So I follow this video and run cry_waf.exe to setup the solution file.
But when cry_waf.exe download Brofiler.exe (CRYENGINE\Code\SDKs\Brofiler\Brofiler.exe), my Kaspersky Internet Security (KIS 17.0.0.611(j)) detects Brofiler.exe as virus (UDS:DangerousObject.Multi.Generic). I have to restart my PC and remove the file. I see that McAfee also did the same, could be false positive, but I don't wanna mess around with security system.

So Is there any other way I can setup CryEngine source without using cry_waf.exe. Can I just use CMake to run CryEngine's CMakeLists.txt?

Its a false positive. Its how Brofiler attempts to retrieve information that makes it stand out. Just add it to the exception list.

Nothing to worry about.

I don't know but what if Crytek (or Brofiler.exe's developer - Mr.Bommy) creates Code Signature to tell Anti-virus programs that this software is safe, then maybe this problem could be solved. But of course, contact the Anti-virus vendor is the best way, cause malware can also create Code Signature.