Anti-Virus Exclusion

The purpose of this document is to describe "best practices" regarding anti-virus exclusions to ensure a good user experience. The exclusions below can themselves pose a security risk, so we recommend scanning these files periodically. All of these recommendations are published by Microsoft, Citrix, and Flexxible.

The integrity of the excluded files and folders must be maintained at all times. It is recommended to use a File Integrity Monitoring (FIM) or Host Intrusion Prevention (HIP) solution to protect the integrity of files and folders that have been excluded from real-time scanning.
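As an added illustration (not part of the original document) of the integrity check recommended above, the following script baselines SHA-256 hashes of excluded paths and reports new, changed and missing files on later runs; the baseline file location and the monitored paths are assumptions chosen from the exclusions listed in this document.

```powershell
# Added example, not part of the original document: a lightweight integrity check
# for paths excluded from real-time scanning. The first run records SHA-256 hashes
# into a baseline file; later runs report new, changed and missing files.
# Baseline location and monitored paths are assumptions for illustration; point it
# at executable and policy files, not at databases or logs that change legitimately.
param(
    [string]$BaselineFile = 'C:\ProgramData\AvExclusionBaseline.json',
    [string[]]$Paths = @(
        "$env:SystemRoot\System32\GroupPolicy\Registry.pol",
        "$env:ProgramFiles\Flexxible",
        "$env:ProgramFiles\Citrix\Broker\Service"
    )
)

function Get-ExclusionHashes {
    param([string[]]$Targets)
    $hashes = @{}
    foreach ($target in $Targets) {
        if (-not (Test-Path $target)) { continue }
        Get-ChildItem -Path $target -File -Recurse -ErrorAction SilentlyContinue |
            ForEach-Object {
                $h = Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
                if ($h) { $hashes[$_.FullName] = $h.Hash }
            }
    }
    return $hashes
}

$current = Get-ExclusionHashes -Targets $Paths

if (-not (Test-Path $BaselineFile)) {
    # First run: write the baseline and stop.
    $current | ConvertTo-Json | Set-Content -Path $BaselineFile
    Write-Output "Baseline written to $BaselineFile ($($current.Count) files)"
    return
}

$baseline = @{}
(Get-Content -Path $BaselineFile -Raw | ConvertFrom-Json).PSObject.Properties |
    ForEach-Object { $baseline[$_.Name] = $_.Value }

# Every line printed here deserves review: these files are not scanned in real time.
foreach ($file in $current.Keys) {
    if (-not $baseline.ContainsKey($file))        { Write-Output "NEW      $file" }
    elseif ($baseline[$file] -ne $current[$file]) { Write-Output "CHANGED  $file" }
}
foreach ($file in $baseline.Keys) {
    if (-not $current.ContainsKey($file)) { Write-Output "MISSING  $file" }
}
```

Run it once to create the baseline, then schedule it alongside the periodic scan so that drift in excluded locations is noticed rather than silently trusted.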


Virtual Desktops (VDI) or AppServers

Flexxible VDIClient

Folders to exclude: C:\Program Files\Flexxible\VDIClientService

Processes: VDIClientService.exe


Windows Update

Disable real-time scan of:

Windows Update database: %windir%\SoftwareDistribution\Datastore\DataStore.edb

Log files: edb*.jrs, edb.chk and tmp.edb in %windir%\SoftwareDistribution\Datastore\Logs


Windows security files

Exclude the following extensions in the folder %windir%\Security\Database:

*.edb

*.sdb

*.log

*.chk

*.jrs


Group policies

Exclude the following files:

NTUser.pol in %AllUsersProfile%

Registry.pol in %SystemRoot%\System32\GroupPolicy


System

Exclude the page file (default path: C:\pagefile.sys)

Exclude the print spooler (%systemroot%\system32\spoolsv.exe)


Citrix Services

Exclude the following paths:

%UserProfile%\AppData\Local\Temp\Citrix\RTMediaEngineSRV\MediaEngineSRVDebugLogs**.txt

%UserProfile%\AppData\Local\Temp\Citrix\HDXRTConnector\*\*.txt


Processes to exclude:

UserProfileManager.exe

%ProgramFiles%\Citrix\User Profile Manager\UserProfileManager.exe

%ProgramFiles%\Citrix\Virtual Desktop Agent\BrokerAgent.exe

%SystemRoot%\System32\spoolsv.exe

%SystemRoot%\System32\winlogon.exe

%SystemRoot%\System32\userinit.exe

%SystemRoot%\System32\smss.exe

%ProgramFiles%\Citrix\ICAService\picaSvc2.exe (Desktop OS only)

%ProgramFiles%\Citrix\ICAService\CpSvc.exe (Desktop OS only)


%ProgramFiles(x86)%\Citrix\HDX RealTime Connector\AudioTranscoder.exe

%ProgramFiles(x86)%\Citrix\HDX RealTime Connector\MediaEngine.Net.Service.exe

%ProgramFiles(x86)%\Citrix\HDX RealTime Connector\MediaEngineService.exe


%ProgramFiles%\Citrix\HTML5 Video Redirection\WebSocketService.exe (CVAD 7.15 LTSR - both desktop and server OS)

%ProgramFiles(x86)%\Citrix\System32\WebSocketService.exe (CVAD 1912 LTSR - Server OS only)

%ProgramFiles%\Citrix\ICAService\WebSocketService.exe (CVAD 1912 LTSR - Desktop OS only)

%ProgramFiles(x86)%\Citrix\HDX\bin\WebSocketService.exe (CVAD 2003+ - both desktop and server OS)


Infrastructure Virtual Machines

Flexxible

Folders:

C:\Program Files (x86)\Flexxible

C:\Program Files\Flexxible


Processes:

VDIClientService.exe

VDIQueueListener.exe

VDIWorkerClient.exe

VDIWorkerBackupServer.exe

VDIWorkerAux.exe

VDIWorkerActiveDirectory.exe

VDIWorkerAlerts.exe

VDIWorkerDesktopOperations.exe

VDIWorkerStructure.exe


Communications:

Allow inbound and outbound traffic on TCP ports 1236 and 1237


Domain Controllers

Apply the settings described in the "Running antivirus software on domain controllers" section of this article: https://support.microsoft.com/es-es/kb/822158


Hyper-V

Processes to exclude:

Vmms.exe

Vmwp.exe

VmmAgent.exe

CLUSSVC.EXE


Folders to exclude:

C:\ClusterStorage\*

C:\Windows\Cluster\*

C:\ProgramData\Microsoft\Windows\Hyper-V

C:\Users\Public\Documents\Hyper-V\Virtual hard disks

C:\Program Files\Hyper-V


Extensions to exclude from real-time scanning:

*.VHD

*.VHDX

*.AVHD

*.VSV

*.BIN
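The Hyper-V exclusions above applied to Microsoft Defender Antivirus, as an added example that is not part of the original document: it adds the folder, process and extension exclusions idempotently with Add-MpPreference and reads them back with Get-MpPreference to confirm they took effect. Other anti-virus products need their own console; the cmdlets here are Defender-specific and require an elevated session.

```powershell
# Added example, not part of the original document: apply and verify the Hyper-V
# exclusions with the Microsoft Defender Antivirus cmdlets. Run elevated.
$exclusions = @{
    Paths      = @(
        'C:\ClusterStorage\*',
        'C:\Windows\Cluster\*',
        'C:\ProgramData\Microsoft\Windows\Hyper-V',
        'C:\Users\Public\Documents\Hyper-V\Virtual hard disks',
        'C:\Program Files\Hyper-V'
    )
    Processes  = @('Vmms.exe', 'Vmwp.exe', 'VmmAgent.exe', 'CLUSSVC.EXE')
    Extensions = @('VHD', 'VHDX', 'AVHD', 'VSV', 'BIN')
}

function Set-HyperVExclusions {
    param([hashtable]$Spec)
    $before = Get-MpPreference
    # Add-MpPreference appends, so skip entries already present to keep this idempotent.
    $newPaths = @($Spec.Paths      | Where-Object { $before.ExclusionPath      -notcontains $_ })
    $newProcs = @($Spec.Processes  | Where-Object { $before.ExclusionProcess   -notcontains $_ })
    $newExts  = @($Spec.Extensions | Where-Object { $before.ExclusionExtension -notcontains $_ })
    if ($newPaths) { Add-MpPreference -ExclusionPath      $newPaths }
    if ($newProcs) { Add-MpPreference -ExclusionProcess   $newProcs }
    if ($newExts)  { Add-MpPreference -ExclusionExtension $newExts }
}

function Test-HyperVExclusions {
    # Returns the entries that are still missing after the change; empty means success.
    param([hashtable]$Spec)
    $after   = Get-MpPreference
    $missing = @()
    $missing += @($Spec.Paths      | Where-Object { $after.ExclusionPath      -notcontains $_ })
    $missing += @($Spec.Processes  | Where-Object { $after.ExclusionProcess   -notcontains $_ })
    $missing += @($Spec.Extensions | Where-Object { $after.ExclusionExtension -notcontains $_ })
    return $missing
}

Set-HyperVExclusions -Spec $exclusions
$notApplied = Test-HyperVExclusions -Spec $exclusions
if ($notApplied) { Write-Warning ('Not applied: ' + ($notApplied -join ', ')) }
else { Write-Output 'All Hyper-V exclusions are in place' }
```

The same pattern applies to the SQL Server, IIS and System Center sections below: swap in that section's paths, processes and extensions.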


SQL Server

Extensions to exclude from real-time scanning:

*.mdf

*.ldf

*.ndf

*.bak

*.trn


Processes to exclude:

SQLAGENT.EXE

SQLSERVR.EXE

SSMS.EXE

SQLWRITER.EXE

CLUSSVC.EXE


Exclude the following folders:

C:\Program Files\Microsoft SQL Server\*


IIS

Process:

w3wp.exe


Folders:

%systemroot%\Inetsrv

**\IIS Temporary Compressed Files\


System Center (VMM)

Folders to exclude:

C:\Program Files\Microsoft System Center 2016\Virtual Machine Manager\bin

C:\ClusterStorage\*

C:\Windows\Cluster\*


Processes to exclude:

vmmservice.exe

Vmms.exe

vmmAgent.exe

Vmwp.exe

CLUSSVC.EXE


Citrix Delivery Controller (XenDesktop)

Processes:

%ProgramFiles%\Citrix\Broker\Service\BrokerService.exe

%ProgramFiles%\Citrix\Broker\Service\HighAvailabilityService.exe

%ProgramFiles%\Citrix\ConfigSync\ConfigSyncService.exe


Exclude the following files and folders:

%SystemRoot%\ServiceProfiles\NetworkService\HaDatabaseName.mdf

%SystemRoot%\ServiceProfiles\NetworkService\HaImportDatabaseName.mdf

%SystemRoot%\ServiceProfiles\NetworkService\HaDatabaseName_log.ldf

%SystemRoot%\ServiceProfiles\NetworkService\HaImportDatabaseName_log.ldf

%ProgramData%\Citrix\Broker\Cache


StoreFront

Processes to exclude:

%systemroot%\SysWOW64\inetsrv\w3wp.exe

%systemroot%\system32\inetsrv\w3wp.exe

%ProgramFiles%\Citrix\Receiver StoreFront\Services\SubscriptionsStoreService\Citrix.DeliveryServices.SubscriptionsStore.ServiceHost.exe

%ProgramFiles%\Citrix\Receiver StoreFront\Services\CredentialWallet\Citrix.DeliveryServices.CredentialWallet.ServiceHost.exe


Exclude the following path:

%SystemRoot%\ServiceProfiles\NetworkService\AppData\Roaming\Citrix\SubscriptionsStore\**\PersistentDictionary.edb


Bibliography

https://support.microsoft.com/es-es/kb/822158

https://support.microsoft.com/en-us/kb/309422

http://social.technet.microsoft.com/wiki/contents/articles/953.microsoft-anti-virus-exclusion-list.aspx

https://docs.citrix.com/en-us/tech-zone/build/tech-papers/antivirus-best-practices.html

http://support.citrix.com/article/CTX127030