Antivirus Software Configuration for the EdgeSight Agent Database Server

Symptoms

If you do not configure the antivirus software correctly on your computer, the performance of the Agent Database Server might decrease or not function correctly.

Following are the symptoms, which indicate that the antivirus software is interfering with the normal operation of the EdgeSight Agent Database Server:

You might observe that the Agent for VDA devices is unable to start up due to Database Shutdown. These devices depend on successful connection to the remote EdgeSight database, Firebird database, supplied by the EdgeSight Database Agent.

You might observe a prolonged high CPU usage or a significant increase in the Thread Queue Length associated with the following EdgeSight Agent Database process:
FBServer.exe

You might observe prolonged high CPU usage or a significant increase in the Thread Queue Length associated with the antivirus software processes.

You might observe a significant change in the Disk I/O performance. For example, if the percent of Disk Write time or Disk Write Queue Length increases significantly.

A real-time troubleshooting utility from any Internet Explorer Web console to the device slows down and Internet Explorer might not respond.

Cause

The EdgeSight Database Agent Server provides database hosting and log file mirroring for EdgeSight Agent for VDA devices. Each EdgeSight agent for VDA device connects directly to the EdgeSight Agent Database Server for persistent storage. The FB Monitor synchronizes the Agent’s data folder to the shared network. It maintains a copy of the Agent’s data folder.

Most antivirus products are configured to scan all the files on the disk. If an antivirus program scans the continuously active EdgeSight database, it impedes the normal functioning of EdgeSight.

The EdgeSight Agent for VDA or EdgeSight Agent Database Server might become very slow and consume more resources.

The EdgeSight Agent for VDA can also be prevented from initializing due to the Agent’s remote database being scanned or locked by the antivirus software.

This might have a negative impact on the overall performance of the device, which is being monitored.

Resolution

Configure the required antivirus software such as, TrendMicro, Symantec, Norton, or McAfee with specific settings to ensure that the antivirus software does not scan the EdgeSight data folder or processes. Ensure that this configuration is specified for all the devices that are running the EdgeSight agent. You might have to contact the security administration team of your organization to ensure that these exceptions are enforced enterprise-wide.

Use the following procedure to prevent the antivirus software from scanning EdgeSight data folder or processes:

Note: Regardless of whether you are currently experiencing any of the preceding symptoms, Citrix recommends you to complete the following procedure before deploying any EdgeSight Agents.

Exclude Agent File Share location.
The Agent Database Server specifies the Agent File Share location as the disk location to store copies of data of the Agent devices. Data stored in this location includes log files and INI files. If the Agent File Share is on another computer and not on the Agent Database Server then the antivirus exclusion details should be specified on the computer, which owns the actual storage disk.

Computer Details	Location
Computers with Window Server 2008 operating system	%ALLUSERSPROFILE%\Citrix\System Monitoring\Data\
All other computers	%ALLUSERSPROFILE%\Application Data\Citrix\System Monitoring\Data\

Exclude the following agent folders from being scanned.
Note: Check a few agent devices to confirm the exact folder locations. These folders contain the EdgeSight agent database file and many log files.
Following are the default locations of the data folder on the EdgeSight Agent Database Server :

Exclude the following EdgeSight agent executable files or processes from being scanned:

<Program Files>\Citrix\System Monitoring\Agent\Core\Firebird\bin\fbserver.exe

<Program Files>\Citrix\System Monitoring\FBMonitor\FBMonitor.exe

More Information

Refer to the EdgeSight Installation Guide and the following Knowledge Center articles for more information about antivirus configuration settings:

CTX111062 – Required Antivirus Software Configuration for the EdgeSight Agent

CTX114906 – Required Antivirus Software Configuration for the EdgeSight Server

This document applies to:

Mcafee MOVE 2.0

Mcafee MOVE 2.0 is now available. This is a mayor release from Mcafee that fits perfect for securing the VDI environments.

