Microsoft Defender blocks Citrix services as Trojan

Currently, there is a problem where Microsoft Defender detects Citrix services as Trojans after an update and deactivates these services. But there is a workaround, which is described in a support article.


German blog reader Toni informed me about this problem by e-mail; it is mentioned, among other places, in this KB post at Citrix. A reddit user describes the whole thing like this:

Microsoft Windows Defender Is Detecting Citrix Broker Service And Citrix High Availability Service As Trojan

Got issue with customer's Citrix services. Spent some time troubleshooting, and found that Citrix Broker service was not there.

Only when we called up Citrix, then we were told about this issue… wasted the morning.

This issue occurs because Windows Defender incorrectly identifies the primary and secondary Citrix broker services (BrokerService.exe and HighAvailabilityService.exe), which are responsible for tracking current user connections/sessions, as Trojans and quarantines them. Well, with a virus hunter like Microsoft Defender, you no longer need malware to make sure that nothing works. Citrix writes about this in this support article from August 14, 2020:

Virtual Apps and Desktop: Microsoft Windows Defender Is Detecting Citrix Broker Service And Citrix High Availability Service As Trojan

Symptoms or Error

  • You notice that Citrix Broker service is not present in Services console. 
  • BrokerService.exe is also missing from c:\program files\Citrix\Broker\Services\
  • The issue is seen with multiple Windows Defender Versions installed on Delivery Controllers.
  • Citrix Studio states – enter the delivery controller address with Error "Could not contact the Broker Service."

Citrix is therefore aware of a potential problem that could affect the Citrix Broker and Citrix High Availability services on the Delivery Controllers and Citrix Cloud Connectors, respectively, with Microsoft Defender installed.

Workaround: Exclude Citrix services from the scan

In this article, Citrix describes best practices for configuring Microsoft Defender to exclude Citrix services from a scan. The following figure shows the affected files:

(Figure: Citrix exceptions in Defender, Source: Citrix)


In the support article, Citrix describes a further workaround for repairing the services and, if necessary, also proposes a downgrade of Defender, which is no longer necessary, however.

Updating the Defender

Microsoft is reported to have released an update to Defender (Antivirus Definition 1.321.1341.0) that is intended to resolve the problem. To force the update, open an administrative prompt. Then run the following commands:

cd /d "%ProgramFiles%\Windows Defender"
MpCmdRun.exe -removedefinitions -dynamicsignatures
MpCmdRun.exe -SignatureUpdate

The commands can also be executed as a batch file with administrator rights. They force the deletion of the incorrect signatures and a signature update. Afterwards it should run again. Any of you affected?
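
As an added example (not from Citrix, Microsoft or the original post), the following read-only PowerShell check, run in an elevated session on a Delivery Controller, reports whether the symptoms listed above are present and whether the installed definitions are at least 1.321.1341.0. The service display names are assumptions based on the names used in this article; the BrokerService.exe path is the one quoted from the Citrix article.

```powershell
# Added example: read-only triage for the false positive described above.
# Assumption: the service display names follow the names used in the article.
$FixedDefinitions = [version]'1.321.1341.0'   # definition version named in the article
$BrokerExe = 'C:\Program Files\Citrix\Broker\Services\BrokerService.exe'  # path as quoted from Citrix
$ServiceDisplayNames = 'Citrix Broker Service', 'Citrix High Availability Service'
$BinaryNames = 'BrokerService.exe', 'HighAvailabilityService.exe'

function Get-CitrixDefenderTriage {
    $installed = [version](Get-MpComputerStatus).AntivirusSignatureVersion

    # Symptom from the Citrix article: the service is no longer listed in the Services console.
    $missing = @(foreach ($name in $ServiceDisplayNames) {
        if (-not (Get-Service -DisplayName $name -ErrorAction SilentlyContinue)) { $name }
    })

    # Defender detections whose affected resources mention one of the two binaries.
    $hits = @(Get-MpThreatDetection | Where-Object {
        $resources = $_.Resources -join ';'
        $BinaryNames | Where-Object { $resources -like "*$_*" }
    })

    [pscustomobject]@{
        DefinitionVersion = $installed
        DefinitionsFixed  = $installed -ge $FixedDefinitions
        BrokerExePresent  = Test-Path -LiteralPath $BrokerExe
        MissingServices   = $missing
        RelatedDetections = $hits.Count
    }
}

$report = Get-CitrixDefenderTriage
$report | Format-List
if (-not $report.DefinitionsFixed) {
    Write-Warning 'Definitions are older than 1.321.1341.0: run the MpCmdRun.exe commands above.'
}
if ($report.MissingServices -or -not $report.BrokerExePresent) {
    Write-Warning 'Citrix broker components are missing: follow the repair steps in the Citrix support article.'
}
```

The check changes nothing on the system; it only tells you which of the two steps (signature update, service repair) is still outstanding.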

Similar articles:

Windows Defender flags CCleaner as PUP – Part 1
Defender flags Windows Hosts file as malicious – Part 2
Defender blocks redirected Microsoft hosts entries – Part 3
Defender mis-classified Winaero Tweaker as a hacker tool
Issues with Defender Update KB4052623 (March 2020)?
