Don't put your eggs in one basket: I use multiple anti-virus products so that if one blows up, at least not all computers are affected. Looks like my old wisdom is still new wisdom.
Clarification: I mean that every computer has one anti-virus product, but not every computer has the same anti-virus product. I'm not installing multiple anti-virus products on the same computer.
You use multiple anti-virus products. Let's assume you use 3. Do you have multiple clusters of machines, each running their own AV product, so in case one has this problem the other two are unaffected?
How much overhead are we talking about here? Because if you're just using multiple AV software installed on one machine, 1) holy shit, the performance penalty, 2) you'd still be impacted by this, as CS would have taken it down.
They surely mean that all odd-numbered assets are running CrowdStrike and even-numbered ones are running SentinelOne (or similar, %3, %4, etc., etc.). At least then you only lose half your estate.
I have never seen a company that uses multiple AV products rolled out to user machines, ever. Sure, when you transition from one product to another, but across the whole company, at the same time? Never... I have also never seen a distribution of something like active directory servers based on antivirus software. I think these stories are purely academic, "why didn't you just..." tall tales.
Mine certainly does: our key Windows-based control systems use Windows Defender; the corporate crap gets SentinelOne and Zscaler and whatever else has been bought on a whim.
I'd assumed that any essential company would be similar. OK, if your purchasing systems for your hospital are down for a couple of days, it's a pain. If you can't get x-rays, it's a catastrophe.
If half your x-ray machines are down and half are up, then it's a pain, but you can prioritise.
But lots of companies like a single supplier. Ho hum.
Not the person you're replying to, but in any reasonable organization with automated software deployment it should be easy to pool machines into groups, so you can make sure that each department has at least one machine that uses a different anti-virus software.
Bonus, in case you do catch a malware, chances are higher that one of the three products you use will flag it.
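The grouping described in the two comments above (deterministic odd/even or modulo splits, and making sure every department keeps at least one machine on a different product) can be scripted. The block below is an added example, not code from anyone in this thread; the inventory, department names and product names `edr-a`/`edr-b`/`edr-c` are constructed placeholders, and the two assignment strategies are my own, not any vendor's feature.

```python
"""Split a fleet across several EDR/AV products so that one vendor failure
cannot take every machine down at once.  Added example; the inventory and the
product names below are constructed placeholders, not real hosts or vendors."""
import hashlib
from collections import defaultdict

# Constructed sample inventory of (hostname, department) pairs.
INVENTORY = [
    ("xray-01", "radiology"), ("xray-02", "radiology"),
    ("xray-03", "radiology"), ("xray-04", "radiology"),
    ("purch-01", "purchasing"), ("purch-02", "purchasing"),
    ("dc-01", "infra"), ("dc-02", "infra"), ("dc-03", "infra"),
    ("kiosk-01", "reception"),
]
# Placeholder product names; substitute whatever is actually licensed.
PRODUCTS = ["edr-a", "edr-b", "edr-c"]


def assign_by_hash(hostname: str, products: list[str]) -> str:
    """The 'odd/even assets' scheme: a stable hash of the hostname mod N.
    Re-running never reshuffles a host, but nothing guarantees that a small
    department ends up with more than one product."""
    digest = hashlib.sha256(hostname.encode("utf-8")).digest()
    return products[int.from_bytes(digest[:8], "big") % len(products)]


def assign_round_robin(inventory, products):
    """Department-aware split: walk departments in sorted order and hand out
    products round-robin with one counter carried across departments, so
    every department with at least len(products) hosts sees every product
    and the overall load stays balanced.  Returns {hostname: product}."""
    by_dept = defaultdict(list)
    for host, dept in inventory:
        by_dept[dept].append(host)
    assignment = {}
    counter = 0
    for dept in sorted(by_dept):
        for host in sorted(by_dept[dept]):
            assignment[host] = products[counter % len(products)]
            counter += 1
    return assignment


def blast_radius(assignment, failed_product):
    """Fraction of the fleet that goes dark if one product misbehaves."""
    affected = sum(1 for p in assignment.values() if p == failed_product)
    return affected / len(assignment)


def departments_lacking_diversity(inventory, assignment):
    """Departments whose hosts all run the same product, i.e. where a single
    vendor failure removes every machine.  Single-host departments are
    reported too: they cannot be diversified without more hardware."""
    seen = defaultdict(set)
    for host, dept in inventory:
        seen[dept].add(assignment[host])
    return sorted(d for d, prods in seen.items() if len(prods) < 2)


if __name__ == "__main__":
    plan = assign_round_robin(INVENTORY, PRODUCTS)
    for host, product in sorted(plan.items()):
        print(f"{host:10s} -> {product}")
    for product in PRODUCTS:
        print(f"blast radius if {product} fails: {blast_radius(plan, product):.0%}")
    print("single-vendor departments:", departments_lacking_diversity(INVENTORY, plan))
```

The hash-based split is the simplest to bolt onto an existing deployment tool, but the department-aware round-robin is the one that actually delivers the "at least one machine on a different product per department" property; the diversity check is what you would run after every inventory change, and a non-empty result is the list of places where a single vendor outage still takes out the whole team.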
So you have multiple AV products and you target those groups. You have those groups isolated on their own networks, right? With all the overhead that comes with strict firewall rules and transmission policies between various services on each one. With redundant services on each network... you've doubled or tripled your network device costs solely to isolate for anti-virus software. So if only one thing finds the zero-day network-based virus, it won't propagate to the other networks that haven't been patched against this zero-day thing.
How far down the rabbit hole do we want to go? If you assume many companies are doing this kind of thing, or even a double digit percentage of companies, I have bad news for you.
But, cost of maintenance aside, it wouldn't be that bad to deploy each half of the fleet with one of two distinct EDRs.
This is actually implicitly in place for big companies that support BYOD. If half your fleet is on Windows, another 40% on macOS and 10% on Linux, you need distinct EDR solutions, and a single issue can't affect your whole fleet at once.