Skip to main content

END-04: Malicious Code Protection (Anti-Malware)

END 10 — Critical Detect

Mechanisms exist to utilize antimalware technologies to detect and eradicate malicious code.

Control Question: Does the organization utilize antimalware technologies to detect and eradicate malicious code?

General (55)
Framework Mapping Values
AICPA TSC 2017:2022 (used for SOC 2) (source) CC6.8 CC6.8-POF4
CIS CSC 8.1 10 10.1 10.4
CIS CSC 8.1 IG1 10.1
CIS CSC 8.1 IG2 10.1
CIS CSC 8.1 IG3 9.7 10.1
COBIT 2019 DSS05.01
CSA CCM 4 TVM-02 UEM-09
CSA IoT SCF 2 CLS-14
ENISA 2.0 SO12
GovRAMP Core SI-03
GovRAMP Low SI-03
GovRAMP Low+ SI-03
GovRAMP Moderate SI-03
GovRAMP High SI-03
IEC 62443-4-2 2019 CR 3.2 (7.4) SAR 3.2 (12.3.1) HDR 3.2 (14.4.1) NDR 3.2 (15.6.1)
ISO 27002 2022 8.7
ISO 27017 2015 12.2.1
MITRE ATT&CK 10 T1001, T1001.001, T1001.002, T1001.003, T1003, T1003.001, T1003.002, T1003.003, T1003.004, T1003.005, T1003.006, T1003.007, T1003.008, T1005, T1008, T1011.001, T1021.003, T1021.005, T1025, T1027, T1027.002, T1029, T1030, T1036, T1036.003, T1036.005, T1037, T1037.002, T1037.003, T1037.004, T1037.005, T1041, T1046, T1047, T1048, T1048.001, T1048.002, T1048.003, T1052, T1052.001, T1055, T1055.001, T1055.002, T1055.003, T1055.004, T1055.005, T1055.008, T1055.009, T1055.011, T1055.012, T1055.013, T1055.014, T1056.002, T1059, T1059.001, T1059.002, T1059.003, T1059.004, T1059.005, T1059.006, T1059.007, T1059.008, T1068, T1070, T1070.001, T1070.002, T1070.003, T1071, T1071.001, T1071.002, T1071.003, T1071.004, T1072, T1080, T1090, T1090.001, T1090.002, T1091, T1092, T1095, T1098.004, T1102, T1102.001, T1102.002, T1102.003, T1104, T1105, T1106, T1111, T1132, T1132.001, T1132.002, T1137, T1137.001, T1176, T1185, T1189, T1190, T1201, T1203, T1204, T1204.001, T1204.002, T1204.003, T1210, T1211, T1212, T1218, T1218.001, T1218.002, T1218.003, T1218.004, T1218.005, T1218.008, T1218.009, T1218.012, T1218.013, T1218.014, T1219, T1221, T1485, T1486, T1490, T1491, T1491.001, T1491.002, T1505.004, T1525, T1539, T1543, T1543.002, T1546.002, T1546.003, T1546.004, T1546.006, T1546.013, T1546.014, T1547.002, T1547.005, T1547.006, T1547.007, T1547.008, T1547.013, T1548, T1548.004, T1553.003, T1557, T1557.001, T1557