
ePO / ENS Citrix process exclusion

Hi,

We installed ENS on different Citrix servers. Now ePO/ENS presents us with this:

1.jpg

We already assigned exclusions in the "Endpoint Security Common" policy like this:

 

Self protection process exclusions (which will not work, because of *.dll - right?!)

2.jpg

Also these exclusions

3.jpg

 

And we trusted different Citrix certificates (all we found relevant).

Why are these processes still blocked, and what's the solution to get them whitelisted?

 

Regards
Daniel

8 Replies
chealey McAfee Employee
Message 2 of 9

Re: ePO / ENS Citrix process exclusion

Hi Daniel

Correct, the set items won't be effective. Firstly because they are DLLs, secondly because they aren't the process causing the event. So what you can look at is one of those events themselves and see what the source process is. Only based on this could you create an exclusion - the correct place for this is the ENS Common policy - Self Protection.

Was my reply helpful?
If this information was helpful in any way, or answered your question, will you please select "Accept as Solution" in my reply, or give kudos as appropriate, so together we can help other members?

Re: ePO / ENS Citrix process exclusion

Hello Chealey,

 

Well - I can't tell you what the source process is, because I don't see anything other than what McAfee logs. As you can see, I already configured what is plausible to me in the common policy.

So, how may I get the "real source" if McAfee does not log it?
Further hints appreciated.

Regards
Daniel

chealey McAfee Employee
Message 4 of 9

Re: ePO / ENS Citrix process exclusion

Can you click on one of those events please and share the details? The screenshot shared is just an overview. You should see more inside the event itself.

patrakshar McAfee Employee
Message 5 of 9

Re: ePO / ENS Citrix process exclusion

@anyWARE 

Citrix already has a list of recommended exclusions for AV:
https://www.citrix.com/blogs/2016/12/02/citrix-recommended-antivirus-exclusions/

Did you apply those already?

Re: ePO / ENS Citrix process exclusion

@patrakshar 
Yes, we already implemented the Citrix processes as exclusions, but as you see: .dll files trigger a blocking rule.

@chealey 

 

11.jpg

 

12.jpg

chealey McAfee Employee
Message 7 of 9

Re: ePO / ENS Citrix process exclusion

Thanks for sharing. Now I see that those dll files are actually being reported as the source process. This is because the event is a "DLL Injection" Event.

One thing you can do to trust Citrix certificate is to export the Citrix certs and import these into your ENS Common policy as described in KB88085. If you import and select allow trust, you will be trusting these certificates and you will no longer see the injection events.

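The certificate export step from the reply above, as an added example that is not part of the original thread and is not McAfee's or Citrix's own tooling: it lists the Authenticode signer of every Citrix binary under a folder, exports each distinct signer certificate once, and shows which files have no valid signature and therefore cannot be covered by certificate trust. `$ScanRoot` and `$OutDir` are placeholder paths, and the file format expected by the ENS import is an assumption to check against KB88085.

```powershell
# Added example: inventory Authenticode signers of Citrix binaries and export
# each distinct signer certificate once. Paths below are placeholders.
param(
    [string]$ScanRoot = 'C:\Program Files\Citrix',  # placeholder: Citrix install folder
    [string]$OutDir   = 'C:\Temp\citrix-signers'    # placeholder: export folder
)

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$seen = @{}   # thumbprints already exported

Get-ChildItem -Path $ScanRoot -Recurse -Include *.dll, *.exe -File -ErrorAction SilentlyContinue |
ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.FullName

    if ($sig.Status -ne 'Valid' -or -not $sig.SignerCertificate) {
        # No valid signature: trusting a certificate will not cover this file.
        [pscustomobject]@{
            File       = $_.FullName
            Status     = $sig.Status
            Thumbprint = $null
            Subject    = $null
        }
        return   # continue with the next file
    }

    $cert = $sig.SignerCertificate
    if (-not $seen.ContainsKey($cert.Thumbprint)) {
        $seen[$cert.Thumbprint] = $true
        $target = Join-Path $OutDir ('{0}.cer' -f $cert.Thumbprint)
        # DER-encoded certificate, one file per distinct signer
        Export-Certificate -Cert $cert -FilePath $target -Type CERT | Out-Null
    }

    [pscustomobject]@{
        File       = $_.FullName
        Status     = $sig.Status
        Thumbprint = $cert.Thumbprint
        Subject    = $cert.Subject
    }
} | Sort-Object Thumbprint, File | Format-Table -AutoSize
```

Comparing the exported thumbprints with the certificates already trusted in the ENS Common policy shows whether a DLL named in an injection event is signed by a certificate that was missed.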

Re: ePO / ENS Citrix process exclusion

Thank you for your feedback.
We already did all you proposed before:
1.PNG

 

As we are upgrading servers in groups of five, we put them directly in the designated group, where all the Citrix policies are active.

When the servers were then rebooted, the events occurred ... In the meantime, I speculate that the warning appeared *before* the policy was active for the servers, and then, when they had been assigned to the right policy, it was solved.

So finally - regarding your replies - I feel safe that we configured everything correctly.
I will observe the behaviour.


Thanks
Daniel

Re: ePO / ENS Citrix process exclusion

The process exclusions should only list .exe and not .dll.  It won't do anything if you list the .dll.

What Citrix app is running on the server? 

Are you installing it on XenApp, XenDesktop, Director, Storefront, Provisioning Services, etc?  Each one has some different and specific folders and processes which need to be excluded.

It used to be really easy to add exclusions and troubleshoot issues in VSE.  ENS has muddied the waters and confused the configurations.

If you need additional assistance, my engineers are available to assist.  Or I can continue to try and help here.

"The electric light did not come from the continuous improvements of candles." - Oren Harari