kensei
Dec 27, 2007

He has come home, where he belongs. The Ancient Mariner returns to lead his first team to glory, forever and ever. Amen!


Dirt Road Junglist posted:

"This is still a problem! It's been a problem for months! Why isn't there a fix?"
"I asked you for logs. Did you get the logs for me yet?"
"No, that's too much work!"/[total ghosting]/"But why can't you do it for me?"/"JUST FIX IT"

The best part? The source of the problem is too many security agents. My recommendation? Consolidate and use fewer. Security's recommendation? LOL gently caress HER HEY ALSO DEPLOY THIS NEW AV CLIENT KTHX.

Wait your security department is actively deploying multiple A/V agents at the same time? Isn't that like terribad?


The Fool
Oct 16, 2003


As long as only one is doing real time protection, you can minimize some of the issues, but depending on the av clients involved you could actually be greatly increasing your threat profile in addition to destroying workstation performance.

Thanks Ants
May 21, 2004

#essereFerrari


Guess who found a SQL server with real time scanning of the database files turned on

“This server performs really badly and the CPU usage is always really high” uh yeah, no poo poo.
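An added example of the check behind this post, written for this edit and not code from the thread or any poster: a PowerShell script run on the SQL Server host that lists which database locations are still subject to Defender real-time scanning and adds the missing exclusions. The directories, extensions and process name are placeholders chosen for the example; the point is to make a narrow exclusion for the data files rather than turn real-time protection off.

```powershell
# Added example, not from the thread. Run elevated on the SQL Server host.
# Placeholder locations: replace with the instance's real data/log/backup directories.
$dataPaths  = @('D:\SQLData', 'E:\SQLLogs')
$extensions = @('mdf', 'ndf', 'ldf')
$processes  = @('sqlservr.exe')

$pref = Get-MpPreference

# Compare against what Defender already has. An empty exclusion list comes back as $null,
# and -notcontains against $null is simply true for every candidate.
$missingPaths = @($dataPaths  | Where-Object { $pref.ExclusionPath      -notcontains $_ })
$missingExts  = @($extensions | Where-Object { $pref.ExclusionExtension -notcontains $_ })
$missingProcs = @($processes  | Where-Object { $pref.ExclusionProcess   -notcontains $_ })

if ($missingPaths.Count -eq 0 -and $missingExts.Count -eq 0 -and $missingProcs.Count -eq 0) {
    Write-Host 'SQL data paths, extensions and process are already excluded from real-time scanning.'
} else {
    Write-Host "Adding path exclusions:      $($missingPaths -join ', ')"
    Write-Host "Adding extension exclusions: $($missingExts  -join ', ')"
    Write-Host "Adding process exclusions:   $($missingProcs -join ', ')"
    if ($missingPaths) { Add-MpPreference -ExclusionPath      $missingPaths }
    if ($missingExts)  { Add-MpPreference -ExclusionExtension $missingExts  }
    if ($missingProcs) { Add-MpPreference -ExclusionProcess   $missingProcs }
}

# The fix is a narrow exclusion, not switching scanning off: confirm real-time protection is still on.
$status = Get-MpComputerStatus
Write-Host "RealTimeProtectionEnabled: $($status.RealTimeProtectionEnabled)"
Write-Host "Exclusion paths now: $((Get-MpPreference).ExclusionPath -join '; ')"
```

Every exclusion is a directory the scanner no longer looks at, so keep it to the data and log directories themselves (never a whole drive), and treat changes to the exclusion list as something worth alerting on in whatever is collecting Defender events.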

iospace
Jan 19, 2038


kensei posted:

Wait your security department is actively deploying multiple A/V agents at the same time? Isn't that like terribad?

Isn't most A/V software actually worthless? Or at least at the home consumer level I've heard that, no clue on the business side of things.

fishmech
Jul 16, 2006

by VideoGames
Salad Prong

iospace posted:

Isn't most A/V software actually worthless? Or at least at the home consumer level I've heard that, no clue on the business side of things.

In comparison to the antivirus software built in/available from Microsoft for any version of Windows that's still running, yes, the other anti-virus packages are worthless when they're not actively dangerous.

At some business scales they can become useful in conjunction with other appliances and stuff (but usually businesses are not doing anything that needs that versus regular Defender).

Sheep
Jul 24, 2003

iospace posted:

Isn't most A/V software actually worthless? Or at least at the home consumer level I've heard that, no clue on the business side of things.

Most A/V software is actually dangerous, for example Symantec.

Ghostlight
Sep 25, 2009

maybe for one second you can pause; try to step into another person's perspective, and understand that a watermelon is cursing me



iospace posted:

Isn't most A/V software actually worthless? Or at least at the home consumer level I've heard that, no clue on the business side of things.

business av is basically security theatre. users will still happily run cryptolockers and click on urgent documents shared to them from yourboss@dropbx.com regardless. it's not installed to actually do anything more than the standard windows protection, it's there because if there's ever an incident the it team can point to it as an example of how they've already taken steps to try to prevent these incidents so please just fund basic computer security training for the users instead of another av solution.

Dirt Road Junglist
Oct 8, 2010

We will be cruel
And through our cruelty
They will know who we are

Yeah, it's all security theater. It's not entirely AV clients (I was being reductive), but we have a number of security clients that do specific things, like block un-whitelisted processes from running, or report back to a specific log aggregator if some sort of hinky poo poo happens. The problem is that we tried to replace one patching agent with another last fall, but the new one doesn't do everything the old one did, so we had to keep the old one. And the new one passed the RFI because it has the ability to do reporting and inventory, but it turns out those processes are stepping on the toes of other ones we're already using. There's also something like 3 other agents doing some kind of inventory/reporting/logging, and all of these things need specific dependencies whitelisted in every other agent's config. Oh, and there's Defender. Except on some machines, where we had to install a different process whitelisting daemon because the old one was causing problems for a specific dev team, but then we discovered that it reports to Windows that it's an AV client and Defender goes, "Big Gulps, huh? Welp, see ya later!" This was not intended behavior, and security is now having a meltdown because I told them about it. :v: I'm very popular at work.

Basically, I keep using the analogy that there's too many dicks on the dance floor, and they keep stepping on each other's feet. We can't make the dance floor bigger, and we can't stop the music, so we need to get some of those dicks to loving leave already. Either that or figure out how to keep them in their own spaces so they can't interact with the other dicks on the dancefloor, but so far I can't get them to listen, so let's get the bouncer to remove some.

AlternateAccount
Apr 25, 2005
FYGM

iospace posted:

Isn't most A/V software actually worthless? Or at least at the home consumer level I've heard that, no clue on the business side of things.

It's useless except for checking the box with your Internal Compliance/Auditors.

[√] Increased attack surface of all endpoints so that we can have a thing in the system tray that says Protected.

Schadenboner
Aug 15, 2011

by Shine

Thanks Ants posted:

Guess who found a SQL server with real time scanning of the database files turned on

“This server performs really badly and the CPU usage is always really high” uh yeah, no poo poo.

You should reply advising them that the correct way to say this is “this server performs really poorly” then set it “Pending Customer Response”, hth?

Digital_Jesus
Feb 10, 2011

Anything AV related that isn't windows defender is poo poo, and windows defender works fairly well for what it is honestly, especially when you're using it with a more advanced endpoint management suite like sccm.

That being said the only real way to have a noticeable impact (aside from not allowing people to actually use the computers) is to have a proper security suite with firewalls, AV, email & web filtering, application whitelisting, etc, and with ALL of that you are still going to get people who click on YOURPACKINGINVOICE.pdf.7zip.exe that finds a way to run out of the one folder you can prevent executables from running out of because it interferes with the CEO's mp3 player software from 2002. Or that one legacy program that nobody understands how it works or why we need it but it requires all users to be local admin. Or that software vendor for your ERP system that says "We don't support configurations where windows firewall is turned on".

IT security is smoke and mirrors. The only way to be protected in an online world is not to be online.

Schadenboner
Aug 15, 2011

by Shine

Digital_Jesus posted:

Anything AV related that isn't windows defender is poo poo, and windows defender works fairly well for what it is honestly, especially when you're using it with a more advanced endpoint management suite like sccm.

That being said the only real way to have a noticeable impact (aside from not allowing people to actually use the computers) is to have a proper security suite with firewalls, AV, email & web filtering, application whitelisting, etc, and with ALL of that you are still going to get people who click on YOURPACKINGINVOICE.pdf.7zip.exe that finds a way to run out of the one folder you can prevent executables from running out of because it interferes with the CEO's mp3 player software from 2002. Or that one legacy program that nobody understands how it works or why we need it but it requires all users to be local admin. Or that software vendor for your ERP system that says "We don't support configurations where windows firewall is turned on".

IT security is smoke and mirrors. The only way to be protected in an online world is not to be online.

Wish you would protect yourself in the online world (by not being online (so we wouldn’t have to read your posts (which, by not being online, you would be unable to make))).

SyNack Sassimov
May 4, 2006

Let the robot win.
            --Captain James T. Vader


Schadenboner posted:

Wish you would protect yourself in the online world (by not being online (so we wouldn’t have to read your posts (which, by not being online, you would be unable to make))).

Heh angry AV vendor employee spotted. What exactly was so awful about Digital_Jesus' post that you felt the need to respond like this? He's pretty much spot on.

Malachite_Dragon
Mar 31, 2010

Weaving Merry Christmas magic

Oh loving boy it's time for another AV/no-AV slapfight! :nallears:

Agrikk
Oct 17, 2003

Take care with that! We have not fully ascertained its function, and the ticking is accelerating.

A ticket came in as Urgent severity from deskside IT paging my whole team, my boss and his team and my manager stating “Hey Agrikk- we have a record of a machine that you say is a “workstation” that our software scans show is running Windows server 2016. Is this the case?”

Tee up the flood of responses by angry managers to the ticket saying “was it worth it to page all of us to ask Agrikk a [dumb] question?”

Digital_Jesus
Feb 10, 2011

Who's slapfighting? Everyone should have AV, just don't bother paying for more than MS already gives you and don't expect it to be a miraculous catch-all that makes you immune to infection?

Schadenboner
Aug 15, 2011

by Shine

Digital_Jesus posted:

Who's slapfighting? Everyone should have AV, just don't bother paying for more than MS already gives you and don't expect it to be a miraculous catch-all that makes you immune to infection?

Yeah, third party AV is complete poo poo. I’m legitimately unsure if it’s better/less bad to use third party AV or to “raw dog it” (as the kids say these days), both options being far inferior to using Defender which is real good and which everyone should use.

I just like nesting parentheses.

ponzicar
Mar 17, 2008
Is there any hard data about the goonsensus on AV software? I hear it in the thread a lot, but I'm not 100% convinced of it.

Also, I'm hoping that this round of the argument also gets heated enough for a round of angry custom titles to get bought. I find it hilarious how personal at least one person takes this subject.

Spudalicious
Dec 24, 2003

I <3 Alton Brown.
The real* value in most enterprise AV is being able to make sure everyone is running it, updating it, and notifying IT if it finds anything: if virus {notify people; possibly turn off network port/something like that}. If a virus runs, the damage is probably done and you need to have someone step in to do something by pretty much any security standard. But people like the sales gifts from Symantec since they get a nice box of chocolates every year for spending $40k on crap. Windows Defender/SCCM can accomplish all of this in pretty much the same fashion as SEP but for a lot less money - if you can't provide data showing the heuristic performance being objectively better and worth the expense, it's a no-brainer. Also possible is if you are an incompetent/overworked admin and can't be assed to go learn some monster like SCCM for endpoint protection and want the off-the-shelf solution. Like most easy fixes, you pay in other ways, like it deciding to gently caress over you on an update or costing a bunch of money.

*: to IT personnel. To management, the value is definitely checking a box for cyber security insurance or the like.

Recommendation: Windows Defender almost always, enterprise AV like Symantec Endpoint Protection sometimes, any consumer-grade AV never.

Woof Blitzer
Dec 29, 2012


Agrikk posted:

A ticket came in as Urgent severity from deskside IT paging my whole team, my boss and his team and my manager stating “Hey Agrikk- we have a record of a machine that you say is a “workstation” that our software scans show is running Windows server 2016. Is this the case?”

Tee up the flood of responses by angry managers to the ticket saying “was it worth it to page all of us to ask Agrikk a [dumb] question?”

People who do this should be flogged imo

Woof Blitzer
Dec 29, 2012

Oh sorry I forgot my dumb story: traveling to an out of state site for two days to do an emergency setup for ~70 people and they haven’t even finished doing the network pulls so everyone is using cellular internet lmao. Good jorb. 22 hours of work in two days!

Thanks Ants
May 21, 2004

#essereFerrari


I turned up to a new site today to rack a switch and a couple of routers and the cabinet was in pieces leaning against a wall, and we'd paid for a contractor to supply and install it, which was fun.

Arquinsiel
Jun 1, 2006

"There is no such thing as society. There are individual men and women, and there are families. And no government can do anything except through people, and people must look to themselves first."

God Bless Margaret Thatcher
God Bless England
RIP My Iron Lady

Digital_Jesus posted:

Anything AV related that isn't windows defender is poo poo, and windows defender works fairly well for what it is honestly, especially when you're using it with a more advanced endpoint management suite like sccm.

That being said the only real way to have a noticeable impact (aside from not allowing people to actually use the computers) is to have a proper security suite with firewalls, AV, email & web filtering, application whitelisting, etc, and with ALL of that you are still going to get people who click on YOURPACKINGINVOICE.pdf.7zip.exe that finds a way to run out of the one folder you can prevent executables from running out of because it interferes with the CEO's mp3 player software from 2002. Or that one legacy program that nobody understands how it works or why we need it but it requires all users to be local admin. Or that software vendor for your ERP system that says "We don't support configurations where windows firewall is turned on".

IT security is smoke and mirrors. The only way to be protected in an online world is not to be online.

I recently saw a case where users clicked on an email that made it through all the various filters and contained nothing but an image that looked like a PDF attachment that linked to a forms.office.com document. That document just said "Login to continue" and has username and password fields. Approximately one in eight users entered their details :negative:

The RCA had an amazing threaded diagram of how each different security control failed in the simplest ways. It was god-damned masterful.

Thanks Ants
May 21, 2004

#essereFerrari


We're seeing increasing numbers of those that are stored in legitimate SharePoint Online tenants of companies that have had accounts compromised. It's a minefield and it's not reasonable to expect a piece of software to be completely effective.

Arquinsiel
Jun 1, 2006

"There is no such thing as society. There are individual men and women, and there are families. And no government can do anything except through people, and people must look to themselves first."

God Bless Margaret Thatcher
God Bless England
RIP My Iron Lady

TBH having looked at this client's stuff for a few weeks now the amount of poo poo their various solutions catch is amazing. This one was just so simple and well crafted that it slipped through every crack like some evil version of Flappy Bird.

LethalGeek
Nov 4, 2009

The only way to secure the network is to keep the users off it, they can't be trusted.

PBS
Sep 21, 2015

LethalGeek posted:

The only way to secure the network is to keep the users off it, they can't be trusted.

This is a fairly common attitude in the industry and it doesn't help anyone.

Dirt Road Junglist
Oct 8, 2010

We will be cruel
And through our cruelty
They will know who we are

I mean, generally if someone does something noticeable, like download a blacklisted file or open a Red Team email, security is on the phone with that person within 15 minutes and will not let it go until they talk to you, you take your computer offline WHILE ON THE PHONE WITH THEM, and get it to someone to replace or reimage post-haste.

This was funny when I was doing some pen testing for one side of security, and the other side of security saw my computer go red in some system or another of theirs. I was on 3 tasks at the same time and wasn't bothering with my phone, so I was a bit startled when one of the NOC analysts slumped over and said, "Yo, Lance (my work nickname). What'd you gently caress up? They just called me and said they left like 8 voicemails to tell you to go to provisioning."

"What the gently caress for?"

"Dunno. But you need to reimage."

"They told me to go to provisioning?"

"Yep."

"Did you tell them I'm the source of the images provisioning uses?"

"No, I don't give a gently caress. Just, like...answer your phone, I have poo poo to do," and he left.

I had the most ADORABLE conversation with security when I finally did pick up. "Yes, I know how to reimage. Yes, I'm actually doing it right now. What? No, I can do it at my desk. Do you know who I am? No, really, check my profile...yes. Yes, that one. Yes, that's me. Yeah. I know, I built it. It's reimaged, can I go now?"

KennyTheFish
Jan 13, 2004

PBS posted:

This is a fairly common attitude in the industry and it doesn't help anyone.

It helps the booze salesfolk

mllaneza
Apr 28, 2007

Veteran, Bermuda Triangle Expeditionary Force, 1993-1952




Malachite_Dragon posted:

Oh loving boy it's time for another AV/no-AV slapfight! :nallears:

AV gives deskside management someone to blame while the techs re-image a shitload of systems.

PBS posted:

This is a fairly common attitude in the industry and it doesn't help anyone.

It's not wrong

:colbert:

Neddy Seagoon
Oct 12, 2012

"Hi Everybody!"

PBS posted:

This is a fairly common attitude in the industry and it doesn't help anyone.

The most vulnerable network element will always be the human one.

angry armadillo
Jul 26, 2010

A ticket came in, I didn't know what was wrong or why but now I've fixed it I've learnt something. Hurrah. That doesn't happen so much anymore I wanted to post about it :)

BlankSystemDaemon
Mar 13, 2009



Spudalicious posted:

The real value in Windows Defender is being able to make sure everyone is running it, updating it, and notifying IT if it finds anything
Recommendation: Windows Defender always

Fixed, as I'm pretty sure you can do all of what you're saying through PowerShell and Group Policies.
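As an added example of the point made here, and of Spudalicious' "make sure everyone is running it, updating it, and notifying IT if it finds anything" a few posts up (example code written for this edit, not from the thread or any poster): a PowerShell Remoting sweep that pulls Defender status and recent detections from a list of workstations and returns the ones that need a ticket. It assumes WinRM is enabled on the targets and the caller is a local administrator there; the computer names and thresholds are placeholders.

```powershell
# Added example, not from the thread. Assumes WinRM/PowerShell Remoting is enabled on the
# targets and the caller is a local administrator there. Computer names are placeholders.
$computers           = @('WS-PLACEHOLDER-01', 'WS-PLACEHOLDER-02', 'WS-PLACEHOLDER-03')
$maxSignatureAgeDays = 2
$lookbackDays        = 7

$report = Invoke-Command -ComputerName $computers -ErrorAction SilentlyContinue -ScriptBlock {
    $status = Get-MpComputerStatus
    $recent = @(Get-MpThreatDetection -ErrorAction SilentlyContinue |
                Where-Object { $_.InitialDetectionTime -gt (Get-Date).AddDays(-$using:lookbackDays) })
    $last   = $recent | Sort-Object InitialDetectionTime -Descending | Select-Object -First 1
    [pscustomobject]@{
        Computer         = $env:COMPUTERNAME
        EngineRunning    = $status.AMServiceEnabled
        RealTimeOn       = $status.RealTimeProtectionEnabled
        SignatureAgeDays = $status.AntivirusSignatureAge
        Detections       = $recent.Count
        LastDetection    = if ($last) { "$($last.InitialDetectionTime) $($last.Resources -join ';')" } else { '' }
    }
}

# Anything here is a ticket: engine off, real-time protection off, stale signatures, or a recent hit.
$problems = @($report | Where-Object {
    -not $_.EngineRunning -or -not $_.RealTimeOn -or
    $_.SignatureAgeDays -gt $maxSignatureAgeDays -or $_.Detections -gt 0
})

# Hosts that never answered are the ones to chase first: an agent you cannot query is not "protected".
$unreachable = @($computers | Where-Object { $_ -notin $report.PSComputerName })

"{0} of {1} hosts answered; {2} need attention; {3} unreachable" -f `
    @($report).Count, $computers.Count, $problems.Count, $unreachable.Count
$problems    | Format-Table Computer, EngineRunning, RealTimeOn, SignatureAgeDays, Detections, LastDetection -AutoSize
$unreachable | ForEach-Object { "unreachable: $_" }
```

If SCCM or Intune is already in place it reports the same fields centrally and this is only a cross-check; where it is not, `$problems` is the list to hand to whoever does the phone call and the reimage, and `$unreachable` is the list of machines whose "Protected" tray icon nobody can actually verify.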

Renegret
May 26, 2007

THANK YOU FOR CALLING HELP DOG, INC.

YOUR POSITION IN THE QUEUE IS *pbbbbbbbbbbbbbbbbt*


Cat Army Sworn Enemy

angry armadillo posted:

A ticket came in, I didn't know what was wrong or why but now I've fixed it I've learnt something. Hurrah. That doesn't happen so much anymore I wanted to post about it :)

congrats

LethalGeek
Nov 4, 2009

PBS posted:

This is a fairly common attitude in the industry and it doesn't help anyone.

mllaneza posted:

It's not wrong

:colbert:

Yeah I was being smart but as long as Dumbass McClueless human gets a login all the security in the world won't matter ultimately. It's all bandaids and hope.

Vvv edit: GF legit used Winamp right until Monday when win7 finally got upgraded to 10. I have a feeling she'll reinstall it fast once whatever default garbage pops up the first time she hits an MP3.

LethalGeek fucked around with this message at 17:39 on Apr 24, 2019

ChubbyThePhat
Dec 22, 2006

Who nico nico needs anyone else

Digital_Jesus posted:

[...] mp3 player software from 2002. [...]

I thought everyone still used WinAMP.

DONT TOUCH THE PC
Jul 15, 2001

You should try it, it's a real buzz.

I see most people use foobar2000 and AIMP when they don't use spotify.

Bigass Moth
Mar 6, 2004

I joined the #RXT REVOLUTION.
:boom:
he knows...

Neddy Seagoon posted:

The most vulnerable network element will always be the human one.

Finally validation for my ACL “allow any any” command :smug:

Renegret
May 26, 2007

THANK YOU FOR CALLING HELP DOG, INC.

YOUR POSITION IN THE QUEUE IS *pbbbbbbbbbbbbbbbbt*


Cat Army Sworn Enemy

Bigass Moth posted:

Finally validation for my ACL “allow any any” command :smug:

wait you mean this isn't standard practice?


hihifellow
Jun 17, 2005

seriously where the fuck did this genre come from

An emergency ticket came in, a client's only Citrix server powered off in the middle of the day and now nobody can work!

Boot it back up, check the event logs and find the shutdown event.

Started by the person who filled the ticket.

Who has domain admin on their domain.

:holy:
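An added example of the event-log check this post describes, written for this edit and not code from the thread: a PowerShell query that pulls the last week of shutdown-related System events from a host and separates deliberate shutdowns (event 1074 from User32, which records the requesting account and the process that asked) from unexpected ones (6008) and crash or power-loss reboots (Kernel-Power 41). The host name is a placeholder, and pulling the account out of the 1074 message text with a regex is my choice for the example rather than anything on the page.

```powershell
# Added example, not from the thread. Which account, and which process, shut this server down?
# 1074 (User32): deliberate shutdown/restart; names the account and the process that requested it.
# 6008 (EventLog): the previous shutdown was unexpected.
# 41 (Kernel-Power): the machine rebooted without a clean shutdown (crash or power loss).
param(
    [string]$Computer = 'SRV-PLACEHOLDER-01',   # placeholder host name
    [int]$Days = 7
)

$filter = @{ LogName = 'System'; Id = 1074, 6008, 41; StartTime = (Get-Date).AddDays(-$Days) }
$events = @(Get-WinEvent -ComputerName $Computer -FilterHashtable $filter -ErrorAction SilentlyContinue)

if ($events.Count -eq 0) { "No shutdown-related events on $Computer in the last $Days days."; return }

$events | ForEach-Object {
    $e = $_
    $account = $null
    # The 1074 message reads "... on behalf of user DOMAIN\name for the following reason: ...";
    # its first substituted property (%1) is the process that made the request.
    if ($e.Id -eq 1074 -and $e.Message -match 'on behalf of user (\S+)') { $account = $Matches[1] }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Id      = $e.Id
        Kind    = switch ($e.Id) { 1074 { 'deliberate' } 6008 { 'unexpected' } 41 { 'crash/power loss' } }
        Account = $account
        Sid     = $e.UserId
        Process = if ($e.Id -eq 1074) { $e.Properties[0].Value } else { $null }
    }
} | Sort-Object Time -Descending | Format-Table -AutoSize
```

The SID on the event and the account named in the message come from different places, so a mismatch is itself worth a look. The finding that matters for the ticket is the one this post ends on: not that the server was shut down, but that the account which did it holds rights it has no business holding on that box.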