.002, T1558, T1558.002, T1558.003, T1558.004, T1559, T1559.001, T1559.002, T1560, T1560.001, T1561, T1561.001, T1561.002, T1562, T1562.001, T1562.002, T1562.004, T1562.006, T1564.004, T1564.008, T1564.009, T1566, T1566.001, T1566.002, T1566.003, T1567, T1568, T1568.002, T1569, T1569.002, T1570, T1571, T1572, T1573, T1573.001, T1573.002, T1574, T1574.001, T1574.004, T1574.007, T1574.008, T1574.009, T1598, T1598.001, T1598.002, T1598.003, T1602, T1602.001, T1602.002, T1611
MPA Content Security Program 5.1 TS-1.0 TS-1.3
NIST 800-53 R4 SI-3
NIST 800-53 R4 (low) SI-3
NIST 800-53 R4 (moderate) SI-3
NIST 800-53 R4 (high) SI-3
NIST 800-53 R5 (source) SI-3
NIST 800-53B R5 (low) (source) SI-3
NIST 800-53B R5 (moderate) (source) SI-3
NIST 800-53B R5 (high) (source) SI-3
NIST 800-82 R3 LOW OT Overlay SI-3
NIST 800-82 R3 MODERATE OT Overlay SI-3
NIST 800-82 R3 HIGH OT Overlay SI-3
NIST 800-161 R1 SI-3
NIST 800-161 R1 C-SCRM Baseline SI-3
NIST 800-161 R1 Flow Down SI-3
NIST 800-161 R1 Level 2 SI-3
NIST 800-161 R1 Level 3 SI-3
NIST 800-171 R2 (source) 3.14.2
NIST 800-171A (source) 3.14.2[a] 3.14.2[b] 3.14.5[a] 3.14.5[b] 3.14.5[c]
NIST 800-171 R3 (source) 03.14.02.c 03.14.02.c.01 03.14.02.c.02
NIST 800-171A R3 (source) A.03.14.02.ODP[01] A.03.14.02.a[01] A.03.14.02.a[02] A.03.14.02.c.02
NIST CSF 2.0 (source) DE.CM-09
PCI DSS 4.0.1 (source) 5.2 5.2.1 5.2.2 5.3 5.3.1 5.3.2 5.3.2.1 5.3.3 5.3.4 5.3.5
PCI DSS 4.0.1 SAQ A-EP (source) 5.2.1 5.2.2 5.3.1 5.3.2 5.3.2.1 5.3.3 5.3.4 5.3.5
PCI DSS 4.0.1 SAQ C (source) 5.2.1 5.2.2 5.3.1 5.3.2 5.3.2.1 5.3.3 5.3.4 5.3.5
PCI DSS 4.0.1 SAQ C-VT (source) 5.2.1 5.2.2 5.3.1 5.3.2 5.3.3 5.3.4 5.3.5
PCI DSS 4.0.1 SAQ D Merchant (source) 5.2.1 5.2.2 5.3.1 5.3.2 5.3.2.1 5.3.3 5.3.4 5.3.5
PCI DSS 4.0.1 SAQ D Service Provider (source) 5.2.1 5.2.2 5.3.1 5.3.2 5.3.2.1 5.3.3 5.3.4 5.3.5
Shared Assessments SIG 2025 U.1.5.1
SWIFT CSF 2023 6.1
TISAX ISA 6 5.2.3
UL 2900-1 2017 14.1 14.2
SCF CORE Fundamentals END-04
SCF CORE Mergers, Acquisitions & Divestitures (MA&D) END-04
SCF CORE ESP Level 1 Foundational END-04
SCF CORE ESP Level 2 Critical Infrastructure END-04
SCF CORE ESP Level 3 Advanced Threats END-04
US (35)
Framework Mapping Values
US CERT RMM 1.2 VAR:SG2.SP2 VAR:SG2.SP3 VAR:SG3.SP1