If you want to know more about Mcafee MOVE 2.0 you should goto Citrix Synergy in Barcelona and check it out =O))

What is McAfee MOVE?

McAfee Management for Optimized Virtual Environments (MOVE) AntiVirus for virtual desktops and servers is uniquely designed to relieve the overhead of traditional endpoint security, yet provide the protection and performance essential for success.

Traditional anti-virus software has proven to be very resource intensive for virtual environments. Multiple virtual machines could perform anti-virus scanning at the same time, bringing the host machine to a crawl. Widely called anti-virus storms, they disrupt the business continuity of your mission-critical applications. Secure virtualization technologies tied to a specific hypervisor creates virtual environment silos and increases IT administrative overhead. Anti-virus scanning ignores the load on the hypervisor, compromising application performance when it’s needed the most. Traditional anti-virus software has a relatively large footprint, consuming precious shared resources. Signature files are not updated in offline virtual machines, leaving them vulnerable when they’re brought back online.

Why should I look at MOVE 2.0?

Vastly improved performance
Significant scalability improvements
Offloaded AV for Server Operating Systems
Substantial quality improvements

What is MOVE 2.0?

MOVE 2.0 includes two McAfee Management for Optimized Virtual Environments (MOVE) products:

McAfee MOVE AV 2.0 (MOVE AntiVirus 2.0)
McAfee MOVE Scheduler 2.0

The McAfee product suites are:

1. McAfee MOVE AntiVirus for Virtual Desktops 2.0 (Sales SKU: MOVCDE) which includes the following products (each product needs to be installed & managed separately):

McAfee MOVE AV 2.0
McAfee VirusScan Enterprise 8.8
McAfee Host Intrusion Prevention System 8.0
McAfee SiteAdvisor Enterprise Plus 3.5
McAfee ePolicy Orchestrator 4.5/4.6

2. McAfee MOVE AntiVirus for Virtual Servers 2.0 (Sales SKU: MOVCKE) includes the following products (each product needs to be installed & managed separately):

MOVE products (choose one deployment option)
McAfee MOVE Scheduler 2.0
McAfee MOVE AV 2.0
Other McAfee products
McAfee VirusScan Enterprise 8.8
McAfee VirusScan Enterprise for Offline Virtual Images (VSE for OVI)
McAfee ePolicy Orchestrator 4.5/4.6

IMPORTANT NOTE: See KB72839 For a detailed description of the MOVE 2.0 products.

What’s New in MOVE AV 2.0 ?

Improved protection

GTI File Reputation (Artemis) compatibility/support
Memory protection (Host IPS included)
Quarantine Support (similar to VSE)

Management improvements

ePO & MA 4.6 compatibility
MOVE AV events in the standard events table & Event purging
MOVE AV Scan Server has been updated to obtain VSEs OAS & AP trust
Integration with McTray & McAfee branded end-user notifications
Integration with Windows Security Center

Platform support improvements

Microsoft HyperV support
Support for VSE 8.8, Patch 1 (For the MOVE Offload Scan server), 8.7 is NOT Supported.
Install on Server Class virtual machines

Quality improvements

Significant quality improvements
Redesign of cache for better performance

Product Name Change

McAfee Optimized Virtual Environments – Antivirus for VDI (MOVE-AV for VDI) is now McAfee Management for Optimized Virtual Environments (MOVE) AntiVirus 2.0

What’s New in MOVE Scheduler 2.0 ?

The new features in MOVE Scheduler 2.0 include ….

Platform support improvements

Support for VSE 8.8
Support for VirusScan Enterprise for Offline Virtual Images (VSE for OVI) 2.1
Citrix XenServer 5.6 and VMware ESX/ESXi/vCenter 4.1 support

Management improvements

ePO & MA 4.6 compatibility
Ability to purge Scan Log Entries

Product Name Change

McAfee Optimized Virtual Environments (MOVE) for Servers 1.5 is now McAfee Management for Optimized Virtual Environments (MOVE) Scheduler 2.0