EDR Sensor: Delayed login time in Citrix Non-persistent VDI

Article ID: 290439


Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

  • Login times with the sensor are delayed
  • Procmon events for cb.exe show Citrix hooked into the process

Environment

  • EDR Sensor: 7.0.1 - 7.2.1
  • Microsoft Windows 10
  • Citrix Non-Persistent VDI

Cause

Interoperability issues between Citrix and cb.exe

Resolution

Add exclusions in the Citrix registry for cb.exe.

Keys:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\CtxHook\AppInit_Dlls\cb.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Citrix\CtxHook\AppInit_Dlls\cb.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Citrix\CtxHook64\AppInit_Dlls\cb.exe

Set the following value under each key:

  • Value Name: Flag
  • Type: REG_DWORD
  • Value: 0
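
One way to apply and verify these exclusions from PowerShell. This is an added example, not part of the original article or a vendor-supplied script. It assumes an elevated 64-bit PowerShell session and skips any hook root that is absent, which covers the CtxHook64 note under Additional Information.

```powershell
# Added example: apply and verify the Citrix hook exclusion for cb.exe.
# Assumption: run from an elevated 64-bit PowerShell session on the VDI image.
$hookRoots = @(
    'HKLM:\SOFTWARE\Citrix\CtxHook',
    'HKLM:\SOFTWARE\Wow6432Node\Citrix\CtxHook',
    'HKLM:\SOFTWARE\Wow6432Node\Citrix\CtxHook64'
)

$results = foreach ($root in $hookRoots) {
    $key = Join-Path $root 'AppInit_Dlls\cb.exe'

    if (-not (Test-Path -Path $root)) {
        # Hook root not present on this host (expected for CtxHook64 on
        # Windows 2008 R2 or higher), so do not create Citrix keys here.
        [pscustomobject]@{ Key = $key; Status = 'Skipped (hook root absent)'; Flag = $null }
        continue
    }

    # New-Item -Force clears an existing key, so only create it when missing.
    if (-not (Test-Path -Path $key)) {
        New-Item -Path $key -Force | Out-Null
    }
    New-ItemProperty -Path $key -Name 'Flag' -PropertyType DWord -Value 0 -Force | Out-Null

    # Read the value back so the report reflects what is actually stored.
    $flag = (Get-ItemProperty -Path $key -Name 'Flag').Flag
    $status = if ($flag -eq 0) { 'OK' } else { 'Mismatch' }
    [pscustomobject]@{ Key = $key; Status = $status; Flag = $flag }
}

$results | Format-Table -AutoSize
if ($results.Status -contains 'Mismatch') { exit 1 }
```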

Additional Information

  • The CtxHook64 key does not exist on Windows 2008 R2 or higher and it is not required.
  • Due to architectural differences in hashing for 7.x sensors, login delays may continue.
  • This has been resolved in the 7.2.1 sensor release:
    "Fixed a bug causing delayed logons and spikes in network usage with sensors running on certain Citrix VDI environments. [CB-33578]"