Citrix Guidelines for Antivirus Software Configuration
This article provides guidelines for configuring antivirus software in Citrix XenApp environments. This article also provides resources for configuring antivirus software on other Citrix technologies and features (EdgeSight, Provisioning Services, and so on). These antivirus guidelines are not vendor-specific and are independent of the version of XenApp deployed, except where explicitly stated.
WARNING! This article contains antivirus exclusions. It is important to understand that antivirus exclusions and optimizations increase the attack surface of a system and might expose computers to a variety of real security threats. However, the following guidelines typically represent the best tradeoff between security and performance. Citrix does not recommend implementing any of these exclusions or optimizations until rigorous testing has been conducted in a lab environment to thoroughly understand the tradeoffs between security and performance. Citrix also recommends organizations engage their antivirus and security teams to review the following guidelines before proceeding with any type of production deployment.
General Antivirus Recommendations
The following list contains general antivirus recommendations that should be reviewed prior to implementing any type of exclusions or optimizations:
- If organizations choose to exclude particular files or folders as part of real-time or on-access scanning, Citrix recommends scanning the excluded files and folders on a regular basis using scheduled scans. It is recommended to perform scheduled scans during non-business or off-peak hours to mitigate any potential performance impact.
- Integrity of excluded files and folders should be maintained at all times. Organizations should consider leveraging a commercial File Integrity Monitoring or Host Intrusion Prevention solution to protect the integrity of files and folders that have been excluded from real-time or on-access scanning. It should be noted that database and log files should not be included in this type of data integrity monitoring because these files are expected to change.
- If an entire folder must be excluded from real-time or on-access scanning, Citrix recommends monitoring very closely the creation of new files in the excluded folders.
Recommended Optimizations and Exclusions for Citrix XenApp
Based on Citrix Consulting’s field experience, organizations might wish to consider configuring antivirus software on XenApp servers with the settings below.
- Scan on write events or only when files are modified. It should be noted that this configuration is typically regarded as a high security risk by most antivirus vendors. In high-security environments, organizations should consider scanning on both read and write events to protect against threats that target memory, such as Conficker variants.
- Scan local drives or disable network scanning. This assumes all remote locations, which might include file servers that host user profiles and redirected folders, are being monitored by antivirus and data integrity solutions.
- Exclude the pagefile(s) from being scanned.
- Exclude the Print Spooler directory from being scanned.
- Exclude specific files and folders within the Program FilesCitrix directory that are accessed heavily or modified frequently. For example, the Local Host Cache (imalhc.mdb) and Application Streaming offline database (RadeOffline.mdb) files might need to be excluded from the Independent Management Architecture sub-directory. The local Resource Manager Summary Database file (RMLocalDatabase.mdb) might also need to be excluded from the Citrix Resource ManagerLocalDB sub-directory. If Application Streaming is used, the RadeCache and Deploy folders might need to be excluded as well. While entire directories can be excluded, it should be noted that this is not considered a best practice by most antivirus vendors. In high-security environments, organizations should consider excluding specific files using exact names, such as ‘imalhc.mdb’. If exact file names cannot be used, Citrix recommends using wildcard exclusions to limit the attack surface area.
- Remove any unnecessary antivirus related entries from the Run key (HKLMSoftwareMicrosoftWindowsCurrent VersionRun).
- If pass-through authentication is being used, for example in a XenDesktop or Shared Hosted desktop scenario, exclude the XenApp Online Plug-in bitmap cache directory (typically %AppData%ICAClientCache).
- If using the streamed user profile feature of Citrix Profile management, ensure the antivirus solution is configured to be aware of Hierarchical Storage Manager (HSM) drivers. For more information, refer to Profile Streaming and Enterprise Antivirus Products.
Recommended Settings for Other Citrix Technologies
In addition to the XenApp-specific antivirus configurations detailed in the previous section, Citrix recommends applying the settings outlined in the following articles if applicable.
Provisioning Services Antivirus Best Practices: CTX124185 – Provisioning Services Antivirus Best Practices
Required Antivirus Software Configuration for the EdgeSight Agent: CTX111062 – Required Antivirus Software Configuration for the EdgeSight Agent
Required Antivirus Software Configuration for the EdgeSight Server: CTX114906 – Required Antivirus Software Configuration for the EdgeSight Server
This section contains links to additional resources from third parties that should be reviewed before configuring antivirus software on Citrix XenApp servers.