INF-009 Malware and Endpoint Protection
Description
Managed endpoints and production workloads are protected by anti-malware or endpoint detection and response (EDR) tooling with up-to-date signatures or behavioural detection. Software firewalls are configured on managed endpoints. Unauthorised or user-installed software on production systems is prevented or detected.
Rationale
Malware protection and host-based controls provide a last line of defence against compromised endpoints and malicious code execution in production environments.
Framework Mappings (7)
| ID | Control | Mapping |
| --- | --- | --- |
| UEM-05 | Endpoint Management | full |
| UEM-09 | Anti-Malware Detection and Prevention | full |
| UEM-10 | Software Firewall | full |
| 8.1 | User endpoint devices | partial |
| 8.19 | Installation of software on operational systems | full |
| 8.7 | Protection against malware | full |
| SI-3 | Malicious Code Protection | full |
Evidence (2)
EDR or anti-malware management console report showing deployment coverage, signature/detection engine currency, and alert status across managed endpoints and production workloads.
Example: CrowdStrike Falcon, Microsoft Defender for Endpoint, or SentinelOne management console export showing agent deployment percentage, last signature update, and active alerts for production scope
Test: Export the EDR management console coverage report. Verify: (1) EDR or anti-malware agents are deployed on all managed endpoints and production workloads in scope; (2) signatures or detection models were updated within the vendor-defined maximum interval; (3) any endpoint with a gap in coverage has a documented remediation timeline; (4) host-based firewalls are shown as enabled on managed endpoints.
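The four verification steps above can be applied mechanically to a console export. The following is an added example, not part of this control catalogue or any vendor's tooling: it assumes the export has been normalised to a CSV with the column names shown, uses a constructed sample export, and assumes a 7-day maximum signature interval where the real value comes from the vendor.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample export; the column layout is an assumption, not a vendor format.
SAMPLE_EXPORT = """hostname,scope,agent_installed,last_signature_update,firewall_enabled,remediation_due
web-01,production,yes,2024-05-02,yes,
db-01,production,yes,2024-04-10,yes,
laptop-17,endpoint,no,,no,2024-05-20
laptop-22,endpoint,no,,yes,
"""

REPORT_DATE = date(2024, 5, 6)          # date the export was taken (constructed)
MAX_SIGNATURE_AGE = timedelta(days=7)   # assumed vendor-defined maximum interval


def audit_coverage(export_csv, as_of, max_age=MAX_SIGNATURE_AGE):
    """Apply checks (1)-(4) to each row of the export.

    Returns (findings, tracked_gaps): findings maps hostname -> list of failed
    checks; tracked_gaps lists hosts with no agent that do carry a documented
    remediation date, which satisfies check (3) but still needs follow-up.
    """
    findings, tracked_gaps = {}, []
    for row in csv.DictReader(io.StringIO(export_csv)):
        issues = []
        if row["agent_installed"].lower() != "yes":
            # (1) agent missing; (3) acceptable only with a remediation timeline
            if row["remediation_due"]:
                tracked_gaps.append(row["hostname"])
            else:
                issues.append("no agent and no documented remediation timeline")
        else:
            # (2) signature/detection engine currency
            last = date.fromisoformat(row["last_signature_update"])
            if as_of - last > max_age:
                issues.append(f"signatures stale: last update {last.isoformat()}")
        # (4) host-based firewall must be enabled on managed endpoints
        if row["scope"] == "endpoint" and row["firewall_enabled"].lower() != "yes":
            issues.append("host firewall disabled")
        if issues:
            findings[row["hostname"]] = issues
    return findings, tracked_gaps


if __name__ == "__main__":
    found, gaps = audit_coverage(SAMPLE_EXPORT, REPORT_DATE)
    for host, issues in found.items():
        print(f"{host}: {'; '.join(issues)}")
    print("tracked coverage gaps:", gaps)
```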
Software installation restriction policy configuration (e.g., allowlisting or MDM policy) preventing unauthorised software installation on production systems and managed endpoints.
Example: MDM (Jamf, Intune, or equivalent) software restriction policy configuration export or AWS Systems Manager Inventory report showing unapproved software detected on production instances
Test: Request the software restriction policy configuration export. Verify: (1) a policy is enforced that prevents or alerts on installation of unapproved software; (2) the policy covers all managed endpoints and production workloads; (3) any software installation alerts from the last 90 days have been reviewed and actioned.
Questions (2)
Are managed endpoints and production workloads protected by EDR or anti-malware tooling with up-to-date signatures or behavioural detection, and is unauthorised software installation prevented or detected?
EDR deployment should cover all managed endpoints and, where applicable, production compute workloads. Behavioural detection (EDR) is preferred over signature-only anti-malware.
Which endpoint and workload protection tooling is deployed across production systems and managed endpoints?
A modern EDR agent covering all managed endpoints and host-based firewall enforcement are the minimum expected controls for a SaaS provider.