Development machines and anti-virus policy
https://stackoverflow.com/questions/1404999
-
05-07-2019 - |
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianQuestion
Our company uses Sophos Anti-Virus with a default configuration that performs on-access scanning on all files.
We are considering turning this off for source code files but are concerned about the potential risk this poses. In our case these files are .cs files containing C# source code.
Does this really pose a risk?
Edit
Within the company we have had a number of issues with viruses recently (all got caught by Sophos) and about 90% of these came from developer machines.
Developers are doing Windows dev work so have full admin rights on their machines.
Solution
Source code files for statically typed, compiled languages are usually simple text files that can't do anything to your system unless they are compiled into executable code.
On the other hand if your source files are actually script/batch files they can often be executed "as-is" by the operating system. So there may be some value in scanning script files and turning it off for any other source file type.
At the simplest this would probably involve the AV filtering on file extension (ie scan all files ending in js, jvs, bat, vbs etc.) Of course this is not 100% fool proof unless the AV also analyses the content of the file too.
So in summary there is almost zero risk in turning off AV scan on .CS source code files. Any viruses coming from developers machines are almost certainly due to the combination of administrative rights and developers who download additional "tools" that actually contain the virus.
If your developers are still working on XP, this is one situation where moving to Vista (or Windows 7) might actually be a good idea due to the improved security thanks to UAC.
OTHER TIPS
Viruses usually don't care about injecting malicious code into uncompiled source files, they usually like to trick you into installing some sh*tty application which turns your machine into a bot.
Got a better solution, tho. Uninstall your virus software, run as a normal user, and don't download and install anything on your dev machine that you aren't 100% sure about.
Are the files flagged by Sophos the code files or other stuff? We've been using Sophos for at least five years on the Scan All setting without any issues, and we have admin rights
The default settings are to NOT scan all files, only infectable file types. Check that "Scan all files" is unchecked. You are safe only scanning the default list of file types sophos scans for.
I'd say no. But then again - I haven't had an antivirus on my machine for nearly 7 years now and haven't caught a single virus either. So I guess I'm a special case.
