When forming opinions, it is a good practice to follow scholastic tradition – think as hard as you can against the opinion you hold and try to find counter-arguments.
However, no matter how hard I try, I just cannot find reasonable arguments in favor of antivirus (and related security measures) on development machines.
Arguments against antivirus(AV) in development are plentiful:
- It is not uncommon for 1 minute build to take 10 times longer with AV on
- In a conference talk, IntelliJ developers claim AV software is #1 suspect when their IDE is sluggish
- Unzipping comes with roughly 100 kb/s speed with AV on
- AV renders Cygwin completely unusable (vim takes 1 minute to open a simple file)
- AV blocks me from downloading useful files (JARs, DLLs) from colleagues’ e-mails
- I can’t use multiple computers for development, since AV / security measures prevent me from unblocking ports
- AV kills performance of programs with high file turnover, such as Maven or Ant
Last, but not least – what does AV actually protect me from? I am not aware of my AV program ever stopping any security thread.
If the reason is fear of disclosing NDA stuff – no AV can possibly prevent me from doing it if I set my mind to it.
If the reason is fear of losing source code and/or documentation – there are distributed revision systems for this (there are at least 20 copies of our repo and we sync on daily basis).
If the reason if fear of disclosing customer data – developers rarely work connected to real production databases, instead they are playing around in toy environments.
Even if there are meaningful arguments in favor of having AV on development machines, they fall apart when faced with the ability to run a Virtual Machine in your paranoidly protected environment.
Since I want to keep an open mind of the issue, could anyone present meaningful, strong argument in favor of Anti-virus software for developers?
22
The one reason to use anti-virus software on development machines that trumps all your arguments is:
To comply with security audits.
Banks, government agencies, large regulated firms with sensitive data don’t have a choice on this matter.
5
Really, there is absolutely no reason to exempt developers from having anti-virus software on their machines. And overwhelmingly many reasons to require it.
Most of the disadvantages you mention can be addressed by telling the anti-virus software that your development folder (the one tied to your code repository) is a trusted location. After we had done that (and made IT postpone the daily scan for us to some time point in the evening as most developers leave their machines on anyway), we no longer had any issues with anti-virus software on our machines.
As for the download of files from e-mails: just tell your friends to use a different extension. Not a known one – anti-virus software is clever enough to check that it is or isn’t what it purports to be, a made-up one. Update: Please note that this is a way to get around most e-mail clients’ rather dumb rules regarding attachments. Most anti-virus software isn’t fooled by the extension change and even if it is, the anti-virus will kick when you come to re-rename the extension to actually use it.
And for the port issue: that is about the only thing in which the policies of the anti-virus software may need to be different for developers, but honestly, we have to and can unblock our server instances all we like, we can still not accept connections from outside our local network. And security wise, that is how it should be. And we are working with a remote team. They use a VPN (Virtual Private Network) so are “within” the local network as far as the anti-virus software is concerned.
9
There are many reasons to use an anti-virus. However, personally, I don’t feel the trade offs are worth it. You can protect yourself by just being smart about using computers:
- When something asks for administrative permissions, why is it doing that. What does it need those for?
- Ensure your machine receives automatic updates
- Disable dangerous and unneeded things from automatically running in your browser (Flash, Java, Silverlight)
- Checked
msconfigevery once in a while. Is a strange program running at start up? Time to do a (one-time) scan and ensure it’s not anything bad - Use a VM for development. This has a speed penalty, but last time Windows 8 died on my VM, all I had to do was revert to a snapshot from a week back and do a
git pull. Much easier to do this than to keep snapshots of physical machines, especially with changing hardware
I’ve never seen an antivirus that didn’t significantly impact system performance. I’ve switched to Linux and/or OpenBSD in 2008, where I still watch what programs I run, but it’s much easier there than Windows to know what a program will do (primarily due to most things being open source).
Anyway, since I’ve switched, I now run Windows in a VM and Linux on the physical machine almost exclusively, including at my (Microsoft shop) workplace. I’ve never installed an antivirus on a VM. I don’t really browse the web or anything on the VM for obvious reasons, so I don’t worry much about my bank account info going anywhere. The worst thing they could get is some proprietary info or my password. I use random passwords, so that’s pretty pointless. And if the virus is to get proprietary info (say proprietary source code), then it’s probably so targeted and custom that no antivirus will detect it anyway.
Edit:
Actually, I do run one AV program on my VM. I use Windows Defender, but that’s basically because it’s on by default, and so lightly intrusive that I’ve never noticed it running
Since I want to keep an open mind of the issue, could anyone present
meaningful, strong argument in favor of Anti-virus software for
developers, please?
I suspect most people who visit this forum are smart enough not not to download or visit dangerous internet sites, so they view AV as an annoyance or not needed.
But, really you need AV software. Not for you, but for the poor sap (computer neophyte) who clicks on “Click here to see cute kittens” link in an email and the last thing they see are hundreds of pop ups with cute little kittens saying “all your bases belong to us” as there machine is infected by malware.
Then the malware spreads across your network and then next thing you see is your processor running at 100% and nothing is working.
Unless you developing in a bubble, I want protection. I can cite that once I worked for company who decided they didn’t need AV and for a time it was OK, until everyone’s machine got infected. Well machines got reformatted and a lot of time was lost. Then everyone got AV and a company notice to not disable or un-install AV.
As others have suggested, you can tweak the AV so it will have less impact on your daily efforts.
You can walk the tightrope without a net, but really I prefer having a the net, even if I never need it.
4
I agree that antivirus software is so intrusive that it makes one wonder whether the medicine is worse than the cure. I, too, am tempted to turn it do without and see what happens.
However, I have never done this, because there are serious risks to doing without antivirus software. Information can be stolen, data can be lost, or your computer can be bogged down by spyware. Your software has likely blocked many attacks that you weren’t even aware of. And anyway, “it hasn’t happened yet” is never a good argument against precautionary measures.
One thing I would suggest is tweaking the settings of your anti-virus software. You can probably disable some of the features to arrive at an acceptable compromise between performance and security. Most of the major problems that you describe come from real-time file scanning. I do not think you really need this (as long as you’re not doing anything stupid), and if you turn it off, you will probably find that 90% of the annoyance goes away.
I’ve never experienced slow downs with build times. I’m a Windows developer & Windows 8 has robust AV built in (Win XP-7 you could use the free Microsoft Security Essentials – which is an excellent product that have very little impact on performance).
If your build times are taking 10x longer I would suggest finding better AV software on your platform – and ensure you’re using MSE on your Windows machine.
If your company writes Antivirus Software you might need to test or dogfood your software.
Sounds far fetched, but it was exactly my case 3 or 4 years ago, and I can assure you it was not zero impact at all.
Furthermore, in 2010,
The malware industry has published nearly four new viruses per minute in the first half of the year.
–https://www.gdatasoftware.co.uk/press-center/news/article/article/1760-number-of-new-computer-viruses.html
Given those numbers, the only way AV software can keep up is through heuristics — in practice monitor particular win32 calls and making them trigger the AV. Of course, this is a bit of a problem if you need to make those calls as a developer. Again, a problem I did see happen.
As soon as there exists AV software for power users, I’d say there would be no reason against it. The problem is that all* AV software is made for your parents. They have more money than you, and are willing to pay for the feeling of security (and clicking more buttons to download kitten toolbars).
* For suitable values of “all.” I’ve found every AV program so far (about half a dozen major brands) extremely obnoxious and invasive.