Re: Linux Servers and Antivirus

[Kerry Havens <kerry.havens () COLORADO EDU>]

> From my ISA training last fall, the only control that cannot use a compensating control is external ASV scanning. So, 
> yes, you can compensate for A/V on a system using tools already mentioned.

-- 
Kerry Havens


> -----Original Message-----
> From: The EDUCAUSE Security Constituent Group Listserv
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Harry Hoffman
> Sent: Friday, June 22, 2012 12:41 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Linux Servers and Antivirus
>
> Hmm, I don't know about whether or not those requirements (5.1 and 5.2)
> allow for compensating controls.
>
> Let's ask a QSA, I expect no less then 3 answers ;-)
>
> On 06/22/2012 02:12 PM, Valdis Kletnieks wrote:
> > On Fri, 22 Jun 2012 13:11:21 -0400, Harry Hoffman said:
> > > PCI standards require A/V on servers that process transactions... it's
> > > more and more likely those servers are running a *nix variant.
> >
> > Does it *require* A/V, or is it "A/V or compensating controls"?