4 Replies Latest reply on Sep 12, 2014 9:23 AM by SergeM

    Any reason to deactivate VSE (any AV) ?

    SergeM

      Hi everyone

      (this could be a poll if I knew how to create one)

       

      I am part of the security team in our company. We manage security, security audits, policies etc.

       

      Since I manage our ePO, I am quite often asked (requested, demanded) by sysadmins at remote locations to deactivate the antivirus on one or the other machine "in order to enable installation of some software".  The phrasing may vary, but ultimately it is usually because the software editor (or a consultant) indicates that "in some cases" the AV (epoch undefined, brand undefined, version unspecified) interfered with the installation, so as a precaution (??) software editors "recommend that any antivirus be deactivated or if necessary uninstalled" for the installation of (their) software...

       

      In my experience over the past 10+ years, I'd say I haven't had a situation where this was actually really necessary.  I have found it difficult having to fight (argue) with some colleagues, trying to convince them that it wasn't necessary and getting them to at least try to do the installation once without deactivating the AV.

       

      I'd like to know how you react to this?

      What is your company security policy regarding deactivation of the AV?

      Do you feel it is OK to deactivate the AV in order to allow installation of some (any) other software?

      Have you ever had a case where it was actually (really) necessary to do so?

       

      Any comments more than welcome.

      Serge

        • 1. Re: Any reason to deactivate VSE (any AV) ?
          llamamecomoquieras

          Hi there,

           

          I would not disable the AV to install any other 3rd-party software. You can create exclusions if you are 100% sure that the file is legitimate, or you can submit the files in case you have doubts about the file.

           

          Best regards,

           

          Jose Maria

          • 2. Re: Any reason to deactivate VSE (any AV) ?
            pierce

            Same as above, the answer here is 'install it and if it fails then come back to me'; you will never hear from most users again. Of course there will be 1 or 2, but then you will find you probably need exceptions to get it running properly anyway.

             

            Disabling AV is always a last resort action, and the users should hopefully understand that!

            • 3. Re: Any reason to deactivate VSE (any AV) ?
              ansarias

              Well, I completely agree with Jose. I faced the same issues from the server team, and in only 1 case did I disable the AV, during a WIN 2008 feature enable.

               

              Apart from that, you have to review the McAfee logs so you can create exclusions.

               

              And I have made a policy for the server team for such requests: get approval from the CISO or someone from the client side to do the installation activity without AV under a change process, so if something goes wrong you will be safe.

              • 4. Re: Any reason to deactivate VSE (any AV) ?
                SergeM

                ansarias wrote:

                 

                And I have made a policy for the server team for such requests: get approval from the CISO or someone from the client side to do the installation activity without AV under a change process, so if something goes wrong you will be safe.

                 

                Yep... except/expect when you are the CISO (or close enough)?

                OK, I am not exactly the CISO, but I'm the person in the team who deals with AV stuff...  So it's down to me to find diplomatic phrasing to explain this to people...

                 

                In my question, I guess I'm more trying to find out if there are "other opinions" (i.e. who'd disagree with me, that "disabling the AV is a no-no") and also trying to find out if someone has quotable sources (white paper, best practices, public policies) that'd help me add "power" to what I'm going to write to the "esteemed requester"...  (And I didn't want to send this on /. )

                 

                Thanks to everyone for your help & answers.

                Sergio