It meets NIST's requirements (NIST Special Publication 800-53 and associated) and is running on NIST approved and DCID 6/3 approved systems.
Tom

On Nov 8, 2012, at 10:17 AM, Royce Williams wrote:

> On Wed, Nov 7, 2012 at 4:01 PM, Kaushal Shriyan
> <kaushalshri...@gmail.com> wrote:
>> Is clamAV certified for PCI-DSS Compliance requirements?
>
> I'm relatively new to PCI, but as far as I can tell, almost everything
> in Requirement 5 of PCI-DSS 2.0 is about how you implement, monitor
> and manage your antivirus -- not the antivirus itself. So compliance
> would reside in the review of a specific program of antivirus use, not
> the software itself. The software can meet the logging, periodic
> scanning, and detection capabilities required -- as long as you have a
> policy that clarifies, enforces and "auditably" verifies and controls
> its proper use.
>
> 5.1.1 says:
>
>     For a sample of system components, verify that all anti-virus
>     programs detect, remove, and protect against all known types of
>     malicious software (for example, viruses, Trojans, worms,
>     spyware, adware, and rootkits)
>
> Since "all known types" varies over time, this would need to be
> periodically revalidated. If a PCI auditor hadn't heard of ClamAV,
> and was skeptical about ClamAV's applicability, it would be handy to
> have a list of recent and tricky malware, with info on how quickly
> ClamAV teams got them into the signature list, which might help clarify
> ClamAV's fitness to purpose.
>
> Royce
> _______________________________________________
> Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
> http://www.clamav.net/support/ml