Question

PCI DSS Requirement 10.7

  • 26 February 2019
  • 11 replies
  • 858 views

Userlevel 1
Badge +2
Hi,

We are in the middle of a PCI compliance audit and I have been asked to answer this question:

"Are all anti-virus mechanisms generating audit logs, and are logs retained in accordance with PCI DSS Requirement 10.7"

Does anyone know how to address this when Webroot is being used?


Badge +1
Hey Maddog78,

I have just been through a similar process myself.

Webroot cannot do this by itself from what I understand. There is no native way for the agent to forward the logs to a log server or WR portal for centralised storage.

I can see in the WR portal that I can look back on audit events and alerts as far as 90 days but that is it.

I'm looking at Carbon Black Defense as an alternative, as they claim to be compliant against PCI DSS req. 5 (including sub-requirement 10.7).
Userlevel 7
Hi,

We are in the middle of a PCI compliance audit and I have been asked to answer this question

"Are all anti-virus mechanisms generating audit logs, and are logs retained in accordance with PCI DSS Requirement 10.7"

Does anyone know how to address this when Webroot is being used?

Sorry about this post being overlooked. I don't know the answer to this so I will ping our Forum Administrator @LLiddell for her knowledge on this question.

HTH,
Dave.
Userlevel 7
Badge +36
Please click here to view our Compliance FAQ page for more information related to your request.

Should you have any additional questions that are not addressed in the Compliance FAQ, simply click on the link at the bottom of the FAQ page so that we may collect more information from you regarding your specific questions and a member of the Webroot team will get in touch with you as quickly as possible.
Badge +1

Please click here to view our Compliance FAQ page for more information related to your request.

Should you have any additional questions that are not addressed in the Compliance FAQ, simply click on the link at the bottom of the FAQ page so that we may collect more information from you regarding your specific questions and a member of the Webroot team will get in touch with you as quickly as possible.

Be warned that this answer DOES NOT address the question at all and is very deceptive. The link provided deals with compliance of Webroot as a company, NOT the compliance of the program/agent itself for companies looking to become PCI compliant. Webroot (the company) IS PCI compliant via self assessment. However, this does not answer the question as to whether the Webroot agent fulfills the requirements of PCI DSS. (E.g. PCI DSS requires that audit logs be retained for at least 1 year, with a minimum of 3 months immediately available for analysis.) PCI DSS 10.7 is the only part of PCI DSS, that I’m aware of, that may or may not be compliant, depending on whether Webroot has added the ability to store audit logs for longer than 30 or 90 days. If Webroot will store that data for at least a year, it’s probably PCI compliant. The last time I used Webroot in a corporate setting, around 5 years ago, I do not believe it had that ability. Hopefully, they have made that change.

Userlevel 4
Badge +14

Hi:

I am the CSO of a company that is looking for a PCI DSS compliant AntiVirus/AntiMalware program.

As RRayel wrote, the compliance of the Webroot company and website has nothing to do with the Endpoint product that is sold.

Any update on this issue?

It is interesting to note that Webroot talks a lot about PCI compliance, but does not say if their product retains logs for 1 year or is able to forward logs to a log server, which would be even better over a secure connection.

Any more on this?

If it does, you have a sale, as I use this product in other companies and personally.

Userlevel 4
Badge +14

I did as LLiddell suggested: I looked at the Compliance FAQ page and then requested information, sent on 11/25.

I have yet to obtain a response.

Basically, does this mean that Webroot is not going to take a stand on PCI DSS compliance?

I’d like to have them respond yea or nay, or, if they are currently working on a solution, is this in beta?

I love the product, but am not able to recommend it at this point as I am not able to defend the product in an audit. It does not allow me to centralize the events/logs.

It would be best if the Web Console were able to forward events to a centralized log manager, but being able to collect client logs would also be OK.

David

CSO

Jobba Trade Technologies

Userlevel 7
Badge +17

Hey there @Maddog78 and @woodsod,

I checked with the team, and they said that if your question is not answered here, then your best bet is to submit the question with as many details as possible to privacy@webroot.com.

Give that a shot and report back on your findings!

-Keenan

Userlevel 4
Badge +14

Again, these groups are concerned with the website. Are they included with product development? The link pointed to by the “here” does not even come close to answering, as this is concerned with the Webroot website (Compliance FAQ), a completely different product, made by a different part of the company.

From the lack of answers and responses it looks like Webroot is punting on the issue.

Equivocating leaves your customers out in the cold when they are audited for PCI compliance, when it is painfully obvious that the Webroot product is NOT compliant.

https://www-cdn.webroot.com/7215/4878/2430/Public_Compliance_FAQ_us.pdf

Stuff like this document is completely irrelevant to the question, except that they have Webroot and PCI DSS in the document.

All this talks about is the company, NOT THE PRODUCT!!!!!!!!!!!!!!!

Every time someone responds I get this privacy drivel, which demonstrates that they either have not read what they are pointing to or don’t understand compliance at its most basic level.

I apologize for the bluntness, but I have tried over several months to get any cogent answer from anyone at Webroot that I can contact.

David

Userlevel 7
Badge +17

Hey David,

Have you tried sending over your fully detailed request for info to Privacy@webroot.com? I’ve spoken to a number of employees and all of them have told me that is your best bet to get the answer you’re looking for.

I’m sorry you’re having so much difficulty getting the info you need. I’m a fairly new employee, so I’m still learning the ropes in terms of who owns what knowledge. I hope you can get the info you’re looking for by communicating with the owner of that email domain.

-Keenan

Userlevel 4
Badge +14

Yes, I have, and have received no response as of yet.

I will keep you up to date.

It would be nice to know if this issue is even on the radar for future enhancement. But basically this means that almost any company that processes credit cards or other electronic financial processing cannot use Webroot. The PCI DSS requirement 10.7 is just really a basic common sense requirement in order to perform the most basic steps of a forensic investigation of a breach. Webroot, in order to be considered a serious tool, must include some way of forwarding event logs from the endpoints to a centralized log server(s). Just basic security common sense.

Userlevel 4
Badge +14

Hi:

I did get a response finally, and this is what they said:

“Thank you for your patience and apologies for any difficulties you’ve encountered. According to PCI Requirement 5.2, your anti-virus solution should generate audit logs in accordance with PCI Requirement 10.7, which states, “Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis.” The PCI DSS further explains, “Retaining logs for at least a year allows for the fact that it often takes a while to notice that a compromise has occurred or is occurring, and allows investigators sufficient log history to better determine the length of time of a potential breach and potential system(s) impacted. By having three months of logs immediately available, an entity can quickly identify and minimize impact of a data breach.”

Webroot retains log information in our cloud infrastructure that meets the PCI requirements mentioned above. The information is transmitted directly to our cloud by the agent at the time of the event that triggered it. When using the Webroot GSM console to view data, or our Unity API, the data is obtained from the cloud infrastructure and not from logs on an agent.

During a restore or recovery process, the agent log may be removed as part of the agent un-install process. The cloud log data for that agent is retained and will be available for future use, such as during a PCI assessment.”

I did respond to this, as this does not say whether a customer such as myself can request the logs that go back 1 year from Webroot. The response does state that the Webroot infrastructure is compliant, which is great, but that does NOT make the companies that I am responsible for compliant.

1 year’s worth of logs must be provided. Not instantaneously, but within a reasonable amount of time, like a day. Also, the format in which it is provided would have to be a usable format, e.g. not PDF reports or some such format that is not easily analyzed or incorporated by a log server. Remember, it is compliance with the spirit of the regulation that matters, not “paper” compliance.

I am waiting for a response.

From what was said, Webroot as a corporation is compliant, but anyone who adopts the Webroot product will not be compliant,
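Worked example added here (not part of the thread, not Webroot code, and not using the Unity API): a script that checks an exported anti-virus event log against the two 10.7 tests quoted in the response above (one year retained, three months immediately available) and flags long silences in the trail, which is what an assessor would ask a customer to evidence. It assumes the events were forwarded to a log server and exported as CSV lines of timestamp,tier,host,event; the sample export and the "hot"/"archive" tier labels are constructed for the example.

```python
# Added example (not Webroot code, no Webroot API): check an exported
# anti-virus audit log against PCI DSS 10.7. Assumes events were forwarded
# to a log server and exported as CSV lines "timestamp,tier,host,event",
# where tier is "hot" (immediately queryable) or "archive" (on request).
from datetime import datetime, timedelta

RETAIN_DAYS = 365   # 10.7: retain audit trail history for at least one year
HOT_DAYS = 90       # 10.7: minimum of three months immediately available

def parse_export(lines):
    records = []
    for line in lines:
        if line.strip() and not line.startswith("#"):
            ts, tier, host, event = line.strip().split(",", 3)
            records.append({"ts": datetime.fromisoformat(ts), "tier": tier,
                            "host": host, "event": event})
    return records

def check_10_7(records, now, max_gap_days=60):
    """Findings for 10.7: one-year depth, 90-day hot availability, plus a
    continuity heuristic (a long silence usually means forwarding broke)."""
    stamps = sorted(r["ts"] for r in records)
    findings = {"events": len(stamps), "gaps": []}
    if not stamps:
        findings.update(year_retained=False, hot_available=False, compliant=False)
        return findings
    findings["year_retained"] = stamps[0] <= now - timedelta(days=RETAIN_DAYS)
    recent = [r for r in records if r["ts"] >= now - timedelta(days=HOT_DAYS)]
    findings["hot_available"] = bool(recent) and all(r["tier"] == "hot" for r in recent)
    for earlier, later in zip(stamps, stamps[1:] + [now]):  # include silence up to now
        if later - earlier > timedelta(days=max_gap_days):
            findings["gaps"].append((earlier.date().isoformat(), later.date().isoformat()))
    findings["compliant"] = (findings["year_retained"] and findings["hot_available"]
                             and not findings["gaps"])
    return findings

# Constructed sample export; the silence between 2018-03 and 2018-06 is deliberate.
SAMPLE_EXPORT = """\
2018-01-20T09:00:00+00:00,archive,ws-01,threat_detected
2018-03-01T12:30:00+00:00,archive,ws-02,scan_complete
2018-06-15T08:15:00+00:00,archive,ws-01,definitions_updated
2018-08-10T10:00:00+00:00,archive,ws-03,threat_quarantined
2018-10-05T14:45:00+00:00,archive,ws-02,scan_complete
2018-11-25T16:05:00+00:00,archive,ws-03,definitions_updated
2019-01-10T09:40:00+00:00,hot,ws-02,threat_detected
2019-02-20T07:55:00+00:00,hot,ws-01,policy_changed
""".splitlines()
AUDIT_DATE = datetime.fromisoformat("2019-02-26T00:00:00+00:00")

if __name__ == "__main__":
    print(check_10_7(parse_export(SAMPLE_EXPORT), AUDIT_DATE))
```

Run against the sample, the one-year and three-month tests pass but the report is still not compliant because of the 106-day silence, which is the kind of evidence gap an assessor will probe rather than accept a vendor's statement about its own infrastructure.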

 
