
Comment by bigfatkitten

3 days ago

> It does not.

Yes it does. A little bit of application control, network segmentation and credential hygiene (including phishing-resistant MFA) go a long way.

> The problem is, as long as there are people employed in a company, there will be people being too trustful and executing malware,

Why are you letting employees execute arbitrary software in the first place? Application allowlisting, particularly on Windows, is a well-solved problem.

> not to mention AI agents.

Now this is possible only through criminal incompetence.

> And even if you'd assume people and AI agents were perfect, there's all the auto updaters these days that regularly get compromised because they are such juicy targets.

Relatively rare, likely to be caught by publisher rules in application control and even if not, if the compromise of a handful of endpoints can take down the entire business then you have some serious, systemic problems to solve.

> And no, backups aren't the solution either, they only limit the scope of lost data. In the end the flaw is fundamental to all major desktop OSes - neither Windows, Linux nor macOS meaningfully limit the access scope of code running natively on the filesystem. Everything in the user's home directory and all mounted network shares where the user has write permissions bar a few specially protected files/folders is fair game for any malware achieving local code execution.

Why are you giving individual employees such broad access to so many file shares in the first place? We’re in basic hygiene territory again.