[cvsnt] Installation of CVSNT on a production Environment
Peter Crowther
Peter.Crowther at melandra.com
Wed May 26 09:51:50 BST 2004
> From: Tepperis-von der Ohe, Michael
> in chapter 2.5 Installation of the Installation Tips
> (http://www.cvsnt.org/wiki/InstallationTips)
> there is the advice on the picture 'Antivirus Software Warning:'
> to disable Virus checking.
>
> What is the current status with this point?
It depends on your virus checker. The recommendation is to disable
real-time scanning on the CVS repository, as some scanners can cause
sufficient delays and/or odd behaviour on system calls that CVS times
out or fails completely. It's not predictable, and doesn't always show
up in a test environment. I suspect it's load-related, but Tony would
be able to tell you more. There's some evidence that the problem varies
with the AV solution; what are you running? I'm sure at least one of
the subscribers to this list will be able to tell you about their own
experiences.
There is no problem with running regular scheduled scans of the CVS
repository (we do this). Similarly, there is no problem with running
real-time scanning outside the CVS repository (we also do this).
Finally, please note the following three points:
- It is recommended that the CVS repository is not sharedvia Windows
file sharing, and that the only way to get to the filestore is via the
CVS server. Therefore, it is quite difficult for even a worm to get
onto that filestore unless it has already infected a process or another
file outside the CVS repository. If your real-time scanning is enabled
elsewhere on the server, this should be detected.
- Files stored on the repository that have been checked in by a client
will have a ,v suffix, and contain extra bytes. It is very unlikely
that a virus scanner would identify a virus that had been checked in,
even if real-time scanning was running.
- A deep anti-virus strategy includes virus scanning on clients as well
as servers. There is no problem with real-time scanning on the
*clients*. These scanners will quickly identify viruses in files
checked out of CVS, even if the ,v files on the server contain such
viruses, and will (hopefully) prevent viruses being checked in.
Tony, is this accurate? You know the problem better than anyone...
- Peter
More information about the cvsnt
mailing list