I like the idea for many scenarios; developers would be one where it would be 
tough, but in the places I manage I bet it would work for 80% of the systems, as 
a great many fire up just a few apps. For public access machines (library) this 
is largely what I do anyway, but for more than just malware concerns :-).

The catch is developers usually need more speed than the rest, so if you could 
go without AV on them it would be beneficial from their standpoint - they are 
historically (in my experience) the hardest to balance between security and 
performance.

Dave

-----Original Message-----
From: Stu Sjouwerman [mailto:[email protected]] 
Sent: Tuesday, November 15, 2011 11:47 AM
To: NT System Admin Issues
Subject: RE: Would you drop AV for Whitelisting / Application Control?

Very good feedback Kurt! Anyone else ?

-----Original Message-----
From: Kurt Buff [mailto:[email protected]]
Sent: Tuesday, November 15, 2011 2:37 PM
To: NT System Admin Issues
Subject: Re: Would you drop AV for Whitelisting / Application Control?

On Tue, Nov 15, 2011 at 11:18, Stu Sjouwerman <[email protected]> wrote:
>
> So I'm asking a bunch of questions here, because I'm looking at 
> writing this story from a few different angles. If the ratio of malware 
> to good code is 80 - 20 (which it is, +/-, at the moment), why not drop 
> AV altogether and lock down those workstations and only allow good code to 
> run? Saves budget.
>
> Your view? Input?
>
> Stu

Does it really save budget? I ask this though I'm thoroughly in favor of 
application whitelisting [1].

The whitelist publisher should:

  - Have a comprehensive set of known apps up front
  - Make it easy for an administrator to add apps to the whitelist for some 
    obscure program that's crucial
  - Have a subscription mechanism to update their whitelist frequently
  - Have a way for a subscriber to submit an executable for analysis to be 
    included in/excluded from the whitelist

Absent the above, the blacklisters probably have an advantage in terms of 
effort expended by the sysadmin, by virtue of the nearly hourly updates they 
publish.

Kurt

[1] I don't yet have experience with whitelisting. Given our relatively recent 
EA with MSFT, I plan to make some time to explore it by setting up AppLocker on 
a test OU and subjecting myself to the pain.

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to [email protected]
with the body: unsubscribe ntsysadmin

