With multiple CTX articles available on antivirus exclusions, and a couple of great blogs on the subject ("Antivirus Guidelines from Citrix are Back!" by Nick Rintalan and "PVS and the forgotten antivirus exclusions" by Dimitrios Samorgiannidis), I decided to create a consolidated list of recommended antivirus exclusions for a Citrix environment.

WARNING! This article contains antivirus exclusions. It is important to understand that antivirus exclusions and optimizations increase the attack surface of a system and might expose computers to a variety of real security threats. However, the following guidelines typically represent the best tradeoff between security and performance. Citrix does not recommend implementing any of these exclusions or optimizations until rigorous testing has been conducted in a lab environment to thoroughly understand the tradeoffs between security and performance. Citrix also recommends organizations engage their antivirus and security teams to review the following guidelines before proceeding with any type of production deployment.

General Antivirus Recommendations:

The following list contains general antivirus recommendations that should be reviewed prior to implementing any type of exclusions or optimizations:

  • If organizations choose to exclude particular files or folders as part of real-time or on-access scanning, Citrix recommends scanning the excluded files and folders on a regular basis using scheduled scans. It is recommended to perform scheduled scans during non-business or off-peak hours to mitigate any potential performance impact.
  • Integrity of excluded files and folders should be maintained at all times. Organizations should consider leveraging a commercial File Integrity Monitoring or Host Intrusion Prevention solution to protect the integrity of files and folders that have been excluded from real-time or on-access scanning. It should be noted that database and log files should not be included in this type of data integrity monitoring because these files are expected to change.
  • If an entire folder must be excluded from real-time or on-access scanning, Citrix recommends monitoring the creation of new files in the excluded folders very closely.
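
As an added illustration of the second and third recommendations (this script is not part of the original post and is not a Citrix tool), the following PowerShell script keeps a SHA-256 baseline of the files in excluded locations and, on each later run, reports files that were added, modified, or removed. It assumes Windows PowerShell 5.1 or later; the paths in $ExcludedPaths are a sample taken from the Provisioning Services list further down and should be replaced with the exclusions actually in force, and the $Mode, $BaselinePath and Get-ExclusionInventory names are the example's own. Database and log files are deliberately left out, as the recommendation says.

```powershell
# Added example, not from the original post: a lightweight integrity check for
# files and folders excluded from real-time scanning. Run with -Mode Baseline once
# after a known-good build, then -Mode Compare on a schedule (for instance alongside
# the off-hours scheduled scan) to catch changed, removed, or newly created files.
# $ExcludedPaths below is an assumed sample; substitute the exclusions you have applied.

param(
    [ValidateSet('Baseline', 'Compare')]
    [string]$Mode = 'Compare',
    [string]$BaselinePath = "$env:ProgramData\AvExclusionBaseline.json"
)

# Sample exclusions (folder plus two driver files); replace with your own list.
$ExcludedPaths = @(
    "$env:ProgramFiles\Citrix\Provisioning Services",
    "$env:SystemRoot\System32\drivers\bnistack6.sys",
    "$env:SystemRoot\System32\drivers\CfsDep2.sys"
)

function Get-ExclusionInventory {
    # Returns a hashtable of full path -> SHA-256 for every file under the given paths.
    param([string[]]$Paths)
    $inventory = @{}
    foreach ($p in $Paths) {
        if (-not (Test-Path -LiteralPath $p)) {
            # An exclusion for a path that does not exist protects nothing; it only marks
            # a location where anything dropped later will not be scanned.
            Write-Warning "Excluded path does not exist on this host: $p"
            continue
        }
        $files = if ((Get-Item -LiteralPath $p).PSIsContainer) {
            Get-ChildItem -LiteralPath $p -Recurse -File -ErrorAction SilentlyContinue
        } else {
            Get-Item -LiteralPath $p
        }
        foreach ($f in $files) {
            $inventory[$f.FullName] = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
        }
    }
    return $inventory
}

switch ($Mode) {
    'Baseline' {
        $inv = Get-ExclusionInventory -Paths $ExcludedPaths
        $inv | ConvertTo-Json | Set-Content -LiteralPath $BaselinePath -Encoding UTF8
        Write-Host "Baseline of $($inv.Count) files written to $BaselinePath"
    }
    'Compare' {
        if (-not (Test-Path -LiteralPath $BaselinePath)) {
            throw "No baseline at $BaselinePath; run with -Mode Baseline first."
        }
        $baseline = @{}
        (Get-Content -LiteralPath $BaselinePath -Raw | ConvertFrom-Json).PSObject.Properties |
            ForEach-Object { $baseline[$_.Name] = $_.Value }
        $current = Get-ExclusionInventory -Paths $ExcludedPaths

        # New files in an excluded folder are the case the third recommendation warns about.
        $new      = $current.Keys  | Where-Object { -not $baseline.ContainsKey($_) }
        $removed  = $baseline.Keys | Where-Object { -not $current.ContainsKey($_) }
        $modified = $current.Keys  | Where-Object { $baseline.ContainsKey($_) -and $baseline[$_] -ne $current[$_] }

        foreach ($f in $new)      { Write-Warning "NEW file in excluded location: $f" }
        foreach ($f in $modified) { Write-Warning "MODIFIED excluded file: $f" }
        foreach ($f in $removed)  { Write-Warning "REMOVED excluded file: $f" }
        if (-not ($new -or $modified -or $removed)) { Write-Host "Excluded files match baseline." }
    }
}
```

Schedule the Compare run with Task Scheduler under an account that can read the excluded locations, and store the baseline file somewhere the excluded processes cannot write to, otherwise a change could rewrite the baseline along with the file. This is a stop-gap that shows what the check has to cover; a commercial FIM or HIPS product, as the recommendation says, is the proper control for production.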

The following antivirus exclusions should be applied to all Citrix infrastructure servers:

  • Set real-time scanning to scan local drives only and not network drives
  • Disable scan on boot
  • Remove any unnecessary antivirus-related entries from the Run key
  • Exclude the pagefile(s) from being scanned
  • Exclude IIS log files from being scanned
  • Exclude Windows event logs from being scanned

Below are the recommended antivirus exclusions, by Citrix product:

Citrix Profile Manager Agent:
  • UserProfileManager.exe (do not scan on open or status-check operations)

EdgeSight Agent:
  • <AllUsersProfile>\Application Data\Citrix\System Monitoring\Data
  • \ProgramFiles\Citrix\System Monitoring\Agent\Core\rscorsvc.exe
  • \ProgramFiles\Citrix\System Monitoring\Agent\Core\Firebird\bin\fbserver.exe

EdgeSight Server:
  • \CommonProgramFiles\Citrix\System Monitoring\Server\RSSH
  • \ProgramFiles\Citrix\System Monitoring\Server\EdgeSight\scripts\rssh
  • \ProgramFiles\Citrix\System Monitoring\Server\EdgeSight\Pages
  • \ProgramFiles\Microsoft SQL Server\MSSQL\Reporting Services
  • \ProgramFiles\Microsoft SQL Server\MSSQL\Data
  • \SystemRoot\SYSTEM32\Logfiles

Provisioning Services Server:
  • Exclude scanning of Local vDisk Store
  • \Windows\System32\drivers\CvhdBusP6.sys
  • \Windows\System32\drivers\CfsDep2.sys
  • \Program Files\Citrix\Provisioning Services\BNTFTP.EXE
  • \ProgramData\Citrix\Provisioning Services\Tftpboot\ARDBP32.BIN
  • \Program Files\Citrix\Provisioning Services\StreamService.exe
  • \Program Files\Citrix\Provisioning Services\StreamProcess.exe
  • \Program Files\Citrix\Provisioning Services\soapserver.exe

Provisioning Services Target:
  • Exclude scanning of Write Cache
  • \Program Files\Citrix\Provisioning Services\BNDevice.exe
  • \Windows\System32\drivers\bnistack6.sys
  • \Program Files\Citrix\Provisioning Services\TargetOSOptimizer.exe
  • \Windows\System32\drivers\CfsDep2.sys
  • \Windows\System32\drivers\CVhdBusP6.sys

Provisioning Services Target – Personal vDisk:
  • CTXPVD.exe
  • CTXPVDSVC.exe
  • \Program Files\Citrix\Personal vDisk\BIN\WIN7\

XenApp Controller:
  • \Windows\system32\csrss.exe
  • \Windows\system32\winlogon.exe
  • \Windows\system32\userinit.exe
  • \Windows\system32\smss.exe
  • \Program Files\Citrix\Group Policy\Client-Side Extension\CitrixCseEngine.exe
  • \Program Files (x86)\Citrix\System32\wfshell.exe
  • \Program Files (x86)\Citrix\system32\ctxxmlss.exe
  • \Program Files (x86)\Citrix\System32\CtxSvcHost.exe
  • \Program Files (x86)\Citrix\system32\mfcom.exe
  • \Program Files (x86)\Citrix\System32\Citrix\Ima\ImaSrv.exe
  • \Program Files (x86)\Citrix\System32\Citrix\Ima\IMAAdvanceSrv.exe
  • \Program Files (x86)\Citrix\HealthMon\HCAService.exe
  • \Program Files (x86)\Citrix\Streaming Client\RadeSvc.exe
  • \Program Files (x86)\Citrix\Streaming Client\RadeHlprSvc.exe
  • \Program Files\Citrix\Independent Management Architecture\RadeOffline.mdb
  • \Program Files\Citrix\Independent Management Architecture\imalhc.mdb

XenApp Session Host:
  • \Windows\system32\spoolsv.exe
  • \Windows\system32\csrss.exe
  • \Windows\system32\winlogon.exe
  • \Windows\system32\userinit.exe
  • \Windows\system32\smss.exe
  • \Program Files\Citrix\Group Policy\Client-Side Extension\CitrixCseEngine.exe
  • \Program Files (x86)\Citrix\System32\wfshell.exe
  • \Program Files (x86)\Citrix\system32\CpSvc.exe
  • \Program Files (x86)\Citrix\System32\CtxSvcHost.exe
  • \Program Files (x86)\Citrix\system32\mfcom.exe
  • \Program Files (x86)\Citrix\System32\Citrix\Ima\ImaSrv.exe
  • \Program Files (x86)\Citrix\System32\Citrix\Ima\IMAAdvanceSrv.exe
  • \Program Files (x86)\Citrix\HealthMon\HCAService.exe
  • \Program Files (x86)\Citrix\Streaming Client\RadeSvc.exe
  • \Program Files (x86)\Citrix\Streaming Client\RadeHlprSvc.exe
  • \Program Files (x86)\Citrix\XTE\bin\XTE.exe
  • \Program Files\Citrix\Independent Management Architecture\RadeOffline.mdb
  • %AppData%\ICAClient\Cache (if using pass-through authentication)

XenClient Synchronizer:
  • \Program Files\Citrix\Synchronizer

XenDesktop Controller:
  • \Windows\system32\csrss.exe
  • \Windows\system32\winlogon.exe
  • \Windows\system32\userinit.exe
  • \Windows\system32\smss.exe

XenDesktop Controller – pre-XenDesktop 7.x:
  • \Program Files\Citrix\Group Policy\Client-Side Extension\CitrixCseEngine.exe
  • \Program Files (x86)\Citrix\System32\wfshell.exe
  • \Program Files (x86)\Citrix\system32\ctxxmlss.exe
  • \Program Files (x86)\Citrix\System32\CtxSvcHost.exe
  • \Program Files (x86)\Citrix\system32\mfcom.exe

Windows Server OS Machines – XenDesktop 7.x:
  • \Windows\system32\spoolsv.exe
  • \Windows\system32\csrss.exe
  • \Windows\system32\winlogon.exe
  • \Windows\system32\userinit.exe
  • \Windows\system32\smss.exe
  • \Program Files\Citrix\Group Policy\Client-Side Extension\CitrixCseEngine.exe
  • \Program Files (x86)\Citrix\System32\wfshell.exe
  • \Program Files (x86)\Citrix\system32\CpSvc.exe
  • \Program Files (x86)\Citrix\System32\CtxSvcHost.exe
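
To show how the server-wide list (local drives only, pagefile, IIS logs, event logs) and the per-product lists above are actually applied and then verified, here is an added PowerShell example. It is not from the original post or from Citrix, and it assumes Microsoft Defender Antivirus as the engine (Set-MpPreference, Add-MpPreference and Get-MpPreference), the default IIS log location, and two role subsets copied from the Provisioning Services Server and XenApp Session Host lists; the $Role, $DryRun, $basePaths and $roleEntries names are the example's own. Other antivirus products expose the same path and process exclusion concepts through their own tooling, and site-specific locations such as the vDisk store and write cache still have to be added by hand.

```powershell
# Added example, not from the original post: applies the server-wide exclusions plus a
# per-role subset of the Citrix exclusions, assuming Microsoft Defender Antivirus.
# Run elevated. Entries that do not exist on this host are reported and skipped rather
# than excluded, and a weekly full scan stays scheduled so the excluded locations are
# still scanned off-hours, as the general recommendations ask.

param(
    [ValidateSet('PVSServer', 'SessionHost')]
    [string]$Role = 'SessionHost',
    [switch]$DryRun   # report what would change without calling Set-/Add-MpPreference
)

# Server-wide: pagefile(s) as reported by the OS, default IIS log and event log folders.
$pageFiles = @(Get-CimInstance -ClassName Win32_PageFileUsage | Select-Object -ExpandProperty Name)
$basePaths = $pageFiles + @(
    "$env:SystemDrive\inetpub\logs\LogFiles",   # IIS log files (default location, assumed)
    "$env:SystemRoot\System32\winevt\Logs"      # Windows event logs
)

# Per-role entries taken from the lists above (a subset; extend as needed).
$roleEntries = @{
    PVSServer = @(
        "$env:SystemRoot\System32\drivers\CvhdBusP6.sys",
        "$env:SystemRoot\System32\drivers\CfsDep2.sys",
        "$env:ProgramFiles\Citrix\Provisioning Services\BNTFTP.EXE",
        "$env:ProgramData\Citrix\Provisioning Services\Tftpboot\ARDBP32.BIN",
        "$env:ProgramFiles\Citrix\Provisioning Services\StreamService.exe",
        "$env:ProgramFiles\Citrix\Provisioning Services\StreamProcess.exe",
        "$env:ProgramFiles\Citrix\Provisioning Services\soapserver.exe"
    )
    SessionHost = @(
        "$env:SystemRoot\System32\spoolsv.exe",
        "$env:SystemRoot\System32\csrss.exe",
        "$env:SystemRoot\System32\winlogon.exe",
        "$env:SystemRoot\System32\userinit.exe",
        "$env:SystemRoot\System32\smss.exe",
        "$env:ProgramFiles\Citrix\Group Policy\Client-Side Extension\CitrixCseEngine.exe",
        "${env:ProgramFiles(x86)}\Citrix\System32\wfshell.exe",
        "${env:ProgramFiles(x86)}\Citrix\System32\CpSvc.exe",
        "${env:ProgramFiles(x86)}\Citrix\System32\CtxSvcHost.exe",
        "${env:ProgramFiles(x86)}\Citrix\XTE\bin\XTE.exe"
    )
}

$wanted = $basePaths + $roleEntries[$Role]

# Only exclude what is actually present: an exclusion for a path that does not exist
# protects nothing and simply marks a location where anything dropped later is unscanned.
$present = @(); $missing = @()
foreach ($entry in $wanted) {
    if (Test-Path -LiteralPath $entry) { $present += $entry } else { $missing += $entry }
}
$missing | ForEach-Object { Write-Warning "Not found on this host, not excluded: $_" }

# Process exclusions (files opened by the process are skipped) are broader than path
# exclusions, so they are limited to the listed executables for the role.
$processes = $present | Where-Object { $_ -like '*.exe' }

if ($DryRun) {
    "Would add path exclusions:";    $present   | ForEach-Object { "  $_" }
    "Would add process exclusions:"; $processes | ForEach-Object { "  $_" }
    return
}

Set-MpPreference -DisableScanningNetworkFiles $true   # real-time scanning: local drives only
Set-MpPreference -ScanParameters FullScan -ScanScheduleDay Sunday -ScanScheduleTime 02:00:00
if ($present)   { Add-MpPreference -ExclusionPath $present }
if ($processes) { Add-MpPreference -ExclusionProcess $processes }

# Read back what the engine now holds; this is the list a change review should approve.
$pref = Get-MpPreference
[pscustomobject]@{
    PathExclusions    = $pref.ExclusionPath
    ProcessExclusions = $pref.ExclusionProcess
    ScanNetworkFiles  = -not $pref.DisableScanningNetworkFiles
}
```

Run it with -DryRun first and review the "Not found" warnings before applying anything: a missing entry usually means the role subset does not match what is installed on that host. The object returned at the end is the record to attach to the change request, and it is also what the scheduled integrity check from the general recommendations should be fed.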

For additional information on antivirus exclusions, please reference the following articles:

  • Citrix Profile Management – Profile Management 5.x – eDocs
  • EdgeSight – CTX111062, CTX114906
  • Provisioning Services – CTX124185
  • XenApp – CTX127030

Additionally, I would like to thank the following Citrix Consultants for their contributions: Nick Rintalan, Andy Winiarski, Sarah Steinhoff, Beau Dolinsky, Kavish Nursimulu, Hanny Tadros, Kevin Chan, Danielle Vaughan, Dan Allen, Tom Reed, and Pablo Legorreta.

Thanks,

Steven Krueger

Citrix Consulting