8.4: Configure Anti-Malware Scanning of Removable Media
Sub-control 8.4 states that you must configure devices so that they automatically conduct an anti-malware scan of removable media when inserted or connected.
| Asset Type | Security Function | Implementation Groups | 
|---|---|---|
| Devices | Detect | 1, 2, 3 | 
Dependencies
- Sub-control 1.4: Maintain Detailed Asset Inventory
- Sub-control 5.1: Establish Secure Configurations
 
Inputs
- Endpoint Inventory: The endpoint inventory with an entry for each endpoint indicating whether or not that endpoint can support anti-malware software.
- Desired anti-malware configuration: The desired configuration to automatically scan removable media when inserted/connected.
 
Assumptions
- Some endpoints, such as network devices, may not support anti-malware software. Whether an endpoint supports anti-malware software is provided as part of I1. Devices that cannot support anti-malware software are removed from the list of endpoints to be checked during Operation 1, and these devices are not counted in the metric below.
 
Operations
- Refine the endpoint inventory (I1) to contain only endpoints that can support anti-malware software. This reduced list of endpoints becomes M1.
- Of the set of endpoints that can support anti-malware software (M1), generate a list of those endpoints that actually have anti-malware software installed and enabled and that adhere to the configuration specified in I2 (M2). Then, generate a list of the endpoints that do not adhere to the specified configuration (M3). Note: Endpoints in M1 that do not have anti-malware installed and enabled are considered non-compliant and added to M3.
 
Measures
| Measure | Definition | 
|---|---|
| M1 = List of endpoints capable of supporting anti-malware software | A list of all endpoints that have anti-malware software installed. |
| M2 = List of endpoints with an acceptable version of anti-malware software installed, enabled, and properly configured to scan removable media (compliant list) | A list of endpoints that have supported versions of anti-malware that are installed, enabled, and properly configured to scan removable media. | 
| M3 = List of endpoints not adhering to the specified configuration (non-compliant list) | A list of endpoints that do not adhere to the specified configuration. |
| M4 = Count of items in M1 | A count of the total number of items in M1. | 
| M5 = Count of items in M2 | A count of the total number of items in M2. | 
| M6 = Count of items in M3 | A count of the total number of items in M3. | 
Metrics
Coverage
| Metric | Calculation | 
|---|---|
| The ratio of endpoints that are compliant with the desired anti-malware configuration compared to the total number of endpoints capable of supporting anti-malware software. | M5 / M4 |
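
The operations and coverage metric above, worked through on a small inventory. This is an added example, not part of the CIS specification: the field names, the version set standing in for I2, the choice to report coverage as undefined when M4 is zero, and the sample hosts are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Endpoint:
    name: str
    supports_av: bool                    # from I1
    installed: bool = False
    enabled: bool = False
    version: Optional[str] = None
    scans_removable_media: bool = False  # observed on-insert scan setting

# I2, constructed for this example: acceptable versions and required setting.
DESIRED = {"versions": {"4.2", "4.3"}, "scans_removable_media": True}

def is_compliant(e, desired=DESIRED):
    """Installed, enabled, acceptable version, and scanning removable media."""
    return (e.installed and e.enabled
            and e.version in desired["versions"]
            and e.scans_removable_media == desired["scans_removable_media"])

def assess(inventory, desired=DESIRED):
    # Operation 1: drop endpoints that cannot support anti-malware software.
    m1 = [e for e in inventory if e.supports_av]
    # Operation 2: split M1 into compliant (M2) and non-compliant (M3).
    m2 = [e.name for e in m1 if is_compliant(e, desired)]
    m3 = [e.name for e in m1 if not is_compliant(e, desired)]
    m4, m5, m6 = len(m1), len(m2), len(m3)
    # Coverage is undefined when no endpoint can support anti-malware software.
    coverage = m5 / m4 if m4 else None
    return {"M1": [e.name for e in m1], "M2": m2, "M3": m3,
            "M4": m4, "M5": m5, "M6": m6, "coverage": coverage}

# Constructed sample inventory (not real hosts).
INVENTORY = [
    Endpoint("ws-01", True, True, True, "4.3", True),
    Endpoint("ws-02", True, True, True, "4.3", False),   # on-insert scan off
    Endpoint("ws-03", True),                             # nothing installed
    Endpoint("ws-04", True, True, False, "4.3", True),   # installed, disabled
    Endpoint("ws-05", True, True, True, "3.9", True),    # unacceptable version
    Endpoint("ws-06", True, True, True, "4.2", True),
    Endpoint("sw-01", False),                            # switch: excluded
]

if __name__ == "__main__":
    r = assess(INVENTORY)
    print(f"M4={r['M4']} M5={r['M5']} M6={r['M6']} coverage={r['coverage']:.2%}")
```

Because every endpoint in M1 lands in exactly one of M2 or M3, M5 + M6 should always equal M4; a mismatch indicates a collection error rather than a compliance result.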