US CMMC 2.0 Level 1 (source) SI.L1-B.1.XIII SI.L1-B.1.XV
US CMMC 2.0 Level 1 AOs (source) SI.L1-B.1.XIII[a] SI.L1-B.1.XIII[b] SI.L1-B.1.XV[a] SI.L1-B.1.XV[b]
US CMMC 2.0 Level 2 (source) SI.L2-3.14.2
US CMMC 2.0 Level 3 (source) SI.L2-3.14.2
US CMS MARS-E 2.0 SI-3
US DHS CISA TIC 3.0 3.PEP.EM.PDPRO 3.PEP.FI.AMALW 3.PEP.IN.EDRES
US FAR 52.204-21 52.204-21(b)(1)(xiii) 52.204-21(b)(1)(xv)
US FedRAMP R4 SI-3
US FedRAMP R4 (low) SI-3
US FedRAMP R4 (moderate) SI-3
US FedRAMP R4 (high) SI-3
US FedRAMP R4 (LI-SaaS) SI-3
US FedRAMP R5 (source) SI-3
US FedRAMP R5 (low) (source) SI-3
US FedRAMP R5 (moderate) (source) SI-3
US FedRAMP R5 (high) (source) SI-3
US FedRAMP R5 (LI-SaaS) (source) SI-3
US FFIEC D3.DC.Th.B.2
US HIPAA HICP Small Practice 2.S.A 8.S.A
US HIPAA HICP Medium Practice 1.M.A 2.M.A 9.M.B
US HIPAA HICP Large Practice 1.M.A 2.M.A 9.M.B 1.L.A
US IRS 1075 SI-3
US NERC CIP 2024 (source) CIP-007-6 3.1 CIP-007-6 3.2 CIP-007-6 3.3 CIP-007-6 4.2.1
US NISPOM 2020 8-305
US NNPI (unclass) 17.2
US NSTC NSPM-33 6.10 6.12 6.14
US SSA EIESR 8.0 5.8
US - CA CCPA 2025 7123(c)(9)
US - MA 201 CMR 17.00 17.04(7)
US - NY DFS 23 NYCRR500 2023 Amd 2 500.14(a)(2)
US - TX DIR Control Standards 2.0 SI-3
US - TX TX-RAMP Level 1 SI-3
US - TX TX-RAMP Level 2 SI-3
US - VT Act 171 of 2018 2447(c)(6)
EMEA (9)
Framework Mapping Values
EMEA EU NIS2 Annex 6.9.1 6.9.2
EMEA Germany C5 2020 OPS-04 OPS-05
EMEA Israel CDMO 1.0 7.1 7.3 12.20 15.5
EMEA Saudi Arabia ECC-1 2018 2-3-3-1 2-4-3-4 5-1-3-10
EMEA Saudi Arabia OTCC-1 2022 2-3-1-8
EMEA Saudi Arabia SACS-002 TPC-12
EMEA Spain CCN-STIC 825 7.3.6 [OP.EXP.6]
EMEA UK Cyber Essentials 4
EMEA UK DEFSTAN 05-138 2411 2426
APAC (8)
Framework Mapping Values
APAC Australia ISM June 2024 ISM-1284 ISM-1286 ISM-1288 ISM-1289 ISM-1290 ISM-1293 ISM-1417 ISM-1608
APAC India SEBI CSCRF PR.IP.S4
APAC Japan ISMAP 12.2.1
APAC New Zealand HISF 2022 HHSP62 HML62 HMS10 HSUP54
APAC New Zealand HISF Suppliers 2023 HSUP54
APAC New Zealand NZISM 3.6 14.1.9.C.02
APAC Singapore Cyber Hygiene Practice 4.5
APAC Singapore MAS TRM 2021 11.3.3
Americas (3)
Framework Mapping Values
Americas Bermuda BMACCC 6.12
Americas Canada CSAG 4.3 4.4
Americas Canada ITSP-10-171 03.14.02.C 03.14.02.C.01 03.14.02.C.02

