this post was submitted on 08 Jan 2025
255 points (98.5% liked)

Programmer Humor

[–] stoy@lemmy.zip 65 points 1 week ago (4 children)

IT guy here, if we gave developers the option to exclude whatever the hell they wanted from AV scanning it would just mean that we would end up with computers where the entire C: drive would be excluded.

No, can't have that.

So what should a decent IT department do to give developers the access they need to do their job while maintaining a decent level of security?

Well, the least bad solution I have worked with was to have a non generic path that was excluded by policy.

Something like C:\Excluded

The directory was excluded from AV scan and allowed in policy, the user could put what they needed there and it would be fine.
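As an added illustration of the approach in the comment above (not code from the thread or any vendor), here is a Microsoft Defender audit script in the spirit of "one narrow, policy-approved folder instead of the whole drive": it lists the current path exclusions and flags the overly broad ones an IT department would not want to see. It assumes a Windows host with the Defender PowerShell module (`Get-MpPreference` / `Add-MpPreference`) and an elevated session; the `C:\Excluded` folder name is taken from the comment, and the list of "too broad" patterns is constructed for this example.

```powershell
# Constructed example: audit Defender path exclusions and flag broad ones.
# Assumes Windows with the Defender module; run from an elevated PowerShell.
# Policy-managed exclusions are reported by Get-MpPreference as well.

# Constructed list of exclusion shapes that defeat the point of scanning.
$TooBroad = @(
    '^[A-Za-z]:\\?$',                  # whole drive root, e.g. C:\
    '^[A-Za-z]:\\Users\\?$',           # every user profile
    '^[A-Za-z]:\\Users\\[^\\]+\\?$',   # one user's entire profile
    '\\Downloads\\?$',                 # the Downloads folder
    '^[A-Za-z]:\\Windows\\?$'          # the OS directory
)

function Test-BroadExclusion {
    # Returns $true when the path matches any of the broad patterns above.
    param([Parameter(Mandatory)][string]$Path)
    foreach ($pattern in $TooBroad) {
        if ($Path -match $pattern) { return $true }
    }
    return $false
}

function Get-ExclusionReport {
    # One row per configured path exclusion, with a TooBroad verdict.
    $pref = Get-MpPreference
    foreach ($p in $pref.ExclusionPath) {
        if ([string]::IsNullOrWhiteSpace($p)) { continue }
        [pscustomobject]@{
            Path     = $p
            TooBroad = Test-BroadExclusion -Path $p
        }
    }
}

# Broad exclusions are listed first so they stand out in the report.
Get-ExclusionReport | Sort-Object TooBroad -Descending | Format-Table -AutoSize

# The sanctioned alternative from the comment: a single, non-generic folder.
# Uncomment to add it; the audit above will not flag it as broad.
# Add-MpPreference -ExclusionPath 'C:\Excluded'
```

Run the report periodically (or from a scheduled task) so that a `C:\` or `C:\Users\<name>` exclusion added by hand shows up quickly.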

[–] asdfasdfasdf@lemmy.world 30 points 1 week ago (4 children)

So what should a decent IT department do to give developers the access they need to do their job while maintaining a decent level of security?

Give them a Linux machine?

[–] egonallanon@lemm.ee 11 points 1 week ago

This doesn't remove security and compliance requirements for the business though. For our Linux endpoints we still deploy an AV on them and limit the user's ability to add exclusions.

[–] Eyekaytee@aussie.zone -2 points 1 week ago (1 children)

You ever worked in an average corporate job? You're missing out on so much

The IT guys barely know Windows, they've most likely never even heard of Ubuntu, could you imagine such a thing :|

[–] luciferofastora@lemmy.zip 2 points 1 week ago

Huh, weird. The IT guys I work with don't just know Windows, when I joked about wanting a Linux instead they pointed out that we have software devs using Linux too. I'd need some reason to request it, but if I know the right people (and more particularly, what their favourite snacks are), I could probably get it approved.

(Doesn't actually help me, given I'm stuck using proprietary tools that I couldn't get to run with wine, but at least the option is there. And that's a big corp.)

[–] henfredemars@infosec.pub 20 points 1 week ago

I appreciate you trying to keep your developers productive. Deeply appreciate the concern.

[–] wizardbeard@lemmy.dbzer0.com 7 points 1 week ago

Your user base must be better than mine.

Some chucklefuck over a decade ago caved to the "need" for a public shared drive. I can see the argument for things like HR policy documents and such. But they didn't just give all users read access. Oh no, everyone got full read write. No fucking governance model, no process to check that PII wasn't being stored there by people too lazy to follow proper procedure.

Thankfully that horror has been thoroughly killed, and MS Teams makes it so easy for people to spin up collab spaces and file storage that there's no use case anymore.

[–] paks@feddit.uk 2 points 1 week ago (1 children)

At our place it's the IT guys trying to tell us to exclude the entire Downloads folder. One of our devs had to put her foot down and say no, we'd do something more sensible/limited instead!

[–] stoy@lemmy.zip 2 points 1 week ago

That deserves a slap

[–] pastel_de_airfryer 57 points 1 week ago (2 children)

I am a software developer at a big bank. The hoops we are forced to jump to just do our jobs are ridiculous.

We resorted to using buggy and laggy remote development environments through a slow VPN.

It's a miserable life, but at least the pay is good.

[–] SirEDCaLot@lemmy.today 29 points 1 week ago (5 children)

And yet you all are still using SMS two factor authentication. Why does my Xbox video game account have better security than my money?

[–] MajorHavoc@programming.dev 22 points 1 week ago* (last edited 1 week ago)

Why does my Xbox video game account have better security than my money?

One is designed to securely collect and keep as much of our money as possible, and the other is just a bank.

[–] pastel_de_airfryer 8 points 1 week ago

Simple, it's not a priority for them.

They care more about their stupid emails than about your money.

[–] needanke@feddit.org 4 points 1 week ago (1 children)

Really? My banks use the best 2fa I've seen so far. You have a card-reader which generates a code based on some input values related to the transaction and the physical chip on my bank-card.

(Although they have been pushing PushTan (app on phone) a lot recently :/)

[–] Ajen@sh.itjust.works 1 points 1 week ago (1 children)

To log in to your account online?

[–] bleistift2@sopuli.xyz 2 points 1 week ago

My bank (German, just like needanke’s probably is) requires that exact 2FA method once every 3 months or whenever you login via an unrecognized device. Also for every transaction you make and when you want to check bank statements more than 1 month in the past.

https://en.wikipedia.org/wiki/Transaction_authentication_number#ChipTAN_/_Sm@rt-TAN_/_CardTAN

[–] wizardbeard@lemmy.dbzer0.com 4 points 1 week ago

Xbox has all of microsoft behind it, and they linked xbox accounts with microsoft accounts many years ago, allowing them to leverage all the security tools they're making for themselves and corporate customers of Azure/Entra. They also effectively have infinite money.

Banks, surprisingly, do not. They also are often using third party systems under the hood for things like online access to your account. Those third parties tend to have less money than a bank.

Laws can't keep up with tech developments in security, and getting all your ducks in a row to be legally covered in the finance industry is a fucking nightmare.

Lastly, banks (and companies) don't stay afloat by spending money on things that aren't necessary. Until it shows a significant impact through a breach or in customers leaving specifically for the reason of lackluster MFA options, and until that impact is easily communicated to the executives, trying to fight for some budget to improve shit is an uphill battle.

I am so, so glad that the closest my work gets to customers, legal, or anything regulatory is data retention policies.

[–] Scoopta@programming.dev 2 points 1 week ago* (last edited 1 week ago)

Honestly it blows my mind that my bank doesn't support TOTP. They used to support email but recently removed that. They do support mobile push to their app, so I usually use that, but when you want to sign into the mobile app? Have to use SMS; can't very well push-notify the app that's being signed into. No choice, very silly.

[–] SurpriZe@lemm.ee 6 points 1 week ago (1 children)
[–] JaddedFauceet@lemmy.world 4 points 1 week ago* (last edited 1 week ago) (1 children)

23 USD

not all are paid equally

[–] SurpriZe@lemm.ee 2 points 1 week ago

But you're not the one who wrote the original message

[–] deegeese@sopuli.xyz 48 points 1 week ago (1 children)

Ah, that time when my job required me to write an executable scanner, and all the AVs got jealous I was honing in on their turf.

AV running in kernel mode charges its CPU cycles to the process being monitored, instead of the AV doing the monitoring.

I got a whole bunch of “your program is slow” support tickets which were resolved by telling the client to follow the AV exclusion instructions.

[–] CreatingMachines@fedia.io 11 points 1 week ago

Took me way too long to notice I was accidentally reading "charges" as "changes". Now I finally get what you were saying.

[–] pageflight@lemmy.world 39 points 1 week ago (2 children)

"Will I have root on my dev machine" is on my list of interview questions, now.

[–] MajorHavoc@programming.dev 22 points 1 week ago (1 children)

Asking questions like that can cause hiring managers like myself to have no choice but to offer you higher pay grades, because that question is a strong signal of experience.

[–] MonkderVierte@lemmy.ml 12 points 1 week ago* (last edited 1 week ago) (1 children)

Experience shows that you still force me to use WSL, because you want to develop your stupid app in the same setup as the Windows Store version, and I have to fix the not-so-much cross-platform monster of three people before me who never heard of technical debt.

[–] MajorHavoc@programming.dev 2 points 1 week ago* (last edited 1 week ago)

Absolutely.

My environment sucks almost as much as the next one. It just pays better and we get to be angry at difficult real problems caused by the previous people, instead of stupid self-inflicted problems caused by our own shortsightedness.

Edit: I mean, there's still some problems caused by our own shortsightedness, obviously.

And technically I didn't say you would like my answer, just that I'll pay more because you asked. Lol.

[–] Scoopta@programming.dev 2 points 1 week ago

Probably is for me too. This is something I've taken for granted as I work for a small company and I am the IT admin...and development team lead, I wear lots of hats. Not the owner though, basically like a CTO+.

[–] RustyNova@lemmy.world 26 points 1 week ago* (last edited 1 week ago)

Corporate antivirus is so great that it restricts Windows Update while not connected to the main network by ethernet.

Some of us are there once a month.

Last Windows update broke it, and now nobody can update.

It also brings 5 seconds of load time to any website.

[–] palordrolap@fedia.io 22 points 1 week ago

You could, and I'm just spitballing here, start sending your compiled executables to the anti-virus provider and only continue work once they've been added to the upstream exceptions. Bonus points for compiling hundreds and sending them all. Do that for a day or two and there is sure to be a number of communications many levels above you.

If executed perfectly and all goes well, you'll get your exceptions access.

Worst case... uh. Maybe this isn't such a good idea after all.

[–] Honytawk@lemmy.zip 19 points 1 week ago (3 children)

Because too many developers don't understand cybersecurity.

As is obvious from some of these comments here.

What's next, you want domain admin access to every computer/server you touch as well?

[–] Ephera@lemmy.ml 12 points 1 week ago

Nah, sudo is fine. I can create users without touching the domain stuff. 🙃

[–] isVeryLoud@lemmy.ca 5 points 1 week ago (1 children)

What they don't understand is their own machine can get compromised, and in turn compromise their accesses and other infrastructure in a pivot attack.

Developers tend to have quite a lot of access, and some can even deploy to production. At my company, the dev workstations are even more locked down than the regular users' computers for that reason, they can't even leave the province.

[–] dubyakay@lemmy.ca -1 points 1 week ago

I hate blanket generalization. You know when you get to that point that your company is over-managed and understaffed, not creating a good work environment.

[–] MajorHavoc@programming.dev 4 points 1 week ago

you want domain admin access to every computer/server you touch as well?

Heh. I've had it. It's not all it's cracked up to be. And I didn't even get one of those humorous "all I got was this lousy T-shirt" shirts.

[–] bamboo@lemmy.blahaj.zone 13 points 1 week ago (2 children)

Trellix is just rebranded McAfee. Here are instructions for How To Uninstall McAfee Antivirus.

[–] fuckwit_mcbumcrumble@lemmy.dbzer0.com 4 points 1 week ago (1 children)

RIP you glorious bastard.

I’d like to think he’s up in heaven getting shit on by a beautiful Brazilian lady.

[–] nightwatch_admin@feddit.nl -2 points 1 week ago (1 children)

This is not Trellix ePO as you can make exclusions. No, this reeks of Defender.

[–] ryannathans@aussie.zone 6 points 1 week ago

Click the link...

[–] joyjoy@lemm.ee 6 points 1 week ago* (last edited 1 week ago)

I also suspect it hangs Firefox's network stack while it does its initial scan after each boot. Chrome does not have this issue.

[–] skip0110@lemm.ee 2 points 1 week ago

Same. It is after all their own time they are wasting, so whatever. I get paid either way.