antivirus on XPe devices

Viewing 15 posts - 1 through 15 (of 26 total)
    #158 Anonymous (Member)

    To install AV on XPe clients, or not. That is the question.

    No? It appears many if not most people do not install it, as it uses up memory, adds overhead and degrades performance. If your network and server farm are protected and users have no access to local device resources, is it really necessary?

    Yes? Devices could still be compromised by a threat that gets into memory... a reboot would get rid of it via EWF, but in the meantime you could have zombies running. Updates would have to be scripted and pushed with Rapport, or I've heard it is possible to set up a non-EWF partition so that any auto-updates (like McAfee ePO) can be applied as usual.

    Interested in any discussion anybody out there might have. Best practices? etc. I'm at least interested in not using AV on clients, but I don't know if I could convince my bosses that it is safe/prudent. Thanks!

    #8735 thinkthin (Member)

    Great question! Here is a bit of a blurb about XPe security to get the discussion going...

    If a Wyse Windows XPe terminal were loaded with all the applications locally, had all the core binaries included and was an AD domain member, then it would essentially have the same attack vector as a Windows XP PC. In this scenario you would be bound to run by the Microsoft Operations Framework (MOF) as a minimum of good practice.

    Thin computing is different: the security moves to the network, and authentication and network traversal become the security end points. In brief, here is a common customer deployment of Wyse XPe with a security focus:

    – A customer configures a custom image with only the required components built into the image; this can be done from a modified Wyse image or built from the ground up as specific appliance firmware.

    – The terminals are deployed in the network on a separate VLAN with only the minimum required ports to the Citrix Secure Gateway server and the Rapport server. 802.1x authentication can be carried out via MAC authentication or a proprietary client application. Essentially the terminals are treated as untrusted; all data and information will reside server side only.

    – Clients authenticate to the secure network with smartcard or token; this is done via the ICA session and not by local domain credentials being stored on the terminal. Although the Wyse terminals can be domain members, this is not recommended. The OS is really a host for drivers and low level networking protocols.

    Some additional lock down of the terminal is provided by the write filter that prevents permanent changes to the OS. If we look, however, at a terminal that is compromised, it's interesting to assess the risks:

    Virus Infection: It is possible to run some antivirus products on terminals; however, it is generally viewed as only adding complexity and expense to a deployment. If a device was to get a virus, a simple reboot of the terminal would remove it; the risk then becomes that the terminal will become re-infected and then become an infection source itself. Placing the terminals on the edge of the network outside the trusted network stops the trusted network being placed at risk. Also, terminals can be firewalled to stop network borne viruses cross infecting other terminals: Windows XPe SP2 includes the Windows firewall, or third party products such as the Sygate enhanced firewall product can be used. Additionally, removing unused services and applications greatly lowers the attack surface for viruses; it is rare for terminals to contract viruses when configured this way. Internet kiosks that use Internet Explorer generally are at the greatest risk.

    Network Attacks: Similarly to viruses, firewalling and reducing the attack surface are very effective for mitigating this risk. If a unit is compromised, however, no data is stored locally; only the core OS and ICA client software is on the terminal, and this software is freely available. As only keyboard, mouse clicks and screen updates are being sent to the terminal via an ICA session, there is little of use to an attacker.

    Administrative privilege: Gaining admin rights on a device is of little use; damage may be done to render the device inoperable, but once again no data is stored on the unit. As the devices are outside the trusted network, they cannot be used as a platform to launch an attack.

    The above is a summary, not meant to detract from security, but to highlight that the focus moves in server based computing. Network access becomes critical and so does network traversal: if an attacker gains access to authenticate and launch an ICA session, they have now moved from the perimeter to the centre of the network, and this is where the main focus should be. Citrix have a number of excellent resources around these issues.

    -TT

    #8740 Anonymous (Member)

    Hi,

    I had the same project in 2004. We are currently using Symantec Antivirus on all our XPe devices.

    Best Practice from my view:

    Install a Symantec Antivirus Server –> for pattern file updates.
    Create a custom installation for the SAV client, which points to your SAV server.

    If you need more information, give me a sign. Our environment works very stable and safe. 8)

    #8884 peter1969 (Member)

    Hi MDF,

    How do you get the Wyse to install the latest virus definitions? Do you use a script where you disable/enable the write filter? As far as I know the parent server distributes the update automatically to the client. How do you know when to disable/enable the write filter? I presume you don't know when the update is distributed?

    /Peter

    #8885 thinkthin (Member)

    Hi Peter,

    What many do is create a third partition on the flash and format this as the D: drive. Do not protect this drive with the EWF; only protect the C: drive.

    When you install the AV, install it to the D: drive.

    Cheers,
    -TT
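    Peter's question above was about scripting the write filter around a definition update when only one protected partition exists. The following batch file is an added example written for this thread, not something posted by its participants or shipped by Wyse or any AV vendor. It assumes `ewfmgr.exe` (the Enhanced Write Filter command-line manager that ships with XPe) is on the PATH, that the AV updater lives at the constructed path `C:\Program Files\ExampleAV\update.exe` and accepts a hypothetical `/silent` switch, and that it runs from an administrator account.

    ```batch
    @echo off
    REM Added example, not from this thread: persist an AV definition update
    REM through the Enhanced Write Filter on a single-partition XPe image.
    REM Assumes ewfmgr.exe is on the PATH and the script runs as administrator.
    setlocal

    REM Constructed path and switch for illustration only; substitute the real
    REM updater for the AV product actually installed on the terminal.
    set AV_UPDATER=C:\Program Files\ExampleAV\update.exe

    REM Log the overlay state before touching anything (ewfmgr with no switch
    REM prints the configuration of the protected volume).
    ewfmgr C:

    REM Pull the new definitions. With EWF enabled they land in the RAM overlay,
    REM so at this point nothing on flash has changed yet.
    "%AV_UPDATER%" /silent
    if errorlevel 1 (
        echo Definition update failed; overlay left uncommitted, flash untouched.
        exit /b 1
    )

    REM Mark the overlay for commit. The committed data is written to C: during
    REM the next reboot, so the new DAT files survive it.
    ewfmgr C: -commit
    if errorlevel 1 (
        echo ewfmgr commit failed; flash untouched.
        exit /b 1
    )

    REM Reboot to perform the commit.
    shutdown -r -t 30 -c "Committing antivirus definition update"
    endlocal
    ```

    One caveat a practitioner should keep in mind with this approach: `ewfmgr -commit` persists the entire overlay, not just the AV folder, so anything else that changed since the last boot (including a memory-resident infection the reboot was supposed to discard) is written to flash with it. Running the update from a freshly rebooted, otherwise idle terminal keeps the overlay clean, which is also why the separate D: partition suggested in this post, or a narrow FBWF exclusion, is the safer design.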

    #10120 jmccammond (Member)

    I am using XPE and McAfee ePO and having no problems... The thing that I am sure is different from what you are doing is that I am using the latest version of the write filter, and yes, Wyse can give it to you: it's on version 621, not 503 that you can download from the site. What I did was exclude the folder for McAfee from the write filter. That way I have only one partition and am still able to get my updates. Before that I was updating the defs every time the unit would reboot. But I have to tell you... if you leave them without an antivirus and you get a virus on your network, it will be a résumé producing event.

    #10121 thinkthin (Member)

    Hi,

    Yes, the new WFR1 (Wyse Feature Release 1) has introduced the file-based write filter, so 2 partitions are no longer required for the AV dat file. I am in the process of writing an article on all of the current firmware releases, as there have been quite a few changes.

    Cheers,
    -TT

    #10271 peter1969 (Member)

    Hi,

    I have installed Symantec Antivirus 10.2 on my V90 XPE. I have 660MB of free space on the C: drive.

    When I start the Wyse V90 I get the error message "Scan failure: not enough free disk space to perform a scan" – the Symantec Antivirus folders are on the exclusion list, using WFR1.

    If possible, please help me install Symantec Antivirus.

    Thanks

    #10273 thinkthin (Member)

    Hi Peter,

    A guess here: the temp folder is set to the Z: drive, which is only 16MB. If the scan is using this space up, maybe this is where the "out of disk space" message is coming from (Z: looks like a disk to Windows).

    As a test of this, try increasing the RamDisk in the control panel, or see if the AV program can be set up to not use the temp drive but a specific location like C:\temp.

    The problem with nearly all AV programs is they were never written with XPe in mind.

    Cheers,
    -TT

    #10450 tjsel (Member)

    @jmccammond wrote:

    I am using XPE and mcafee EPO and having no problems…

    Same here... Currently ePO 3.6.1/McAfee 8.0i. Got it going by using the "McAfee 8.0 AV Install on an XPe" document and registry keys.

    Wondering if there are documents/registry keys available for an 8.5 install, as I'm preparing to upgrade to 8.5 across the enterprise.

    #11186 Lrod (Member)

    Hey, is there some reference material on how to exclude certain folders from the write filter on the new image?

    #11187 thinkthin (Member)

    Not really 🙁

    Log in as administrator and double click the write filter icon in the task tray; there is a GUI where you can add folders to exclude.

    Cheers,
    -TT
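    The task-tray GUI described above has a command-line equivalent, which is what you would use when pushing the same exclusion to many terminals. The batch file below is an added example written for this thread, not code from its participants or from Wyse. It assumes `fbwfmgr.exe` (the File Based Write Filter manager included with the FBWF component on XPe) is on the PATH, that the AV product keeps its definition files under the constructed path `\Program Files\ExampleAV\DAT`, and that the script runs as administrator.

    ```batch
    @echo off
    REM Added example, not from this thread: exclude the AV definition folder
    REM from the File Based Write Filter so definition updates persist across
    REM reboots while the rest of C: stays protected.
    REM Assumes fbwfmgr.exe is on the PATH and the script runs as administrator.
    setlocal

    REM Constructed path for illustration; fbwfmgr takes the path relative to
    REM the volume, so no drive letter here. Keep it to the DAT folder only.
    set AV_DIR=\Program Files\ExampleAV\DAT

    REM Show the current FBWF state and the existing exclusion list.
    fbwfmgr /displayconfig

    REM Add the exclusion. It is stored on flash and takes effect after reboot.
    fbwfmgr /addexclusion C: "%AV_DIR%"
    if errorlevel 1 (
        echo Failed to add FBWF exclusion for %AV_DIR%
        exit /b 1
    )

    REM Confirm the entry is listed before rebooting.
    fbwfmgr /displayconfig | findstr /i "ExampleAV"
    if errorlevel 1 (
        echo Exclusion not found in FBWF configuration; not rebooting.
        exit /b 1
    )

    shutdown -r -t 30 -c "Applying FBWF exclusion for antivirus definitions"
    endlocal
    ```

    Everything written under an excluded path is permanent, so scope the exclusion to the definition directory rather than the product's whole Program Files tree: the scanning engine's binaries then remain under the write filter and are restored by a reboot like the rest of the OS, while only the DAT files are allowed to change.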

    #11199 Lrod (Member)

    Oh... and here I thought it was going to be complicated and command line driven, lol. Thanks for the info. 😀

    #11201
    ConfGenConfGen
    Keymaster
    • Total Post: 9890
    • Jedi Master
    • ★★★★★★★

    Hey, that is a contradiction in itself. Wyse and complicated?? Never.
    Ahhh, OK, almost never
    Ahhhhhh, OK, only sometimes

    😉

    #11209 Lrod (Member)

    Has anyone been able to get McAfee VirusScan 8.5 to work using the new FBWF?
