scanned disk portions or from a session-specific write cache/differential disk that was already scanned during write operation. Often, a good compromise is to combine real-time scans (optimized) with scheduled scans (full scans of the system).
The most common scan optimization is to focus only on the differences between virtual machines
Recommendation: Performance optimizations can greatly improve user experiences. However it should be noted that they can be regarded as a security risks. Therefore, consultation with your vendor and your security team is recommended. Most antivirus vendors with solutions for virtualized environments offer optimized scanning engines.
The most common (and often the most important) optimization for antivirus is proper definition of antivirus exclusions for all components. While some vendors can automatically detect Citrix components and apply exclusions, for most environments, this is a manual task that needs to be configured for the antivirus in the management console.
Exclusions are typically recommended for real-time scanning. However Citrix recommends scanning the excluded files and folders regularly using scheduled scans. To mitigate any potential performance impact, it is recommended to perform scheduled scans during non-business or off-peak hours.
The integrity of excluded files and folders should be maintained at all times. Organizations should consider leveraging a commercial File Integrity Monitoring or Host Intrusion Prevention solution to protect the integrity of files and folders that have been excluded from real-time or on-access scanning. It is noteworthy that database and log files should not be included in this type of data integrity monitoring because these files are expected to change. If an entire folder must be excluded from real-time or on-access scanning, Citrix recommends closely monitoring the creation of new files in the excluded folders.
Scan only local drives - or disable network scanning. The assumption is that all remote locations that might include file servers that host user profiles and redirected folders are being monitored by antivirus and data integrity solutions. If not, it is recommended that network shares accessed by all provisioned machines be excluded. An example includes shares hosting redirected folders or user profiles.
Recommendation: Review these recommendations with your vendor and security team.
- Review all files/folders for exclusion and confirm they exist before you create an exclusion policy.
- Implement multiple exclusion policies for different components instead of creating one large policy for all of them.
- To minimize the window of opportunity, implement a combination of real time and scheduled scans.
Virtual Apps and Desktops
Virtual Delivery Agents
%ProgramFiles%\Citrix\User Profile Manager\UserProfileManager.exe
%ProgramFiles%\Citrix\Virtual Desktop Agent\BrokerAgent.exe
%ProgramFiles%\Citrix\ICAService\picaSvc2.exe(Desktop OS only)
%ProgramFiles%\Citrix\ICAService\CpSvc.exe(Desktop OS only)
Workspace app / Receiver for Windows
Please note that these exclusions for Receiver typically are not needed. We have only seen a need for these in environments when the antivirus is configured with policies that are more strict than usual, or in situations in which multiple security agents are in use simultaneously (AV, DLP, HIP, etc.)
%SystemRoot%\System32\drivers\CvhdBusP6.sys(Windows Server 2008 R2)
%SystemRoot%\System32\drivers\CVhdMp.sys(Windows Server 2012 R2)
%ProgramFiles%\Citrix\Provisioning Services\BNPXE.exe(only if PXE is used)
Provisioning Target Device
vdiskdif.vhdx(7.x and above when using RAM cache with overflow)
Workspace Environment Management - Server
Norskale Broker Service.exe
Norskale Broker Service Configuration Utility.exe
Norskale Database Management Utility.exe
Workspace Environment Management - Agent
Citrix.Wem.Agent.Service.exe(before on-premises release 1909 and cloud release 1903 this process was called
Norskale Agent Host Service.exe)