McAfee Anti-Virus Exclusion

Sat May 8 22:43:20 GMT 2021

On 2021-05-07 04:57, Lam Jian Zhou via Cygwin wrote:
> We have encountered an issue with Cygwin process get slow when using McAfee anti-virus.
> We have put all the exclusion on not scanning or checking on Cygwin process and folder, but the slowness still exists.
> We have tried McAfee recommendation on this : https://docs.mcafee.com/bundle/endpoint-security-10.7.x-common-product-guide-windows/page/GUID-459435D7-AE7B-4656-9120-9235F39EA0D6.html but still not able to solve the issue.
> 
> We have tried to find the issue in various forum but there is not much helpful information on this and even the McAfee support told us only Cygwin support can give the answer.
> 
> Would you able to give some recommendation of what should be exclude for Cygwin process?
> Or is there any other windows process will be trigger along with the Cygwin? so, we can exclude them as well.

Cygwin support is a bunch of volunteers, so unless you can demonstrate an 
obvious reproducible problem across multiple different installations, using a 
simple test case, caused by Cygwin doing something it should not, it is unlikely 
anyone here will be able to help much.
Please note that Cygwin is doing only what it has to, in order to support a 
POSIX development environment under Windows.
If it seems too slow for your uses, please consider testing, timing, and running 
your development toolchain under faster environments: try one of the many 
distros under WSL, local or server VMs, Docker, etc.

The problem is with McAfee going out to servers to check every executable, 
rather than remember locally that a file has already been checked using a hash 
over contents and properties, and skipping future checks.
If you have problems with McAfee, complain to Intel, and thence to whoever 
insists you run a legacy AV suite.

Run Windows Defender if you need an AV and want to minimize slowdown.
More intrusive AV will intercept and interfere more with performance (like 
anything called End Point Protection, which is known to break Cygwin).
Have your techs run your processes with only Windows and Cygwin installed, then 
with Windows Defender, then with Intel McAfee AV to see the differences.

Looking at the McAfee exclusions, they are decades out of date, most 
installations are now x86_64, and may also support x86 [32 bit], so you need to 
exclude the compiler and build toolchain utilities (gcc, llvm, clang, binutils, 
coreutils, c/make, libtool, git packages) in /bin/, /usr/*86*-pc-cygwin/, 
/lib/gcc/*86*-pc-cygwin/[1-9]*/ and all their DLLs /bin/cyg...*.dll for all 
installed compiler and utility versions.
Note that Cygwin supports git (and is part of the toolchain used to build Git 
for Windows mentioned by McAfee), so add /usr/libexec/, /usr/libexec/git-core/, 
and other contents of that tree to your exclusions.

On development machines, Adaptive Threat Protection (guessing based on patterns 
matching existing malware) will slow down every step of every build, so switch 
it off, as well as any other guessing games, cloud or remote access!

Following McAfee's suggestions, using gpg keys and SHA2 hashes, make a verified 
clean Cygwin developer build of everything you use, and upload everything 
installed to McAfee's GTI servers, and the validation files to your own TIE 
servers: clone to each developer machine and run a local TIE server there.
Do the same for everything in all your production builds.

-- 
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada

This email may be disturbing to some readers as it contains
too much technical detail. Reader discretion is advised.
[Data in binary units and prefixes, physical quantities in SI.]