Have you followed best practices for SEP on citrix servers ?
What does Intrusion Prevention do that Antivirus protection does not?
Antivirus technology is strong, effective technology that protects your computer from files that are on the hard drive. Intrusion Prevention System technology is strong, effective technology that prevents malicious files from getting to your hard drive in the first place.
Unlike antivirus, which looks for known malicious files, IPS scans the network traffic stream in order to find threats using known exploits and attack vectors. IPS does not detect specific files, but rather specific methods that can be used to get malicious files onto your network. This allows IPS to protect against both known and unknown threats, even before antivirus signatures can be created for them.
For example, the Downadup/Conficker worm uses a known vulnerability, the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability, to spread to unpatched computers. When the worm was released, antivirus technology could not stop the infection until virus definitions were written for the file. Since IPS already had signatures for the RPC Handling vulnerability, however, computers running IPS were protected before the worm was ever released.
IPS is very good at detecting "drive-by" downloads of malware and fake antivirus scanner web pages, which Auto-Protect cannot prevent. In today's complex threat environment, this technology is an effective complement to antivirus technology, and its usage should be considered a necessity on any network that is connected to the Internet.
Best practices regarding Intrusion Prevention System technology