Antivirus Considerations in a Horizon Environment
Introduction
Using antivirus software in any computing environment is a very important security consideration. Unless your operating system is protected from malware, you leave it open to negative and potentially destructive software infection. However, one of the consequences of having an operating system that is fully protected from viruses is that its performance can decrease. There is a balance between an acceptable level of security and an acceptable level of performance, and this varies from one environment to the next.
This article discusses the use of antivirus software in an Omnissa Horizon environment, and changes that can be made to improve virtual machine performance without unduly compromising system security.
For the most up-to-date list of recommended exclusions, review the knowledgebase article: Antivirus executable exclusion list for Omnissa Horizon (2082045).
Caution: Before restricting your antivirus software settings in any way, seek guidance from your security team and your antivirus vendor to ensure that the restrictions are appropriate for you.
Virtual Machines
When looking at adjustments to all-inclusive antivirus scanning to increase performance, there are several areas to consider. These apply to single-user virtual desktops, session-based desktops, and application RDSH farms.
There are several general considerations to take into account with virtual machines where the Horizon Agent is installed.
- Set real-time scanning to scan local drives only.
  Important: If you are using antivirus solutions to monitor all other remote locations that host file shares, user profiles, redirected folders, and remote peripherals, there is no need for end-user desktops to also be scanning these locations.
- Always run a virus scan on golden images before putting them into production.
- Use nonpersistent desktops where possible. This mitigates risk by ensuring each user session is refreshed to a known clean state on logout.
- Turn off scan on read for nonpersistent desktop pools.
  Important: This assumes that the golden image has already been scanned and is known to be virus free. It also does not mean to turn off real-time scanning. Scan on write should still be enabled.
- Remove any unnecessary antivirus actions or processes from the desktop’s startup or login routines.
  Important: Seek guidance from your security team or antivirus vendor if you are unsure what is unnecessary.
- Turn off heuristic scanning on nonpersistent virtual machines (VMs).
- Make frequent software updates to your golden images as needed. This ensures that if an end user needs their desktop refreshed or updated in order to clean a virus, they will lose as little software as possible.
- Turn off auto-updates of antivirus software for nonpersistent desktop pools.
  Important: This actually applies to any installed software, not just antivirus software, as updates made during use of a nonpersistent desktop will be lost on logout and refresh anyway. Ensure that you keep golden images regularly updated with new antivirus software versions and signature files.
- Scan Horizon Persistent Disks for viruses on a regular basis. Because this type of disk is persistent, a refresh or recompose operation will not remove any viruses.
File Exclusions for Virtual Machines with the Horizon Agent
Exclude low-risk files and folders from real-time scans on single-user Horizon virtual machines or RDSH machines, where the Horizon Agent is installed. Some locations include:
- Page files
- IIS log files
- Windows event logs
- %systemroot%\SoftwareDistribution\DataStore
- %allusersprofile%\NTUser.pol
- *.pst, *.pstx, and *.ost files
- %systemroot%\System32\Spool\Printers
- C:\Program Files\Omnissa\Horizon\
- C:\Program Files\Omnissa\Horizon\Agent\bin
- C:\Program Files\Omnissa\Horizon\Agent\Blast
- %ProgramData%\Omnissa\Horizon\Logs
For the most up-to-date list of recommended exclusions, review the knowledgebase article: Antivirus executable exclusion list for Omnissa Horizon (2082045).
Important: Any low-risk files and folders excluded from real-time scans should still be scanned periodically, on a regular schedule.
Services
Review the Microsoft support article, Virus scanning recommendations for Enterprise computers that are running currently supported versions of Windows, for general guidance on Windows service exclusions.
Caution: Service exclusions can present a potential security risk. Seek guidance from your security team and your antivirus vendor to ensure that any restrictions are appropriate for you.
Horizon 8 Management Servers
There are several Omnissa Horizon 8 management servers that play a role in a VDI environment.
Connection Server
Horizon Connection Servers broker the connections from users to their allocated resources. Consider excluding the following folders from real-time scanning:
- %ProgramFiles%\Omnissa\Horizon\bin
- %ProgramData%\Omnissa\Horizon\Logs
- %ProgramData%\Omnissa\Horizon\backups
Additionally, review the most up-to-date recommended exclusions in the knowledgebase article: Antivirus executable exclusion list for Omnissa Horizon (2082045).
Important: Any server folders that are excluded from real-time scanning should still be scanned periodically, on a regular schedule.
Enrollment Server
Horizon Enrollment servers are deployed to support the implementation of True SSO. Consider excluding the following folders from real-time scanning:
- %ProgramFiles%\Omnissa\Horizon\bin
- %ProgramData%\Omnissa\Horizon\Logs
Important: These server folders should still be scanned periodically, on a regular schedule.
Unified Access Gateway
Omnissa Unified Access Gateway is a hardened Linux virtual appliance that resides in the DMZ. Unified Access Gateway ensures that the only remote desktop and application traffic that can enter the corporate data center is traffic on behalf of a strongly authenticated user.
Caution: Unified Access Gateway is designed so that there are no weaknesses that a virus can exploit. Installing antivirus software on Unified Access Gateway will stop it from functioning and is not supported.
Horizon Edge Gateway Appliance
The Omnissa Horizon Edge Gateway appliance is a hardened Linux virtual appliance that resides in a network segment that has visibility to Horizon Cloud Service and to Horizon 8 pod resources such as the Connection Server(s) and Unified Access Gateway(s).
Caution: The Horizon Edge Gateway Appliance is considered a component that is managed by Omnissa. The appliance is hardened and monitored by Omnissa. Attempting to install antivirus software on the Horizon Edge Gateway Appliance is a violation of the terms of service of the Horizon Cloud Service and may cause it to stop functioning.
App Volumes
Omnissa App Volumes makes it easy to deliver, update, manage, and monitor applications, and users of those applications, across virtual desktop and published application environments. When working with App Volumes, consider the following when planning antivirus scanning.
App Volumes Manager
Consider excluding certain files and folders from real-time scanning on the machines running the App Volumes Manager.
- C:\Program Files (x86)\CloudVolumes\Manager\bin
App Volumes Agent Machines
A machine with the App Volumes Agent allows App Volumes packages to be attached to it. These could be Horizon single-user and session-based RDSH virtual desktops, Citrix XenApp servers, Citrix XenDesktops, physical Windows desktops and more.
Consider excluding certain files and folders from real-time scanning on the machines running the App Volumes Agent.
- C:\Program Files (x86)\CloudVolumes
- C:\Program Files (x86)\CloudVolumes\Agent\svservice.exe
- C:\SnapVolumesTemp
- C:\SVROOT
- C:\{00000000-0000-0000-0000-000000000000}\SVROOT
Important: These files and folders should still be periodically scanned on a regular schedule.
- C:\Program Files (x86)\CloudVolumes
- C:\SnapVolumesTemp
- C:\SVROOT
- C:\Program Files\Omnissa\
- pagefile.sys
- LDF files
- MDF files
- NDF files
Packaging Machine
The App Volumes packaging machine is used to create App Volumes packages.
The packaging machine should use a snapshot that is known to be virus free but also has no antivirus software installed. The presence of antivirus software can interfere with the proper creation of a package.
- You can make sure it is virus free by installing the required operating system and base software programs without it being on the network and taking the snapshot.
- Alternatively, you can install antivirus software to it, scan it, uninstall the antivirus software, and take the snapshot.
- If possible, disconnect the provisioning machine from the network when creating a package.
Dynamic Environment Manager
Omnissa Dynamic Environment Manager delivers personalization and centrally managed policy configurations across virtual, physical, and cloud-based Windows desktop environments. Dynamic Environment Manager allows IT to control which settings users are allowed to personalize, and also maps environmental settings such as networks and location-specific printers.
In the examples below, replace \\server\ArchiveShare and \\server\ConfigShare with your values.
Dynamic Environment Manager Servers
Exclude the FlexEngine log path from real-time scans.
For example: \\server\ArchiveShare\%username%\Logs
FlexEngine Agent Machines
On clients, as with other network paths, exclude the following paths from real-time scans:
- Configuration share path.
  For example: \\server\ConfigShare\general
- Profile archive path
  For example: \\server\ArchiveShare\%username%\Archives
- Profile archive backup path
  For example: \\server\ArchiveShare\%username%\Backups
Additionally, in nonpersistent desktop pools that have a clean golden image, you can exclude these Dynamic Environment Manager executables from real-time scans:
- C:\Program Files\Omnissa\DEM\FlexEngine.exe
- C:\Program Files\Omnissa\DEM\FlexService.exe
- C:\Program Files\Omnissa\DEM\Flex+ Self-Support.exe
- C:\Program Files\Omnissa\DEM\FlexSyncTool.exe
- C:\Program Files\Omnissa\DEM\Flex+ Helpdesk Support Tool.exe
ThinApp
Omnissa ThinApp is a virtualization technology that isolates and encapsulates pre-installed applications. Virtualized applications are isolated from all other applications as well as from the underlying operating system. These packages can run on virtual or physical desktops, stream from a file share, or be placed on App Volumes 4 packages or App Volumes 2.x AppStacks.
When working with ThinApp, consider the following when planning antivirus scanning:
- Your ThinApp capture machine should use a snapshot that is known to be virus free but also has no antivirus software installed. The presence of antivirus software can interfere with the proper creation of a ThinApp package. You can make sure it is virus free by installing the required operating system and base software without it being on the network and taking the snapshot. Alternatively, you can install antivirus software to it, scan it, uninstall the antivirus software, and take the snapshot.
- If possible, do not have the capture machine connected to the network when capturing applications.
- When using a network share to store ThinApp packages, exclude all of the files known to be virus free from real-time scans. Do not exclude the directory itself, as it is possible that an unknown file can be accidentally written to the share by an administrator.
- Antivirus software has on occasion generated false-positives because of the signature used by ThinApp packages to store data. If the file actually is a ThinApp package, this is not an indication that the ThinApp package contains a virus.
Vendor Specific Guidance
This section lists and links to third-party antivirus vendor specific guidance.
Antivirus Software Vendors
There are several antivirus software vendor articles that might be useful.
Note: We do not endorse or recommend any particular third-party antivirus software vendor, nor is this list meant to be exhaustive.
Microsoft Guides
Microsoft provides the following guide on antivirus protection:
Windows Defender Non-Persistent Sample Configuration
The following Group Policy settings are a sample configuration for Windows Defender.
For more information on configuring Windows Defender exclusions, see the Microsoft documentation, Configure and validate exclusions based on file extension and folder location.
Windows Components/Windows Defender Antivirus
- Randomize scheduled task times – Enabled
- Turn off Windows Defender Antivirus – Deactivated
Windows Components/Windows Defender Antivirus/Client Interface
- Suppress all notifications – Enabled
Windows Components/Windows Defender Antivirus/Exclusions
- Extension Exclusions – Enabled
  - vhd 0
- Path Exclusions – Enabled
  - \\dc?.domain.com\SYSVOL\domain.com\config\general
  - \\domain.com\SYSVOL\domain.com\config\general 0
  - \\dc?.domain.com\profiles\%username%\Archives 0
  - \\dc?.domain.com\profiles\%username%\Backups 0
  - %ProgramFiles(x86)%\CloudVolumes 0
  - %SystemDrive%\SnapVolumesTemp 0
  - %SystemDrive%\SVROOT 0
  - %SystemDrive%\{00000000-0000-0000-0000-000000000000}\SVROOT 0
Note: Windows Defender configuration syntax permits the use of an asterisk (*) as a wildcard symbol. This allows you to modify the path exclusions given above to replace %username% with this wildcard symbol.
  - \\dc?.domain.com\profiles\*\Archives 0
  - \\dc?.domain.com\profiles\*\Backups 0
- Process Exclusions – Enabled
  - %ProgramFiles(x86)%\CloudVolumes\Agent\svservice.exe 0
  - %ProgramFiles%\Omnissa\DEM\FlexEngine.exe 0
  - %ProgramFiles%\Omnissa\DEM\FlexService.exe 0
  - %ProgramFiles%\Omnissa\DEM\Flex+ Self-Support.exe 0
  - %ProgramFiles%\Omnissa\DEM\FlexSyncTool.exe 0
  - %ProgramFiles%\Omnissa\DEM\Flex+ Helpdesk Support Tool.exe 0
Windows Components/Windows Defender Antivirus/MAPS
- Configure the ‘Block at First Sight’ feature – Deactivated
- Join Microsoft MAPS – Deactivated
- Send file samples when further analysis is required – Deactivated
Windows Components/Windows Defender Antivirus/Reporting
- Turn off enhanced notifications – Enabled
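One way to confirm that the exclusions in effect on a desktop match the sample configuration above and nothing broader has crept in (an added example, not Omnissa or Microsoft code). It reads the live settings with Get-MpPreference; the $Baseline table and the ConvertTo-NormalizedExclusion helper are names introduced here, and the share names are the page's placeholders.

```powershell
#Requires -RunAsAdministrator
# Added example. Baseline copied from this page's sample configuration (wildcard form
# of the profile paths); dc?.domain.com and domain.com are placeholders to replace.
$Baseline = @{
    ExclusionExtension = @('vhd')
    ExclusionPath      = @(
        '\\dc?.domain.com\SYSVOL\domain.com\config\general'
        '\\domain.com\SYSVOL\domain.com\config\general'
        '\\dc?.domain.com\profiles\*\Archives'
        '\\dc?.domain.com\profiles\*\Backups'
        '%ProgramFiles(x86)%\CloudVolumes'
        '%SystemDrive%\SnapVolumesTemp'
        '%SystemDrive%\SVROOT'
        '%SystemDrive%\{00000000-0000-0000-0000-000000000000}\SVROOT'
    )
    ExclusionProcess   = @(
        '%ProgramFiles(x86)%\CloudVolumes\Agent\svservice.exe'
        '%ProgramFiles%\Omnissa\DEM\FlexEngine.exe'
        '%ProgramFiles%\Omnissa\DEM\FlexService.exe'
        '%ProgramFiles%\Omnissa\DEM\Flex+ Self-Support.exe'
        '%ProgramFiles%\Omnissa\DEM\FlexSyncTool.exe'
        '%ProgramFiles%\Omnissa\DEM\Flex+ Helpdesk Support Tool.exe'
    )
}

function ConvertTo-NormalizedExclusion {
    param([string[]]$Value)
    # Expand %VAR% references, drop a leading dot (extensions) and a trailing
    # backslash (folders), and lower-case so only real differences are reported.
    foreach ($v in $Value) {
        if ($v) {
            [Environment]::ExpandEnvironmentVariables($v).TrimStart('.').TrimEnd('\').ToLowerInvariant()
        }
    }
}

$pref  = Get-MpPreference
$drift = foreach ($kind in $Baseline.Keys) {
    $approved = @(ConvertTo-NormalizedExclusion $Baseline[$kind])
    $actual   = @(ConvertTo-NormalizedExclusion $pref.$kind)
    # On the machine but not in the baseline: an unreviewed scanning blind spot.
    $actual | Where-Object { $_ -notin $approved } |
        ForEach-Object { [pscustomobject]@{ Kind = $kind; Status = 'Unapproved'; Value = $_ } }
    # In the baseline but not applied: the policy did not reach this machine.
    $approved | Where-Object { $_ -notin $actual } |
        ForEach-Object { [pscustomobject]@{ Kind = $kind; Status = 'Missing'; Value = $_ } }
}
$drift | Sort-Object Status, Kind | Format-Table -AutoSize
if ($drift | Where-Object Status -eq 'Unapproved') { exit 1 }
```

Run it on the golden image before publishing and periodically on pool machines; a non-zero exit code means an exclusion exists that the baseline does not cover.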
Carbon Black
To deploy the Carbon Black sensor with Omnissa Horizon 8, refer to the following knowledge base article: Interoperability of Carbon Black and Horizon (79180).
Summary and Additional Resources
Changelog
The following updates were made to this guide.
Date | Description of Changes |
2024-12-03 | |
2024-11-11 | |
2024-08-15 | |
2024-06-011 | |
2024-06-06 | |
2021-03-22 | |
2020-07-22 | |
2020-07-15 | |
2020-07-08 | |
About the Author and Contributors
This document was written by:
- Graeme Gordon, Senior Staff Architect, Omnissa.
- Hilko Lantinga, Staff Architect, Omnissa.
- Gina Daly, Technical Marketing Manager, Omnissa.
Feedback
Your feedback is valuable. To comment on this paper, either use the feedback button or contact us at tech_content_feedback@omnissa.com.