Endpoint Standard: Citrix Virtual Memory Optimization Service leads to Unexpected Policy Deny
Carbon Black Cloud Sensor: 188.8.131.529 and earlier
Endpoint Standard (Formerly CB Defense)
Microsoft Windows: All Supported Versions
Citrix Xenapp: Versions 5.0-6.5
Unexpected Policy Deny Alerts are received in the Carbon Black Cloud Console. For example:
The application c:\program files (x86)\citrix\server resource management\memory optimization management\program\ctxbace.exe attempted to execute content from an alternate data stream c:\windows\assembly\nativeimages_v4.0.30319_64\system.serv759bfb78#\55fdc5ecc34b13ee35a9ccf13a66fdf2\system.serviceprocess.ni.dll:ngsv2099.3. A Deny policy action was applied.
Citrix's Virtual Memory Optimization service writes a modified copy of the DLL into an Alternate Data Stream (ADS) of the original file. The copy is rebased to a fixed (normalized) base address, which invalidates its embedded digital signature, and any subsequent load of the original DLL is redirected to the ADS copy. The sensor therefore observes a new, unsigned image being executed from an alternate data stream, and the policy's Deny action for that behavior is applied.
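To confirm this cause on an affected host before applying the workaround, the following script (an added example, not code from this article, Carbon Black, or Citrix) enumerates alternate data streams on the .NET native image DLLs, copies each stream out, and reports its SHA-256 hash and Authenticode status next to the original file's. The folder path is taken from the alert text above; the 32-bit folder (NativeImages_v4.0.30319_32) can be passed instead via -NativeImageRoot. The function name Get-AdsImageReport and the temp-file approach are this example's own choices.

```powershell
# Added example; not code from the KB article, Carbon Black, or Citrix.
# Assumes the native image folder named in the alert and that the Citrix copy
# lives in a non-default stream of the .dll, as the alert text shows.
param(
    [string]$NativeImageRoot = "$env:windir\assembly\NativeImages_v4.0.30319_64"
)

function Get-AdsImageReport {
    param([string]$Root)

    # Windows PowerShell 5.1 and PowerShell 7 spell the "raw bytes" switch differently.
    $byteSwitch = if ($PSVersionTable.PSVersion.Major -ge 6) { @{ AsByteStream = $true } }
                  else { @{ Encoding = 'Byte' } }

    Get-ChildItem -Path $Root -Recurse -File -Filter *.dll -ErrorAction SilentlyContinue |
    ForEach-Object {
        $dll = $_
        $origSig  = Get-AuthenticodeSignature -FilePath $dll.FullName
        $origHash = (Get-FileHash -LiteralPath $dll.FullName -Algorithm SHA256).Hash

        # ':$DATA' is the file's main stream; everything else is an alternate data stream.
        Get-Item -LiteralPath $dll.FullName -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' } |
        ForEach-Object {
            $streamName = $_.Stream
            $tmp = Join-Path $env:TEMP ("ads_check_{0}.dll" -f [guid]::NewGuid())
            try {
                # Copy the stream out to a regular file so the hash and signature
                # cmdlets inspect exactly the bytes the loader would be redirected to.
                $bytes = Get-Content -LiteralPath $dll.FullName -Stream $streamName -ReadCount 0 @byteSwitch
                [System.IO.File]::WriteAllBytes($tmp, [byte[]]$bytes)
                $adsSig = Get-AuthenticodeSignature -FilePath $tmp

                [pscustomobject]@{
                    File          = $dll.FullName
                    Stream        = $streamName
                    StreamBytes   = $_.Length
                    OrigSHA256    = $origHash
                    AdsSHA256     = (Get-FileHash -LiteralPath $tmp -Algorithm SHA256).Hash
                    OrigSigStatus = $origSig.Status
                    AdsSigStatus  = $adsSig.Status   # rebased copy: expect no valid signature
                }
            } finally {
                Remove-Item -LiteralPath $tmp -Force -ErrorAction SilentlyContinue
            }
        }
    }
}

Get-AdsImageReport -Root $NativeImageRoot | Sort-Object File | Format-Table -AutoSize
```

Run this in an elevated PowerShell session on the XenApp host. A differing AdsSHA256 value is the "unique new hash" the sensor reports, and a non-Valid AdsSigStatus on a stream whose original file is signed matches the invalid-signature condition described above. Files listed with no streams at all are unaffected.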
Disable the Virtual Memory Optimization service. If that is not an option, a permissions rule that bypasses CtxBace.exe can be configured as a workaround.
The filename and process name in the Policy Deny may vary, because the Citrix memory optimization process rewrites different DLLs on different hosts.
Virtual Memory Optimization will also cause the sensor to report a unique new hash with an invalid digital signature, and possibly an unknown reputation, for each rebased copy.
While there may be memory savings from using Citrix's service, we also believe there is a security risk associated with this feature: by normalizing the base addresses, the system is effectively bypassing the operating system's Address Space Layout Randomization (ASLR) protection.
Carbon Black’s January 2021 Maintenance Release of the Windows Sensor will allow ADS dll loads if Citrix Virtual Memory Optimization is detected.