Windows Defender Mistakenly Considered Citrix Services as Malware


Windows Defender has caused some Citrix customers issues after removing two services that were wrongly identified as malware.

The problem is apparently caused by the update to KB2267602. Users of Windows Defender who installed the update may have had their Citrix Broker and HighAvailability services deleted on Delivery Controllers and Cloud Connectors after being mistakenly detected as a Trojan.


According to Citrix, the users that are affected the note that the Broker service is no longer accessible in the Services console, that the BrokerService.exe file is missing from the System Files folder, and an error stating that the Broker service could not be contacted.

Microsoft released antivirus specification update 1.321.1341.0 to fix the issue and Citrix provided guidance on how to uninstall and install the latest unstable version.

Citrix also has mutual workarounds that can be used to recover the affected files and avoid the identification of them as malware by Windows Defender.

Last week Citrix urged customers of its Endpoint Management (CEM) software, also known as XenMobile, to install patches for several serious vulnerabilities immediately. The bugs can be used to obtain administrative rights for affected systems, and the manufacturer expects the hackers to exploit them quickly.

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.