I'm running up a bunch of HP Thin Terminals with Windows 7 Embedded Standard. I've enabled FBWF on the terminals and applications will be accessed by users via Citrix.
Very little needs to exist on these machines; however, they do require up-to-date AV protection. We are using Trend Micro OfficeScan 10.5, which installs fine. However, I want to ensure that it will run correctly, update itself, etc., once FBWF is turned back on. I assume I will need to add exceptions to FBWF for this to happen and likely need to do so in the registry as well, but I can't seem to find much in the way of documentation or discussion on the matter.
I could just add an exception for any/all directories that Trend might need, but I prefer the absolute minimum.
Any suggestions/links to documentation would be appreciated.
This sounds like a very specific question that can only be thoroughly answered by TrendMicro themselves. While I hate to say it, I'm going to say it anyway: contact support and be thorough in your explanation of what you're doing. What you wrote above will be good.
In the absence of TrendMicro's specific words, you could conceivably audit the files and folders that the software accesses and writes to using Windows Filesystem Auditing. It's a long slog, and even registry keys can be audited. You might not ever know completely if you've made an exception for every possible folder or registry, however. Think about it: Perhaps there's a feature, option or bit of logic that is rare to be triggered that will only be seen in production well after you audited normal filesystem access.
Sounds messy? It is. Check with TrendMicro first and see what they say.
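The audit-based approach from the answer above, as an added example that is not part of the original thread: it reduces Security event 4663 records to the directories a given product's processes actually wrote to. It assumes file system auditing is enabled with a SACL on the folders of interest; the product path, process names and events below are constructed placeholders, not Trend Micro's real ones.

```powershell
# Added example: summarise audited file writes (Security event 4663) per directory.
# AccessMask bits that modify a file: WriteData 0x2, AppendData 0x4, WriteEA 0x10,
# WriteAttributes 0x100, DELETE 0x10000. Read-only accesses are ignored.
$WriteMask = 0x2 -bor 0x4 -bor 0x10 -bor 0x100 -bor 0x10000

function Get-WrittenDirectory {
    param([string[]]$EventXml, [string]$ProcessPattern)
    $hits = foreach ($raw in $EventXml) {
        # Flatten <Data Name='...'>value</Data> into a lookup table.
        $data = @{}
        foreach ($d in ([xml]$raw).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['ObjectType'] -ne 'File') { continue }
        if ($data['ProcessName'] -notlike $ProcessPattern) { continue }
        $mask = [Convert]::ToInt32($data['AccessMask'], 16)   # accepts the 0x prefix
        if (($mask -band $WriteMask) -eq 0) { continue }
        [System.IO.Path]::GetDirectoryName($data['ObjectName'])
    }
    $hits | Group-Object | Sort-Object Count -Descending | Select-Object Count, Name
}

# Constructed sample events; only the fields the function reads are included.
$fmt = "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><EventData>" +
       "<Data Name='ObjectType'>File</Data><Data Name='ObjectName'>{0}</Data>" +
       "<Data Name='AccessMask'>{1}</Data><Data Name='ProcessName'>{2}</Data>" +
       "</EventData></Event>"
$av = 'C:\Program Files\ExampleAV'   # hypothetical install directory
$sample = @(
    ($fmt -f "$av\Pattern\sig.001", '0x2', "$av\scan.exe"),
    ($fmt -f "$av\Pattern\sig.002", '0x6', "$av\update.exe"),
    ($fmt -f "$av\Log\update.log",  '0x4', "$av\update.exe"),
    # Read-only access by the product: not a write, so not reported.
    ($fmt -f 'C:\Windows\System32\drivers\etc\hosts', '0x1', "$av\scan.exe"),
    # Write by an unrelated process: filtered out by the process pattern.
    ($fmt -f 'C:\Users\Public\note.txt', '0x2', 'C:\Windows\explorer.exe')
)

Get-WrittenDirectory -EventXml $sample -ProcessPattern "$av\*"

# Against a live log, feed real events instead of the sample:
#   $live = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4663} |
#           ForEach-Object { $_.ToXml() }
#   Get-WrittenDirectory -EventXml $live -ProcessPattern "$av\*"
```

Each directory in the output is a candidate FBWF exclusion; paths touched only by rarely triggered features will not appear until those features run while auditing is on.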