Very good feedback Kurt! Anyone else?

-----Original Message-----
From: Kurt Buff [mailto:[email protected]]
Sent: Tuesday, November 15, 2011 2:37 PM
To: NT System Admin Issues
Subject: Re: Would you drop AV for Whitelisting / Application Control?

On Tue, Nov 15, 2011 at 11:18, Stu Sjouwerman <[email protected]> wrote:
>
> So I’m asking a bunch of questions here, because I’m looking at
> writing this story from a few different angles. If the ratio Malware
> to good code is 80 – 20 (which it is +/- at the moment) why not drop
> AV all together and lock down those workstations and only allow good code to
> run? Saves budget.
>
> Your view? Input?
>
> Stu

Does it really save budget? I ask this though I'm thoroughly in favor of application whitelisting [1]

The whitelist publisher should
 - Have a comprehensive set of known apps up front
 - Make it easy for an administrator to add apps to the whitelist for some obscure program that's crucial
 - Have a subscription mechanism to update their whitelist frequently
 - Have a way for a subscriber to submit an executable for analysis to be included/excluded from the whitelist

Absent the above, the blacklisters probably have an advantage in terms of effort expended by the sysadmin, by virtue of the nearly hourly updates they publish.

Kurt

[1] I don't yet have experience with whitelisting. Given our relatively recent EA with MSFT, I plan to make some time to explore it by setting up AppLocker on a test OU and subjecting myself to the pain.

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
---
To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/
or send an email to [email protected] with the body: unsubscribe ntsysadmin
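One way to run the kind of AppLocker trial Kurt mentions in [1] without breaking anything: build a policy from a clean reference workstation, publish it to a test OU's GPO in audit-only mode, and later count what the whitelist would have stopped. This is an added example, not code from the thread or from any vendor; the GPO LDAP path and the reference directories are placeholders you would substitute.

```powershell
# Added example: AppLocker in AuditOnly mode on a test OU.
# Assumptions: run as an administrator on a clean reference workstation with
# RSAT/GPMC installed; $GpoLdapPath is a PLACEHOLDER for the test OU's GPO.
Import-Module AppLocker

$GpoLdapPath   = 'LDAP://dc.example.test/CN={PLACEHOLDER-GPO-GUID},CN=Policies,CN=System,DC=example,DC=test'
$ReferenceDirs = 'C:\Windows', 'C:\Program Files', 'C:\Program Files (x86)'

# Inventory executables, scripts and installers present on the known-good build.
$fileInfo = $ReferenceDirs | ForEach-Object {
    Get-AppLockerFileInformation -Directory $_ -Recurse -FileType Exe, Script, WindowsInstaller
}

# Publisher rules survive patching; hash rules cover unsigned files. -Optimize
# collapses rules so the resulting policy is reviewable by hand.
$policy = $fileInfo | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone `
    -Optimize -IgnoreMissingFileInformation

# Audit only: nothing is blocked, but every would-be block is logged.
foreach ($rc in $policy.RuleCollections) { $rc.EnforcementMode = 'AuditOnly' }

# Keep a copy for review/version control, then publish to the test GPO.
$policy.ToXml() | Out-File -Encoding UTF8 "$env:TEMP\AppLocker-audit.xml"
Set-AppLockerPolicy -PolicyObject $policy -Ldap $GpoLdapPath

# Later, on a workstation in the test OU: event 8003 = "allowed, but would have
# been blocked if enforced". Group by file path to size the admin effort of
# whitelisting the obscure-but-crucial programs Kurt's list worries about.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003 } |
    ForEach-Object { ([xml]$_.ToXml()).Event.UserData.RuleAndFileData.FilePath } |
    Group-Object | Sort-Object Count -Descending | Format-Table Count, Name -AutoSize
```

The same 8003 events are what a blacklist-style AV would never show you: the count of distinct paths is a direct measure of how much whitelist maintenance the "saves budget" argument has to absorb.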
