Below are the recommended antivirus exclusions, by Citrix product:
| CITRIX DIRECTOR & STOREFRONT | Director and StoreFront:
\inetpub\temp\IIS Temporary Compressed Files \Program Files\Citrix\Receiver StoreFront\Services\SubscriptionsStoreService |
| CITRIX PROFILE MANAGER | Agent:
Do not scan on open or status-check operations |
| EDGESIGHT | Agent:
<AllUsersProfile>\Application Data\Citrix\System Monitoring\Data \CommonProgramFiles\Citrix\System Monitoring\Server\RSSH |
| PROVISIONING SERVICES | Server:
Exclude scanning of Local vDisk Store Exclude scanning of Write Cache CTXPVD.exe |
| XENAPP | Controller:
\Program Files\Citrix\Group Policy\Client-Side Extension\CitrixCseEngine.exe \Windows\system32\spoolsv.exe |
| XENCLIENT | Synchronizer:
\Program Files\Citrix\Synchronizer |
| XENDESKTOP | Controller:
Controller – pre-XenDesktop 7.x: \Program Files\Citrix\Group Policy\Client-Side Extension\CitrixCseEngine.exe \Windows\system32\spoolsv.exe |
For more information, refer to the Citrix article: Citrix Consolidated List of Antivirus Exclusions.
Adding a policy to exclude the redirected or unwanted folders from roaming or synchronization is a common thing that is often overlooked. When using Citrix Profile Management, there is a GPO that can be specifically configured to block folders from profile synchronization. You should be adding all of the redirected folders to the folder exclusion list and you should also at a minimum add the following additional folders to the exclusion list:
- AppData (Roaming)
- Contacts
- Desktop
- Documents
- Downloads
- Favorites
- Links
- Music
- Pictures
- Saved Games
- Searches
- Start Menu
- Videos
For more information, refer to the Citrix article: Citrix Profile Management and VDI – Doing it Right!
General recommendations for Windows servers running Citrix components
- Set real-time scanning to scan on write operations only and not on read/access
- Set real-time scanning to scan local drives only and not network drives
- Disable scan on boot
- Remove any unnecessary antivirus related entries from the Run key
- Exclude the pagefile(s) from being scanned
- Exclude IIS log files from being scanned
- Exclude Windows event logs from being scanned
XenApp recommended exclusions
- Controller
- Program Files (x86)CitrixSystem32wfshell.exe
- Program Files (x86)Citrixsystem32ctxxmlss.exe
- Program Files (x86)CitrixSystem32CtxSvcHost.exe
- Program Files (x86)Citrixsystem32mfcom.exe
- Program Files (x86)CitrixSystem32CitrixImaImaSvc.exe
- Program Files (x86)CitrixSystem32CitrixImaIMAAdvanceSrv.exe
- Program Files (x86)CitrixHealthMonHCAService.exe
- Program Files (x86)CitrixStreaming ClientRadeSvc.exe
- Program Files (x86)CitrixStreaming ClientRadeHlprSvc.exe
- Program FilesCitrixIndependent Management ArchitectureRadeOffline.mdb
- Program FilesCitrixIndependent Management Architectureimalhc.mdb
- Session Host
- Windowssystem32spoolsv.exe
- Program FilesCitrixGroup PolicyClient-Side ExtensionCitrixCseEngine.exe
- Program Files (x86)CitrixSystem32wfshell.exe
- Program Files (x86)Citrixsystem32CpSvc.exe
- Program Files (x86)CitrixSystem32CtxSvcHost.exe
- Program Files (x86)Citrixsystem32mfcom.exe
- Program Files (x86)CitrixSystem32CitrixImaImaSvc.exe
- Program Files (x86)CitrixSystem32CitrixImaIMAAdvanceSrv.exe
- Program Files (x86)CitrixHealthMonHCAService.exe
- Program Files (x86)CitrixStreaming ClientRadeSvc.exe
- Program Files (x86)CitrixStreaming ClientRadeHlprSvc.exe
- Program Files (x86)CitrixXTEbinXTE.exe
- Program FilesCitrixIndependent Management ArchitectureRadeOffline.mdb
For more information, refer to this article: Anti-Virus Best Practices for Citrix Products.
