We installed ENS on different Citrix servers. Now ePO/ENS presents us with this:
We already assigned exclusions in the "Endpoint Security Common" policy like this:
Self protection process exclusions (which will not work, because of *.dll - right?!)
Also these exclusions
And we trusted different Citrix certificates (all we found relevant).
Why are these processes still blocked, and what's the solution to get them whitelisted?
Correct, the set items won't be effective. Firstly because they are DLLs, secondly because they aren't the process causing the event. So what you can look at is one of those events themselves and see what is the source process. Only based on this could you create an exclusion - the correct place for this is the ENS Common policy - Self Protection.
Well - I can't tell you what the source process is, because I don't see anything other than what McAfee logs. As you can see, I already configured what is plausible to me in the common policy.
So, how may I get the "real source" if McAfee does not log it?
Further hints appreciated.
Can you click on one of those events please and share the details? The screenshot shared is just an overview. You should see more inside the event itself.
Citrix already has a list of recommended exclusions for AV.
Did you apply those already?
Thanks for sharing. Now I see that those dll files are actually being reported as the source process. This is because the event is a "DLL Injection" Event.
One thing you can do to trust Citrix certificate is to export the Citrix certs and import these into your ENS Common policy as described in KB88085. If you import and select allow trust, you will be trusting these certificates and you will no longer see the injection events.
Thank you for your feedback.
We already did all you proposed before:
As we are upgrading servers in groups of five, we put them directly in the designated group, where all the Citrix policies are active.
When the servers were then rebooted, the events occurred ... In the meantime, I speculate that the warning appeared *before* the policy was active for the servers and then, when they had been assigned to the right policy, it was solved.
So finally - regarding your replies - I feel safe that we configured everything correctly.
I will observe the behaviour.
The process exclusions should only list .exe and not .dll. It won't do anything if you list the .dll.
What Citrix app is running on the server?
Are you installing it on XenApp, XenDesktop, Director, Storefront, Provisioning Services, etc? Each one has some different and specific folders and processes which need to be excluded.
It used to be really easy to add exclusions and troubleshoot issues in VSE. ENS has muddied the waters and confused the configurations.
If you need additional assistance, my engineers are available to assist. Or I can continue to try and help here.