What this control covers
Malware protection requires organisations to deploy and maintain appropriate measures to detect and block malicious software on all in‑scope devices, such as desktops, laptops and servers. This typically involves using reputable anti‑malware or endpoint protection tools, enabling real‑time scanning and ensuring signatures or detection rules are kept up to date.
The control also encompasses safe use practices and configuration, for example blocking the execution of unknown or untrusted code and restricting users from installing arbitrary software. Effective malware protection, combined with least‑privilege accounts, reduces the likelihood that common malware or ransomware will execute successfully or spread widely across the organisation.
What assessors expect to see
Assessors expect all in-scope devices to be protected against malware using appropriate technical controls.
This may include:
- Anti-malware software on endpoints
- Built-in OS protections enabled and up to date
- Centralised management of malware protection where available
- Regular scanning and real-time protection enabled
For servers and non-standard devices, alternative controls may be acceptable where traditional anti-malware is not suitable; application allow-listing (only explicitly approved executables may run) is the alternative the scheme itself recognises, provided it is enforced and actively maintained rather than left as a default-allow policy.
Common reasons organisations fail
Failures often occur due to assumptions rather than active management, such as:
- Relying on anti-malware that is disabled or out of date
- Using unsupported or consumer-grade tools
- Lack of protection on servers
- No visibility into whether malware protection is functioning
- Assuming built-in protections are enabled by default
In Cyber Essentials Plus (CE+), assessors test sampled devices directly rather than relying on the self-assessment answers, so protection that is installed but inactive, out of date or misconfigured is routinely picked up during those live checks.
Practical tips for SMEs
- Use reputable, vendor-supported malware protection
- Ensure real-time protection is enabled
- Centralise management and reporting where possible
- Include servers and remote devices in scope
- Review alerts and logs regularly
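The checks above (real-time protection enabled, signatures current, scanning actually running, logs reviewed) can be verified on a Windows endpoint rather than assumed. The following script is an added example written for this page; it is not part of the Cyber Essentials guidance or any vendor tooling. It uses the built-in Microsoft Defender Antivirus cmdlets (Get-MpComputerStatus, Get-MpPreference) and the Defender operational event log. The pass/fail thresholds for signature age, scan age and log look-back are assumptions chosen for illustration, not values the scheme mandates, and organisations running a different anti-malware product will need the equivalent queries for that product.

```powershell
# Added example (not from the Cyber Essentials guidance): read-only status check
# for Microsoft Defender Antivirus on Windows 10/11 and Windows Server.
# Run in an elevated PowerShell session. Thresholds below are assumptions.
param(
    [int]$MaxSignatureAgeDays = 1,   # assumption: signatures older than this count as out of date
    [int]$MaxScanAgeDays      = 7,   # assumption: no quick scan within this window is a finding
    [int]$LogLookbackDays     = 30   # assumption: window for "protection was switched off" events
)

$status = Get-MpComputerStatus
$pref   = Get-MpPreference

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Check, [bool]$Ok, [string]$Detail) {
    $findings.Add([pscustomobject]@{
        Check  = $Check
        Result = if ($Ok) { 'PASS' } else { 'FAIL' }
        Detail = $Detail
    })
}

# 1. Engine and service actually running, not merely installed.
Add-Finding 'AM service enabled' $status.AMServiceEnabled "AMServiceEnabled=$($status.AMServiceEnabled)"
Add-Finding 'Antivirus enabled'  $status.AntivirusEnabled "AntivirusEnabled=$($status.AntivirusEnabled)"

# 2. Real-time protection: check both the live status and the configured preference,
#    since a policy can disable it while the status still reports the last-known state.
$rtOk = $status.RealTimeProtectionEnabled -and (-not $pref.DisableRealtimeMonitoring)
Add-Finding 'Real-time protection' $rtOk `
    "RealTimeProtectionEnabled=$($status.RealTimeProtectionEnabled); DisableRealtimeMonitoring=$($pref.DisableRealtimeMonitoring)"

# 3. Signatures current (AntivirusSignatureAge is in days).
$sigOk = $status.AntivirusSignatureAge -le $MaxSignatureAgeDays
Add-Finding 'Signature age' $sigOk `
    "Age=$($status.AntivirusSignatureAge) days; last updated $($status.AntivirusSignatureLastUpdated)"

# 4. Scanning actually happening (QuickScanAge is days since the last quick scan;
#    a device that has never scanned reports a very large value and so fails here).
$scanOk = $status.QuickScanAge -le $MaxScanAgeDays
Add-Finding 'Recent quick scan' $scanOk `
    "QuickScanAge=$($status.QuickScanAge) days; QuickScanEndTime=$($status.QuickScanEndTime)"

# 5. Tamper protection stops a local admin or malware from silently turning the above off.
Add-Finding 'Tamper protection' $status.IsTamperProtected "IsTamperProtected=$($status.IsTamperProtected)"

# 6. Operational log: has protection been disabled or failed to update recently?
#    Defender event IDs: 5001 = real-time protection disabled,
#    5012 = malware scanning disabled, 2001 = security intelligence update failed.
$since  = (Get-Date).AddDays(-$LogLookbackDays)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 5001, 5012, 2001
    StartTime = $since
} -ErrorAction SilentlyContinue   # "no events found" is reported as an error; treat it as zero
$eventCount = @($events).Count
Add-Finding "No disable/update-failure events (last $LogLookbackDays d)" ($eventCount -eq 0) "Count=$eventCount"

$findings | Format-Table -AutoSize

# Non-zero exit so the script can be run from an RMM or scheduled task and alert on failure.
if ($findings.Result -contains 'FAIL') { exit 1 } else { exit 0 }
```

Run it from a central management tool on every in-scope device and treat any FAIL row as an open finding; a device that passes checks 1 to 5 but shows 5001 events in check 6 is exactly the "installed but was switched off" case that assessors look for, and is only visible if someone is reading the log.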
This guidance reflects common assessor interpretations and is intended to support understanding of Cyber Essentials requirements.