ShareFile Antivirus scanning

This article is about scanning your data in an On-premises StorageZone using the ShareFile Antivirus functionality.

Citrix Managed or Customer Managed StorageZones

Whether you need to arrange some kind antivirus scanning depends on the fact where your ShareFile data is located. Is it in a Citrix Managed StorageZone, or do you have an On-premises StorageZone, or perhaps a mix of both?

Citrix Managed StorageZone

When having your data in a Citrix Managed StorageZone, you do not need to worry about scanning for viruses of your data. All data within this zone is being scanned by Citrix.

Customer Managed StorageZones

When running an On-premises StorageZone, you as a ShareFile customer, are responsible for scanning your data for viruses.

AV Scanning options

Now, what options do we have to scan data being uploaded to the On-premises StorageZone? You can scan the data via a Citrix ShareFile tool called SFAntiVirus.exe but you can also leverage the existing AV scanner on the server where your ShareFile Network Share is resided. Both options have its advantages and disadvantages, and it is possible to use both simultaneously. If you will run virus scans using SFAntiVirus.exe you need to make sure Encryption is disabled. You can do so by checking the Enable Encryption check box within the StorageZones Configuration page, it should be cleared.

Existing AV Scanner on ShareFile Network share

Assuming you have your File Servers set up for AV scanning you can use the existing AV scanner of your choice to protect the ShareFile network share. While having On-Access scanning enabled you are protected against any malicious files being uploaded via the ShareFile control plane(assuming the AV scanner of your choice is uptodate, being able to detect the latest viruses and policies are set to take corrective actions).

From a ShareFiles’ perspective, the advantage of having On-Access AV scanning enabled, is also the disadvantage. If an infected file is being uploaded using the ShareFile web application, and the virusscanners’ On-Access scan policy is set to delete or quarantine the file, the On-Access AV on the File Servers kicks in and deletes and/or quarantines the file in question. However, this is not being noticed by the web application resulting in an timeout uploading the file. The user is not being notified that the file was infected and thus removed from the upload queue.

SFAntivirus.exe (ShareFile Antivirus)

The main purpose of ShareFile Antivirus is that ShareFile Control Plane is aware of infected files. Within the ShareFile Web Application, an infected file is marked with a red warning sign and the user gets warned when he or she tries to download it.

ShareFile Web Application - Before SFAntivirus scan

Before SFAntivirus scan

ShareFile Web Application - After SFAntivirus scan

After SFAntivirus scan

The tool is installed alongside the Citrix StorageZone Controller and is by default located in C:\inetpub\wwwroot\Citrix\StorageCenter\Tools\SFAntiVirus. In order to make use of the tool you have to register it so the ShareFile Control Plane is aware of the feature being enabled.

SFAntivirus.exe configuration

Registering and configuring SFAntivirus.exe is explained on the Citrix Documentation Centre. The configuration file for SFAntivirus.exe is SFAntivirus.exe.config and easily edited with any text editor. However, with a fresh install of the Storage Zone Collector software, the config file is not configured and with version 4.2 and 4.3 a few options are missing which you need to add yourself. Below a piece of the original config file and a customized config file is shown.

<?xml version="1.0" encoding="utf-8"?>
    <add key="LogLocation" value="" />
<?xml version="1.0" encoding="utf-8"?>
    <add key="ShareFileUrl" value="" />
    <add key="QueueSdkUrl" value="http://localhost/rest/queue.aspx" />
    <add key="ZoneName" value="YourStorageZoneName" />
    <add key="StorageLocation" value="\\Fileserver\Fileshare" />    
    <add key="LogLocation" value="" />

At the end of the article I have included some samples of the config file using different AV scanners(Windows Defender, Kaspersky Security) for you to download.

When the config file is edited, the SFantivirus.exe tool needs to be registered. Keep in mind, when using StorageZone Controller 4.2 of higher, you need to register it via the NETWORK SERVICE account. Download PSExec and run the following command:

PsExec.exe -i -u "NT AUTHORITY\NetworkService" C:\Windows\SysWOW64\WindowsPowerShellv1.0\powershell.exe

 After that register the SFAntivrus.exe tool within the PowerShell session using the command:

SFAntivirus –register yourSFAdminaccountname yourSFpassword

The SFAntivirus tool is now configured. Notice the Antivirus Scan Queue is being added to the StorageZone monitoring page.

ShareFile Antivirus Queue - Before enabling SFAntivirus

Before SFAntivirus registration

ShareFile Antivirus Queue - After enabling SFAntivirus

After SFAntivirus registration

  When files are uploaded the Antivirus Scan Queue goes up:

ShareFile Antivirus Queue - After enabling SFAntivirus - Filled Queue

When a SFAntivirus job has run, the Antivirus Scan Queue is emptied. There are two ways of running a job, manually through elevated NETWORK SERVICE rights or via a scheduled scan.

Scheduled Task

Below you’ll find the steps for creating a scheduled task. Notice that the job is being run as NETWORK SERVICE account.

ShareFile Antivirus Scheduled Task - General TabShareFile Antivirus Scheduled Task - Triggers Tab ShareFile Antivirus Scheduled Task - Actions Tab ShareFile Antivirus Scheduled Task - Settings Tab

What to choose?

The SFAntivirus.exe option has the advantage of integration within the ShareFile Control Plane. You as a user get feedback about the Antivirus status of your files. On the other hand, this option has no On-Access scanning capabilities, which might lead to Virus infections within the StorageZone when infected data is uploaded between scans.

From a Admins’ perspective I currently would recommend the On-Access Antivirus Scanner to be enabled for the StorageZone Fileshare. The end user does not get notified about malicious file uploads, but hey, that’s better than having a virus potentially spreading within your network.

For now, If you want On-Access scanning and feedback to the user, I guess you probably need to go for the ICAP functionality. The latest versions of StorageZone Controller support Antivirus platforms using ICAP. However I am not familiar with this functionality as I do not have an ICAP enabled solution within my testlab. 

I hope this article gives you some insight about the current possibilities of scanning your ShareFile data for viruses.

Download ShareFile Antivirus config files here:

SFAntiVirus.exe.config – Windows Defender on Windows Server 2016

SFAntiVirus.exe.config – Kaspersky Security for Windows Server

This entry was posted in Citrix, Citrix ShareFile and tagged , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *