CTX124185

Provisioning Services Antivirus Best Practices

Applicable Products

  • Provisioning Services

Symptoms or Error

Servers and targets may experience one or more of the following symptoms if antivirus software is not properly tuned for your Provisioning Services (PVS) environment:

  • Target Device or Server appears sluggish or generally slower than normal.

  • Prolonged, excessive CPU or memory utilization.

  • Significant change in the Write Cache Disk I/O Performance. For example, when using Perfmon, the percentage of disk write time or disk write queue length increases significantly.

  • Target device software indicates excessive retries in its console.

  • In the console, Inventory shows that the replication status is incorrect for a vDisk.

  • A target device fails to boot to the vDisk; however, it boots to the local disk and displays a red X on the client status tray.

  • During boot, target device performance remains poor for a short time while antivirus definitions are updated.

Symptoms may vary greatly and are not limited to this brief list.


Solution

Limit antivirus definition updates to only the Master Target Device or Update Target Device. Create a plan to upgrade the vDisk periodically using manual or automatic vDisk updates. This can significantly reduce network bandwidth usage and overall performance impact. Avoid scanning the vDisk Write Cache file and the streaming disk IO that makes up the operating system for a given Target. Disk IO that has been altered, tampered with, or corrupted should cause an application or operating system to fail immediately.

Avoid scanning the following processes and system drivers on PVS Target Devices:
  • BNDevice.exe: handles client functions, licensing, etc.
  • BNIstack6.sys: IO protocol driver | UDP port 6911-6930
  • CNicTeam.sys: network NIC teaming, if being used
  • CFsDep2.sys: file system minifilter
  • CVhdMp.sys: storage miniport driver

Avoid scanning, or whitelist or permit, the following processes on PVS Servers:
  • Streamprocess.exe: Streaming engine | UDP port 6901-6910
  • Streamservice.exe: Service manager for streaming services
  • Soapserver.exe: handles Database connectivity and AD authentication
  • Inventory.exe: vDisk Inventory | UDP port 6895
  • MgmtDaemon.exe: Inter-server communication | UDP port 6898
  • Notifier.exe: Inter-server communication | UDP port 6903
  • BNTFTP.exe: TFTP service delivers bootstrap | UDP port 69
  • PVSTSB.exe: Two Stage Boot delivers bootstrap | UDP port 6969
  • BNPXE.exe: PXE service | Broadcast Protocol
  • CdfSvc.exe: Citrix Diagnostic Facility COM Server
  • CFsDep2.sys: file system minifilter
  • CVhdMp.sys: storage miniport driver

Avoid scanning the vDisk Write Cache file on either the target or server side. The write cache file names for the target local disk cache are .vdiskcache or vdiskdif.vhdx.
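
As an added example (not part of the original Citrix article), the following read-only PowerShell check compares the process exclusions configured in Microsoft Defender Antivirus with the process lists above. It assumes Defender is the antivirus product in use; the function name Compare-PvsExclusion and the -Role parameter are hypothetical names chosen for this example, and the .sys drivers and write cache files are not checked because they are not process exclusions.

```powershell
# Added example: audit Microsoft Defender process exclusions against the
# process lists in this article. Read-only; it changes no settings.
param(
    [ValidateSet('Target', 'Server')]
    [string]$Role = 'Server'
)

# Process names exactly as listed in the article. Drivers (.sys) are files,
# not processes, so they are not compared against ExclusionProcess here.
$expected = @{
    Target = @('BNDevice.exe')
    Server = @('Streamprocess.exe', 'Streamservice.exe', 'Soapserver.exe',
               'Inventory.exe', 'MgmtDaemon.exe', 'Notifier.exe',
               'BNTFTP.exe', 'PVSTSB.exe', 'BNPXE.exe', 'CdfSvc.exe')
}

function Compare-PvsExclusion {
    param([string[]]$Expected, [string[]]$Configured)
    foreach ($name in $Expected) {
        # An entry matches if it is the bare image name or a path ending in it.
        $hits = @($Configured | Where-Object {
            $_ -and (($_ -split '\\')[-1] -ieq $name)
        })
        [pscustomobject]@{
            Process  = $name
            Excluded = $hits.Count -gt 0
            # A name-only entry applies to any binary with that file name,
            # wherever it is located; a full path is the narrower exclusion.
            NameOnly = [bool]($hits | Where-Object { $_ -ieq $name })
            Entries  = $hits -join '; '
        }
    }
}

# ExclusionProcess is empty ($null) when no process exclusions are configured.
$configured = @((Get-MpPreference).ExclusionProcess)
Compare-PvsExclusion -Expected $expected[$Role] -Configured $configured |
    Format-Table -AutoSize
```

Rows with Excluded = False are processes from the list that Defender still scans; rows with NameOnly = True are exclusions that could be narrowed to the full path of the installed binary.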


Problem Cause

1. In general, most antivirus product defaults are configured to scan all file IO and/or processes on a disk. Like an operating system that runs locally to its hardware, all PVS streaming IO operations are subject to real-time scanning until specified otherwise. If an antivirus program scans the continuously active data stream that consists of the operating system, then this impedes the normal operation of PVS by causing disk IO delays and read-write failures, HA problems, and so on. In extreme cases, the PVS target device and server can consume more resources than necessary or become inactive.

2. When a virtual disk is running in standard image mode or Read-Only mode, AV application and virus definition updates should be avoided. This is a common scenario that causes serious degradation when target devices are restarted en masse and immediately perform an update, often causing IO bottlenecks and slow server response times. Windows Updates can have this same effect and should be disabled in Read-Only mode. Update the Read-Write image with the latest definitions and perform a full scan before switching vDisk modes back to Read-Only.


Additional Resources

When installing or upgrading antivirus client software or any other software that alters the target’s network stack, PVS 7.x requires that you first uninstall the PVS Client Software and reinstall it last; the target software should be the last thing that gets installed prior to re-imaging. The PVS software becomes unusable if another software product alters or interferes with the target's BNistack.sys or Cvhdmp.sys. Windows Updates can have this effect and may require a reverse image to be performed prior to installation.

Antivirus software varies from vendor to vendor. Check with your antivirus software vendor for specific instructions on configuring scanning exceptions. Citrix recommends that you test antivirus client software and its configuration prior to placing it into a provisioned environment. Obtaining a performance baseline early may prove useful in the event of future performance troubleshooting.

Windows Defender VDI Best Practices - https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus

Citrix CVAD AV Guide - https://docs.citrix.com/en-us/tech-zone/build/tech-papers/antivirus-best-practices.html


Disclaimer

Citrix is not responsible for and does not endorse or accept any responsibility for the contents or your use of these third party Web sites. Citrix is providing these links to you only as a convenience, and the inclusion of any link does not imply endorsement by Citrix of the linked Web site. It is your responsibility to take precautions to ensure that whatever Web site you use is free of viruses or other harmful items.