What I did in one environment was isolate the entire developer segment, because they made a stink about the mandatory AV, and insisted that they couldn't work if their systems were locked down like everyone else.
We allowed them to have control of their own scanning settings, but firewalled their entire segment from the rest of the network and deep-scanned their traffic. The security posture of the rest of the environment improved greatly, but more than half of the developers needed to have their laptops rebuilt due to constant rootkits. They finally relented when they couldn't win any argument about how unnecessary our approach to security was for them.

*ASB*
*http://XeeMe.com/AndrewBaker*
*Harnessing the Advantages of Technology for the SMB market…*

On Tue, Nov 15, 2011 at 2:57 PM, David Lum <[email protected]> wrote:
> I like the idea for many scenarios, developers would be one where it would
> be tough, but in the places I manage I bet it would work for 80% of the
> systems as a great many fire up just a few apps. For public access machines
> (library) this is largely what I do anyway, but for more than just malware
> concerns :-).
>
> The catch is developers usually need more speed than the rest so if you
> could go without AV on them it would be beneficial from their standpoint -
> they are historically (in my experience) the hardest to balance between
> security and performance.
>
> Dave
>
> -----Original Message-----
> From: Stu Sjouwerman [mailto:[email protected]]
> Sent: Tuesday, November 15, 2011 11:47 AM
> To: NT System Admin Issues
> Subject: RE: Would you drop AV for Whitelisting / Application Control?
>
> Very good feedback Kurt! Anyone else?
>
> -----Original Message-----
> From: Kurt Buff [mailto:[email protected]]
> Sent: Tuesday, November 15, 2011 2:37 PM
> To: NT System Admin Issues
> Subject: Re: Would you drop AV for Whitelisting / Application Control?
>
> On Tue, Nov 15, 2011 at 11:18, Stu Sjouwerman <[email protected]> wrote:
> >
> > So I'm asking a bunch of questions here, because I'm looking at
> > writing this story from a few different angles. If the ratio Malware
> > to good code is 80 – 20 (which it is +/- at the moment) why not drop
> > AV altogether and lock down those workstations and only allow good
> > code to run? Saves budget.
> >
> > Your view? Input?
> >
> > Stu
>
> Does it really save budget? I ask this though I'm thoroughly in favor of
> application whitelisting [1]
>
> The whitelist publisher should
>
> o- Have a comprehensive set of known apps up front
> o- Make it easy for an administrator to add apps to the whitelist for
>    some obscure program that's crucial
> o- Have a subscription mechanism to update their whitelist frequently
> o- Have a way for a subscriber to submit an executable for analysis to
>    be included/excluded from the whitelist
>
> Absent the above, the blacklisters probably have an advantage in terms of
> effort expended by the sysadmin, by virtue of the nearly hourly updates
> they publish.
>
> Kurt
>
> [1] I don't yet have experience with whitelisting. Given our relatively
> recent EA with MSFT, I plan to make some time to explore it by setting up
> AppLocker on a test OU and subjecting myself to the pain.
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
>
> ---
> To manage subscriptions click here:
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to [email protected]
> with the body: unsubscribe ntsysadmin
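Kurt's footnote talks about piloting AppLocker on a test OU. The following is an added example, written for this page and not posted by anyone on the thread, of how that pilot is usually scripted: inventory the executables on a clean reference build, generate publisher and hash rules from them, set the rule collection to audit-only so nothing is blocked yet, dry-run a file against the policy, publish it into the GPO linked to the test OU, and then read back the audit events that list what would have been blocked. The GPO LDAP path, the reference directories and the sample download path are assumptions; everything else is the stock AppLocker module.

```powershell
# Added example (not from the thread): pilot AppLocker in audit-only mode on a test OU.
# Needs the AppLocker module (Windows 7 Enterprise/Ultimate, Server 2008 R2 and later),
# run from an elevated PowerShell. The GPO LDAP path and file paths are placeholders.

Import-Module AppLocker

$policyPath = Join-Path $env:TEMP 'AppLocker-Pilot.xml'

# 1. Inventory executables on a clean reference build. Publisher rules cover signed
#    binaries and survive vendor updates; hash rules catch the unsigned remainder.
$files = @()
foreach ($dir in 'C:\Windows', 'C:\Program Files', 'C:\Program Files (x86)') {
    if (Test-Path -Path $dir) {
        $files += Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe
    }
}

# 2. Build the whitelist policy. -Optimize merges rules that share a publisher;
#    -IgnoreMissingFileInformation skips files whose signature/hash could not be read.
New-AppLockerPolicy -FileInformation $files -RuleType Publisher, Hash `
    -User Everyone -RuleNamePrefix Pilot -Optimize -IgnoreMissingFileInformation -Xml |
    Out-File -FilePath $policyPath -Encoding utf8

# 3. New-AppLockerPolicy emits EnforcementMode="NotConfigured"; flip every collection
#    to AuditOnly so the pilot logs decisions without blocking anything.
[xml]$policy = Get-Content -Path $policyPath -Raw
foreach ($collection in $policy.AppLockerPolicy.RuleCollection) {
    $collection.EnforcementMode = 'AuditOnly'
}
$policy.Save($policyPath)

# 4. Dry-run: would something that is not in the inventory be allowed?
#    (Hypothetical path; point this at a real file from a user's Downloads folder.)
Test-AppLockerPolicy -XmlPolicy $policyPath -Path 'C:\Users\dave\Downloads\setup.exe' -User Everyone |
    Format-Table -Property FilePath, PolicyDecision, MatchingRule -AutoSize

# 5. Publish into the GPO linked to the test OU. The LDAP path is a placeholder;
#    -Merge keeps rules already present in that GPO rather than replacing them.
$gpoLdap = 'LDAP://dc1.example.local/CN={AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE},CN=Policies,CN=System,DC=example,DC=local'
Set-AppLockerPolicy -XmlPolicy $policyPath -Ldap $gpoLdap -Merge

# 6. On each pilot machine the Application Identity service must be running or
#    AppLocker evaluates nothing. On newer Windows builds its startup type can only
#    be changed through Group Policy, so put that setting in the same GPO.
Start-Service -Name AppIDSvc -ErrorAction SilentlyContinue

# 7. After a few days of audit mode, collect the "would have been blocked" events
#    (ID 8003; 8004 once the collection is set to Enabled). The unique paths are the
#    apps that still need a rule before enforcement is switched on.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003 } -ErrorAction SilentlyContinue |
    ForEach-Object { ([xml]$_.ToXml()).Event.UserData.RuleAndFileData.FilePath } |
    Sort-Object -Unique
```

Step 7 is the part of the exercise that maps onto Kurt's "make it easy to add apps" requirement: in audit mode the cost of a gap in the whitelist is a log line, not a help-desk ticket, and the list it produces is exactly the set of rules an administrator has to author before enforcing. This example covers only the Exe collection; DLL, script and Windows Installer collections are separate, and the DLL collection in particular multiplies the inventory and the audit noise, so pilot it last.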