- Server
- Exclude scanning of Local vDisk Store
- WindowsSystem32driversCvhdBusP6.sys
- WindowsSystem32driversCfsDep2.sys
- Program FilesCitrixProvisioning ServicesBNTFTP.EXE
- ProgramDataCitrixProvisioning ServicesTftpbootARDBP32.BIN
- Program FilesCitrixProvisioning ServicesStreamService.exe
- Program FilesCitrixProvisioning ServicesStreamProcess.exe
- Program FilesCitrixProvisioning Servicessoapserver.exe
- Target
- Don’t scan your Write Cache Disk
- Program FilesCitrixProvisioning ServicesBNDevice.exe
- WindowsSystem32Drivers Directorybnistack6.sys
- Program FilesCitrixProvisioning ServicesTargetOSOptimizer.exe
- WindowsSystem32driversCfsDep2.sys
- WindowsSystem32driversCVhdBusP6.sys
- Target – Personal vDisk
- CTXPVD.exe
- CTXPVDSVC.exe
- Program FilesCitrixPersonal vDiskBINWIN7
EdgeSight recommended exclusions
- Server
- CommonProgramFilesCitrixSystem MonitoringServerRSSH
- ProgramFilesCitrixSystem MonitoringServerEdgeSightscriptsrssh
- ProgramFilesCitrixSystem MonitoringServerEdgeSightPages
- ProgramFilesMicrosoft SQL ServerMSSQLReporting Services
- ProgramFilesMicrosoft SQL ServerMSSQLData
- SystemRootSYSTEM32Logfiles
- Agent
- <AllUsersProfile>Application DataCitrixSystem MonitoringData
- ProgramFilesCitrixSystem MonitoringAgentCorerscorsvc.exe
- ProgramFilesCitrixSystem MonitoringAgentCoreFirebirdbinfbserver.exe
Citrix Profile Manager recommended exclusions
- Agent
- Do not scan on open or status-check operations
- UserProfileManager.exe
XenDesktop recommended exclusions
- Controller
- Program FilesCitrixGroup PolicyClient-Side ExtensionCitrixCseEngine.exe
- Program Files (x86)CitrixSystem32wfshell.exe
- Program Files (x86)Citrixsystem32ctxxmlss.exe
- Program Files (x86)CitrixSystem32CtxSvcHost.exe
- Program Files (x86)Citrixsystem32mfcom.exe
For more information, refer to the Citrix article: Provisioning Services Antivirus Best Practices.
Limit Antivirus definition updates to only the Master Target Device or Update Target Device. Create a plan to upgrade the vDisk periodically using manual or Automatic vDisk updates. This can significantly reduce network bandwidth and overall performance. Avoid scanning the vDisk Write Cache file and streaming disk IO that makes up the operating system for a given Target. Disk IO that has been altered, tampered, or corrupted should cause an application or operating system to fail immediately.
Avoid scanning the following process and system drivers on PVS 6.x\7.x Target Devices:
- bndevice.exe: handles client functions, licensing, etc
- bnistack6.sys: IO protocol driver | UDP port 6911-6930
- CVhdBusP6.sys: disk enumerator
- CNicTeam.sys: network teaming if being used
- CFsDep2.sys: system minifilter
- CVhdMp.sys: mtorage miniport driver
Avoid scanning, whitelist, or permission the following processes on PVS Server 6.x\7.x:
- Streamprocess.exe: IO delivery | UDP port 6901-6910
- Streamservice.exe: watchdog for the streamprocess
- Soapserver.exe: handles Database connectivity and AD authentication
- Inventory.exe: vDisk Inventory | UDP port 6895
- MgmtDaemon.exe: inter-server communication | UDP port 6898
- Notifier.exe: inter-server communication | UDP port 6903
- BNTFTP.exe: PVS TFTP delivers bootstrap | UDP port 69
- PVSTSB.exe: Two Stage Boot delivers bootstrap | UDP port 6969
- BNPXE.exe: PVS PXE service | Broadcast Protocol
- BNAbsService.exe: PVS Ramdisk Server
- CdfSvc.exe: Citrix Diagnostic Facility COM Server
Avoid scanning the vDisk Write Cache file on either Target or Server side; the WC file names for target local disk cache are:
- 6.x: .vdiskcache
- 7.x: vdiskdif.vhdx or .vdiskcache
For more information, refer to the Citrix article: Provisioning Services Antivirus Best Practices.
Based on Citrix Consulting’s field experience, organizations may wish to consider configuring antivirus software on XenApp servers with the following settings.
- Scan on write events or only when files are modified. It should be noted that this configuration is typically regarded as a high security risk by most antivirus vendors. In high-security environments, organizations should consider scanning on both read and write events to protect against threats that target memory, such as Conficker variants.
- Scan local drives or disable network scanning. This assumes all remote locations, which might include file servers that host user profiles and redirected folders, are being monitored by antivirus and data integrity solutions.
- Exclude the pagefile(s) from being scanned.
- Exclude the Print Spooler directory from being scanned.
- Exclude specific files and folders within the \Program Files\Citrix directory that are accessed or modified frequently. For example, the Local Host Cache (imalhc.mdb) and Application Streaming offline database (RadeOffline.mdb) files may need to be excluded from the \Independent Management Architecture sub-directory. The local Resource Manager Summary Database file (RMLocalDatabase.mdb) may also need to be excluded from the \Citrix Resource Manager\LocalDB sub-directory. If Application Streaming is used, the \RadeCache and \Deploy folders may need to be excluded as well. While entire directories can be excluded, it should be noted that this is not considered a best practice by most antivirus vendors. In high-security environments, organizations should consider excluding specific files using exact names, such as ‘imalhc.mdb’. If exact file names cannot be used, Citrix recommends using wildcard exclusions to limit the attack surface area.
- Remove any unnecessary antivirus related entries from the Run key (HKLM\Software\Microsoft\Windows\Current Version\Run).
- If pass-through authentication is being used, for example, in a XenDesktop or Shared Hosted desktop scenario, exclude the XenApp Online Plug-in bitmap cache directory (typically %AppData%\ICAClient\Cache).
- If using the streamed user profile feature of Citrix Profile management, ensure the antivirus solution is configured to be aware of Hierarchical Storage Manager (HSM) drivers.
For more information, refer to the Citrix article: Citrix Guidelines for Antivirus Software Configuration.