Symantec Endpoint Protection (SEP) 12.1.5 Antivirus Exclusion – Windows Server 2012 R2 – Citrix XenApp 7.6

Antivirus exclusions are an important step in deploying server-based technologies.  An organization's performance needs are just as critical as its security needs.  Antivirus protection on physical XenApp servers hosting applications and shared desktops can be a challenge when the appropriate exclusions are not set up, because performance and availability can suffer drastically.  Some of the issues that can be avoided with exclusions include hanging user sessions, long delays at logon and logoff, long delays launching apps, and server unresponsiveness.

Looking at a deployment of the XenApp 7.6 VDA on the Windows Server 2012 R2 platform for a healthcare organization, the following resources were reviewed to identify what to add to the exception policy in Symantec Endpoint Protection Manager.  The links below refer to best practices recommended by Symantec, Citrix, Microsoft and, for a healthcare organization using Intergy, Sage.


SEP_12.1.5_Exceptions


https://support.symantec.com/en_US/article.TECH91070.html

https://www.citrix.com/blogs/2013/09/22/citrix-consolidated-list-of-antivirus-exclusions/

https://support.citrix.com/article/CTX127030

http://social.technet.microsoft.com/wiki/contents/articles/18439.terminal-server-antivirus-exclusions.aspx

http://www.millennium-mb.com/files/Sage_Intergy_EHR_EMR_New_Jersey_York_Medical_Billing.pdf

Note that the registry fix described in the first link is performed after the SEP 12.1.5 client is installed on the XenApp 7.6 VDA server.

The fourth link refers to the antivirus exclusions recommended by Microsoft for Terminal Servers.  We were unable to find an updated list for Remote Desktop Services on Windows Server 2012 R2, but some of the earlier exclusions will still apply.

The same is true for Intergy/Intergy EHR exclusions: exclusions published for earlier versions of Intergy still apply to newer versions.

Lastly, while all of the file exclusion recommendations above come from the product vendors mentioned earlier, it is worth noting that some exclusions will make your server more vulnerable to attacks, since anything excluded is no longer scanned.  Thus, antivirus software on XenApp 7.6 VDA servers should only be one part of a larger, more robust enterprise security plan.

#antivirus-2, #citrix, #exception-policy, #security-2, #sep-12-1-5, #sep-manager, #sepm, #shared-desktop, #symantec-endpoint-protection, #vda-7-6-0, #virtualization-2, #windows-server, #xenapp-7-6-2

Verify Symantec Endpoint Protection Manager Created Exception Policy is Applied to Client

Consider the following scenario:

You recently deployed a couple of Citrix XenApp servers. You created a new group in SEP 12.1.5 Manager and modified an exception policy to exclude individual files, extensions and processes from being scanned by SEP 12.1.5. Then you created an unmanaged client install package using that new group so that the exception policy would be included. You installed the client on the server, and under User-defined Exceptions the window is blank. How can you know for sure that the exception policy you applied to the group in SEP 12.1.5 Manager carried over and is being applied on the machine?

Thanks to the Reddit Symantec gurus, we know that the User-defined Exceptions section in the SEP client shows only exceptions added by the user, not those pushed from SEP Manager. Thus, that section will not show you what you configured in the exception policy created in SEP Manager and included in the install package.

To verify that exception policies created in Symantec Endpoint Protection Manager are being applied to the client:

Open SEP on the client machine and, at the top right, go to Help and select Troubleshooting from the drop-down menu.  In the Management window, click Export under Policy Profile.  This exports an XML file that you can then search for the exclusions.

Another way to verify that an exception policy created in Symantec Endpoint Protection Manager is applied to the client is to open regedit and inspect the exclusions directly in the registry.  Browse to the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\SYMANTEC\SYMANTEC ENDPOINT PROTECTION\AV\EXCLUSIONS

Note: On 64-bit Windows machines the registry path is: HKEY_LOCAL_MACHINE\Software\WOW6432Node\Symantec\Symantec Endpoint Protection\AV\Exclusions

https://support.symantec.com/en_US/article.TECH105814.html
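The two checks above (the exported policy XML and the Exclusions registry key) can be scripted so the result is repeatable across every VDA server. The following PowerShell is an added example and is not code from the original post, from Symantec or from Citrix. The registry paths are the ones quoted above; the export file location and the list of expected exclusions are placeholders you replace with your own. Because the layout of subkeys and value names beneath ...\AV\Exclusions is not documented on this page, the script walks the key recursively and matches case-insensitive substrings instead of relying on specific value names.

```powershell
# Added example: not code from the original post, Symantec or Citrix.
# Checks that exclusions configured in SEP Manager actually reached a SEP 12.1.5
# client by (1) dumping everything under the Exclusions registry keys quoted in
# the post and (2) searching the XML exported via Help > Troubleshooting >
# Policy Profile > Export for the exclusions you expect.
# Assumptions: $PolicyXml is a placeholder path for the export; $Expected holds
# constructed sample values; the subkey/value layout under ...\AV\Exclusions is
# not documented here, so the key is walked recursively and matched by substring.

$PolicyXml = 'C:\Temp\SEP_PolicyProfile.xml'                  # assumed location of the export
$Expected  = @('C:\ExcludedFolder', '.ext', 'excluded.exe')   # constructed sample exclusions

$RegistryKeys = @(
    'HKLM:\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Exclusions'
    'HKLM:\SOFTWARE\WOW6432Node\Symantec\Symantec Endpoint Protection\AV\Exclusions'   # 64-bit Windows
)

function Get-SepExclusionRegistryValues {
    # Emits one object per registry value found under either exclusion key, recursively.
    foreach ($key in $RegistryKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $subkeys = @(Get-Item -Path $key) + @(Get-ChildItem -Path $key -Recurse)
        foreach ($subkey in $subkeys) {
            foreach ($name in $subkey.GetValueNames()) {
                $displayName = if ($name) { $name } else { '(Default)' }
                [pscustomobject]@{
                    Key   = $subkey.Name                 # full path, e.g. HKEY_LOCAL_MACHINE\SOFTWARE\...
                    Name  = $displayName
                    Value = [string]$subkey.GetValue($name)
                }
            }
        }
    }
}

function Test-SepExclusionPresent {
    # For each expected exclusion, reports whether it appears in the registry dump
    # and/or in the exported policy XML (case-insensitive substring match).
    param([string[]]$Patterns)
    $regValues = @(Get-SepExclusionRegistryValues)
    $xmlText   = if (Test-Path -Path $PolicyXml) { Get-Content -Path $PolicyXml -Raw } else { '' }
    $ignoreCase = [System.StringComparison]::OrdinalIgnoreCase
    foreach ($pattern in $Patterns) {
        $hits = @($regValues | Where-Object {
            $_.Value.IndexOf($pattern, $ignoreCase) -ge 0 -or
            $_.Name.IndexOf($pattern, $ignoreCase) -ge 0
        })
        [pscustomobject]@{
            Exclusion   = $pattern
            InRegistry  = $hits.Count -gt 0
            InPolicyXml = $xmlText.IndexOf($pattern, $ignoreCase) -ge 0
            RegistryHit = ($hits | ForEach-Object { "$($_.Key)\$($_.Name)" }) -join '; '
        }
    }
}

'== Values under the SEP exclusion registry keys'
Get-SepExclusionRegistryValues | Format-Table -AutoSize
'== Expected exclusions (False/False means the policy did not reach this client)'
Test-SepExclusionPresent -Patterns $Expected | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt on the VDA server after exporting the policy profile. The InRegistry column reflects what the client is actually enforcing and InPolicyXml what policy it received, so a row that is False in both columns means the exception policy never made it to that client (for example, the install package was built from the wrong group), while a mismatch between the two columns points at a stale export or a client that has not yet applied the policy it received. Since every entry that does show up is a path or process that is no longer scanned, the same output doubles as an audit list: keep it as short as the vendor guidance allows and restrict write access to the excluded folders.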


#antivirus-2, #exception-policy, #security-2, #sep-12-1-5, #sep-manager, #sepm, #symantec-endpoint-protection, #windows-server