Virtual Apps/Desktops experience login issues and slow performance when Endpoint Protection starts Active Scan

Article ID: 176185

Products

Endpoint Protection

Issue/Introduction

Virtual Apps/Desktops running in a Citrix environment experience login issues and slow performance when Symantec Endpoint Protection (SEP) starts an Active Scan. Registry keys load and then disappear. This breaks the Citrix stack, and users are not able to log in.

Once systems have loaded SEP definitions from 10/1/19 and the Active Scan kicks off, the scan creates usrclass.dat in C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows. This creates a registry hive in HKEY_USERS S-1-5... Citrix then tries to scan the S-1-5 hive, and it crashes.
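To confirm this behaviour on an affected server, the loaded-hive list can be sampled while an Active Scan runs. The PowerShell below is an added diagnostic example, not Symantec or Citrix tooling; the sampling interval and observation window are assumed values, and the script only reads the registry.

```powershell
# Added diagnostic example, not part of the original article.
# HKLM\SYSTEM\CurrentControlSet\Control\hivelist maps each loaded hive
# (value name, e.g. \REGISTRY\USER\<SID>_Classes) to its backing file
# (value data, an NT device path). Sampling it shows hives that load and
# then disappear, and which file backs them.

$IntervalSeconds = 2      # assumed sampling interval
$DurationSeconds = 300    # assumed observation window
$hiveListKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\hivelist'
# On-disk location of the NetworkService usrclass.dat named in the article.
$nsPattern = '\\ServiceProfiles\\NetworkService\\.*\\usrclass\.dat$'

function Get-UserHives {
    # Returns @{ hive name = backing file } for hives under HKEY_USERS.
    $map = @{}
    $key = Get-Item -Path $hiveListKey
    foreach ($name in $key.GetValueNames()) {
        if ($name -like '\REGISTRY\USER\*') {
            $map[$name] = [string]$key.GetValue($name)
        }
    }
    $map
}

function Write-HiveEvent([string]$Action, [string]$Hive, [string]$File) {
    $flag = ''
    if ($File -match $nsPattern) { $flag = '  <-- NetworkService usrclass.dat' }
    '{0:s}  {1,-8} {2}  ({3}){4}' -f (Get-Date), $Action, $Hive, $File, $flag
}

# Baseline: hives already loaded when sampling starts.
$previous = Get-UserHives
foreach ($h in $previous.Keys) { Write-HiveEvent 'PRESENT' $h $previous[$h] }

$deadline = (Get-Date).AddSeconds($DurationSeconds)
while ((Get-Date) -lt $deadline) {
    Start-Sleep -Seconds $IntervalSeconds
    $current = Get-UserHives
    foreach ($h in $current.Keys) {
        if (-not $previous.ContainsKey($h)) { Write-HiveEvent 'LOADED' $h $current[$h] }
    }
    foreach ($h in $previous.Keys) {
        if (-not $current.ContainsKey($h)) { Write-HiveEvent 'UNLOADED' $h $previous[$h] }
    }
    $previous = $current
}
```

LOADED and UNLOADED lines that carry the flag and coincide with the scan start time match the behaviour described above; after updating definitions, the same run should show no such transitions.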

Environment

  • (14.0.1 MP2) 14.0.3929.1200
  • Windows 2008 R2 x64

Cause

On 10/1/19, the Eraser engineering team changed the configuration of the ERASER scans to use the Windows API instead of raw file I/O for registry scanning. This was done to improve performance.

Resolution

This issue was resolved with SEP content definitions 10/5/19 rev. 3 and newer.