IT guy here, if we gave developers the option to exclude whatever the hell they wanted from AV scanning it would just mean that we would end up with computers where the entire C: drive would be excluded.
No, can’t have that.
So what should a decent IT department do to give developers the access they need to do their job while maintaining a decent level of security?
Well, the least bad solution I have worked with was to have a non generic path that was excluded by policy.
Something like C:\Excluded
The directory was excluded from AV scan and allowed in policy, the user could put what they needed there and it would be fine.
So what should a decent IT department do to give developers the access they need to do their job while maintaining a decent level of security?
Give them a Linux machine?
This doesn’t remove security and compliance requirements for the business though. For our Linux endpoints we still deploy an AV on them and limit the user’s ability to add exclusions.
A machine that takes extra time and skills to manage?
You ever worked in an average corporate job? You’re missing out on so much
The IT guys barely know Windows, they’ve most likely never even heard of Ubuntu, could you imagine such a thing :|
Huh, weird. The IT guys I work with don’t just know Windows, when I joked about wanting a Linux instead they pointed out that we have software devs using Linux too. I’d need some reason to request it, but if I know the right people (and more particularly, what their favourite snacks are), I could probably get it approved.
(Doesn’t actually help me, given I’m stuck using proprietary tools that I couldn’t get to run with wine, but at least the option is there. And that’s a big corp.)
