Support Center

Virus discussion XPe or WES 2009

Last Updated: Aug 09, 2016 04:18PM PDT
Problem: CLI XPE and WES do not have 3rd party built in Virus, Malware protection software.


Base Operating System:
All currently shipping CLI XP Embedded (XPe) thin clients come with Microsoft XP Windows Embedded Service Pack 2 which provides the same broad range of security changes to Windows XP Embedded that Windows XP Professional SP2 includes. Also, the Windows Firewall is standard on Windows XPe increasing the security of the thin clients.
Newer systems running Windows Embedded Standard (WES) offer the same protections with the addition of Embedded Service Pack 3.

Vulnerability Protection:
Most vulnerabilities, virus and malware are transferred by Internet browsers, email attachments, or by opening infected files in the local storage devices. Microsoft Windows XPe SP2 and Windows Embedded Standard provides pop-up blocker and the capability to block both unknown and unsigned ActiveX controls. Also, in the thin computing environment, CLI thin clients rely on the server-based email clients, when malicious mails or attachments are opened, they do not traverse or propagate to other thin client devices.
When local storage devices are attached, they could introduce security vulnerabilities for intrusion. (With CLI-WES you can control USB storage permissions, and access using the XPEMB Storage control utility)
You can equip CLI thin clients with any number of anti-virus solutions, although this is often overkill, and not used extensively by CLI customers.

Flash Write-Protection:

The Enhanced Write Filter (EWF) feature of Windows XPe/WES makes it possible for you to write-protect your images. All Windows XPe/WES units from CLI  come with EWF enabled by default. Make sure your deployment image is logging in as a User and not Administrator privileges. (flash closed mode)
CLI WES only builds can use either EWF or FBWF (disabled by default)
File Based Write Filter or Microsoft's Enhanced Write Filter, when enabled,  prevents permanent writes to the local media which means that your CLI unit won't suffer from a permanent virus, but allows for an "unprotected area" of c: to be configured, so that AV defintions can be stored to c:. This does not prevent viruses which install to RAM and propagate without requiring a reboot, but it does mean that a simple reboot of the unit will clear any such virus and return the unit to its clean state.

Firewall Protection:
All CLI XPe SP2/WES units ship with Microsoft's Windows Firewall as part of the base OS. This solution, and others like it, has proven effective against the spread of viruses but can reduce versatility at the client level. It will require an increased level of testing to ensure that all local functions on the client perform as expected and required before any deployment using the Windows Firewall.

Contact CLI sales if you have XPe thin client image and wish to use WES (requires 1GB/1GB minimum) (not supported on MT15/35xx models).  

Note: CLI has tested virus solutions from Symantec.  Endpoint protection for XPe has been certified.


Contact Us

  • 1-800-727-5250 x2001
seconds ago
a minute ago
minutes ago
an hour ago
hours ago
a day ago
days ago
Invalid characters found