Posts Tagged ‘antivirus’

App-V 4.6: Using Service and Process Inclusions


App-V has a feature that answers several common questions. Is there a way to allow anti-virus applications to scan files in the virtual drive? How does AppLocker work with the virtual drive? Is there a way, in general, to allow certain processes and services to interact with the virtual drive?

The answer is yes. Through the features known as “process inclusions” and “service inclusions”, administrators can give specified services access to the virtual drive. Service inclusions exist out of the box for Windows Defender and the Anti-malware service, if installed. AppLocker is also listed, which is how AppLocker is able to apply to App-V applications and scripts. Configuring service inclusions is a straightforward process.

Simply create a string value (REG_SZ) under the following key:

X86

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SoftGrid\<version>\Client\AppFS\ServiceInclusions

X64

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\SoftGrid\<version>\Client\AppFS\ServiceInclusions

The value name can be anything, but the value data must be the short name of the service (usually its registered service name). For example, the following built-in services may need access in some circumstances.

  • Application Experience (AeLookupSvc)
  • AppLocker (AppIDSvc)
  • Group Policy Client (gpsvc)

Although the inclusion is configured by name, access is actually granted to the service’s Process ID (PID). This means any processes and services spawned by that service will have access as well. Also be advised that there is no security check on the service account used to run the service, as the feature was designed for services running under the local SYSTEM context. Unless specific permissions on items in the virtual drive deny access, every service granted an inclusion will be able to access and interact with everything in the virtual drive.

In the case of anti-virus software, we actively discourage direct scanning of the read/write package volumes (PKG files), as it drastically affects performance and could lead to corruption. This is a cause for concern for many security administrators, since malware could use the folders virtualized under these PKG files (especially the user volume) if they are left unprotected. This is another situation where service and process inclusions come in very handy. For example, let’s say you are running Symantec Endpoint Protection and you want to protect the files inside the virtual environment while excluding the *.PKG and *.FSD files externally.

For most anti-virus applications, you would need to create both service and process inclusions. For example, SEP uses a service with the display name “Symantec Endpoint Protection.” To include this service, you would use its registered service name, “SepMasterService.”

1.)   Add a value called SepMasterService1 (REG_SZ) under HKLM\Software\Microsoft\Softgrid\4.5\Client\AppFS\ServiceInclusions (HKLM\Software\Wow6432Node\Microsoft\Softgrid\4.5\Client\AppFS\ServiceInclusions if x64)

2.)   Give it a value of SepMasterService.

3.)   Add a value called ccSvcHst1 (REG_SZ) under HKLM\Software\Microsoft\Softgrid\4.5\Client\AppFS\ProcessInclusions (HKLM\Software\Wow6432Node\Microsoft\Softgrid\4.5\Client\AppFS\ProcessInclusions if x64)

4.)   Give it a value of ccSvcHst.exe

5.)   Restart the App-V Client service for this to take effect.
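The five steps above as one PowerShell script. This is an added example, not code from the original post: it assumes the 4.5 key version used in the steps, the SEP service and process names quoted above, that the App-V Client service is named sftlist, and an elevated prompt.

```powershell
# Added example: create the SEP service/process inclusions described above,
# picking the Wow6432Node key when running as a 64-bit process. A 32-bit
# PowerShell on x64 is redirected to Wow6432Node automatically, so the
# un-prefixed path is correct there too.
$Version = '4.5'   # key version from the post; 4.6 clients still use this key
$Base = if ([IntPtr]::Size -eq 8) {
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\SoftGrid\$Version\Client\AppFS"
} else {
    "HKLM:\SOFTWARE\Microsoft\SoftGrid\$Version\Client\AppFS"
}

# Value name -> value data. The name is arbitrary; the data must be the
# registered service name (ServiceInclusions) or image name (ProcessInclusions).
$ServiceInclusions = @{ 'SepMasterService1' = 'SepMasterService' }
$ProcessInclusions = @{ 'ccSvcHst1'         = 'ccSvcHst.exe' }

function Add-AppVInclusion {
    param([string]$SubKey, [hashtable]$Entries)
    $Key = Join-Path $Base $SubKey
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    foreach ($Name in $Entries.Keys) {
        # REG_SZ as the post requires; -Force overwrites an existing value
        New-ItemProperty -Path $Key -Name $Name -Value $Entries[$Name] `
            -PropertyType String -Force | Out-Null
    }
}

Add-AppVInclusion -SubKey 'ServiceInclusions' -Entries $ServiceInclusions   # steps 1-2
Add-AppVInclusion -SubKey 'ProcessInclusions' -Entries $ProcessInclusions   # steps 3-4

# Review the resulting lists: every entry here gets unrestricted access to the
# virtual drive with no account check, so the lists should stay short and known.
foreach ($SubKey in 'ServiceInclusions', 'ProcessInclusions') {
    Write-Host "`n${SubKey}:"
    Get-ItemProperty -Path (Join-Path $Base $SubKey) |
        Select-Object -Property * -ExcludeProperty PS* |
        Format-List
}

# Step 5: restart the App-V Client service (service name 'sftlist' is assumed)
Restart-Service -Name 'sftlist' -Force
```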

After the App-V client is restarted, my anti-virus software will have access to the virtual drive. Your mileage may vary depending on the version and type of anti-virus software with regard to which services and processes to include. One item to note when these services access the virtual drive: directories below package roots will not be available until those packages are launched.

Limitations on Process Inclusions

There are some stricter limitations on process inclusions. Since the service control manager is not involved, only processes running in the local SYSTEM context can be used. The process must already be running at the time the App-V Client service is started. If more than one instance of the process is running at the time of the inclusion check, all instances of the process are granted access to the virtual drive.

Yes, Trusteer Rapport does break App-V

August 18, 2011

You may have encountered problems with slow logons, slow startups, and slow access to applications when using App-V in conjunction with the security software known as Trusteer Rapport. The Trusteer Rapport issue is timing related. It also appears to have a significant effect on Windows XP machines (since the App-V Client service cannot be set to a delayed start there).

For information on Trusteer Rapport, this is their own support page:

http://www.trusteer.com/support

According to their FAQ, it is currently listed as not compatible with App-V, and they are working with the vendor to resolve it.

From their FAQ, as it’s not entirely easy to find:

http://www.trusteer.com/support/faq/supported-platforms

There’s a section under there about “are there any known conflicts” which leads to the app-v page:

http://consumers.trusteer.com/appv

and here:

http://consumers.trusteer.com/compatibility-other-security-software

Why is it happening?

There is contention at startup because this software prevents SFTLIST from completing initialization. This is the SFT Listener process, a primary component of the App-V Client service. Combine this with SFTTRAY launching at startup (from the “Run” registry key) and with SFTDCC loading from USERINIT (to support DC Refresh upon login, if configured), and the resulting negative user experience ranges from extremely slow logons to virtual applications never becoming available.

So What are your Options?

You can uninstall Trusteer Rapport, or you can try to get the two working together by leveraging KB 973756, which takes SFTTRAY /autostart out of the Run key.

http://support.microsoft.com/kb/973756

Step two in that article may turn you off, as it requires putting the App-V Client service into manual startup mode.

Also note: some customers have had success with the delayed start feature on Windows 7 for the App-V Client service.
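An added audit script for the two startup items discussed above (not part of the original post or of KB 973756): it reports any Run-key entry that still launches SFTTRAY and how the App-V Client service is set to start, and can apply the Windows 7 delayed-start option. It assumes the service name sftlist, the image name sfttray, and an elevated prompt.

```powershell
# Added example: check the startup items tied to the Trusteer Rapport contention.
param([switch]$ApplyDelayedStart)   # only change the service if asked to

$RunKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'

# 1. Is SFTTRAY still auto-starting from a Run key? (KB 973756 removes it.)
foreach ($Key in $RunKeys) {
    if (-not (Test-Path $Key)) { continue }          # Wow6432Node absent on x86
    $Props = (Get-ItemProperty -Path $Key).PSObject.Properties
    foreach ($P in $Props) {
        if ($P.Value -is [string] -and $P.Value -match 'sfttray') {
            "Run entry still present: {0}\{1} = {2}" -f $Key, $P.Name, $P.Value
        }
    }
}

# 2. How is the App-V Client service (assumed name 'sftlist') set to start?
$SvcName = 'sftlist'
$Svc = Get-WmiObject -Class Win32_Service -Filter "Name='$SvcName'"
if (-not $Svc) { "Service $SvcName not found"; return }

# DelayedAutostart is the REG_DWORD behind "Automatic (Delayed Start)"
$SvcKey  = "HKLM:\SYSTEM\CurrentControlSet\Services\$SvcName"
$Delayed = [int](Get-ItemProperty -Path $SvcKey -ErrorAction SilentlyContinue).DelayedAutostart
"{0}: StartMode={1} DelayedAutostart={2}" -f $SvcName, $Svc.StartMode, $Delayed

# Delayed start exists on Vista/Windows 7 (NT 6.x) but not on Windows XP (NT 5.x),
# which is why the post singles out XP as the worst affected.
$SupportsDelayed = [Environment]::OSVersion.Version.Major -ge 6
if ($ApplyDelayedStart -and $SupportsDelayed -and $Delayed -ne 1) {
    sc.exe config $SvcName start= delayed-auto
    "Set $SvcName to Automatic (Delayed Start); takes effect at next boot"
} elseif ($ApplyDelayedStart -and -not $SupportsDelayed) {
    "Delayed start is not available on this OS; see KB 973756 instead"
}
```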

– Steve Thomas