Citrix Provisioning Services Antivirus Best Practices

Article ID: CTX124185

Description

The environment may experience one or more of the following symptoms if the antivirus client is impacting either the Target Devices or the PVS Servers:

-  Target Devices (running the VDA software) may show an unknown power state and appear unregistered in Studio or Director.
-  Target Device or Server appears sluggish or generally slower than normal.
-  Target Devices boot slower than expected.
-  Target Device application delays, freezes, and increased keyboard and mouse latency.
-  Target Device retry count spikes.
-  Target Device BSOD, hangs, and machine freezes.
-  Prolonged, excessive CPU or memory utilization on both ends of the stream.
-  Significant change in Write Cache (WC) disk IO performance. For example, local disk 'write time' and/or 'write queue length' increase significantly.
-  During imaging, a Target Device fails to start the imaging wizard upon reboot. The PVS client displays a red X in its systray icon.
-  During boot, Target Device performance remains poor for a short time while the AV definitions are updated or a scan is completed.

Symptoms may vary greatly and are not limited to this list.


Resolution

Limit antivirus definition updates and full system scans to the Master Target Device or the Update Target Device while the vDisk is in read/write (maintenance) mode. The expected IO response time from the PVS server to a target request is typically about 1 ms, so any scanner placed in that path is noticeable. Do not scan the vDisk files or the vDisk Write Cache file. Disk IO that is altered, tampered with, corrupted, or delayed can cause an application or the operating system to fail immediately.

Avoid scanning the following processes, system drivers, and files on PVS Target Devices:

-  BNDevice.exe: handles client functions, licensing, etc.
-  BNIstack6.sys: IO protocol driver | UDP ports 6901-6930
-  CNicTeam.sys: NIC teaming driver, if NIC teaming is in use
-  CFsDep2.sys: file system minifilter
-  CVhdMp.sys: storage miniport driver
-  The write cache disk: the .vhdx file on the local hard drive

Avoid scanning, or whitelist, the following processes, drivers, and files on PVS Servers:

-  Streamprocess.exe: streaming engine | UDP ports 6901-6910
-  Streamservice.exe: service manager for the streaming services
-  Soapserver.exe: handles database connectivity and AD authentication
-  Inventory.exe: vDisk inventory | UDP port 6895
-  MgmtDaemon.exe: inter-server communication | UDP port 6898
-  Notifier.exe: inter-server communication | UDP port 6903
-  BNTFTP.exe: TFTP service, delivers the bootstrap | UDP port 69
-  PVSTSB.exe: Two Stage Boot service, delivers the bootstrap | UDP port 6969
-  BNPXE.exe: PXE service | broadcast protocol
-  CdfSvc.exe: Citrix Diagnostic Facility COM server
-  CFsDep2.sys: file system minifilter
-  CVhdMp.sys: storage miniport driver
-  Ardbp32.bin: BIOS PXE bootstrap file
-  Pvsnbp64.efi: UEFI PXE bootstrap file
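The following PowerShell script is an added example, not code from the Citrix article; it applies the two exclusion lists above to Microsoft Defender Antivirus using the Defender module's Add-MpPreference and Get-MpPreference cmdlets. Other AV products need the vendor's equivalent settings. The install directory, TFTP boot directory, vDisk store path, and write cache folder are assumptions (the article does not state them) and must be adjusted to the deployment.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the Citrix article: apply the article's PVS exclusion lists to
# Microsoft Defender Antivirus. Other AV products need their vendor's equivalent settings.
# Paths below are ASSUMED (the article does not state them); adjust them to your deployment.
param(
    [ValidateSet('Server', 'Target')]
    [string]$Role = 'Server',

    [string]$PvsDir        = 'C:\Program Files\Citrix\Provisioning Services',         # assumed install dir
    [string]$TftpBootDir   = 'C:\ProgramData\Citrix\Provisioning Services\Tftpboot',  # assumed bootstrap dir
    [string]$VDiskStore    = 'D:\vDiskStore',   # hypothetical vDisk store on the server
    [string]$WriteCacheDir = 'D:\WriteCache'    # hypothetical local write cache folder on the target
)

$DriverDir = Join-Path $env:SystemRoot 'System32\drivers'

# Process names taken from the article's lists.
$serverProcesses = 'Streamprocess.exe', 'Streamservice.exe', 'Soapserver.exe', 'Inventory.exe',
                   'MgmtDaemon.exe', 'Notifier.exe', 'BNTFTP.exe', 'PVSTSB.exe', 'BNPXE.exe', 'CdfSvc.exe'
$targetProcesses = @('BNDevice.exe')

# Kernel drivers are not processes, so the driver images are excluded by path.
$serverDrivers = 'CFsDep2.sys', 'CVhdMp.sys'
$targetDrivers = 'BNIstack6.sys', 'CNicTeam.sys', 'CFsDep2.sys', 'CVhdMp.sys'

if ($Role -eq 'Server') {
    $procs = $serverProcesses
    $paths = @($serverDrivers | ForEach-Object { Join-Path $DriverDir $_ })
    # Bootstrap files served by TFTP/PXE, plus the vDisk store holding the vDisk files.
    $paths += (Join-Path $TftpBootDir 'Ardbp32.bin'), (Join-Path $TftpBootDir 'Pvsnbp64.efi'), $VDiskStore
} else {
    $procs = $targetProcesses
    $paths = @($targetDrivers | ForEach-Object { Join-Path $DriverDir $_ })
    $paths += $WriteCacheDir
}

# Defender process exclusions skip files *opened by* the named process; the image itself is
# still scanned. A full path is used when the binary is found so the exclusion is unambiguous.
foreach ($name in $procs) {
    $full = Join-Path $PvsDir $name
    if (Test-Path $full) {
        Add-MpPreference -ExclusionProcess $full
    } else {
        Write-Warning "$full not found; excluding '$name' by image name only"
        Add-MpPreference -ExclusionProcess $name
    }
}

foreach ($path in $paths) {
    if (-not (Test-Path $path)) { Write-Warning "$path not found; adding the exclusion anyway" }
    Add-MpPreference -ExclusionPath $path
}

# The write cache file is a .vhdx on the local disk (per the article); vDisk files are .vhdx or .vhd.
Add-MpPreference -ExclusionExtension 'vhdx', 'vhd'

# Show the resulting exclusion sets so they can be checked against the article's lists.
Get-MpPreference | Select-Object ExclusionProcess, ExclusionPath, ExclusionExtension | Format-List
```

Run it elevated on each PVS server with -Role Server, and on the Master or Update Target Device while the vDisk is in read/write (maintenance) mode with -Role Target, so the exclusions are captured in the vDisk rather than lost with the write cache. The final Get-MpPreference call is the check that the exclusions actually landed; the same check after an AV client or policy update shows whether central policy has overwritten them.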


Problem Cause


1. If an antivirus program scans the data stream between servers and targets, it impedes the normal operation of PVS by causing disk IO delays and read/write failures, high availability (HA) problems, and more. In extreme cases the PVS target device and server consume more resources than necessary, driving up IO response times and causing a significant performance impact.

2. It is best practice to run a full system scan only while the vDisk is in maintenance mode (read/write). Real-time scanning can remain enabled, but the PVS components must be given an exception.

3. AV clients differ and include an array of additional features and functionality: threat protection, DLP, posture assessment, and others. Provisioning Services may not function correctly where such a feature introduces delay into the IO stream, and these additional features do not always honor the AV scanning exception list. If necessary, disable all additional features and functions except the AV scanning engine, with the PVS components excluded from it.

Issue/Introduction

This article provides a solution for environments in which antivirus software is not configured properly on PVS.

Additional Information

Updating the AV client in a maintenance vDisk is not always successful, and a new vDisk may be required. In that case, reverse image the vDisk and follow the initial Target Device installation steps: uninstall the PVS target device software on the reverse-imaged disk before updating the antivirus software, then reinstall the PVS target device software as the last maintenance step before running the imaging wizard again.

Antivirus clients vary from vendor to vendor; check with your antivirus vendor for specific instructions on configuring AV scanning exceptions. Citrix recommends testing the antivirus client software and its configuration before placing it into a provisioned (PVS) environment. Obtaining a performance baseline early may prove useful for future performance troubleshooting.
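An added example, not from the article, of capturing the performance baseline recommended above on a target device or server using the standard Windows performance counters through Get-Counter. The counters chosen correspond to the write cache disk and resource symptoms listed under Description; the sample interval, sample count, and output path are assumptions.

```powershell
# Added example, not from the Citrix article: collect a short performance baseline on a
# PVS target device or server so that later AV-related regressions can be compared against it.
# The counter names are standard Windows performance counters; interval, count and output
# path are ASSUMED defaults and can be changed on the command line.
param(
    [int]$IntervalSeconds = 5,
    [int]$Samples = 12,   # 12 x 5 s = one minute of data
    [string]$OutFile = "$env:TEMP\pvs-baseline-$(Get-Date -Format yyyyMMdd-HHmm).csv"
)

# Disk write latency and queue length cover the write cache symptoms in the article
# ('write time' and 'write queue length'); CPU and memory cover the prolonged utilisation symptom.
$counters = @(
    '\PhysicalDisk(_Total)\Avg. Disk sec/Write',
    '\PhysicalDisk(_Total)\Avg. Disk Write Queue Length',
    '\PhysicalDisk(_Total)\Disk Writes/sec',
    '\Processor(_Total)\% Processor Time',
    '\Memory\Available MBytes'
)

$data = Get-Counter -Counter $counters -SampleInterval $IntervalSeconds -MaxSamples $Samples

# Flatten to one row per sample per counter and keep the raw data for later comparison.
$rows = foreach ($set in $data) {
    foreach ($s in $set.CounterSamples) {
        [pscustomobject]@{
            Time    = $set.Timestamp
            Counter = $s.Path
            Value   = [math]::Round($s.CookedValue, 4)
        }
    }
}
$rows | Export-Csv -Path $OutFile -NoTypeInformation

# Summarise average and maximum per counter. 'Avg. Disk sec/Write' is in seconds, so 0.001 is 1 ms.
$rows | Group-Object Counter | ForEach-Object {
    $values = $_.Group.Value
    [pscustomobject]@{
        Counter = $_.Name
        Avg     = [math]::Round(($values | Measure-Object -Average).Average, 4)
        Max     = ($values | Measure-Object -Maximum).Maximum
    }
} | Format-Table -AutoSize

# Top CPU consumers at the end of the window; an AV engine at the top during boot or
# definition updates matches the boot-time symptom described in the article.
Get-Process | Sort-Object CPU -Descending | Select-Object -First 5 Name, CPU, WorkingSet64
```

Take the first capture on the master image before the AV client is introduced, then repeat it after the client and its exclusions are in place and again after each AV update; the CSV files give the before/after comparison that the article's symptom list otherwise leaves to guesswork.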

Citrix CVAD AV Guide -  https://docs.citrix.com/en-us/tech-zone/build/tech-papers/antivirus-best-practices.html