Malware Defenses
Prevent or control the installation, spread, and execution of malicious applications, code, or scripts on enterprise assets.
Why Is This Control Critical?
Malicious software (commonly categorized as viruses, worms, Trojans, ransomware, spyware, adware, and so on) is an integral and dangerous aspect of internet threats. Its purposes range from capturing credentials and stealing data to identifying further targets within the network and encrypting or destroying data. Malware is ever-evolving and adaptive; modern variants may leverage machine learning techniques. Malware enters an enterprise through vulnerabilities on end-user devices and via email attachments, web pages, cloud services, mobile devices, and removable media. It often relies on insecure end-user behavior and social engineering to gain initial access, which is why security awareness training matters alongside the technical controls below.
Safeguards (7)
| ID | Title | Function | IG | Checklist Items | Evidence |
|---|---|---|---|---|---|
| 10.1 | Deploy and Maintain Anti-Malware Software | Protect | IG1, IG2, IG3 | 7 | 4 |
| 10.2 | Configure Automatic Anti-Malware Signature Updates | Protect | IG1, IG2, IG3 | 7 | 4 |
| 10.3 | Disable Autorun and Autoplay for Removable Media | Protect | IG1, IG2, IG3 | 5 | 3 |
| 10.4 | Configure Automatic Anti-Malware Scanning of Removable Media | Detect | IG2, IG3 | 11 | 6 |
| 10.5 | Enable Anti-Exploitation Features | Protect | IG2, IG3 | 5 | 3 |
| 10.6 | Centrally Manage Anti-Malware Software | Protect | IG2, IG3 | 7 | 4 |
| 10.7 | Use Behavior-Based Anti-Malware Software | Detect | IG2, IG3 | 8 | 4 |
Audit Verification Details
10.1 Deploy and Maintain Anti-Malware Software
Deploy and maintain anti-malware software on all enterprise assets.
Audit Verification Checklist
- A governing policy or procedure exists, is approved by management, and was reviewed within the last 12 months.
  Evidence: Signed/approved policy document with review date
- Roles and responsibilities for this safeguard are formally assigned and communicated.
  Evidence: RACI matrix, role assignment records, or job descriptions
- Required protection controls are deployed and configured per the approved baseline.
  Evidence: Configuration exports, screenshots, or compliance scan results
- Control effectiveness has been validated through testing.
  Evidence: Test results, validation reports, or scan output
- Anti-malware is deployed on all applicable endpoints with current signatures.
  Evidence: Deployment status dashboard, signature update timestamps
- Changes to protection controls follow the change management process.
  Evidence: Change tickets, approval records
- Malware detections are investigated and resolved.
  Evidence: Detection logs, investigation and resolution records
| Type | Evidence Item | Frequency |
|---|---|---|
| Technical | Configuration screenshots or exports showing protection controls enabled | Captured quarterly |
| Document | Procedure documentation for protection measures | Reviewed annually |
| Technical | Anti-malware deployment status and detection statistics | Monthly |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |
10.2 Configure Automatic Anti-Malware Signature Updates
Configure automatic updates for anti-malware signature files on all enterprise assets.
Audit Verification Checklist
- A governing policy or procedure exists, is approved by management, and was reviewed within the last 12 months.
  Evidence: Signed/approved policy document with review date
- Roles and responsibilities for this safeguard are formally assigned and communicated.
  Evidence: RACI matrix, role assignment records, or job descriptions
- Required protection controls are deployed and configured per the approved baseline.
  Evidence: Configuration exports, screenshots, or compliance scan results
- Control effectiveness has been validated through testing.
  Evidence: Test results, validation reports, or scan output
- Anti-malware is deployed on all applicable endpoints with current signatures.
  Evidence: Deployment status dashboard, signature update timestamps
- Changes to protection controls follow the change management process.
  Evidence: Change tickets, approval records
- Malware detections are investigated and resolved.
  Evidence: Detection logs, investigation and resolution records
| Type | Evidence Item | Frequency |
|---|---|---|
| Technical | Configuration screenshots or exports showing protection controls enabled | Captured quarterly |
| Document | Procedure documentation for protection measures | Reviewed annually |
| Technical | Anti-malware deployment status and detection statistics | Monthly |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |
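The following PowerShell script is an added example of how the technical evidence for 10.1 and 10.2 (engine enabled, real-time protection on, signatures current) can be collected from an endpoint running Microsoft Defender Antivirus; it is not part of the original page or of any CIS tooling. The 72-hour maximum signature age and the evidence directory under ProgramData\Audit are assumed baselines, not values the page specifies.

```powershell
# Added example (not from the original page): gather 10.1/10.2 evidence from
# Microsoft Defender Antivirus and judge it against an assumed baseline.
# Run in an elevated PowerShell session on the endpoint being audited.

$MaxSignatureAgeHours = 72                                   # assumed baseline; align with policy
$EvidenceDir          = Join-Path $env:ProgramData 'Audit'   # assumed evidence location

$status = Get-MpComputerStatus
$pref   = Get-MpPreference

# Age of the installed antivirus signatures, computed from the last-update timestamp.
$sigAgeHours = [math]::Round(((Get-Date) - $status.AntivirusSignatureLastUpdated).TotalHours, 1)

$record = [pscustomobject]@{
    Host                          = $env:COMPUTERNAME
    CollectedAt                   = (Get-Date).ToString('o')
    # 10.1: engine present and actively protecting
    AMServiceEnabled              = $status.AMServiceEnabled
    AntivirusEnabled              = $status.AntivirusEnabled
    RealTimeProtectionEnabled     = $status.RealTimeProtectionEnabled
    IsTamperProtected             = $status.IsTamperProtected
    # 10.2: signatures current and updating automatically
    AntivirusSignatureVersion     = $status.AntivirusSignatureVersion
    AntivirusSignatureLastUpdated = $status.AntivirusSignatureLastUpdated
    SignatureAgeHours             = $sigAgeHours
    # 0 means Defender's default update schedule is in use; 1-24 is an explicit hourly interval.
    SignatureUpdateIntervalHours  = $pref.SignatureUpdateInterval
    Result                        = 'PENDING'
}

$failures = @()
if (-not $status.AMServiceEnabled)          { $failures += 'AM service disabled' }
if (-not $status.AntivirusEnabled)          { $failures += 'Antivirus disabled' }
if (-not $status.RealTimeProtectionEnabled) { $failures += 'Real-time protection disabled' }
if ($sigAgeHours -gt $MaxSignatureAgeHours) { $failures += "Signatures ${sigAgeHours}h old (> ${MaxSignatureAgeHours}h)" }
$record.Result = if ($failures.Count -eq 0) { 'PASS' } else { 'FAIL: ' + ($failures -join '; ') }

# Persist a timestamped CSV as the audit artefact and show the result on screen.
New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null
$csv = Join-Path $EvidenceDir ("CIS-10.1-10.2-{0}-{1}.csv" -f $env:COMPUTERNAME, (Get-Date -Format 'yyyyMMdd-HHmm'))
$record | Export-Csv -Path $csv -NoTypeInformation
$record | Format-List
```

Run it from the central management tool or a scheduled task so the CSVs accumulate as the monthly "deployment status and detection statistics" evidence. A tamper-protected endpoint (IsTamperProtected = True) is worth recording because it shows that a local administrator or malware cannot simply switch the engine off, which is part of what "maintain" in 10.1 means in practice.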
10.3 Disable Autorun and Autoplay for Removable Media
Disable autorun and autoplay auto-execute functionality for removable media.
Audit Verification Checklist
- A governing policy or procedure exists, is approved by management, and was reviewed within the last 12 months.
  Evidence: Signed/approved policy document with review date
- Roles and responsibilities for this safeguard are formally assigned and communicated.
  Evidence: RACI matrix, role assignment records, or job descriptions
- Required protection controls are deployed and configured per the approved baseline.
  Evidence: Configuration exports, screenshots, or compliance scan results
- Control effectiveness has been validated through testing.
  Evidence: Test results, validation reports, or scan output
- Changes to protection controls follow the change management process.
  Evidence: Change tickets, approval records
| Type | Evidence Item | Frequency |
|---|---|---|
| Technical | Configuration screenshots or exports showing protection controls enabled | Captured quarterly |
| Document | Procedure documentation for protection measures | Reviewed annually |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |
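On Windows, 10.3 comes down to three Explorer policy values. The script below is an added example (not from the original page) that audits them and, with -Remediate, sets them to the values written by the "Turn off AutoPlay" (all drives), "Set the default behavior for AutoRun" (do not execute any autorun commands) and "Disallow Autoplay for non-volume devices" Group Policy settings. The script name and the -Remediate switch are the example's own conventions.

```powershell
# Added example (not from the original page): audit, and optionally enforce, the
# Windows Explorer policy values that disable AutoRun and AutoPlay for removable media.
[CmdletBinding()]
param([switch]$Remediate)   # without -Remediate the script only reports

$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

# Expected values. Anything else (or an absent value) is the weak state.
$Expected = @{
    NoDriveTypeAutoRun     = 255   # 0xFF: AutoPlay off for every drive type, removable included
    NoAutorun              = 1     # never execute autorun.inf commands
    NoAutoplayfornonVolume = 1     # no AutoPlay for cameras, phones and other non-volume devices
}

$results = foreach ($name in $Expected.Keys) {
    $actual    = (Get-ItemProperty -Path $PolicyKey -Name $name -ErrorAction SilentlyContinue).$name
    $compliant = ($null -ne $actual) -and ([int]$actual -eq $Expected[$name])

    if (-not $compliant -and $Remediate) {
        if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
        New-ItemProperty -Path $PolicyKey -Name $name -PropertyType DWord `
                         -Value $Expected[$name] -Force | Out-Null
        $actual = $Expected[$name]; $compliant = $true
    }

    [pscustomobject]@{
        Setting  = $name
        Expected = $Expected[$name]
        Actual   = if ($null -eq $actual) { '(not set)' } else { $actual }
        Status   = if ($compliant) { 'PASS' } else { 'FAIL' }
    }
}

$results | Format-Table -AutoSize
```

Two caveats for the auditor: the HKLM policy values take precedence over any per-user setting under HKCU, so the machine-level key is the one to export as evidence; and a value that was corrected locally will be overwritten at the next policy refresh if the domain or MDM baseline disagrees, so the lasting fix belongs in the central baseline, with this script used to confirm the result on the endpoint.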
10.4 Configure Automatic Anti-Malware Scanning of Removable Media
Configure anti-malware software to automatically scan removable media.
Audit Verification Checklist
- A governing policy or procedure exists, is approved by management, and was reviewed within the last 12 months.
  Evidence: Signed/approved policy document with review date
- Roles and responsibilities for this safeguard are formally assigned and communicated.
  Evidence: RACI matrix, role assignment records, or job descriptions
- Detection tools are deployed and actively collecting data.
  Evidence: Dashboard screenshots showing agent/sensor status and data flow
- Alerting is configured with defined thresholds and notification channels.
  Evidence: Alert rule configuration exports, notification channel setup
- Vulnerability scans cover all in-scope assets and run at the defined frequency.
  Evidence: Scan reports with scope and schedule evidence
- Anti-malware is deployed on all applicable endpoints with current signatures.
  Evidence: Deployment status dashboard, signature update timestamps
- Alerts are reviewed and triaged within the defined SLA.
  Evidence: Alert response logs, triage records with timestamps
- Detection coverage has been tested with simulated events.
  Evidence: Detection test results, purple team exercise reports
- Vulnerabilities are remediated within defined SLAs by severity.
  Evidence: Remediation tracking with SLA compliance metrics
- Exceptions and risk acceptances are documented and approved.
  Evidence: Exception/waiver records with management sign-off
- Malware detections are investigated and resolved.
  Evidence: Detection logs, investigation and resolution records
| Type | Evidence Item | Frequency |
|---|---|---|
| Technical | Detection tool deployment evidence (dashboard screenshots, agent status) | Captured monthly |
| Technical | Sample alert/detection output demonstrating capability | Captured quarterly |
| Technical | Vulnerability scan reports showing scope and findings | Per scan cycle |
| Record | Vulnerability remediation tracking with SLA compliance metrics | Monthly |
| Technical | Anti-malware deployment status and detection statistics | Monthly |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |
10.5 Enable Anti-Exploitation Features
Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™.
Audit Verification Checklist
- A governing policy or procedure exists, is approved by management, and was reviewed within the last 12 months.
  Evidence: Signed/approved policy document with review date
- Roles and responsibilities for this safeguard are formally assigned and communicated.
  Evidence: RACI matrix, role assignment records, or job descriptions
- Required protection controls are deployed and configured per the approved baseline.
  Evidence: Configuration exports, screenshots, or compliance scan results
- Control effectiveness has been validated through testing.
  Evidence: Test results, validation reports, or scan output
- Changes to protection controls follow the change management process.
  Evidence: Change tickets, approval records
| Type | Evidence Item | Frequency |
|---|---|---|
| Technical | Configuration screenshots or exports showing protection controls enabled | Captured quarterly |
| Document | Procedure documentation for protection measures | Reviewed annually |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |
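The features named in 10.5 can each be queried from the command line, which gives the auditor a configuration export rather than a screenshot. The PowerShell below is an added example (not from the original page): on Windows it reads the boot-time DEP policy from WMI, the system-wide Exploit Protection mitigations that Windows Defender Exploit Guard applies, and the Exploit Guard Attack Surface Reduction, Network Protection and Controlled Folder Access settings; under PowerShell 7 on macOS it shells out to csrutil and spctl for SIP and Gatekeeper. The function name is the example's own.

```powershell
# Added example (not from the original page): report the anti-exploitation
# features named in Safeguard 10.5 so the output can be kept as configuration evidence.

function Get-AntiExploitStatus {
    if ($IsMacOS) {
        # csrutil reports System Integrity Protection; spctl reports Gatekeeper assessment state.
        return [pscustomobject]@{
            Platform   = 'macOS'
            SIP        = (& csrutil status) -join ' '
            Gatekeeper = (& spctl --status) -join ' '
        }
    }

    # DEP: Win32_OperatingSystem exposes the NX policy chosen at boot.
    $os     = Get-CimInstance Win32_OperatingSystem
    $depMap = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
    $depPolicy = $depMap[[int]$os.DataExecutionPrevention_SupportPolicy]

    # Exploit Protection (part of Exploit Guard): system-wide mitigation defaults.
    $mit = Get-ProcessMitigation -System

    # Attack Surface Reduction rules: action 1 = Block, 2 = Audit, 6 = Warn.
    $pref     = Get-MpPreference
    $asrBlock = @($pref.AttackSurfaceReductionRules_Actions | Where-Object { $_ -eq 1 }).Count

    [pscustomobject]@{
        Platform                = 'Windows'
        DepAvailable            = $os.DataExecutionPrevention_Available
        DepPolicy               = $depPolicy          # OptOut or AlwaysOn is the usual baseline expectation
        DepSystemDefault        = $mit.Dep.Enable
        AslrBottomUp            = $mit.Aslr.BottomUp
        AslrHighEntropy         = $mit.Aslr.HighEntropy
        ControlFlowGuard        = $mit.Cfg.Enable
        SehopEnabled            = $mit.SEHOP.Enable
        AsrRulesConfigured      = @($pref.AttackSurfaceReductionRules_Ids).Count
        AsrRulesInBlockMode     = $asrBlock
        NetworkProtection       = $pref.EnableNetworkProtection        # 0 off, 1 block, 2 audit
        ControlledFolderAccess  = $pref.EnableControlledFolderAccess   # 0 off, 1 block, 2 audit
    }
}

Get-AntiExploitStatus | Format-List
```

Values reported as NOTSET mean the Windows default applies for that mitigation rather than an explicit policy, so the auditor should compare them against the approved baseline rather than assume they are failures. The same Get-ProcessMitigation cmdlet, without -System, shows per-process overrides, which is where exceptions for legacy applications usually live and should be matched against the documented exception records.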
10.6 Centrally Manage Anti-Malware Software
Centrally manage anti-malware software.
Audit Verification Checklist
- A governing policy or procedure exists, is approved by management, and was reviewed within the last 12 months.
  Evidence: Signed/approved policy document with review date
- Roles and responsibilities for this safeguard are formally assigned and communicated.
  Evidence: RACI matrix, role assignment records, or job descriptions
- Required protection controls are deployed and configured per the approved baseline.
  Evidence: Configuration exports, screenshots, or compliance scan results
- Control effectiveness has been validated through testing.
  Evidence: Test results, validation reports, or scan output
- Anti-malware is deployed on all applicable endpoints with current signatures.
  Evidence: Deployment status dashboard, signature update timestamps
- Changes to protection controls follow the change management process.
  Evidence: Change tickets, approval records
- Malware detections are investigated and resolved.
  Evidence: Detection logs, investigation and resolution records
| Type | Evidence Item | Frequency |
|---|---|---|
| Technical | Configuration screenshots or exports showing protection controls enabled | Captured quarterly |
| Document | Procedure documentation for protection measures | Reviewed annually |
| Technical | Anti-malware deployment status and detection statistics | Monthly |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |
10.7 Use Behavior-Based Anti-Malware Software
Use behavior-based anti-malware software.
Audit Verification Checklist
- A governing policy or procedure exists, is approved by management, and was reviewed within the last 12 months.
  Evidence: Signed/approved policy document with review date
- Roles and responsibilities for this safeguard are formally assigned and communicated.
  Evidence: RACI matrix, role assignment records, or job descriptions
- Detection tools are deployed and actively collecting data.
  Evidence: Dashboard screenshots showing agent/sensor status and data flow
- Alerting is configured with defined thresholds and notification channels.
  Evidence: Alert rule configuration exports, notification channel setup
- Anti-malware is deployed on all applicable endpoints with current signatures.
  Evidence: Deployment status dashboard, signature update timestamps
- Alerts are reviewed and triaged within the defined SLA.
  Evidence: Alert response logs, triage records with timestamps
- Detection coverage has been tested with simulated events.
  Evidence: Detection test results, purple team exercise reports
- Malware detections are investigated and resolved.
  Evidence: Detection logs, investigation and resolution records
| Type | Evidence Item | Frequency |
|---|---|---|
| Technical | Detection tool deployment evidence (dashboard screenshots, agent status) | Captured monthly |
| Technical | Sample alert/detection output demonstrating capability | Captured quarterly |
| Technical | Anti-malware deployment status and detection statistics | Monthly |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |
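Safeguards 10.4 and 10.7 both reduce, on Microsoft Defender Antivirus, to a handful of preferences that are either left at the protective value or switched off. The script below is an added example serving both safeguards (not from the original page): it lists each preference with the weak value beside the required one, reports the endpoint's actual state, and with -Remediate sets the required value through Set-MpPreference. The choice of preferences and the -Remediate switch are the example's own.

```powershell
# Added example (not from the original page): audit the Defender preferences behind
# Safeguard 10.4 (removable-media scanning) and 10.7 (behavior-based detection).
[CmdletBinding()]
param([switch]$Remediate)

# Each entry: the preference, the value that weakens the control, and the required value.
$Checks = @(
    @{ Safeguard = '10.4'; Name = 'DisableRemovableDriveScanning'; Weak = $true; Required = $false }
    @{ Safeguard = '10.7'; Name = 'DisableBehaviorMonitoring';     Weak = $true; Required = $false }
    @{ Safeguard = '10.7'; Name = 'DisableRealtimeMonitoring';     Weak = $true; Required = $false }
    @{ Safeguard = '10.7'; Name = 'MAPSReporting';                 Weak = 0;     Required = 2 }   # 0 off, 1 basic, 2 advanced cloud protection
)

$pref   = Get-MpPreference
$status = Get-MpComputerStatus

$report = foreach ($c in $Checks) {
    $actual = $pref.($c.Name)           # dynamic property lookup by preference name
    $ok     = ($actual -eq $c.Required)

    if (-not $ok -and $Remediate) {
        # Set-MpPreference takes each preference as a named parameter, so splat it.
        $param = @{ $c.Name = $c.Required }
        Set-MpPreference @param
        $actual = $c.Required; $ok = $true
    }

    [pscustomobject]@{
        Safeguard  = $c.Safeguard
        Preference = $c.Name
        Weak       = $c.Weak
        Required   = $c.Required
        Actual     = $actual
        Status     = if ($ok) { 'PASS' } else { 'FAIL' }
    }
}

$report | Format-Table -AutoSize

# Live confirmation from the engine, independent of the stored preference values.
"BehaviorMonitorEnabled    : $($status.BehaviorMonitorEnabled)"
"RealTimeProtectionEnabled : $($status.RealTimeProtectionEnabled)"
```

Two points matter when reading the output. DisableRemovableDriveScanning governs whether removable drives are included in scheduled full scans; files opened from a USB device are still inspected by real-time protection when that is on, so for 10.4 both values belong in the evidence. For 10.7, the stored preference and the engine's BehaviorMonitorEnabled status can disagree (for example when a third-party product has taken over and Defender is passive), which is why the script prints the live status alongside the configured value.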