Endpoint Standard: Citrix Virtual Memory Optimization Service leads to Unexpected Policy Deny

Article ID: 292089


Products

Carbon Black Cloud Endpoint Standard (formerly Cb Defense)

Issue/Introduction

Unexpected Policy Deny Alerts are received in the Carbon Black Cloud Console. For example:
 
The application c:\program files (x86)\citrix\server resource management\memory optimization management\program\ctxbace.exe attempted to execute content from an alternate data stream c:\windows\assembly\nativeimages_v4.0.30319_64\system.serv759bfb78#\55fdc5ecc34b13ee35a9ccf13a66fdf2\system.serviceprocess.ni.dll:ngsv2099.3. A Deny policy action was applied.

Environment

  • Carbon Black Cloud Sensor: 3.6.0.1979 and earlier
    • Endpoint Standard (Formerly CB Defense)
  • Microsoft Windows: All Supported Versions
  • Citrix XenApp: Versions 5.0-6.5

Cause

Citrix's Virtual Memory Optimization service writes a modified copy of the DLL into an Alternate Data Stream (ADS) of the file. This modified copy has a normalized base address and an invalid digital signature, and any load of the original DLL is redirected to the Alternate Data Stream.

Resolution

Disable the Virtual Memory Optimization Service. If this is not an option, a permissions rule to bypass CtxBace.exe can be configured as a workaround.

Additional Information

  • The filename and process name in the Policy Deny may vary, depending on which file the Citrix Memory Optimization process has rewritten.
  • Virtual Memory Optimization also causes the sensor to report a unique new hash with an invalid digital signature and possibly unknown reputation.
  • While there may be memory savings from using Citrix's service, we also believe there is a security risk associated with this feature: by normalizing the base addresses, the system effectively bypasses the operating system's Address Space Layout Randomization (ASLR) protection.
  • Carbon Black’s January 2021 Maintenance Release of the Windows Sensor will allow ADS DLL loads if Citrix Virtual Memory Optimization is detected.
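To confirm the condition described under Cause (and the unique-hash bullet above) on a suspect host, the following added PowerShell check enumerates Alternate Data Streams on NGen native images and compares each stream's hash with the primary content. This is example code, not part of the Carbon Black KB or the Citrix product; it assumes the default `%SystemRoot%\assembly` location and an elevated session.

```powershell
# Added example (not from the KB): list ADS on .ni.dll native images, the files the
# Citrix Virtual Memory Optimization service rewrites, and flag streams whose
# content differs from the primary stream (a rebased copy will always differ).
param(
    # Assumption: NGen native images live under the default assembly folder.
    [string]$Root = "$env:SystemRoot\assembly"
)

function Get-NativeImageAds {
    param([string]$Path)
    Get-ChildItem -LiteralPath $Path -Filter '*.ni.dll' -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # '-Stream *' lists every stream; ':$DATA' is the ordinary file content.
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    $stream = $_
                    $primaryHash = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
                    # Read the ADS bytes; the byte-encoding switch differs between
                    # Windows PowerShell 5.1 and PowerShell 7.
                    $bytes = if ($PSVersionTable.PSVersion.Major -ge 6) {
                        Get-Content -LiteralPath $file.FullName -Stream $stream.Stream -AsByteStream -Raw
                    } else {
                        Get-Content -LiteralPath $file.FullName -Stream $stream.Stream -Encoding Byte -Raw
                    }
                    $ms = [System.IO.MemoryStream]::new(, [byte[]]$bytes)
                    try     { $adsHash = (Get-FileHash -InputStream $ms -Algorithm SHA256).Hash }
                    finally { $ms.Dispose() }
                    [pscustomobject]@{
                        File           = $file.FullName
                        Stream         = $stream.Stream
                        StreamBytes    = $stream.Length
                        PrimarySHA256  = $primaryHash
                        AdsSHA256      = $adsHash
                        # True for the rewritten copies described in the KB; this is also
                        # the "unique new hash" the sensor reports for them.
                        ContentDiffers = ($adsHash -ne $primaryHash)
                    }
                }
        }
}

Get-NativeImageAds -Path $Root | Format-Table -AutoSize
```

A host with the Citrix service disabled should return no rows; rows with `ContentDiffers` set to True correspond to the ADS copies that trigger the Policy Deny described above.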