8.4: Configure Anti-Malware Scanning of Removable Media

Configure devices so that they automatically conduct an anti-malware scan of removable media when inserted or connected.

Asset Type: Devices

Security Function: Detect

Implementation Groups: 1, 2, 3

Dependencies

  • Sub-control 1.4: Maintain Detailed Asset Inventory

  • Sub-control 5.1: Establish Secure Configurations

Inputs

  1. Endpoint inventory (with an entry for each endpoint indicating whether that endpoint can support anti-malware software or not)

  2. Desired anti-malware configuration (to automatically scan removable media when inserted/connected)

Assumptions

Some endpoints, such as network devices, may not support anti-malware software. Whether an endpoint supports anti-malware software is provided as part of Input 1. Devices that cannot support anti-malware software are removed from the list of endpoints to be checked during Operation 1, and these devices are not counted in the metric below.

Operations

  1. Refine the endpoint inventory (Input 1) to contain only endpoints that can support anti-malware software; this reduced list of endpoints becomes M1.

  2. Of the set of endpoints that can support anti-malware software (M1), generate a list of those endpoints that actually have anti-malware software installed and enabled and that adhere to the configuration specified in Input 2 (M2), and a list of the endpoints that do not adhere to the specified configuration (M3). Note: Endpoints in M1 that do not have anti-malware installed and enabled are considered non-compliant and added to M3.

Measures

  • M1 = List of endpoints capable of supporting anti-malware software

  • M2 = List of endpoints with anti-malware software installed, enabled, and properly configured to scan removable media (compliant list)

  • M3 = List of endpoints not adhering to the specified configuration (non-compliant list)

  • M4 = Count of endpoints in M1 (number of endpoints capable of supporting anti-malware software)

  • M5 = Count of endpoints in M2 (number of compliant endpoints)

  • M6 = Count of endpoints in M3 (number of non-compliant endpoints)

Metrics

Coverage

Metric: What is the ratio of endpoints compliant with the desired anti-malware configuration to the total number of endpoints capable of supporting anti-malware software?

Calculation: M5 / M4
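
The operations, measures and coverage metric above, worked through on a small inventory. This is an added example, not part of the original specification. The record fields, the setting name scan_removable_media_on_insert and the sample endpoints are assumptions constructed for illustration. Treating an endpoint that does not report the setting as non-compliant is also an assumption.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Endpoint:
    name: str
    supports_antimalware: bool        # Input 1: capability flag per endpoint
    installed: bool = False           # anti-malware software present
    enabled: bool = False             # anti-malware software running
    settings: Optional[dict] = None   # reported settings; None if nothing reported

# Input 2 (assumed representation): settings that must be reported with these values.
DESIRED = {"scan_removable_media_on_insert": True}

def is_compliant(ep, desired):
    """Installed, enabled, and every desired setting reported with the desired value."""
    if not (ep.installed and ep.enabled) or ep.settings is None:
        return False
    return all(ep.settings.get(key) == value for key, value in desired.items())

def assess(inventory, desired=DESIRED):
    # Operation 1: drop endpoints that cannot support anti-malware software.
    m1 = [ep for ep in inventory if ep.supports_antimalware]
    # Operation 2: split M1 into compliant (M2) and non-compliant (M3).
    m2 = [ep for ep in m1 if is_compliant(ep, desired)]
    m3 = [ep for ep in m1 if not is_compliant(ep, desired)]
    m4, m5, m6 = len(m1), len(m2), len(m3)
    return {
        "M1": [ep.name for ep in m1],
        "M2": [ep.name for ep in m2],
        "M3": [ep.name for ep in m3],
        "M4": m4, "M5": m5, "M6": m6,
        # M5 / M4 is undefined when no endpoint is in scope; report None, not 0 or 1.
        "coverage": m5 / m4 if m4 else None,
    }

# Constructed sample inventory (hypothetical endpoint names).
INVENTORY = [
    Endpoint("ws-01", True, True, True, {"scan_removable_media_on_insert": True}),
    Endpoint("ws-02", True, True, True, {"scan_removable_media_on_insert": False}),
    Endpoint("ws-03", True, True, False, {"scan_removable_media_on_insert": True}),
    Endpoint("lap-01", True, True, True, {}),   # setting not reported
    Endpoint("srv-01", True),                   # no anti-malware installed: goes to M3
    Endpoint("sw-01", False),                   # network device: excluded from M1
]

if __name__ == "__main__":
    for measure, value in assess(INVENTORY).items():
        print(measure, "=", value)
```

M2 and M3 always partition M1, so M5 + M6 = M4 is a useful sanity check on any collected data set.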