Created: 2012-11-04
Last Updated: 2013-09-22

WARNING! This article contains antivirus exclusions. It is important to understand that antivirus exclusions and optimizations increase the attack surface of a system and might expose computers to a variety of real security threats. However, the following guidelines typically represent the best tradeoff between security and performance. Citrix does not recommend implementing any of these exclusions or optimizations until rigorous testing has been conducted in a lab environment to thoroughly understand the tradeoffs between security and performance. Citrix also recommends organizations engage their antivirus and security teams to review the following guidelines before proceeding with any type of production deployment.

Background
During most of my Provisioning Services engagements I found that most implementations lack the correct antivirus exclusions for optimal stability and speed. Unfortunately, this happens more often than one would expect, and I have therefore decided to document the ones that most people are missing.

It should be noted that some file names differ between operating systems, and that some files don't exist in some versions.
I have tried to document everything as well as possible based upon notes that I have taken over the years – however, I still recommend that you review the recommendations below so that they actually match your system.
It should also be noted that some of the exclusions depend on, for example, the setup used, default paths, and the operating system in combination with the product version.

Impact
So what could happen if you choose not to exclude these files and processes? Well, it could cause a major impact or nothing at all. But what I have seen in general is slow boot times and a lot of retries – sometimes over 500-900 in a few hours – which leads to a server that stops responding and, finally, slow application response time (application latency).
It is also worth saying that all of the above generally happens sporadically, which makes troubleshooting extremely difficult. For example, the same server image could cause one server to fail whilst another operates in an okay state.
The antivirus software is what triggers this behaviour, but it is unknown why it happens only intermittently rather than constantly.

A few recommended Server Side file exclusions.

    C:\Windows\System32\drivers\CVhdBusP6.sys => (PVS 6.1)
    C:\Windows\System32\drivers\CVhdBus2.sys => (PVS 5.6)
    C:\Windows\System32\drivers\CFsDep2.sys => (PVS 5.6 and PVS 6.1)
    C:\Program Files\Citrix\Provisioning Services\BNTFTP.EXE => (PVS 5.6 and PVS 6.1)
    C:\ProgramData\Citrix\Provisioning Services\Tftpboot\ARDBP32.BIN => (PVS 5.6 and PVS 6.1)
    D:\Store => (i.e. the local vDisk store)

A few recommended Server Side processes to be excluded.

    C:\Program Files\Citrix\Provisioning Services\StreamService.exe => (All versions)
    C:\Program Files\Citrix\Provisioning Services\StreamProcess.exe => (All versions)
    C:\Program Files\Citrix\Provisioning Services\soapserver.exe => (All versions)

A few recommended Target Device exclusions.

    C:\Windows\System32\drivers\bnistack.sys => (Only targets, Win2003/XP)
    C:\Windows\System32\drivers\bnistack6.sys => (Only targets, 2008/Win7)
    C:\Windows\System32\drivers\BNNF.sys => (Only targets, Win2003/XP)
    C:\Windows\System32\drivers\BNNS.sys => (Only targets, Win2003/XP)
    C:\Windows\System32\drivers\BNNS6.sys => (Doesn’t exist anymore with PVS6.1 Agent)
    C:\Windows\System32\drivers\BNPort.sys => (Only targets, Win2003/XP)
    C:\Windows\System32\drivers\CFsDep2.sys => (Win2003/XP & 2008/Win7)
    C:\Windows\System32\drivers\CVhdBusP52.sys => (Only targets, Win2003/XP)
    C:\Windows\System32\drivers\CVhdBusP6.sys => (2008/Win7)
    C:\Program Files\Citrix\Provisioning Services\BNDevice.exe => (Only targets, 2008/Win7)
    C:\Program Files\Citrix\Provisioning Services\TargetOSOptimizer.exe => (Only targets, 2008/Win7)

An even easier approach would be to exclude the complete Provisioning Services folder (C:\Program Files\Citrix\Provisioning Services).

Please note:
The following general antivirus recommendations should be reviewed prior to implementing any type of exclusion or optimization:

    • If organizations choose to exclude particular files or folders as part of real-time or on-access scanning, Citrix recommends scanning the excluded files and folders on a regular basis using scheduled scans. It is recommended to perform scheduled scans during non-business or off-peak hours to mitigate any potential performance impact.
    • Integrity of excluded files and folders should be maintained at all times. Organizations should consider leveraging a commercial File Integrity Monitoring or Host Intrusion Prevention solution to protect the integrity of files and folders that have been excluded from real-time or on-access scanning. It should be noted that database and log files should not be included in this type of data integrity monitoring because these files are expected to change.
    • If an entire folder must be excluded from real-time or on-access scanning, Citrix recommends closely monitoring the creation of new files in the excluded folders.
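One lightweight way to cover the last two points (integrity of excluded files, and new files appearing in excluded folders) without a commercial FIM product is a scheduled PowerShell job that hashes everything under the excluded paths and diffs it against a stored baseline. This is an added example, not Citrix's or the post's own script; the baseline location and the filter for log/database extensions are assumptions, and the path list is taken from the exclusions above.

```powershell
# Added example: SHA-256 baseline and diff of the paths excluded from on-access scanning.
# Run once to write the baseline, then on a schedule to report NEW / CHANGED / REMOVED files.
# $BaselineFile and $NoisyExtensions are assumptions; adjust $ExcludedPaths to your system.
# Requires PowerShell 4.0 or later (Get-FileHash).
$BaselineFile  = 'C:\ProgramData\PvsExclusionBaseline.json'   # assumed location
$ExcludedPaths = @(
    'C:\Windows\System32\drivers\CVhdBusP6.sys',
    'C:\Windows\System32\drivers\CFsDep2.sys',
    'C:\Program Files\Citrix\Provisioning Services',
    'C:\ProgramData\Citrix\Provisioning Services\Tftpboot',
    'D:\Store'
)
# Log and database files are expected to change, so they are left out of the baseline.
$NoisyExtensions = @('.log', '.mdf', '.ldf', '.lok')

function Get-ExclusionSnapshot {
    $snapshot = @{}
    foreach ($path in $ExcludedPaths) {
        if (-not (Test-Path $path)) { Write-Warning "Missing on this system: $path"; continue }
        Get-ChildItem -Path $path -File -Recurse -ErrorAction SilentlyContinue |
            Where-Object { $NoisyExtensions -notcontains $_.Extension.ToLower() } |
            ForEach-Object {
                $snapshot[$_.FullName] = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
    }
    return $snapshot
}

$current = Get-ExclusionSnapshot
if (-not (Test-Path $BaselineFile)) {
    $current | ConvertTo-Json | Set-Content -Path $BaselineFile
    Write-Output "Baseline written: $($current.Count) files hashed."
    return
}

$baseline = @{}
(Get-Content $BaselineFile -Raw | ConvertFrom-Json).PSObject.Properties |
    ForEach-Object { $baseline[$_.Name] = $_.Value }

# Anything new, altered or missing inside an excluded path needs a human to look at it.
foreach ($file in $current.Keys) {
    if (-not $baseline.ContainsKey($file))        { Write-Output "NEW      $file" }
    elseif ($baseline[$file] -ne $current[$file]) { Write-Output "CHANGED  $file" }
}
foreach ($file in $baseline.Keys) {
    if (-not $current.ContainsKey($file))         { Write-Output "REMOVED  $file" }
}
```

Re-write the baseline deliberately after each PVS upgrade or vDisk change, otherwise every legitimate update shows up as CHANGED.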

Credits
I would also like to give a big thank you to the following persons for verifying a few settings in this blog post: Martin Latteier & Ivan Rodriguez Santos (Citrix Consulting), Magnus R (Swedish Public Sector) and, as always, James Gordon (Citrix Consulting).