Advice to disable antivirus on Windows seems risky

Open farrago opened this issue 8 years ago • 3 comments

The content for the Windows Installer page says:

Notice

Please whitelist your project folder and the Yarn cache directory (%LocalAppData%\Yarn) in your antivirus software, otherwise installing packages will be significantly slower as every single file will be scanned as it’s written to disk.

This seems like incredibly risky advice for files that will be downloaded from the internet and blindly executed. Particularly as the issue could be on a deeply nested dependency that is hard to know about or verify in advance.

Is there a justification for this being safe that I am missing?

If not, I'm happy to prepare a pull request to remove this.

farrago, Jan 20 '17 16:01

First, you are already putting significant trust into the packages you are about to install. They can execute scripts as part of the installation with the user running the installer (sometimes a root/admin user!). These install scripts are still run even when Antivirus is turned on. There's still plenty of damage that can be done that would still pass an Antivirus scan.

Second, the value of Antivirus has been debatable for years. Here's a key passage from the article just linked:

Unfortunately, two major factors have greatly diminished the effectiveness of antivirus technology. First, malware can traverse the internet at a rate nobody ever imagined was possible. Today, a new virus can become widespread on the internet before the antivirus vendors even know it exists. Second, virus authors have learned to produce variants, which are versions of their illicit programs that function the same way, but have deliberate changes in their signature to evade antivirus programs. Because much of our malware is now distributed in kit form, even a novice can produce a malware variant and get it out on the internet very quickly.

While the value of antivirus software has been diminishing for some time, it was arguably pushed over the edge by ransomware, which, by some recent estimates, evades 100% of antivirus systems, owing its success to the rapid succession of new variants.

(I'm not a yarn admin, but a fellow user)

markstos, Jan 23 '17 15:01
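
Added example, not part of the thread or of Yarn's own code: the first point in the comment above (packages run install scripts as the installing user, whether or not antivirus is on) can be checked on a project by listing which installed dependencies declare install-time lifecycle scripts. The helper names `findInstallScripts` and `buildSampleTree` and all package names are hypothetical, and the sample tree is constructed so the script runs offline.

```javascript
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

// Lifecycle hooks that npm and Yarn run automatically while installing a package.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

// Walk a node_modules tree (scoped and nested packages included) and return
// every install-time script declared in a package.json.
function findInstallScripts(nodeModulesDir) {
  const findings = [];
  if (!fs.existsSync(nodeModulesDir)) return findings;
  for (const entry of fs.readdirSync(nodeModulesDir, { withFileTypes: true })) {
    if (!entry.isDirectory() || entry.name.startsWith('.')) continue;
    const dir = path.join(nodeModulesDir, entry.name);
    if (entry.name.startsWith('@')) { // scope directory: packages sit one level down
      findings.push(...findInstallScripts(dir));
      continue;
    }
    let scripts = {};
    let name = entry.name;
    try {
      const pkg = JSON.parse(fs.readFileSync(path.join(dir, 'package.json'), 'utf8'));
      scripts = pkg.scripts || {};
      name = pkg.name || name;
    } catch { /* missing or malformed manifest: nothing to report here */ }
    for (const hook of INSTALL_HOOKS) {
      if (typeof scripts[hook] === 'string') findings.push({ name, hook, command: scripts[hook] });
    }
    findings.push(...findInstallScripts(path.join(dir, 'node_modules')));
  }
  return findings;
}

// Constructed sample tree with hypothetical package names, so this runs offline.
function buildSampleTree() {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), 'nm-audit-'));
  const write = (rel, manifest) => {
    const dir = path.join(root, 'node_modules', rel);
    fs.mkdirSync(dir, { recursive: true });
    fs.writeFileSync(path.join(dir, 'package.json'), JSON.stringify(manifest));
  };
  write('plain-lib', { name: 'plain-lib', scripts: { test: 'mocha' } });
  write('native-thing', { name: 'native-thing', scripts: { install: 'node-gyp rebuild' } });
  write('@acme/tool', { name: '@acme/tool', scripts: { postinstall: 'node setup.js' } });
  write('plain-lib/node_modules/deep-dep', { name: 'deep-dep', scripts: { preinstall: 'node check.js' } });
  return path.join(root, 'node_modules');
}

for (const f of findInstallScripts(buildSampleTree())) console.log(`${f.name}\t${f.hook}\t${f.command}`);
```

To review a real project, pass its own `node_modules` path to `findInstallScripts` in place of the sample tree and read each reported command before trusting the install.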

Thanks for the comments @markstos.

Besides the passage you highlighted, I think the real key passage from the article is:

Given all of the facts, I continue to believe that antivirus software, despite its limitations, has a place in our defensive strategy -- but just as part of that strategy.

I think we can agree that antivirus is not a global panacea, but I believe it is a part of a sensible security strategy and yarn should not recommend removing it.

farrago, Jan 23 '17 16:01

Any movement on this? I guess it's still not safe enough to disable your antivirus. Any solutions? I guess with WSL 2, we'll be able to yarn from there and could be faster? Still, what about without WSL2?

zenVentzi, Mar 30 '20 22:03