exclusions vdi non-persistent

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

exclusions vdi non-persistent

L3 Networker

Hello, does anyone know if there is any document that tells us which folders and subfolders we should exclude from XDR when using Citrix and VMware Horizon with non-persistent VDI?

 

In Palo Alto's documentation, I don't see anything specific except for the app layers. However, both Citrix and VMware request the exclusion of many folders from the AV system. Can someone help?

Best regards
Tiago Marques
1 accepted solution

Accepted Solutions

L5 Sessionator

Hi @tlmarques ,

 

Thank you for writing to live community!

 

Besides what @aspatil mentioned, it really depends on Citrix variants that are available in your infrastructure. For example, there are some types of Citrix devices as below:

  • Storefront

  • Cloud Connector

  • Receiver for Windows

  • HVD Servers etc.

Based on the above and there could be many more, some whitelists that are generally made in Pre-execution modules of Cortex XDR Malware Profiles could be under the Citrix folders(eg. C:\ProgramData\Citrix\*,C:\Program Files (x86)\Citrix\*,C:\Program Files\Citrix\*)

 

However, we know that these are very broad whitelists and hence, you can ask your vendor to provide you with more granular whitelists which would definitely be a good use case to make under scanning and pre-execution allowlists.

 

Hope this helps. Please mark the response as "Accept as Solution" if it answers your query.

 

Regards

View solution in original post

3 REPLIES 3

L4 Transporter

Hello Tiago,

 

Thank you for writing to Live community.

 

Could you please refer below article and discussion and let me know if that helps.

https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/7.7/Cortex-XDR-Agent-Administrator-Guide/Corte...

 

https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/non-persistent-vdi-shows-up-as-golden-im...

 

Please mark the response as "Accept as Solution" if it answers your query.

 

Regards.

Ashutosh Patil

L5 Sessionator

Hi @tlmarques ,

 

Thank you for writing to live community!

 

Besides what @aspatil mentioned, it really depends on Citrix variants that are available in your infrastructure. For example, there are some types of Citrix devices as below:

  • Storefront

  • Cloud Connector

  • Receiver for Windows

  • HVD Servers etc.

Based on the above and there could be many more, some whitelists that are generally made in Pre-execution modules of Cortex XDR Malware Profiles could be under the Citrix folders(eg. C:\ProgramData\Citrix\*,C:\Program Files (x86)\Citrix\*,C:\Program Files\Citrix\*)

 

However, we know that these are very broad whitelists and hence, you can ask your vendor to provide you with more granular whitelists which would definitely be a good use case to make under scanning and pre-execution allowlists.

 

Hope this helps. Please mark the response as "Accept as Solution" if it answers your query.

 

Regards

L3 Networker

I've put the whitelist you share (eg. C:\ProgramData\Citrix\*,C:\Program Files (x86)\Citrix\*,C:\Program Files\Citrix\*) on "Portable Executable and DLL Examination"

Best regards
Tiago Marques
  • 1 accepted solution
  • 900 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!