Isn't the requirement that you "use and regularly update anti-virus software"?
I don't think the requirement is that you install AV and perform realtime virus scanning. As such, by installing it, updating it regularly, and enabling it only during software updates/installation should let you check the box off and still sleep well at night. Of course, with all things PCI-DSS related, the ultimate goal is that you never, ever experience a breach. The practicality of AV software contributing to that goal varies by system, and the fact that you're asking the question rather than checking the box and ignoring the implications means that you're already on the right track. The biggest problem with the PCI spec is how much cheaper it is to pass the tests than to meet 100% of the requirements-as-written. On Mar 1, 2010, at 5:09 PM, Justin Ellison wrote: > We were recently informed that even though it's borderline impossible for our > Solaris and Linux servers to become infected with a virus (trojan maybe, but > not many "virus" scanners look for those anyway), in order to satisfy PCI-DSS > we have to do it. > > I'm very concerned about the possible impact a virus scanner might have on > our application servers, and I'm downright scared to death about what that > would do to Oracle's performance/reliability. I'm guessing that there's got > to be a way around this, either via an appliance, or a loophole somewhere. > Anyone have any tips on how I can check the box without lying and not > sacrifice performance? > > Justin > _______________________________________________ > Tech mailing list > [email protected] > http://lopsa.org/cgi-bin/mailman/listinfo/tech > This list provided by the League of Professional System Administrators > http://lopsa.org/ _______________________________________________ Tech mailing list [email protected] http://lopsa.org/cgi-bin/mailman/listinfo/tech This list provided by the League of Professional System Administrators http://lopsa.org/
