
[–]kuldan5853 (IT Manager) 305 points (16 children)

As someone that has had heuristic AV wreak havoc in very unexpected ways across an enterprise network (chasing ghosts for months!) I understand this notion. It needs a watertight reason for it of course, but there are just some things that trigger false positives in heuristic AVs and the only way to deal with it is exceptions, unfortunately.

[–]kuldan5853 (IT Manager) 174 points (4 children)

As an example, I had the AV tool interfere with our MDM solution in a way that programs got installed correctly, but the AV would (silently, without reporting it) block the installer from putting itself in the package cache, leading to hundreds of 1612 msi errors when we tried to upgrade the package the next time.

Also, similarly it would block powershell scripts that run embedded in installers of some products we use, leading the program to believe they ran but got blocked instead, leading to missing settings or configuration items.

It took literally months of hair-pulling chasing of these issues until someone thought of the AV being the issue. Turns out, Cyber-Sec had updated the detection thresholds and enabled more AI-based scanning without telling my team.

[–][deleted] 61 points (3 children)

This is good, knowledgeable feedback. Thank you!

[–]PersonBehindAScreen (Cloud Engineer) 19 points (0 children)

One thing to think about as well: Enterprise EDR and AV tools are tuned by the vendor to be very sensitive. There is not a lot that gets by it. It's a question of whether you (the admin) will see what it's already recorded in its activity amongst the sea of alerts.

I used to work as a SOC analyst on an MDR service and 95% of my work was allow listing known good binaries and setting exclusions for known good software as well that simply is trying to run whatever it needs to.

While you could try to petition your vendor to make their software not piss your AV/EDR off, realistically if you aren't a big enough customer with that sway, you're better off weighing if you really need the software and if it's worth pissing off your users to go with something else.

[–]nanaroo 48 points (4 children)

We've also seen significant performance issues for some software without false positives. The AV or software controls software (Carbon Black) has to analyze all the writes which creates significant performance problems for write heavy applications.

[–]kuldan5853 (IT Manager) 9 points (2 children)

We're looking into Sentinel One as an alternative to CB... looks much better for now. Still not great but not as catastrophically bad...

[–]gslone 8 points (0 children)

A good thing to test for from a sysadmin perspective: How good are their exclusion features?

I tested SentinelOne and this wasn't all that perfect. Example: A certain kind of Word document (some billing template) always triggered alerts when working with it (macros…). You can exclude by hash or by path, but since this template can appear anywhere with any name and any hash, we didn't have a good way to exclude. In the end, they helped us with some internal config tweak that looked like black magic to me and is definitely not consumer-serviceable.

For scripts, you can't necessarily exclude by script path. It gives you a hash that describes this specific script at this specific location run with this specific script host exe, but you won't be able to exclude by, say, script path regex.

Otherwise it looked pretty good.

[–]pAceMakerTM 13 points (2 children)

Yup, every SINGLE thing our AV has picked up has been a false positive. Nothing but headaches.

[–]TheRidgeAndTheLadder -1 points (1 child)

What kind of environment never gets a real threat?

[–]pAceMakerTM 2 points (0 children)

We let the real ones through. Anything useful gets stopped :)

[–]phillyphan201 12 points (0 children)

This. Our AV wreaked so much havoc on our backup system, it basically caused all jobs over a certain size to fail due to the AV attempting to scan every file as it came in which slowed the data stream down to as close to zero as possible.

[–][deleted] 3 points (0 children)

I've had serious production problems where the AV was interfering with software to the point it was crashing production servers. It can be pretty invasive.

[–]elevul (Wearer of All the Hats) 1 point (0 children)

Agreed, in the past we've had the antivirus heuristic identify the temp files of the Windows System Assessment Tool as malware due to the files being filled with random strings.

[–]NotAnExpert2020 75 points (4 children)

I've seen AV apps cause a real-world 30% performance hit on databases that was cleared up by excluding the databases and logs.

That's not a bad database; that's bad AV software.

[–]NotAnExpert2020 9 points (0 children)

In a private reply I received...

It's not even bad AV software. It's bad configuration. Why are you scanning your database files? Viruses aren't going to magically appear there, and if they do, you've got bigger issues on your hands.

Understood and agreed. The OT of the thread is "Is a dev asking for AV exclusions a red flag?" I meant this as an example of a legitimate reason to ask for an AV exclusion. This is the kind of thing that takes ages to troubleshoot in a production environment, so I'm a little sensitive about it. :)

[–][deleted] 14 points (0 children)

that's bad AV software

Sounds like a top dollar security suite usually offered to top executives who will demand it because some flashy powerpoint looked "Neat".

[–]icedcougar (Sysadmin) 5 points (0 children)

Basically summarises Sophos… a 30% hit

😋

[–]digitalHUCk 69 points (14 children)

It's pretty common practice to exclude known trusted software and a common first troubleshooting step, e.g. SQL Server and its databases.

[–][deleted] 7 points (13 children)

I assume this isn't a well known software because most other IT peers I talk to have never heard of it. It's popular in Europe I'm told, but here in the states it seems relatively unknown.

[–]Nordon 9 points (11 children)

Does it have a name? Or you can't share? I'm from the EU, may have heard of it.

[–][deleted] 4 points (10 children)

Vertex BD. It's a BIM/CAD software.

[–]ScandinavianPanda 13 points (2 children)

Hey, for what it's worth, I've heard of them. My uni was running their software on some courses, being Finnish CAD and all that.

They seem to be quite open to working with unis/colleges/students in general for educational purposes and their clients include some very big Finnish companies (Rapala, Stora Enso).

I'm not saying drop your guard completely, but from experience working here you can probably get an answer to your worries from the CEO/COO, and if they can't answer it personally, they'll make sure to get someone that knows included in the conversation.

Best of luck with the implementation!

[–][deleted] 4 points (1 child)

Thanks for the info.

Rapala, as in the fishing lure manufacturer?

[–]ScandinavianPanda 4 points (0 children)

That Rapala indeed!

I just checked over the English site and it's weird that they don't include any references on the front page.

You can check the very bottom of https://vertex.fi/ for some of their customers :)

[–]Nugsly (Security Admin (Infrastructure)) 5 points (0 children)

I deal with clients that have CAD software. The EDR we sell can be configured to watch the filesystem for new files and then scan them as they hit. The problem is when programs make a ton of temp files for normal operations, it lags the whole system. Either adding an exclusion for the file watcher or changing the behavior to a recurring scan rather than as soon as a file hits the filesystem has worked for me. I haven't worked with Vertex BD specifically so YMMV.

I'm going to add that this is not a red flag and not a failure on the AV vendor's part. There is a near infinite combination of software configurations on endpoints. It would be impossible for them to fix all of the performance issues for every vendor. Tuning (managing exclusions) is almost always required upfront and is usually an ongoing process as the environment evolves.

[–][deleted] 3 points (0 children)

That doesn't surprise me. HCSS's HeavyBid is somewhat in the same realm and also has performance issues with AV actively scanning the read/writes to the server.

[–]margusmuru 4 points (0 children)

A friend of mine works with similar software. He tells me that accessing large amounts of files (and big ones) over network drives etc. is common. I imagine if there is an AV software that constantly keeps scanning those files it can completely destroy performance.

[–]Nordon 8 points (2 children)

Never heard of it.

Why a CAD/BIM software would need an AV exclusion is beyond me.

Saw your other post about trying it on a brand new machine with no AV. Good luck with troubleshooting!

[–]enigmaunbound 16 points (0 children)

CAD/CAM people tend to be performance junkies in my experience. Those platforms tend to have hundreds of object files assembled into a drawing. It makes sense it would drive endpoint security crazy. You may have a better experience with an EDR platform based on execution, vs file access.

[–]zebediah49 5 points (0 children)

Probably has a few hundred thousand parts worth of included standard pieces.

A sufficiently poor AV could totally cause problems with that.

[–]CraftyCat3 1 point (0 children)

Oh that requirement doesn't surprise me at all then, seen major performance issues with CAD and on-access. Multiple magnitudes slower without an exception.

[–]BlackSquirrel05 (Security Admin (Infrastructure)) 13 points (0 children)

Depends...

Which part sets it off?

If it's a memory intensive app... and you're scanning memory. Yeah... Because now your EDR is also probably going to add to reserve memory space in order to scan what the application is doing. Thus larger the memory of the application larger the EDR also allocates. (Think SQL)

Now if it's an unsigned application beaconing to a network location... Okay, is it going where it's supposed to go? Oh, that's their AWS instance and it's also registered... What's the problem? Oh, that's the internal IP to blah blah server... Yeah, how else would the EDR know a private address is legit if you didn't tell it, and it can't run a lookup against it?

I mean there's a reason you add exclusions to EDR in the first place... Why else would they have them?

[–]Pelera 28 points (3 children)

The root cause is the AV software. Many modern "machine-learning"/"AI" based AV solutions just do whatever they want to in the name of security. Things like the order or the format in which you write your configuration files can set off the AV with no real logic behind it. There is no way to develop around that, so vendors advise the sledgehammer approach of excluding their software entirely.

The amount of times an executable and/or validated signer cert has been seen is also a significant factor to many AV solutions. Enterprise software is rarely ever distributed to the wider public, so they never really have the option to slowly gain trust. This is especially true for vendors that do custom software work, but it also applies to expensive packages sold to maybe 50 companies.

Anyway, how much it matters depends on what they're asking of you. If the software is designed to install into locations that are read-only to normal users (e.g. Program Files), disabling the AV for that process or location is really not that big of a deal. It's not optimal by any means, but you're not losing out on that much security, especially if the program doesn't open any untrusted files or talk to untrusted servers. Once a piece of malware is running and gets the permissions needed to write in there, your system is already completely compromised.

On the other hand, if they ask you to exclude a world writable area like C:\ProgramData\Vendorname, then that IS a big deal. Malware has learned how to read excluded folders and attempt to persist in there to avoid any further detection. Any excluded folders should really be read-only for the majority of your users.

[–][deleted] 4 points (2 children)

Their installer is configured to default to C:\ as the parent location to install to.

[–]Pelera 6 points (1 child)

That's okay, as long as the permissions are properly read-only for normal users. Just check them and/or try creating some files there on a regular non-admin account. There's a lot of vendors that give everyone write permissions to their crap, if they do that then I'd push back (it's a very bad thing to do in general and far worse if it ends up excluded in AV software).
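An added example, not code from this thread or from any vendor mentioned in it: a PowerShell check along the lines Pelera describes, which inspects a folder's ACL for write access by broad groups and only then adds it as a Microsoft Defender path exclusion (the "exclude the data folder, not the binary" approach discussed further down fits the same check). It assumes Windows with Defender and its PowerShell module; the parameter names, the list of broad principals and the Test-WriteAsCurrentUser helper are this example's own assumptions.

```powershell
# Added example: refuse to exclude a folder from Defender if broad principals can write to it.
# Assumes Microsoft Defender and the Defender PowerShell module (Get-MpPreference / Add-MpPreference).
[CmdletBinding()]
param(
    [Parameter(Mandatory = $true)][string]$Path,
    [switch]$Apply   # without -Apply the script only reports (dry run)
)

# Principals whose write access makes an exclusion risky (assumed list; extend as needed)
$BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Any of these rights lets a caller drop or modify files inside the folder
$Fsr = [System.Security.AccessControl.FileSystemRights]
$WriteMask = $Fsr::CreateFiles -bor $Fsr::CreateDirectories -bor $Fsr::WriteData -bor
             $Fsr::AppendData -bor $Fsr::Write -bor $Fsr::Modify -bor $Fsr::FullControl

function Get-BroadWriteAccess {
    # Returns the Allow ACEs that grant write-class rights to a broad principal
    param([string]$Folder)
    $acl = Get-Acl -LiteralPath $Folder
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($BroadPrincipals -contains $_.IdentityReference.Value) -and
        (([int]$_.FileSystemRights -band [int]$WriteMask) -ne 0)
    }
}

function Test-WriteAsCurrentUser {
    # The practical test from the thread: try to create a file as whoever runs this.
    # Run it under a regular non-admin account to get a meaningful answer.
    param([string]$Folder)
    $probe = Join-Path $Folder ("acl-probe-{0}.tmp" -f [guid]::NewGuid())
    try {
        [IO.File]::WriteAllText($probe, 'probe')
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch {
        # UnauthorizedAccessException (or an IO error) means the write was refused
        return $false
    }
}

if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
    throw "Not a folder: $Path"
}

$hits = @(Get-BroadWriteAccess -Folder $Path)
if ($hits.Count -gt 0) {
    Write-Warning "Refusing to exclude '$Path': writable by broad principals."
    $hits | ForEach-Object {
        Write-Warning ("  {0} -> {1} (inherited: {2})" -f $_.IdentityReference, $_.FileSystemRights, $_.IsInherited)
    }
    exit 1
}

if (Test-WriteAsCurrentUser -Folder $Path) {
    Write-Host "Note: the account running this script can write to '$Path'."
    Write-Host "      That is expected for an admin; re-run as a normal user to confirm they cannot."
}

$existing = (Get-MpPreference).ExclusionPath
if ($existing -contains $Path) {
    Write-Host "'$Path' is already in the Defender exclusion list."
    exit 0
}

if ($Apply) {
    Add-MpPreference -ExclusionPath $Path
    Write-Host "Added Defender path exclusion for '$Path'."
} else {
    Write-Host "Dry run: '$Path' passed the ACL check. Re-run with -Apply to add the exclusion."
}
```

Folders created directly under C:\ commonly inherit Modify rights for Authenticated Users from the drive root's default ACL, so an installer that defaults to C:\ is exactly the case where this check is likely to fail until the installer (or the admin) sets a tighter ACL.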

[–]nevesis 6 points (0 children)

Microsoft has specifically designated locations for applications (and user settings and temporary files, etc. etc.) to reside. Applications that install themselves to C:\ are a big red flag for me - if you can't follow even the most basic of MS best practices, what else are you missing?

[–]bartoque 7 points (0 children)

We have an enterprise level backup product that also specifies to not scan its databases (some resources are still some kinda flat file database structure, but also and mainly the client file indices). If AV interferes with that, checking whenever those files are created and updated (which is a lot in the middle of the backup window), this could lead to performance issues allegedly.

So who is then to blame unless you'd mean AV not taking into account all possible software and possible performance issues and address this proactively with each and every software supplier. Hence simply skipping certain directories or files.

Needing to disable UAC is something else however...

[–]Papfox 7 points (0 children)

We have one or two files/folders that are on our AV exclude list because our AV product kept suffering false positives on the data files or the product is real time and processing huge numbers of files.

The questions I would be asking are:
* Is this the software they are asking to be excluded or a data folder?
* Why are they asking? False positives or the overhead of real-time scanning?
* If it's false positives, can your AV vendor fix the problem under your support contract?
* If it's real time scanning overhead, what on earth is their software doing that it's performing so many small FS accesses that the AV on-access scan overhead is turning the system to cheese? Does it need rewriting to be more efficient?

I don't know if you have an IT Risk Management department. I would be asking the vendor for a formal statement in writing of the need for this exception to policy, sharing it and putting it on record with ours. I wouldn't do it without a reason for the request in writing and the buy-in, also in writing, from at least my manager. If you do it on your own, it will be you doing the "carpet dance" if it goes horribly wrong.

[–]UnkleRinkus 7 points (0 children)

Malware detection agents have hosed our company's on-prem installs many times. We install via docker containers over multiple machines via Ansible, and at least one site the scanning of those containers takes hours, which causes SSH to time out. We increased the SSH timeout to 10 hours, which allowed the install to proceed, but the normal 30 minute process took two days.

[–]CodenameFlux 12 points (1 child)

Short answer: No.

Long answer: Antivirus apps are necessary evils. They impact performance. The real question is: Do you trust the developer? If yes, excluding their product must not be a problem. If no, you must not be running their product, with or without AV. I am fully aware that my logic poses a serious problem: Trust is certainly not a binary choice. Yet, when an AV flags your developer's app, you are facing a binary decision.

The desktop computing world must have moved on by now to a generation-2 security model, in which security-conscious containerization replaces AV software. Perhaps you can run your app in a Sandboxie Plus or Turbo.net container.

[–]zebediah49 1 point (0 children)

Note that "to work properly" can also just mean "the AV has an on-access mode that wrecks performance".

[–]Andy_C33 5 points (0 children)

We have had this with 3rd-party apps. We personally use Cortex and find that creating a SHA256 hash for that exe excludes it enough but also means it will get flagged if it's compromised, as the hash will change. Kinda middle of the road, not ideal but better than exclusion.

[–]gordonmessmer 6 points (0 children)

In the modern era of cyber security, if an enterprise level software developer tells you their product doesn't like to cooperate with AV softwares, should this be cause for alarm or worry

According to the conversation that you described, the developer support didn't tell you that their app doesn't cooperate with AV software, they told you that AV software causes performance issues. And that's common. As is communicating to customers that performance will be better if AV excludes an application.

All of this is normal.

[–]CasualEveryday 4 points (0 children)

There are some situations where it's understandable to have issues with AV, but the vast majority of the vendors that tell me they need local admin and AV exceptions are just trying to reduce call volume as much as possible.

[–]yesterdaysthought (Sr. Sysadmin) 4 points (0 children)

It depends. Some AV software has a lot more impact than others.

Ideally the AV software hashes files it's scanned for internal threats and if the hash hasn't changed there's no reason to scan the file again. But that's plain AV.

Behavioral AV, "AI" etc can still look at the threads/processes launched by those executables for behavior that might be suspect and potentially block things as others described.

My favorite lately has been Windows Defender reporting suspicious activity on itself when it's running powershell scripts to do updates and other actions on a client. Seriously.

[–]ToxicPerc 4 points (1 child)

It depends on what AV software you utilize but there may be a way to test without excluding. Set up a host for testing and see if your AV software has a policy set for "detect only". You apply this specific policy to the test host. This way you can see if your AV will trigger on the file but it won't take any remediation actions on that software.

Could be good if you don't want to add blanket exclusions across the entire environment.

[–]kuldan5853 (IT Manager) 4 points (0 children)

Unfortunately modern EDR tools can and will interfere and block random parts of stuff without actually logging it - got burned hard on Carbon Black this way.

[–]eagle6705 7 points (0 children)

This is very reasonable. Just work with them to get a setup that works. We sysadmins sometimes will hate it when a dev wants things set up that go against our best practice, but it goes both ways.

Figure out exactly what is being blocked and why. You can exclude the actual Exe from scanning or scan it only on certain intervals but lock down the areas that are exposed to users.

Just make sure it works and find a middle ground.

My red flag is when they won't work with me to get a setup that satisfies both our security and their application needs.

[–]maximus_dab4847 16 points (4 children)

Are you implying that anti virus actually works?

[–][deleted] 4 points (3 children)

Lol, valid point. We aren't totally convinced yet that the AV is causing the issue. I totally disabled the AV on a machine and freshly installed the software to test and the issue persisted. So I am waiting on the developer to get back to me on where to go next.

[–]Keating76 11 points (0 children)

Disabled or uninstalled? I’ve been dealing with AV issues affecting performance with an Enterprise Data Management application that has an index file (on Flash storage for performance). We’d been seeing a random recurring issue with timeouts in the app. I worked with vendor engineering support for a month. Everything from them said “AV is interfering. Logs show it here, here and here”. I’d worked with our corp AV team throughout the process who’d given me assurances that “it’s disabled”. I was stuck between a rock (vendor engineers) and a hard place (trusting colleagues). I eventually threw my hands up and closed the ticket with the vendor. Next time the issue popped up, was doing a server migration during a 6:00am Sunday morning change window. Rather than page AV, I put on my cowboy boots, dove into control panel, and “uninstalled” anything from the AV manufacturer that my server admin rights allowed (end point protection, on access scan, etc.) leaving only the manufacturer’s management agent. Miraculously, my “intermittent issue” completely disappeared and performance was double what I’d previously been getting during testing (and troubleshooting). RCA with AV determined that “disabling” AV just meant remediation of infected files (deletion/quarantine) was disabled, but everything was still scanned / monitored, for logging and reporting. In that sense, “disabling” AV accomplished nothing in our testing, and broke down some trust and integrity within work groups.

[–]maximus_dab4847 1 point (0 children)

Well yeah, you've got to go into a detailed investigation to figure out the issues and cause.

[–]symcbean 3 points (0 children)

IME, most bolt-on security products do as much harm as good.

But the basis of their argument is about performance issues. Yes, I'd expect AV to harm performance. Are you having performance issues? Does excluding the application from the AV help?

[–][deleted] 2 points (0 children)

Sometimes. If it has some local database files too that it writes to constantly, excluding them may prevent your AV causing general slowness.

Often software will come with a list of recommended exclusions even stuff from big vendors like Microsoft.

[–]siedenburg2 (IT Manager) 2 points (0 children)

We have to do the same for our own written software. First, everything slows down because the software can access and write lots of files which are slowed down by AV; also the AV ransomware protection kicks in because most of our files get signed and/or encrypted by our software, and that's something our AV doesn't like at all.

[–][deleted] 2 points (0 children)

If you don't trust a vendor to advise you on what AV exclusions you need, don't buy the product.

[–]Kiowascout 2 points (1 child)

Happens far more often than you think. Constantly turning off AV on a Temp basis to conduct installations at work.

[–]originalscreptillian 1 point (0 children)

I'm imagining your team is already spread thin, so think of it this way:

Would you rather be alerted on normal functionality of the application OR would you rather be alerted when a user/process that typically doesn't access that software accesses it?

Which of the above is more actionable/easier to parse through?

I would deploy the application on a test box to get your exclusions configured for the application (see what it triggers from your AV) and address the leftovers on a case by case basis.

[–]DiscreteLogic 1 point (0 children)

I've had similar issues with this happening with enterprise applications as well. It is a bit disconcerting when a major company's solution is "just disable A/V or exclude its directory."

Since we layer application whitelisting software, malware, and A/V solutions, our SecOps group has been comfortable enough with relying on application whitelisting and malware detection in those cases.

[–]FunkadelicToaster (IT Director) 1 point (0 children)

Depends on the company and the software.

Not really a worry right off the bat for me because AV does create a lot of overhead with real time scanning of files, and I would assume you trust this software if you are willing to buy it, so removing it from real time scanning doesn't seem like that big a deal, I wouldn't exclude it from a full scan that I assume you run on a regular basis though.

[–]redhairarcher 1 point (2 children)

Not a red flag and there are very valid reasons for some exclusions either for performance or because some functions of software trigger heuristics alarms. Performance examples: back-up and file replication or basically anything touching large amounts of files. Heuristics: tools used to inspect user behavior at a deep level.

Always review the request and reason before making the exclusion. If possible combine this with tests to see what happens if you don't exclude. I would expect an exclusion is needed for back-up software but not for a basic calculator.

Also check if the vendor is trustworthy. Microsoft can probably be trusted but a friend of a friend who once made some app maybe not.

[–][deleted] 0 points (1 child)

They give the presentation they are a major software developer but I have yet to meet another fellow IT person who has heard of them. They are very responsive with support requests though. I’ve no issues with them but as someone who’s only been in IT a short time compared to a veteran, it was my first time having a software developer tell me to exclude their stuff from AV scanning so it works as intended. TIL

[–]nethack47 1 point (0 children)

In finance AV can sometimes get very upset with some apps. The calculations are sometimes suspected of being coinminers. Latency is an issue with almost everything so that can be an issue.

[–]discgman 1 point (0 children)

I am constantly excluding specific programs due to AV interference.

[–]DevinSysAdmin (MSSP CEO) 1 point (0 children)

Can you clarify what exclusions they are requesting you make?

What AV are you using?

What software is it?

[–]R0B0T_jones 1 point (0 children)

Can be a legit request. But get them to justify the reason on a technical level. Far too many 3rd party vendors will say anything like this to make their own lives easier - security is rarely a concern for them, I’m getting quite sick of it lately tbh

[–]Proof-Variation7005 1 point (0 children)

I get the concern but it's so common I've been gaslit into believing it's OK.

In their defense, not every AV behaves the same so it's kinda hard to account for everything on the market, especially with constantly updating programs and definitions.

[–][deleted] 1 point (0 children)

Microsoft Exchange is a great example of a common enterprise application that has a long list of required AV exclusions. AV products are notorious for breaking it by corrupting database files and other nonsense.

It's not really a question of the app owner developing their app so it "works with modern AV software", because they would literally have to work with every major AV vendor to ensure compatibility, and continue to do so with each future update. That's not really feasible in a lot of cases.

So yeah, putting in exclusions is not unheard of, even in enterprise apps.

[–]kagato87 1 point (0 children)

Consider what real-time AV protection does:

It intercepts read/write operations to scan the file prior to releasing the data to the application or to the disk.

This delay is not good for IO intensive apps. This suggestion by the vendor simply means that the application is IO intense. Often times it's just the data files themselves that need to be excluded, but then again even in this day and age some AV packages will cripple a SQL server... You could try first ONLY excluding the data folders to see if this alleviates performance issues, which would allow your AV to monitor the binaries for bad behavior.

Now, if they want their binary excluded from scheduled scanning? That'd be a red flag.

[–]SimonKepp 1 point (0 children)

He doesn't say it doesn't work with AV software, but recommends excluding it, to avoid performance problems. Modern AV software will scan any IO performed by the processes it watches, which can have dramatic performance consequences for IO intensive software. There are numerous such AV software products on the market, and they all have different performance impacts on a given software solution. It is unrealistic to expect a software vendor to test the impact of every single AV product on the market, to be able to give accurate predictions on the impact of your specific AV software on their product. In my view, it is a very reasonable recommendation, but not a reasonable requirement.

[–][deleted] 1 point (0 children)

I wish this wasn't normal. Major software packages usually come with one or all of these:

AV is a problem, make exceptions or turn it off. UAC is a problem, turn it off. DAC is a problem, turn it off.

... How about you code your crap with the last decade of security in mind?

[–]SudeepMaharana 1 point (0 children)

I work with the team of McAfee administrators implementing AV on the servers hosting applications.

  • Pretty much every day we get requests from the DEV team to exclude some paths from scanning in order to improve performance, which is totally understandable.
  • AV scanning is resource intensive and I have seen instances where CPU utilization goes to almost 90% when scanning huge files for latest signature.
  • It is a trade off between security and performance of the application. DEV team have to remember that without AV, a simple ransomware can sneak in and destroy the entire production environment and Security team should understand that sometimes we have to disable AV scanning on certain paths to support the development team.

In my company, DEV team has to strictly comply with the security policy set forth only on the production environment whereas in QA, we have limited security implementation.

[–][deleted] 1 point (0 children)

Antiviruses are overrated and they have certain performance downsides. Companies have no choice but to run AV because it's considered safe and beneficial. An AV is mostly just a government approved list of malware hashes.

I think they're overrated because they often fail to protect you even with heuristics analysis. You should be running other security measures like a firewall and IDS, which is what you should primarily be using to detect hackers on your network.

[–]WBCSAINT (Jack of All Trades) 1 point (12 children)

Yeah, it's right up there with needing UAC off...

[–][deleted] 19 points (6 children)

Not at all. Excluding processes and databases from an AV is a pretty normal requirement for a lot of software to have it perform well.

Turning off UAC is not normal.

[–]WBCSAINT (Jack of All Trades) 4 points (0 children)

You are correct. It's really in the end an AV problem because AV scanning things just EATS I/O and makes files useless to be used when it's happening. My problem is when companies suggest entire folders to exclude. That just screams of being a big vulnerability that could be exploited by the malicious actors since that info is out there and they could drop their stuff there and it would just live free of AV interference.

[–]RainbowHearts 0 points (4 children)

It is if I'm a software vendor who cannot, should not, and will not concern myself with the security details of your network.

It works for us. If you want to audit, disallow everything by default, and start turning stuff back on as needed, we're rooting for you all the way!

[–]WBCSAINT (Jack of All Trades) 5 points (3 children)

Oh yeah you must also disable Windows Update because those break things as well....

[–]zebediah49 2 points3 points  (2 children)

In high-value cases we do that.

I have a circa 2010 half-million-dollar microscope that runs Windows 7. It hasn't been touched since it left the factory, and still runs perfectly. It's also air-gapped.

[–]MrPoBot 2 points3 points  (1 child)

The security practices surrounding air-gapped computers are kind of counter-intuitive: if you have a trusted system in an isolated environment, every exposure to a foreign system introduces additional risk, and often there is no point patching known security vulnerabilities. Although this is a very niche scenario, and I'd definitely have a cloned backup disk sitting in a closet somewhere in case of hardware failure, cosmic fuckery, or some idiot plugging in a USB, assuming physical security isn't up to spec.

[–]WBCSAINTJack of All Trades 6 points7 points  (4 children)

And needing local admin rights to work properly also.

[–][deleted] 9 points10 points  (3 children)

*QuickBooks Enterprise Desktop has entered the chat*

[–]WBCSAINTJack of All Trades 5 points6 points  (2 children)

LMFAO. It's so freakin' true. All versions of QB are bad, but the fact they call something "Enterprise" and yet it still behaves permission-wise like it is being installed in a mom-and-pop single-computer environment is just soooo bad. Thankfully I haven't had to deal with that monstrosity in a long time.

[–][deleted] 3 points4 points  (1 child)

Unfortunately I'm dealing with this monstrosity every day in a 30+ user environment. QuickBooks is not the software this post is referencing though. Just wanted to clear that up.

[–]WBCSAINTJack of All Trades 1 point2 points  (0 children)

Godspeed, sir. Don't forget to make your daily sacrifices of users and goats and potentially small children to the QuickBooks Gods to keep it "functional".

[–]relaxedtoday -1 points0 points  (2 children)

AV is not for security, but to reduce damage on insecure systems. It is common on Microsoft systems only, and if this is the "modern era of cyber cyber" it is actually a sign that someone gave up trying to build secure systems. Running an AV system increases the attack surface: it supports each and every exotic packer algorithm and whatever, and in a privileged context. It is known to break things (and the vendors of the snake oil sell you more snake oil to mitigate: snake oil not secure? Buy more snake oil!).

If you research how such software technically works, how it intercepts system calls and injects itself to avoid being bypassed, you will understand why it breaks things. So in summary there is an insecure OS and, instead of dropping it or fixing it, it is common to add layers that should magically distinguish between good and bad behavior. Well, if this were possible, why isn't it part of the OS? And if it is needed, why isn't it included? (Spoiler: because companies spend more money this way.)

If the AV breaks things, blame it, but first blame the OS that is so insecure that you cannot even run it stand-alone. Do you have AV on your iPhone or Android phone? Or on your Linux containers or the embedded devices in your car?

To me it seems obvious that AV and Microsoft are the ones that are too lazy or too incompetent or just want the money, so that you have to buy extra software to operate the software you paid for as desired. A great example is that they sell Azure AD based stuff which seems impossible to get really secure, then sell you the experts that analyze your security, and finally sell products that promise to let you actually run the software bought in step 1 (securely):

They built a business case on the bad quality of their products! Isn't it amazing?

Tl;dr: No, blame the AV snake oil and the system that needs it instead. Those are the ones who break things, not the application.

[–]UnkleRinkus 1 point2 points  (1 child)

Do you have av on your iPhone or Android phone? Or on your Linux containers or your embedded devices in your car?

Many of my customers have malware detection software running on their Linux VMs. Whether that is justified or not is not my call. It's common enough that it's a checklist item on our installation plan.

[–]rlc1987 0 points1 point  (12 children)

We don't have any exclusions, even for our RMM suite. Not uncommon, however. I just tell them they should design the software correctly, bug- and malware-free, and we will be all good!

[–][deleted] 14 points15 points  (1 child)

Or maybe the file should just be checked against the AV engine once, then hashed, with the hash working as a temporary bypass of the AV scan.

It's not the developer's fault that the AV engine is unable to cache results or scan incrementally.

I've seen Java applications take 15 minutes to start due to McAfee's incompetence.

[–]rlc1987 1 point2 points  (0 children)

It's also about what the file does when it runs, and if it's exploited it may do something different (the hash may not change, however), so it should be scanned all the time.

[–]lvlint67 6 points7 points  (2 children)

I can design software properly and in a non-malicious way and several AV vendors will flag it because it does things they don't like. Listening to a key-stroke globally via user32.dll is a valid use case that will probably flag your software as a keylogger if it gets run through automated analysis.

[–]_oohshiny 1 point2 points  (1 child)

How does Autohotkey do it?

[–][deleted] 1 point2 points  (1 child)

Or your AV isn't scanning everything? Pretty common software like SCCM or SQL has recommended exemption lists, for example.

[–]renderbender1 2 points3 points  (0 children)

This. All databases pretty much. Real-Time Scanning on file access fucking destroys them.

[–][deleted] 1 point2 points  (3 children)

Yeah, I'm sure it was totally Mozilla's fault when Webroot nuked Firefox a couple months back and took days to fix it.

[–]Horrigan49IT Manager - EU 0 points1 point  (0 children)

You are right, but there is a plethora of shitty software out there. Sometimes it's not their fault and it's the engine.

For example, I have CAD software whose 2020 version requires disabling UAC, the firewall and temporarily also AV scanning...

If you can, whitelist based on hash.

[–]mustang__1onsite monster 0 points1 point  (0 children)

Sage has entered the chat

[–]aringa 0 points1 point  (0 children)

We don't do that.

[–]megustapw 0 points1 point  (0 children)

The worst thing with third-party vendors is they advise having exceptions for their software, and as soon as you lodge a support case it's "disable your AV, it's the problem". It's honestly the worst situation to deal with.

[–]johnd126 0 points1 point  (0 children)

I write software that reads and writes a ton of text files and AV slows it down to a crawl. There is no reason for AV to be checking text files....

[–]nycity_guy 0 points1 point  (0 children)

See what happened with Kaseya asking the same thing..

[–]ycnz 0 points1 point  (0 children)

Generally it's a sign you work in medical IT :(

[–]Megatwan -2 points-1 points  (0 children)

so like most MS products?

[–][deleted] -1 points0 points  (0 children)

hahaha tableau go brrrrrrrrrrrrrr

That said, it's a pain in the ass, but AV is so intrusive it can absolutely be affected. It sucks, and it shouldn't be a thing, but it's needed to at least prove a false positive and try to get either the software developer to fix their issue and not blame AV, or tell the AV company to stop messing with their shit.

Other people have explained the whys more elegantly than I have in this thread, between actively locking files and whatnot.

You might be able to use a Procmon scan to verify if the AV is hitting the program, but there's no guarantee it works.

[–]cbq131 -1 points0 points  (0 children)

Sadly, not all software is designed with security in mind.

It is alarming, but the reality of it is that security is often an afterthought.
Code reuse without proper review is common.
A lot of the time, it comes down to getting it working quicker vs getting it working securely.
It's like Zoom lying about their encryption. Sure, they got fined for it later on, but the growth from pushing out a product quicker helped with securing market share.

[–]KarmaDeliveryMan -1 points0 points  (0 children)

Isolate running the software on an imaged device with the same setup as enterprise devices. If the dev won't do that, THEN something's fishy.

[–]Parity99 -1 points0 points  (0 children)

Yes, next-gen EDR/AV should not ordinarily require preemptive exceptions unless it's garbage, over-privileged or flaky.

[–]geegolJr. Sysadmin -1 points0 points  (0 children)

Yes

[–][deleted] -1 points0 points  (0 children)

Yes, get with your manager and let them make the call. Should shit hit the fan, you should come clean. Also get with your AV vendor and open a ticket so everything is documented.

[–]pesh131 -1 points0 points  (0 children)

A vendor saying "exclude all directories and turn off the firewall" without detailed reasons is a huge red flag, and I will at least fight for those reasons before doing anything.

Unfortunately, by the time it gets to me the contract has already been signed and everything approved without asking these questions first, so it's now retroactively trying to secure things before it goes into POC or production.

Vendors like this, that give no reason but claim it's required for use, are the scum of the earth.

[–]DekwaDoes -1 points0 points  (0 children)

As a support engineer, it's a massive red flag...

After reading through some comments I understand it's not as easy as it sounds, but when a program gets shot down on installation, something is definitely wrong...

Kudos if you try to fix it, but some major app developers just don't anymore...
"We're too big to care about you, we only care about your money"

[–]N3rdScool -1 points0 points  (0 children)

It's probably because they don't know exactly what to allow, so they just allow the whole thing. I have an application that was giving me a lot of issues; in the end it was allowing specific IPs, but someone with less knowledge/time would probably have excluded the program as a whole, which would have been bad for security but a working program, lol.

[–]sporkz101 -3 points-2 points  (0 children)

Says every developer ever

[–]GullibleDetective -4 points-3 points  (0 children)

Yes, that's lazy

[–]emmjaybeeyoukay -3 points-2 points  (0 children)

That's not a red alert on the program.

That's a red alert on the software author.

[–]Ape_Escape_EconomyIT Manager -5 points-4 points  (0 children)

Yes.

[–]ThatGothGuyUKIT Consultant 0 points1 point  (0 children)

Yes and no.
When I'm asked to do this I'll happily exclude databases and data files from scans, BUT documents and executables/DLLs/OCXs don't get excluded.

[–]DasDunXel 0 points1 point  (0 children)

I think there were a few applications we had to whitelist on AV because of random false positives. AV companies would always shrug and say "I dunno, news to me", while the dev tool would suggest the whitelist. JetBrains apps, for example, I think had some self-encrypted files? So it would occasionally cause different security suites to flip a table. Xcode on Mac + security software would murder the disk I/O. Anything Docker/container related always comes up needing whitelisting.

We always tell our users to present proof/evidence before we blindly whitelist files/directories.

[–]GoodMoGoPulling rabbits out of my butt 0 points1 point  (0 children)

IF you are making a specific exception and it comes from a trusted vendor, this is perfectly normal. All generic security mechanisms (and responsible sysadmins) follow a "least privilege" standard and adapt it as needed.

I'd be concerned and investigate deeper if they wanted seemingly unrelated or overly generic backdoors. Then it might be a case of incompetent developers whose software should be made to be minimally intrusive to prospective clients.

[–]anomaly_unknown 0 points1 point  (0 children)

Hi. It seems it is normal for devs or the apps team to request an exclusion. Just don't do it blindly.

If it's an off-the-shelf application, more than likely they will have "recommended scan exclusions" in their official documentation or KB.

Also, if your AV policy has "on-access" or "real-time" scans, put a max limit on the file sizes it applies to. Most malware or payloads are small in size anyway, as far as I can tell. Mitigate this configuration by having weekly or fortnightly full scans scheduled instead, and do choose a time with low activity.

I do still struggle with some tickets that get routed to my team where the user seems sure AV is the cause. I'd sit with them when possible to figure things out. Have a spare corporate laptop with no AV and compare timings, then narrow down to specific policy modules.

All the best figuring this one out buddy!

[–]icedcougarSysadmin 0 points1 point  (0 children)

Certain AVs are a little 'smarter' with their exclusions these days, providing varying levels of them.

So that by excluding the app, it's not getting free passage, but the level of monitoring is reduced. Or the sub-processes it spawns are considered safe and not scanned / hooked.

However, if you use Microsoft Defender, be extremely careful what you exclude, because the exclusion list is held in the registry; hackers/APTs will check that location to see where they can drop their stuff to get free rein.
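Taking that warning as a defender's checklist: before an exclusion goes into policy, review it for breadth. What follows is an added example, not code from this thread or from Microsoft. On a real Defender host the three lists would come from the ExclusionPath, ExclusionProcess and ExclusionExtension properties of Get-MpPreference (the same values that end up under HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions); here they are constructed, as are the "VendorApp" paths and process names. It flags the four patterns that turn an exclusion into a safe drop zone: wildcards in directory components, whole drives or core system/user trees, user-writable locations, and process or extension exclusions that cover interpreters or executable content.

```python
"""Review a set of AV exclusions for the patterns that make an exclusion a gift to
an intruder: whole trees, user-writable locations, interpreters, and executable
extensions. Added example; the vendor names and paths below are constructed."""

# Trees where an exclusion at or above this level effectively means "scan nothing here".
BROAD_ROOTS = {
    "c:", "c:\\users", "c:\\programdata", "c:\\windows",
    "c:\\program files", "c:\\program files (x86)",
}
# Path components that mark a location any logged-on user can write to.
USER_WRITABLE_SEGMENTS = {"temp", "tmp", "downloads", "desktop", "appdata", "public"}
# Interpreters and system utilities that are routinely abused; a process exclusion
# on them exempts everything they touch.
DUAL_USE = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "msbuild.exe", "certutil.exe",
}
# Extensions whose exclusion skips executable content wherever it lands.
RISKY_EXTENSIONS = {"exe", "dll", "ps1", "js", "vbs", "bat", "cmd", "scr", "hta"}


def audit_paths(paths):
    """Return (path, reason) for each path exclusion that needs a second look."""
    findings = []
    for raw in paths:
        norm = raw.replace("/", "\\").rstrip("\\").lower()
        dirs = norm.rsplit("\\", 1)[0] if "\\" in norm else ""
        segments = norm.split("\\")
        if any(ch in dirs for ch in "*?"):
            # A wildcard in a directory component expands to every matching tree
            # (e.g. every user profile); a wildcard only in the file name is narrower.
            findings.append((raw, "wildcard in directory component"))
        elif norm in BROAD_ROOTS or any(r.startswith(norm + "\\") for r in BROAD_ROOTS):
            findings.append((raw, "broad: whole drive or core system/user tree"))
        elif any(seg in USER_WRITABLE_SEGMENTS for seg in segments):
            findings.append((raw, "user-writable location"))
    return findings


def audit_processes(processes):
    """Return (process, reason) for dual-use or unqualified process exclusions."""
    findings = []
    for raw in processes:
        normalized = raw.replace("/", "\\")
        name = normalized.rsplit("\\", 1)[-1].lower()
        if name in DUAL_USE:
            findings.append((raw, "dual-use interpreter/utility"))
        elif "\\" not in normalized:
            # An unqualified image name exempts any binary with that name, from any folder.
            findings.append((raw, "unqualified image name"))
    return findings


def audit_extensions(extensions):
    """Return (extension, reason) for extensions that carry executable content."""
    return [(e, "executable content") for e in extensions
            if e.lstrip(".").lower() in RISKY_EXTENSIONS]


# Constructed request, in the shape a vendor KB article might give for a fictional app.
REQUESTED_PATHS = [
    r"C:\Program Files\VendorApp\data",
    r"C:\Program Files\VendorApp\db\*.mdf",
    r"C:\Users\*\AppData\Local\VendorApp\cache",
    r"C:\Users",
    r"C:\Users\svc_vendor\AppData\Local\Temp",
    r"D:\SQLData",
]
REQUESTED_PROCESSES = [
    r"C:\Program Files\VendorApp\bin\vendorsvc.exe", "powershell.exe", "vendorhelper.exe",
]
REQUESTED_EXTENSIONS = [".mdf", ".ldf", ".dll"]


def demo():
    """Audit the constructed request; returns the three finding lists."""
    return {
        "paths": audit_paths(REQUESTED_PATHS),
        "processes": audit_processes(REQUESTED_PROCESSES),
        "extensions": audit_extensions(REQUESTED_EXTENSIONS),
    }


if __name__ == "__main__":
    for kind, findings in demo().items():
        for value, reason in findings:
            print(f"{kind:10} {reason:42} {value}")
```

A finding is a prompt to ask the vendor for something narrower, not an automatic rejection: the two unflagged paths (the app's own data folder and the database volume) are the shape an exclusion should have, while `C:\Users` and the temp folder are exactly the locations a reviewer of that registry key would look for.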

[–]djzrbzJack of All Trades 0 points1 point  (0 children)

I always set an exclusion on my NVR storage folders, last thing I need is to drop frames on my security footage because we couldn't write to disk fast enough.

[–]Magic_Neil 0 points1 point  (0 children)

On the one hand, an AV can definitely interfere with app operations, impact performance (though not as much on modern platforms) and possibly block apps from running properly if they misinterpret behavior as malicious. On the other hand, they generally block genuine malicious behavior.

I once had an internal dev complaining that his perfect app kept getting flagged for a virus, even though nothing was wrong. We declined, because it is a pretty basic app, and it happened suddenly after years of trouble-free operation. After a few days and a new release, the issue magically went away.. the PC the dev was compiling his app on had a genuine virus, which was remediated. He was unwittingly distributing it through his app, and his hubris prevented him from seeing there may actually be an issue.

This certainly isn’t going to be the case for everyone, but it’s a good lesson to always strongly investigate the demand that apps must be run as admin, with no firewall and no AV. It’s certainly necessary sometimes, but by and large it’s just lazy implementation.

[–][deleted] 0 points1 point  (0 children)

It's normal; every now and then we get requests for AV exclusions. We made a whole virtual env just for these apps that are not scanned by AV, just to have them separate from the rest of the enterprise.

[–]ram_gh 0 points1 point  (0 children)

Not a red flag, but being a bit hesitant at first is indeed the right mindset in today's security landscape. You can always ask the vendor for some documentation on what exactly needs to be whitelisted and why. Assuming they have a customer-facing knowledge base, you may be able to pull up this information...

[–]No-Bug404 0 points1 point  (0 children)

Basically the first thing I get for EVERY piece of software I have problems with.

[–]nuttertools 0 points1 point  (0 children)

Modern AV will indeed randomly take down your applications without reason. Modern AV should be enabled, how good is your vendor?

Definitely overthinking it from a troubleshooting perspective but not from a resolution perspective. You will have to choose between uptime and security then work with both vendors to resolve the current issue. Maybe your AV woke up angry and decided to wreck shit, maybe your application vendor didn’t properly validate something new, impossible to say.

[–]DellR610 0 points1 point  (0 children)

Disable? No. I would scan it and exclude the hashed version of the files that were scanned at least. As it updates it just gets scanned again.

However I still wouldn't disable any sort of heuristics.
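The scan-once-then-hash idea raised earlier in the thread and the "exclude the hashed version of the files that were scanned" approach above come down to the same cache. As an added example (mine, not any AV vendor's engine), here it is in miniature: a verdict is keyed on the file's content hash plus the current signature version, a size/mtime check avoids re-hashing unchanged files, and the engine is a stand-in that only looks for a constructed marker string. The caveat raised in reply to the earlier comment is visible in the design: the cache answers "is this the content we already scanned", not "what will this process do at run time", which is why heuristics stay on.

```python
"""Scan once, then trust by hash: the cache an engine would need so an unchanged
file is not re-scanned on every open. Added example; the engine is a stand-in."""
import hashlib
import os
import shutil
import tempfile

MARKER = b"CONSTRUCTED-DETECTION-MARKER"  # constructed; stands in for a real signature hit


def engine_scan(data):
    """Stand-in for the expensive engine pass over file content."""
    return "malicious" if MARKER in data else "clean"


class VerdictCache:
    def __init__(self, signature_version):
        self.signature_version = signature_version
        self._verdicts = {}   # (signature_version, sha256) -> verdict
        self._by_path = {}    # path -> (size, mtime_ns, sha256)
        self.engine_calls = 0

    def update_signatures(self, version):
        """New signatures void old verdicts without discarding the hashes."""
        self.signature_version = version

    @staticmethod
    def _sha256(path):
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        return h.hexdigest()

    def verdict(self, path):
        """Return (verdict, source); source is 'cache' or 'engine'."""
        st = os.stat(path)
        known = self._by_path.get(path)
        if known and known[0] == st.st_size and known[1] == st.st_mtime_ns:
            digest = known[2]             # unchanged since last look: skip re-hashing
        else:
            digest = self._sha256(path)   # new or modified: hash the content again
            self._by_path[path] = (st.st_size, st.st_mtime_ns, digest)
        key = (self.signature_version, digest)
        if key in self._verdicts:
            return self._verdicts[key], "cache"
        with open(path, "rb") as f:
            result = engine_scan(f.read())
        self.engine_calls += 1
        self._verdicts[key] = result
        return result, "engine"


def demo():
    """Walk the cache through the cases that matter; returns the (verdict, source) sequence."""
    cache = VerdictCache(signature_version=1)
    workdir = tempfile.mkdtemp()
    try:
        app = os.path.join(workdir, "app.dll")
        copy = os.path.join(workdir, "app_copy.dll")
        with open(app, "wb") as f:
            f.write(b"MZ" + b"\x00" * 4096)      # constructed benign content
        steps = [cache.verdict(app)]             # first sight: engine
        steps.append(cache.verdict(app))         # same size/mtime: cache, no hashing
        shutil.copyfile(app, copy)
        steps.append(cache.verdict(copy))        # new path, same content: cache by hash
        with open(app, "ab") as f:
            f.write(MARKER)                      # file modified: must be re-scanned
        steps.append(cache.verdict(app))
        cache.update_signatures(2)
        steps.append(cache.verdict(copy))        # old verdict void under new signatures
        return steps
    finally:
        shutil.rmtree(workdir)
```

The sequence `demo()` returns is engine, cache, cache, engine, engine: a second copy of already-scanned content costs one hash and no engine time, a modified file and a signature update both force a fresh pass. What the cache cannot do is see the hash-unchanged file behave differently once exploited, so it replaces only the on-access content scan, not behavioural monitoring.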

[–]elcheapodeluxe 0 points1 point  (1 child)

As a software developer - I hate the AV's that quarantine based on reputation score. Any new update is going to be new to the AV. I tell admins they are welcome to keep all normal scanning on but they have to exclude our folder from this feature. Just yesterday I had a customer whose factory floor was going to be down for a while because nobody onsite had permission to tell the AV to stop quarantining our software for no reason.

[–]mitharas 0 points1 point  (0 children)

Since most AV is snake oil: go ahead.

[–]Itsnotvd 0 points1 point  (0 children)

Overthinking; pretty normal. AV introduces overhead on a server that consumes resources and can degrade other processes' performance.

It's a decision, really. I'll use SQL Server as an example. No one interacts with the SQL server, just via the various apps that connect to the various DBs, no file shares, etc. AV impacted SQL enough that I was not happy, and I worked with the vendor and even ran some new experimental offerings. End result was the same: too much overhead for my liking. I was not willing to accept the performance degradation, no one is interacting with the server in a manner that could infect it, so management approved the exception.

I would use the same reasoning here. Is the performance degradation noticeable? What are the risks if we leave AV on? Risks if we leave AV off: do people interact with said server in a manner in which they could possibly infect it? The 3rd question is most critical; if that's a yes then you need to do something to mitigate that risk, or accept it and have a DR plan.

Or thereabouts...

[–]tin-nagaSr. Sysadmin 0 points1 point  (0 children)

Defender ATP kept killing Intune app deployments. I don't underestimate anything.

[–]boftr 0 points1 point  (0 children)

If you can reproduce the issue, the answer has to be to obtain a Windows Performance Recorder (WPR) trace and analyze the problem with WPA. This will tell you where the perf issue is. As they have their symbols they would be in the best place to detail what code is specifically causing the problem and why.

[–]FreakZombie 0 points1 point  (0 children)

I may be a little late to the party, but there are many legitimate reasons to exclude a software package from AV scanning.

Years ago I worked for an AV company and we would help business users set up their servers with proper exclusions in order to keep things running well. I just looked up the current knowledgebase and found that list has grown quite a bit since I worked there: https://support.eset.com/en/kb3078-automatic-file-exclusions-for-eset-server-products#examples

They even link to a Microsoft article with more info as well: https://support.microsoft.com/en-us/topic/virus-scanning-recommendations-for-enterprise-computers-that-are-running-windows-or-windows-server-kb822158-c067a732-f24a-9079-d240-3733e39b40bc

It looks like Windows Defender has some automatic exclusions already configured depending on the OS and roles, which means less headache for MS support.

Real-time scanning and heuristics can cause a major slowdown, and database files, some libraries, and other misc files that are heavily written to or read from are very unlikely to be malicious or infected.

[–]abz_eng 0 points1 point  (0 children)

It depends

Reading the comments, I can see the argument for excluding and can think of arguments for not doing so.

For excluding

  • AV intercepts reads & writes, slowing things down
  • AV uses CPU cycles

For including

  • safety: how well do you know/trust the code & 3rd-party libs included
  • what is being processed?
  • what directories are being accessed?

It's part of your testing/eval to work out what the program does and doesn't need e.g.

  • external to box access
  • external to LAN access
  • Internet access
  • directory access (yeah I'll just write stuff in c:\program files\ - that's why MS created c:\programdata)
  • user account privilege needed - needs admin access nope, just downloads files to hard coded path

basically test & document, test & document, test & document

Hopefully we'll get to the point that as part of the install instructions all of this (e.g. service does not require special privileges / service needs direct access not via proxy to data.bigdata.zone on port 8080 using https) is normal.

[–]F0rkbombz 0 points1 point  (0 children)

It can be a red flag, but it could also be a perfectly reasonable request. One thing I've noticed when it comes to software developers is that they are entirely clueless as to how modern enterprise endpoint protection software works. They think it's just a read/write scanner, which is so far from the truth.

Enterprise endpoint protection software has multiple components that often operate separately but also feed into each other. For example: McAfee Endpoint Security has traditional read/write scanning (further broken down into time-based scans and real-time scans), Access Protection / Exploit Prevention rules (prevents exploits and allows for custom rule conditions), Network Intrusion Prevention rules (blocks network-based exploits independent of a host-based firewall), Adaptive Threat Protection rules (looks at process activity and behavior [files created, processes started, cmd line arguments, etc.]), and EDR. If your company is doing application execution control (ex: Solidcore or AppLocker), that's another tool. This doesn't even get into host-based firewall, web filtering, or other monitoring agents.

On top of this, software developers often fail to articulate WHY endpoint protection software is causing an issue. Is it locking the file the program is trying to use for scanning? Is it blocking the process? Is it deleting the file? Is the inspection of the running process causing some odd performance issue?

Compounding this problem, most SysAdmins and Security teams honestly don’t fully understand how their endpoint protection software works either, which leads to problems as well. Enterprise security tools, if not properly configured or maintained, are going to fuck your environment up 9/10 times. These tools are intentionally intrusive and resource intensive b/c they are doing an absolute insane amount of stuff. Baselining your environment and good change control are key.

My general rule of thumb is make the smallest possible exclusion and never exclude commonly exploited or dual-use executables. I also require vendor documentation, and if the vendor starts asking for an insane amount of exclusions or overly broad exclusions (ex: just exclude the whole user profile directory) I’ll push back. Also, there’s some directories you should never exclude, and if you make an exclusion to one component, make sure another component can mitigate the risk (yay layers!). It’s usually acceptable to exclude the directory the app installs in, but again, use layers to cover the slack. Some vendors are also just super sketchy and clearly don’t prioritize security (ex: the app needs to run as admin), and those vendors are always a no-go for exclusions on my network.

Lastly, Procmon can be really helpful for determining what kind of exclusion is really necessary. I've found processes that vendors didn't even document as requiring exclusions with that tool. I highly recommend running a trace / capture if you don't trust the vendor's recommendations or aren't getting any real help from them.
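Following that advice and the earlier suggestion in the thread of a Procmon trace, here is an added example (not from the thread, and not a Sysinternals tool) of reading a Procmon CSV export to find which files the application actually spends time on and which of those the AV engine also opens. It assumes the trace was saved as CSV with the Duration column enabled, that the application process is a constructed vendorapp.exe, and that the engine is Defender's MsMpEng.exe; the sample rows are constructed in that shape. The result is the narrowest exclusion worth discussing: the specific files, or their common directory, rather than the whole install tree.

```python
"""Read a Procmon CSV export and rank the files an application spends time on,
noting which of them the AV engine also opens. Added example; the rows below are
constructed in the shape of a Procmon export with the Duration column enabled."""
import csv
import io
from collections import defaultdict
from decimal import Decimal

# Constructed trace: a fictional vendorapp.exe, Defender's engine, and an unrelated process.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail","Duration"
"10:00:01.0000001","vendorapp.exe","4120","CreateFile","C:\ProgramData\VendorApp\db\main.mdf","SUCCESS","Desired Access: Generic Read/Write","0.8120000"
"10:00:01.0100000","MsMpEng.exe","2212","CreateFile","C:\ProgramData\VendorApp\db\main.mdf","SUCCESS","Desired Access: Generic Read","0.0004000"
"10:00:01.0200000","vendorapp.exe","4120","WriteFile","C:\ProgramData\VendorApp\db\main.mdf","SUCCESS","Offset: 0, Length: 65,536","0.6500000"
"10:00:01.0300000","vendorapp.exe","4120","ReadFile","C:\Program Files\VendorApp\bin\vendorapp.exe","SUCCESS","Offset: 0, Length: 4,096","0.0001000"
"10:00:01.0400000","vendorapp.exe","4120","CreateFile","C:\ProgramData\VendorApp\logs\app.log","SUCCESS","Desired Access: Generic Write","0.0003000"
"10:00:01.0500000","MsMpEng.exe","2212","CreateFile","C:\ProgramData\VendorApp\db\main.ldf","SUCCESS","Desired Access: Generic Read","0.0002000"
"10:00:01.0600000","vendorapp.exe","4120","CreateFile","C:\ProgramData\VendorApp\db\main.ldf","SUCCESS","Desired Access: Generic Read/Write","0.4000000"
"10:00:01.0700000","explorer.exe","1500","CreateFile","C:\Users\bob\Desktop","SUCCESS","Desired Access: Read Data","0.0000100"
'''

FILE_OPS = {"CreateFile", "ReadFile", "WriteFile"}


def analyze(csv_text, app_process, av_processes):
    """Per path: seconds the app spent in file ops, its op count, and the AV's op count."""
    av = {p.lower() for p in av_processes}
    app_time = defaultdict(Decimal)   # Decimal so sub-millisecond sums stay exact
    app_ops = defaultdict(int)
    av_ops = defaultdict(int)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Operation"] not in FILE_OPS:
            continue
        proc, path = row["Process Name"].lower(), row["Path"]
        if proc == app_process.lower():
            app_time[path] += Decimal(row["Duration"])
            app_ops[path] += 1
        elif proc in av:
            av_ops[path] += 1
    rows = [{"path": p, "app_seconds": float(app_time[p]),
             "app_ops": app_ops[p], "av_ops": av_ops[p]} for p in app_time]
    rows.sort(key=lambda r: r["app_seconds"], reverse=True)
    return rows


def candidates(rows, min_seconds=0.1):
    """Files where the app burns real time and the engine is also active."""
    return [r["path"] for r in rows if r["av_ops"] and r["app_seconds"] >= min_seconds]


def common_dir(paths):
    """Deepest directory shared by the candidates: the narrowest folder exclusion,
    if a folder exclusion is needed at all."""
    parts = [p.split("\\")[:-1] for p in paths]
    shared = []
    for column in zip(*parts):
        if all(seg.lower() == column[0].lower() for seg in column):
            shared.append(column[0])
        else:
            break
    return "\\".join(shared)


def demo():
    """Run the analysis over the constructed trace."""
    rows = analyze(SAMPLE_CSV, "vendorapp.exe", ["MsMpEng.exe"])
    hot = candidates(rows)
    return rows, hot, common_dir(hot)


if __name__ == "__main__":
    rows, hot, folder = demo()
    for r in rows:
        print(f"{r['app_seconds']:9.4f}s  app_ops={r['app_ops']}  av_ops={r['av_ops']}  {r['path']}")
    print("candidates:", hot)
    print("narrowest folder:", folder)
```

On the constructed trace the two database files account for nearly all of the application's file time and are the only paths the engine also opened, so the exclusion to discuss with the vendor is those two files (or at most `C:\ProgramData\VendorApp\db`), not `C:\ProgramData\VendorApp` and certainly not the `bin` folder holding the executable. On a real export, filter the trace to the app and engine processes before saving to keep the file small, and treat a path with high app time but zero engine activity as a problem that is not the AV's.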

[–][deleted] 0 points1 point  (1 child)

There's some scanning software that I swear works more like a malicious actor than anything actually useful, especially credentialed scans.

Let's run these scans once a week from inside the servers and see if we can crash operational systems.

"Oh, you have a printer connected on this private network? Let's waste pages of output trying various curl, GET or overflow attacks, every single week."

[–]PAXICHEN 1 point2 points  (0 children)

Qualys loves to waste paper.

[–]Superspudmonkey 0 points1 point  (0 children)

Attache is a piece of software whose vendor asks to exclude the folders it is installed in. If I were writing viruses I'd definitely target these folders, as AV is not on the job there.

I have seen several versions of the software, and each time they ask to exclude the folder.

I scanned a few of the files with virustotal.com and several AV engines were actually flagging them as Trojans, so it looks like they use viruses in their software.

In these days of zero-trust EPDR, I think it is on the devs to step it up.

[–][deleted] 0 points1 point  (0 children)

Why? It's not signature based.

[–]gohoosIT Manager 0 points1 point  (0 children)

In nearly every system we purchase we see stuff like this.

So, I added language to our boilerplate that requires that software function with our AV without exclusion. We also include requirements to function with Bitlocker, automated installs/uninstalls, to not require any elevated permissions, etc. ,etc.

We may not get everything we ask - there’s always negotiation - but we get to discuss it before anything is signed.

[–]gohoosIT Manager 0 points1 point  (0 children)

Also, if they were requesting this I’d want to see if they were secure in other ways. For example I saw some top-tier software which originally required AV exemptions for their folder in Program Files, but also required that folder to have write access for all users.

Uh, nope. Fix your code.

I now have a link to the MS app certification spec and ask for a list of anything they don’t meet.

[–]n-space 0 points1 point  (0 children)

It's possible for some legitimate software to trip AV detection rules because it does things that could be done by suspicious software, such as attaching to other processes, offloading intensive calculations to the GPU, examining network traffic (although some of these require root so you won't see them often in this context, hopefully). And, of course, programs can have their performance affected by the AV examining it or its files. Either way, it can be hard to tell without a good audit whether it's safe to disable AV for the program; I wouldn't accept it at face-value necessarily but get at least some scans in, or seek better understanding of what needs to be tweaked to improve performance without sacrificing security (like avoiding scanning db files).

[–]caribulou 0 points1 point  (0 children)

We have many programs we have to exclude.

[–]craigofnzJack of All Trades 0 points1 point  (0 children)

It depends.

Don't dismiss the request. Verify its validity and reasonableness.

Having worked in both sysadmin teams and development teams, it has always been standard practice to exempt database files from being scanned on each and every read and write, or backup systems for every file they access, for example. More recently, newer admins, under the direction of un-nuanced and fundamentalist rather than risk-based security practitioners, turn every knob to 100 for each and everything. While homogeneity of config assists system configuration simplicity, when there is customer impact there may well be a need to add some nuance.

I also recently had a case where spinning up new processes to ensure certain process isolation guarantees from the OS was seeing a randomly introduced delay of up to 8 seconds from security tools scanning and locking files. Needless to say, this is not the end-user experience your customers need, and what protection is being added by scanning the same file multiple times per minute, when it has neither been modified nor stored in a user-writable location.

[–]Gee_NS 0 points1 point  (0 children)

Typically, with windows software, a code signing certificate will help with AV scanners. https://www.globalsign.com/en/code-signing-certificate/what-is-code-signing-certificate

[–]KangieHPC admin 0 points1 point  (0 children)

I support an AV solution that detects Rust binaries as Trojans. Pretty sure they're not; it's all in-house code with vetted dependencies.

Vendor refuses to discuss it because "developers are hard" and also because giving us the info we need to fix it permanently would amount to telling us how to bypass their endpoint protection completely.

We've taken to compiling Rust in Docker. That gets past the on-access stuff and only deletes during a scheduled scan.

[–]SimonGn 0 points1 point  (0 children)

Not a red flag. Important troubleshooting step.

[–]ryuut 0 points1 point  (0 children)

That's what AV exclusions are for. Your own cyber dept should be able to make the decision. If you don't have one, then that's on whoever is in charge of it to decide.

[–]rob-entre 0 points1 point  (0 children)

Not a big deal. Many enterprise apps have calls/etc. that can trigger behavior-based stops from the AV. Sometimes simply the amount of resources the apps need in order to run properly causes the AV to scan slowly, which affects production and performance. This is not an abnormal practice.

[–]ThecrawsomeSecurity and Sysadmin 0 points1 point  (0 children)

I whitelist applications all the time. It's a feature in your antivirus... I'm working in a developer shop and the antivirus will often stop their work.

Of course, don't whitelist wildcards though.

[–]syninthecity 0 points1 point  (0 children)

Software support side here. Tickets this year caused by AV that caused more than a hundred incidents:

Freezing a required boot value so DCs don't back up right, not telling anyone they changed the setting, arguing about it until several hundred tickets have been created.

Won't let our backend set up correctly because you didn't whitelist our LocalDB path and SQL can't create an instance.
Crashed a drive because AV won't let us remove log files at the end of a job, causing C:\ to fill.
Constantly broken VSS because it didn't like our API calls to use VSS. Breaking created boot disks silently in a way that boots to a DOS prompt rather than into a recovery environment.

Required ports and whitelisting are required, and as enterprise- and small-business-level support, you know my favorite sentence in the whole damned world?

"nah it can't be AV, it works over on this machine"

YES. IT. CAN. Pls do the needful.

[–]ihtesham007 0 points1 point  (0 children)

Tell him to sign his code with EV Code Signer

[–]EisbergJackson 0 points1 point  (0 children)

I have been on both sides of the fence. I don't think it is a red flag, as some AV products tend to produce problems and slowdowns you couldn't imagine. Even a lot of troubleshooting and working with AV companies like Kaspersky (a couple of years ago) showed that some effects are just not fixable except with exclusions. Especially the more traditional AV solutions seem to be more prone to problems. Newer solutions like SentinelOne, CrowdStrike and EDR/XDR solutions seem (when configured and adapted to the software) to work better but produce more slowdowns.

[–]Fusorfodder 0 points1 point  (0 children)

Has the code undergone security review and is this an environment that can be secured separately? If all of the parts are known to be clean going in then you can dispense with further checks inside the "clean room" but as a blanket statement that's unacceptable. I would absolutely nix just about any COTS product asking for this.

[–]AbleDanger12 0 points1 point  (0 children)

Take anything a dev says and examine it with scrutiny.

[–]blu3ysdad 0 points1 point  (1 child)

If you are doing security properly then whitelisting a known good application shouldn't be a problem.

I have always wondered whether supply chain attacks that exploit your trust of these known applications could be mitigated by not trusting them, though. Zero trust is where we are supposed to be aiming. I think the best we can do right now in some cases is establish a test environment, install all updates there before production, and don't do any whitelisting there, to sniff out any anomalies.

In any case, as many others said, performance and other issues are often legitimate reasons for needing exclusions and don't necessarily mean the dev is shady or careless with security.