Enable Anti-Malware Solutions
Plain English Translation
Organizations must install and activate anti-malware software on all connected devices to protect against viruses, ransomware, and spyware. This endpoint protection software must be configured to update its threat definitions automatically and actively block malicious files from running on the system.
Technical Implementation
Required Actions (startup)
- Install basic anti-malware software on all endpoints.
- Enable automatic daily updates for virus definitions.
- Configure real-time scanning to block malicious file execution.
Required Actions (scaleup)
- Deploy a centrally managed endpoint protection platform.
- Lock client settings to prevent end-users from disabling anti-malware software.
- Monitor endpoints for definition update failures.
Required Actions (enterprise)
- Implement advanced Endpoint Detection and Response (EDR) solutions.
- Integrate anti-malware alerts with a centralized logging or SIEM platform.
- Automate isolation of infected hosts during malware detection events.
CyberSecure Canada Section 5.3.2.1 requires organizations to enable anti-malware solutions that update automatically and prevent malware from executing on all connected devices.
Organizations should use a centrally managed endpoint protection platform to enforce policy settings. This allows administrators to verify that automatic updates are turned on and cannot be disabled by standard users.
Real-time scanning, behavioral monitoring, and active protection features must be enabled within the anti-malware software. These settings intercept and block malicious payloads before they can run.
Auditors will review centralized management dashboards or request screenshots from individual endpoints. This evidence must show the software status as active and the virus definitions as recently updated.
The standard requires protection across all connected devices within the organizational network, not only user workstations. This includes servers, desktop computers, and laptops, so that no endpoint that can execute or relay a malicious file is left uncovered.
Antivirus and anti-malware generally refer to software that blocks known threats, primarily by matching signatures and, in most current products, heuristic rules. Endpoint Detection and Response (EDR) goes further by recording process, file, and network activity on the host and flagging anomalous behavior for investigation and response. Baseline compliance simply requires functional, auto-updating anti-malware; EDR is the enterprise-tier enhancement.
While real-time protection is the primary requirement to prevent execution, organizations should schedule full system scans at least weekly. This ensures dormant or hidden threats are identified.
Exclusions should be strictly limited to trusted applications that experience performance issues, and scoped as narrowly as possible (a specific file or process path rather than an entire directory or file type). They must be documented, approved by IT management, and regularly reviewed to ensure they do not become blind spots that malware can use to evade scanning.
Organizations should retain centralized configuration policies showing automatic updates are enforced. Additionally, alert logs of prevented malware executions and daily definition update reports serve as strong evidence.
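The audit checks described above (every inventoried host reporting to the console, real-time and tamper protection enabled, definitions recently updated) can be scripted against a console export rather than gathered by hand. The following is an added example, not code from CyberSecure Canada, WatchDog Security, or any endpoint-protection vendor. The CSV columns, the two-day staleness threshold, the host names, and the export contents are all constructed assumptions; a real console uses its own schema and the threshold should match the organization's update policy.

```python
"""Audit an endpoint-protection console export against the asset inventory.

Added example, not from the original page. The CSV column layout is an
assumed generic export format, not any vendor's real schema.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Assumed policy: definitions must update daily; allow one day of slack.
MAX_DEFINITION_AGE = timedelta(days=2)

# Constructed data: the asset inventory is the source of truth for coverage.
ASSET_INVENTORY = ["fs01", "ws-alice", "ws-bob", "ws-carol", "srv-db01"]

# Constructed console export (srv-db01 is deliberately absent from it).
CONSOLE_EXPORT = """\
hostname,agent_version,realtime_protection,tamper_protection,definitions_updated
fs01,4.18.2,true,true,2026-02-24T03:10:00Z
ws-alice,4.18.2,true,true,2026-02-24T06:45:00Z
ws-bob,4.18.2,false,true,2026-02-24T06:50:00Z
ws-carol,4.17.9,true,false,2026-02-10T02:00:00Z
"""

# Constructed reference time for the audit run.
AUDIT_TIME = datetime(2026, 2, 24, 12, 0, tzinfo=timezone.utc)


def _flag(value):
    return value.strip().lower() == "true"


def parse_export(text):
    """Parse the export into {hostname: status dict}."""
    rows = {}
    for row in csv.DictReader(io.StringIO(text)):
        rows[row["hostname"]] = {
            "agent_version": row["agent_version"],
            "realtime_protection": _flag(row["realtime_protection"]),
            "tamper_protection": _flag(row["tamper_protection"]),
            # Accept the trailing "Z" form on any Python 3 version.
            "definitions_updated": datetime.fromisoformat(
                row["definitions_updated"].replace("Z", "+00:00")
            ),
        }
    return rows


def audit(inventory, export_rows, now):
    """Return {hostname: [issues]} for every inventoried host that fails a check.

    A host with no entry in the export is a coverage gap: either the agent is
    missing or it has stopped reporting, and both are findings.
    """
    findings = {}
    for host in inventory:
        issues = []
        status = export_rows.get(host)
        if status is None:
            issues.append("not reporting to console")
        else:
            if not status["realtime_protection"]:
                issues.append("real-time protection disabled")
            if not status["tamper_protection"]:
                issues.append("tamper protection disabled")
            age = now - status["definitions_updated"]
            if age > MAX_DEFINITION_AGE:
                issues.append(f"definitions stale ({age.days} days)")
        if issues:
            findings[host] = issues
    return findings


def run_audit():
    """Run the audit over the constructed data; returns the findings dict."""
    return audit(ASSET_INVENTORY, parse_export(CONSOLE_EXPORT), AUDIT_TIME)


if __name__ == "__main__":
    for host, issues in sorted(run_audit().items()):
        print(f"{host}: {'; '.join(issues)}")
```

Run against a real export, the script's empty-findings result is itself audit evidence for a given date, and the non-empty result is the work list: a host missing from the console is the first thing to chase, because a console dashboard alone can only report on agents that are still checking in.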
If remote or BYOD devices connect to corporate IT resources, they must adhere to the same anti-malware requirements. Organizations often enforce this through mobile device management or conditional access policies.
Anti-malware compliance often fails on proof, not intent—teams struggle to show consistent coverage, update status, and enforcement across fleets. Tools like WatchDog Security's Compliance Center can map this control to required evidence (e.g., endpoint policy exports, update reports, alert logs) and flag gaps when evidence is missing or stale during audit prep.
Exclusions can create blind spots if they are added ad hoc and never reviewed, which increases residual risk over time. Tools like WatchDog Security's Risk Register can record each exclusion as a tracked risk with rationale, approvals, review cadence, and compensating controls so you can demonstrate governance and ongoing oversight.
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2026-02-24 | WatchDog Security GRC Team | Initial publication |