
At least in the card processing space, one of the PCI requirements is "5.1 Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers)."

The phrase "commonly affected" is the place to make an argument here, but I'm sure people take the easy option of just running an antivirus.



Right, and that requirement loses all of its nuance when it lands on someone's checklist as "anti-virus software on PCs and servers".

When my company gets asked why we answer "no" to that question, my canned response is "because anti-virus software would almost certainly be the most exploitable vector on our systems".


Not all auditors will accept that answer. Mine sure don't.


In that case, the answer is "yes" and the definition of "industry-standard virus scanning software" becomes flexible enough to include a firewall?


Just run ClamAV


Many times a retailer will install a whitelisting solution as a "compensating control".



