xaba_sg
Level 8
Message 1 of 62

Problem with ENS 10.6.1+November Update and Citrix XenApp 7.15


We are installing ENS 10.6.1 on the new citrix servers with XenApp 7.15 LTSR CU1.

After installation and reboot, users can't log in and the connection freezes on "Please Wait for User Profile Service", and on the server there are two warnings for winlogon Event 6001 and 6004.

[Attached image: Immagine.jpg]

With the on-access scan disabled in ENS, the problem does not occur (it also does not occur when ENS is removed from the server).

There are no events in any ENS log files.

I can't understand what happens or if there is a "bug".

3 Solutions

Accepted Solutions
McAfee Employee akatt
Message 28 of 62

Re: Problem with ENS 10.6.1+November Update and Citrix XenApp 7.15


@mr @xaba_sg

It is worth noting that we seem to be discussing two, possibly related, but different issues here.

1.  The ability for applications to "hook" McAfee processes, aka perform dll injection

2.  Configuring the On-Access Scanner to ignore disk activity of a given process, and thereby prevent scanning of everything that process performs (disk read/write).

@xaba_sg

Citrix allows for excluding certain applications from being "hooked" by their processes, but as I understand it, this is only for child processes of the Citrix application. The core, or parent, processes cannot be configured to prevent their injection...the application would lose functionality. Every so often, McAfee has to gather the certificates for these parent dll's used by Citrix, and then add them to the McAfee Trust Certificate store, in order for McAfee products to "trust" that the injected Citrix dll's are indeed legitimate dll's, allowing use in some way of McAfee processes, and also confirming that the dll injection is non-malicious (not Malware). Note that dll injection into a McAfee process doesn't necessarily mean that either the McAfee application or the injecting application may experience an issue; it is too difficult to project what might occur when allowing 3rd-party applications to inject into a McAfee process. Generally, though, for Citrix it does not cause a product functionality loss for their software, nor McAfee software, when allowing the injection, but if we do not already trust the dll that is attempting injection, you could experience things such as McAfee software patch/upgrade/install failures (due to routine installer checks that occur during install). If there are any untrusted-by-McAfee dll's within your environment that you feel should be trusted by McAfee, or that might be causing an issue, we can start the review of those dll's through opening a support service request. We will need the digital certificate of the dll's which are injecting, to start the review process and determine whether or not we can successfully add them to the McAfee Trust Certificate Store.

@mr

The issue described has to do with logon performance. One of the common items related to logon performance with Citrix, and McAfee software that performs scanning (VSE/ENS/MOVE), is due to the scanners monitoring the disk activity of UserProfileManager.exe. In fact, some years back, we went ahead and added this process as a process exclusion within MOVE default policies (in ePO), as support would commonly help customers perform this process exclusion with MOVE, and all logon performance degradation would cease. This isn't something we have done with products such as VSE/ENS, and as such we must manually configure it. I would be curious to see all of the details regarding this specific support case, as there are a couple of aspects regarding the usage of "low-risk" that I find are misinterpreted, or perhaps just overlooked, commonly.

In order to successfully use low-risk process policies (for what they are normally intended, aka a "process" exclusion) we must:

--Enable the feature to use Default, Low, and High-risk process policies (this is within the Default Processes policy for VSE, and within the On-Access Scan advanced options for ENS)
--Add the process name to the low-risk processes policy (example:  test.exe)
--Within the low-risk processes policy, disable scan on read and scan on write (NOTE:  for UserProfileManager.exe, we could probably just disable scan on read, as I believe most of the logon disk activity is read activity).

Personally, I commonly find that item 1 was never enabled (since ePO allows for modifying the low-risk settings without enabling the option, the low-risk settings never apply to the systems for which they are intended). Or, I commonly find that the exe is added as a file exclusion within the Default Process Policy. The latter simply tells the product to ignore that single file on disk, whereas performing the "process exclusion" using low-risk tells the scanners to ignore all disk read/write activity for the added processes.

Hopefully, this helps explain a bit more in detail.

 

Was my reply helpful?

If this information was helpful in any way, or answered your question, will you please select "Accept as Solution" in my reply, or give kudos as appropriate, so together we can help other members?




McAfee Employee jess_arman
Message 49 of 62

Re: Problem with ENS 10.6.1+November Update and Citrix XenApp 7.15


@xaba_sg At this point in time, I believe that it would be best if you could give Support a call regarding your SR and focus on working through the case rather than in a forum format in order to review your concerns live and collect comparison data. This way, a more amicable resolution and understanding can be reached on all sides. There is likely a complete explanation for the differences in behavior that can be found through detailed, data driven investigation.

The recommendations made here are the best available based on the circumstance described, past and current experience, as well as limited information and no performance/activity data reviewed. Chealey and others that have responded are doing their best to provide assistance given the above. If this is ever insufficient for any reason, and you truly desire further progress and/or resolution, then it is time to open a Service Request with Support.

 


McAfee Employee jess_arman
Message 59 of 62

Re: Problem with ENS 10.6.1+November Update and Citrix XenApp 7.15


@Mcafee_SWISS Everyone is welcome (and highly encouraged) to come back to this forum and update the thread with the results of their investigation with Support so all can benefit. However, the only viable, extensive, and effective way that you will get traction on a true review of this type of concern is to work with Support via a Service Request (SR). You cannot engage Engineering (if needed) via the forums, but can via an SR. We can't do investigative remote troubleshooting sessions and data collection via a forum, but we can via a SR.
Everyone here wants to be as helpful as possible. However, there are channels that are more appropriate for different types of issues and assistance than others.

 


61 Replies
McAfee Employee chealey
Message 2 of 62

Re: Problem with ENS 10.6.1+November Update and Citrix XenApp 7.15


Please check you have the recommended Citrix exclusions in place - you'll need to use high/low risk processes to define the Citrix processes as low risk:

Citrix Guidelines for Antivirus Software Configuration (https://support.citrix.com/article/CTX127030)

Citrix Consolidated List of Antivirus Exclusions (https://www.citrix.com/blogs/2016/12/02/citrix-recommended-antivirus-exclusions/)

xaba_sg
Level 8
Message 3 of 62

Re: Problem with ENS 10.6.1+November Update and Citrix XenApp 7.15


Thanks for the reply.

I have already set the recommended exclusions.

I do not understand why no logs are generated if there is any process or service that is blocked by ENS.

McAfee Employee chealey
Message 4 of 62

Re: Problem with ENS 10.6.1+November Update and Citrix XenApp 7.15


You've narrowed it down to the on access scanner component. This feature doesn't report any errors as it doesn't "block" a process or service per se. In cases where OAS is causing issues, it is generally caused by us having a hold on the file when another process also wants it - in this case, we might be performing a scan activity whilst Citrix also wants to access the file, resulting in the denied access.

You can potentially use our Profiler tool to analyse what we are scanning at the time of the issue. Otherwise I would suggest gathering a procmon, amtrace and MER with ENS in debug logging whilst reproducing the issue and submitting these to our Support Team. (KB86691 provides you with info on these mentioned data collection tools)

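An added example, not part of any post in this thread and not McAfee or Citrix tooling: a first pass over a Procmon CSV export that tallies read versus write I/O for the logon processes and lists the opens that failed while another process was on the same file, which is the contention described in the reply above. The sample rows are constructed, the column names assume Procmon's default CSV layout, and `scanner.exe` is a placeholder process name.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample in Procmon's default CSV column layout (not data from this thread).
# "scanner.exe" is a placeholder for whichever process performs the scan.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"08:01:02.10","UserProfileManager.exe","1204","ReadFile","C:\Users\alice\NTUSER.DAT","SUCCESS",""
"08:01:02.11","scanner.exe","900","ReadFile","C:\Users\alice\NTUSER.DAT","SUCCESS",""
"08:01:02.12","UserProfileManager.exe","1204","ReadFile","C:\Users\alice\AppData\Roaming\app.ini","SUCCESS",""
"08:01:02.13","UserProfileManager.exe","1204","CreateFile","C:\Users\alice\NTUSER.DAT","SHARING VIOLATION",""
"08:01:02.14","UserProfileManager.exe","1204","WriteFile","C:\Users\alice\ntuser.ini","SUCCESS",""
"08:01:02.15","winlogon.exe","560","CreateFile","C:\Users\alice\NTUSER.DAT","ACCESS DENIED",""
'''

# Procmon result strings that indicate another handle was in the way.
CONTENTION = {"SHARING VIOLATION", "ACCESS DENIED"}


def summarize(csv_text, watched):
    """Tally read/write I/O for the watched processes and report contended accesses."""
    watched = {name.lower() for name in watched}
    io_counts = defaultdict(Counter)   # process -> Counter of ReadFile / WriteFile
    touched_by = defaultdict(set)      # lower-cased path -> every process seen on it
    contended = []                     # (process, path, result) for failed accesses
    for row in csv.DictReader(io.StringIO(csv_text)):
        proc, path = row["Process Name"], row["Path"]
        touched_by[path.lower()].add(proc)
        if proc.lower() not in watched:
            continue
        if row["Operation"] in ("ReadFile", "WriteFile"):
            io_counts[proc][row["Operation"]] += 1
        if row["Result"] in CONTENTION:
            contended.append((proc, path, row["Result"]))
    # Attach the other processes that accessed each contended file during the capture.
    report = [(proc, path, result, sorted(touched_by[path.lower()] - {proc}))
              for proc, path, result in contended]
    return io_counts, report


if __name__ == "__main__":
    counts, report = summarize(SAMPLE_CSV, ["UserProfileManager.exe", "winlogon.exe"])
    for proc, c in counts.items():
        print(f"{proc}: reads={c['ReadFile']} writes={c['WriteFile']}")
    for proc, path, result, others in report:
        print(f"{result}: {proc} -> {path}; also accessed by {others}")
```

For a real capture, pass the exported file's text instead of `SAMPLE_CSV`; if the export begins with a byte-order mark, read it with `encoding="utf-8-sig"` so the first column name parses cleanly.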
mr
Level 8
Message 5 of 62

Re: Problem with ENS 10.6.1+November Update and Citrix XenApp 7.15


Working on the same problem.  10.5 was fine, 10.6 hangs the various profile processing steps at logon.  As with you, all exclusions are in place.

I'm opening a ticket as suggested above, I have not pinned down what exact scanning process/target changed from 10.5 to 10.6.

xaba_sg
Level 8
Message 6 of 62

Re: Problem with ENS 10.6.1+November Update and Citrix XenApp 7.15


The same for me. I opened an SR, but McAfee answered me after 3 weeks.
In the next week I will send the logs collected.

I will wait for them to do their checks...

Re: Problem with ENS 10.6.1+November Update and Citrix XenApp 7.15

Please post your finding here as well if you get any.
I have witnessed similar Citrix behavior as well, but without visible ENS logging it is difficult to connect this issue directly to antivirus software. Passing of the issue one time after turning off ENS might be a coincidence; personally I request repeated evidence to confirm the link.
mr
Level 8
Message 8 of 62

Re: Problem with ENS 10.6.1+November Update and Citrix XenApp 7.15


HugsNotDrugs - I'm not sure what point you are trying to make.

In case we weren't clear enough -

We had Endpoint Security 10.5 installed and working correctly.

The upgrade to 10.6 came out and the profile processing delays started. This was demonstrated over multiple days as the system would behave normally each morning after nightly reset to the image which had not been updated to 10.6. Once the upgrade ran, the logon failed. We updated some of our images to 10.6 just to verify it wasn't an update without reboot issue and found they are now broken even at boot time. As noted earlier, disabling On Access solves the problem. No policy changes were made. So we can say without question it is related to the McAfee update. Is there a system setting rather than a McAfee setting that could solve the issue? Is there a new set of exclusions or some other setting required for 10.6? Could be either but seems likely McAfee should be our first stop.

McAfee Employee chealey
Message 9 of 62

Re: Problem with ENS 10.6.1+November Update and Citrix XenApp 7.15


If there is a new set of exclusions needed, this would need to be advised by Citrix. These have however remained the same for years and therefore I would not expect these to have changed.

I just had a look at your open SR's and other SR's raised by people in this thread and we don't have any data to check. As advised earlier in this thread, the best data you can give Support to assist you is the following:

A procmon, amtrace and MER with ENS in debug logging whilst reproducing the issue (KB86691 provides you with info on these mentioned data collection tools).


Re: Problem with ENS 10.6.1+November Update and Citrix XenApp 7.15


As I had already indicated, I uploaded the logs today (Amtrace and ProcMon).

I removed VirusScan 8.8 and reinstalled 10.6.1 to replicate the problem.
