다음을 통해 공유


App-V 5 and Security Software (Anti-Virus, Application Protection, and Software Inventory) Guidelines

With regards to its interaction with security software, App-V 5.x is different from previous versions of App-V and Softgrid in that there are no artificial file system aspects. App-V 5.x uses the native NTFS file system and many extended features to establish a state-separated VFS (virtual file system.)

Due to this, there no necessary reasons to arbitrarily exclude any element related to the file system in App-V as was done in the past as there is no risk of a native file element being locked by an external security software component preventing the artificial elements from being properly accessed under acceptable performance. In Softgrid and App-V 4.x, we had .FSD’s and .PKG’s to exclude. In 5.x, these elements are human readable and not encapsulated inside of proprietary files where a battle of filters might commence. This allows for virtualized application assets to more easily be controlled as necessary by complementary security-related services. However, some of the extended optional features of the file system, in some cases, may warrant some specific configuration adjustments with regards to application performance and the App-V client functionality.

The Immutable Package Cache

The App-V Package Cache (also known as the PackageInstallationRoot or PIR) is a read-only package storage location that contains the read-only versions of the installed App-V packages (virtual applications.) When packages are fully mounted (cached) you will likely not encounter any issues when this area is being scanned by anti-virus applications.

The exceptions are when the packages are not cached due to the fact the packages have been published but not yet fully streamed, or the App-V client is configured to use the Shared Content Store. In these cases, the App-V package cache will be populated with NTFS sparse files. If you are planning to use the client in Shared Content Store mode (which is essentially stream-to-memory) you may want to consider excluding the package cache (by default located in %programdata%\App-V) from anti-viral scanning. The degree of performance impact of scanning the package cache also seems to vary across the anti-virus software spectrum.

CoW (Copy-on-Write Locations)

Given that all package state and user state files are relocated to User CoW locations and global state locations; it may be tempting to consider excluding those locations. From a security standpoint, it is not advised as App-V from 5.1 has reduced the number of CoW exclusions from over three dozen to only 4. As a result, many “executable” file format extensions (.js, .wsf, .cmd) no longer get blocked by CoW exclusions and can be relocated to modifiable locations with the user’s profile (%localappdata%\Microsoft\Appv)

Scanning Package Content on Content Servers.

In previous versions (4.6 and earlier) it was very difficult to scan the App-V packages due to obfuscation with the SFT file format. A resource kit utility was made available for these servers to allow read-only visibility into these packages. This was the SFTVIEW utility (https://www.microsoft.com/en-us/download/details.aspx?id=8897.)  Due to the AppV package being based upon the OPC/ZIP standard, it should be easily and safely scanned by Anti-virus software.

Software Inventory Scanning

Most software management applications, such as Microsoft’s Configuration Manager employ a software inventory scan mechanism that includes scanning the local drive for executable files. It is recommended that the Immutable package cache (Package Installation Root) be excluded from software inventory scanning, especially when operating in Share Content Store mode.

For example, this can be done easily for Configuration manager by placing a touched skpswi.dat file in the root of the PackageInstallationRoot. For more information on doing this specifically with Configuration Manager, see https://technet.microsoft.com/en-us/library/hh691018.aspx. Configuration Manager can query WMI to inventory published virtual applications without having to scan the App-V package cache.

Software Restriction Security Software

Software that can prevent the execution of unauthorized software should work well with App-V 5.x as the executables exist on the native NTFS file system. In 4.6, applications that needed to restrict executable launch required their services being configured as a service inclusion, meaning that it was brought into the virtual environments automatically. This is how AppLocker worked with 4.6. In the context of App-V 5, these are not necessary as executables can be whitelisted or blacklisted as needed by a variety of rules.

Is it Safe to Whitelist the Entire App-V Package Cache?

It is recommended to implement granularity in accordance to the normal security standards within your organization. However, since the package cache is immutable, exempting the entire package cache (especially within environments controlled by user-targeting from the publishing server) has grown in popularity without creating potential compromises.