KBEA-00009 - Using ElectricAccelerator with anti-virus software

Summary

This article addresses the supportability of anti-virus scanners installed on ElectricAccelerator hosts, servers and Electric Make (eMake) machines. Also, compatible configurations with virus scanners and ElectricAccelerator are listed.

Solution

ElectricAccelerator is not certified to run with any specific anti-virus applications.

The following information is a compilation of support knowledge related to configuring anti-virus applications to successfully work with ElectricAccelerator. This information is not an official recommendation, just lessons-learned to assist you in avoiding known problems when anti-virus applications are configured to the contrary.

General issues to consider when configuring virus scanners on an ElectricAccelerator server are as follows:

1. When and how to scan
2. When and how not to scan
3. What to scan
4. What not to scan
5. Verifying anti-virus settings
6. Performance considerations

When and How to Scan

When possible, scan manually or on a scheduled basis during downtime (non-work time). This limits virus scanning’s performance impact during normal operations, especially ElectricAccelerator use. This impact could be significant depending on client speed, network bandwidth, server performance, and the number of clients accessing the cluster.

Shut down ElectricAgent on cluster host(s) being scanned. This avoids any possibility of the scanner’s affecting or being affected by ElectricAccelerator.

When and How Not to Scan

Avoid “realtime” or “on-access” scans on cluster agent machines. Depending on how aggressive the virus scanner is, on-access scanning can disable EFS creation/access. The final step in the on-access operation is typically to rename temporary containers, and ElectricAgent creates many of these containers as part of its process. On-access scans may lock a file to perform some operations, resulting in the inability of ElectricAgent to rename the file. This may result in errors from ElectricAgent such as “unable to open/rename file.” This can also generate spurious serializations and false conflicts.

It is recommended to disable heuristic scans, for example TrendMicros IntelliTrap.

What to Scan

Scan source files on the eMake machine.

Scan the derived objects after the build completes on the eMake machine. This catches files added or modified by a virus. Real-time scanning on the eMake machine may adversely affect performance.

What Not to Scan

Do not scan the EFS temporary directories (on the cluster machines): Scanning this part of the drive scans all files mounted on this system. The EFS lookup/creation phase of a file open in EFS can lead to serious performance degradation because the scan attempts to open all files in the temporary space.

Sample configuration on our local TrendMicro setup:

1. We have two groups defined in the TrendMicro server used by our build and test machines. One for servers and one for desktops.
2. Both groups have basically this setup:
   1. Real Time scan is enabled
   2. IntelliScan uses TrueType file type detection
   3. We do not scan mounted drives
   4. We exclude these directories (the list will vary from environment to environment):
      1. c:\cygwin\tmp
      2. c:\Documents and Settings\build.Electric-Cloud\Local Settings\Temp
      3. c:\Documents and Settings\build\Local Settings\Temp
      4. c:\ECloud
      5. c:\efs
      6. c:\Temp
      7. c:\tmp
      8. c:\User\build.Electric-Cloud\AppData\Local\Temp
      9. c:\User\build.Electric-Cloud\Local Settings\Temp
      10. c:\User\build\AppData\Local\Temp
      11. c:\User\build\Local Settings\Temp
      12. c:\Windows\Temp
      13. n:\ (samba share… just in case)
   5. IntelliTrap is disabled
   6. Firewall is disabled
   7. Behavior Monitoring is disabled
   8. Web Thread detection is disabled
   9. TrendSecure toolbars are disabled
   10. Mail scan is disabled

Verifying Anti-Virus Settings

To test your anti-virus software’s whitelisted directories, a text file can be created that is 100% safe and is used for testing anti-virus software. Instructions on how to generate the file (called the “EICAR Standard Anti-Virus Test File”) are available on the EICAR website. If the 68-byte file is generated in a whitelisted directory and is flagged by anti-virus software, it means that there is an issue with its configuration. This string is:

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

Performance Considerations

Real-time scan everything (agents and eMake) - 8% slower than no scan

Real-time scan except for TEMP (on agents) - 4% slower than no scan

Real-time scan except for TEMP (on agents and eMake) - not much slower than no scan

Applies to