Friday, January 28, 2011

What antivirus do you recommend for dev boxes

What antivirus would you recommend for computers used for Windows development? Would you use an antivirus for these users? These users compile quite often and therefore read and write tons of files. If I deploy a slow-performing antivirus, they will not be happy.

  • I use Kaspersky and my desktop's performance doesn't seem to be affected by it -- unless it's doing an automatic update. It's the most bullet-proof anti-virus that I know of and have used.

    From Ates Goral
  • I would deploy the same AV solution as in your production environment. That way you have one management interface and you get an apples-to-apples comparison as to impact, especially as the newer ones are incorporating more and more intrusion prevention measures with each version. One AV solution may not react the same as another as a result.

    Burly : Using the same AV in testing and production is a Good Idea (in general, if the production environment is controlled, then you should have a testbed that is as identical as possible). However, I don't know that it should be a requirement that it be the same on the developers' boxes, especially if it causes performance issues during compilation or increases the cost significantly, etc.
  • I have a couple opinions here...

    Obviously the point of anti-virus is not necessarily to have the fastest, but simply the most effective. I prefer Symantec but to each his own.

    One thing you could do is make realtime scan exclusions for a development folder (e.g. C:\Development) or something - that way it's not realtime scanning every compile. Most viruses/malware would not put anything in a C:\Development folder anyway (99% of the time it'll be going into Program Files, Windows, etc). Configure your antivirus to run a scan on the Development folder once per day instead.

    On the other hand, normally developers will be pretty computer savvy (we hope). So in that case I'm not sure antivirus is needed at all in this type of environment. Best thing here is dedicate machines (virtual machines or whatever) just for development and not e-mail, web surfing, and the like. This would yield the fastest performance with no scanning overhead, obviously.

    Luke : All good suggestions except for the part about having web surfing on a different machine from development... the two tasks often overlap :) Also wouldn't want to do IO-heavy work on a virtual machine.
  • You definitely want real-time scanning on these machines.

    I've been out of the game awhile, but to my knowledge the three main surfaces to cover are infection by removable media like floppies & USB storage (mainly boot-sector viruses), email (mostly trojan horses), and network services (worms). A development machine is likely going to have all three.

    I would advise following routeNpingme's suggestion of specific exceptions on filesystem scanning for real-time scanning.

  • I would not install any antivirus software on those machines assuming the following points:

    • The computer runs behind a router with built in firewall, MAC address filtering and NAT.
    • Only needed ports are open
    • Windows firewall is enabled
    • Developers only install software that they need to get things done from trusted sites
    • No pirated software is used
    • Operating systems are updated regularly
    • Devs do not visit underground sites

    On dev machines you want maximum performance, and antivirus software is a known antonym of performance. Besides this, antivirus is not so effective.

    Spoike : I'd add a point about developers not using usb-sticks from untrusted sources. I know a colleague who accidentally infested his development machine with a usb-stick he received from a client. Symantec Antivirus didn't pick it up on his dev computer at work, but AVG Free at his home computer did.
    cletus : I disagree with the Windows firewall bit but agree with everything else.
    JAG : cletus, I like to have Windows firewall enabled just because probably the production environment will have it enabled and I don't think it slows down the computer. But you're right, it wouldn't be necessary.
    Darren Oster : As long as ALL the above points are followed, no problems. Just remember, not all viruses are from email, etc. Think SQL Server worm viruses. Although, perhaps antivirus may not catch these anyway... But is it not better to be safe than sorry?
    sh-beta : Even brilliant developers occasionally make mistakes. You NEED antivirus software.
    Luke : Can you clarify about the firewall strategy? Firewalled off from the rest of the company? From any intranet servers as well? Seems like that could cause some headaches when using internal apps.
    Fabio Gomes : Just be aware that if the company has interns, they will use their pendrives for homework and stuff and then stick it on their dev machines, I've seen viruses spread several times like this.
    Element : I never used AV until a few months ago when my dev box got infected just by visiting a blog website from digg. It had a 0day Adobe PDF exploit injected into one of its banner ads. I actually didn't even have Adobe PDF Reader installed, I use Foxit PDF Reader, but it was still able to exploit and infect my computer simply by visiting the page.
    Cristian Ciupitu : You're forgetting logging in with a regular user, instead of an administrator user. Unfortunately, the default regular users have too much power, so a custom group might be needed.
    Jim B : I can't agree more, especially since most developers will disable the antivirus software the second they think they are having a performance problem.
    From JAG
  • Background

    There are obviously multiple variables involved here, so there is not a one-size fits-all response. These variables include:

    Existing company/corporate policies

    Any policies involving security mandates (such as the requirement to run the company configured AV) may make this decision a non-issue.

    Variability of the "production" environment.

    If this is an application that is being deployed in a controlled environment OR a limited environment then it is a good idea to duplicate that production environment for your testbeds.

    If however, this is an application that is going to be released "into the wild" then there is obviously no way to test for all possible production configurations.

    Development and testing environment

    If there is a formal testing/QA team and environment or even just a build server, then this is likely the best place to mimic the production environment, not the developers machines.

    Security Concerns

    This is a book all to itself, but the security concerns may outweigh any of the particular trade-offs to the developers' machines. This depends on such things as:

    • Sensitivity of the data and/or code
    • Connectivity to outside networks/internet
    • Removable media
    • much much more

    Developer's Machine Performance

    The obvious here is the performance hit during development due to the CPU and I/O tax introduced by the virus scanner. The not-so-obvious potential impacts are:

    • Downtime associated with the contraction of a virus/trojan/malware and subsequent removal
    • Performance impact of the virus/malware if no AV software is present to detect and notify the user, such that they continue to work with the virus/malware present

    If you are using virtual machines or have a development image or have regular backups, this downtime potential maybe insignificant. If the developer is going to have to reinstall and reconfigure everything on his/her machine from scratch (depending on the severity of the virus) then the downtime could be a severe penalty.

    Probability of Contraction

    The probability that a virus/malware will be contracted by the developers machine is a huge wildcard/unknown. However, if you are working on a closed network and don't bring in much outside media, the risk is obviously much lower than if all of the machines are directly connected to the internet.

    If the development environment is Mac OSX or Solaris or Linux, etc then the probability of contraction is much lower than on the Windows platform.

    Also, if the nature of the development itself increases the exposure of the developers machines to potentially unsafe traffic, this increases the probability of contraction.


    Recommendations

    Based on the status of the variables above (and probably more), there are several options (in increasing security, decreasing performance order):

    • No AV software at all
    • AV software with no real-time protection but scheduled virus scans during off-hours
    • AV software with real-time protection but exclusions on folders/filetypes involved in the development process
    • AV software with real-time protection and no exclusions

    There are obviously a number of variations on these four options (such as ones involving the use of Virtual Machines) but I think this covers the major options.

    Personal Usage

    For what it's worth, I personally use Symantec Corporate at work and Avast Free Edition at home. I have real-time protection enabled with the only exclusions being for my Virtual Machine folders/vmdk files. I do some of my development in the host and some of it in the guest. I do C# and native C++ development for the windows platform and find the performance penalties manageable.

    From Burly
    We're using Trend Micro in production, and I've recently installed it on all our TEST VMs (after one got a virus) and have noticed no performance loss (20+ VMs on one eight-core host). These machines get thrashed by our support department when trying to reproduce customer environments; it's a barebones AV and does the trick. It's picked up a couple of things that would have otherwise infected a machine after visiting the dreaded underground sites.

    From sascha
    I prefer not to have antivirus installed, but the average developer (and I mean 90% of the developers) sure needs it. I've been using McAfee (forced by company policy) and have had no major issues. If you have the option to filter out the folders where the source code resides, that'll fix most of your problems.

    Chris Marisic : I worked at a place where I was forced to have McAfee installed. It made builds take 10-20 minutes because of the real-time scanning infecting my build process. The first thing I would do when I booted my machine there was to kill all of the services for the AV. I considered blacklisting them entirely but figured that would set off some kind of alert at corporate.
    I personally don't run any. I have OS X and run my Visual Studio in VMs. I never got infected, but I regularly back up my VMs and in case of Windows problems, I can always grab a fresh VM (ready to use), do an SVN checkout and start working within 15 minutes.

    It happened to me that I broke my Vista Machine (Virtual) while toying with the registry and had to do the above. It can be a pain if your VM doesn't support snapshots (VMWare does) or if your backed up VM is not "up to date".

    sh-beta : Honest question: if you don't run antivirus, how do you know you never got infected? Not all virii have immediately noticeable effects.
    Cristian Ciupitu : @sh-beta: you've got a point there, but as long as he wasn't visibly affected by viruses, why care about them?
    Kalmi : you know... they steal data...
    Oskar Duveborn : If a security breach or a compromised machine is discovered to be that, one should feel lucky and wipe it. Many will go undetected as that's many times the entire point of the infection - without checking the network traffic with expert knowledge about how it should look - how can one be sure any computer isn't for instance a zombie participating in nasty things? ^^
    Martín Marconcini : I wouldn't really know if I am infected, but it really doesn't change much. I only do C# programming in there, Internet is used from OSX (firewall), and behind a hardware firewall. Windows FW is always up. But yeah, I guess if I open a virus, the VM would be infected. But as I've said, wipe and svn checkout.
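  sh-beta's question in the comments above ("if you don't run antivirus, how do you know you never got infected?") and Oskar's reply about checking network traffic are the useful part of this exchange. The following is an added example, not code from anyone in the thread: a read-only PowerShell check for a Windows box with no AV that lists established outbound TCP connections, maps each to its owning process, and flags processes whose binary is unsigned or whose signature does not verify, or that talk to a port developer tools would not normally use. It assumes Windows 8 / Server 2012 or later (the NetTCPIP module) and is best run elevated so every process's image path is visible; the list of expected ports is an assumption to adjust per site.

```powershell
# Added example (not from the original thread). Quick answer to "how would you know?"
# on a Windows box running no AV: which processes are talking to the network, and can
# the binary behind each one be vouched for? Read-only; run elevated to see all paths.
function Get-SuspiciousOutbound {
    [CmdletBinding()]
    param(
        # Remote ports developer tools normally use (assumed; tune for your site).
        # Anything else gets a closer look.
        [int[]]$ExpectedPorts = @(80, 443, 22, 3389)
    )

    $loopback = @('127.0.0.1', '::1')

    Get-NetTCPConnection -State Established |
        Where-Object { $loopback -notcontains $_.RemoteAddress } |
        ForEach-Object {
            $conn = $_
            $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
            $path = $proc.Path    # null for protected/system processes without elevation

            # Authenticode status: 'Valid' means the file is signed by a chain this
            # machine trusts; 'NotSigned' / 'HashMismatch' / 'UnknownError' deserve a look.
            $sig = if ($path) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'Unknown' }

            [pscustomobject]@{
                Process   = $proc.ProcessName
                PID       = $conn.OwningProcess
                Path      = $path
                Remote    = "$($conn.RemoteAddress):$($conn.RemotePort)"
                Signature = $sig
                OddPort   = ($ExpectedPorts -notcontains [int]$conn.RemotePort)
            }
        } |
        Where-Object { $_.Signature -ne 'Valid' -or $_.OddPort } |
        Sort-Object Process
}

# Usage: review the table by hand; an empty result is the boring, desirable case.
Get-SuspiciousOutbound | Format-Table -AutoSize
```

  Two caveats a practitioner would want. A valid signature only says the file on disk was signed by someone the machine trusts; malware routinely runs inside signed host processes (a browser, rundll32.exe, svchost.exe), so an all-'Valid' table is not a clean bill of health. And the check runs on the host you suspect, so a rootkit can lie to it; diffing the output against the same command on a freshly restored VM (the approach Martín describes) and watching traffic from outside the box, as Oskar suggests, are the stronger signals.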
  • ClamWin appears to be very light on resources. No noticeable impact on performance on my machine.

  • Install antivirus software on the computer but give the devs permissions to activate and deactivate the scans, set up exclusion directories etc. When they are doing things that the virus scanner doesn't play nicely with (e.g. working with large managed code apps like OWB or VS2005+) they can turn it off. They then have the option of turning it on if they want to run a scan.

    Best of both worlds.

    sh-beta : We tried this with Symantec, but most developers just ended up leaving it off. There's no incentive to turn it on when it slows their machine to a halt and wrecks their tools.
  • You NEED antivirus software

    It's been said a few times in these answers that developers should know better, or should only install software they need from known good sites, etc, so if you need antivirus you have a social issue, not a technical issue. A few points on that:

    • Prevention is only one of the functions of antivirus. Even if your vendor is slow about getting new definitions out, if your software detects a virus on your machine after the fact you're much better off than if you had no AV software at all.
    • Everyone, no matter how brilliant, makes mistakes. You cannot bet your infrastructure on the perfection of your employees' awareness.
    • Downloading software is only one vector of viral attack. What about software vulnerabilities? What if a "known-good" software site is hijacked? What if automatic update software (Java, Adobe, Apple, MS, whatever) is compromised? Your security is too valuable to leave in the hands of your employees and your vendors.
    • Unless you're a very small company, you have non-technical people working with you. Receptionists, office managers, sales people, etc. If your devs are perfect and your receptionist clicks a bad link his mom sent to him, your network is compromised.
    • Installing AV software on all machines except your developers' leaves the (arguably) most valuable workstations unprotected.
    • Your developers have software on their machines that is not "necessary" for their jobs. Guaranteed. iTunes, AIM, other apps they've discovered that they like. They're smart enough to get around policies/software that tries to prevent this.

    My recommendations

    At Fog Creek, we use ESET NOD32.

    I have tested Symantec, Kaspersky, Norton, ZoneAlarm, Avast, and AVG. All of them have noticeable performance issues, and many were downright unusable for our devs (blocked debuggers, caused issues when hooking into system calls, etc).

    NOD32 has been deployed for nearly a year now, and I've only had a single dev run into any trouble with it (and that was fixed by checking a configuration option). It causes no noticeable performance hit, doesn't interfere with any of our tools, and is unbelievably simple to set up - I deployed it across all of our workstations and servers in the middle of the day from the comfort of my desk.

    The only trouble we had with NOD32 was a big performance hit when running VMWare Workstation during our evaluation period. After exempting all VMWare files from realtime scanning, the problem disappeared.

    Clay Nichols : Good tip on exempting Virtual HD's from being scanned. Interestingly, I checked AVG (which we've had very good luck with) and it already had .vhd exempted.
    Svish : +1, Finally someone with a sensible answer...
    Oskar Duveborn : +1 Why repeat oneself when someone else has done the work already ^^
    From sh-beta
  • ESET NOD32 is the lightest (in terms of cpu usage) Antivirus program that I have found. It is also ranked as one of the better programs by AV-Comparatives. Just make sure to exclude the development or VM directories and you shouldn't have a problem.

    We use Symantec Endpoint Protection at work, and I would recommend against using it. There is a pretty severe performance hit, and it didn't catch anything in the two incidents where users' computers were compromised.

    From Nic
  • One way to considerably reduce the risk of not having it: Do all your web stuff in a VM.

    Being a developer I tend to side with the "I use no antivirus software" route, but that's finally changed this year with the release of Microsoft Security Essentials. I use that both on my home machine and my work dev machine. I exclude the project folders for my solutions as most AVs go haywire during compilation, seeing a bunch of DLLs and EXEs being created and trying to scan them during the super heavy file IO operations of building.
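  Several answers converge on the same recipe: keep real-time scanning, exclude the build tree (routeNpingme), the VM disk files (sh-beta, Burly, Clay Nichols) and the project folders (the Microsoft Security Essentials answer above), and run a scheduled scan of the excluded tree once a day instead. The following is an added example, not configuration from any of the posters, showing that recipe on the Windows Defender PowerShell module (Windows 8 / Server 2012 and later; Security Essentials and the third-party products named in the thread expose the same settings through their own consoles). The paths, the process names and the 02:00 schedule are assumptions to adjust per site.

```powershell
# Added example (not from the original thread): carve the build tree and VM disks out of
# real-time scanning, then compensate with a daily on-demand scan of the excluded tree.
# Windows Defender PowerShell module; run from an elevated prompt. Paths are assumptions.
#Requires -RunAsAdministrator

$devRoot = 'C:\Development'   # source and build output, as in routeNpingme's answer
$vmRoot  = 'C:\VMs'           # hypervisor disk images (sh-beta's VMware exemption)

# 1. Real-time exclusions. Keep the list short and specific: every entry is a location
#    where a dropped payload is never scanned on write, so exclude the build tree, not C:\.
Add-MpPreference -ExclusionPath $devRoot, $vmRoot

# Virtual disk formats mentioned in the thread (.vmdk for VMware, .vhd for Virtual PC /
# Hyper-V) plus the newer Hyper-V .vhdx. Extension exclusions apply wherever the file is.
Add-MpPreference -ExclusionExtension 'vmdk', 'vhd', 'vhdx'

# Process exclusions stop the scanner intercepting the compiler's own I/O. Note the
# semantics: files *touched by* these processes are skipped, not the binaries themselves.
Add-MpPreference -ExclusionProcess 'msbuild.exe', 'cl.exe', 'link.exe', 'devenv.exe'

# 2. Compensate: on-demand scan of the excluded tree once a day, off-hours, as SYSTEM.
$scanCmd = "-NoProfile -Command Start-MpScan -ScanType CustomScan -ScanPath '$devRoot'"
$action  = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument $scanCmd
$trigger = New-ScheduledTaskTrigger -Daily -At '2:00AM'
Register-ScheduledTask -TaskName 'Defender-DevTreeScan' -Action $action -Trigger $trigger `
    -User 'NT AUTHORITY\SYSTEM' -RunLevel Highest -Force | Out-Null

# 3. Verify. Exclusions accumulate and are rarely removed; review this output periodically.
$pref = Get-MpPreference
$pref.ExclusionPath
$pref.ExclusionExtension
$pref.ExclusionProcess
```

  The trade-off this encodes: routeNpingme's observation that malware rarely targets C:\Development holds only as long as nothing on the box knows that convention. A build output directory is writable by every tool in the toolchain, so a compromised dependency or a malicious project file can drop a payload exactly where real-time scanning no longer looks; the daily scan in step 2 is what limits how long such a file stays unnoticed. Prefer process exclusions for the compiler and linker over blanket extension exclusions where the product supports them, since they narrow the unscanned surface to the build itself rather than to every .dll and .exe on disk.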
