App-V 4.6: Using Service and Process Inclusions

App-V has a feature that answers several common questions. Is there a way to allow anti-virus applications to scan files in the virtual drive? How does AppLocker work with the virtual drive? Is there a way in general to allow certain processes and services to interact with the virtual drive?

The answer is yes. Through the use of features known as “process inclusions” and “service inclusions” administrators can give specified services access to the virtual drive. Service inclusions exist for Windows Defender and the Anti-malware service if installed. AppLocker is also listed and this is how AppLocker is able to apply to App-V applications and scripts. Configuring service inclusions is a pretty easy process.

Simply create a string value (REG_SZ) under the following key:

x86

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SoftGrid\<version>\Client\AppFS\ServiceInclusions

x64

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\SoftGrid\<version>\Client\AppFS\ServiceInclusions

The name can be anything, but the value must be the short name of the service (usually matching its registration name). For example, the following built-in services may need access in some circumstances.

  • Application Experience (AeLookupSvc)
  • AppLocker (AppIDSvc)
  • Group Policy Client (gpsvc)

Although the inclusion is configured by name, access is actually granted to the service's Process ID (PID). This means any processes and services spawned by that service will have access as well. Also be advised that there is no security check on the service account used to run the service, as the feature was designed for services running under the local system context. Unless specific permissions on items in the virtual drive deny access, all services granted inclusions will be able to access and interact with everything in the virtual drive.

In the case of anti-virus software, we actively discourage direct scanning of the read/write package volumes (PKG files), as it drastically affects performance and could lead to corruption. This is a concern for many security administrators, because malware could use the folders virtualized under these PKG files (especially the user volume) if they are left unprotected. This is another situation where service and process inclusions can come in very handy. For example, let's say you are running Symantec Endpoint Protection and want to protect files inside the virtual environment while excluding the *.PKG and *.FSD files externally.

In the case of most anti-virus applications, you need to create both service and process inclusions. For example, SEP uses a service whose display name is "Symantec Endpoint Protection." To include this service, you would use its registered service name, "SepMasterService."

1.)   Add a value called SepmasterService1 (REG_SZ) under HKLM\Software\Microsoft\Softgrid\4.5\Client\AppFS\ServiceInclusions (HKLM\Software\Wow6432Node\Microsoft\Softgrid\4.5\Client\AppFS\ServiceInclusions if x64)

2.)   Give it a value of SepMasterService.

3.)   Add a value called ccSvcHst1 under HKLM\Software\Microsoft\Softgrid\4.5\Client\AppFS\ProcessInclusions (HKLM\Software\Wow6432Node\Microsoft\Softgrid\4.5\Client\AppFS\ProcessInclusions if x64)

4.)   Give it a value of ccSvcHst.exe

5.)   Restart the App-V Client Service for this to take effect.
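The five steps above, scripted for an elevated PowerShell prompt. This is an added example, not part of the original post: it assumes the "4.5" version key and the SEP names used above, and that the App-V 4.x client service is registered as "sftlist" (display name "Application Virtualization Client").

```powershell
# Added example (not from the original post): applies the steps above with PowerShell.
# Assumptions: version key "4.5" as in the post; App-V client service name "sftlist";
# run from an elevated prompt. Only include what you actually need: an inclusion
# grants the service's PID (and everything it spawns) access to the whole virtual drive.
param(
    [string[]]$Services  = @('SepMasterService'),   # registered service short names
    [string[]]$Processes = @('ccSvcHst.exe'),       # process image names (SYSTEM context)
    [string]$Version     = '4.5'
)

# Pick the native or Wow6432Node path exactly as the post describes.
$base = if ([Environment]::Is64BitOperatingSystem) {
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\SoftGrid\$Version\Client\AppFS"
} else {
    "HKLM:\SOFTWARE\Microsoft\SoftGrid\$Version\Client\AppFS"
}

function Add-AppVInclusion {
    param([string]$Kind, [string[]]$Names)
    $key = Join-Path $base $Kind
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $i = 1
    foreach ($n in $Names) {
        # The value name is arbitrary (e.g. SepMasterService1, ccSvcHst1);
        # the REG_SZ data must be the service short name or process image name.
        $valueName = ($n -replace '\.exe$', '') + $i
        New-ItemProperty -Path $key -Name $valueName -PropertyType String `
            -Value $n -Force | Out-Null
        $i++
    }
}

Add-AppVInclusion -Kind 'ServiceInclusions' -Names $Services   # steps 1 and 2
Add-AppVInclusion -Kind 'ProcessInclusions' -Names $Processes  # steps 3 and 4

# Read back the configured inclusions so the change can be reviewed and audited.
foreach ($kind in 'ServiceInclusions', 'ProcessInclusions') {
    "== $kind =="
    Get-ItemProperty -Path (Join-Path $base $kind) |
        Select-Object -Property * -ExcludeProperty PS* | Format-List
}

# Step 5: restart the App-V client service so the inclusions take effect.
Restart-Service -Name 'sftlist' -Force
```

Re-run the read-back loop periodically; an unexpected entry under either key is worth investigating, since it grants that service or process unrestricted access to the virtual drive.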

After the App-V client is restarted, my anti-virus software will now have access to the virtual drive. Your mileage may vary depending on the version and type of anti-virus with regard to which services and processes to include. One item to note when these services access the virtual drive: directories below package roots will not be available until those packages are launched.

Limitations on Process Inclusions

There are some stricter limitations on process inclusions. Since the service control manager is not involved, only processes running in the local SYSTEM context can be used. The process must already be running at the time the App-V Client service is started. If there is more than one instance of a process running at the time of the inclusion check, all instances of the process are granted access to the virtual drive.