Antivirus Considerations in a VMware Horizon EnvironmentVMware Horizon
Using antivirus software in any computing environment is a very important security consideration. Unless your operating system is protected from malware, you leave it open to negative and potentially destructive software infection. However, one of the consequences of having an operating system that is fully protected from viruses is that its performance can suffer. There is a balance between an acceptable level of security and an acceptable level of performance, and this varies from one environment to the next.
This article discusses the use of antivirus software in a VMware Horizon® environment, and changes that can be made to improve virtual machine performance without unduly compromising system security. If you are looking for information about a specific third-party antivirus vendor solution, see Additional Resources.
Caution: Before restricting your antivirus software settings in any way, seek guidance from your security team and your antivirus vendor to ensure that the restrictions are appropriate for you.
Areas of Consideration
When looking to adjustments to all-inclusive antivirus scanning in order to increase performance, there are several areas to consider. These apply to both single-user virtual desktops and session-based desktops and applications provided by RDSH.
There are several general considerations to take into account with virtual machines.
- Set real-time scanning to scan local drives only.
Important: If you are using antivirus solutions to monitor all other remote locations that host file shares, user profiles, redirected folders, and remote peripherals, there is no need for end-user desktops to also be scanning these locations.
- Always run a virus scan on master images before putting them into production.
- Use nonpersistent desktops. This mitigates risk by ensuring each user session is refreshed to a known clean state on logout.
- Disable scan on read for nonpersistent desktop pools.
Important: This assumes that the master image has already been scanned and is known to be virus free. It also does not mean to disable real-time scanning. Scan on write should still be enabled.
- Remove any unnecessary antivirus actions or processes from the desktop’s startup or login routines.
Important: Seek guidance from your security team or antivirus vendor if you are unsure what is unnecessary.
- Disable heuristic scanning on nonpersistent virtual machines (VMs).
- Make frequent software updates to your master images as needed. This ensures that if an end user needs their desktop refreshed or recomposed in order to clean a virus, they will lose as little software as possible.
- Disable auto-updates of antivirus software for nonpersistent desktop pools.
Important: This actually applies to any installed software, not just antivirus software, as updates made during use of a nonpersistent desktop will be lost on logout and refresh anyway. Ensure that you keep master images regularly updated with new antivirus software versions and signature files.
- Scan VMware View Composer persistent disks—formerly called user data disks (UDD)—for viruses on a regular basis. Because this type of disk is persistent, a refresh or recompose operation will not remove any viruses.
- Exclude low-risk files and folders from real-time scans on single-user View virtual machines or RDSH machines. Some locations include:
- Page files
- IIS log files
- Windows event logs
.pstx, and *
Important: Any low-risk files and folders excluded from real-time scans should still be scanned on a regular schedule.
Review the Microsoft support article, Virus scanning recommendations for Enterprise computers that are running currently supported versions of Windows, for general guidance on service exclusions.
Caution: Exclusions can present a security risk. Seek guidance from your security team and your antivirus vendor to ensure that any restrictions are appropriate for you.
Horizon Management Servers
There are several Horizon management servers that play a role in a VDI environment.
- Horizon Connection Servers broker the connections from users to their allocated resources.
- Enrollment servers are deployed to support the implementation of TrueSSO.
- Unified Access Gateway is a hardened Linux virtual appliance that resides in the DMZ. Unified Access Gateway ensures that the only remote desktop and application traffic that can enter the corporate data center is traffic on behalf of a strongly authenticated user.
Caution: The design of Unified Access Gateway ensures no weaknesses that a virus can exploit. The installation of antivirus software to Unified Access Gateway will stop it from functioning.
Consider excluding the following certain server folders from real-time scanning:
- Horizon Connection Servers:
C:\Documents and Settings\All Users\Application Data\VMware\VDM\backups
- For Enrolment Servers,
- For View Composer,
Important: These server folders should still be scanned on a regular schedule.
VMware App Volumes makes it easy to deliver, update, manage, and monitor applications, and users of those applications, across virtual desktop and published application environments. When working with App Volumes, consider the following when planning antivirus scanning:
- The App Volumes 4 packaging machine (called the provisioning machine in App Volumes 2.x) is used to create App Volumes 4 packages (or App Volumes 2.x AppStacks).
The packaging machine should use a snapshot that is known to be virus free but also has no antivirus software installed. The presence of antivirus software can interfere with the proper creation of a package or AppStack. You can make sure it is virus free by installing the required operating system and base software programs without it being on the network and taking the snapshot. Alternatively, you can install antivirus software to it, scan it, uninstall the antivirus software, and take the snapshot. If possible, disconnect the provisioning machine from the network when creating a package or AppStack.
- Consider excluding certain files and folders from real-time scanning on the App Volumes Manager.
C:\Program Files (x86)\CloudVolumes
- Important: These files and folders should still be scanned on a regular schedule.
