Antivirus Strategy for Citrix Servers

by Jeremy Saunders on January 1, 2008

Although most antivirus products work 100% without needing any modification and tuning, there are architectural and business decisions to be made about how it should be configured, with a focus on performance; the most important part of a Terminal/Citrix Server deployment.

I remove the following values from the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run key:

McAfee Deployments:

  • McAfeeUpdaterUI – McAfee Common User Interface Updater (UpdaterUI.exe)
  • ShStatEXE – McAfee/NAI On-access scanner statistics (shstat.exe)
  • TBMON – Network Associates Error Reporting Talk Back Tool (TBMon.exe). Version 8.5i does not contain this value.

Trend Micro OfficeScan Deployments:

  • OfficeScanNT Monitor – Trend Micro OfficeScan Real-Time Monitor (PccNTMon.exe)

Symantec Deployments:

  • ccApp – Symantec Common Client User Session Process. ccApp calls the different program features in the Symantec products and makes sure that those programs are running, such as the Auto-Protect and E-mail Scanning mechanisms.
  • vptray – Symantec Gold Shield Tray Icon. This is the Taskbar Icon and User Interface.

Version 11 of Symantec has now be renamed to Symantec Endpoint Protection and contains a new process called SmcGui.exe, which runs in every user session, replacing the old vptray.exe. However, this process does not run from the “Run” key. I believe you can disable this via a Symantec policy, but am not 100% sure, and have not tried this yet. If not, you could always try changing the permissions on the executable so that it cannot be launched by a user.

***Updated May 2008***

There has been some feedback in relation to two comments…

  1. Changing the permissions on the SmcGui.exe executable works.
  2. Disabling of the Symantec ccApp process – Terminating CCApp.exe will cause the Symantec system tray icon to disappear and will disable the user notifications regarding Auto-Protect actions. But the system continues to be protected by the underlying Auto-Protect capability of RTVScan.exe, which runs as a service. The protection mechanism of the Symantec AntiVirus application is not affected. If a user downloads malicious code to a system while the CCApp.exe process is not running, the user would NOT receive an Auto-Protect alert pop-up notification. However, the malicious code would be detected by Symantec’s AntiVirus Auto-Protect function, as part of the RTVScan.exe process, and would be prevented from being written to file or executed on the targeted system.

More information: ccApp is used as a framework by SCF (Symantec Client Firewall) and as a plug-in for SAV e-mail protection. 99% of deployments will typically either be using the full Exchange/Outlook combination or Notes, which is all managed at the server end. Only deployments that use pop3, etc, really need this.

***End of Update*** 

All these processes run in every session using valuable system resources.

Far too often excessive virus scanning will cause performance issues. All file servers are scanned for incoming data (write events), including the users home and profile folders. Profiles are unloaded and deleted when the user logs off, including temporary Internet cache, etc. So how aggressive does one really need to be on a Terminal/Citrix Server?

I would advise a customer to create a new group for the Terminal/Citrix Servers in the antivirus management tool/console and configure the following:

  1. Scan local drives only. DO NOT scan network drives.
  2. Only scan “Incoming” files (ie. write events).
  3. Exclude the pagefile(s) from being scanned.
  4. The “%ProgramFiles%\Citrix” folder contains many configuration and log files that are always changing, especially the Local Host Cache (imalhc.mdb) and Resource Manager Local Database (RMLocalDatabase.mdb). You could exclude the whole folder. More specifically, the main ones are:
    – “%ProgramFiles%\Citrix\Citrix Resource Manager\LocalDB”
    – “%ProgramFiles%\Citrix\Citrix Resource Manager\SummaryFiles”
    – “%ProgramFiles%\Citrix\Independent Management Architecture”
    – “%ProgramFiles%\Citrix\logs”
  5. Exclude the Print Spooler (%SystemRoot%\System32\spool\PRINTERS) folder. Note that in our deployments we typically place these folders on the non-System Drive. 
  6. We would recommend excluding as much of the user’s profile (%UserProfile%) as possible. In fact, the only folder that is of major concern is the Temporary Internet Cache (“%UserProfile%\Local Settings\Temporary Internet Files”).
  7. If you do not exclude the Profiles, then exclude the user‘s Presentation Server Client bitmap cache (“%UserProfile%\Application Data\ICAClient\Cache” or “%AppData%\ICAClient\Cache”) used for ICA pass-through connections by the locally installed PNClassic and PNAgent.

