http://blogs.technet.com/b/yuridiogenes/archive/2011/05/05/patch-management-the-necessary-evil.aspxBefore joining the Windows iX IT PRO Security team I spent my last 11 years working in the enterprise support field, where 5 were at Microsoft CSS (former PSS). During the Conficker outbreak I was in Oklahoma for New Years Eve 2008/2009 (which BTW isen-USTelligent Evolution Platform Developer Build (Build: 5.6.50428.7875)http://blogs.technet.com/b/yuridiogenes/archive/2011/05/05/patch-management-the-necessary-evil.aspx#3427540Mon, 09 May 2011 11:59:14 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:3427540Yuri Diogenes [MSFT]<p>Thanks for your perspective on this. The only problem with this approach (don’t enforce patch management and don’t have AV) is that you are exposed to risks that sometimes you don’t even know. What if confidential information were leaked during the time that the AV was out of date or the machine was unpatched? Can you measure the damage? Did he really save money for the company in this case? There are risks that are not included in this scenario’s calculation that are key to define the true value of the final damage. In any case, thanks for sharing your ideas.</p> <div style="clear:both;"></div><img src="http://blogs.technet.com/aggbug.aspx?PostID=3427540" width="1" height="1">http://blogs.technet.com/b/yuridiogenes/archive/2011/05/05/patch-management-the-necessary-evil.aspx#3427398Sat, 07 May 2011 20:42:38 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:3427398Massimo<p>I will give you a different (although IMHO interesting) point of view: </p> <p>Feb.2010. Mid-to-large company: -3800 workstations, 250 servers. With no antivirus at all, and NO patching policy...every person decided the patching policy for his/her workstation. In Feb.2010 they acquired a new IS Manager, and in the same month we acquired the company as our client; one of our first job was to deploy an enterprise antivirus to all workstations and servers. </p> <p>During the Conficker outbreak, which spread in that company in March 2010 (before starting our antivirus deployment) all the servers and workstations were infected.... the domain controllers, the exchange servers, the SQL servers, everything... we manually cleaned up everything in about 4 weeks. </p> <p>At the end of cleaning and deploying the AV, when everything was back to normal, &nbsp;the new IS Manager, dropped a phone call to the old IS Manager to make a summary of events, and to tell him &quot;hey man! see what your stupid missing policy about AV and Patches did&quot;. The OLD IS manager answer was quite surprising:</p> <p>&quot;Hey there, tell me: how much did it cost the outbreak for the company?... ok now, calculate how much you would have spent in AV licenses renewal in the last 10 years and in manging patches for all workstations... and now tell me... which costed the most?... I&#39;ll tell you! The company saved money thanks to me&quot;.... &nbsp;no comment (and the sad thing is that... maybe he is true)</p> <div style="clear:both;"></div><img src="http://blogs.technet.com/aggbug.aspx?PostID=3427398" width="1" height="1">