2 Replies Latest reply on Sep 23, 2011 4:24 AM by oaker

    Development Environment Exclusions

    onires

      So I thought I would start this as I have not been able to come across any good discussion on the web in regards to development environments and antivirus setups.  There are some out there that are discussed by the engineering staffs themselves but nothing that I have come across that the security groups or admins within IT have talked about.

       

      Just so everyone knows, I'm currently running:

       

      ePO 4.5

      Agent 4.5

      VSE 8.7 and 8.8

       

      Right now, in terms of the development environments, I have certain directories that are set up for engineers to put the dev directories in. These directory structures are excluded from the on-access scans (i.e. something easy like c:/dev). This helps the builds drop in build time by about 10% compared to when they are not in the excluded directories. Mostly the builds are being run using Visual Studio 2005 and 2010 with some Python and Tcl scripts for auto-generated code. Obviously I'm looking to help decrease that build time even further without jeopardizing security, but I'm not too sure where else to look. I'm working with an engineering team right now and will be gathering more information and testing data to help with this.

       

      I'm looking for some suggestions/ideas or things that you have implemented in your development environments that you would recommend. Should I put Visual Studio executables as low-risk processes within the ePO? Is that recommended?

       

       

      Thanks in advance for the help and ideas!!

        • 1. Re: Development Environment Exclusions
          tao

          McAfee VSE Best Practices for Web Development Environments would definitely be a welcome resource. Indeed, all WDE wouldn't be covered, but at least some insight on some of the major WD packages in relation to McAfee VSE exclusions.

          • 2. Re: Development Environment Exclusions
            oaker

            As you obviously already know, there are two exclusion techniques that can be applied here: folder/file/ext exclusions and process exclusions (low risk option). We have looked into that issue ourselves because a lot of Eclipse devs complained about performance (and rightly so). Excluding whole folders and subfolders is always a tremendous risk and one usually not worth taking. Even so, compared to process excludes it is the less optimized approach if performance is a concern. The risk of adding the VS executables as low risk processes is much lower than excluding the whole folder and serves the same purpose. However, it all depends on how you configure the low process policy. If need be, you can exclude the folder in the low risk process policy, which gives you exactly the same result but at much less risk. You just have to make sure you add all the right and relevant processes to the policy.