I get a headache when I have to go over anything Anti-Virus but non the less I a have compiled a list of articles that covers a best/good practice when it comes to AV and Citrix. This list is not scientific but hopefully a start. I will include the links when I get more of a chance but I found some notes to myself and figured I would share.

Summary of recommended Citrix

· Scan on write events or only when files are modified. It should be noted that this configuration is typically regarded as a high security risk by most antivirus vendors. In high-security environments, organizations should consider scanning on both read and write events to protect against threats that target memory, such as Conficker variants.

· Scan local drives or disable network scanning. This assumes all remote locations, which might include file servers that host user profiles and redirected folders, are being monitored by antivirus and data integrity solutions.

· Exclude the pagefile(s) from being scanned.

· Exclude the Print Spooler directory from being scanned.

· Exclude specific files and folders within the \Program Files\Citrix directory that are accessed or modified frequently. For example, the Local Host Cache (imalhc.mdb) and Application Streaming offline database (RadeOffline.mdb) files may need to be excluded from the \Independent Management Architecture sub-directory. The local Resource Manager Summary Database file (RMLocalDatabase.mdb) may also need to be excluded from the \Citrix Resource Manager\LocalDB sub-directory. If Application Streaming is used, the \RadeCache and \Deploy folders may need to be excluded as well. While entire directories can be excluded, it should be noted that this is not considered a best practice by most antivirus vendors. In high-security environments, organizations should consider excluding specific files using exact names, such as ‘imalhc.mdb’. If exact file names cannot be used, Citrix recommends using wildcard exclusions to limit the attack surface area.

· Remove any unnecessary antivirus related entries from the Run key (HKLM\Software\Microsoft\Windows\Current Version\Run).

· If pass-through authentication is being used, for example, in a XenDesktop or Shared Hosted desktop scenario, exclude the XenApp Online Plug-in bitmap cache directory (typically %AppData%\ICAClient\Cache).

· If using the streamed user profile feature of Citrix Profile management, ensure the antivirus solution is configured to be aware of Hierarchical Storage Manager (HSM) drivers. For more information, refer to Profile Streaming and Enterprise Antivirus Products

---

Citrix Provisioning AV Best practices

· Limit antivirus definition updates to the Target Device. Create a plan to upgrade the vDisk periodically using manual, automatic, or automated techniques, such as Automatic vDisk updates or by using something like WorkFlow Studio.

· Avoid scanning the disk write cache location regardless of where this file resides. In limited testing, it is observed that most scanners cannot detect a virus within this location, because of their inherent design and the methods used to determine a virus.

· Avoid scanning the BNDevice.exe process on the Target Device. There are a few drivers that should be excluded from scanning in the <systemroot>\Windows\System32\Drivers folder such as:

o Provisioning Server 5.6 exclude BNNS.sys, BNNF.sys, BNPort.sys, bnistack.sys, and BNITDI.sys

o Provisioning Server 6.0 or later exclude bnistack6.sys,CvhdBusP6.sys, CFsDep2 .sys

· Avoid scanning the following processes on the Provisioning Server

o StreamService.exe

o StreamProcess.exe

o soapserver.exe

NDIS Filter Driver from Third Party Product on Target Device Interferes with Connection to Provisioning Services
The load order of the NDIS filter driver from third party product might interfere with the connection to Provisioning Services. The Start type of the driver must be 0x0(Boot) to utilize Provisioning Services properly. Otherwise, Provisioning Services driver cannot send and receive packets at the time of OS start.

Important! Citrix recommends you to consult the third party before trying the following solution.

Caution! Refer to the Disclaimer at the end of this article before using Registry Editor.

—

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\(driver name)]

"Type"=dword:00000001

"Start"=dword:00000000

"ErrorControl"=dword:00000001

"Tag"=dword:00000018

…

"Group"="NDIS"

"NdisMajorVersion"=dword:00000006

"NdisMinorVersion"=dword:00000000

—

Note: It is a necessary condition that Start type is set to 0x0(Boot). However, other factors in network driver of third party product could also cause an interference with Provisioning Services. See also CTX117395

---

EdgeSight client AV Best practices

Complete the following procedure to configure your antivirus software (TrendMicro, Symantec, Norton, McAfee and so on.) to NOT scan the EdgeSight data folder or processes. This should be done on all of the devices that are or will be running the EdgeSight agent. You might need to contact your security administration team to put these exceptions in place enterprise wide.