Most of these suggestions follow Citrix Knowledge Base document CTX114522 accept for the exclusion of the user’s profile folder.

The exclusion of the user’s profile folder may be considered rather radical by some. So consider the following payoffs:

  1. We implement folder redirection on several of the profile folders anyway, so these are being scanned by the File Servers.
  2. Web and e-mail traffic should be scanned at the border. ie. the proxy and messaging servers. So the user’s “Temporary Internet Cache” area SHOULD be clean.
  3. We set the user’s TEMP area to be “NonSystemDrive\Temp”, instead of the default “%UserProfile%\Local Settings\Temp” location. The “NonSystemDrive\Temp” area, and all folders within, will still be part of the real-time scanning process.
  4. The profiles are unloaded and deleted when the user logs off.

We would always continue to implement a regular (at least weekly) full scan on all Citrix servers, and one can certainly be forced should an outbreak occur.

If the Citrix EdgeSight Agent is deployed to the servers, Citrix recommend further exclusions as per Knowledge Base document CTX111062.

It’s worth noting that version 10.x of the Symantec Event Notification service has caused a lot of issues for many Terminal/Citrix Server deployments. I can’t give you specifics, as I haven’t documented them, but they will grind servers to a halt and blue screen them. So please be cautious here.

As of Patch 2 (build 1189) released on 27th December 2007, OfficeScan Corporate Edition version 8.0 is now compatible with Citrix Presentation Server 4.0 and 4.5 (32-bit and 64-bit).

From experience I have found that Trend Micro’s ServerProtect has always been the most stable, with the lowest footprint of all products I’ve worked with. Although Trend stated a couple of years ago that there would be no further development for ServerProtect, they released 5.7 last September to support 64-bit environments.

Aside from that, I’ve also read that both NOD32 and F-Secure also perform well in a Citrix environment. But I haven’t had the opportunity to try out either product yet.

One last thing…I tend to use a tool called cmdow.exe in many of my scripts to hide the command window from users. Most antivirus software vendors classify cmdow.exe as a hacking tool because it can hide windows. Since I use it for good, and not evil, I advise customers to exclude it from their scheduled and realtime scans.

As with all antivirus configurations and changes, you can test the functionality yourself by using the Eicar test virus.

I hope you find this information helpful.

Jeremy Saunders

Jeremy Saunders

Independent Consultant | Contractor | Microsoft & Citrix Specialist | Desktop Virtualization Specialist at J House Consulting
Jeremy is a highly respected, IT Professional, with over 30 years’ experience in the industry. He is an independent IT consultant providing expertise to enterprise, corporate, higher education and government clients. His skill set, high ethical standards, integrity, morals and attention to detail, coupled with his friendly nature and exceptional design and problem solving skills, makes him one of the most highly respected and sought after Microsoft and Citrix technical resources in Australia. His alignment with industry and vendor best practices puts him amongst the leaders of his field.
Jeremy Saunders
Jeremy Saunders
Jeremy Saunders
  • You might want to consider disabling the OfficeScan NT Proxy Service which breaks all sorts of HTTP services.

    Cheers,

    Jamie.

  • Siegfried

    Hi,

    Thanx for the tips.

    i've changed the permissions on smcgui.exe ans now the sessions could be closed without problem.

    Have a nice day.

    Regards,

    Siegfried

  • Pingback: J House Consulting / Tuning and Tweaking Tips for Terminal/Citrix Server Environments()

  • jeremy

    Thanks for the info Siegfried. I've updated the article to state this.

    Cheers,

    Jeremy.

  • jeremy

    Hi Jeff,

    Read point 2 again. “…the system continues to be protected by the underlying Auto-Protect capability of RTVScan.exe, which runs as a service…” So you’re not exposing your systems by remving ccapp.exe. You could indeed run a nightly scan at say 2 or 3am, if you wished.

    Cheers,
    Jeremy.

  • Jeff

    If you remove the ccapp.exe then what do you do for terminal servers running sysmantec antivirus? Do you just run scheduled scans more frequently instead of auto protect? I have antivirus corporate version 10.1 and would like ccapp.exe to stop running on my citrix servers for all sessions, but I am afraid of exposing them without the auto protect.

    Thanks,

    Jeff

  • Jeff

    Thank you for the assistance. This is great information. It makes sense now that I have read it again.

    Thanks,

    Jeff

Previous post:

Next post: