UPDATE (Sept 2013) – We finally got around to publishing more all-inclusive AV guidance for all products (not just XA) – check out the new article by my colleague here: /blogs/2013/09/22/citrix-consolidated-list-of-antivirus-exclusions/
It’s been a while since my inaugural post on virtualizing PVS, and I really meant to get this info out earlier because I’ve had no fewer than 50 people ask me about this topic over the last 6 months. But before I unveil the precious URL to the new AV Guidelines technote, a little background…
One of the most popular technotes on the Citrix Knowledge Center over the last 5 years (next to this technote, which is still #1 after all these years!) was an article entitled “Antivirus Software Configuration Guidelines for Access Essentials/XenApp”. In this article we discussed several recommendations and exclusions for configuring the antivirus software of your choosing in a classic Citrix environment. Customers, partners and even our Consulting team here at Citrix leveraged these guidelines on hundreds of implementations over the years…and all was well in the universe. Until something bad happened – we pulled the article last October!
When you went to the infamous CTX114522 technote, all you got was a note saying that the article had been removed and we pointed you to Microsoft’s generic technote on virus scanning recommendations. That’s when I started getting emails…not only from partners and customers who demanded something in writing from Citrix, but also from my fellow field Consultants. Luckily this stuff had been regurgitated on the Internet enough times that people could find the exclusions if they knew how to use this thing called Google, but that wasn’t good enough for a lot of our customers…especially the enterprise customers where our Consulting teams were engaged and they were paying big bucks for our expertise and “official” recommendations.
So that’s when I reached out to our Security team at Citrix and began to rework the infamous technote that had been hit 50,000 times over the last few years. After 5 months of discussions, meetings and input from key people on our Security team such as Kurt Roemer and Rajiv Motwani (thanks again guys!), we were able to re-release this important technote so our customers, partners and field teams have this valuable information at their disposal. I give you the all new…
It should be noted that feedback from a couple of the major AV vendors in the enterprise space (you can probably guess who) has been incorporated into this new technote as well. I usually don’t get too excited about the release of a KB article, but this one took quite a bit of time and I’m very pleased we got this critical info back out there. If you’ve ever tried to implement EdgeSight or AppStreaming without excluding the Firebird database or RadeCache folders, you know how important these guidelines are.
Please keep in mind that these are only “guidelines” as the article indicates. By implementing any exclusions at all, you are opening yourself up to risk. But these guidelines typically represent the best tradeoff between security and performance – and that’s exactly what most customers are looking for. We all want a secure configuration, but we don’t want to take a 50% performance hit by having AV running and scanning every file and folder every second of the day.
I hope you find this info useful in your future travels. If you have any feedback or ways to improve our recommendations, please feel free to leave me a comment below. I’ll respond in between trips to SFO. 😉