Solved: Re: CISSP Advice on windows 10 antivirus - Page 2

rslade · ‎06-20-2020

> Brijesh13 (Viewer II) posted a new reply in Tech Talk on 06-20-2020 02:17 AM in

> Hi, As per my suggestion, AV is only traditional way of fighting against new
> threat landscape. It was old way to find virus and malicious apps. But now trend
> is changing towards technology which can help not only detection and remediation
> but also can help in prevention method from such attack. I think CrowdStrike,
> Morphisec etc. are best now industry and they are next gen. way of detection and
> prevention method.

As an old (very old) malware researcher, I get really tired of these "AV is dead,"
"AV needs to be replaced by EPP," etc. type arguments. Most of them are based
on the "straw man" that antivirus technology was only ever simple, direct
signature scanning. That's not the case, and never was. There always have been a
wide variety of technologies under the AV banner, even if *you* never bought
any. There is activity monitoring, activity restricting, change detection,
heuristics, and many variations on the themes. (Well before signature scanning
took over as the major market, the two most widely used antivirals were activity
monitoring, one static, and one dynamic.) These "new" technologies are simply
the old standards, with new marketing pitches and buzzphrases.

======================
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
"If you do buy a computer, don't turn it on." - Richards' 2nd Law
"Robert Slade's Guide to Computer Viruses" 0-387-94663-2
"Viruses Revealed" 0-07-213090-3
"Software Forensics" 0-07-142804-6
"Dictionary of Information Security" Syngress 1-59749-115-2
============= for back issues:
[Base URL] site http://victoria.tc.ca/techrev/
CISSP refs: [Base URL]mnbksccd.htm
PC Security: [Base URL]mnvrrvsc.htm
Security Dict.: [Base URL]secgloss.htm
Security Educ.: [Base URL]comseced.htm
Book reviews: [Base URL]mnbk.htm
[Base URL]review.htm
Partial/recent: http://groups.yahoo.com/group/techbooks/
http://en.wikipedia.org/wiki/Robert_Slade
https://is.gd/RotlWB http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/

............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468

ericgeater · ‎06-22-2020

Rob, thanks for adding to the topic. I created the post because limited resources do not permit us to investigate a wide range of solutions, such as testing the conditional usefulness of Webroot versus Trend Micro versus Symantec Endpoint. We are functionally literate with SEP, but other AV vendors may do many more jobs than SEP, as you mentioned. We just happen to have no experience or concentration with those technologies or vendors. Time and money, money and time.

The same thing applies to our EDP/EPP, which was only recently introduced after an incident.

No matter what, our resources will still be finite at the end of the year. I have a scant few months to determine the ongoing value of our EDP/EPP or our SEP antivirus solution, and determine which one "walks the plank" when department spending says we must keep only one.

-----------
A claim is as good as its veracity.
linkedin[.]com/in/geater

rslade · ‎06-22-2020

> ericgeater (Contributor II) posted a new reply in Tech Talk on 06-22-2020 10:00

> Rob, thanks for adding to the topic. I created the post because limited
> resources do not permit us to investigate a wide range of solutions, such as
> testing the conditional usefulness of Webroot versus Trend Micro versus Symantec
> Endpoint. We are functionally literate with SEP, but other AV vendors may do
> many more jobs than SEP, as you mentioned. We just happen to have no experience
> or concentration with those technologies or vendors. Time and money, money and
> time. The same thing applies to our EDP/EPP, which was only recently
> introduced after an incident. No matter what, our resources will still be
> finite at the end of the year.

Well, as implied by my post (I hope), you can save a lot of money and time by
learning the underlying basics, and knowing the right questions to ask of the
vendor. (The sales guys won't know, of course, but, if you know the foundations,
somebody will say something that will give you a clue.)

====================== (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
It is by the goodness of God that in our country we have those
three unspeakably precious things: freedom of speech, freedom of
conscience, and the prudence never to practice either of them.
- Mark Twain (1835-1910), Following the Equator (1897)
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468

Steve-Wilme · ‎06-24-2020

And of course if you've a locked down build with limited use cases you could look at application whitelisting as an additional defence.

-----------------------------------------------------------
Steve Wilme CISSP-ISSAP, ISSMP MCIIS