Problem:
- Antivirus slows logon while scanning ProfileUnity program files and directories.
- Causes slowdown of the VM
- Causes file corruption
Resolution:
ProfileUnity Client Tools Installation Path
PHASE 1
Exclude the entire "C:\Program Files\ProfileUnity" folder, and all sub-folders and files. Each A/V solution has a different way of specifying recursion, e.g. C:\Program Files\ProfileUnity\* or C:\Program Files\ProfileUnity\**
Or you can list all the binary files for your specific installation by running these 2 PowerShell commands:
(Get-ChildItem -Recurse 'C:\Program Files\ProfileUnity\' -File -Include "*.dll","*.exe","*.cab","*.sys").FullName > $env:userprofile\Desktop\687R2_DllExeCabSys_List.txt
(Get-ChildItem 'C:\Windows\System32\drivers\' -File cb*.sys).FullName >> $env:userprofile\Desktop\687R2_DllExeCabSys_List.txt
(the second command gets the currently-installed filter drivers)
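A review step to run before creating file-level exclusions, as an added example that is not part of the original article or Liquidware's tooling: it builds the same file list as the two commands above and records each file's Authenticode signature status, signer and SHA-256 hash, so unsigned or altered binaries are noticed before they are excluded from scanning. The report file name is an assumption.

```powershell
# Added example: review signatures of the binaries before excluding them from AV scanning.
# Paths are the ones listed in this article; the report file name is an assumption.
$root    = 'C:\Program Files\ProfileUnity\'
$drivers = 'C:\Windows\System32\drivers\'
$report  = Join-Path $env:USERPROFILE 'Desktop\ProfileUnity_ExclusionReview.csv'

# Same selection as the two commands above: client binaries plus cb*.sys filter drivers.
$files = @()
if (Test-Path -LiteralPath $root) {
    $files += Get-ChildItem -Path $root -Recurse -File -Include '*.dll','*.exe','*.cab','*.sys'
}
$files += Get-ChildItem -Path $drivers -File -Filter 'cb*.sys'

# One record per file: signature status, signer subject, hash and last write time.
$results = foreach ($f in $files) {
    $sig = Get-AuthenticodeSignature -LiteralPath $f.FullName
    [pscustomobject]@{
        Path      = $f.FullName
        Status    = $sig.Status    # e.g. Valid, NotSigned, HashMismatch
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        SHA256    = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
        LastWrite = $f.LastWriteTimeUtc
    }
}

# Keep the full report as a baseline to compare against after upgrades or hotfixes.
$results | Export-Csv -Path $report -NoTypeInformation

# Summary: how many files per signature status and signer.
$results | Group-Object Status, Signer | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# List anything that is not validly signed so it can be reviewed before it is excluded.
$review = @($results | Where-Object { $_.Status -ne 'Valid' })
if ($review.Count -gt 0) {
    Write-Warning "$($review.Count) file(s) without a valid signature; review before excluding:"
    $review | Select-Object Status, Path | Format-Table -AutoSize
}
```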
Filter Drivers
6.8.5 & 6.8.6
C:\Windows\System32\drivers\cbregistry20.sys
C:\Windows\System32\drivers\cbregistry.sys
C:\Windows\System32\drivers\cbfilter20.sys
6.8.7 & 6.8.7R2
C:\Windows\System32\drivers\cbregistry22.sys
C:\Windows\System32\drivers\cbfilter22.sys
C:\Windows\System32\drivers\cbprocess22.sys
These driver versions may change. A HotFix released after GA might have updated the drivers; additional information is available here:
https://support.liquidware.com/hc/en-us/articles/360033876051-ProfileUnity-Hot-fix-List
C:\Windows\System32\drivers\cbregistry24.sys
C:\Windows\System32\drivers\cbfilter24.sys
C:\Windows\System32\drivers\cbprocess24.sys
PHASE 2 - Continue only if performance has not increased to desired level!
ProfileUnity on network shares:
\\<domainname>\netlogon\profileunity\:
Note: This is the current default deployment path. If unsure, check the ProfileUnity console under Administration (top right) -> ProfileUnity Tools -> Deployment Path.
7z\x64\7z.exe
7z\x86\7z.exe
LwL.ProfileUnity.Client.Startup.exe
LwL.ProfileUnity.Client.Startup.Update.exe
LwL.ProfileUnity.Client.Logoff.exe
User's home portability/vhdx directories:
- \\profileserver\profiles\%username%\Portability (recursive)
- Exclude: *.7z, *.lou, *.lbr, *.vhd, *.vhdx and *.manifest files located inside.
DIA software storage location for DIA applications:
- \\server\share\DIA_APPS\
- Exclude: *.vhd, *.vhdx
ProfileUnity Temporary directories:
System Temp Directories:
- C:\Windows\Temp\ProfileUnity
- C:\ProgramData\Liquidware (recursive)
User Temp Directory
- %temp%\ProfileUnity
- This directory can be redirected to a fixed location like C:\PUTemp using ProfileUnity ADM GPO template.
- KB: How to setup custom ProfileUnity Temp directory.
The FlexApp package and ProfileDisk mount directories:
- C:\FADIA-T (recursive)
- C:\ProfileDiskMounts
- C:\Users\ProfileDisk
Users Local Portability Manifest Location
%USERPROFILE%\ProfileUnity (recursive)
For SMB cache mode and cloud for FlexApp Block level caching:
- Block cache path = C:\DiskShadowData
Additional AV Application Specific Information
Trend Micro Apex One (formerly OfficeScan) Specific
Please refer to the attached trendexclusions.docx and zipped AV.zip for examples
Microsoft Windows Defender Specific
Please refer to attached Defender Exceptions.zip, which includes a GPO output of example path exclusions
Another consideration: the Microsoft Defender 365 feature called "Attack Surface Reduction" (a.k.a. ASR) can block ProfileUnity from using elevation. When this is turned on, the default policy that is enabled causes this issue. Customers need to approve the rules in the cloud portal for exclusions.
CrowdStrike
The full list provided in the CrowdStrike txt attachment below was generated using the PowerShell commands at the top of this article. It can be simpler to use a folder-level, recursive exclusion combined with 3 file-level exclusions instead of the 600+ file-level exclusions found in the txt file:
Program Files\ProfileUnity\** (all versions)
Windows\System32\drivers\cbfilter22.sys (6.8.7 and 6.8.7 R2)
Windows\System32\drivers\cbprocess22.sys (6.8.7 and 6.8.7 R2)
Windows\System32\drivers\cbregistry22.sys (6.8.7 and 6.8.7 R2)
When using Citrix VDA 7.1.4 or above, add C:\Windows\System32\vds.exe to the trusted program list.
See the attached files for exclusion examples specific to those AV products.
Related article
ProfileUnity Console executables on the PU Server:
- "C:\Program Files (x86)\Liquidware Labs\ProfileUnity" and sub folders+files
- "C:\Program Files\MongoDB" and sub folders+files
Product: ProfileUnity Client
Product Version: 6.8.5 and higher