Note: Citrix recommends that you follow this procedure before the deployment of any EdgeSight agents.Exclude the following agent folders from being scanned. Check a few agent devices to confirm the exact folder locations in your environment. These folders contain the EdgeSight agent database file and many log files. Following is the default installation location:

<AllUserProfile>\Application Data\Citrix\System Monitoring\Data

Exclude the following EdgeSight agent executables (processes) from being scanned. Listed below are the default installation locations:

<ProgramFiles>\Citrix\System Monitoring\Agent\Core\rscorsvc.exe

<ProgramFiles>\Citrix\System Monitoring\Agent\Core\Firebird\bin\fbserver.exe

---

Microsoft Recommendations (link below) AV Best Practices

Turn off scanning of Windows Update or Automatic Update related files

· Turn off scanning of the Windows Update or Automatic Update database file (Datastore.edb). This file is located in the following folder:
%windir%\SoftwareDistribution\Datastore

· Turn off scanning of the log files that are located in the following folder:
%windir%\SoftwareDistribution\Datastore\Logs
Specifically, exclude the following files: ◦ Res*.log
Edb*.jrs
Edb.chk
Tmp.edb
The wildcard character (*) indicates that there may be several files.

Turn off scanning of Windows Security files

Add the following files in the %windir%\Security\Database path of the exclusions list:
*.edb

*.sdb

*.log

*.chk

*.jrs

Note If these files are not excluded, antivirus software may prevent proper access to these files, and security databases can become corrupted. Scanning these files can prevent the files from being used or may prevent a security policy from being applied to the files. These files should not be scanned because antivirus software may not correctly treat them as proprietary database files.

Turn off scanning of Group Policy related files

Group Policy user registry information. These files are located in the following folder:

%allusersprofile%\

Specifically, exclude the following file:

NTUser.pol

Group Policy client settings file. This file is located in the following folder:

%Systemroot%\System32\GroupPolicy\

Specifically, exclude the following file:

Registry.pol

---

SEP Best practices on Terminal Servers

Symantec Endpoint Protection client will run acceptably on Windows Terminal Servers; however there are a few modifications than can be made in order to optimise the overall user experience.

AntiVirus and AntiSpyware protection

The following recommendations should be taken into account:

Configure Auto-Protect to:

· Scan when a file is modified

· Disable network scanning

Centralized Exceptions

It is recommended to:

· Exclude the pagefile

· Exclude the print spooler folder

· If the server is a license server, exclude the license server folder and databases

Some server administrators may wish to exclude their users roaming profiles and/or “My Documents” folders from being scanned for security risks. While this will improve performance, Symantec would not recommend this approach – in practice this is generally the location in which

security risks are discovered.

Scheduled Scans

If a scheduled scan is required then it should be run out of hours in order to minimise user impact. In addition, ActiveScans when new definitions arrive and startup scans should not be run as they could place unnecessary load on the terminal server during business hours.

Tamper Protection

There are no tamper protection recommendations for a server just running Terminal Services

Network Threat Protection

Although it is not recommended to run Network Threat Protection on terminal servers, it is entirely possible to do so. The default Symantec Endpoint Protection rule set will allow all terminal services functions to work correctly. However, it should be noted that if a custom rule set is

created, the following services and ports should be allowed:

In addition to the AntiVirus and AntiSpyware exclusions for standard terminal servers, the following exclusions are recommended for Citrix servers:

1. Citrix program files folder

2. Citrix configuration database if present on the server

It is recommended that the following process is excluded from Tamper Protection on Citrix servers, as it is known to cause problems:

· ctxcpusched.exe – for more details on this process and how to create an exclusion for it, please refer to Appendix E.

---

SEP in non persistent VDesktops

Step

Using Symantec Endpoint Protection in non-persistent virtual desktop infrastructures

Step 1

Set up the base image.

See Setting up the base image for non-persistent guest virtual machines in virtual desktop infrastructures.

Step

Setting up the base image for non-persistent guest virtual machines in virtual desktop infrastructures

Description

Step 1

Install Symantec Endpoint Protection on the base image.

See About client deployment methods.

Step 2

In Symantec Endpoint Protection Manager, disable Tamper Protection so that you can modify the registry.

See Changing Tamper Protection settings.

TO change Tamper Protection settings

1. In the console, click Clients.

2. On the Policies tab, under Settings, click General Settings.

3. On the Tamper Protection tab, check or uncheck Protect Symantec security software from being tampered with or shut down.

4. In the list box under Actions to take if an application attempts to tamper with or shut down Symantec security software, select one of the following actions:

5. Log only

6. Block and do not log

7. Block and log

8. Click the icon to lock or unlock the options on client computers. When you lock an option, you prevent user changes to the option.

9. 6.Click OK.

Step 3

Create a registry key on the base image to mark the GVMs as non-persistent clients.

See Creating a registry key to mark the base image Guest Virtual Machines (GVMs) as non-persistent clients.

To create a registry key to mark the base image GVMs as non-persistent clients

1. After you have installed the Symantec Endpoint Protection client and disabled Tamper Protection, open the registry editor on the base image.

2. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\.

3. Create a new key named Virtualization.

4. Under Virtualization, create a key of type DWORD named IsNPVDIClient and set it to a value of 1.

Step 4

In Symantec Endpoint Protection Manager, enable Tamper Protection again.

See Changing Tamper Protection settings.

