INTERACT FORUM


Author Topic: Antivirus Software  (Read 2256 times)

dtc

  • MC Beta Team
  • Citizen of the Universe
  • *****
  • Posts: 3019
Antivirus Software
« on: March 04, 2020, 10:04:39 am »

EDIT: This comment was moved from another thread. The comment was simply a recommendation to a user on how to set up Windows Defender on Windows 10 for MC.

The only exclusion that should be required is the Program Files\JRiver folder - or Program Files (x86)\JRiver for the 32-bit version.  Everything under that and everything opened by an application under that should inherit the exclusions.
Logged

JimH

  • Administrator
  • Citizen of the Universe
  • *****
  • Posts: 71442
  • Where did I put my teeth?
Re: Antivirus Software
« Reply #1 on: March 04, 2020, 10:50:20 am »

Excluding media directories is also a good idea.
Logged

dtc

  • MC Beta Team
  • Citizen of the Universe
  • *****
  • Posts: 3019
Re: Antivirus Software
« Reply #2 on: March 04, 2020, 10:58:21 am »

Excluding media directories is also a good idea.

EDIT: In the original thread, this was clearly in the context of Windows Defender on Windows 10.

I have not seen evidence of that.  Do you have examples that show that that makes a difference?  Excluded apps are supposed to not need the files they open excluded.
Logged

JimH

  • Administrator
  • Citizen of the Universe
  • *****
  • Posts: 71442
  • Where did I put my teeth?
Re: Antivirus Software
« Reply #3 on: March 04, 2020, 11:00:48 am »

Antivirus software inserts itself in processes like reading files.  It clearly slows that down.

In the antivirus thread I keep, there are many examples of it causing such problems:

https://yabb.jriver.com/interact/index.php?topic=86096.msg588759#msg588759
Logged

dtc

  • MC Beta Team
  • Citizen of the Universe
  • *****
  • Posts: 3019
Re: Antivirus Software
« Reply #4 on: March 04, 2020, 11:06:20 am »

Excluding media can potentially speed up access, no doubt. But, I do not think there are any examples of it causing access problems.

As I have said before, it is time to have a clean explanation for exactly how to deal with Windows Explorer.  The current thread has lots of speculation and discussion, which confuses the new user.

If the recommendation is to exclude the JRiver folder for access issues and exclude media folders for speed issues, I am fine with that. But, a clean explanation is probably in order.

By the way, I did read that thread and did not find any examples using  Windows Defender where  there were speed problems with media files when the JRiver folder was excluded. It may happen, but I have not seen the evidence.
Logged

JimH

  • Administrator
  • Citizen of the Universe
  • *****
  • Posts: 71442
  • Where did I put my teeth?
Re: Antivirus Software
« Reply #5 on: March 04, 2020, 11:38:03 am »

Antivirus software often reads and checks every file every time it's opened.  If you need more "evidence" I can't help you.

I don't know what you mean by this:

"it is time to have a clean explanation for exactly how to deal with Windows Explorer"
Logged

dtc

  • MC Beta Team
  • Citizen of the Universe
  • *****
  • Posts: 3019
Re: Antivirus Software
« Reply #6 on: March 04, 2020, 12:11:47 pm »

Awesome Donkey did a wonderful job on the original Windows Defender thread. But it is long and confusing as people learned more about how to deal with Windows Defender.  There are recommendations in there that are probably not necessary. AD agrees with those observations. What I have advocated for before is a much simpler explanation of exactly what needs to be done to Windows Defender to make it not interfere with MC.  The conclusion of that long thread is that basically excluding the main JRiver folder is all that is really necessary. But, you have to read an awful lot to get to that conclusion.

Again, I have not seen any evidence in all these long discussions that excluding media folders helps with Windows Defender. There are certainly examples of other anti-virus causing problems when media files are not excluded. But I just have not seen any threads that show that excluding media folders when using Windows Defender on Windows 10 solves any problems. If there are such threads, please point me to them. But, I just have not seen them.

One of the basic tenets of the Taming Windows Defender thread is that if you exclude the main JRiver directory, any applications in that folder will honor that exclusion both for the application and for files that it opens. If that is indeed the case, then excluding the media files is not necessary, either for access control or for speed control.  Note, again, I am talking about Windows Defender on Windows 10.

I keep bringing this up because Windows Defender on Windows 10 is a problem for JRiver. But, it seems like one simple exclusion is all that is needed to solve the problem.  Pointing to a long and detailed thread and also recommending excluding media folders seems to unnecessarily complicate the solution.

I would ask that you look at the details of taming Windows Defender on Windows 10 and understand what needs to be done. I really think that can help new users figure out how to do the "taming". And, I think it is much easier than is often portrayed. All you have to do is exclude one folder and you are done.

Again, I am talking about Windows Defender on Windows 10, not all the other antivirus software, which I totally agree can operate in bizarre ways.

Please read here for more details

https://yabb.jriver.com/interact/index.php/topic,122374.msg846945.html#msg846945

Logged

tij

  • MC Beta Team
  • Citizen of the Universe
  • *****
  • Posts: 1557
Re: Antivirus Software
« Reply #7 on: March 04, 2020, 12:53:25 pm »

If program is excluded from antivirus ... it does not automatically mean its action will not be monitored by antivirus.

MS word or Acrobat Reader can potentially open harmful documents. So AV can assume MC can too. Excluding media folder from “on demand” scan is logical.

Plus ... it’s better to eliminate all potential sources of AV interference ... some ppl might get away with some settings cause their machine can power through additional AV tasks ... some might not
Logged
HTPC: Win11 Pro, MC: latest 31(64b), NV Driver: v425.31, CPU: i9-12900K, 32GB RAM, GeForce: 2080ti
Screen: LG 2016 E6
NAS: FreeNAS 11.1, SuperMicro SSG-5048R-E1CR36L, E5-1620v4, 64GB ECC RAM, 18xUltrastar He12-SAS3 drives, 2x240GB SSD (OS)

dtc

  • MC Beta Team
  • Citizen of the Universe
  • *****
  • Posts: 3019
Re: Antivirus Software
« Reply #8 on: March 04, 2020, 01:06:51 pm »

If program is excluded from antivirus ... it does not automatically mean its action will not be monitored by antivirus.

My understanding is that for Windows Defender on Windows 10, if an exclusion is set for an application, then any files the app opens will also be excluded from being scanned when the application reads the file.  So there is no reason to explicitly exclude the media files in Windows Defender in order to prevent scanning when the application reads the file.

Do you agree?
Logged

JimH

  • Administrator
  • Citizen of the Universe
  • *****
  • Posts: 71442
  • Where did I put my teeth?
Re: Antivirus Software
« Reply #9 on: March 04, 2020, 02:12:53 pm »

My understanding is that for Windows Defender on Windows 10, if an exclusion is set for an application, then any files the app opens will also be excluded from being scanned when the application reads the file.  So there is no reason to explicitly exclude the media files in Windows Defender in order to prevent scanning when the application reads the file.

Do you agree?
I would not count on it.
Logged

dtc

  • MC Beta Team
  • Citizen of the Universe
  • *****
  • Posts: 3019
Re: Antivirus Software
« Reply #10 on: March 04, 2020, 04:07:02 pm »

I would not count on it.

Well others seem to believe this is true

Once again I have not seen any reports where you needed to exclude media folders in Windows Defender on Windows 10 to make MC work

If you want to make that the official JRiver recommendation, it is up to you. But, as I said, right now the official thread is not clear on this issue.

Logged

JimH

  • Administrator
  • Citizen of the Universe
  • *****
  • Posts: 71442
  • Where did I put my teeth?
Re: Antivirus Software
« Reply #11 on: March 04, 2020, 04:36:21 pm »

It's not an official thread.  It's one (very smart) person's best effort to provide instructions.

Antivirus education is not JRiver's job.  If you use one, you'll need to make an attempt to understand how it should be done.

I don't think anyone really knows how they work.  The makers are very careful not to let anyone know, in part to make it hard to defeat them.
Logged

tij

  • MC Beta Team
  • Citizen of the Universe
  • *****
  • Posts: 1557
Re: Antivirus Software
« Reply #12 on: March 05, 2020, 07:06:37 am »

My understanding is that for Windows Defender on Windows 10, if an exclusion is set for an application, then any files the app opens will also be excluded from being scanned when the application reads the file.  So there is no reason to explicitly exclude the media files in Windows Defender in order to prevent scanning when the application reads the file.

Do you agree?

Nope ... this approach is too riddled with holes ... common files used by applications have huge security holes ... especially documents that support scripting and programming languages (PDF, xls, doc) ... as AV cannot possibly know all file types, it is safer for them just to check what the program opens

Excluding application from AV might prevent AV inserting code into programs ... but I heavily doubt it excludes AV from checking files it opens or programs it executes.

If your media sits on NAS or USB ... on connection to those most AV will scan them unless explicitly told not to

I think AV philosophy is make it secure and let user open holes in the shield ... rather than give them shield with holes and let users plug those holes as they see fit
Logged
HTPC: Win11 Pro, MC: latest 31(64b), NV Driver: v425.31, CPU: i9-12900K, 32GB RAM, GeForce: 2080ti
Screen: LG 2016 E6
NAS: FreeNAS 11.1, SuperMicro SSG-5048R-E1CR36L, E5-1620v4, 64GB ECC RAM, 18xUltrastar He12-SAS3 drives, 2x240GB SSD (OS)

dtc

  • MC Beta Team
  • Citizen of the Universe
  • *****
  • Posts: 3019
Re: Antivirus Software
« Reply #13 on: March 05, 2020, 07:36:40 am »

Nope ... this approach is too riddled with holes ... common files used by applications have huge security holes ... especially documents that support scripting and programming languages (PDF, xls, doc) ... as AV cannot possibly know all file types, it is safer for them just to check what the program opens

Excluding application from AV might prevent AV inserting code into programs ... but I heavily doubt it excludes AV from checking files it opens or programs it executes.

If your media sits on NAS or USB ... on connection to those most AV will scan them unless explicitly told not to

I think AV philosophy is make it secure and let user open holes in the shield ... rather than give them shield with holes and let users plug those holes as they see fit

My question was specific to how Windows Defender on Windows 10 works when a program opens a file.  Specifically  if MC has been excluded in Windows Defender on Windows 10 then when MC opens a media file, does Windows Defender scan the media file? If it does not scan the media file, there is no reason to add a specific exclusion for media file folders to increase speed for file access.
Logged

dtc

  • MC Beta Team
  • Citizen of the Universe
  • *****
  • Posts: 3019
Re: Antivirus Software
« Reply #14 on: March 05, 2020, 07:46:29 am »



Antivirus education is not JRiver's job.  If you use one, you'll need to make an attempt to understand how it should be done.



That is exactly what I am doing. And I have not seen any evidence that excluding media files in Windows Defender on Windows 10 is necessary.  If someone shows me otherwise, I will change my thinking.
Logged

glynor

  • MC Beta Team
  • Citizen of the Universe
  • *****
  • Posts: 19608
Re: Antivirus Software
« Reply #15 on: March 05, 2020, 08:25:49 am »

I generally don't exclude my media files from Windows Defender on my server.

It absolutely positively impacts performance if you do exclude them. However, as tij referenced above, there's a good reason to actually scan your media files before opening them. It isn't just files (like PDF) which can contain scripting. The decoders used to demux and read media files have (AVI, MKV, and JPEG are some examples just over the past year) been subject to a wide variety of different buffer overflow and similar bugs. This can then, if you craft a malformed media file just-so, let you use a JPEG to deliver a malware payload when the file is read. There have been many real-world attacks using this vector.

And, the issue is, how many zero day bugs are out there in the hundreds of decoders used to read your media files that we don't know about? ALL software written by humans contains bugs. And, worse to some degree, it is possible for malicious actors to intentionally insert hidden bugs in some sets of open source code. And even if all of your content comes from "trusted sources" (all completely legit online stores, etc) who's to say that they aren't exploited? This is exactly the kind of tactic they've caught state actors using to do bad things in the very recent past. You want to target a wide swath of a particular population? Get a mole in Amazon (or Apple or whatever) to infect specifically chosen movies likely to be used by the audience you're targeting and done and done.

That said, you don't really need to be scanning them in multiple places, and you don't necessarily need to scan them on-the-fly. So, for example:
* If you use a client-server setup of MC, you don't need to have your AV scan the files on-the-fly on BOTH the client and the server. Let the server do it, and keep the paths excluded on the clients.
* If you have a very static long-term Media Library path (where new files never go directly), you can exclude them from on-the-fly scanning and maybe set up a recurring "manual" scan of the path periodically in the middle of the night, and leave the on-the-fly scanning enabled for the "new content" directories.

But, yes, disk access will be slower when AV is scanning ANYTHING on the fly. It puts interrupts around all disk access. That makes all disk access higher latency, and has the potential to introduce additional bugs. And, of course, the file IO readers on the AV application are equally vulnerable to accidentally trigger the malware payloads while they're trying to scan them. There are sandbox escapes for AV file readers all the time.

So, it is a crapshow. AV software is bad, but so is not having it at all in many cases.
Logged
"Some cultures are defined by their relationship to cheese."

Visit me on the Interweb Thingie: http://glynor.com/

JimH

  • Administrator
  • Citizen of the Universe
  • *****
  • Posts: 71442
  • Where did I put my teeth?
Re: Antivirus Software
« Reply #16 on: March 05, 2020, 08:34:26 am »

That said, you don't really need to be scanning them in multiple places, and you don't necessarily need to scan them on-the-fly.
Exactly.  It is this that slows things down.
Logged

dtc

  • MC Beta Team
  • Citizen of the Universe
  • *****
  • Posts: 3019
Re: Antivirus Software
« Reply #17 on: March 05, 2020, 08:47:20 am »

According to Microsoft documentation, if you exclude a process in Windows Defender, then any files that the process opens are also skipped by Windows Defender.  Here is a table from their documentation on what happens based on the exclusion type.

Exclusion Type   Defined By                                          What Happens

File             Location                                            The specific file is skipped by Windows Defender Antivirus.
                 Example: c:\sample\sample.test

Folder           Location                                            All items in the specified folder are skipped by Windows Defender Antivirus.
                 Example: c:\test\sample

File type        File extension                                      All files with the .test extension anywhere on your device are skipped by Windows Defender Antivirus.
                 Example: .test

Process          Executable file path                                The specific process and any files that are opened by that process are skipped by Windows Defender Antivirus.
                 Example: c:\test\process.exe

https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus#exclusions

So, it really seems like excluding media files is not necessary to ensure MC performance, unless, of course, the Microsoft documentation is wrong and the process exclusion does not work as their documentation says.  I do not know when this feature was implemented, but the documentation is very current, about a month ago.

Note that I am assuming that the described action for Process Exclusion also applies when a Process is included under a Folder Exclusion.  That should probably be tested.
Logged

Hendrik

  • Administrator
  • Citizen of the Universe
  • *****
  • Posts: 10721
Re: Antivirus Software
« Reply #18 on: March 05, 2020, 08:53:02 am »

What I would generally recommend is 4 rules:

- Exclude the main MC folder
- Exclude the main MC process (Media Center 26.exe)
- Exclude the JRWorker.exe process
- Exclude the MC data directory in AppData, where the library and plugins live

For the second and third step, it's important to actually get the process, and not the file. That way you should stop scans of any media files MC opens.

I would not assume that excluding the MC folder stops it from scanning files opened by a process from inside that folder. The Process rules should be needed for that.
Logged
~ nevcairiel
~ Author of LAV Filters
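
The four rules from the post above, as an added PowerShell example (not part of the original thread and not JRiver's own tooling): it reports which of the exclusions already exist and adds the missing ones with the Defender cmdlets `Get-MpPreference` and `Add-MpPreference`. The function names are hypothetical, the install folder is the one named in this thread, the two executables are assumed to sit directly in it, and the AppData data directory has to be supplied because the thread does not give its path.

```powershell
# Added example: audit and, if asked, add the four exclusions listed above.
# Run in an elevated PowerShell session; without elevation Get-MpPreference
# does not show the current exclusion lists.

function Get-McExclusionStatus {
    param(
        [Parameter(Mandatory)][string]$InstallDir,   # e.g. the Program Files\JRiver folder
        [Parameter(Mandatory)][string]$DataDir       # MC data directory in AppData (not given in the thread)
    )
    # Rules 1 and 4 are "Folder" exclusions, rules 2 and 3 are "Process" exclusions.
    # Full paths are used for the processes so that only the binaries in this
    # folder match, not any executable that happens to share the name.
    $wanted = @(
        @{ Type = 'Folder';  Value = $InstallDir }
        @{ Type = 'Folder';  Value = $DataDir }
        @{ Type = 'Process'; Value = (Join-Path $InstallDir 'Media Center 26.exe') }  # assumed location
        @{ Type = 'Process'; Value = (Join-Path $InstallDir 'JRWorker.exe') }         # assumed location
    )
    $pref = Get-MpPreference
    foreach ($w in $wanted) {
        # The two exclusion types are stored in separate lists.
        $current = if ($w.Type -eq 'Folder') { $pref.ExclusionPath } else { $pref.ExclusionProcess }
        [pscustomobject]@{
            Type    = $w.Type
            Value   = $w.Value
            Exists  = Test-Path -LiteralPath $w.Value       # catches typos in the path
            Present = @($current) -contains $w.Value        # already excluded? (case-insensitive)
        }
    }
}

function Set-McExclusions {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$InstallDir,
        [Parameter(Mandatory)][string]$DataDir
    )
    foreach ($item in Get-McExclusionStatus -InstallDir $InstallDir -DataDir $DataDir) {
        if ($item.Present) { continue }
        if (-not $item.Exists) {
            # Do not exclude a path that is not there; fix the parameter instead.
            Write-Warning "Skipping '$($item.Value)': path not found."
            continue
        }
        if ($PSCmdlet.ShouldProcess($item.Value, "Add Defender $($item.Type) exclusion")) {
            if ($item.Type -eq 'Folder') {
                Add-MpPreference -ExclusionPath $item.Value
            } else {
                Add-MpPreference -ExclusionProcess $item.Value
            }
        }
    }
    # Report the resulting state so the change can be reviewed.
    Get-McExclusionStatus -InstallDir $InstallDir -DataDir $DataDir
}

# Dry run first (placeholder data directory, replace with the real one):
# Set-McExclusions -InstallDir 'C:\Program Files\JRiver' -DataDir '<MC data directory>' -WhatIf
```

Running with `-WhatIf` lists what would be added without changing anything; `Get-McExclusionStatus` on its own is a read-only audit.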

Awesome Donkey

  • Administrator
  • Citizen of the Universe
  • *****
  • Posts: 7395
  • The color of Spring...
Re: Antivirus Software
« Reply #19 on: March 05, 2020, 08:55:06 am »

I'd say the most likely place for slowdowns caused by real-time AV scanning (Windows Defender in this case) would be using something like Windows Explorer to view/navigate/manage your media files. If you use Windows Explorer to go through your media files a lot (and you experience a noticeable slowdown from the real-time scanning of media files), it's probably worth adding the exclusions for your media file directory/directories, because it's not exactly wise to add Windows Explorer itself to the exclusions.
Logged
I don't work for JRiver... I help keep the forums safe from Viagra and other sources of sketchy pharmaceuticals.

Windows 11 2023 Update (23H2) 64-bit + Ubuntu 24.04 LTS Noble Numbat 64-bit | Windows 11 2023 Update (23H2) 64-bit (Intel N305 Fanless NUC 16GB RAM/256GB NVMe SSD)
JRiver Media Center 32 (Windows + Linux) | iFi ZEN DAC 3 | Edifier R2000DB Bookshelf Speakers | Audio-Technica ATH-M50x Headphones

dtc

  • MC Beta Team
  • Citizen of the Universe
  • *****
  • Posts: 3019
Re: Antivirus Software
« Reply #20 on: March 05, 2020, 08:59:00 am »

What I would generally recommend is 4 rules:

- Exclude the main MC folder
- Exclude the main MC process (Media Center 26.exe)
- Exclude the JRWorker.exe process
- Exclude the MC data directory in AppData, where the library and plugins live

For the second and third step, it's important to actually get the process, and not the file. That way you should stop scans of any media files MC opens.

I would not assume that excluding the MC folder stops it from scanning files opened by a process from inside that folder. The Process rules should be needed for that.

As long as you exclude the main JRiver folder, you may not need to exclude the other items.  See my post above with the Microsoft documentation.
Logged

glynor

  • MC Beta Team
  • Citizen of the Universe
  • *****
  • Posts: 19608
Re: Antivirus Software
« Reply #21 on: March 05, 2020, 09:32:51 am »

What I would generally recommend is 4 rules:

- Exclude the main MC folder
- Exclude the main MC process (Media Center 26.exe)
- Exclude the JRWorker.exe process
- Exclude the MC data directory in AppData, where the library and plugins live

For the second and third step, it's important to actually get the process, and not the file. That way you should stop scans of any media files MC opens.

I would not assume that excluding the MC folder stops it from scanning files opened by a process from inside that folder. The Process rules should be needed for that.

This is exactly what I do.

And I do have my client machines all set to exclude my main Media Library folders, since the Server handles that. I've seen, in multiple instances, where this does help performance, though it seems to vary depending on the exact usage (and may have more to do with resource contention among all of the various processes that touch those files than MC itself). In any case, there's no need to ever "double-scan" these long-term stored files, so I exclude them.
Logged
"Some cultures are defined by their relationship to cheese."

Visit me on the Interweb Thingie: http://glynor.com/

glynor

  • MC Beta Team
  • Citizen of the Universe
  • *****
  • Posts: 19608
Re: Antivirus Software
« Reply #22 on: March 05, 2020, 09:44:55 am »

As long as you exclude the main JRiver folder, you may not need to exclude the other items.  See my post above with the Microsoft documentation.

When you exclude a folder containing executables, that is NOT the same as excluding the specific processes (which have to be done one at a time). The folder-based exclusion only impacts the specific contents of that folder and doesn't do the "and files opened by those processes" thing. Folder exclusions are for data files. Executables are handled separately.

That is very typical of how exclusion in AV software works.

Technically, you could avoid excluding the MC folders (AppData and Program Files) by making sure ALL of the various DLLs and EXEs in the install are all individually excluded, but that's more work to set up and maintain, and the way Hendrik explained works fine.
Logged
"Some cultures are defined by their relationship to cheese."

Visit me on the Interweb Thingie: http://glynor.com/

dtc

  • MC Beta Team
  • Citizen of the Universe
  • *****
  • Posts: 3019
Re: Antivirus Software
« Reply #23 on: March 05, 2020, 10:06:23 am »

When you exclude a folder containing executables, that is NOT the same as excluding the specific processes (which have to be done one at a time). The folder-based exclusion only impacts the specific contents of that folder and doesn't do the "and files opened by those processes" thing. Folder exclusions are for data files. Executables are handled separately.



From what I have seen, excluding a folder also excludes the executable under it. Are you saying you think that is not true?

"files opened by those processes" may not work if the executable is excluded by excluding the folder, but it would be nice to test that, as I pointed out above.
Logged

Hendrik

  • Administrator
  • Citizen of the Universe
  • *****
  • Posts: 10721
Re: Antivirus Software
« Reply #24 on: March 05, 2020, 10:11:20 am »


"files opened by those processes" may not work if the executable is excluded by excluding the folder, but it would be nice to test that, as I pointed out above.

That's exactly the part why I said to exclude the processes individually, since the documentation does not state that this is the case.
The folder rule specifically only states that files in that folder are skipped, it makes no mention of processes launched from files in those folders, and I would personally not expect this to be the case.
Logged
~ nevcairiel
~ Author of LAV Filters

dtc

  • MC Beta Team
  • Citizen of the Universe
  • *****
  • Posts: 3019
Re: Antivirus Software
« Reply #25 on: March 05, 2020, 10:21:55 am »

Microsoft documentation seems to say that an executable under a folder exclusion will also exclude files it opens.   This example has a \* in it. Not sure if that is necessary or not?  Previous discussions seemed to indicate that the \* was unnecessary.

Any file on the machine that is opened by any process under a specific folder   

Specifying "c:\test\sample\*" would exclude files opened by:

c:\test\sample\test.exe
c:\test\sample\test2.exe
c:\test\sample\utility.exe

https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus


I am just trying to get to the bottom of this issue.
Logged

Hendrik

  • Administrator
  • Citizen of the Universe
  • *****
  • Posts: 10721
Re: Antivirus Software
« Reply #26 on: March 05, 2020, 10:28:18 am »

You can add whole folders to the Process exclusion list, but it needs to be exactly that - a Type "Process" Exclusion. The "Folder" type exclusion does not affect processes. This distinction is important. Which is why I would recommend to have both.
Logged
~ nevcairiel
~ Author of LAV Filters

dtc

  • MC Beta Team
  • Citizen of the Universe
  • *****
  • Posts: 3019
Re: Antivirus Software
« Reply #27 on: March 05, 2020, 11:00:51 am »

So how would you implement the example they give, which creates an exclusion for c:\test\sample\* that also excludes files the process opens?
Logged

Hendrik

  • Administrator
  • Citizen of the Universe
  • *****
  • Posts: 10721
Re: Antivirus Software
« Reply #28 on: March 05, 2020, 11:17:31 am »

Select "Process" in the creation dropdown and type in the path with a wildcard. It accepts that fine.
Logged
~ nevcairiel
~ Author of LAV Filters

dtc

  • MC Beta Team
  • Citizen of the Universe
  • *****
  • Posts: 3019
Re: Antivirus Software
« Reply #29 on: March 05, 2020, 11:45:36 am »

Sorry - where? In Windows Defender?
Logged

JimH

  • Administrator
  • Citizen of the Universe
  • *****
  • Posts: 71442
  • Where did I put my teeth?
Re: Antivirus Software
« Reply #30 on: March 05, 2020, 11:54:52 am »

Yes
Logged

dtc

  • MC Beta Team
  • Citizen of the Universe
  • *****
  • Posts: 3019
Re: Antivirus Software
« Reply #31 on: March 05, 2020, 12:37:26 pm »

So selecting Process and entering c:\program files\JRiver\*  will exclude all the MC processes and all the files that those processes open. Correct?

If so, it seems like that should be the recommendation, rather than selecting Folder. Correct?
Logged

Hendrik

  • Administrator
  • Citizen of the Universe
  • *****
  • Posts: 10721
Re: Antivirus Software
« Reply #32 on: March 05, 2020, 01:38:00 pm »

So selecting Process and entering c:\program files\JRiver\*  will exclude all the MC processes and all the files that those processes open. Correct?

If so, it seems like that should be the recommendation, rather than selecting Folder. Correct?

I would recommend to do both.
Logged
~ nevcairiel
~ Author of LAV Filters

dtc

  • MC Beta Team
  • Citizen of the Universe
  • *****
  • Posts: 3019
Re: Antivirus Software
« Reply #33 on: March 05, 2020, 02:56:22 pm »

Is there anything that you think the folder exclusion does that is not already covered by the process exclusion? Or are you just being cautious?

Thanks for your insights.
Logged