Recommendations on configuring Kaspersky Security 10.x for Windows Server on the same server as Citrix XenApp

Latest update: September 29, 2020 ID: 9839

This article concerns:

  • Kaspersky Security 10.1.2 for Windows Server
  • Kaspersky Security 10.1.1 for Windows Server
  • Kaspersky Security 10.1.0 for Windows Server

This article provides Citrix experts' recommendations on configuring the antivirus application installed on the same server as Citrix XenApp. The recommendations have been adapted for Kaspersky Security for Windows Server.

  • If Citrix uses pass-through authentication, in the Real-time file protection and File Threat Protection tasks (tasks can be named differently, see the documentation for the antivirus application on the client device), exclude the following folders from scanning:
    • %ProgramFiles%\Citrix\ICA Client\Presentation Server Client
    • %UserProfile%\Application Data\ICAClient\Cache
  • If users are connecting to a server's published desktop, delete the kavtray.exe parameter from the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Current Version\Run system registry key on a server.
  • In the Trusted Zone of Kaspersky Security, disable scanning of files that are accessed during the backup copy creation. To do so, go to the Trusted processes tab and select the Do not check files backup operations checkbox. Exclude the following files from scanning:
    • %SystemRoot%\system32\drivers\BNNS.sys
    • %SystemRoot%\system32\drivers\BNNF.sys
    • %SystemRoot%\system32\drivers\BNPort.sys
    • %SystemRoot%\system32\drivers\BNNS6.sys
    • %SystemRoot%\system32\drivers\bnistack.sys
    • ctxcpusched.exe
    • BNDevice.exe

We recommend the following settings for the Real-time file protection task:

  • Select the Smart mode of protection. To do so:
    1. Open the Kaspersky Security for Windows Server Console.
    2. Right-click the Real-time file protection node and select Properties.
    3. Go to the Protection mode tab and select Smart mode.
  • Set scanning of local drives only. To do so, in the Real-time file protection section, add the Local hard drives protection scope and remove My computer.
  • Add the pagefile.sys file to the exclusions. For instructions on how to add files or folders to exclusions, see this article.
  • Add the %SystemRoot%\System32\spool\PRINTERS folder to the exclusions.
If during the installation of Kaspersky Security for Windows Server you agreed to add some system folders to the Trusted Zone (according to Microsoft recommendations), that folders are already excluded from scanning for all tasks.
  • Add the %ProgramFiles%\Citrix folder to the exclusions.
    It stores the access cache of local hosts and the Resource Manager database. We also recommend to exclude from scanning the following internal folders:
    • %ProgramFiles%\Citrix\Citrix Resource Manager\LocalDB
    • %ProgramFiles%\Citrix\RadeCache
    • %ProgramFiles%\Citrix\Deploy
  • If you are using EdgeSight Agent, exclude from scanning the following files and folders:
    • %AllUsersProfile%\Application Data\Citrix\System Monitoring\Data
    • %ProgramFiles%\Citrix\System Monitoring\Agent\Core\rscorsvc.exe
    • %ProgramFiles\Citrix%\System Monitoring\Agent\Core\Firebird\bin\fbserver.exe
We recommend performing a full test cycle on a test rig prior to installing the application on the main server.

For more information and recommendations on managing exclusions for other applications, see the Citrix support website.

Did you find what you were searching for?
Thank you for your feedback!