Step 2

In Symantec Endpoint Protection Manager, configure a separate purge interval for offline non-persistent VDI clients.

See Configuring a separate purge interval for offline non-persistent VDI clients.
Configuring a separate purge interval for offline non-persistent VDI clients

To configure the purge interval for offline non-persistent VDI clients

1.In the Symantec Endpoint Protection Manager console, on the Admin page, click Domains.

2.In the Domains tree, click the desired domain.

3.Under Tasks, click Edit Domain Properties.

4.On the Edit Domain Properties > General tab, check the Delete non-persistent VDI clients that have not connected for specified time checkbox and change the days value to the desired number.

The Delete clients that have not connected for specified time option must be checked to access the option for offline non-persistent VDI clients.

5.Click OK.

Best practices for virtualization with Symantec Endpoint Protection 12.1, 12.1 RU1, and 12.1 RU1 MP1

http://www.symantec.com/business/support/index?page=content&id=TECH173650

Too many to list

Symantec Endpoint Protection 12.1 – Non-persistent Virtualization Best Practices

Client Recommendations

The following configuration recommendations will ensure that SEP client installations in non-persistent VDI environments do not generate network and disk IO from advanced SEP client features which they will not benefit from.

1.Make the following changes to the Communications Settings policy:

1.Configure clients to download policies and content in Pull mode

2.Disable the option to Learn applications that run on the client computers

3.Set the Heartbeat Interval to no less than one hour

4.Enable Download Randomization, set the Randomization window for 4 hours

Make the following changes to the Virus and Spyware Protection policy:

1.Disable all scheduled scans

2.Disable the option to "Allow startup scans to run when users log on" (This is disabled by default)

3.Disable the option to "Run an ActiveScan when new definitions Arrive"

3.Avoid using features like application learning which send information to the SEPM and rely on client state to optimize traffic flow

Image Maintenance

Add the following steps to the routine maintenance schedule for base images. Symantec recommends performing these maintenance tasks at least once a week.

1.Update all applicable definitions and security content on the base image with the latest content available

2.Confirm the SEP client on the base image is able to communicate with its SEPM server(s)

3.Confirm the SEP client is using the correct VDI-specific policies

Before redistributing the image:

1.Remove any temporary files associated with the SEP client, including

2.Remove hardware key information from the base image using How to prepare a Symantec Endpoint Protection 12.1 client for cloning

Follow the general best practices below for periodic image maintenance and testing.

1.Manually upgrade the SEP client on the base image rather than using auto-upgrade for the VM client policy groups

2.Test performance optimizations. For instance, reducing memory allocated to a VM can cause increased OS swapping and defeat hypervisor optimizations like memory page deduplication

3.To minimize the size of the base VM image, disable client install caching and set content cache revisions to 1. See http://www.symantec.com/business/support/index?page=content&id=TECH106042

4.Configure VM refreshes to occur on logoff. Set the pool of available VM’s large enough so that users can easily access a running image which was updated in the background

Symantec Endpoint Protection Manager settings

1.Configure SEPM to keep definitions at least as long as the minimum image refresh frequency. E.g. Keep 30 days if the maximum image age is 14 days

2.SEPM will ‘remember’ all new images attaching, which can build up quickly in a VDI environment. An admin can either reduce the interval required for clients to age out of SEPM or periodically run a cleanup script which purges the old client records.

Reference Articles

Citrix Guidelines for Antivirus Software Configuration

http://support.citrix.com/article/CTX127030

Provisioning Services Antivirus Best Practices

http://support.citrix.com/article/CTX124185

Required Antivirus Software Configuration for the EdgeSight Server

http://support.citrix.com/article/CTX114906

Virus scanning recommendations for Enterprise computers that are running currently supported versions of Windows

http://support.microsoft.com/kb/822158

NDIS Filter Driver from Third Party Product on Target Device Interferes with Connection to Provisioning Services

http://support.citrix.com/article/CTX137505

derived from this article

SEP Firewall does not function with Citrix’s Provisioning Server.

http://www.symantec.com/business/support/index?page=content&id=TECH205982

Here are the details about the new separate VDI purging interval:

http://www.symantec.com/business/support/index?page=content&id=HOWTO81133#v75342792 (step 2 has already been done in the manager)

Some documents on best practices (we’d have to chat about some of these… def updates are vitally important unfortunately, so updating only the base image won’t fly):

http://www.symantec.com/business/support/index?page=content&id=TECH173650 (virtualization in general)

http://www.symantec.com/business/support/index?page=content&id=TECH180229 (VDI non-persistent clients

Also

Issues with Citrix XenDesktop / PvD and Symantec Endpoint Protection 12.1

http://www.symantec.com/connect/forums/issues-xendesktop-pvd-and-symantec-endpoint-protection-121

leads to

Installing Symantec Endpoint protection on a VDI with Personal Vdisk

http://discussions.citrix.com/topic/330203-installing-symantec-endpoint-protection-on-a-vdi-with-personal-vdisk