Antivirus exclusions to keep Xcode speedy

Don’t waste your time with AV. The only Mac malware is what people install themselves.

First your goal is to improve Xcode's performance, then you segue into AV schemes. You seem unsure of what you want, it seems.

If you want to improve performance, disable your AV tools.

If you want to avoid uploading infected files to the store, you might want to imagine the checks done on the backend and how they might easily dwarf your local efforts, making them at best, I think, redundant.

As for being cavalier, I'd wonder if you're referring to doing all this sans benchmarks - without them, you're just guessing.

I would not have posted this if it was my choice whether AV is installed.

In all seriousness, get your resume in order and start looking for a job. Your IT department has no idea how Macs work. Scanning the disk like that is a pathetic waste of time. There aren't any magic folders you need to exclude. There are only a handful of folders that even matter for such purposes in the first place. Your Mac could be chock full of malware and if there wasn't any mechanism to get it running and keep it running, it would be absolutely harmless.

You aren't going to get infected by a Mac virus because no such thing exists. If you go searching for free movie downloads and **** long enough, you might be able to get yourself infected with some adware. Such things are very simplistic. Reproducting themselves by infecting your Derived data folder is far beyond their capabilities. And even if it weren't, you wouldn't have to worry because Xcode doesn't use that folder when making archive builds.

You could try installing some other AV product to satisfy your IT department. The only one I would recommend is MalwareBytes. It will restrict itself to scanning just those handful of important places and not get in your way.

There have been instances of developers distributing malware-laden builds. But in those cases, the developers had installed hacked versions of Xcode itself. Anything like that would have blown right by any Mac AV product.

John,

Like I told Ken, you don't know the specifics of our product requirements. These didn't come from IT, they are requirements due to the nature of our products and our customers. How many pages of legal attestations do you have to sign in order to sell your product?

Macs aren't immune to viruses. What would you do if you worked on a product where well-funded state actors may be incentivized to penetrate the security of your business?

Hey John - Speaking of NASA, sorry I haven't gotten back to you about that telemetry data. Still waiting on NOAA to give me a timeline...suspect it will be the usual wait/wait, then how they need a deliverable yesterday.

Ken

Yeah, but I sure know the specifics of how software gets loaded and persisted on macOS. 🙂

No one said the Macs were immune to viruses. It is a simple fact that no such Mac viruses exist at this time. This is due to both the nature and relative (un)popularity of the platform. Furthermore, Apple has its own substantial security team and multiple layers of malware protection built into the operating system.

If you really think that a 3rd party, consumer product like Sophos is going to 1) do better than Apple or 2) protect you from the likes of the NSA, Mossad, the Russians, or the Chinese, then I guess you are just going to have to put up with slow builds.

1) Mac viruses do exist, they just aren't widely prevalent due in part to Gatekeeper and sandbox restrictions.

2) Since you know how software gets loaded and persisted then you should also know Apple's security team and multiple layers of malware protection don't include active virus detection.

3) State actors don't need magical deep hacking techniques to penetrate systems when they can exploiting basic failures of security. Most hacks like the DNC get their start because someone was manipulated into running infected software.

Again, you've made your personal opinions very clear. I actually agree with much of what you've written. I've only used Mac AV software one time before and involuntarily (at a 50,000 person company with very strict IT standards). But customer requirements trump all, and your personal opinions aren't pertinent.

A followup benchmark, building with bitcode for distribution is 20% faster with DerivedData excluded from Sophos scanning.

*****,

Did you make any progress here outside of this Chat? We have a similar challenge with XCode and Sophos Endpoint.