Our company uses Sophos Anti-Virus with a default configuration that performs on-access scanning on all files.

We are considering turning this off for source code files but are concerned about the potential risk this poses. In our case these files are .cs files containing C# source code.

Does this really pose a risk?

Edit

Within the company we have had a number of issues with viruses recently (all got caught by Sophos) and about 90% of these came from developer machines.

Developers are doing Windows dev work so have full admin rights on their machines.

A: 

I'd say no. But then again - I haven't had an antivirus on my machine for nearly 7 years now and haven't caught a single virus either. So I guess I'm a special case.

Vilx-
+1  A: 

Viruses usually don't care about injecting malicious code into uncompiled source files; they usually like to trick you into installing some sh*tty application which turns your machine into a bot.

Got a better solution, tho. Uninstall your virus software, run as a normal user, and don't download and install anything on your dev machine that you aren't 100% sure about.

Will
Sadly not an option - see my Edit
Richard Ev
Sucks, dude.
Will
+2  A: 

Source code files for statically typed, compiled languages are usually simple text files that can't do anything to your system unless they are compiled into executable code.

On the other hand if your source files are actually script/batch files they can often be executed "as-is" by the operating system. So there may be some value in scanning script files and turning it off for any other source file type.

At the simplest this would probably involve the AV filtering on file extension (i.e. scan all files ending in js, jvs, bat, vbs etc.). Of course this is not 100% foolproof unless the AV also analyses the content of the file too.

So in summary there is almost zero risk in turning off AV scan on .CS source code files. Any viruses coming from developers' machines are almost certainly due to the combination of administrative rights and developers who download additional "tools" that actually contain the virus.

If your developers are still working on XP, this is one situation where moving to Vista (or Windows 7) might actually be a good idea due to the improved security thanks to UAC.

Ash
The source code files in question just contain C#, so they're not anything that can be executed on their own. I've updated my post accordingly.
Richard Ev
I turn off AV scanning on my development folder. However, I've not actually noticed much of an improvement speedwise. Ash is right though - plain text is plain text, so you're not going to run into much of a problem there.
Randolph Potter
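
The caveat in the answer above, that filtering on file extension is not foolproof unless the content is also analysed, can be checked before `.cs` is excluded from on-access scanning. The following is an added example, not code from this thread or from Sophos; the function names and the sample files are constructed for illustration. It lists files that carry the excluded extension but do not look like source text.

```python
import codecs
import os
import tempfile

# Formats that should never sit behind a source-code extension.
BINARY_MAGIC = {b"MZ": "PE executable", b"PK\x03\x04": "ZIP-based archive"}

def classify(head):
    """Return why these leading bytes are not source text, or None."""
    for magic, name in BINARY_MAGIC.items():
        if head.startswith(magic):
            return name
    if head.startswith((b"\xff\xfe", b"\xfe\xff")):  # UTF-16 source with BOM
        try:
            text = codecs.getincrementaldecoder("utf-16")().decode(head)
        except UnicodeDecodeError:
            return "invalid UTF-16"
        return "NUL characters" if "\x00" in text else None
    return "NUL bytes" if b"\x00" in head else None

def audit_exclusion(root, ext=".cs", sniff=4096):
    """List (relative path, reason) for files with `ext` that are not text."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if name.lower().endswith(ext):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    reason = classify(fh.read(sniff))
                if reason:
                    findings.append((os.path.relpath(path, root), reason))
    return findings

def demo():
    """Audit a constructed sample tree (all file contents are made up)."""
    samples = {
        "Program.cs": b"using System;\nclass P { static void Main() {} }\n",
        "Utf16.cs": b"\xff\xfe" + "class Q {}".encode("utf-16-le"),
        "Renamed.cs": b"MZ\x90\x00" + b"\x00" * 60,  # PE-style header
        "Blob.cs": b"\x01\x02\x00\x03",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return audit_exclusion(root)

if __name__ == "__main__":
    print(demo())
```

An empty result from `audit_exclusion` on the real source tree means every `.cs` file there starts like text; any finding is a file that should stay under the scanner's eye.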
A: 

Are the files flagged by Sophos the code files or other stuff? We've been using Sophos for at least five years on the Scan All setting without any issues, and we have admin rights.

CodeByMoonlight
Viruses have been encountered in things like movie files downloaded using BitTorrent (managing/preventing that is a different topic!). So no, source code files have not been a source of viruses.
Richard Ev
That's what application control is for :-).
Douglas Leeder
+1  A: 

The default settings are to NOT scan all files, only infectable file types. Check that "Scan all files" is unchecked. You are safe only scanning the default list of file types Sophos scans for.