Safeguard 10.4 (IG2, IG3)

Configure Automatic Anti-Malware Scanning of Removable Media

Control Group: 10. Malware Defenses
Asset Type: Devices
Security Function: Detect

Description

Configure anti-malware software to automatically scan removable media.

Implementation Checklist

1. Deploy detection tools or enable detection capabilities
2. Configure alerting thresholds and notification channels
3. Establish monitoring schedule and review process
4. Test detection capabilities with simulated events
5. Document detection procedures and escalation paths
6. Select and configure vulnerability scanning tool
7. Define scan scope, frequency, and credentials
8. Establish vulnerability remediation SLAs by severity
9. Create exception/waiver process for unremediated findings
10. Deploy anti-malware solution to all applicable endpoints
11. Configure automatic signature updates
12. Enable real-time scanning and scheduled full scans
13. Establish centralized management and alerting

Threats & Vulnerabilities (CIS RAM)

Threat Scenarios

Malware Introduction via Unscanned Removable Media

Integrity

Infected USB drives, external hard drives, or SD cards are connected to enterprise assets, and without automatic scanning the malware transfers to the system undetected, potentially spreading across the network.

Targeted Attack via Vendor-Provided Infected Media

Confidentiality

Removable media received from vendors, contractors, or partners contains malware that was introduced during the supply chain, and without automatic scanning on insertion the malware executes when files are accessed from the device.

Vulnerabilities (When Safeguard Absent)

No Automatic Removable Media Scanning Configured

Anti-malware software is not configured to automatically scan removable media upon connection, relying on users to manually initiate scans or waiting for scheduled scans that may not run before infected files are accessed.

Removable Media Scanning Excluded from AV Policy

Anti-malware policies specifically exclude removable media from real-time scanning due to performance concerns, allowing malicious files on USB devices to be copied to local storage without triggering detection.
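The two "safeguard absent" conditions above can be audited on a Windows endpoint running Microsoft Defender Antivirus with the script below. It is an added example, not part of the CIS page or of any vendor documentation; it relies on the Get-MpPreference, Set-MpPreference and Remove-MpPreference cmdlets and the DisableRemovableDriveScanning, DisableRealtimeMonitoring and ExclusionPath settings, and assumes an elevated session.

```powershell
# Added example for Safeguard 10.4 (not from the CIS page): audit a Defender
# endpoint for the two "safeguard absent" conditions and optionally correct them.
# Cmdlets and preference names are real Defender settings; run elevated.
function Test-RemovableMediaScanning {
    param([switch]$Remediate)

    $pref     = Get-MpPreference
    $findings = @()

    # "No automatic removable media scanning configured": when this preference is
    # True, removable drives are skipped during full scans.
    if ($pref.DisableRemovableDriveScanning) {
        $findings += 'Removable drives excluded from full scans (DisableRemovableDriveScanning=True)'
        if ($Remediate) { Set-MpPreference -DisableRemovableDriveScanning $false }
    }

    # On-access scanning of files read from or copied off a USB device depends on
    # real-time protection; with it disabled nothing is scanned on access.
    if ($pref.DisableRealtimeMonitoring) {
        $findings += 'Real-time protection disabled (DisableRealtimeMonitoring=True)'
        if ($Remediate) { Set-MpPreference -DisableRealtimeMonitoring $false }
    }

    # "Removable media scanning excluded from AV policy": a path exclusion that
    # covers the root of a mounted removable volume (e.g. E:\) bypasses real-time
    # scanning for every file on that device. DriveType 2 = removable disk.
    $removableRoots = Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2' |
        ForEach-Object { "$($_.DeviceID)\" }
    foreach ($ex in $pref.ExclusionPath) {
        $hit = $removableRoots | Where-Object { $ex.TrimEnd('\') -eq $_.TrimEnd('\') }
        if ($hit) {
            $findings += "Exclusion path '$ex' covers removable volume $hit"
            if ($Remediate) { Remove-MpPreference -ExclusionPath $ex }
        }
    }

    # One record per host, suitable for the monthly technical evidence item.
    [pscustomobject]@{
        Host      = $env:COMPUTERNAME
        Checked   = (Get-Date).ToString('s')
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

Test-RemovableMediaScanning | Format-List
```

Run with `-Remediate` to apply the corrected settings; without it the function only reports, which is the mode to use when collecting deployment evidence.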

Evidence Requirements

Type      | Evidence Item                                                           | Collection Frequency
----------|-------------------------------------------------------------------------|---------------------
Technical | Detection tool deployment evidence (dashboard screenshots, agent status) | Captured monthly
Technical | Sample alert/detection output demonstrating capability                  | Captured quarterly
Technical | Vulnerability scan reports showing scope and findings                   | Per scan cycle
Record    | Vulnerability remediation tracking with SLA compliance metrics          | Monthly
Technical | Anti-malware deployment status and detection statistics                 | Monthly
Document  | Governing policy document (current, approved, communicated)             | Reviewed annually