8.2: Ensure Anti-Malware Software and Signatures Are Updated

Sub-control 8.2 states that you must ensure that the organization’s anti-malware software updates its scanning engine and signature database on a regular basis.

Asset Type Security Function Implementation Groups
Devices Protect 1, 2, 3

Dependencies

  • Sub-control 1.4: Integrate Software and Hardware Asset Inventories

  • Sub-control 2.1: Maintain Inventory of Authorized Software

  • Sub-control 2.4: Track Software Inventory Information

Inputs

  1. Endpoint Inventory: The endpoint inventory. Update the record for each endpoint to indicate whether that endpoint can support anti-malware software or not (sub-control 1.4).

  2. Anti-malware software version information: A list of acceptable versions for the scanning engines and the signature databases for any anti-malware products in use on endpoints in I1. This version information needs to be updated frequently to reflect current version information and age off outdated versions. Reference the ASL per sub-control 2.1. and ideally leverage the software inventory in sub-control 2.4)

  3. Software update time limit: The maximum time allowed for anti-malware software updates to be applied to endpoints.

Assumptions

  • Some endpoints, such as network devices, may not support anti-malware software. Whether an endpoint supports anti-malware software is provided as part of I1. Devices that cannot support anti-malware software are removed from the list of endpoints to be checked during Operation 1, and these devices are not counted in the metric below.

Operations

  1. Refine the endpoint inventory (I1) to only contain endpoints that can support anti-malware software. This reduced list of endpoints becomes M1.

  2. For each endpoint in M1, generate a list of those endpoints that have an acceptable version of anti-malware software installed and enabled (both scanning engine and signature database) according to the information provided in I2 (M2). Then, generate a list of those endpoints that do not have an acceptable version of anti-malware software installed and enabled (M3).

  3. For each endpoint in M1, generate a list of those endpoints that have been updated within the time frame specified by I3 (M4), and a list of those endpoints that have not been updated within that time-frame (M5).

Measures

Measure Definition
M1 = List of enpoints capable of supporting anti-malware software

A list of all endpoints that have anti-malware software installed.
M2 = List of endpoints with an acceptable version of anti-malware software installed and enabled (version compliant list) A list of endpoints that have supported versions of anti-malware (and definitions) that are installed and current.

M3 = List of endpoints that do not have an acceptable version of anti-malware software installed and enabled (version non-compliant list)

A list of endpoints that do not have supported versions of anti-malware (and definitions) that are installed and current.
M4 = List of endpoints that have had their anti-malware software updated within the specified time-frame (time compliant list)

A list of endpoints that have had their anti-malware software updated within the specified time-frame.
M5 = List of endpoints that have not had their anti-malware software updated within the specified time-frame (time compliant list)

A list of endpoints that have not had their anti-malware software updated within the specified time-frame.
M6 = Count of items in M1 A count of the total number of items in M1.
M7 = Count of items in M2 A count of the total number of items in M2.
M8 = Count of items in M3 A count of the total number of items in M3.
M9 = Count of items in M4 A count of the total number of items in M4.
M10 = Count of items in M5 A count of the total number of items in M5.

Metrics

Coverage

Metric Calculation
The ratio of anti-malware software version compliant endpoints compared to the total number of endpoints capable of supporting anti-malware software. M7 / M9

Freshness

Metric Calculation
The ratio of endpoints whose anti-malware software has been updated within the specified timeframe. M9 / M6
Note: Comparing the coverage metric to the freshness metric can serve as a useful check - for instance, if the coverage metric tends to be high, while the freshness metric is low, that would suggest that I2 might not have been updated recently enough (that is, outdated versions are being considered acceptable).