QW: Monitor workstations, servers, and mobile devices for active, up-to-date anti-malware protection with anti-virus, anti-spyware, and host-based Intrusion Prevention System functionality. Use the enterprise administrative features of the anti-malware suite to check daily how many systems lack the latest anti-malware signatures, and keep that number small or eliminate it entirely through rapid and continuous updates. All malware detection events should be sent to enterprise anti-malware administration tools and event log servers.
QW: Employ software auto-update features and/or have administrators push updates to all machines on a regular basis. After an update is applied, have systems automatically verify that each machine actually received it, rather than assuming the push succeeded.
QW: Configure laptops, workstations, and servers so that they will not auto-run content from USB tokens (i.e., “thumb drives”), USB hard drives, or CDs/DVDs.
QW: Configure systems so that they conduct an automated anti-malware scan of removable media when it is inserted.
Config/Hygiene: New updates to the malware signature base of each anti-malware tool should be tested in a non-production environment to verify that they do not negatively impact systems before they are pushed to production machines.
Config/Hygiene: To verify that anti-malware solutions are running, periodically introduce a benign, non-spreading test case, such as the EICAR anti-virus test file, onto a system in the environment to ensure that it is detected by the anti-malware system, and that the detection is reported to the enterprise management system.
Advanced: Deploy honeypots or tarpits as detection mechanisms that can also slow down an attacker's progress inside a network.
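The two removable-media quick wins above (no auto-run from USB or optical media, and scanning of inserted media) come down to a handful of host settings on Windows. The script below is an added example, not text from the control itself; it assumes a Windows 10/11 or Windows Server host running Microsoft Defender Antivirus, an elevated PowerShell session, and the documented Explorer policy values NoDriveTypeAutoRun and NoAutorun. The function at the end is the part a compliance job would run daily, so drift is detected rather than assumed away.

```powershell
# Added example: harden removable-media handling on one Windows host and verify it.
# Assumes Microsoft Defender Antivirus; run from an elevated session.
$policy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
if (-not (Test-Path $policy)) { New-Item -Path $policy -Force | Out-Null }

# NoDriveTypeAutoRun = 0xFF: disable AutoPlay for every drive type
# (removable, fixed, CD/DVD, network, RAM disk, unknown).
Set-ItemProperty -Path $policy -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord

# NoAutorun = 1: ignore autorun.inf entirely, so inserted media can never launch a program.
Set-ItemProperty -Path $policy -Name NoAutorun -Value 1 -Type DWord

# Defender side: include removable drives in full scans, and keep real-time protection on,
# which is what actually scans files on the media as soon as they are opened.
Set-MpPreference -DisableRemovableDriveScanning $false
Set-MpPreference -DisableRealtimeMonitoring $false

# Verification: read the settings back instead of trusting that the writes took effect.
function Test-RemovableMediaHardening {
    $p  = Get-ItemProperty -Path $policy -ErrorAction SilentlyContinue
    $mp = Get-MpPreference
    [pscustomobject]@{
        AutoPlayDisabled       = ($p.NoDriveTypeAutoRun -eq 0xFF)
        AutorunInfIgnored      = ($p.NoAutorun -eq 1)
        RemovableDrivesScanned = (-not $mp.DisableRemovableDriveScanning)
        RealTimeProtection     = (-not $mp.DisableRealtimeMonitoring)
    }
}

# Every field should read True; any False is a finding for the daily review.
Test-RemovableMediaHardening
```

Two caveats. The HKLM Policies key is the same location the "Turn off Autoplay" Group Policy writes, so in a managed fleet these values belong in a GPO or MDM profile and the per-host script is only the check. Defender does not expose a separate "scan on insert" preference: real-time protection scans files on the media when they are accessed, and DisableRemovableDriveScanning governs whether scheduled full scans also walk removable drives; with tamper protection enabled, Set-MpPreference may refuse to change DisableRealtimeMonitoring, which is the desired behaviour.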
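The Config/Hygiene item on introducing a benign test case can be made a repeatable check rather than a manual drop-and-look. The script below is an added example, not part of the control text; it assumes Microsoft Defender Antivirus with real-time protection enabled, an elevated session, and the local Defender operational event log as the artifact a log forwarder would ship to the enterprise console. The 68-byte EICAR string is assembled from two halves so that this script is not itself flagged when stored or mailed. The test file name and the 60-second timeout are illustrative choices.

```powershell
# Added example: drop the EICAR test file, confirm detection, confirm it was logged.
# Assumes Microsoft Defender Antivirus, real-time protection on, elevated session.
function Invoke-EicarCheck {
    param(
        [string]$Path = (Join-Path $env:TEMP 'eicar-check.com'),  # illustrative file name
        [int]$TimeoutSec = 60
    )

    # Standard EICAR string, split so this file does not trip scanners on its own.
    $eicar = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS' + '-TEST-FILE!$H+H*'
    $start = Get-Date
    try {
        # ASCII, no BOM, no trailing newline: the string must be the first 68 bytes.
        [System.IO.File]::WriteAllText($Path, $eicar, [System.Text.Encoding]::ASCII)
    } catch {
        # Real-time protection may refuse the write outright; that still produces a detection.
    }

    # 1. Engine side: wait for Defender to record a detection that names this path.
    $detected = $false
    $deadline = $start.AddSeconds($TimeoutSec)
    while (-not $detected -and (Get-Date) -lt $deadline) {
        $hits = Get-MpThreatDetection -ErrorAction SilentlyContinue |
            Where-Object { $_.InitialDetectionTime -ge $start -and
                           (($_.Resources -join ' ') -like "*$Path*") }
        if ($hits) { $detected = $true } else { Start-Sleep -Seconds 2 }
    }

    # 2. Reporting side: event 1116 (malware detected) in the Defender operational log is
    #    what a SIEM agent or Windows Event Forwarding picks up, so its absence means the
    #    detection would never have reached the enterprise management system.
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1116
        StartTime = $start
    } -ErrorAction SilentlyContinue | Where-Object { $_.Message -like "*$Path*" }

    [pscustomobject]@{
        Path            = $Path
        DetectedLocally = $detected
        FileRemoved     = -not (Test-Path $Path)   # default remediation quarantines the file
        EventLogged     = [bool]$events
    }
}

# All three booleans should be True; a False in EventLogged with True in DetectedLocally
# points at the logging/forwarding path rather than the engine.
Invoke-EicarCheck
```

Whether the event then arrives at the central console is the half this script cannot assert from the host; close the loop by searching the management system for the host name and the EICAR detection after the run.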
Procedures and tools for implementing this control:
Relying on policy and user action to keep anti-malware tools up to date has been widely discredited; it doesn't work. To ensure anti-malware signatures are up to date, effective organizations use automation. They use the built-in administrative features of enterprise endpoint security suites to verify that anti-virus, anti-spyware, and host-based intrusion prevention features are active on every managed system. They run automated assessments daily and review the results to find and remediate systems on which such protections have been deactivated, as well as systems that do not have the latest malware definitions. For added defense in depth, and for those systems that may fall outside enterprise anti-malware coverage, they use network access control technology that tests machines for
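The daily automated assessment described above, as an added example rather than the control's own tooling: it assumes Microsoft Defender Antivirus on the targets and PowerShell Remoting (WinRM) enabled to them, and the host names and the one-day signature age threshold are placeholders. A host that cannot be reached is reported as non-compliant rather than silently dropped, since an unassessable machine is exactly the kind that falls outside coverage.

```powershell
# Added example: fleet-wide anti-malware coverage report for the daily review.
# Assumes Microsoft Defender Antivirus and WinRM on all targets; names are placeholders.
function Get-AntiMalwareCoverage {
    param(
        [string[]]$Computers = @('ws01', 'ws02', 'srv-file01'),   # placeholder host names
        [int]$MaxSignatureAgeDays = 1                              # illustrative threshold
    )

    # Query every host in parallel; connection failures land in $unreachable.
    $results = Invoke-Command -ComputerName $Computers -ErrorAction SilentlyContinue `
                              -ErrorVariable unreachable -ScriptBlock {
        $s = Get-MpComputerStatus
        [pscustomobject]@{
            AMServiceEnabled     = $s.AMServiceEnabled            # engine service running
            RealTimeProtection   = $s.RealTimeProtectionEnabled   # on-access scanning
            AntispywareEnabled   = $s.AntispywareEnabled
            NISEnabled           = $s.NISEnabled                  # network inspection (host IPS role)
            SignatureAgeDays     = $s.AntivirusSignatureAge
            SignatureVersion     = $s.AntivirusSignatureVersion
            SignatureLastUpdated = $s.AntivirusSignatureLastUpdated
        }
    }

    # A host is compliant only if protection is active AND signatures are fresh.
    foreach ($r in $results) {
        $r | Add-Member -NotePropertyName Compliant -PassThru -NotePropertyValue (
            $r.AMServiceEnabled -and $r.RealTimeProtection -and $r.AntispywareEnabled -and
            ($r.SignatureAgeDays -le $MaxSignatureAgeDays))
    }

    # Unreachable hosts: TargetObject carries the computer name for WinRM connection errors.
    foreach ($e in $unreachable) {
        [pscustomobject]@{
            PSComputerName = $e.TargetObject
            Compliant      = $false
            Error          = $e.Exception.Message
        }
    }
}

$report = Get-AntiMalwareCoverage
# The review list: everything that is not compliant, with the reason visible.
$report | Where-Object { -not $_.Compliant } |
    Format-Table PSComputerName, AMServiceEnabled, RealTimeProtection, SignatureAgeDays, Error -AutoSize
# Export-Csv or a ticketing call would follow here so the daily result is kept, not just viewed.
```

The host list would normally come from the directory or asset inventory rather than a literal array, so that machines missing from the anti-malware console still appear in the report; comparing the two sources is what surfaces the systems that fall outside enterprise coverage.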