Do all work computers have antivirus / endpoint protection?
Demonstrate that all organizational work computers have approved antivirus or endpoint protection software installed, actively running with current definitions, and centrally managed to prevent malware infections.
Description
What this control does
This control requires that all work computers (workstations, laptops, and relevant endpoints) have approved antivirus or endpoint detection and response (EDR) software installed, actively running, and receiving regular signature or threat intelligence updates. Antivirus/endpoint protection detects, quarantines, and remediates known malware, ransomware, and malicious code through signature-based, heuristic, and behavioral analysis methods. Effective implementation includes centralized management, enforcement policies preventing users from disabling protection, and alerting mechanisms for security teams when threats are detected or software becomes non-compliant.
Control objective
What auditing this proves
Demonstrate that all organizational work computers have approved antivirus or endpoint protection software installed, actively running with current definitions, and centrally managed to prevent malware infections.
Associated risks
Risks this control addresses
- Malware execution leading to data exfiltration, encryption, or destruction due to lack of real-time threat detection on unprotected endpoints
- Ransomware propagation across the network when compromised endpoints lack behavioral analysis and remediation capabilities
- Advanced persistent threats establishing footholds through endpoints without monitoring or detection mechanisms
- Regulatory non-compliance and contractual breach resulting from failure to maintain baseline security controls on all work computers
- Insider threats or stolen credentials leveraging unmonitored endpoints to execute malicious scripts or unauthorized software
- Zero-day exploits succeeding due to absence of heuristic or machine-learning-based detection on endpoints
- Business disruption and recovery costs when unprotected systems become infected and spread malware to shared resources or backups
Testing procedure
How an auditor verifies this control
- Obtain a complete inventory of all work computers including workstations, laptops, and managed endpoints from asset management systems or endpoint management consoles.
- Review the organization's antivirus/endpoint protection policy to identify approved software, required configuration settings, update frequencies, and exclusion criteria.
- Access the centralized endpoint protection management console and export a current report showing all enrolled devices, software version, definition/signature dates, and protection status.
- Select a random sample of at least 10-15 endpoints (or 10% of total population, whichever is greater) stratified across departments, locations, and device types for hands-on inspection.
- Physically or remotely inspect each sampled endpoint to verify that the antivirus/EDR software is installed, running as an active service or process, and showing a definition date within the acceptable threshold (typically 24-72 hours).
- Review quarantine logs and alert records from the management console for the past 90 days to confirm detection events are captured, reported, and acted upon.
- Test tamper protection by attempting to disable the antivirus service or modify configuration settings on a sampled endpoint to verify administrative controls prevent unauthorized changes.
- Cross-reference the asset inventory against enrolled devices in the management console to identify any work computers missing from centralized protection coverage and investigate exceptions or gaps.
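The reconciliation and sampling steps above (inventory versus console enrollment, protection status, definition age within the 72-hour threshold, and the "15 or 10%, whichever is greater" stratified sample) can be scripted so the auditor works from exported data rather than by hand. The following Python is an added example and not part of this control text or any vendor's tooling; the CSV column names (`hostname`, `department`, `protection_status`, `definition_date`) and all device records are constructed assumptions, so map them to whatever your console actually exports.

```python
"""Reconcile an asset inventory against an endpoint-protection console export.

Added example (not from the control text). Finds work computers that are
missing from the console, not actively protected, or running stale
definitions, and builds the stratified audit sample. All data is constructed.
"""
import csv
import io
import math
import random
from datetime import datetime, timedelta, timezone

DEFINITION_MAX_AGE_HOURS = 72  # upper end of the 24-72 hour threshold in the procedure

# Constructed asset inventory (hostnames, departments and locations are made up).
ASSET_INVENTORY_CSV = """hostname,department,location,device_type
WS-FIN-001,Finance,HQ,workstation
LT-FIN-002,Finance,Remote,laptop
WS-ENG-003,Engineering,HQ,workstation
LT-ENG-004,Engineering,Remote,laptop
LT-HR-005,HR,HQ,laptop
WS-OPS-006,Operations,Branch,workstation
"""

# Constructed console export; the column names are an assumption about the console.
CONSOLE_EXPORT_CSV = """hostname,agent_version,definition_date,protection_status
WS-FIN-001,7.4.1,2024-06-10T08:00:00Z,enabled
LT-FIN-002,7.4.1,2024-06-05T08:00:00Z,enabled
WS-ENG-003,7.3.9,2024-06-10T06:00:00Z,disabled
LT-ENG-004,7.4.1,2024-06-10T07:30:00Z,enabled
LT-HR-005,7.4.1,2024-06-10T07:00:00Z,enabled
"""

# Fixed "audit time" so the results are reproducible; use datetime.now(timezone.utc) in practice.
NOW = datetime(2024, 6, 10, 12, 0, tzinfo=timezone.utc)


def parse_csv(text):
    """Parse a CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(inventory, console, now=NOW, max_age_hours=DEFINITION_MAX_AGE_HOURS):
    """Return findings keyed by type, each a sorted list of hostnames.

    not_enrolled:        in the asset inventory but absent from the console
    protection_disabled: enrolled but real-time protection is not enabled
    stale_definitions:   definition date older than max_age_hours at audit time
    """
    enrolled = {row["hostname"]: row for row in console}
    findings = {"not_enrolled": [], "protection_disabled": [], "stale_definitions": []}
    for asset in inventory:
        host = asset["hostname"]
        rec = enrolled.get(host)
        if rec is None:
            findings["not_enrolled"].append(host)
            continue  # nothing else can be checked without a console record
        if rec["protection_status"].strip().lower() != "enabled":
            findings["protection_disabled"].append(host)
        defs = datetime.strptime(rec["definition_date"], "%Y-%m-%dT%H:%M:%SZ")
        defs = defs.replace(tzinfo=timezone.utc)
        if now - defs > timedelta(hours=max_age_hours):
            findings["stale_definitions"].append(host)
    return {k: sorted(v) for k, v in findings.items()}


def sample_size(population):
    """At least 15 endpoints or 10% of the population, whichever is greater,
    capped at the population itself for small fleets."""
    return min(population, max(15, math.ceil(population * 0.10)))


def stratified_sample(inventory, size, seed=0):
    """Pick `size` hosts spread across departments by round-robin over the
    strata; a fixed seed keeps the selection reproducible for the workpapers."""
    rng = random.Random(seed)
    strata = {}
    for asset in inventory:
        strata.setdefault(asset["department"], []).append(asset["hostname"])
    for hosts in strata.values():
        rng.shuffle(hosts)
    chosen = []
    while len(chosen) < size and any(strata.values()):
        for dept in sorted(strata):
            if strata[dept] and len(chosen) < size:
                chosen.append(strata[dept].pop())
    return chosen


if __name__ == "__main__":
    inventory = parse_csv(ASSET_INVENTORY_CSV)
    console = parse_csv(CONSOLE_EXPORT_CSV)
    for kind, hosts in reconcile(inventory, console).items():
        print(f"{kind}: {', '.join(hosts) or 'none'}")
    n = sample_size(len(inventory))
    print(f"sample ({n} of {len(inventory)}): {stratified_sample(inventory, n)}")
```

With the constructed data the script reports one host missing from the console, one with protection disabled, and one whose definitions are five days old; each of those is an exception the auditor would investigate under the last step of the procedure. The 72-hour threshold and the sample rule are parameters, so they can be set to whatever the organization's policy actually states.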