Question

PCI DSS Requirement 10.7

  • 26 February 2019
  • 7 replies
  • 442 views

Userlevel 1
Badge +2
Hi,

We are in the middle of a PCI compliance audit and I have been asked to answer this question

"Are all anti-virus mechanisms generating audit logs, and are logs retained in accordance with PCI DSS Requirement 10.7"

Does anyone know how to address this when webroot is being used?

7 replies

Badge +1
Hey Maddog78,

I have just been through a similar process myself.

Webroot cannot do this by itself from what I understand. There is no native way for the agent to forward the logs to a log server or WR portal for centralised storage.

I can see in the WR portal that I can look back on audit events and alerts as far as 90 days but that is it.

I'm looking at Carbon Black Defense as an alternative as they claim to be compliant against PCI DSS req. 5 (including sub requirement 10.7).
Userlevel 7
Hi,

We are in the middle of a PCI compliance audit and I have been asked to answer this question

"Are all anti-virus mechanisms generating audit logs, and are logs retained in accordance with PCI DSS Requirement 10.7"

Does anyone know how to address this when webroot is being used?

Sorry about this post being overlooked. I don't know the answer to this so I will ping our Forum Administrator @LLiddell for her knowledge on this question.

HTH,
Dave.
Userlevel 7
Badge +36
Please click here​ to view our Compliance FAQ page for more information related to your request.

Should you have any additional questions that are not addressed in the Compliance FAQ, simply click on the link at the bottom of the FAQ page so that we may collect more information from you regarding your specific questions​ and a member of the Webroot team will get in touch with you as quickly as possible.
Badge +1

Please click here​ to view our Compliance FAQ page for more information related to your request.

Should you have any additional questions that are not addressed in the Compliance FAQ, simply click on the link at the bottom of the FAQ page so that we may collect more information from you regarding your specific questions​ and a member of the Webroot team will get in touch with you as quickly as possible.

Be warned that this answer DOES NOT address the question at all and is very deceptive. The link provided deals with compliance of Webroot as a company, NOT the compliance of the program/agent itself for companies looking to become PCI compliant. Webroot (the company) IS PCI compliant via self assessment. However, this does not answer the questions as to if the Webroot agent fulfills the requirements of PCI DSS. (E.g. PCI DSS requires that audit logs be retained for at least 1 year, with a minimum of 3 months immediately available for analysis.) PCI DSS 10.7 is the only part of PCI DSS, that I’m aware of, that may or may not be compliant, depending on if Webroot has added the ability to store audit longs for longer than 30 or 90 days. If webroot will store that data for at least a year, it’s probably PCI compliant. The last time I used Webroot in a corporate setting, around 5 years ago, I do not believe it had that ability. Hopefully, they have made that change.

Userlevel 4
Badge +14

Hi:

 

I am the CSO of a company that is looking for a PCI DSS compliant AntiVirus/AntiMalware program.

 

As RRayel wrote the compliance of the Webroot company and website has nothing to do with the Endpoint product that is sold.

 

Any update on this issue?

 

It is interesting to note that Webroot talks a lot about PCI compliance, but does not say if their product retains logs for 1 year or is able to forward logs to a log server which would be even better over a secure connection.

 

Any more on this?

 

If it does you have a sale as I use this product in other companies and personally.

 

 

Userlevel 4
Badge +14

I did as LLiddell suggested, I looked at the Compliance FAQ page, and then requested information sent on 11/25.

 

I have yet to obtain a response.

 

Basically does this mean that Webroot is not going to take a stand on PCI DSS compliance?

 

I’d like to have them respond yeah or nay, or if they are currently working on a solution, is this in beta?

 

I love the product, but am not able to recommend it at this point as I am not able to defend the product in an Audit.  Does not allow me to centralize the events/logs.

It would be best if the Web Console would be able to forward events to a centralized log manager, but being able to collect client logs would also be OK.

David

CSO

Jobba Trade Technologies

 

Userlevel 5
Badge +13

Hey there @Maddog78  and @woodsod ,

 

I checked with the team, and they said that if your question is not answered here then your best bet is to submit the question with as many details as possible to privacy@webroot.com

 

Give that a shot and report back on your findings! 

-Keenan

Reply