开发机器和防病毒策略
我们公司使用 Sophos Anti-Virus 的默认配置,对所有文件执行按访问扫描。
我们正在考虑对源代码文件关闭此功能,但担心这会带来潜在风险。在我们的例子中,这些文件是包含 C# 源代码的 .cs 文件。
这真的会带来风险吗?
编辑
在公司内部,我们最近遇到了许多病毒问题(全部被 Sophos 捕获),其中大约 90% 来自开发人员计算机。
开发人员正在进行 Windows 开发工作,因此对其计算机拥有完整的管理权限。
Our company uses Sophos Anti-Virus with a default configuration that performs on-access scanning on all files.
We are considering turning this off for source code files but are concerned about the potential risk this poses. In our case these files are .cs files containing C# source code.
Does this really pose a risk?
Edit
Within the company we have had a number of issues with viruses recently (all got caught by Sophos) and about 90% of these came from developer machines.
Developers are doing Windows dev work so have full admin rights on their machines.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(5)
静态类型编译语言的源代码文件通常是简单的文本文件,除非将它们编译成可执行代码,否则它们无法对您的系统执行任何操作。
另一方面,如果您的源文件实际上是脚本/批处理文件,它们通常可以由操作系统“按原样”执行。因此,扫描脚本文件并针对任何其他源文件类型关闭它可能具有一定的价值。
最简单的情况是,这可能涉及对文件扩展名进行 AV 过滤(即扫描所有以 js、jvs、bat、vbs 等结尾的文件)。当然,这并不是 100% 万无一失,除非 AV 也分析文件的内容。
总而言之,关闭 .CS 源代码文件上的 AV 扫描几乎为零风险。来自开发人员计算机的任何病毒几乎肯定是由于管理权限和下载实际包含病毒的其他“工具”的开发人员共同造成的。
如果您的开发人员仍在 XP 上工作,那么在这种情况下,由于 UAC 提高了安全性,因此迁移到 Vista(或 Windows 7)实际上可能是一个好主意。
Source code files for statically typed, compiled languages are usually simple text files that can't do anything to your system unless they are compiled into executable code.
On the other hand if your source files are actually script/batch files they can often be executed "as-is" by the operating system. So there may be some value in scanning script files and turning it off for any other source file type.
At the simplest this would probably involve the AV filtering on file extension (ie scan all files ending in js, jvs, bat, vbs etc.) Of course this is not 100% fool proof unless the AV also analyses the content of the file too.
So in summary there is almost zero risk in turning off AV scan on .CS source code files. Any viruses coming from developers machines are almost certainly due to the combination of administrative rights and developers who download additional "tools" that actually contain the virus.
If your developers are still working on XP, this is one situation where moving to Vista (or Windows 7) might actually be a good idea due to the improved security thanks to UAC.
病毒通常不关心将恶意代码注入到未编译的源文件中,它们通常喜欢诱骗您安装一些 sh*tty 应用程序,从而将您的计算机变成机器人。
得到了更好的解决方案,呵呵。卸载您的病毒软件,以普通用户身份运行,并且不要在您的开发计算机上下载和安装您不能 100% 确定的任何内容。
Viruses usually don't care about injecting malicious code into uncompiled source files, they usually like to trick you into installing some sh*tty application which turns your machine into a bot.
Got a better solution, tho. Uninstall your virus software, run as a normal user, and don't download and install anything on your dev machine that you aren't 100% sure about.
Sophos 标记的文件是代码文件还是其他文件?我们在“扫描全部”设置上使用 Sophos 至少五年了,没有任何问题,并且我们拥有管理员权限
Are the files flagged by Sophos the code files or other stuff? We've been using Sophos for at least five years on the Scan All setting without any issues, and we have admin rights
默认设置是不扫描所有文件,仅扫描可感染的文件类型。检查“扫描所有文件”是否未选中。仅扫描 sophos 扫描的默认文件类型列表是安全的。
The default settings are to NOT scan all files, only infectable file types. Check that "Scan all files" is unchecked. You are safe only scanning the default list of file types sophos scans for.
我会说不。但话又说回来,我的机器已经有近 7 年没有安装防病毒软件了,也没有感染过任何病毒。所以我想我是一个特例。
I'd say no. But then again - I haven't had an antivirus on my machine for nearly 7 years now and haven't caught a single virus either. So I guess I'm a special case.