Educause Security Discussion
mailing list archives
Re: Bit9 - Trust Based Security - Feedback
From: Rich Graves <rgraves () CARLETON EDU>
Date: Tue, 16 Jul 2013 16:36:56 -0500
AppLocker is fine for limited functionality, steady-state machines. We use it for PCI SAQ C-VT workstations, for
example. It's a lot better than nothing, and probably better than antivirus IPS rules, for enforcing rules like "no
execution of unsigned binaries from temp directories."

The third-party products like Bit9 add manageability, user-friendly customizations, and most importantly, an
ever-changing feed of signatures for known-good binaries that Spaf was talking about. I was told some months ago that
MS-ISAC was looking to create their own signature feed, but I've not seen it happen. You can't reasonably roll out
AppLocker to the general population without it.