public inbox for cygwin@cygwin.com
* McAfee Anti-Virus Exclusion
@ 2021-05-07 10:57 Lam Jian Zhou
  2021-05-08 22:43 ` Brian Inglis
  0 siblings, 1 reply; 3+ messages in thread
From: Lam Jian Zhou @ 2021-05-07 10:57 UTC (permalink / raw)
  To: cygwin

Hi Cygwin,

We have encountered an issue with Cygwin processes getting slow when using McAfee anti-virus.
We have put in all the exclusions for not scanning or checking Cygwin processes and folders, but the slowness still exists.
We have tried McAfee's recommendation on this: https://docs.mcafee.com/bundle/endpoint-security-10.7.x-common-product-guide-windows/page/GUID-459435D7-AE7B-4656-9120-9235F39EA0D6.html but are still not able to solve the issue.

We have tried to find the issue in various forums, but there is not much helpful information on this, and even McAfee support told us only Cygwin support can give the answer.

Would you be able to give some recommendation of what should be excluded for Cygwin processes?
Or are there any other Windows processes that will be triggered along with Cygwin, so we can exclude them as well?

Thank you.


Best Regards,



Jian Zhou

IT Infrastructure Executive



BOND PRICING AGENCY MALAYSIA SDN BHD (667403-U)




* Re: McAfee Anti-Virus Exclusion
  2021-05-07 10:57 McAfee Anti-Virus Exclusion Lam Jian Zhou
@ 2021-05-08 22:43 ` Brian Inglis
  2021-05-09  2:50   ` Jim McNamara
  0 siblings, 1 reply; 3+ messages in thread
From: Brian Inglis @ 2021-05-08 22:43 UTC (permalink / raw)
  To: cygwin

On 2021-05-07 04:57, Lam Jian Zhou via Cygwin wrote:
> We have encountered an issue with Cygwin processes getting slow when using McAfee anti-virus.
> We have put in all the exclusions for not scanning or checking Cygwin processes and folders, but the slowness still exists.
> We have tried McAfee's recommendation on this: https://docs.mcafee.com/bundle/endpoint-security-10.7.x-common-product-guide-windows/page/GUID-459435D7-AE7B-4656-9120-9235F39EA0D6.html but are still not able to solve the issue.
> 
> We have tried to find the issue in various forums, but there is not much helpful information on this, and even McAfee support told us only Cygwin support can give the answer.
> 
> Would you be able to give some recommendation of what should be excluded for Cygwin processes?
> Or are there any other Windows processes that will be triggered along with Cygwin, so we can exclude them as well?

Cygwin support is a bunch of volunteers, so unless you can demonstrate an 
obvious reproducible problem across multiple different installations, using a 
simple test case, caused by Cygwin doing something it should not, it is unlikely 
anyone here will be able to help much.
Please note that Cygwin is doing only what it has to, in order to support a 
POSIX development environment under Windows.
If it seems too slow for your uses, please consider testing, timing, and running 
your development toolchain under faster environments: try one of the many 
distros under WSL, local or server VMs, Docker, etc.

The problem is with McAfee going out to servers to check every executable, 
rather than remember locally that a file has already been checked using a hash 
over contents and properties, and skipping future checks.
If you have problems with McAfee, complain to Intel, and thence to whoever 
insists you run a legacy AV suite.

Run Windows Defender if you need an AV and want to minimize slowdown.
More intrusive AV will intercept and interfere more with performance (like 
anything called End Point Protection, which is known to break Cygwin).
Have your techs run your processes with only Windows and Cygwin installed, then 
with Windows Defender, then with Intel McAfee AV to see the differences.

Looking at the McAfee exclusions, they are decades out of date; most 
installations are now x86_64, and may also support x86 [32 bit], so you need to 
exclude the compiler and build toolchain utilities (gcc, llvm, clang, binutils, 
coreutils, c/make, libtool, git packages) in /bin/, /usr/*86*-pc-cygwin/, 
/lib/gcc/*86*-pc-cygwin/[1-9]*/ and all their DLLs /bin/cyg...*.dll for all 
installed compiler and utility versions.
Note that Cygwin supports git (and is part of the toolchain used to build Git 
for Windows mentioned by McAfee), so add /usr/libexec/, /usr/libexec/git-core/, 
and other contents of that tree to your exclusions.

On development machines, Adaptive Threat Protection (guessing based on patterns 
matching existing malware) will slow down every step of every build, so switch 
it off, as well as any other guessing games, cloud or remote access!

Following McAfee's suggestions, using gpg keys and SHA2 hashes, make a verified 
clean Cygwin developer build of everything you use, and upload everything 
installed to McAfee's GTI servers, and the validation files to your own TIE 
servers: clone to each developer machine and run a local TIE server there.
Do the same for everything in all your production builds.

-- 
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada

This email may be disturbing to some readers as it contains
too much technical detail. Reader discretion is advised.
[Data in binary units and prefixes, physical quantities in SI.]
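
The exclusion paths and the SHA2 hashing mentioned in the message above, as an added example that is not part of the original post or of Cygwin itself: it expands the listed globs to the directories that exist on a given install, prints them in Windows form for an exclusion list, and writes a SHA-256 manifest of the executables and DLLs in them. The function names, the `WINROOT` default of `C:\cygwin64` and the manifest file name are assumptions.

```sh
#!/bin/sh
# Added example (not from the thread). Function names, WINROOT's default and
# the manifest file name are assumptions.

# Existing directories matching the exclusion globs named in the message.
exclusion_dirs() {   # arg: Cygwin root as a POSIX path, e.g. /
    for _pat in 'bin' 'usr/*86*-pc-cygwin' 'lib/gcc/*86*-pc-cygwin/[1-9]*' \
                'usr/libexec' 'usr/libexec/git-core'; do
        for _d in "${1%/}"/$_pat; do   # $_pat unquoted so the glob expands
            if [ -d "$_d" ]; then printf '%s\n' "$_d"; fi
        done
    done
}

# Pure string mapping of a POSIX path under CYGROOT onto a Windows root.
posix_to_win() {   # args: CYGROOT WINROOT PATH
    _rel=${3#"${1%/}"}
    printf '%s%s\n' "$2" "$(printf '%s' "$_rel" | tr '/' '\\')"
}

# Windows form of a path for the AV console; cygpath is used inside Cygwin.
to_win_path() {
    if command -v cygpath >/dev/null 2>&1; then cygpath -w "$1"
    else posix_to_win "${CYGROOT:-/}" "${WINROOT:-C:\\cygwin64}" "$1"; fi
}

# SHA-256 manifest of the .exe and .dll files directly inside those
# directories, one line per file, sorted by path.
hash_manifest() {   # arg: Cygwin root
    exclusion_dirs "$1" | while IFS= read -r _d; do
        find "$_d" -maxdepth 1 -type f \( -name '*.exe' -o -name '*.dll' \) \
            -exec sha256sum {} +
    done | sort -u -k2
}

# Runs only when a root is given: sh cyg-exclusions.sh /
if [ "$#" -gt 0 ]; then
    CYGROOT=$1
    exclusion_dirs "$1" | while IFS= read -r _d; do to_win_path "$_d"; done
    hash_manifest "$1" > cygwin-excluded.sha256
fi
```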


* Re: McAfee Anti-Virus Exclusion
  2021-05-08 22:43 ` Brian Inglis
@ 2021-05-09  2:50   ` Jim McNamara
  0 siblings, 0 replies; 3+ messages in thread
From: Jim McNamara @ 2021-05-09  2:50 UTC (permalink / raw)
  To: Cygwin


Hi,

I have really good luck with Webroot.
AVG ... not so much (Cygwin false positives)! Webroot and Malwarebytes go
well together. Webroot uses its own outbound firewall and Windows Defender for
inbound. I think I remember from a YouTube review it has to be connected to
the internet for the scanner to detect threats.

It is good to know that software labeled endpoint software won't work. I
know of one such place using it.

I hope you can use Defender and save $. If not, hopefully 2 more good
suggestions for you.

Robo-loki