Capability Maturity Model

Level 0 — Not Performed

There is no evidence of a capability to utilize antimalware technologies to detect and eradicate malicious code.

Level 1 — Performed Informally

Endpoint Security (END) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • Asset management is informally assigned as an additional duty to existing IT/cybersecurity personnel.
  • IT/cybersecurity personnel use an informal process to design, build and maintain secure configurations for test, development, staging and production environments, including the implementation of appropriate cybersecurity and data protection controls.
  • Anti-malware technologies are decentralized but are deployed on all technology assets that can run Anti-malware software.
  • Data management is decentralized.
Level 2 — Planned & Tracked

Endpoint Security (END) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • Endpoint security management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
  • IT/cybersecurity personnel identify cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements for endpoint security management.
  • Anti-malware technologies are decentralized but are deployed on all technology assets that can run anti-malware software.
  • Physical controls, administrative processes and technologies focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.
  • Technologies are configured to protect data with the strength and integrity commensurate with the classification or sensitivity of the information and mostly conform to industry-recognized standards for hardening (e.g., DISA STIGs, CIS Benchmarks or OEM security guides), including cryptographic protections for sensitive/regulated data.
Level 3 — Well Defined

Endpoint Security (END) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • Configuration management is centralized for all operating systems, applications, servers and other configurable technologies.
  • Technologies are configured to protect data with the strength and integrity commensurate with the classification or sensitivity of the information and conform to industry-recognized standards for hardening (e.g., DISA STIGs, CIS Benchmarks or OEM security guides), including test, development, staging and production environments.
  • Configurations conform to industry-recognized standards for hardening (e.g., DISA STIGs, CIS Benchmarks or OEM security guides) for test, development, staging and production environments.
  • An Identity & Access Management (IAM) function, or similar function, centrally manages permissions and implements “least privileges” practices for the management of user, group and system accounts, including privileged accounts.
  • An IT Asset Management (ITAM) function, or similar function, categorizes endpoint devices according to the data the asset stores, transmits and/ or processes and applies the appropriate technology controls to protect the asset and data that conform to industry-recognized standards for hardening (e.g., DISA STIGs, CIS Benchmarks or OEM security guides).
  • A Security Operations Center (SOC), or similar function, centrally manages anti-malware and anti-phishing technologies, in accordance with industry-recognized practices for Prevention, Detection & Response (PDR) activities.
  • A Security Incident Event Manager (SIEM), or similar automated tool, is tuned to detect and respond to anomalous behavior that could indicate account compromise or other malicious activities.
  • The Human Resources (HR) department ensures that every user accessing a system that processes, stores, or transmits sensitive/regulated data is cleared and regularly trained in proper data handling practices.
  • Unauthorized configuration changes are responded to in accordance with an Incident Response Plan (IRP) to determine if the any unauthorized configuration is malicious in nature.
Level 4 — Quantitatively Controlled

Endpoint Security (END) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3 criteria, CMM Level 4 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).
  • Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).
  • Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.
  • Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).
  • Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.
  • Both business and technical stakeholders are involved in reviewing and approving proposed changes.
Level 5 — Continuously Improving

See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to utilize antimalware technologies to detect and eradicate malicious code.

Assessment Objectives

  1. END-04_A01 the frequency for malicious code scans is defined.
  2. END-04_A02 malicious code scans are performed with the defined frequency.
  3. END-04_A03 malicious code protection mechanisms are configured to perform real-time scans of files from external sources as the files are downloaded, opened or executed.
  4. END-04_A04 designated locations for malicious code protection are identified.
  5. END-04_A05 protection from malicious code at designated locations is provided.
  6. END-04_A06 action to be taken in response to malicious code detection are defined.
  7. END-04_A07 personnel or roles to be alerted when malicious code is detected is/are defined.
  8. END-04_A08 malicious code protection mechanisms are implemented at system entry and exit points to detect malicious code.
  9. END-04_A09 malicious code protection mechanisms are implemented at system entry and exit points to eradicate malicious code.
  10. END-04_A10 malicious code protection mechanisms are updated automatically as new releases are available in accordance with organizational configuration management policy and procedures.
  11. END-04_A11 malicious code protection mechanisms are configured to perform periodic scans of the system frequency.
  12. END-04_A12 malicious code protection mechanisms are configured to perform real-time scans of files from external sources as the files are downloaded, opened or executed in accordance with organizational policy.
  13. END-04_A13 malicious code protection mechanisms are configured to respond to malicious code detection.
  14. END-04_A14 malicious code protection mechanisms are configured to send alerts to personnel or roles in response to malicious code detection.
  15. END-04_A15 the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system are addressed.
  16. END-04_A16 malicious code protection mechanisms are implemented at system entry and exit points to eradicate malicious code.
  17. END-04_A17 malicious code protection mechanisms are configured to block malicious code, quarantine malicious code, or take other actions in response to malicious code detection.
  18. END-04_A18 the frequency at which malicious code protection mechanisms perform scans is defined.

Evidence Requirements

E-END-01 Endpoint Security Tools

Documented evidence of endpoint security tools employed by the organization to ensure secure and compliant systems, applications and processes (e.g., antimalware, FIM, etc.).

Endpoint Security
E-MON-02 Malware Activity

Documented evidence of malware activity being logged and included as part of the centralized event log collection and review/analysis process.

Event Log Monitoring

Technology Recommendations

Micro/Small

  • Antimalware software

Small

  • Antimalware software

Medium

  • Antimalware software

Large

  • Antimalware software

Enterprise

  • Antimalware software

The Secure Controls Framework (SCF) is maintained by SCF Council. Use of SCF content is subject to the SCF Terms & Conditions.

Manage this control in SCF Connect

Track implementation status, collect evidence, and map controls to your compliance frameworks automatically.

Get Started Free