Recommended Antivirus settings for enterprise environment

bearzooka
Contributor

So, we have an enterprise antivirus solution and it's all managed on its own console and we only need to make sure it's deployed and that's enough… In theory.

I recently had a look at the so-called "Trusted Zones" on the console and it turns out that it's been whitelisting a lot of locations that in my mind sound like potential areas to be protected:

  • /Library
  • /private
  • /Users/Shared
  • /etc
  • /Applications
  • ~/Library

and a long etc. that makes me think that we're actually not even using the product.

What's your opinion? Any recommended set of locations that should actually be scanned?

Thanks.

2 REPLIES 2

leonwun
Contributor

This is not directly an answer to your question but enterprise solutions often come with a great support. We had support agents that asked what we were doing and with some information they helped us with whitelisting and trusting.

Besides that I can only recommend not having any trusted zones in the beginning, and then only reacting to problems your users have with whitelisting.

mlizbeth
Contributor II

In my opinion, you should never trust the user to be safe. I personally would not add trusted zones at all.
Most Mac malware works off LaunchAgents located in ~/Library/LaunchAgents. And Applications? At that point, is the AV even worth the money your organization is paying? Malware shouldn't be able to, or at least have a difficult time touching /System on devices with SIP. Once Catalina comes out the System Partition will be read only. So based on these trusted zones, it looks like your AV is only really scanning /System