What antivirus would you recommend for computers used for Windows development? Would you use an antivirus for these users? These users compile quite often and therefore read and write tons of files. If I deploy a slow-performing antivirus, they will not be happy.
16 Answers
You NEED antivirus software
It's been said a few times in these answers that developers should know better, or should only install software they need from known good sites, etc., so if you need antivirus you have a social issue, not a technical issue. A few points on that:
- Prevention is only one of the functions of antivirus. Even if your vendor is slow about getting new definitions out, if your software detects a virus on your machine after the fact you're much better off than if you had no AV software at all.
- Everyone, no matter how brilliant, makes mistakes. You cannot bet your infrastructure on the perfection of your employees' awareness.
- Downloading software is only one vector of viral attack. What about software vulnerabilities? What if a "known-good" software site is hijacked? What if automatic update software (Java, Adobe, Apple, MS, whatever) is compromised? Your security is too valuable to leave in the hands of your employees and your vendors.
- Unless you're a very small company, you have non-technical people working with you. Receptionists, office managers, sales people, etc. If your devs are perfect and your receptionist clicks a bad link his mom sent to him, your network is compromised.
- Installing AV software on all machines except your developers' leaves the (arguably) most valuable workstations unprotected.
- Your developers have software on their machines that is not "necessary" for their jobs. Guaranteed. iTunes, AIM, other apps they've discovered that they like. They're smart enough to get around policies/software that tries to prevent this.
My recommendations
At Fog Creek, we use ESET NOD32.
I have tested Symantec, Kaspersky, Norton, ZoneAlarm, Avast, and AVG. All of them have noticeable performance issues, and many were downright unusable for our devs (blocked debuggers, caused issues when hooking into system calls, etc).
NOD32 has been deployed for nearly a year now, and I've only had a single dev run into any trouble with it (and that was fixed by checking a configuration option). It causes no noticeable performance hit, doesn't interfere with any of our tools, and is unbelievably simple to set up - I deployed it across all of our workstations and servers in the middle of the day from the comfort of my desk.
The only trouble we had with NOD32 was a big performance hit when running VMware Workstation during our evaluation period. After exempting all VMware files from realtime scanning, the problem disappeared.
- 6,868
I would not install any antivirus software on those machines assuming the following points:
- The computer runs behind a router with built-in firewall, MAC address filtering and NAT.
- Only needed ports are open
- Windows firewall is enabled
- Developers only install software that they need to get things done from trusted sites
- No pirated software is used
- Operating systems are updated regularly
- Devs do not visit underground sites
On dev machines you want maximum performance, and antivirus software is a known antonym of performance. Besides this, antiviruses are not so effective.
- 869
I have a couple opinions here...
Obviously the point of anti-virus is not necessarily to have the fastest, but simply the most effective. I prefer Symantec but to each his own.
One thing you could do is make realtime scan exclusions for a development folder (i.e. C:\Development) or something - that way it's not realtime scanning every compile. Most viruses/malware would not put anything in a C:\Development folder anyway (99% of the time it'll be going into Program Files, Windows, etc). Configure your antivirus to run a scan on the Development folder once per day instead.
On the other hand, normally developers will be pretty computer savvy (we hope). So in that case I'm not sure antivirus is needed at all in this type of environment. The best thing here is to dedicate machines (virtual machines or whatever) just for development and not e-mail, web surfing, and the like. This would yield the fastest performance with no scanning overhead, obviously.
- 2,817
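The once-a-day scan of an excluded build folder suggested in the answer above can be narrowed to what the builds actually produced. This added example (not part of the original answers) inventories EXE/DLL files under the excluded folder by their `MZ` header and reports those that are new or changed since the previous sweep, so the list can be handed to whatever on-demand scanner is in use; the function names, `C:\Development` as the root and the manifest path are assumptions.

```python
import hashlib
import json
import os
from pathlib import Path


def is_pe(path: Path) -> bool:
    """True if the file starts with the DOS 'MZ' magic used by EXE/DLL files."""
    try:
        with path.open("rb") as fh:
            return fh.read(2) == b"MZ"
    except OSError:
        return False  # locked by a running build or unreadable: skip this pass


def sha256_of(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def sweep(root: Path, manifest: Path) -> list[str]:
    """Return executables under root that are new or changed since the last sweep."""
    previous = json.loads(manifest.read_text()) if manifest.exists() else {}
    current, to_scan = {}, []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if not is_pe(path):  # decided by content, not by file extension
                continue
            try:
                digest = sha256_of(path)
            except OSError:
                continue
            key = path.relative_to(root).as_posix()
            current[key] = digest
            if previous.get(key) != digest:
                to_scan.append(key)
    manifest.write_text(json.dumps(current, indent=2))
    return sorted(to_scan)


if __name__ == "__main__":
    # Assumed layout: the excluded folder from the answer; manifest kept outside it.
    root = Path(r"C:\Development")
    for rel in sweep(root, Path(r"C:\ProgramData\dev-sweep.json")):
        print(root / rel)
```

Keeping the manifest outside the excluded folder means a process that can write build outputs there cannot also rewrite the baseline it is compared against.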
Background
There are obviously multiple variables involved here, so there is not a one-size-fits-all response. These variables include:
Existing company/corporate policies
Any policies involving security mandates (such as the requirement to run the company configured AV) may make this decision a non-issue.
Variability of the "production" environment.
If this is an application that is being deployed in a controlled environment OR a limited environment then it is a good idea to duplicate that production environment for your testbeds.
If however, this is an application that is going to be released "into the wild" then there is obviously no way to test for all possible production configurations.
Development and testing environment
If there is a formal testing/QA team and environment or even just a build server, then this is likely the best place to mimic the production environment, not the developers' machines.
Security Concerns
This is a book all to itself, but the security concerns may outweigh any of the particular trade-offs to the developers' machines. This depends on such things as:
- Sensitivity of the data and/or code
- Connectivity to outside networks/internet
- Removable media
- much much more
Developer's Machine Performance
The obvious here is the performance hit during development due to the CPU and I/O tax introduced by the virus scanner. The not so obvious potential impacts are:
- Downtime associated with the contraction of a virus/trojan/malware and subsequent removal
- Performance impact of the virus/malware if no AV software is present to detect and notify the user such that they continue to work with the virus/malware present.
If you are using virtual machines or have a development image or have regular backups, this downtime potential may be insignificant. If the developer is going to have to reinstall and reconfigure everything on his/her machine from scratch (depending on the severity of the virus) then the downtime could be a severe penalty.
Probability of Contraction
The probability that a virus/malware will be contracted by the developer's machine is a huge wildcard/unknown. However, if you are working on a closed network and don't bring in much outside media, the risk is obviously much lower than if all of the machines are directly connected to the internet.
If the development environment is Mac OS X or Solaris or Linux, etc., then the probability of contraction is much lower than on the Windows platform.
Also, if the nature of the development itself increases the exposure of the developers' machines to potentially unsafe traffic, this increases the probability of contraction.
Recommendations
Based on the status of the variables above (and probably more) there are several options (in increasing security, decreasing performance order):
- No AV software at all
- AV software with no real-time protection but scheduled virus scans during off-hours
- AV software with real-time protection but exclusions on folders/filetypes involved in the development process
- AV software with real-time protection and no exclusions
There are obviously a number of variations on these four options (such as ones involving the use of Virtual Machines) but I think this covers the major options.
Personal Usage
For what it's worth, I personally use Symantec Corporate at work and Avast Free Edition at home. I have real-time protection enabled with the only exclusions being for my Virtual Machine folders/vmdk files. I do some of my development in the host and some of it in the guest. I do C# and native C++ development for the Windows platform and find the performance penalties manageable.
- 379
I would deploy the same AV solution as in your production environment. That way you have one management interface and you get an apples-to-apples comparison as to impact, especially as the newer ones are incorporating more and more intrusion prevention measures with each version. One AV solution may not react the same as another as a result.
- 9,124
ESET NOD32 is the lightest (in terms of CPU usage) antivirus program that I have found. It is also ranked as one of the better programs by AV-Comparatives. Just make sure to exclude the development or VM directories and you shouldn't have a problem.
- 107
You definitely want real-time scanning on these machines.
I've been out of the game awhile, but to my knowledge the three main surfaces to cover are infection by removable media like floppies & USB storage (mainly boot-sector viruses), email (mostly trojan horses), and network services (worms). A development machine is likely going to have all three.
I would advise following routeNpingme's suggestion of specific exceptions on filesystem scanning for real-time scanning.
- 163
Being a developer, I tend to side with the "I use no antivirus software" route, but that's finally changed this year with the release of Microsoft Security Essentials. I use that both on my home machine and my work dev machine. I exclude the project folders for my solutions, as most AVs go haywire during compilation seeing a bunch of DLLs and EXEs being created and trying to scan them during the super heavy file IO operations of building.
- 1,454
We're using Trend Micro in production, and I've recently installed it on all our TEST VMs (after one got a virus) and have noticed no noticeable performance loss (20+ VMs on one eight-core host). These machines get thrashed by our support department when trying to reproduce customer environments. It's a barebones AV and does the trick. It's picked up a couple of things that would have otherwise infected a machine after visiting the dreaded underground sites.
- 2,792
We use Symantec Endpoint Protection at work, and I would recommend against using it. There is a pretty severe performance hit, and it didn't catch anything in the two incidents where users' computers were compromised.
- 13,695
I use Kaspersky and my desktop's performance doesn't seem to be affected by it -- unless it's doing an automatic update. It's the most bullet-proof anti-virus that I know of and have used.
- 57
I prefer not to have antivirus installed, but the average developer (and I mean 90% of the developers) sure needs it. I've been using McAfee (forced by company policy) and have had no major issues. If you have the option to filter out the folders where the source code resides, that'll fix most of your problems.
- 319
I personally don't run any. I have OS X and run my Visual Studios in VMs. I never got infected, but I regularly back up my VMs and in case of Windows problems, I can always grab a fresh VM (ready to use), do an SVN checkout and start working within 15 minutes.
It happened to me that I broke my Vista Machine (Virtual) while toying with the registry and had to do the above. It can be a pain if your VM doesn't support snapshots (VMware does) or if your backed up VM is not "up to date".
ClamWin appears to be very light on resources. No noticeable impact on performance on my machine.
- 2,196
Install antivirus software on the computer but give the devs permissions to activate and deactivate the scans, set up exclusion directories etc. When they are doing things that the virus scanner doesn't play nicely with (e.g. working with large managed code apps like OWB or VS2005+) they can turn it off. They then have the option of turning it on if they want to run a scan.
Best of both worlds.
One way to considerably reduce the risk of not having it: Do all your web stuff in a VM.
- 101