Windows Defender blocks Citrix products and considers them to be malware
The Register reports that Citrix customers have been running into trouble: Windows Defender is classifying Citrix components as malware and quarantining them.
After security intelligence (definition) update 1.321.1319.0, delivered through the recurring KB2267602 package, users unexpectedly found that the Citrix Broker Service and High Availability Service had stopped working. Defender flags the BrokerService.exe binary as malware (an Agent Tesla trojan) and moves it to quarantine.
“Those wondering when the Microsoft love-in with Citrix might end will be relieved to learn that Microsoft Defender decided yesterday that Citrix Broker and High Availability Services bore all the hallmarks of a trojan,” the Register journalists note wryly.
Some administrators complained that the false positive had already taken down environments serving thousands of users.
According to Citrix, the problem can occur on Delivery Controllers and Citrix Cloud Connectors that have Microsoft Defender installed.
Microsoft has since shipped corrected definitions: security intelligence version 1.321.1341.0 no longer flags the Citrix components.
Affected customers are advised to update the definitions first and only then restore the quarantined files, since a binary restored under the faulty definitions is simply quarantined again on the next scan. Administrators are also advised to consider adding the specific Citrix binaries to the antivirus exclusions. Keep such exclusions as narrow as possible: excluding an entire Citrix directory leaves a blind spot that any real malware dropped into that directory would inherit.
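For administrators working through this, the following is an added example of the triage and recovery sequence described above, written for an elevated PowerShell session on an affected host. It is not from the article, from Citrix or from Microsoft. The Defender cmdlets and MpCmdRun.exe switches are standard; the Citrix install paths and service names are assumptions and must be checked against the actual detection record on the machine.

```powershell
# Added example (not from the article, Citrix or Microsoft): triage and recovery for the
# Defender false positive on Citrix Broker / High Availability Services.
# Run elevated on an affected Delivery Controller or Cloud Connector.
# Citrix paths and service names below are ASSUMPTIONS; verify them against the
# detection record (Get-MpThreatDetection) on the host before acting.

# 1. Which security intelligence version is the machine running?
#    1.321.1319.0 is the faulty version named in the article; 1.321.1341.0 carries the fix.
$status = Get-MpComputerStatus
"Signature version: {0}  (engine {1})" -f $status.AntivirusSignatureVersion, $status.AMEngineVersion

# 2. List recent detections that hit Citrix binaries. Resources holds strings such as
#    "file:_C:\Program Files\Citrix\Broker\Service\BrokerService.exe".
Get-MpThreatDetection |
    Where-Object { $_.Resources -match 'BrokerService\.exe|HighAvailabilityService\.exe' } |
    Select-Object InitialDetectionTime, ThreatID, ActionSuccess, Resources |
    Format-Table -AutoSize -Wrap

# Map ThreatID to the human-readable threat name (needed if restoring by name).
Get-MpThreat | Select-Object ThreatID, ThreatName, SeverityID

# 3. Pull the corrected definitions BEFORE restoring anything; otherwise the restored
#    binary is re-quarantined on the next scan.
Update-MpSignature
"Signature version after update: {0}" -f (Get-MpComputerStatus).AntivirusSignatureVersion

# 4. Restore the quarantined files. MpCmdRun can list quarantine and restore by original path.
$mpcmd = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'
& $mpcmd -Restore -ListAll

$citrixBinaries = @(
    'C:\Program Files\Citrix\Broker\Service\BrokerService.exe',          # assumed path
    'C:\Program Files\Citrix\Broker\Service\HighAvailabilityService.exe'  # assumed path
)
foreach ($bin in $citrixBinaries) {
    & $mpcmd -Restore -FilePath $bin
}

# 5. Exclusions are opt-in here and deliberately per-file, not per-directory, so the
#    blind spot stays as small as possible.
$addExclusions = $false
if ($addExclusions) {
    foreach ($bin in $citrixBinaries) {
        if (Test-Path $bin) { Add-MpPreference -ExclusionPath $bin }
    }
    "Current path exclusions:"
    (Get-MpPreference).ExclusionPath
}

# 6. Bring the services back once the binaries are in place (display names assumed).
Get-Service -DisplayName 'Citrix Broker Service', 'Citrix High Availability Service' -ErrorAction SilentlyContinue |
    Restart-Service -PassThru
```

Step 2 is worth running before anything else: it tells you exactly which files were quarantined and under which threat name, so you restore only what Defender actually took and do not guess at paths.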
“Still, Citrix administrators will be relieved that at least the update did not sling an animated paperclip onto the screen, saying: ‘It looks like you’re trying to do some virtualization. Would you like some help with that? Maybe with Windows Virtual Desktop in Azure?’” the Register journalists continue, unappeased.
At the same time, these oddities of Windows Defender point to a lack of care, or an excessive workload, on the part of its developers. We have already written that Windows Defender flags CCleaner as PUA and treats the HOSTS file as malicious when it is used to block telemetry.
All of these incidents are a reminder that it is good practice to test updates thoroughly before letting them into production. When a product is updated as often as Microsoft Defender's definitions are, however, that may not be feasible.