20. July 2006 at 15:15 #158 Anonymous (Member)
To install AV on XPe clients, or not. That is the question.
No? – It appears many, if not most, people do not install it, as it uses up memory, adds overhead and degrades performance. If your network and server farm are protected and users have no access to local device resources, is it really necessary?
Yes? – Devices could still be compromised by a threat that gets into memory… a reboot would get rid of it via EWF, but in the meantime you could have zombies running. Updates would have to be scripted and pushed with Rapport, or I’ve heard it is possible to set up a non-EWF partition so that any auto-updates (like McAfee ePO) can be applied as usual.
Interested in any discussion anybody out there might have. Best practices? etc. I’m at least interested in not using AV on clients, but I don’t know if I could convince my bosses that it is safe/prudent. Thanks!

25. July 2006 at 23:20 #8735
Great question! Here is a bit of a blurb about XPe security to get the discussion going…
If a Wyse Windows XPe terminal were loaded with all the applications locally, had all the core binaries included and was an AD domain member, then it would essentially have the same attack vector as a Windows XP PC. In this scenario you would be bound to run by the Microsoft Operations Framework (MOF) as a minimum of good practice.
Thin computing is different: the security moves to the network, and authentication and network traversal become the security end points. In brief, here is a common customer deployment of Wyse XPe with a security focus:
– A customer configures a custom image with only the required components built into the image; this can be done from a modified Wyse image or built from the ground up as specific appliance firmware.
– The terminals are deployed in the network on a separate VLAN with only the minimum required ports to the Citrix Secure Gateway server and the Rapport server. 802.1x authentication can be carried out via MAC authentication or a proprietary client application. Essentially the terminals are treated as untrusted; all data and information will reside server side only.
– Clients authenticate to the secure network with smartcard or token; this is done via the ICA session and not by local domain credentials being stored on the terminal. Although the Wyse terminals can be domain members, this is not recommended. The OS is really a host for drivers and low-level networking protocols.
Some additional lockdown of the terminal is provided by the write filter, which prevents permanent changes to the OS. If we look, however, at a terminal that is compromised, it is interesting to assess the risks:
Virus infection: It is possible to run some anti-virus products on terminals; however, it is generally viewed as only adding complexity and expense to a deployment. If a device were to get a virus, a simple reboot of the terminal would remove it; the risk then becomes that the terminal will become re-infected and then become an infection source itself. Placing the terminals on the edge of the network, outside the trusted network, stops the trusted network being placed at risk. Also, terminals can be firewalled to stop network-borne viruses cross-infecting other terminals: Windows XPe SP2 includes the Windows firewall, or third-party products such as the Sygate enhanced firewall product can be used. Additionally, removing unused services and applications greatly lowers the attack surface for viruses; it is rare for terminals to contract viruses when configured this way. Internet kiosks that use Internet Explorer are generally at the greatest risk.
Network attacks: Similarly to viruses, firewalling and reducing the attack surface are very effective for mitigating this risk. If a unit is compromised, however, no data is stored locally; only the core OS and ICA client software is on the terminal, and this software is freely available. As only keyboard and mouse clicks and screen updates are being sent to the terminal via an ICA session, there is little of use to an attacker.
Administrative privilege: Gaining admin rights on a device is of little use; damage may be done to render the device inoperable, but once again no data is stored on the unit. As the devices are outside the trusted network, they cannot be used as a platform to launch an attack.
The above is a summary, not meant to detract from security, but to highlight that the focus moves in server-based computing. Network access becomes critical, and so does network traversal: if an attacker gains access to authenticate and launch an ICA session, they have now moved from the perimeter to the centre of the network, and this is where the main focus should be. Citrix have a number of excellent resources around these issues.
-TT

2. August 2006 at 12:23 #8740 Anonymous (Member)
I had the same project in 2004. We are currently using Symantec Antivirus on all our XPe devices.
Best practice from my view:
Install a Symantec Antivirus Server –> for pattern file updates.
Create a custom installation for the SAV client which points to your SAV server.
If you need more information, give me a sign. Our environment works very stable and safe. 8)

1. November 2006 at 11:59 #8884 peter1969 (Member)
How do you get the Wyse to install the latest virus definitions? Do you use a script where you disable/enable the write filter? As far as I know the parent server distributes the update automatically to the client. How do you know when to disable/enable the write filter? I presume you don’t know when the update is distributed?
/Peter

1. November 2006 at 12:07 #8885
What many do is create a third partition on the flash and format this as the D: drive. Do not protect this drive with the EWF; only protect the C: drive.
When you install the AV, install it to the D: drive.
-TT

31. August 2007 at 0:51 #10120 jmccammond (Member)
I am using XPE and McAfee ePO and having no problems… the thing that I am sure is different from what you are doing is that I am using the latest version of the write filter, and yes, Wyse can give it to you; it’s on version 621, not 503 that you can download from the site. What I did was exclude the folder for McAfee from the write filter. That way I have only one partition and am still able to get my updates. Before that I was updating the defs every time the unit would reboot. But I have to tell you… if you leave them without an antivirus and you get a virus on your network, it will be a résumé-producing event.

31. August 2007 at 8:55 #10121
Yes, the new WFR1 (Wyse Feature Release 1) has introduced the file-based write filter, so two partitions are no longer required for the AV dat file. I am in the process of writing an article on all of the current firmware releases, as there have been quite a few changes.
-TT

24. September 2007 at 10:49 #10271 peter1969 (Member)
I have installed Symantec Antivirus 10.2 on my V90 XPE. I have 660MB of free space on the C: drive.
When I start the Wyse V90 I get the error message “Scan failure: not enough free disk space to perform a scan”. Symantec Antivirus folders are on the exclusion list, using WFR1.
If possible, please help me with installing Symantec Antivirus.
Thanks

24. September 2007 at 11:41 #10273
A guess here: the temp folder is set to the Z: drive, which is only 16MB. If the scan is using this space up, maybe this is where the “out of disk space” message is coming from (Z: looks like a disk to Windows).
As a test of this, try increasing the RamDisk in the control panel, or see if the AV program can be set up to not use the temp drive but a specific location like C:\temp.
The problem with nearly all AV programs is they were never written with XPe in mind.
-TT

15. October 2007 at 15:24 #10450 tjsel (Member)
“I am using XPE and McAfee ePO and having no problems…”
Same here. Currently ePO 3.6.1/McAfee 8.0i. Got it going by using the “McAfee 8.0 AV Install on an XPe” document and registry keys.
Wondering if there are documents/registry keys available for an 8.5 install, as I’m preparing to upgrade to 8.5 across the enterprise.

2. January 2008 at 21:18 #11186
Hey, is there some reference material on how to exclude certain folders from the write filter on the new image?

3. January 2008 at 2:01 #11187
Not really 🙁
Log in as administrator and double-click the write filter icon in the task tray; there is a GUI where you can add folders to exclude.
-TT
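For anyone who does want the command-line route the next reply expected, here is an added example (not code from this thread, from Wyse, or from any AV vendor) that does the same thing as the tray GUI TT describes, using the fbwfmgr.exe tool that ships with the FBWF on the WFR1 image. The folder path is a placeholder you must replace with the folder your AV product actually writes its definition files to; the script also assumes fbwfmgr.exe returns a non-zero exit code when a command fails and accepts a quoted path containing spaces.

```batch
@echo off
rem Added example, not from the thread or from Wyse: command-line
rem counterpart of the FBWF tray GUI. Excludes one folder from the File
rem Based Write Filter so the AV engine can persist definition updates
rem across reboots. Run from an administrator command prompt on an XPe
rem image with FBWF (WFR1 or later).
rem
rem AV_DEFS is a placeholder: set it to the definitions folder of your
rem AV product, written relative to the volume root with a leading
rem backslash, which is the form fbwfmgr expects.

setlocal
set "AV_DEFS=\Program Files\YourAVVendor\Definitions"

rem 1. Check that fbwfmgr.exe exists on this image. Pre-WFR1 images ship
rem    only the EWF tools, which have no per-folder exclusion at all.
fbwfmgr /displayconfig >nul 2>&1
if errorlevel 1 (
    echo fbwfmgr.exe not available - this image does not have FBWF.
    exit /b 1
)

rem 2. Add the exclusion on the protected C: volume. Only this folder
rem    becomes persistent; everything else on C: stays discard-on-reboot.
fbwfmgr /addexclusion C: "%AV_DEFS%"
if errorlevel 1 (
    echo Failed to add exclusion for C:%AV_DEFS%
    exit /b 1
)

rem 3. Exclusion changes take effect only after a reboot. Print the
rem    resulting configuration so it can be verified before restarting.
fbwfmgr /displayconfig
echo Exclusion queued for C:%AV_DEFS% - reboot the terminal to apply it.
endlocal
```

Keep the exclusion as narrow as the AV product allows (the definitions folder rather than the whole product tree): anything written under an excluded folder survives a reboot, including anything a piece of malware manages to drop there, so every exclusion gives back a little of the persistence protection the write filter exists to provide. Running `fbwfmgr /displayconfig` after the reboot shows the exclusion list that is actually in force.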
3. January 2008 at 13:35 #11199
Oh… and here I thought it was going to be complicated and command-line driven, lol. Thanks for the info. 😀

3. January 2008 at 14:27 #11201 ConfGen (Keymaster)
Hey, that is a contradiction in itself. Wyse and complicated?? Never.
Ahhh, OK, almost never
Ahhhhhh, OK, only sometimes
😉

3. January 2008 at 20:06 #11209
Has anyone been able to get McAfee VirusScan 8.5 to work using the new FBWF?