Anti-Virus 1

Status
Not open for further replies.

TexExpat

MIS
Jun 14, 2002
116
US
I am running MetaFrame 1.8 on Windows NT4, SP6a. Since I use it primarily to deliver a desktop rather than published apps, I want to put an antivirus solution on it.

We currently use Norton AntiVirus Corporate Edition v7.6. This version is supposed to work properly with Citrix, but I have not tried it out yet. I know I have read many places that previous versions of NAV, as well as most AV products, are problematic on a MetaFrame server. Does anyone have any insights on using this version of Norton AntiVirus Corporate Edition or on anti-virus products in general on MetaFrame? How should I install/configure it?

Thank you very much for your help.
 
We do administration for several companies that have McAfee on their (Citrix) servers but we do not recommend it.

First of all, I would like to say that you actually don't want antivirus on a Citrix server. The server is busy enough handling user sessions. If it also has to virus-scan every file a user is opening, then the processor load goes up very sharply. A good solution is to schedule, on another server with antivirus installed (for example a file and print server), a check of the Citrix server, for example every night. That way you do not have to install antivirus on a Citrix server, but do have protection.

If you need to install a virus scanner on a Citrix server, then install it, but configure it so that the virus scanner does not run except at a scheduled time. You could schedule the server to be scanned during break time. Do not enable active scanning, so that not all files are constantly scanned.

I hope this helps.
 
Thank you very much for your reply.

What you wrote makes sense, and I hadn't thought about scanning the file system from another machine. Would I map drives from the scanning machine to the Citrix server drives and scan those mapped drives? Would I scan the entire file system, or would I need to scan only specific file types in order to exclude system files, etc. from the scan? If I set the AV scan (from the other machine) for realtime protection, would that add very much overhead to the Citrix server? Or should I schedule it for a specific off time?

Also, would I need to have the scanning done on an NT machine, or would a Windows 98 machine work OK?

Thanks again very much for your suggestion.
 
Hi,

You don't have to make a mapping if you are using administrative shares, for example: scan \\servername\c$, scan \\servername\d$, etc.
What you want to scan is up to you. In the evening we scan everything. If you want to perform a scan during break time, you want to scan the profiles (where people keep their temp internet files), the winnt folder and folders where data is placed by users. Also the temp folder can be scanned. Do not include the pagefile or database files.
If you want to use a realtime scanner, then only scan the most urgent folders like the profiles. Citrix servers tend to be static servers. The best way is to schedule in the virus scanner that the Citrix servers are scanned once a day. McAfee is able to do that; NetShield will protect the file server constantly, and in the McAfee console, on the server, I schedule checks of the other (Citrix) servers.
 
You should use AV software on your Citrix servers if you are running a full desktop. You just have to set it up correctly.

We use ETrust InoculateIT from CA, but you can set the others up in a similar fashion:

Install it, set a system scan to run during off hours or slow times. Use the realtime monitor service, but take the realtime monitor executable away from everyone. This way you don't have multiple instances running. Update your sigs and run a full scan. Set the realtime to monitor "incoming files only" and you should not have to worry about performance.

John
 
If you use antivirus software on your file servers and, for example, GroupShield (McAfee mail scanner) on your mail server, then you are pretty safe. But if you need to anyway, then the settings make all the difference. But I do not advise it. Even with a desktop.
 
You only need A/V on a Citrix server if you haven't locked it down properly, and you have users saving data to it (shudder!).

Nonetheless, most of my clients use Trend Server Protect, which carries very little overhead.

An ideal Citrix server is a dumb application server with "twiddly bits" (all the management tools).

Hope this helps

CitrixEngineer@yahoo.co.uk
 
Illuvatar and CitrixEngineer - Good points, and I agree. I shouldn't have said "If you use a desktop you should use A/V." I should have said "If you HAVE to use A/V, you should do this:". I'm changing my stance, because I've set servers up both ways.

A lot of our clients require an AV solution, even if you do "have it set up right".

If it's any consolation, having it locked down and set up right is worth its weight in gold. Of the servers that we've HAD to put A/V on, 95% of them never catch a virus in real-time because of the points that Illuvatar and CitrixEngineer made.

John
 
That's what I miss sometimes in these forums: a good discussion about things like these. Often it's more or less a policy a company applies which we (administrators and engineers) have to fit into. What is good for one company can be a disaster for another. The more often these discussions happen about what's good and what's not, the better people who are looking for an answer can apply the solutions we provide in their own company.
 
Well, one of the things that makes Tek-Tips such a great site is that you don't have to trawl through people's discussions to get to the facts you need.

There's always the Corporate Water Cooler forum - or there's the Yahoo! group I set up ages ago that I haven't bothered to do anything with - I don't mind that being used as a chat forum for Citrix Admins (as long as we're all nice to each other...:))

CitrixEngineer@yahoo.co.uk
 
TrendMicro or InoculateIT work well with Citrix. With InoculateIT you have to delete an entry from the registry because it loads for every user.

I would recommend TrendMicro. It is easier to install and manage. InoculateIT gets to be real an*l about some options.

We have them to just scan incoming files for realtime scanning.

 
Remember also that if you install McAfee Antivirus you require a license for every client that can connect to the server, even if your client devices are thin client devices such as Wyse Winterms. This is also the case for your file servers. However, you only need 1 per client no matter how many servers they connect to. If McAfee is installed on the client then that is that client's licence.

This annoying interpretation caused us to need 380 licences rather than 160 despite our VAR arguing with McAfee to try to sort it.
 
I have set up Citrix servers with both McAfee and InoculateIT, I have also set up Citrix servers with Sophos, and I have to say that Sophos was and indeed is in my humble opinion the best of the 3. Ease of setup, automatic updating, and very low resource overhead. They do all work though.
 
Thank you all for your opinions and advice.

I really don't want to run AV on my Citrix servers, but our new security officer insists that we do. We already own Symantec AntiVirus Corporate Edition 8.0, so I'm pretty much stuck with that unless there is a really compelling reason to purchase an additional AV solution just for MetaFrame.

Taking the ability to run scans away from users is a great point, and I will do that. The installation manual from Symantec also discusses that.

If you would please indulge me, I have one question left. To install it to the Citrix server, do I install it in installation mode? I assume that I do since there is the point about denying users the ability to perform scans, but I want to make sure.
 
To make sure no errors occur, I always install software in install mode. It doesn't do any harm to do so, even if HKCU isn't used. However, if you do not use it and it does need it, then you can get a lot of trouble. So my advice is: if you do not know for sure... install using install mode! Good luck ;-)
 
Just to give you a warm fuzzy, we have NAV CE 7.6 on seven Citrix servers and have not had any issues. Your experience may differ, but it CAN work if you must make it work.
 
We have NAVCE 7.6 running on our MF1.8, no issues and no apparent slowdown. At least users haven't complained about anything.

=============
Mens et Manus
=============
 