MIME-Version: 1.0
References: <SI2PR06MB4428406980C4C5CB49D96E0495579@SI2PR06MB4428.apcprd06.prod.outlook.com>
 <c4c91b98-d94f-1e7c-c568-87b767cb142a@SystematicSw.ab.ca>
In-Reply-To: <c4c91b98-d94f-1e7c-c568-87b767cb142a@SystematicSw.ab.ca>
Date: Sat, 8 May 2021 22:50:45 -0400
Message-ID: <CAEMWCRsMkJQGK_mFuLk7tzj0XNNjkL8jowVDM8N922WRLR1iRQ@mail.gmail.com>
Subject: Re: McAfee Anti-Virus Exclusion
To: Cygwin <cygwin@cygwin.com>
List-Id: General Cygwin discussions and problem reports <cygwin.cygwin.com>
List-Archive: <https://cygwin.com/pipermail/cygwin/>
List-Post: <mailto:cygwin@cygwin.com>
List-Help: <mailto:cygwin-request@cygwin.com?subject=help>
List-Subscribe: <https://cygwin.com/mailman/listinfo/cygwin>,
 <mailto:cygwin-request@cygwin.com?subject=subscribe>
From: Jim McNamara via Cygwin <cygwin@cygwin.com>
Reply-To: Jim McNamara <nefariousscheme@gmail.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: "Cygwin" <cygwin-bounces@cygwin.com>

On Sat, May 8, 2021, 7:33 PM Brian Inglis <Brian.Inglis@systematicsw.ab.ca>
wrote:

> On 2021-05-07 04:57, Lam Jian Zhou via Cygwin wrote:
> > We have encountered an issue with Cygwin processes getting slow when
> > using McAfee anti-virus.
> > We have put in all the exclusions so that Cygwin processes and folders
> > are not scanned or checked, but the slowness still exists.
> > We have tried McAfee's recommendation on this:
> > https://docs.mcafee.com/bundle/endpoint-security-10.7.x-common-product-guide-windows/page/GUID-459435D7-AE7B-4656-9120-9235F39EA0D6.html
> > but are still not able to solve the issue.
> >
> > We have tried to find the issue in various forums but there is not much
> > helpful information on this, and even McAfee support told us only Cygwin
> > support can give the answer.
> >
> > Would you be able to give some recommendation of what should be excluded
> > for Cygwin processes?
> > Or are there any other Windows processes that will be triggered along
> > with Cygwin, so we can exclude them as well?
>
> Cygwin support is a bunch of volunteers, so unless you can demonstrate an
> obvious reproducible problem across multiple different installations, using
> a simple test case, caused by Cygwin doing something it should not, it is
> unlikely anyone here will be able to help much.
> Please note that Cygwin is doing only what it has to, in order to support a
> POSIX development environment under Windows.
> If it seems too slow for your uses, please consider testing, timing, and
> running your development toolchain under faster environments: try one of
> the many distros under WSL, local or server VMs, Docker, etc.
>
> The problem is with McAfee going out to servers to check every executable,
> rather than remember locally that a file has already been checked using a
> hash over contents and properties, and skipping future checks.
> If you have problems with McAfee, complain to Intel, and thence to whoever
> insists you run a legacy AV suite.
>
> Run Windows Defender if you need an AV and want to minimize slowdown.
> More intrusive AV will intercept and interfere more with performance (like
> anything called End Point Protection, which is known to break Cygwin).
> Have your techs run your processes with only Windows and Cygwin installed,
> then with Windows Defender, then with Intel McAfee AV to see the
> differences.
>
> Looking at the McAfee exclusions, they are decades out of date, most
> installations are now x86_64, and may also support x86 [32 bit], so you
> need to exclude the compiler and build toolchain utilities (gcc, llvm,
> clang, binutils, coreutils, c/make, libtool, git packages) in /bin/,
> /usr/*86*-pc-cygwin/, /lib/gcc/*86*-pc-cygwin/[1-9]*/ and all their DLLs
> /bin/cyg...*.dll for all installed compiler and utility versions.
> Note that Cygwin supports git (and is part of the toolchain used to build
> Git for Windows mentioned by McAfee), so add /usr/libexec/,
> /usr/libexec/git-core/, and other contents of that tree to your exclusions.
>
> On development machines, Adaptive Threat Protection (guessing based on
> patterns matching existing malware) will slow down every step of every
> build, so switch it off, as well as any other guessing games, cloud or
> remote access!
>
> Following McAfee's suggestions, using gpg keys and SHA2 hashes, make a
> verified clean Cygwin developer build of everything you use, and upload
> everything installed to McAfee's GTI servers, and the validation files to
> your own TIE servers: clone to each developer machine and run a local TIE
> server there.
> Do the same for everything in all your production builds.
>
> --
> Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada
>
> This email may be disturbing to some readers as it contains
> too much technical detail. Reader discretion is advised.
> [Data in binary units and prefixes, physical quantities in SI.]
>
> --
> Problem reports:      https://cygwin.com/problems.html
> FAQ:                  https://cygwin.com/faq/
> Documentation:        https://cygwin.com/docs.html
> Unsubscribe info:     https://cygwin.com/ml/#unsubscribe-simple


Hi,

I have really good luck with Webroot.
AVG ... not so much (Cygwin false positives)! Webroot and Malwarebytes go
well together. Webroot uses its own outbound firewall and Windows Defender
for inbound. I think I remember from a YouTube review that it has to be
connected to the internet for the scanner to detect threats.

It is good to know that software labeled endpoint software won't work. I
know of one such place using it.

I hope you can use Defender and save $. If not, hopefully 2 more good
suggestions for you.

Robo-loki
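
The directory patterns named in the quoted message, expanded against an actual installation, as an added example that is not part of the original thread. The function name, the OK/WRITABLE labels and the world-writable check are assumptions of this example; `cygpath -w` is used only when it is present.

```shell
#!/bin/sh
# Added example (not from the thread): list the directories that match the
# exclusion patterns quoted above, and flag any that every user can write to,
# since an excluded directory that anyone can write to is never scanned.

list_exclusion_dirs() {
    root=${1%/}    # Cygwin root as seen by this shell; "/" inside Cygwin
    for d in \
        "$root"/bin \
        "$root"/usr/*86*-pc-cygwin \
        "$root"/lib/gcc/*86*-pc-cygwin/[1-9]* \
        "$root"/usr/libexec \
        "$root"/usr/libexec/git-core
    do
        # A glob with no match stays literal, so skip anything not a directory.
        [ -d "$d" ] || continue

        # POSIX mode string: the 9th character is the "other" write bit.
        # On Cygwin this is a mapping of the Windows ACL, so treat it as a hint.
        case $(ls -ld "$d") in
            d???????w*) state=WRITABLE ;;
            *)          state=OK ;;
        esac

        # Exclusion lists are entered as Windows paths; convert when possible.
        if command -v cygpath >/dev/null 2>&1; then
            printf '%s %s\n' "$state" "$(cygpath -w "$d")"
        else
            printf '%s %s\n' "$state" "$d"
        fi
    done
}

# Stand-alone use: sh script.sh /   (or the path of the Cygwin root)
if [ $# -gt 0 ]; then
    list_exclusion_dirs "$1"
fi
```

Directories reported as WRITABLE are worth tightening before they go into an exclusion list.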





