Malware Protection for Cyber Essentials: What You Need

Malware protection is one of the five Cyber Essentials controls and it's usually the simplest to meet, because most devices already come with built-in antivirus. The requirement isn't to buy expensive software; it's to confirm that what you've already got is turned on, updated, and configured properly.
That sounds obvious, and yet it's one of the more common assessment failures, not because businesses lack malware protection, but because something about the configuration isn't right. Real-time scanning disabled, automatic updates turned off, or a device that got missed entirely.
What the requirement actually says
The CE requirements for malware protection are specific. Your anti-malware software must:
- Be installed on every in-scope device
- Be set to update automatically (at least daily)
- Be configured to scan files when they're accessed or downloaded (real-time scanning)
- Be configured to prevent connections to malicious websites (web filtering)
That's the core requirement, and you can meet it through traditional anti-malware software, application allowlisting, or sandboxing. Most businesses use traditional anti-malware because it's what's already installed.
What counts as malware protection?
Windows devices
Microsoft Defender Antivirus (built into Windows 10 and 11) meets the requirement. It's free, it updates automatically through Windows Update, and it includes real-time scanning and web protection through SmartScreen.
If Defender is turned on and you haven't disabled any of its default features, your Windows devices likely meet this control already. The most common problem: a third-party tool was installed at some point, partially disabled Defender, and then got uninstalled, leaving Defender in a broken state. Check that it's actually running, not just installed.
Enterprise endpoint protection tools (CrowdStrike, SentinelOne, Sophos, Bitdefender, and similar) also meet the requirement. If you're using one of these, make sure it's deployed on every device in scope, not just some.
macOS devices
macOS includes XProtect (signature-based malware detection) and Gatekeeper (application verification). Together, these can meet the CE malware protection requirement. But you need to confirm:
- XProtect is active (it should be by default, but check)
- Gatekeeper is set to "App Store and identified developers" or "App Store" only
- Automatic security updates are turned on
- The operating system is still receiving security updates (not past end of life)
Some assessors prefer to see a dedicated anti-malware tool on macOS devices because it's easier to evidence during CE Plus. If you're going for CE Plus, consider whether the built-in tools provide enough documentation for the technical audit.
Linux devices
Linux devices in scope need malware protection. The requirement doesn't make exceptions by operating system. Options include ClamAV (free, open source) or commercial endpoint tools that support Linux. The same rules apply: automatic updates, real-time scanning, and web filtering.
Mobile devices
Phones and tablets used for work are in scope. Android and iOS both have built-in security features.
For Android: Google Play Protect provides malware scanning and it's enabled by default. If the device is in scope, confirm Play Protect is active and the device is running a supported version of Android.
For iOS: Apple's app sandboxing model means all apps run in isolation, which meets the sandboxing approach to malware protection. But the device must be running a supported version of iOS (one that still receives security updates).
Cloud servers (IaaS)
If you manage virtual machines in the cloud (AWS EC2, Azure VMs, Google Compute Engine), each one needs malware protection installed. The cloud provider doesn't do this for you. It's the same as having a physical server in your office. Install anti-malware, configure it for real-time scanning, and keep it updated.
SaaS and PaaS
For SaaS services (Microsoft 365, Google Workspace), the provider handles malware protection at the infrastructure level. You don't need to install antivirus on your Microsoft 365 tenant. But you should confirm that built-in protections (like Microsoft Defender for Office 365 or Google's email scanning) are enabled.
For PaaS, the provider handles the underlying platform. Your responsibility depends on what you're deploying on it.
The configuration mistakes that fail assessments
Real-time scanning turned off
This is the most common malware protection failure by a wide margin. Someone disabled real-time scanning because it was slowing down their computer, or a software installation instructed them to temporarily disable it and they never turned it back on.
Check every device in scope and confirm real-time scanning is active. If performance is genuinely an issue, look at scan exclusions for specific folders (like development environments) rather than disabling scanning entirely.
Automatic updates disabled
Anti-malware signatures need to update at least daily. If automatic updates are off (or blocked by a network policy), the signatures go stale and the protection becomes less effective. The assessor will check update status, and outdated signatures are a failure.
One device missed
You've deployed antivirus across 50 laptops but the reception iPad doesn't have it. Or the test device in the corner that nobody's used in months. Or the personal phone that accesses work email.
Every device in scope needs malware protection. The sample-based testing in CE Plus means any device could be the one that gets checked.
Third-party and built-in tools conflicting
Running two anti-malware products simultaneously can cause conflicts. If you installed a trial of a commercial tool and then let it expire, it might have left components that interfere with Defender. Or Defender might be in "passive mode" because it detected another product that's no longer actually protecting the device.
Check that you have one properly functioning anti-malware product on each device, not two half-working ones.
Application allowlisting as an alternative
The CE requirements recognise application allowlisting as an alternative to traditional anti-malware. Allowlisting means only approved applications can run on a device. Anything not on the list is blocked.
This approach is more restrictive but more secure. It's commonly used on servers and kiosk devices where the applications are well-defined. For general-purpose workstations, it can be impractical because users need to install and update various applications.
Windows has AppLocker and Windows Defender Application Control (WDAC) for allowlisting, and macOS has MDM-based restrictions. If you're using allowlisting, make sure the policy is actually enforced (not just in audit mode) and covers all executable types.
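An added example, not code from the original article, of the "enforced, not audit mode, all executable types" check for AppLocker. It assumes AppLocker is the allowlisting tool in use (WDAC policies are inspected differently) and that it runs on the device being checked, as an administrator.

```powershell
# Added example: confirm the effective AppLocker policy enforces (rather than audits)
# every rule collection CE expects allowlisting to cover, and that the service
# applying it is running. Assumes AppLocker, not WDAC, is the allowlisting tool.
$policy   = Get-AppLockerPolicy -Effective
$expected = 'Exe', 'Dll', 'Script', 'Msi', 'Appx'   # all executable types, per the CE wording

# Map each configured collection to its enforcement mode.
$present = @{}
foreach ($rc in $policy.RuleCollections) {
    $present[[string]$rc.RuleCollectionType] = [string]$rc.EnforcementMode
}

# A collection that is missing or AuditOnly is a gap the assessor will record.
$findings = foreach ($type in $expected) {
    $mode = if ($present.ContainsKey($type)) { $present[$type] } else { 'NotConfigured' }
    $status = switch ($mode) {
        'Enabled'   { 'enforced' }
        'AuditOnly' { 'AUDIT ONLY: events are logged but nothing is blocked' }
        default     { 'NOT CONFIGURED: this file type is unrestricted' }
    }
    [pscustomobject]@{ Collection = $type; Mode = $mode; Status = $status }
}
$findings | Format-Table -AutoSize

# Without the Application Identity service, no AppLocker rule is applied at all.
$appid = Get-Service -Name AppIDSvc
if ($appid.Status -ne 'Running') {
    Write-Warning "AppIDSvc is $($appid.Status): the AppLocker policy is not being enforced"
}
```

Screenshot the table output alongside the Group Policy report; together they evidence both the policy content and its enforcement state.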
Sandboxing
Running all applications in sandboxed environments is the third approach the CE requirements accept. iOS uses this by default (all apps run in their own sandbox), and ChromeOS does the same. If your devices run one of these operating systems, the sandboxing model can satisfy the malware protection requirement without additional tools.
For other platforms, sandboxing is less common as a full approach, and most organisations use traditional anti-malware instead.
What about web filtering?
The CE requirements include preventing connections to malicious websites as part of the malware protection control. This is sometimes overlooked because people think of malware protection as just antivirus.
Windows Defender SmartScreen provides web filtering through Microsoft Edge and at the system level. Most commercial endpoint tools include web filtering as standard, and Google Safe Browsing covers Chrome. If you're using one of these and haven't disabled the web filtering component, you're likely covered.
The assessor may ask how you prevent users from accessing malicious websites. "We use SmartScreen in Defender" or "our endpoint tool includes web protection" are both valid answers.
If you're using a browser that doesn't have built-in web filtering and your endpoint tool doesn't cover it, you'll need a separate solution. DNS-based filtering (like Cloudflare Gateway or Quad9) is one option. But for most businesses using standard tools, web filtering is already active without additional setup.
What the CE Plus audit checks
During a CE Plus technical audit, the assessor checks malware protection by examining sampled devices directly. They'll look at:
- Whether anti-malware is installed and active (not just present but actually running)
- The last update date for malware signatures (should be within the last day or two)
- Whether real-time scanning is enabled
- Whether any exclusions have been configured that might leave gaps
- Whether web protection is active
If you're using a central management console for your endpoint tool, the assessor may also look at the dashboard to check deployment status across your estate.
The most common CE Plus finding for malware protection: a device where the tool is installed but real-time scanning is in "audit only" mode rather than "block" mode. Check your configuration carefully before the assessment begins.
Common misconceptions
"Macs don't need antivirus." macOS has built-in protections (XProtect, Gatekeeper, MRT) that can meet the CE requirement. But they need to be active. Some organisations disable Gatekeeper to install unsigned applications, which undermines the protection. If your Mac users have disabled security features to install software, those features need turning back on before the assessment.
The bigger issue with Macs in CE assessments is evidence. Windows Defender has a clear dashboard showing real-time protection status, last scan time, and signature currency. macOS doesn't have an equivalent single view. If the assessor asks for evidence of malware protection on your Macs, you need to demonstrate that XProtect is running and current. The command line tool system_profiler SPInstallHistoryDataType shows XProtect update history, and checking "Full Disk Access" in System Settings shows which security tools have the permissions they need.
"Our firewall stops malware." Your firewall controls network traffic. It doesn't scan files on devices. Some next-generation firewalls do include malware scanning features, but those protect traffic passing through the firewall, not files already on a device. You still need endpoint protection on each device. The two controls work together but neither replaces the other.
"We use Google Workspace, so Google handles our malware protection." Google scans email attachments and Drive files at the platform level. That covers SaaS-level protection. But it doesn't protect the device itself. If a user downloads a file and opens it locally, Google's scanning has already happened at the platform layer. The device's local anti-malware protection handles what happens next.
Checking antivirus status across your estate
If you've got more than 10 devices, manually checking each one is tedious but necessary unless you have a central management tool. For Windows devices on a domain, you can use Group Policy reporting or Windows Security Centre remotely. For standalone devices, someone has to check each one.
A quick method for Windows devices: open the Security app and check that "Virus and threat protection" shows "Real-time protection is on" and the definitions are current (within the last 24 hours), then screenshot each one. That's your evidence file for the assessment.
For organisations with 50 or more devices, a central endpoint management tool pays for itself in assessment preparation time alone. Microsoft Intune, CrowdStrike Falcon, or SentinelOne all provide a dashboard view of protection status across every device. You can show the assessor a single screen confirming every device is protected, rather than a folder of 50 screenshots.
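An added example, not code from the original article, that gathers the items listed under the CE Plus audit checks (running, real-time scanning, signature age, exclusions, web protection, passive mode) from Windows devices running Microsoft Defender Antivirus and writes them to an evidence CSV. It assumes the Defender cmdlets are available (Windows 10/11, Server 2016 and later), that remote names are reachable over WinRM, and that it runs as an administrator; the report path is a placeholder.

```powershell
# Added example: collect CE Plus malware protection evidence from Windows devices
# running Microsoft Defender Antivirus. Assumes the Defender cmdlets, WinRM for
# remote names, and an administrative session. Report path is a placeholder.
param(
    [string[]]$ComputerName = @('localhost'),
    [string]$ReportPath = "$env:USERPROFILE\ce-malware-evidence.csv"
)

# Per-device check: each property maps to one line of the CE malware protection requirement.
$check = {
    $s = Get-MpComputerStatus
    $p = Get-MpPreference
    [pscustomobject]@{
        Computer           = $env:COMPUTERNAME
        AntivirusEnabled   = $s.AntivirusEnabled            # installed AND running
        RealTimeProtection = $s.RealTimeProtectionEnabled   # must be True
        RunningMode        = $s.AMRunningMode               # 'Normal'; 'Passive Mode' means another product took over
        SignatureAgeDays   = $s.AntivirusSignatureAge       # CE: updated at least daily
        SignatureUpdated   = $s.AntivirusSignatureLastUpdated
        NetworkProtection  = $p.EnableNetworkProtection     # Defender web filtering: 1 block, 2 audit only, 0 off
        ExclusionPaths     = ($p.ExclusionPath -join ';')   # gaps the assessor will ask about
        ExclusionProcesses = ($p.ExclusionProcess -join ';')
    }
}

# Gather from every device named; the local machine is checked without WinRM.
$results = foreach ($c in $ComputerName) {
    if ($c -in @('localhost', $env:COMPUTERNAME)) { & $check }
    else { Invoke-Command -ComputerName $c -ScriptBlock $check }
}

# Turn the raw values into the findings that would fail the control.
foreach ($r in $results) {
    $problems = @()
    if (-not $r.AntivirusEnabled)    { $problems += 'antivirus not running' }
    if (-not $r.RealTimeProtection)  { $problems += 'real-time protection off' }
    if ($r.RunningMode -ne 'Normal') { $problems += "running mode is '$($r.RunningMode)': confirm which product is active" }
    if ($r.SignatureAgeDays -gt 1)   { $problems += "signatures $($r.SignatureAgeDays) days old" }
    if ($r.NetworkProtection -ne 1)  { $problems += 'network protection not blocking: confirm SmartScreen or browser filtering instead' }
    if ($r.ExclusionPaths -or $r.ExclusionProcesses) { $problems += 'exclusions configured: review and justify' }
    $r | Add-Member -NotePropertyName Findings -NotePropertyValue ($problems -join '; ')
}

$results | Format-Table Computer, RealTimeProtection, RunningMode, SignatureAgeDays, Findings -AutoSize
$results | Export-Csv -Path $ReportPath -NoTypeInformation   # the evidence file for the assessment
```

A device with an empty Findings column meets the Windows part of the control; anything else is a five-minute fix to make before the assessor samples it.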
Practical steps before your assessment
- Check every device in scope has anti-malware protection installed and running
- Confirm real-time scanning is active on each one (not just audit mode)
- Confirm automatic updates are enabled and signatures are current
- Check that web filtering or SmartScreen is active
- Document what you're using on each device type (Defender on Windows, XProtect on Mac, Play Protect on Android)
- If you're using a commercial endpoint tool, confirm it's deployed to every device, not just some
- Check for conflicting products that might have left one tool in passive mode
If you can evidence all of those, the malware protection control is covered.
What I see in assessments
After 800+ certifications, the malware protection control has the highest gap between confidence and reality. Businesses tell me "yes, we've got antivirus on everything" and genuinely believe it. Then we check, and there's a tablet with nothing installed, a Mac with Gatekeeper disabled, or a Windows machine where Defender is in passive mode because Norton expired six months ago.
The fix is always quick, and that's the good part. Unlike a patching backlog that takes days to clear, a malware protection gap usually takes five minutes per device. Turn on real-time scanning, confirm signatures are current, and move on. The problem isn't the difficulty of the fix; it's awareness that something needs fixing in the first place.
My suggestion: before your assessment, open every device in scope and physically confirm the anti-malware product is running. Don't trust what the MDM dashboard says. Don't trust what you remember from last month. Open the security app, look at the status, and screenshot it. That process takes about two minutes per device and it's the most reliable evidence you can give the assessor.
One more thing worth checking before your assessment. If you're running a commercial endpoint tool alongside Windows Defender, make sure you know which one is active. I've seen machines where both are installed, neither is fully functional, and the user thinks they're protected. Pick one, make sure it's the active one, and uninstall or fully disable the other.