Date: Sun, 29 Jul 2012 23:35:57 +0700
From: Victor Sudakov <vas@mpeks.tomsk.su>
To: freebsd-questions@freebsd.org
Subject: Re: On-access AV scanning
Message-ID: <20120729163557.GA23103@admin.sibptus.tomsk.ru>
In-Reply-To: <20120727204732.c143bc3d.freebsd@edvax.de>
References: <20120727104308.GA4834@catflap.slightlystrange.org> <op.wh393aps34t2sn@tech304> <20120727204732.c143bc3d.freebsd@edvax.de>

Polytropon wrote:

> Surely it would be better for the company that has _admitted_
> to have had more than one significant infection to do the
> simplest, most stupid and absolutely basic tasks:

Sorry for the offtopic, but from my experience, the risk of virus
infection on can be greatly reduced by two simple steps:

1. Users should not have administrative privileges on their systems.

2. A software restriction policy (SRP) should be configured which
allows the execution of files only from the %windir% and "Program Files".

Such a SRP is the Windows equivalent of "mount -o noexec" only it is
more versatile.

As a user without administrative privileges has no possibility to put
files into the %windir% and "Program Files", and no code can run from
other places such as flash drives and browser downloads, these two
measures combined are very effective.

With these two simple measures, I was able to prevent virus infection
on Windows hosts with a very high risk (such as public computers in a
summer children's camp).

-- 
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
sip:sudakov@sibptus.tomsk.ru
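
The two measures above depend on ordinary users being unable to write anywhere under the allowed locations. The following audit of that premise is an added example, not part of the original message. It assumes the listed well-known SIDs cover the non-administrative users on the host, and it inspects Allow entries only (Deny entries are not evaluated).

```powershell
# Added example: verify the premise of a path-based SRP allowlist by listing
# directories under the allowed roots that non-administrative users can write to.

$roots = @($env:windir, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ -and (Test-Path -LiteralPath $_) }

# Assumption: ordinary users are covered by these well-known SIDs.
$userSids = @(
    'S-1-1-0',       # Everyone
    'S-1-5-11',      # Authenticated Users
    'S-1-5-32-545',  # BUILTIN\Users
    'S-1-5-4'        # INTERACTIVE
)

# Rights that allow creating files in a directory. Modify and FullControl
# include these bits; the generic mask covers GENERIC_WRITE and GENERIC_ALL.
$createMask  = [int][System.Security.AccessControl.FileSystemRights]'CreateFiles, AppendData'
$genericMask = 0x50000000
$inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
$sidType     = [System.Security.Principal.SecurityIdentifier]

$findings = foreach ($root in $roots) {
    $dirs = @(Get-Item -LiteralPath $root) +
            @(Get-ChildItem -LiteralPath $root -Directory -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($dir in $dirs) {
        try   { $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction Stop }
        catch { continue }   # ACL not readable with current rights: skip
        foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
            $rights = [int]$rule.FileSystemRights
            if ($rule.AccessControlType -eq 'Allow' -and
                $userSids -contains $rule.IdentityReference.Value -and
                -not ($rule.PropagationFlags -band $inheritOnly) -and
                ($rights -band ($createMask -bor $genericMask))) {
                [pscustomobject]@{
                    Path   = $dir.FullName
                    Sid    = $rule.IdentityReference.Value
                    Rights = $rule.FileSystemRights
                }
            }
        }
    }
}

$findings | Sort-Object Path, Sid -Unique | Format-Table -AutoSize
```

Run it from an elevated prompt so that all ACLs are readable. Each directory it reports is a place where the allowlist would still let a user-placed file execute, so it needs its ACL tightened or an explicit Disallowed path rule.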