Appstream and Windows Defender

0

Scenario is that our security team needs Windows defender running with "real time protection ON". The moment we turned it on, we notice deterioration in performance. The application is an old java swing JNLP ie when it starts, it downloads a lot of jar files into c:\users\photonuser\.cache folder. I am struggling to exclude this folder from defender scan rules

As per below link ,it seems I cant add %USERPROFILE% as it wont point to c:\users\photonuser and bizarre is that if I try to add a exclusion like "%USERPROFILE\.cache" image builder snapshotting fails in sysprep phase. ( AWS couldnt help find any root cause and it takes 12 hours to fail )

Would like to know what /how you guys managed to configure Windows defender in appstream

thanks in advance

https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/common-exclusion-mistakes-microsoft-defender-antivirus?view=o365-worldwide

Using incorrect environment variables as wildcards in the file name and folder path or extension exclusion lists

Microsoft Defender Antivirus Service runs in system context using the LocalSystem account, which means it gets information from the system environment variable, and not from the user environment variable. Use of environment variables as a wildcard in exclusion lists is limited to system variables and those applicable to processes running as an NT AUTHORITY\SYSTEM account. Therefore, don't use user environment variables as wildcards when adding Microsoft Defender Antivirus folder and process exclusions. See the table under System environment variables for a complete list of system environment variables.

asked a year ago703 views
1 Answer
1

While for anti-virus software or programs such as Windows defender can be used on AppStream 2.0. However, it can impact the performance of your fleet instances during user sessions even if automatic updates are not enabled [1] as it may perform hard drive scans or other operations that may impact the performance of your fleet instances during user sessions. [2]

While Microsoft releases its security updates for defender service and other components at monthly/quarterly basis. That means, you only need to update the defender service on the image builder when a new update is released by Microsoft. Then create a image and update your fleet with the latest image. So, you do not need to update your image hourly or daily basis. You are only required to update the image once Microsoft releases a latest update.

You can read more about this on the Microsoft article: Microsoft Endpoint Security and Configuring Microsoft Defender Antivirus for non-persistent VDI machines [3].

I found out this documentation page as well describing how it can be enabled. [4]

Additionally, I would love to investigate the issue further, as we require details that are non-public information. Please reach out to us by a support case.

References:

[1] Image Assistant CLI operations: https://docs.aws.amazon.com/appstream2/latest/developerguide/programmatically-create-image.html

[2] Scanning exclusions: https://docs.aws.amazon.com/whitepapers/latest/best-practices-for-deploying-amazon-appstream-2/security-1.html

[3] Configuring Microsoft Defender Antivirus for non-persistent VDI machines: https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/configuring-microsoft-defender-antivirus-for-non-persistent-vdi/ba-p/1489633

[4] Windows Update and Antivirus Software on AppStream 2.0: https://docs.aws.amazon.com/appstream2/latest/developerguide/administer-images.html#windows-update-antivirus-software

answered a year ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions