10.1
IG1 IG2 IG3

Deploy and Maintain Anti-Malware Software

Control Group: 10. Malware Defenses
Asset Type: Devices
Security Function: Protect

Description

Deploy and maintain anti-malware software on all enterprise assets.

Implementation Checklist

1. Assess current protection controls in place
2. Configure and deploy required security controls
3. Test control effectiveness in a non-production environment
4. Deploy to production and verify functionality
5. Document configuration and operational procedures
6. Deploy the anti-malware solution to all applicable endpoints
7. Configure automatic signature updates
8. Enable real-time scanning and scheduled full scans
9. Establish centralized management and alerting

Threats & Vulnerabilities (CIS RAM)

Threat Scenarios

Commodity Malware Infection Across Unprotected Endpoints

Availability

Without anti-malware software deployed, enterprise assets are exposed to commodity malware (ransomware, banking trojans, information stealers, cryptominers) that even a basic signature-based anti-malware product would routinely detect and block.

Ransomware Encryption of Enterprise Data

Availability

Ransomware variants such as LockBit, BlackCat, or Cl0p execute and encrypt data on systems without anti-malware protection, causing operational disruption and potential data loss because nothing on the host detects or interrupts the encryption process.

Information Stealer Deployment for Credential Harvesting

Confidentiality

Information-stealing malware (RedLine, Raccoon, Vidar) executes on unprotected endpoints, harvesting saved browser credentials, session cookies, cryptocurrency wallets, and VPN configurations for sale on dark web marketplaces.

Vulnerabilities (When Safeguard Absent)

No Anti-Malware Software Deployed on Enterprise Assets

Some or all enterprise assets lack anti-malware software, providing no automated defense against known malware families, exploit payloads, or malicious scripts that endpoint protection would normally detect and block.

Inconsistent Anti-Malware Coverage Across Asset Types

Anti-malware is deployed on Windows workstations but not on servers, Linux systems, macOS devices, or virtual machines, leaving significant portions of the infrastructure without malware detection capabilities.
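The checklist above asks for deployment to all endpoints, current signatures, real-time and scheduled scanning, and central reporting, and the vulnerability just described is exactly what a per-asset-type coverage report exposes. The following is an added example, not part of this page or of any CIS tooling: it reconciles a constructed asset inventory against a constructed anti-malware console export and flags hosts with no agent, real-time protection off, stale signatures, or an overdue full scan. The field names (`host`, `realtime`, `sig_date`, `last_full_scan`) and the age thresholds are assumptions; a real console export will need its own column mapping.

```python
"""Reconcile anti-malware telemetry against the asset inventory.

Added example, not from the CIS Controls page. INVENTORY and AV_STATUS are
constructed sample data; the field names and thresholds are assumptions.
"""
from dataclasses import dataclass
from datetime import date

# Constructed sample asset inventory (what CIS Control 1 should already provide).
INVENTORY = [
    {"host": "ws-001",     "os": "Windows 11",          "type": "workstation"},
    {"host": "ws-002",     "os": "Windows 11",          "type": "workstation"},
    {"host": "srv-db01",   "os": "Windows Server 2022", "type": "server"},
    {"host": "srv-web01",  "os": "Ubuntu 22.04",        "type": "server"},
    {"host": "mac-042",    "os": "macOS 14",            "type": "workstation"},
    {"host": "vm-build03", "os": "Windows Server 2019", "type": "vm"},
]

# Constructed sample export from a central anti-malware console (ISO dates).
AV_STATUS = [
    {"host": "ws-001",    "realtime": True,  "sig_date": "2024-05-30", "last_full_scan": "2024-05-26"},
    {"host": "ws-002",    "realtime": False, "sig_date": "2024-05-30", "last_full_scan": "2024-05-27"},
    {"host": "srv-db01",  "realtime": True,  "sig_date": "2024-05-01", "last_full_scan": "2024-05-25"},
    {"host": "mac-042",   "realtime": True,  "sig_date": "2024-05-30", "last_full_scan": "2024-04-10"},
    {"host": "legacy-01", "realtime": True,  "sig_date": "2024-05-30", "last_full_scan": "2024-05-28"},
]

# Fixed "today" so the constructed data gives a stable report.
REPORT_DATE = date(2024, 5, 31)


@dataclass
class Finding:
    host: str
    issue: str
    detail: str


def assess_coverage(inventory, av_status, today, max_sig_age_days=3, max_scan_age_days=7):
    """Return (findings, coverage_by_type).

    Findings cover the failure modes this safeguard is meant to close: no agent
    at all, real-time protection off, stale signatures, and an overdue full scan.
    Coverage is reported per asset type so a gap on servers or macOS does not
    hide behind a high workstation percentage.
    """
    status_by_host = {row["host"]: row for row in av_status}
    findings = []
    totals = {}  # asset type -> (hosts with an agent, hosts in inventory)
    for asset in inventory:
        host, atype = asset["host"], asset["type"]
        covered, total = totals.get(atype, (0, 0))
        row = status_by_host.get(host)
        if row is None:
            findings.append(Finding(host, "no_agent", f"{asset['os']} asset has no anti-malware record"))
            totals[atype] = (covered, total + 1)
            continue
        totals[atype] = (covered + 1, total + 1)
        if not row["realtime"]:
            findings.append(Finding(host, "realtime_off", "real-time scanning disabled"))
        sig_age = (today - date.fromisoformat(row["sig_date"])).days
        if sig_age > max_sig_age_days:
            findings.append(Finding(host, "stale_signatures", f"signatures {sig_age} days old"))
        scan_age = (today - date.fromisoformat(row["last_full_scan"])).days
        if scan_age > max_scan_age_days:
            findings.append(Finding(host, "scan_overdue", f"last full scan {scan_age} days ago"))
    # Hosts the console reports but the inventory lacks are an inventory gap
    # (Control 1), not extra coverage: surface them rather than ignore them.
    for host in sorted(set(status_by_host) - {a["host"] for a in inventory}):
        findings.append(Finding(host, "not_in_inventory", "reported by AV console but absent from asset inventory"))
    coverage = {t: round(100 * c / n, 1) for t, (c, n) in totals.items()}
    return findings, coverage


def summarize(findings):
    """Count findings per issue type: the number that goes into the monthly status evidence."""
    counts = {}
    for f in findings:
        counts[f.issue] = counts.get(f.issue, 0) + 1
    return counts


def run_report(today=REPORT_DATE):
    """Run the reconciliation over the constructed sample data."""
    return assess_coverage(INVENTORY, AV_STATUS, today)


if __name__ == "__main__":
    findings, coverage = run_report()
    print("coverage by asset type (%):", coverage)
    for f in findings:
        print(f"{f.host:12} {f.issue:18} {f.detail}")
```

Run against real data, the inventory side should come from the authoritative asset list rather than from the anti-malware console itself; a console can only report hosts that already have an agent, so it cannot by itself reveal the uncovered servers, Linux hosts, or VMs this vulnerability describes.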

Evidence Requirements

Type        Evidence Item                                                               Collection Frequency
Technical   Configuration screenshots or exports showing protection controls enabled    Captured quarterly
Document    Procedure documentation for protection measures                             Reviewed annually
Technical   Anti-malware deployment status and detection statistics                     Monthly
Document    Governing policy document (current, approved, communicated)                 Reviewed annually

Related Policy Templates