Hi,
we installed ENS on different Citrix servers. Now ePO/ENS presents us with this:
We already assigned exclusions in the "Endpoint Security Common" policy like this:
Self protection process exclusions (which will not work, because of *.dll - right?!)
Also these exclusions:
And we trusted different citrix certificates (all we found relevant).
Why are these processes blocked yet, what's the solution to get them whitelisted?
Regards
Daniel
Hi Daniel
Correct, the set items won't be effective. Firstly because they are dll's, secondly because they aren't the process causing the event. So what you can look at is one of those events themselves and see what is the source process. Only based on this could you create an exclusion - the correct place for this is the ENS Common policy - Self Protection.
Hello Chealey,
well, I can't tell you what the source process is, because I don't see anything else than what McAfee logs. As you can see, I already configured what is plausible to me in the common policy.
So, how may I get the "real source" if McAfee does not log it?
Further hints appreciated.
Regards
Daniel
Can you click on one of those events please and share the details? The screenshot shared is just an overview. You should see more inside the event itself.
Citrix already has a list of recommended exclusions for AV.
https://www.citrix.com/blogs/2016/12/02/citrix-recommended-antivirus-exclusions/
Did you apply those already?
@patrakshar
Yes, we already implemented the Citrix processes as exclusions, but as you see, .dll files trigger a blocking rule.
@Former Member
Thanks for sharing. Now I see that those dll files are actually being reported as the source process. This is because the event is a "DLL Injection" Event.
One thing you can do to trust Citrix certificate is to export the Citrix certs and import these into your ENS Common policy as described in KB88085. If you import and select allow trust, you will be trusting these certificates and you will no longer see the injection events.
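An added example, not code from any poster in this thread or from McAfee or Citrix, showing one way to obtain the Citrix signer certificates the reply above refers to: it walks the Citrix install folders, reads the Authenticode signer of each binary and exports each distinct signer certificate as a DER-encoded .cer file, which can then be imported into the ENS Common policy certificate list as described in KB88085. The install roots and the output folder are assumptions; adjust them to your environment.

```powershell
# Added example (not from the thread): enumerate the Authenticode signers of
# the binaries under the Citrix install folders and export each distinct signer
# certificate for import into the ENS Common policy (KB88085).
# Assumptions: Citrix lives under the default "Program Files" paths and
# $OutDir is a placeholder you are free to change. Run as administrator.

$CitrixRoots = @(
    "$env:ProgramFiles\Citrix",
    "${env:ProgramFiles(x86)}\Citrix"
) | Where-Object { Test-Path $_ }

$OutDir = 'C:\Temp\CitrixSigners'   # placeholder output folder
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

$seen = @{}   # thumbprint -> subject, so each signer is exported once

Get-ChildItem -Path $CitrixRoots -Recurse -Include *.exe, *.dll -File -ErrorAction SilentlyContinue |
  ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.FullName

    # Skip unsigned files and files whose signature does not verify;
    # only a valid signer is a sensible thing to trust in the policy.
    if ($sig.Status -ne 'Valid' -or -not $sig.SignerCertificate) { return }

    $cert = $sig.SignerCertificate
    if ($seen.ContainsKey($cert.Thumbprint)) { return }
    $seen[$cert.Thumbprint] = $cert.Subject

    # Export the leaf signer certificate as DER (.cer); check KB88085 for
    # the import steps and the format the policy editor expects.
    $file  = Join-Path $OutDir ("{0}.cer" -f $cert.Thumbprint)
    $bytes = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    [System.IO.File]::WriteAllBytes($file, $bytes)

    [pscustomobject]@{
        Subject     = $cert.Subject
        Thumbprint  = $cert.Thumbprint
        NotAfter    = $cert.NotAfter
        SampleFile  = $_.FullName   # one binary signed by this certificate
        Exported    = $file
    }
  } | Format-Table -AutoSize
```

The table it prints tells you which signer certificate covers which Citrix binaries, including the .dll files that the DLL injection events name as the source process, so you can see at a glance whether all of them chain to a certificate you are about to trust. The NotAfter column is worth keeping an eye on: a certificate trust entry stops matching once Citrix ships binaries signed with a renewed certificate, at which point the injection events come back and the export has to be repeated.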
Thank you for your feedback.
We already did all you proposed before:
As we are upgrading servers in groups of five, we put them directly in the designated group, where all the Citrix policies are active.
When the servers are then rebooted, the events occurred ... in the meantime, I speculate that the warning appeared *before* the policy was active for the servers and then, when they had been assigned to the right policy, it was solved.
So finally, regarding your replies, I feel safe that we configured everything correctly.
I will observe the behaviour.
Thanks
Daniel
The process exclusions should only list .exe and not .dll. It won't do anything if you list the .dll.
What Citrix app is running on the server?
Are you installing it on XenApp, XenDesktop, Director, Storefront, Provisioning Services, etc? Each one has some different and specific folders and processes which need to be excluded.
It used to be really easy to add exclusions and troubleshoot issues in VSE. ENS has muddied the waters and confused the configurations.
If you need additional assistance, my engineers are available to assist. Or I can continue to try and help here.
@londonsec Would I be able to ask you where you get the Citrix certificates from? Do they come from the Citrix servers?
I have the issue where we have citrix processes blocked, and we have located where to add the certs in, however we're a little unsure where the certs are obtained from.
There appear to be 3 already added, but we didn't add them in. Are they added automatically, or do you need to manually import them?
Sorry if this is an obvious question, but we've been struggling.
Thanks