Summary
This document outlines best practices for configuring McAfee anti-virus in a Moka5 environment. It applies to environments running McAfee. Environments running other AV products may use it as a guide, but should consult the Moka5 KnowledgeBase for documents specific to their product.
Steps
Background
Moka5 Player is a virtual desktop solution that runs on users’ desktops and laptops. Player’s components include the encrypted files that contain the LivePC virtual desktop image and the processes that run the virtualized environment.
Many users run anti-virus (AV) products on their machines to protect them from malicious attack. If the machine is corporate issued, the AV product may be centrally managed by the user’s IT department. If the machine is a personal computer, the AV product may be installed and managed by the user.
Under typical configurations, Player and AV products run well together, neither affecting the other. Under some circumstances, however, AV products can degrade Player performance.
Reasons for impact to Player Performance
Under some circumstances, when Player and AV products are run on the same machine, AV products can interfere with Player performance and make for a poor user experience in the virtual desktop. This can happen for a few different reasons, each of which can be addressed.
• Scanning of Moka5 files and processes. AV products may be scanning the Moka5 virtual desktop image files or the active Player processes. The image files are large, encrypted containers, so scanning them is expensive and cannot inspect their contents; the intrusiveness of such scans can slow performance significantly.
• Machine may be resource constrained. AV products and Player both require computer resources to run, in addition to other applications that run on the host. If a machine has a relatively slow CPU or a small amount of RAM, Player performance can degrade to the point where the user experience is impacted.
• Aggressive scanning. AV product scanning frequency and breadth of coverage can be adjusted. If these are set aggressively, the scans can have a negative impact on all host applications, including Player.
• Many applications executing simultaneously. If the user starts many applications at once, including Player, the simultaneous load can reduce Player performance. When adding the load of an AV scan, user experience in the virtual desktop could deteriorate to an unacceptable level.
Excluding Moka5 files and processes from AV scanning
Of the different root factors, the scanning of Moka5 files and processes is relatively straightforward to implement and can help maintain performance on all endpoints. To do this, you configure the AV product to not scan Moka5 files and processes during its regular system scans.
Note that malware could deliberately write itself to an excluded path, or give itself an excluded filename, to avoid detection on machines where these exclusions are configured. This requires some understanding of the Moka5 layout and is unlikely compared with the many more productive attack vectors available to someone with malicious intent. Even so, keep exclusions as narrow as possible (specific paths and filename patterns, never whole drives), record them in your AV policy, and rely on the AV running inside the LivePC to cover what the host AV no longer sees.
Recommendations
Anti-Virus in the LivePC
Scan-at-startup
Because Moka5 loads a fresh copy of the system disk each time the LivePC starts, we strongly recommend NOT scanning the disk at LivePC start-up. The system layer is read-only and is reloaded from the known-good image on every boot, so it cannot retain an infection. If scan-at-startup is enabled, the entire LivePC is scanned every time it loads, which greatly increases load times for no detection benefit.
On-Access scanning
On-access scanning sets McAfee to scan every read and write against the machine’s drive (here, the LivePC). On a LivePC or a native machine this can slow operations across the board; even so, some organizations keep it enabled. The McAfee virus scanner loads after the FILO filter driver (the Moka5 layering driver) in the kernel stack, so McAfee cannot ‘see’ reads and writes to N:\ and M:\ separately; it sees every operation as a write to C:\. Because of this, the system disk (the known-good drive provisioned from the server) cannot be excluded from on-access scanning on its own, and excluding C:\ as a whole would also exempt the writable layers. On-access scanning therefore needs to remain enabled on Moka5 LivePCs for the full C:\ drive.
Scheduled drive scans
IT policy often includes regular scans of the C:\ drive (for example, a full drive scan that kicks off every Wednesday at 1PM). While such a scan runs, performance on both LivePCs and native machines can suffer.
In a layered LivePC the system drive is presented as C:\. All changes made in the Player are written to N:\ or M:\; Windows resolves these to the single C:\ drive, but N:\ and M:\ can still be addressed separately by a scheduled scan. We therefore strongly recommend configuring the LivePC’s McAfee agent to target only N:\ and M:\ for scheduled scans. This shortens scan time considerably and still covers every locally written file; the system layer is the known-good image from the server and is reloaded on each start.
Also, because a LivePC can be reverted to its known-good image after a compromise or other catastrophic failure, some organizations choose to lengthen the interval between scheduled scans.
Anti-Virus on the Host (Applies to Type 2 Only)
Anti-virus on the host, especially centrally managed AV, can cause performance problems when loading a LivePC. We recommend that host AV not scan the Moka5 file structure. The LivePC image files are encrypted, so a host-side scan of them is costly and cannot inspect their contents in any case. At a high level, exclude the entire Moka5 folder on the host.
This folder is located at:
- Windows (default location - this location can vary depending on where the user chooses to install their LivePC): %appdata%/mokafive
- Mac: ~/Library/Application Support/MokaFive
If you'd like to exclude specific files, you can do the following:
Moka5 stores encrypted LivePC image data in files with “tdsk” in the filename. Specifically, exclude the following file patterns from scanning:
• */system.tdsk.*
• */system1.tdsk.*
• */app.tdsk.*
• */user.tdsk.*
• */local.tdsk.*
Processes to exclude
Some AV products inject monitoring logic into running processes to detect modifications made to them at runtime. The AV product should not do this for the following paths:
• *\mokafive\livepcs\*
• *\Mokafive\Engine\bin\m5engine.exe
• *\win32\bin\m5engine.exe
• *\win32\bin\vmplayer.exe
• *\Mokafive\Engine\bin\vmplayer.exe
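As an added example (not code from Moka5 or McAfee), the following Python script checks what a set of exclusion patterns would actually exempt before they go into a policy. It takes the file and process patterns listed above and tests them against a constructed set of paths (hypothetical user “alice”), using Python’s fnmatch with Windows conventions as a stand-in for McAfee’s wildcard semantics, which is an assumption. It also tries a narrowed form of the file patterns, anchored under the LivePC store; that narrowing is a suggestion of this example, not a Moka5 recommendation. Running it shows two things worth knowing before rolling exclusions out: a bare `*/system.tdsk.*` exempts a file of that name anywhere on disk, and the directory pattern `*\mokafive\livepcs\*` exempts everything under that folder, not only processes.

```python
"""Audit how much a McAfee exclusion list actually exempts from scanning.

Added example for this article; it is not Moka5 or McAfee code. The file and
process patterns are the ones listed in the article. Matching uses Python's
fnmatch with Windows conventions (case-insensitive, '/' and '\\' equivalent),
which is an assumption about McAfee's wildcard semantics, not a reproduction.
"""
import fnmatch
from typing import Dict, Iterable, List

# Exclusion patterns as given in the article.
FILE_EXCLUSIONS = [
    "*/system.tdsk.*",
    "*/system1.tdsk.*",
    "*/app.tdsk.*",
    "*/user.tdsk.*",
    "*/local.tdsk.*",
]
PROCESS_EXCLUSIONS = [
    r"*\mokafive\livepcs\*",
    r"*\Mokafive\Engine\bin\m5engine.exe",
    r"*\win32\bin\m5engine.exe",
    r"*\win32\bin\vmplayer.exe",
    r"*\Mokafive\Engine\bin\vmplayer.exe",
]

# Constructed sample paths (hypothetical user 'alice'): a LivePC store, the
# engine binaries, and two unrelated downloads, one of which borrows an
# excluded filename to show whether a pattern is over-broad.
LIVEPC_STORE = r"C:\Users\alice\AppData\Roaming\mokafive\livepcs\Corp"
SAMPLE_PATHS = [
    LIVEPC_STORE + r"\system.tdsk.001",
    LIVEPC_STORE + r"\user.tdsk.meta",
    LIVEPC_STORE + r"\notes.txt",
    r"C:\Program Files\Mokafive\Engine\bin\m5engine.exe",
    r"C:\Program Files\Mokafive\Engine\bin\vmplayer.exe",
    r"C:\Users\alice\Downloads\system.tdsk.exe",
    r"C:\Users\alice\Downloads\invoice.exe",
]


def _norm(p: str) -> str:
    """Windows path normalisation: one separator style, case-folded."""
    return p.replace("/", "\\").lower()


def matches(pattern: str, path: str) -> bool:
    """True if the exclusion pattern would exempt this path from scanning."""
    return fnmatch.fnmatchcase(_norm(path), _norm(pattern))


def covered_by(patterns: Iterable[str], paths: Iterable[str]) -> Dict[str, List[str]]:
    """Map each pattern to the sample paths it exempts, for review."""
    paths = list(paths)
    return {pat: [p for p in paths if matches(pat, p)] for pat in patterns}


def excluded(patterns: Iterable[str], paths: Iterable[str]) -> List[str]:
    """Paths that at least one pattern exempts from scanning."""
    patterns = list(patterns)
    return [p for p in paths if any(matches(pat, p) for pat in patterns)]


def anchored(pattern: str, store_glob: str = r"*\mokafive\livepcs\*") -> str:
    """Suggested narrowing (an assumption of this example, not a Moka5
    recommendation): confine a bare filename pattern to the LivePC store so
    the same filename elsewhere on disk is still scanned."""
    name = _norm(pattern).lstrip("*\\")
    return store_glob + "\\" + name


ANCHORED_FILE_EXCLUSIONS = [anchored(p) for p in FILE_EXCLUSIONS]


def overbroad_hits(patterns: Iterable[str], narrowed: Iterable[str],
                   paths: Iterable[str]) -> List[str]:
    """Paths the broad list exempts that the narrowed list would still scan."""
    paths = list(paths)
    still_scanned = set(paths) - set(excluded(narrowed, paths))
    return [p for p in excluded(patterns, paths) if p in still_scanned]


if __name__ == "__main__":
    report = covered_by(FILE_EXCLUSIONS + PROCESS_EXCLUSIONS, SAMPLE_PATHS)
    for pat, hits in report.items():
        print(pat, "->", hits or "(no sample path)")
    print("over-broad:", overbroad_hits(FILE_EXCLUSIONS,
                                        ANCHORED_FILE_EXCLUSIONS, SAMPLE_PATHS))
```

Run it as a script to see which sample paths each pattern covers, then replace SAMPLE_PATHS with a real directory listing of the host’s Moka5 folder and a few unrelated paths before rolling the exclusions out; any hit outside the Moka5 tree is a candidate for narrowing.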