IT guy here, if we gave developers the option to exclude whatever the hell they wanted from AV scanning it would just mean that we would end up with computers where the entire C: drive would be excluded.
No, can’t have that.
So what should a decent IT department do to give developers the access they need to do their job while maintaining a decent level of security?
Well, the least bad solution I have worked with was to have a non generic path that was excluded by policy.
Something like C:\Excluded
The directory was excluded from AV scan and allowed in policy, the user could put what they needed there and it would be fine.
At our place it’s the IT guys trying to tell us to exclude the entire Downloads folder. One of our devs had to put her foot down and say no, we’d do something more sensible/limited instead!
This doesn’t remove security and compliance requirements for the business though. For our Linux endpoints we still deploy an AV on them and limit the user’s ability to add exclusions.
You need a Linux machine in a separate network with separate firewall rules and the developer has to devote a bit of their time to managing that machine.
It can even be centrally managed, if you have the capacity.
But why would you want that? To secure your shit while allowing the devs to to what they like to their equipment.
Some chucklefuck over a decade ago caved to the “need” for a public shared drive. I can see the argument for things like HR policy documents and such. But they didn’t just give all users read access. Oh no, everyone got full read write. No fucking governance model, no process to check that PII wasn’t being stored there by people too lazy to follow proper procedure.
Thankfully that horror has been thoroughly killed, and MS Teams makes it so easy for people to spin up collab spaces and file storage that there’s no use case anymore.
IT guy here, if we gave developers the option to exclude whatever the hell they wanted from AV scanning it would just mean that we would end up with computers where the entire C: drive would be excluded.
No, can’t have that.
So what should a decent IT department do to give developers the access they need to do their job while maintaining a decent level of security?
Well, the least bad solution I have worked with was to have a non generic path that was excluded by policy.
Something like C:\Excluded
The directory was excluded from AV scan and allowed in policy, the user could put what they needed there and it would be fine.
At our place it’s the IT guys trying to tell us to exclude the entire Downloads folder. One of our devs had to put her foot down and say no, we’d do something more sensible/limited instead!
That deserves a slap
Give them a Linux machine?
This doesn’t remove security and compliance requirements for the business though. For our Linux endpoints we still deploy an AV on them and limit the user’s ability to add exclusions.
You ever worked in an average corporate job? You’re missing out on so much
The IT guys barely know Windows, they’ve most likely never even heard of Ubuntu, could you imagine such a thing :|
A machine that takes extra time and skills to manage?
As someone who does exactly that right now. Yes.
You need a Linux machine in a separate network with separate firewall rules and the developer has to devote a bit of their time to managing that machine.
It can even be centrally managed, if you have the capacity.
But why would you want that? To secure your shit while allowing the devs to to what they like to their equipment.
Your user base must be better than mine.
Some chucklefuck over a decade ago caved to the “need” for a public shared drive. I can see the argument for things like HR policy documents and such. But they didn’t just give all users read access. Oh no, everyone got full read write. No fucking governance model, no process to check that PII wasn’t being stored there by people too lazy to follow proper procedure.
Thankfully that horror has been thoroughly killed, and MS Teams makes it so easy for people to spin up collab spaces and file storage that there’s no use case anymore.