by Nishith Gupta
Even if a third-party antivirus solution is installed on Windows Server 2016 or 2019, Microsoft Defender remains in active mode unless it is manually disabled. On Windows 10, by contrast, it disables itself when a non-Microsoft antivirus product is installed. It is therefore extremely important to apply the CVAD exclusions if Citrix Delivery Controllers run on Windows Server 2016 or 2019, to avoid disruptions like CTX279897, where Defender virus definition 1.321.1319.0 detected HighAvailabilityService.exe and BrokerService.exe as a Trojan and quarantined both processes. If Microsoft Defender is disabled and the exclusions for CVAD components have been added to the third-party antivirus solution, the machine is obviously not affected by 1.321.1319.0.
I do not want to discuss that any further here, as I have covered it in a separate article that I recommend you read first. Today I want to give a clear, end-to-end picture of how best to use Microsoft Defender in a Citrix environment, in line with the antivirus best practices published on Citrix Tech Zone.
Using Microsoft Defender with ATP (Advanced Threat Protection) brings additional benefits such as antivirus signal sharing, threat analytics and a secure score for devices, but that does not mean Microsoft Defender cannot be used as a standalone solution. Likewise, Defender ATP can be used alongside a third-party antivirus solution. Microsoft Defender can be managed and configured through Configuration Manager (together with System Center Endpoint Protection), Microsoft Intune, Group Policy, PowerShell cmdlets and WMI.
With Microsoft Defender, as with any other antivirus solution, the most critical and challenging part is managing virus definition (signature) updates for non-persistent VMs. In Microsoft Defender terminology these are called security intelligence updates. There are two types of update related to Microsoft Defender Antivirus:
- Security intelligence updates
- Product updates
In the screenshot below, 4.18.2007.8 is the product (platform) version, 1.1.17300.4 is the engine version and 1.321.1602.0 is the virus definition version, i.e. the security intelligence update version.
- Engine updates – included with the security intelligence updates and released on a monthly cadence.
- Product (platform) updates – like engine updates, released on a monthly cadence.
- Security intelligence updates – typically published once every three to four hours.
Check for Security Intelligence Updates
By default, Microsoft Defender Antivirus checks for an update 15 minutes before the time of any scheduled scan. Scheduling the check for security intelligence updates explicitly overrides that default.
Checking for security intelligence updates can be scheduled using Configuration Manager, GPO, PowerShell and even WMI. Here is a screenshot from Configuration Manager where "Check for Endpoint Protection security intelligence updates at a specific interval" is set to 0 and "Check for Endpoint Protection security intelligence updates daily at" is set to 2:00 A.M. This means that every day at 2 A.M. the endpoint checks for security intelligence updates and downloads them from one of the configured sources (see the next section).
As mentioned earlier, the following GPO settings can also be used to schedule security intelligence updates.
Computer Configuration/Policies/Administrative templates/Windows components/Windows Defender Antivirus/Security Intelligence updates:
- Specify the interval to check for security intelligence updates – enable, then enter the number of hours
- Specify the day of the week to check for security intelligence updates – enable, then select the day of the week
- Specify the time to check for security intelligence updates – enable, then enter the time
Set the Source of Security Intelligence Updates
A source is a location from which endpoints obtain security intelligence updates. There are five such locations, and they can be set in a fallback order using GPO, Configuration Manager, PowerShell and WMI.
- Microsoft Update – the same channel as Start > Settings > Update & Security > Windows Update
- WSUS (Windows Server Update Services)
- Microsoft Endpoint Configuration Manager
- MMPC (Microsoft Malware Protection Center) – the Microsoft download site that publishes security intelligence updates for Microsoft Defender Antivirus and other Microsoft antimalware
- File share – a network share from which endpoints read the updates. File shares as a topic (though not this particular option) are what we are most interested in for non-persistent VMs; more on this later.
Notice the Set Source button in the screenshot above. This is where the sources are defined if you use Configuration Manager to update endpoints. In the image below, four sources have been set; they are contacted in the order in which they are listed.
Also notice the next setting, "If Configuration Manager is used as a source for security intelligence updates, clients will only update from alternative sources if security intelligence is older than (hours)": clients fall back to the other sources only when the security intelligence delivered by Configuration Manager is older than the specified number of hours.
As mentioned earlier, a GPO setting can also be used to define the order of sources for downloading definition updates:
Computer Configuration/Policies/Administrative templates/Windows components/Windows Defender Antivirus/Security Intelligence updates/Define the order of sources for downloading security intelligence updates
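The schedule and source-order settings above can be applied and verified from PowerShell as well. The following is an added example, not code from the original article: it sets the same values the Configuration Manager and GPO screenshots describe using the Defender cmdlets, then reads back the platform, engine and signature versions and forces an update if the signatures are stale. The 2:00 A.M. schedule mirrors the screenshot; the 8-hour interval and the share path \\fs01\defender-updates are assumptions. Run it elevated on the endpoint.

```powershell
# Added example: schedule security intelligence checks and set the source
# fallback order with Set-MpPreference, then verify with Get-MpComputerStatus.
# Assumed values: 8-hour interval, 02:00 daily check, share \\fs01\defender-updates.

function Set-SignatureUpdatePolicy {
    param(
        [int]$IntervalHours   = 8,            # 0 = rely on the daily scheduled check only
        [string]$DailyAt      = '02:00:00',   # HH:MM:SS, local time
        [string[]]$Sources    = @('InternalDefinitionUpdateServer',  # WSUS
                                  'MicrosoftUpdateServer',
                                  'MMPC',
                                  'FileShares'),
        [string]$FileShare    = '\\fs01\defender-updates'
    )
    # "Specify the interval to check for security intelligence updates"
    Set-MpPreference -SignatureUpdateInterval $IntervalHours
    # "Specify the day of the week / time to check for security intelligence updates"
    Set-MpPreference -SignatureScheduleDay Everyday
    Set-MpPreference -SignatureScheduleTime $DailyAt
    # "Define the order of sources for downloading security intelligence updates".
    # Configuration Manager as a source is configured in the antimalware policy,
    # not through this cmdlet.
    Set-MpPreference -SignatureFallbackOrder ($Sources -join '|')
    # The UNC path(s) used when "FileShares" is reached in the order above
    Set-MpPreference -SignatureDefinitionUpdateFileSharesSources $FileShare
}

function Get-SignatureStatus {
    $p = Get-MpPreference
    $s = Get-MpComputerStatus
    [pscustomobject]@{
        PlatformVersion  = $s.AMProductVersion            # e.g. 4.18.2007.8 in the screenshot
        EngineVersion    = $s.AMEngineVersion             # e.g. 1.1.17300.4
        SignatureVersion = $s.AntivirusSignatureVersion   # e.g. 1.321.1602.0
        SignatureAgeDays = $s.AntivirusSignatureAge
        LastUpdated      = $s.AntivirusSignatureLastUpdated
        IntervalHours    = $p.SignatureUpdateInterval
        ScheduledAt      = "$($p.SignatureScheduleDay) $($p.SignatureScheduleTime)"
        FallbackOrder    = $p.SignatureFallbackOrder
        FileShares       = $p.SignatureDefinitionUpdateFileSharesSources
    }
}

Set-SignatureUpdatePolicy
$status = Get-SignatureStatus
$status

# Signatures are published several times a day, so anything a day old or more
# means the schedule or the sources are not working. Force an update through
# the configured fallback order and check again.
if ($status.SignatureAgeDays -ge 1) {
    Update-MpSignature
    Get-SignatureStatus
}
```

Two caveats: values set locally with Set-MpPreference are overridden by matching GPO or Configuration Manager policy settings, so on a managed endpoint use the script only to verify what the policy produced; and WSUS only works as a source if the Defender definition classification is actually being approved there.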
MAPS (Microsoft Advanced Protection Service) also known as Cloud-delivered Protection
Cloud-delivered protection, or MAPS, can be enabled or disabled using Microsoft Intune, Microsoft Endpoint Configuration Manager, Group Policy, PowerShell cmdlets, or on individual clients in the Windows Security app (the Windows Security app is the new GUI for Windows Defender).
It is a collection of multiple protection engines that provide near-instant, automated protection against new and emerging threats, using machine learning to deliver protection to the endpoints. Cloud-delivered protection is always on and requires an active connection to the Internet to function. To make sure the required network connectivity is in place, follow Microsoft's guidance on configuring and validating network connections: a number of URLs must be allowed outbound through the firewall.
Below screenshot is from the same Antimalware policy in Configuration Manager where settings related to Security Intelligence updates are configured.
- Cloud Protection Service membership type – the options are "Do not join cloud protection service", "Basic membership" and "Advanced membership". This determines how much information is sent to the Microsoft Defender Antivirus cloud service: nothing at all, a list of detected malware (Basic), or the list of detected malware together with file paths and partial memory dumps (Advanced).
- Allow users to modify Cloud Protection Service settings – determines whether users can enable or disable cloud protection in the Windows Security app. See the second screenshot in this section.
- Level for blocking suspicious files – the options are Normal, High, "High with extra protection" and "Block unknown programs". "High" aggressively blocks unknown programs, "High with extra protection" does the same with additional protections that may have some performance impact, and "Block unknown programs" blocks all unknown programs.
- Allow extended cloud check to block and scan for up to (seconds) – how long a file remains blocked while the cloud protection service checks whether the file is known to be malicious. This value is added to the default of 10 seconds, so zero means the cloud protection service can hold a file for 10 seconds.
Have a look at the effect of setting "Allow users to modify Cloud Protection Service settings" to No. This screenshot is from the Windows Security app on Windows Server 2019.
As mentioned earlier, GPO can also be used to enable Cloud-delivered protection.
Computer Configuration/Policies/Administrative templates/Windows components/Windows Defender Antivirus/MAPS
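The same four cloud protection settings can be set and checked with the Defender cmdlets. This is an added example, not code from the original article: it enables Advanced membership with sample submission, sets the block level and extended timeout discussed above, validates that the endpoint can actually reach the MAPS service, and reads the effective values back. The block level "High" and the extra 20 seconds are assumed values chosen to match the policy options described; run it elevated.

```powershell
# Added example: enable cloud-delivered protection (MAPS) with Set-MpPreference,
# validate the connection with MpCmdRun.exe, and read the settings back.

function Enable-DefenderCloudProtection {
    param(
        # ConfigMgr "Normal" = Default, "High with extra protection" = HighPlus,
        # "Block unknown programs" = ZeroTolerance
        [ValidateSet('Default','High','HighPlus','ZeroTolerance')]
        [string]$BlockLevel = 'High',
        # Added on top of the default 10-second cloud check (0-50)
        [ValidateRange(0,50)][int]$ExtraSeconds = 20
    )
    # Membership type: Disabled = do not join, Basic, Advanced
    Set-MpPreference -MAPSReporting Advanced
    # Send samples automatically, except ones likely to contain personal data
    Set-MpPreference -SubmitSamplesConsent SendSafeSamples
    # "Level for blocking suspicious files"
    Set-MpPreference -CloudBlockLevel $BlockLevel
    # "Allow extended cloud check to block and scan for up to (seconds)"
    Set-MpPreference -CloudExtendedTimeout $ExtraSeconds
    # Block at First Sight depends on MAPS plus sample submission; keep it enabled
    Set-MpPreference -DisableBlockAtFirstSeen $false
}

function Test-DefenderCloudConnection {
    # MpCmdRun -ValidateMapsConnection performs a live round trip to the MAPS
    # service; a non-zero exit code usually means a proxy or firewall is in the way.
    $mpCmd = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'
    & $mpCmd -ValidateMapsConnection | Out-Null
    return ($LASTEXITCODE -eq 0)
}

function Get-DefenderCloudSettings {
    Get-MpPreference |
        Select-Object MAPSReporting, SubmitSamplesConsent, CloudBlockLevel,
                      CloudExtendedTimeout, DisableBlockAtFirstSeen
}

Enable-DefenderCloudProtection
if (-not (Test-DefenderCloudConnection)) {
    Write-Warning 'MAPS is configured but unreachable: check the outbound URL allow list and proxy settings.'
}
Get-DefenderCloudSettings
```

Note that the membership value is the switch for everything else here: with MAPSReporting set to Disabled, the block level, the extended timeout and Block at First Sight have nothing to talk to and silently do nothing, which is why validating the connection belongs next to the configuration rather than in a separate troubleshooting step. As with the update schedule, GPO or Configuration Manager policy takes precedence over these local values.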
Distribute/Deliver/Deploy Security Intelligence Updates
Suppose the sources for security intelligence updates (see the previous section), regardless of where they are configured (GPO, Configuration Manager, PowerShell or WMI), are defined in the following order:
- Microsoft Endpoint Configuration Manager
- WSUS
- Microsoft Updates
- MMPC
- File Shares
Obviously there is no compulsion to use all five; I have listed all of them for the sake of completeness.
The next step is to create a deployment method for delivering security intelligence and engine updates to the endpoints. Since Endpoint Configuration Manager is at the top, it is contacted first. If that fails, the next source in order, WSUS, is contacted, then Microsoft Updates, MMPC and finally File Shares.
Configuration Manager Software Updates can be used to deliver security intelligence updates to endpoints automatically. At a high level this means creating a deployment package and an ADR (Automatic Deployment Rule).
A deployment package is a container used to download updates to a file share folder. The update source files are then copied to the content library on the site servers and on the distribution points. The images below show a deployment package that we will use in the ADR.
As the name suggests, an ADR or Automatic Deployment Rule automatically deploys software and definition updates to a target collection (a group of devices). The screenshots below show an ADR that uses the deployment package from the screenshots above.
The other sources are configured in a similar way.
- WSUS – https://docs.microsoft.com/en-us/mem/configmgr/protect/deploy-use/endpoint-definitions-wsus
- Microsoft Updates – endpoints connect directly to Microsoft Update to download security intelligence and engine updates. Endpoints check the Microsoft Update site at the interval defined in the Security Intelligence updates section of the antimalware policy (second screenshot at the beginning of this article).
- File Share – a network file share is set up to download security intelligence updates from the MMPC site using a scheduled task. Endpoints then read the shared folder to install the updates.
- MMPC – endpoints download definition updates directly from the Microsoft Malware Protection Center.
In the second screenshot at the beginning of this article and the first screenshot under the Cloud-delivered Protection heading, you can see the settings related to security intelligence updates and cloud protection. Many other settings, alongside security intelligence and cloud protection, make up an antimalware policy: scheduled scans, scan settings, exclusions and threat overrides. The screenshots below show those settings.
Deploy Microsoft Defender
Since Microsoft Defender Antivirus is a core component of Windows 10, Windows Server 2016 and Windows Server 2019, a traditional deployment of the Defender Antivirus client is not required. All you have to do is manage Microsoft Defender Antivirus on the endpoints.
That said, Endpoint Configuration Manager can deploy the Endpoint Protection client to manage Microsoft Defender. This is useful for Windows 8.1 and earlier computers. Windows 10, Windows Server 2016 and Windows Server 2019 do not require any additional client: on these operating systems a management client for Windows Defender is installed together with the Configuration Manager client.
The screenshot below shows the default client settings for Endpoint Protection. You can also create custom client settings.
- Manage Endpoint Protection client on client computers – choose Yes if the Endpoint Protection client is already installed on the endpoints and you want to manage it with Configuration Manager. As mentioned above, Windows 10, Windows Server 2016 and 2019 do not need the Endpoint Protection agent installed; however, those devices still need "Manage Endpoint Protection client on client computers" set to Yes.
- Install Endpoint Protection client on client computers – select Yes to install and enable the Endpoint Protection client on endpoints. Selecting No does not uninstall an existing Endpoint Protection client.
CVAD Non-persistent VMs
Everything covered so far is sufficient to protect manually provisioned servers and persistent desktops. Non-persistent machines provisioned with PVS (Citrix Provisioning) or MCS present a new set of challenges: the base disk is read-only, and the traditional monthly patching of the base disk is not enough to ensure protection against emerging threats.
Defender definition updates are released at least once, and usually several times, per day. Letting each non-persistent VM download updates into its write cache or differencing disk every time it is rebooted hurts performance, because unpacking the downloaded security intelligence updates consumes CPU and memory on every individual machine. Although each security intelligence update is incremental and small because of the frequent release cadence, the network impact can still be significant, since the delta between the latest update and the one installed on the base image may be large. In short, the older the definitions on an endpoint, the larger the download. It is also important to understand that the reboot of a non-persistent VM is a window of opportunity for malware: until the update completes, the VM is protected only against threats known to the security intelligence installed on the base disk.
The best way to deal with all of these obstacles for non-persistent VMs is to have a dedicated VM, the host machine, download and unpack security intelligence updates at a regular interval onto a file share that the non-persistent VMs consume. This is the shared security intelligence update feature. The non-persistent VMs then do not have to download and unpack security intelligence updates every time they reboot, because that CPU-, memory-, disk- and bandwidth-intensive work has been offloaded to the host machine. You enable the feature by enabling the "Define security intelligence location for VDI clients" GPO and specifying the path to the file share.
The last hurdle is to minimize the window of opportunity. This is handled by the "Initiate security intelligence update on startup" and "Check for the latest virus and spyware security intelligence on startup" GPOs. The first tells a VM to update security intelligence on startup when no antimalware engine is present; the second makes it check for the latest antivirus and spyware updates at every startup.
The final and most important step is to configure the startup, shared security intelligence, source-order and other optimization GPOs, such as "Disable scans after an update" and "Enable headless UI mode", on the master vDisk or golden image.
The procedure to implement Microsoft Windows Defender for Citrix Virtual Apps and Desktops non-persistent VMs is already available in this Tech Community article by Jesse Esquivel, so I have decided not to rewrite or rephrase the instructions here. Besides, I don't think I can build a better mousetrap: when I first deployed this solution, I followed the same article.
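To make the two halves of the shared security intelligence setup concrete, here is an added example, not code from the original article or from Jesse Esquivel's guide. Part 1 is the scheduled task on the update host that downloads and unpacks the package onto the share; Part 2 is the set of image-side settings that correspond to the GPOs named above, applied once to the master vDisk or golden image before sealing, plus a read-back to confirm what a booted VM will use. The share \\fs01\wdav-update (local path C:\wdav-update on the host) is an assumption; the download link, the "/x" extraction switch and the GUID-shaped, time-stamped folder name follow Microsoft's published sample for this feature, so confirm them against the current documentation before relying on them.

```powershell
# Added example: shared security intelligence for non-persistent VMs.
# Part 1 runs on the update host every few hours; Part 2 runs once on the golden image.
# Assumed paths: C:\wdav-update on the host, shared as \\fs01\wdav-update.

# ---- Part 1: update host (scheduled task, SYSTEM or a dedicated service account) ----
$ShareRoot  = 'C:\wdav-update'
$PackageUri = 'https://go.microsoft.com/fwlink/?LinkID=121721&arch=x64'   # x64 package, per Microsoft's sample

function Update-SharedSecurityIntelligence {
    # One folder per package. The 12-digit time stamp fills the last GUID group
    # (as in Microsoft's sample) so folder names sort chronologically.
    $stamp   = Get-Date -Format 'yyMMddHHmmss'
    $pkgDir  = Join-Path $ShareRoot "{00000000-0000-0000-0000-$stamp}"
    $pkgFile = Join-Path $pkgDir 'mpam-fe.exe'

    New-Item -ItemType Directory -Force -Path $pkgDir | Out-Null
    Invoke-WebRequest -Uri $PackageUri -OutFile $pkgFile -UseBasicParsing

    # Unpack in place: the VMs read the extracted definition files, not the package.
    $proc = Start-Process -FilePath $pkgFile -ArgumentList '/x' `
                -WorkingDirectory $pkgDir -Wait -NoNewWindow -PassThru
    if ($proc.ExitCode -ne 0) {
        Remove-Item -Path $pkgDir -Recurse -Force    # never leave a half-unpacked folder behind
        throw "mpam-fe.exe /x failed with exit code $($proc.ExitCode)"
    }

    # Keep the three newest packages so a VM that is mid-update keeps its folder.
    Get-ChildItem -Path $ShareRoot -Directory |
        Sort-Object Name -Descending |
        Select-Object -Skip 3 |
        Remove-Item -Recurse -Force
}

# ---- Part 2: golden image (run once before sealing; GPO can set the same values) ----
function Set-VdiDefenderImageSettings {
    param([string]$SharePath = '\\fs01\wdav-update')

    # "Define security intelligence location for VDI clients"
    Set-MpPreference -SharedSignatureRoot $SharePath

    # Sources used when the shared location is unavailable (no Configuration Manager here)
    Set-MpPreference -SignatureFallbackOrder 'MicrosoftUpdateServer|MMPC'

    # "Initiate security intelligence update on startup": the cmdlet parameter is
    # phrased as the negative, so $false enables the update.
    Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $false

    # "Check for the latest virus and spyware security intelligence on startup" and
    # "Disable scans after an update" have no Set-MpPreference parameter. These are
    # the policy registry values I understand the ADMX writes for them (assumption:
    # confirm the value names against WindowsDefender.admx in your central store).
    $sigKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates'
    New-Item -Path $sigKey -Force | Out-Null
    Set-ItemProperty -Path $sigKey -Name 'UpdateOnStartUp'     -Value 1 -Type DWord
    Set-ItemProperty -Path $sigKey -Name 'DisableScanOnUpdate' -Value 1 -Type DWord

    # "Enable headless UI mode": users on the VDA do not get the Windows Security UI
    Set-MpPreference -UILockdown $true
}

# Read back what a booted VM will actually use, and flag stale definitions.
function Get-VdiDefenderState {
    $p = Get-MpPreference
    $s = Get-MpComputerStatus
    [pscustomobject]@{
        SharedSignatureRoot = $p.SharedSignatureRoot
        FallbackOrder       = $p.SignatureFallbackOrder
        UpdateOnStartup     = -not $p.SignatureDisableUpdateOnStartupWithoutEngine
        HeadlessUI          = $p.UILockdown
        SignatureVersion    = $s.AntivirusSignatureVersion
        SignatureAgeDays    = $s.AntivirusSignatureAge
        Stale               = ($s.AntivirusSignatureAge -ge 1)
    }
}

# Host:        Update-SharedSecurityIntelligence
# Golden image: Set-VdiDefenderImageSettings; Get-VdiDefenderState
```

Two practical points the GPO names do not make obvious. First, the share is a supply chain into every VM: grant the VDA machine accounts read-only access and let only the host's task account write, otherwise a compromised VM can poison the definitions every other VM loads at boot. Second, run Get-VdiDefenderState on a freshly booted VM, not on the sealed image: the image will report the signature version baked in at sealing time, and only a booted VM shows whether the shared location is actually being picked up.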
Please feel free to post your queries in the comment section or reach out to me directly.