Microsoft Windows Defender Is Detecting Citrix Broker Service As Trojan

Microsoft Windows Defender Is Detecting Citrix Broker Service As Trojan

https://support.citrix.com/article/CTX279897

Solution
Citrix is aware of a potential issue impacting the Citrix Broker and Citrix HighAvailability services on the Delivery Controllers and Citrix Cloud Connectors respectively with Microsoft Defender installed. Please see the following article for best practices to configure Microsoft Windows Defender: https://docs.citrix.com/en-us/tech-zone/build/tech-papers/antivirus-best-practices.html.

On-Premises Deployment

Microsoft has released an updated Antivirus Definition 1.321.1341.0 to address this issue.

Please follow the below steps to clear the current cache and trigger an update, use a batch script that runs the following commands as an administrator:

cd %ProgramFiles%\Windows Defender
MpCmdRun.exe -removedefinitions -dynamicsignatures
MpCmdRun.exe -SignatureUpdate

Reference :
https://www.microsoft.com/en-us/wdsi/defenderupdates

If you continue to see the issue, please follow the below workarounds:

Workaround 1

The following steps can help restore the service:
Restore the quarantined files from Windows Defender by following this article: https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/restore-quarantined-files-microsoft-defender-antivirus
This includes the Citrix Broker Service, the Citrix High Availability Service and the Citrix Configuration Sync service.

Change the Log On for these services to Network Service.
Apply the exclusion list described in the article: https://docs.citrix.com/en-us/tech-zone/build/tech-papers/antivirus-best-practices.html.
Reboot the Citrix Delivery Controller machine
Try the below steps if the above workaround does not resolve the issue.

Workaround 2
Mount the Citrix Virtual Apps and Desktop ISO.
Navigate to the «\x64\Citrix Desktop Delivery Controller» folder.
Right Click Broker_Service_x64.msi and choose Repair.4. During the Repair, add the BrokerService.exe and the HighAvailabilityService.exe to the exclusion list in Microsoft Windows Defender Pop-up wizard.
5. If Microsoft Windows Defender Wizard does not pop-up automatically during the BrokerService.exe Repair , then follow https://docs.citrix.com/en-us/tech-zone/build/tech-papers/antivirus-best-practices.html. to add the exclusions manually.

Workaround 3
Disable/downgrade Microsoft Windows Defender Version.Refer to below Microsoft articles to add exclusions or roll back the update.

https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus

https://support.microsoft.com/en-in/help/4052623/update-for-microsoft-defender-antimalware-platform
Ensure Citrix Recommended AV exclusions are in place as per Citrix article: https://docs.citrix.com/en-us/tech-zone/build/tech-papers/antivirus-best-practices.html#antivirus-exclusions

Citrix Virtual Apps and Desktop Service

Workaround

Please follow the below steps on all Citrix Cloud Connector machines:
Restore the quarantined files from Windows Defender by following this article: https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/restore-quarantined-files-microsoft-defender-antivirus
This includes the Citrix High Availability Service and the Citrix Configuration Sync service.
Change the Log On for these services to Network Service.
Apply the exclusion list described in the article: https://docs.citrix.com/en-us/tech-zone/build/tech-papers/antivirus-best-practices.html#cloud-connector
Reboot the Citrix Cloud Connector

Note: If the files for Citrix High Availability Service and the Citrix Configuration Sync service. are no longer present in Windows Defender Quarantined files, then uninstall and reinstall the Citrix Cloud connector.

Problem Cause
Microsoft Windows Defender is detecting Citrix Broker Service as well as H ighAvalabilityService.exe as Trojan and deleting them.