On Tue, Nov 15, 2011 at 11:18, Stu Sjouwerman <[email protected]> wrote:
>
> So I’m asking a bunch of questions here, because I’m looking at writing this
> story from a few different angles. If the ratio Malware to good code is 80 – 20
> (which it is +/- at the moment) why not drop AV altogether and lock down those
> workstations and only allow good code to run? Saves budget.
>
> Your view? Input?
>
> Stu

Does it really save budget? I ask this though I'm thoroughly in favor
of application whitelisting [1].

The whitelist publisher should:
o- Have a comprehensive set of known apps up front
o- Make it easy for an administrator to add apps to the whitelist
   for some obscure program that's crucial
o- Have a subscription mechanism to update their whitelist frequently
o- Have a way for a subscriber to submit an executable for
   analysis to be included/excluded from the whitelist

Absent the above, the blacklisters probably have an advantage in terms
of effort expended by the sysadmin, by virtue of the nearly hourly
updates they publish.

Kurt

[1] I don't yet have experience with whitelisting. Given our
relatively recent EA with MSFT, I plan to make some time to explore it
by setting up AppLocker on a test OU and subjecting myself to the
pain.