C:\Program Files (x86)\CloudVolumes
- LDF files
- MDF files
- NDF files
- The App Volumes client is a machine that can have App Volumes 4 packages (or App Volumes 2.x AppStacks) attached; that is, Horizon single-user and session-based RDSH virtual desktops, Citrix XenApp servers, Citrix XenDesktops, and physical Windows desktops.
- On the App Volumes client, exclude
C:\Program Files (x86)\CloudVolumes\Agent\svservice.exefrom real-time scans.
Dynamic Environment Manager Scan Exclusions
VMware Dynamic Environment Manager delivers personalization and centrally managed policy configurations across virtual, physical, and cloud-based Windows desktop environments. Dynamic Environment Manager allows IT to control which settings users are allowed to personalize, and also maps environmental settings such as networks and location-specific printers.
On servers, exclude the FlexEngine log path from real-time scans. For example:
On clients, as with other network paths, exclude the following paths from real-time scans:
- Dynamic Environment Manager configuration share path
- Profile archive path
- Profile archive backup path
Additionally, in nonpersistent desktop pools that have a clean master image, you can exclude these Dynamic Environment Manager executables from real-time scans because they are known to be virus free:
Helpdesk Support Tool.exe
VMware ThinApp is a virtualization technology that isolates and encapsulates pre-installed applications. Virtualized applications are isolated from all other applications as well as from the underlying operating system. These packages can run on virtual or physical desktops, stream from a file share, or be placed on App Volumes 4 packages or App Volumes 2.x AppStacks.
When working with ThinApp, consider the following when planning antivirus scanning:
- Your ThinApp capture machine should use a snapshot that is known to be virus free but also has no antivirus software installed. The presence of antivirus software can interfere with the proper creation of a ThinApp package. You can make sure it is virus free by installing the required operating system and base software without it being on the network and taking the snapshot. Alternatively, you can install antivirus software to it, scan it, uninstall the antivirus software, and take the snapshot.
- If possible, do not have the capture machine connected to the network when capturing applications.
- When using a network share to store ThinApp packages, exclude all of the files known to be virus free from real-time scans. Do not exclude the directory itself, as it is possible that an unknown file can be accidentally written to the share by an administrator.
- Antivirus software has on occasion generated false-positives because of the signature used by ThinApp packages to store data. If the file actually is a ThinApp package, this is not an indication that the ThinApp package contains a virus.
VMware Horizon Cloud on Azure
Exclude VHD files for Horizon Cloud on Azure when using App Volumes.
Windows Defender Non Persistent Sample Configuration
The following Group Policy settings are a sample configuration for Windows Defender.
- Windows Components/Windows Defender Antivirus
- Randomize scheduled task times – Enabled
- Turn off Windows Defender Antivirus – Disabled
- Windows Components/Windows Defender Antivirus/Client Interface
- Suppress all notifications – Enabled
- Windows Components/Windows Defender Antivirus/Exclusions
- Extension Exclusions – Enabled
- Path Exclusions – Enabled
%Program Files (x86)%\CloudVolumes 0
- Process Exclusions – Enabled
%Program Files (x86)%\CloudVolumes\Agent\svservice.exe 0
%Program Files%\Immidio\FlexProfiles\FlexEngine.exe 0
%Program Files%\Immidio\FlexProfiles\FlexSyncTool.exe 0
%Program Files%\Immidio\FlexProfiles\Flex+ Helpdesk Support Tool.exe 0
%Program Files%\Immidio\FlexProfiles\Flex+ Self-Support.exe 0
- Windows Components/Windows Defender Antivirus/MAPS
- Configure the ‘Block at First Sight’ feature – Disabled
- Join Microsoft MAPS – Disabled
- Send file samples when further analysis is required – Disabled
- Windows Components/Windows Defender Antivirus/Reporting
- Turn off enhanced notifications – Enabled
To deploy the VMware Carbon Black sensor with VMware Horizon, refer to the following Knowledge Base article: Interoperatbility of VMware Carbon Black and Horizon.
This section lists third-party antivirus software vendors and Microsoft guides, and provides other links.
Antivirus Software Vendors
There are several antivirus software vendor articles that might be useful.
Note: VMware does not endorse or recommend any particular third-party antivirus software vendor, nor is this list meant to be exhaustive.
Microsoft provides the following guide on antivirus protection:
The following updates were made to this guide.
Description of Changes
About the Authors
Hilko Lantinga, Staff Architect, End User Computing, VMware wrote this paper.
Hilko specializes in 3D, Horizon Windows Desktops & RDSH, Linux and Applications. Previously he was a Senior Consultant in VMware Professional Services, leading large-scale EUC deployments in EMEA and has 20+ years of experience in end-user computing.
Alex Birch, VMware alumni
Gina Daly, Technical Marketing Manager, End-User Computing, VMware.
To comment on this paper, contact VMware End-User-Computing Technical Marketing at firstname.lastname@example.org.