In a hunt for complete best practices guide I found the following considerations:

ePo Agent recommendations:

Delete the Agent GUID for McAfee EPO agent; otherwise all machines deployed came up in EPO server as the same computer. So, if you are going to use the Provisioning Services image in Shared Image mode, Citrix recommends stopping the McAfee framework service and deleting the following registry key, just before your create your Provisioning Services image.
  • Stop the McAfee Framework service (but leave on Automatic start up) and delete the AgentGUID registry value: HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\ePolicy Orchestrator\Agent\
Additional registry keys may need to be cleared or deleted before rolling out an image in Standard Image mode. To run McAfee 8.5i and EPO on a vDisk in Standard Image mode, the values for the following registry keys must be deleted before imaging the Master Target Device (this could also be done after building the image by putting the image back into Private Image Mode):
  • Associates\ePolicy Orchestrator\Agent\AgentGUID
  • Associates\ePolicy Orchestrator\Agent\MACADDRESS
  • (if using Host Intrusion)
Make sure there is not a policy applied to this PC on EPO that restarts the framework service after X seconds…. (Otherwise this key might be recreated before you start the Provisioning Services image creation process).
The problem here is that each time a PC restarts in Shared Image Mode, a different GUID is recreated. It might be necessary to set EPO to delete stale entries from its Asset database. The results might also not provide a true reflection in reports of a particular PCs infection history, as it will have a new record in the EPO database each time a reboot occurs. This is preferable over having lots of PCs with only one of them having updated antivirus at a time.
Virusscanning recommendations:
  • Scan local drives only. DO NOT scan network drives.
  • Only scan “Incoming” files (ie. write events).
  • Exclude the pagefile(s) from being scanned.
  • The “%ProgramFiles%\Citrix” folder contains many configuration and log files that are always changing, especially the Local Host Cache (imalhc.mdb) and Resource Manager Local Database (RMLocalDatabase.mdb). You could exclude the whole folder. More specifically, the main ones are:
  • “%ProgramFiles%\Citrix\Citrix Resource Manager\LocalDB”
  • “%ProgramFiles%\Citrix\Citrix Resource Manager\SummaryFiles”
  • “%ProgramFiles%\Citrix\Independent Management Architecture”
  • “%ProgramFiles%\Citrix\logs”
  • Exclude the Print Spooler (%SystemRoot%\System32\spool\PRINTERS) folder. Note that in our deployments we typically place these folders on the non-System Drive.
  • We would recommend excluding as much of the user’s profile (%UserProfile%) as possible. In fact, the only folder that is of major concern is the Temporary Internet Cache (”%UserProfile%\Local Settings\Temporary Internet Files”).
  • If you do not exclude the Profiles, then exclude the user‘s Presentation Server Client bitmap cache (”%UserProfile%\Application Data\ICAClient\Cache” or “%AppData%\ICAClient\Cache”) used for ICA pass-through connections by the locally installed PNClassic and PNAgent.
  • Exclude .dat and .tmp files.
  • Disable the heuristics mode of scanning, this setting can be very intensive on the system
  • Exclude smss.exe, winlogon.exe, userinit.exe, csrss.exe and wfshell.exe
  • Exclude the Softgrid folders (especially the cache)
Provisioning Services recommendations:

Limit antivirus definition updates to the Target Device. Create a plan to upgrade the vDisk periodically using manual, automatic or automated techniques such as Automatic vDisk updates or by using something like WorkFlow Studio.
  • Avoid scanning your disk write cache location if that write cache is hosted on the Provisioning Services server. In limited testing it has been observed that most scanners cannot detect a virus within this location because of their inherit design and the methods used to determine a virus.
  • Do not scan your Targets I/O stream in real-time. This can cause excessive retries when the Target expects it’s I/O and that process is delayed by real-time scanning, there is good potential for a second and maybe more requests for the same packet fragment.
  • Avoid scanning the BNDevice.exe process on the Target. There are a few drivers that should be excluded from scanning, as well, in the <systemroot>\windows\system32\drivers directory you can exclude BNNS.sys, BNNF.sys, BNPort.sys, and bnistack.sys


General server recommendations

  • Turn off scanning of the Windows Update or Automatic Update database file (Datastore.edb). This file is located in the following folder: %windir%\SoftwareDistribution\Datastore
  • Turn off scanning of the log files that are located in the following folder:
  • “%windir%\SoftwareDistribution\Datastore\Logs” Specifically, exclude the following files: