Malware Protection: Your Last Line of Defence
Malware protection is the fifth of the five Cyber Essentials controls. Even with firewalls, secure configuration, security updates and user access control in place, malware can still reach your systems through a phishing attachment, a download or a USB stick. This control is the final technical layer that catches what the others miss.
Key Takeaways
| Point | Summary |
|---|---|
| Anti-malware required | All in-scope devices need malware protection, using one of the approved approaches |
| Three approaches | Anti-malware software, application allow listing (whitelisting), or sandboxing; confirm against the current NCSC requirements document, as the accepted options have changed between versions |
| Keep it updated | Malware signatures should update at least daily |
| Scan on access | Real-time scanning of files when accessed |
| Web and email protection | Block malicious websites and scan email attachments |
Quick Answer: Cyber Essentials requires malware protection on all devices. The most common approach is anti-malware software with daily signature updates and real-time scanning enabled. Application whitelisting and sandboxing are also acceptable alternatives.
Understanding malware types
Malware encompasses all types of malicious software designed to harm your systems or data:
Ransomware: Encrypts files and demands payment for decryption. This is currently one of the most significant threats to organisations of all sizes.
Viruses: Attach to legitimate programs and spread when those programs run. They require user action to spread.
Worms: Self-replicating malware that spreads across networks without requiring user action.
Trojans: Disguised as legitimate software but give attackers backdoor access. Often download additional malware once installed.
Spyware: Monitors user activity and steals credentials or data. Often hidden from the user.
Adware: Displays unwanted advertisements. While less dangerous, it can redirect browsers and is often bundled with free software.
What Cyber Essentials requires
Core requirements
| Requirement | Details |
|---|---|
| Anti-malware | Active protection on all devices |
| Regular updates | Malware definitions update automatically, at least daily |
| Automatic scanning | Configure automatic scans |
| Real-time protection | Enable on-access scanning |
| Coverage | All in-scope devices protected |
Acceptable protection methods
Cyber Essentials allows three approaches. The NCSC's "Requirements for IT infrastructure" document is revised periodically and its wording on accepted options and update frequency has changed between versions, so check the version current at the time of your assessment:
Option 1: Anti-malware software (most common)
- Traditional antivirus
- Next-generation endpoint protection
- Cloud-based scanning
- Must be kept updated
Option 2: Application allow listing (whitelisting)
- Only approved applications can run
- Very restrictive but effective
- Higher management overhead
- Good for static environments
Option 3: Application sandboxing
- Applications run in isolated environments
- Limits damage from malware
- Used for high-risk activities
- Often combined with other methods
Most organisations use anti-malware software—it's the most practical option for typical business environments.
Implementing malware protection
Step 1: Choose your protection solution
| Environment | Common Approach |
|---|---|
| Windows business | Microsoft Defender Antivirus (built in), optionally with Defender for Endpoint or a third-party EDR |
| macOS | Built-in XProtect + third-party option |
| Linux | Third-party AV for servers |
| Mobile | MDM with threat protection |
| Mixed environment | Unified endpoint protection |
Step 2: Configure essential settings
| Setting | Requirement |
|---|---|
| Real-time protection | Enabled |
| Automatic updates | Enabled (at least daily) |
| Scheduled scans | At least weekly |
| Email scanning | Enabled |
| Web protection | Enabled |
| Removable media scanning | Enabled |
Step 3: Platform-specific configuration
Microsoft Defender Antivirus (still widely called Windows Defender):
For most Windows environments, Microsoft Defender Antivirus provides adequate protection. Configure it under Windows Security:
- Virus & Threat Protection → Real-time protection: On
- Cloud-delivered protection: On
- Automatic sample submission: On (or notify)
- Tamper protection: On
- Controlled folder access: Consider enabling (trial it in audit mode first; it stops unapproved programs writing to protected folders and will break some legitimate software until exclusions are added)
Automatic scans:
- Quick scan: Daily
- Full scan: Weekly
- Scan removable drives: On
Update settings:
- Security intelligence: Auto update
- Platform updates: Auto update
- Engine updates: Auto update
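The settings above can be applied and verified with the Defender PowerShell module that ships with Windows, which is also how you make them consistent across many machines. This is an added example, not configuration from the original guide; it assumes an elevated PowerShell session on Windows 10/11 or Windows Server running Microsoft Defender Antivirus, and the scan times and update interval are illustrative choices.

```powershell
#Requires -RunAsAdministrator
# Added example: apply the Defender settings from the guide with Set-MpPreference.
Import-Module Defender

# Real-time and cloud protection
Set-MpPreference -DisableRealtimeMonitoring $false      # Real-time protection: On
Set-MpPreference -DisableBehaviorMonitoring $false      # Behavioural analysis: On
Set-MpPreference -DisableIOAVProtection $false          # Scan downloads and attachments: On
Set-MpPreference -DisableScriptScanning $false          # Scan scripts at execution: On
Set-MpPreference -DisableEmailScanning $false           # Scan mailbox files (e.g. PST): On
Set-MpPreference -MAPSReporting Advanced                # Cloud-delivered protection: On
Set-MpPreference -SubmitSamplesConsent SendSafeSamples  # Automatic sample submission
Set-MpPreference -CloudBlockLevel High                  # Stricter cloud verdicts
Set-MpPreference -PUAProtection Enabled                 # Block potentially unwanted apps
Set-MpPreference -EnableNetworkProtection Enabled       # Block known-bad web destinations
Set-MpPreference -EnableControlledFolderAccess AuditMode  # Assumed: audit first, then Enabled

# Scans: daily quick scan, weekly full scan, removable drives included
Set-MpPreference -ScanScheduleQuickScanTime 12:00:00    # Assumed time: daily quick scan at noon
Set-MpPreference -ScanParameters 2                      # Scheduled scan type: 2 = full scan
Set-MpPreference -ScanScheduleDay 6                     # 0 = every day, 1 = Sunday ... 6 = Friday
Set-MpPreference -ScanScheduleTime 20:00:00             # Assumed time: Friday 20:00
Set-MpPreference -DisableRemovableDriveScanning $false  # Scan removable drives: On
Set-MpPreference -CheckForSignaturesBeforeRunningScan $true

# Updates: check for security intelligence every 4 hours, well inside "at least daily"
Set-MpPreference -SignatureUpdateInterval 4
Update-MpSignature

# Tamper protection cannot be set with Set-MpPreference; turn it on in the Windows
# Security app or via Intune/Group Policy, then confirm it here with the rest.
Get-MpPreference | Select-Object DisableRealtimeMonitoring, MAPSReporting, PUAProtection,
    EnableControlledFolderAccess, ScanScheduleDay, SignatureUpdateInterval
(Get-MpComputerStatus).IsTamperProtected
```

Controlled folder access is set to audit mode deliberately: run it that way for a week, review event ID 1124 in the Defender operational log for the applications it would have blocked, add exclusions, and only then switch the value to Enabled.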
Third-party solutions:
If using third-party anti-malware, ensure these features are enabled:
| Feature | Status |
|---|---|
| Real-time scanning | Enabled |
| Signature updates | Automatic, at least daily |
| Heuristic detection | Enabled |
| Behavioural analysis | Enabled (if available) |
| Web filtering | Enabled |
| Email scanning | Enabled |
Step 4: Configure web protection
Browsers and web filtering add another layer:
| Protection | Implementation |
|---|---|
| Safe Browsing | Enable in Chrome, Firefox, Edge |
| Download scanning | Automatic scanning of downloads |
| Pop-up blocking | Enabled |
| Extension vetting | Only install trusted extensions |
| Web filtering | Consider proxy or DNS filtering |
Step 5: Email protection
Email is a primary malware delivery method:
| Protection | Implementation |
|---|---|
| Attachment scanning | Enable in email gateway/client |
| Link protection | Scan URLs in emails |
| Suspicious attachment blocking | Block executable and script attachments (.exe, .scr, .js, .vbs, .hta and similar) and the disc-image containers (.iso, .img) commonly used to wrap them |
| Spam filtering | Reduces malware exposure |
| User awareness | Train users on email threats |
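Attachment blocking belongs at the gateway, not in each mail client. The following is an added example, not part of the original guide, showing the weak default beside the corrected setting for one common gateway: it assumes Microsoft 365 with the ExchangeOnlineManagement module installed and an account that can administer Exchange Online. The cmdlets and parameters are those of that module; confirm them with Get-Help against your tenant's module version. Other gateways expose equivalent settings.

```powershell
# Added example: enforce attachment blocking in the Exchange Online malware filter policy.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline   # interactive sign-in

# Extensions that are executable, scriptable, or used to wrap executables. Adjust to your
# business, but do not drop the script and container types lightly.
$blocked = @('exe','scr','com','pif','bat','cmd','ps1','js','jse','vbs','vbe','wsf','hta',
             'msi','msp','jar','iso','img','vhd','lnk')

# Before: see what the default policy currently does (often the file filter is off or the
# extension list is short)
Get-MalwareFilterPolicy -Identity Default |
    Select-Object EnableFileFilter, FileTypeAction, @{n='FileTypes';e={$_.FileTypes -join ','}}

# After: turn the common attachment filter on, quarantine rather than reject so that admins
# can review false positives and senders get no bounce describing what was blocked, and keep
# zero-hour auto purge so mail reclassified as malware later is pulled from mailboxes.
Set-MalwareFilterPolicy -Identity Default `
    -EnableFileFilter $true `
    -FileTypes $blocked `
    -FileTypeAction Quarantine `
    -ZapEnabled $true

# Verify the policy now carries the full list
Get-MalwareFilterPolicy -Identity Default |
    Select-Object EnableFileFilter, FileTypeAction, @{n='FileTypes';e={$_.FileTypes -join ','}}
Disconnect-ExchangeOnline -Confirm:$false
```

Macro-enabled Office files are missing from the list on purpose: many businesses exchange them legitimately, so handle those with Safe Attachments-style sandboxing or a rule scoped to external senders rather than a blanket block.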
Mobile device protection
iOS devices
iOS has built-in protections that are generally sufficient:
| Protection | Status |
|---|---|
| App Store vetting | Automatic |
| Sandboxing | Built-in |
| Code signing | Required |
| Regular updates | Essential |
Key actions:
- Keep iOS updated
- Only install from App Store
- Review app permissions
- Consider MDM for business devices
Android devices
Android requires more attention:
Built-in protection:
- Google Play Protect: Enable
- Verify apps: Enable (on current Android versions this is part of Play Protect)
- Security updates: Install promptly
Additional measures:
- Install from Play Store only
- Review app permissions
- Consider mobile threat defence
- MDM for business devices
Avoid:
- Unknown sources installation
- Sideloading apps
- Rooting devices
- Ignoring security updates
Additional protection layers
Beyond basic anti-malware, consider:
| Layer | Protection |
|---|---|
| Email gateway | Filters malware before delivery |
| Web proxy | Scans web traffic |
| DNS filtering | Blocks known malicious domains |
| Endpoint Detection (EDR) | Advanced threat detection |
| Network Detection (NDR) | Detects network anomalies |
User awareness
Technology alone isn't sufficient. Users play a critical role:
| Training Topic | Why Important |
|---|---|
| Phishing recognition | Main malware delivery method |
| Suspicious attachments | Don't open unexpected files |
| Download sources | Only trusted sources |
| USB devices | Don't use unknown devices |
| Reporting incidents | Quick response to threats |
If malware is detected
Immediate response
- Don't panic
- Disconnect from the network (unplug the cable or turn off Wi-Fi) but don't power off: memory and running processes are evidence that is lost on shutdown
- Note any symptoms or messages
- Report to IT immediately
- Don't attempt to fix it yourself
IT response
- Isolate affected systems
- Run full malware scan
- Identify malware type
- Determine scope of infection
- Clean or rebuild systems
- Investigate entry point
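The IT response steps above are easier to carry out consistently as a script that is written before the incident. What follows is an added example, not part of the original guide: a first-response script for a Windows host that Defender has flagged. It captures the volatile network state, isolates the host without powering it off, records what Defender detected and which process delivered it, collects common persistence points, and starts a full scan. It assumes an elevated PowerShell session on the affected host (or PowerShell remoting to it); the evidence folder under ProgramData is an assumed location.

```powershell
#Requires -RunAsAdministrator
# Added example: first-hour triage for a Windows host flagged by Microsoft Defender.
$case = "IR-$(Get-Date -Format 'yyyyMMdd-HHmm')-$env:COMPUTERNAME"
$dir  = Join-Path $env:ProgramData $case          # assumed evidence location
New-Item -ItemType Directory -Path $dir -Force | Out-Null
function Save($name, $data) {
    # Export only when there is something to export; an empty pipeline would error
    if ($data) { $data | Export-Csv (Join-Path $dir "$name.csv") -NoTypeInformation }
}

# 1. Network state first: it disappears the moment the host is isolated
Save 'connections' (Get-NetTCPConnection -State Established |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, OwningProcess,
        @{n='Process';e={(Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName}})

# 2. Isolate: disable every active adapter. Do not shut down; memory and processes are evidence
$adapters = Get-NetAdapter | Where-Object Status -eq 'Up'
Save 'adapters' ($adapters | Select-Object Name, InterfaceDescription, MacAddress)
$adapters | Disable-NetAdapter -Confirm:$false

# 3. What did Defender detect, which process delivered it, and did remediation succeed?
Save 'detections' (Get-MpThreatDetection | Sort-Object InitialDetectionTime |
    Select-Object InitialDetectionTime, ThreatID, ProcessName, ActionSuccess,
        @{n='Resources';e={$_.Resources -join '; '}})
Save 'threats' (Get-MpThreat | Select-Object ThreatID, ThreatName, SeverityID, IsActive)

# 4. Running processes and common persistence points, before anything is cleaned
Save 'processes' (Get-Process -IncludeUserName -ErrorAction SilentlyContinue |
    Select-Object Id, ProcessName, Path, UserName, StartTime)
Save 'tasks' (Get-ScheduledTask | Where-Object State -ne 'Disabled' |
    Select-Object TaskName, TaskPath, @{n='Execute';e={$_.Actions.Execute -join ' '}})
Get-ItemProperty 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
                 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue |
    Out-File (Join-Path $dir 'run-keys.txt')

# 5. Defender's own log (1116 = malware detected, 1117 = action taken), then a full scan
Save 'defender-events' (Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1116, 1117 } |
    Select-Object TimeCreated, Id, Message)
Start-MpScan -ScanType FullScan
Write-Host "Evidence saved to $dir. If the threat executed, rebuild the system rather than clean it."
```

The detections export is what answers "investigate entry point": the ProcessName column shows whether the file arrived via the mail client, the browser, an archive tool or a USB mount, and the timestamps line up with the user's account of what they opened. Copy the evidence folder off the host before rebuilding.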
Post-incident
- Document the incident
- Identify lessons learned
- Implement preventive measures
- Update protections
- Consider whether breach notification is needed (in the UK, a personal data breach must be reported to the ICO within 72 hours of becoming aware of it unless it is unlikely to result in a risk to individuals)
Signs of possible infection
| Symptom | Possible Cause |
|---|---|
| Slow performance | Malware consuming resources |
| Pop-ups or ads | Adware infection |
| Unknown programs | Trojan or potentially unwanted program |
| Files encrypted | Ransomware |
| Browser redirects | Browser hijacker |
| High network activity | Data exfiltration or spam bot |
| Security software disabled | Malware self-protection |
Pre-certification checklist
- Anti-malware installed on all in-scope devices
- Real-time protection enabled
- Automatic updates configured
- Regular scans scheduled
- Web protection enabled
- Email scanning configured
- Mobile devices protected
- No unmanaged devices in scope
- Protection centrally managed (if applicable)
Common malware protection issues
| Issue | Risk | Solution |
|---|---|---|
| Protection disabled | No defence | Enable and prevent disabling |
| Outdated signatures | Can't detect new threats | Enable auto-updates |
| No scheduled scans | Missed infections | Schedule regular scans |
| Unprotected devices | Infection vector | Ensure all devices covered |
| Free/personal AV | Personal licences usually exclude business use and lack central management and reporting | Use a business-grade, centrally managed solution |
| No mobile protection | Mobile malware risk | Implement mobile security |
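The pre-certification checklist and the common issues table above reduce to a handful of per-device facts, so the fastest way to find gaps before an assessment is to ask every in-scope Windows device for them. This is an added example, not a tool from the original guide; it assumes PowerShell remoting is enabled on the targets, that you hold administrative rights on them, and that the hostnames in $computers are replaced with your own device list. The thresholds mirror the guide: signatures no older than a day, a quick scan within a day, a full scan within a week.

```powershell
# Added example: audit in-scope Windows devices against the malware protection checklist.
$computers = @('WS-001', 'WS-002', 'SRV-FILE01')   # placeholder hostnames: replace with yours

$results = Invoke-Command -ComputerName $computers -ErrorAction SilentlyContinue -ScriptBlock {
    $s = Get-MpComputerStatus
    $p = Get-MpPreference
    [pscustomobject]@{
        Computer          = $env:COMPUTERNAME
        AVEnabled         = $s.AntivirusEnabled
        RealTime          = $s.RealTimeProtectionEnabled
        TamperProtected   = $s.IsTamperProtected
        SignatureAgeDays  = $s.AntivirusSignatureAge
        QuickScanAgeDays  = $s.QuickScanAge
        FullScanAgeDays   = $s.FullScanAge
        RemovableScanning = -not $p.DisableRemovableDriveScanning
        CloudProtection   = $p.MAPSReporting -ne 0
    }
}

# A device that did not answer is unmanaged or offline; either way it cannot be shown compliant
$missing = @($computers | Where-Object { $_ -notin @($results.PSComputerName) })

$report = @(foreach ($r in $results) {
    $issues = @()
    if (-not $r.AVEnabled)          { $issues += 'Protection disabled' }
    if (-not $r.RealTime)           { $issues += 'Real-time protection off' }
    if (-not $r.TamperProtected)    { $issues += 'Tamper protection off' }
    if ($r.SignatureAgeDays -gt 1)  { $issues += "Signatures $($r.SignatureAgeDays) days old" }
    if ($r.QuickScanAgeDays -gt 1)  { $issues += 'No quick scan in the last day' }
    if ($r.FullScanAgeDays -gt 7)   { $issues += 'No full scan in the last week' }
    if (-not $r.RemovableScanning)  { $issues += 'Removable media scanning off' }
    if (-not $r.CloudProtection)    { $issues += 'Cloud-delivered protection off' }
    [pscustomobject]@{
        Computer = $r.Computer
        Status   = if ($issues) { 'FAIL' } else { 'PASS' }
        Issues   = $issues -join '; '
    }
})
$report += @(foreach ($m in $missing) {
    [pscustomobject]@{ Computer = $m; Status = 'FAIL'; Issues = 'Unreachable: unmanaged or offline' }
})

$report | Sort-Object Status, Computer | Format-Table -AutoSize
$report | Export-Csv -Path .\malware-protection-audit.csv -NoTypeInformation
```

Run it weekly rather than once before the assessment: the unreachable list is the "no unmanaged devices in scope" check, and a device that keeps appearing there is either missing from management or should be removed from scope. Hosts running a third-party product instead of Defender need the equivalent query from that product's console or agent, since Get-MpComputerStatus reports only on Defender.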
How Bastion can help
Comprehensive malware protection requires the right tools and proper configuration.
| Challenge | How We Help |
|---|---|
| Solution selection | We guide you on appropriate protection for your environment |
| Configuration | We ensure best-practice implementation |
| Coverage verification | We help ensure all devices are protected |
| Incident response | We provide malware response procedures |
| Monitoring | We can alert on threat detection |
Working with a managed service partner means your malware protection is set up correctly from the start and maintained over time. We help ensure nothing falls through the gaps—no unprotected devices, no outdated signatures, no disabled protections.
Need help implementing malware protection? Talk to our team
