
Endpoint Standard: Citrix Virtual Memory Optimization Service leads to Unexpected Policy Deny

Environment

  • Carbon Black Cloud Sensor: 3.6.0.1979 and earlier
    • Endpoint Standard (Formerly CB Defense)
  • Microsoft Windows: All Supported Versions
  • Citrix XenApp: Versions 5.0-6.5

Symptoms

Unexpected Policy Deny alerts are received in the Carbon Black Cloud console. For example:

The application c:\program files (x86)\citrix\server resource management\memory optimization management\program\ctxbace.exe attempted to execute content from an alternate data stream c:\windows\assembly\nativeimages_v4.0.30319_64\system.serv759bfb78#\55fdc5ecc34b13ee35a9ccf13a66fdf2\system.serviceprocess.ni.dll:ngsv2099.3. A Deny policy action was applied.

Cause

Citrix's Virtual Memory Optimization service writes a modified copy of the DLL into an Alternate Data Stream (ADS) of the original file. This modified copy has a normalized base address and an invalid digital signature, and any load of the original DLL is redirected to the Alternate Data Stream, which the sensor sees as a process executing content from an ADS.
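Added as a read-only check for this article (not Carbon Black's or Citrix's code): a PowerShell script that lists alternate data streams on .NET native-image DLLs under the Windows assembly directory and hashes each stream, so a Policy Deny on "<file>.ni.dll:<stream>" can be confirmed as the Citrix copy described above. The root path (the parent of the directory quoted in the alert) and the ':$DATA' primary-stream name are assumptions; run it in an elevated PowerShell on the affected Citrix server.

```powershell
# Added example, not from the Carbon Black article. Enumerates ADS on
# native-image DLLs and hashes both the primary stream and each ADS so the
# "unique new hash" the sensor reports can be tied back to a specific file.
# Assumption: $Root is the parent of the nativeimages_* directory in the alert.
param(
    [string]$Root = "$env:windir\assembly"
)

function Get-StreamSha256 {
    param([string]$Path, [string]$Stream)
    # Read the stream as raw bytes; the byte-mode switch differs by PS version.
    if ($PSVersionTable.PSVersion.Major -ge 6) {
        $bytes = Get-Content -LiteralPath $Path -Stream $Stream -AsByteStream -ReadCount 0
    } else {
        $bytes = Get-Content -LiteralPath $Path -Stream $Stream -Encoding Byte -ReadCount 0
    }
    if (-not $bytes) { return $null }   # empty stream: nothing to hash
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try { ([System.BitConverter]::ToString($sha.ComputeHash([byte[]]$bytes))).Replace('-', '') }
    finally { $sha.Dispose() }
}

$findings = Get-ChildItem -LiteralPath $Root -Recurse -Filter '*.ni.dll' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_.FullName
        # ':$DATA' is the primary stream; any other stream name is an ADS.
        Get-Item -LiteralPath $file -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object {
                [pscustomobject]@{
                    File        = $file
                    Stream      = $_.Stream
                    StreamBytes = $_.Length
                    PrimarySha  = (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash
                    AdsSha      = Get-StreamSha256 -Path $file -Stream $_.Stream
                    # Signature status of the primary stream only; the ADS copy
                    # is expected to fail signature validation per the article.
                    PrimarySig  = (Get-AuthenticodeSignature -LiteralPath $file).Status
                }
            }
    }

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    Write-Output "No alternate data streams found on native-image DLLs under $Root"
}
```

A row whose AdsSha differs from PrimarySha, with a stream name like the one in the alert, matches the behaviour the Cause section describes; if no rows appear, the Policy Deny likely has a different origin.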

Resolution

Disable the Virtual Memory Optimization Service. If this is not an option, a permissions rule to bypass CtxBace.exe can be configured as a workaround.

Additional Notes

  • The filename and process name in the Policy Deny may vary, because the Citrix memory optimization process rewrites many DLLs.
  • Virtual Memory Optimization will also cause the sensor to report a unique new hash with an invalid digital signature and possibly an unknown reputation.
  • While there may be memory savings from using Citrix's service, we also believe there is a security risk associated with this feature: by normalizing the base addresses, the system is effectively bypassing the operating system's Address Space Layout Randomization (ASLR) security feature.
  • Carbon Black's January 2021 Maintenance Release of the Windows Sensor will allow ADS DLL loads if Citrix Virtual Memory Optimization is detected.

Creation Date: 01-20-2021