Very good feedback, Kurt! Anyone else?

-----Original Message-----
From: Kurt Buff [mailto:[email protected]] 
Sent: Tuesday, November 15, 2011 2:37 PM
To: NT System Admin Issues
Subject: Re: Would you drop AV for Whitelisting / Application Control?

On Tue, Nov 15, 2011 at 11:18, Stu Sjouwerman <[email protected]> wrote:
>
> So I’m asking a bunch of questions here, because I’m looking at 
> writing this story from a few different angles. If the ratio of malware 
> to good code is 80 – 20 (which it is +/- at the moment), why not drop 
> AV altogether and lock down those workstations and only allow good code to 
> run? Saves budget.
>
> Your view? Input?
>
> Stu

Does it really save budget? I ask this though I'm thoroughly in favor of 
application whitelisting. [1]

The whitelist publisher should:

     o- Have a comprehensive set of known apps up front
     o- Make it easy for an administrator to add apps to the whitelist for some obscure program that's crucial
     o- Have a subscription mechanism to update their whitelist frequently
     o- Have a way for a subscriber to submit an executable for analysis to be included/excluded from the whitelist

Absent the above, the blacklisters probably have an advantage in terms of 
effort expended by the sysadmin, by virtue of the nearly hourly updates they 
publish.

Kurt

[1] I don't yet have experience with whitelisting. Given our relatively recent 
EA with MSFT, I plan to make some time to explore it by setting up AppLocker on 
a test OU and subjecting myself to the pain.

~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ 
<http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to [email protected]
with the body: unsubscribe ntsysadmin

