20060313

How NOT to do it

The recent problems with McAfee antivirus (a DAT release identified genuine executables as malware) got me thinking about my approach to file protection. Previously, I've always set the default action on finding a compromised file to be 'delete', on the basis that anything mistakenly destroyed can be recovered later. However, the scope of this problem, and the panic reaction of some people in running full scans on the basis of a single false positive (and hence deleting even more files), has made me rethink this.

I've now switched to a default action of 'quarantine', possibly meaning more work in keeping the quarantine server clean, but definitely avoiding the issues of losing files forever when this kind of thing happens again. And it will - maybe not for a while, but the tendency to be safe rather than sorry will inevitably mean someone, somewhere will make a rash decision and either release or run something that they shouldn't.
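To make the recoverability argument concrete, here is an added illustration of the quarantine-rather-than-delete approach. It is not McAfee's code or the author's, and every path, detection name and signature version in it is a constructed placeholder. Each quarantined file is stored under its content hash alongside a small JSON sidecar recording its original location and the signature release that flagged it, so that when a release is later recalled as a false positive, everything it quarantined can be verified and put back; a deleted file offers no such path.

```python
"""Quarantine store with restore-by-signature-release (added example, not product code)."""
import hashlib
import json
import shutil
import tempfile
import time
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def quarantine(path: Path, store: Path, detection: str, signature_version: str) -> Path:
    """Move `path` into `store`, keyed by content hash, with a JSON sidecar.

    The sidecar records the original location, the hash, the detection name and
    the signature (DAT) version, so a bad release can later be identified and undone.
    """
    store.mkdir(parents=True, exist_ok=True)
    digest = sha256_of(path)
    dest = store / digest
    meta = store / (digest + ".json")
    shutil.move(str(path), str(dest))
    meta.write_text(json.dumps({
        "original_path": str(path),
        "sha256": digest,
        "detection": detection,
        "signature_version": signature_version,
        "quarantined_at": time.time(),
    }))
    return dest


def restore_by_signature(store: Path, bad_signature_version: str) -> list:
    """Put back every file quarantined by one signature release.

    Verifies the stored content still matches the recorded hash before restoring;
    anything that fails the check stays in the store for manual review.
    Returns the list of restored original paths.
    """
    restored = []
    for meta in list(store.glob("*.json")):  # materialise first; we delete as we go
        info = json.loads(meta.read_text())
        if info["signature_version"] != bad_signature_version:
            continue
        body = store / info["sha256"]
        if not body.exists() or sha256_of(body) != info["sha256"]:
            continue  # corrupted or tampered in the store; leave for review
        original = Path(info["original_path"])
        original.parent.mkdir(parents=True, exist_ok=True)
        shutil.move(str(body), str(original))
        meta.unlink()
        restored.append(str(original))
    return restored


def demo() -> tuple:
    """Constructed scenario: a genuine program is flagged by a bad signature
    release, quarantined, then restored intact once that release is recalled.
    Returns (was_removed, restored_paths, content_unchanged)."""
    root = Path(tempfile.mkdtemp())
    prog = root / "bin" / "genuine.exe"          # constructed path
    prog.parent.mkdir()
    prog.write_bytes(b"MZ constructed genuine program bytes")
    before = sha256_of(prog)
    store = root / "quarantine"
    quarantine(prog, store, "Constructed/FalsePositive", "DAT-PLACEHOLDER")
    was_removed = not prog.exists()
    restored = restore_by_signature(store, "DAT-PLACEHOLDER")
    content_unchanged = prog.exists() and sha256_of(prog) == before
    return was_removed, restored, content_unchanged


if __name__ == "__main__":
    print(demo())
```

The point of the hash check on restore is that a quarantine store is itself an attractive place to tamper with; only content that still matches what was recorded at quarantine time goes back onto the machine, and the rest is left for a person to look at.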
