No formal documentation as far as I'm aware. Citrix offers several articles on AV exclusions that you really should read and consider.
With ENS 10.5, you can use TIE 10.2 and deploy that to Citrix and other endpoints. I'm no Citrix specialist but what I do know is that if you use Xen, you already have a form of application whitelisting at your disposal. You could leverage that instead of TIE to meet any performance considerations you may have. Also, I would recommend to test it well before you deploy.
This will strugle MAYBE to date because WE think to get TIE running right and together with the ATD SANDBOX
you will need to use Mcafee ENS 10.5.1 (And not VSE). We had problems in running 10.5 in general in heavy Terminal Server.
Thus currently all our Terminal Servers customers are running VSE 8.8 Patch 9. And thus they are protected
less against actual threats.
Also i see a problem of managment and change management with those people. The typical CITRIX is used to
do 85% of the things he needs himself. Often this is why they USE Terminal Servers. They often have no real change
management in Citrix Servers. There are excpetions like banks or large enterprise but thats how we see it with customers
up to 2'000 clients. If there is a Software Deployment they are used to change managment and they test things 20 times on a VM before they release
a package to all clients. Often CITRIX guys JUST install and if it works they install it on the other Citrix Servers once. If it breaks well they do a new Citrix server. ;-(
The problem is to get those people INTO the change managment you NEED with TIE. At least if you want to get protected real
and DONT run anything that us UNKNOWN (Not only Mailicious).
If anyone else sees it in any other awy with ENS 10.5.1 and TERMINAL Server please mention it here...
In your customer pool did/have you have any issues with ENS 10.5.2 on Citrix servers? I upgraded 10.5.1 -> 10.5.2 and there was an unspecified hang (the admin respawned the server before I could troubleshoot it).