PVS and forgotten antivirus exclusions


Created: 04/11/2012
Last updated: 09.22.2013

WARNING: This article contains antivirus exclusions. It is important to understand that antivirus exclusions and optimizations increase the attack surface of a system and can expose computers to a variety of real security threats. However, the following guidelines generally represent the best compromise between security and performance. Citrix does not recommend implementing any of these exclusions or optimizations until rigorous testing has been conducted in a lab environment to understand the tradeoffs between security and performance. Citrix also recommends that organizations engage their antivirus and security teams to review the following guidelines before making any type of production deployment.

Background
During most of my Provisioning Services consulting engagements I find that the implementation lacks the correct antivirus exclusions for stability and optimum speed. Unfortunately this happens more often than one would expect, so I decided to document the exclusions that most people are missing.

It should be noted that the filenames differ between operating systems, and some files do not exist for certain versions.
I have tried to document everything as well as possible based on the notes I have taken over the years, but I always recommend that you review the following recommendations so that they actually fit your system.
It should also be noted that some of the exclusions depend on, for example, the configuration used, default paths, the operating system in combination with the product version, etc.

Impact
So what could happen if you choose not to exclude these files and processes? Well, it could have a major impact, or none at all. But what I have generally seen is slow boot times and many retries (sometimes over 500-00 within hours) leading to a server that stops responding, and finally slow application response times (application latency).
It is also worth noting that all of the above usually happens sporadically, which makes troubleshooting extremely difficult. For example, the same server image can cause one server to fail while another runs in a correct state.
What triggers this behavior is the antivirus software, but we do not know why it happens intermittently rather than constantly.

Some recommended server-side file exclusions

    C:\Windows\System32\drivers\CVhdBusP6.sys => (PVS 6.1)
    C:\Windows\System32\drivers\CVhdBus2.sys => (PVS 5.6)
    C:\Windows\System32\drivers\CFsDep2.sys => (PVS 5.6 and 6.1)
    C:\Program Files\Citrix\Provisioning Services\BNTFTP.EXE => (PVS 5.6 and 6.1)
    C:\ProgramData\Citrix\Provisioning Services\Tftpboot\ARDBP32.BIN => (PVS 5.6 and 6.1)
    D:\Store => (i.e. the local vDisk store)

Some recommended server-side processes to exclude

    C:\Program Files\Citrix\Provisioning Services\StreamService.exe => (All versions)
    C:\Program Files\Citrix\Provisioning Services\StreamProcess.exe => (All versions)
    C:\Program Files\Citrix\Provisioning Services\soapserver.exe => (All versions)

Some recommended target device exclusions

    C:\Windows\System32\drivers\bnistack.sys => (Only targets, Win03 / XP)
    C:\Windows\System32\drivers\bnistack6.sys => (Only targets, 08 / Win7)
    C:\Windows\System32\drivers\BNNF.sys => (Only targets, Win03 / XP)
    C:\Windows\System32\drivers\BNNS.sys => (Only targets, Win03 / XP)
    C:\Windows\System32\drivers\BNNS6.sys => (No longer exists with the PVS 6.1 agent)
    C:\Windows\System32\drivers\BNPort.sys => (Only targets, Win03 / XP)
    C:\Windows\System32\drivers\CFsDep2.sys => (Win03 / XP & 08 / Win7)
    C:\Windows\System32\drivers\CVhdBusP52.sys => (Only targets, Win03 / XP)
    C:\Windows\System32\drivers\CVhdBusP6.sys => (08 / Win7)
    C:\Program Files\Citrix\Provisioning Services\BNDevice.exe => (Only targets, 08 / Win7)
    C:\Program Files\Citrix\Provisioning Services\TargetOSOptimizer.exe => (Only targets, 08 / Win7)

An even easier approach would be to exclude the complete Provisioning Services folder.

Please note:
The list above comes with the following general antivirus recommendations, which should be considered before applying any kind of exclusion or optimization:

    • If organizations choose to exclude files or folders from real-time or on-access scanning, Citrix recommends scanning the excluded files and folders on a regular basis using scheduled scans. It is recommended to perform scheduled scans during non-business or non-peak hours to minimize any potential impact on performance.
    • The integrity of excluded files and folders should be maintained at all times. Organizations should consider using an enterprise file integrity monitoring or host intrusion prevention solution to protect the integrity of files and folders that have been excluded from real-time or on-access scanning. Note that database and log files should not be included in this type of integrity monitoring, because these files are expected to change.
    • If a complete folder must be excluded from real-time or on-access scanning, Citrix recommends closely monitoring the creation of new files in the excluded folders.
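The following PowerShell script is an added example, not part of the original post or of Citrix's own tooling. It takes the candidate paths listed above, keeps only those that actually exist on the host (so the AV exclusion list never contains files that are absent for this PVS/OS version), and then writes a SHA-256 baseline of the excluded files so that a later run reports changed, removed or newly created files, as the integrity and new-file notes above ask for. The store path D:\Store, the output file locations under $env:ProgramData and the use of $env:SystemRoot / $env:ProgramFiles are assumptions; adjust them to your installation.

```powershell
# Added example (not from the original post): build a host-specific PVS exclusion
# list and an integrity baseline for the excluded files.
$Candidates = @(
    "$env:SystemRoot\System32\drivers\CVhdBusP6.sys",
    "$env:SystemRoot\System32\drivers\CVhdBus2.sys",
    "$env:SystemRoot\System32\drivers\CFsDep2.sys",
    "$env:SystemRoot\System32\drivers\bnistack.sys",
    "$env:SystemRoot\System32\drivers\bnistack6.sys",
    "$env:SystemRoot\System32\drivers\BNNF.sys",
    "$env:SystemRoot\System32\drivers\BNNS.sys",
    "$env:SystemRoot\System32\drivers\BNNS6.sys",
    "$env:SystemRoot\System32\drivers\BNPort.sys",
    "$env:SystemRoot\System32\drivers\CVhdBusP52.sys",
    "$env:ProgramFiles\Citrix\Provisioning Services\BNTFTP.EXE",
    "$env:ProgramFiles\Citrix\Provisioning Services\StreamService.exe",
    "$env:ProgramFiles\Citrix\Provisioning Services\StreamProcess.exe",
    "$env:ProgramFiles\Citrix\Provisioning Services\soapserver.exe",
    "$env:ProgramFiles\Citrix\Provisioning Services\BNDevice.exe",
    "$env:ProgramFiles\Citrix\Provisioning Services\TargetOSOptimizer.exe",
    "$env:ProgramData\Citrix\Provisioning Services\Tftpboot\ARDBP32.BIN",
    "D:\Store"   # assumed local vDisk store path
)

# Keep only paths present on this host; files missing for this PVS/OS version
# must not be added to the antivirus exclusion list.
$Present = @($Candidates | Where-Object { Test-Path -LiteralPath $_ })
if ($Present.Count -eq 0) { throw "No PVS paths found on this host; nothing to exclude." }
$Present | Set-Content -Path "$env:ProgramData\pvs-av-exclusions.txt"   # assumed location

# SHA-256 of every excluded file, recursing into excluded folders such as the store.
function Get-ExclusionBaseline {
    param([string[]]$Paths)
    Get-ChildItem -LiteralPath $Paths -File -Recurse -Force -ErrorAction SilentlyContinue |
        Get-FileHash -Algorithm SHA256 |
        Select-Object Path, Hash
}

$BaselineFile = "$env:ProgramData\pvs-av-exclusions-baseline.csv"   # assumed location
if (-not (Test-Path -LiteralPath $BaselineFile)) {
    Get-ExclusionBaseline -Paths $Present | Export-Csv -Path $BaselineFile -NoTypeInformation
    Write-Output "Baseline written to $BaselineFile"
} else {
    # Differences: '=>' rows are new or modified files, '<=' rows are removed files
    # or the previous hash of a modified file.
    $Old = Import-Csv -Path $BaselineFile
    $New = Get-ExclusionBaseline -Paths $Present
    Compare-Object -ReferenceObject $Old -DifferenceObject $New -Property Path, Hash |
        Select-Object Path, Hash, SideIndicator
}
```

Hashing a vDisk store is slow and write-cache files in it change by design, so run the comparison as a scheduled task outside peak hours and filter those cache files out of the baseline, in line with the note above about excluding files that are expected to change.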

Credits
I would also like to say a big thank you to the following people for checking a few of the settings in this blog: Martin Latteier & Ivan Rodriguez Santos (Citrix Consulting), Magnus R (Swedish public sector) and, as always, James Gordon (Citrix Consulting).
