Windows Defender has caused issues for some Citrix customers after removing two services that were wrongly identified as malware.
Windows Defender signature update KB2267602 just deleted BrokerService.exe and HighAvailabilityService.exe on several of our Citrix Delivery Controllers. If you have not excluded these files/folders from scans, stop this update ASAP. #citrix #brokerservice #windows #updates
— Sebastian Parelius (@SirkusParelius) August 13, 2020
The problem is apparently caused by the update to KB2267602. Users of Windows Defender who installed the update may have had their Citrix Broker and HighAvailability services deleted on Delivery Controllers and Cloud Connectors after being mistakenly detected as a Trojan.
According to Citrix, affected users will note that the Broker service is no longer accessible in the Services console, that the BrokerService.exe file is missing from the System Files folder, and that an error states the Broker service could not be contacted.
Microsoft released antivirus specification update 1.321.1341.0 to fix the issue, and Citrix provided guidance on how to uninstall and install the latest unstable version.
Citrix also has workarounds that can be used to recover the affected files and prevent Windows Defender from identifying them as malware.
Last week, Citrix urged customers of its Endpoint Management (CEM) software, also known as XenMobile, to install patches for several serious vulnerabilities immediately. The bugs can be used to obtain administrative rights on affected systems, and the manufacturer expects attackers to exploit them quickly.