On Wed, Nov 7, 2012 at 4:01 PM, Kaushal Shriyan <kaushalshri...@gmail.com> wrote:
> Is clamAV certified for PCI-DSS Compliance requirements?
I'm relatively new to PCI, but as far as I can tell, almost everything in Requirement 5 of PCI-DSS 2.0 is about how you implement, monitor and manage your antivirus -- not the antivirus itself. So compliance would reside in the review of a specific program of antivirus use, not the software itself. The software can meet the logging, periodic scanning, and detection capabilities required -- as long as you have a policy that clarifies, enforces and "auditably" verifies and controls its proper use.

5.1.1 says:

For a sample of system components, verify that all anti-virus programs detect, remove, and protect against all known types of malicious software (for example, viruses, Trojans, worms, spyware, adware, and rootkits)

Since "all known types" varies over time, this would need to be periodically revalidated.

If a PCI auditor hadn't heard of ClamAV, and was skeptical about ClamAV's applicability, it would be handy to have a list of recent and tricky malware, with info on how quickly ClamAV teams got them into the signature list; that might help clarify ClamAV's fitness for purpose.

Royce

_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
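One way to turn the "auditably verifies" part of such an antivirus program into a concrete check, as an added example that is not from this thread or from the ClamAV project: a Python routine that parses the summary block clamscan prints at the end of a run and flags the conditions an assessor would ask about (scan ran recently, signatures are current, something was actually scanned, any detections were followed up). The sample summary, the weekly-scan and daily-update thresholds, and the timestamps are constructed assumptions for this example.

```python
import re
from datetime import timedelta

# Constructed sample of the summary block clamscan prints after a run;
# the counts and engine version are made up for this example.
SAMPLE_SUMMARY = """\
----------- SCAN SUMMARY -----------
Known viruses: 1492350
Engine version: 0.97.6
Scanned directories: 120
Scanned files: 4532
Infected files: 1
Data scanned: 845.12 MB
Time: 312.544 sec (5 m 12 s)
"""

# Summary labels we care about, mapped to dict keys.
_INT_FIELDS = {
    "Known viruses": "known_viruses",
    "Scanned directories": "scanned_dirs",
    "Scanned files": "scanned_files",
    "Infected files": "infected_files",
}


def parse_scan_summary(text):
    """Turn the clamscan summary block into integers plus the engine version."""
    summary = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z ]+):\s*(.+)$", line)
        if not m:
            continue  # separator lines and anything unlabelled are skipped
        label, value = m.group(1).strip(), m.group(2).strip()
        if label in _INT_FIELDS:
            summary[_INT_FIELDS[label]] = int(value)
        elif label == "Engine version":
            summary["engine_version"] = value
    return summary


def audit_findings(summary, scan_finished, db_updated, now,
                   max_scan_age=timedelta(days=7), max_db_age=timedelta(days=1)):
    """Return a list of findings; an empty list means the scan record is acceptable evidence.

    scan_finished: when the scan completed (from the scan log's timestamp).
    db_updated: when signatures were last refreshed (e.g. mtime of daily.cvd).
    The age thresholds are policy choices assumed here, not PCI-mandated values.
    """
    findings = []
    for key in ("scanned_files", "infected_files", "known_viruses"):
        if key not in summary:
            findings.append(f"summary is missing '{key}'; scan log may be truncated")
    if summary.get("scanned_files", 0) == 0:
        findings.append("scan covered zero files; check scan target and permissions")
    if summary.get("infected_files", 0) > 0:
        findings.append(f"{summary['infected_files']} infected file(s); needs incident follow-up")
    if now - scan_finished > max_scan_age:
        findings.append(f"last scan is older than {max_scan_age.days} days")
    if now - db_updated > max_db_age:
        findings.append(f"signature database is older than {max_db_age.days} day(s)")
    return findings
```

Run it from cron after each scheduled scan and keep both the clamscan log and the findings list; together they are the periodic, reviewable evidence the reply above describes.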