This article brings together common customer questions and practical answers based on typical Secureframe workflows, compliance situations and unique tech stacks.
It is meant as quick reference material for day-to-day use of the product.
EDR platforms
Why aren’t my servers syncing with the CrowdStrike integration?
The CrowdStrike integration currently only syncs workstations. Servers are not included in the sync at this time. However, our team is actively working on improvements, and support for servers is expected in the near future.
Malware and antivirus
How are audit logs for the anti-malware solution(s) handled?
Audit logs for the anti-malware solution(s) are enabled and retained in accordance with Requirement 10.5.1.
How can malware enter the network?
Malware can enter the network during many business-approved activities, including employee e-mail (for example, via phishing) and use of the Internet, mobile computers, and storage devices, resulting in the exploitation of system vulnerabilities.
How can organizations be aware of new malware that might affect their systems?
Organizations can be aware of new malware by monitoring vendor security notices and anti-malware forums.
How do entities determine the optimum period to undertake the evaluation of system components not at risk for malware?
Entities determine the optimum period to undertake the evaluation based on criteria such as the complexity of each entity’s environment and the number of types of systems that are required to be evaluated.
How is the frequency of periodic evaluations of system components identified as not at risk for malware defined?
The frequency of periodic evaluations of system components identified as not at risk for malware is defined in the entity’s targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1.
How is the frequency of scans defined if periodic malware scans are performed to meet Requirement 5.3.2?
If periodic malware scans are performed to meet Requirement 5.3.2, the frequency of scans is defined in the entity’s targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1.
How should anti-malware mechanisms be updated?
Anti-malware mechanisms should be updated via a trusted source as soon as possible after an update is available.
How should the anti-malware solution be kept current?
The anti-malware solution(s) is kept current via automatic updates.
Is there a recommended tool for antivirus protection in cloud infrastructure?
There’s no single tool universally required, but any antivirus or endpoint protection platform (EPP) that meets the following criteria would be appropriate:
Actively monitors for malware on production cloud infrastructure
Supports routine scan scheduling and real-time protection
Automatically updates virus definitions
Generates continuous logging for alerting and audit purposes
Is compatible with your deployment environment (e.g., containers, VMs, or serverless platforms)
Commonly used tools in cloud environments include solutions like CrowdStrike Falcon, SentinelOne, Microsoft Defender for Endpoint, and other cloud-native EDR/AV platforms.
Ultimately, the best choice depends on your infrastructure stack, compliance requirements, and ease of integration.
Under what conditions can anti-malware mechanisms be disabled or altered by users?
Anti-malware mechanisms cannot be disabled or altered by users, unless specifically documented and authorized by management on a case-by-case basis for a limited time period.
Until when is the service provider covert malware communication channel detection requirement a best practice?
This requirement is a best practice until 31 March 2025, after which it will be required and must be fully considered during a PCI DSS assessment.
We are looking at Windows 365 for internal and remote contractors. Would this suffice for Anti-malware tests?
As long as you have Microsoft Defender for your endpoints, you should be fine. The enterprise version typically comes with Defender.
What additional security measures may need to be implemented for the period during which anti-malware protection is not active?
Additional security measures that may need to be implemented for the period during which anti-malware protection is not active include disconnecting the unprotected system from the Internet while the anti-malware protection is disabled and running a full scan once it is re-enabled.
What antivirus software is recommended for iOS devices?
iOS devices do not require traditional antivirus software and Secureframe does not run compliance checks on them. If they appear in your Asset Inventory, you can ignore them for tests or mark them as Out of Scope for the relevant frameworks.
What are examples of malware?
Examples include viruses, worms, Trojans, spyware, ransomware, keyloggers, rootkits, malicious code, scripts, and links.
What are examples of types of malware?
Types of malware include, but are not limited to, viruses, Trojans, worms, spyware, ransomware, keyloggers, rootkits, malicious code, scripts, and links.
What capabilities are used by modern anti-malware solutions?
In addition to signature-based tools, capabilities used by modern anti-malware solutions include sandboxing, privilege escalation controls, and machine learning.
What could ad-hoc starting and stopping of anti-malware solutions allow?
Ad-hoc starting and stopping of anti-malware solutions could allow malware to propagate unchecked and undetected.
What defines system components known to be affected by malware?
System components known to be affected by malware have active malware exploits available in the real world (not only theoretical exploits).
What elements are included in the periodic evaluations of system components that are not at risk for malware?
Any system components that are not at risk for malware are evaluated periodically to include the following: a documented list of all system components not at risk for malware; identification and evaluation of evolving malware threats for those system components; and confirmation whether such system components continue to not require anti-malware protection.
What elements are required of the anti-malware solution for removable electronic media?
For removable electronic media, the anti-malware solution(s) must perform automatic scans when the media is inserted, connected, or logically mounted, OR perform continuous behavioral analysis of systems or processes when the media is inserted, connected, or logically mounted.
What elements are required of the anti-malware solution in Requirement 5.3.2?
The anti-malware solution(s) must perform periodic scans and active or real-time scans, OR perform continuous behavioral analysis of systems or processes.
What helps to protect systems from current and evolving malware threats?
Using anti-malware solutions that address all types of malware helps to protect systems from current and evolving malware threats.
What is malicious software (malware)?
Malicious software (malware) is software or firmware designed to infiltrate or damage a computer system without the owner's knowledge or consent, with the intent of compromising the confidentiality, integrity, or availability of the owner’s data, applications, or operating system.
What is required if administrators disable anti-malware on their own computers?
There should be alerting mechanisms in place that fire when such software is disabled, followed by a review to ensure the correct processes (documented approval by management, a limited time period, and a full scan once protection is re-enabled) were followed.
What is required of the deployed anti-malware solution?
The deployed anti-malware solution(s) must detect all known types of malware and remove, block, or contain all known types of malware.
What methods can help detect and address malware communication channels?
Methods that can help detect and address malware communication channels include real-time endpoint scanning, egress traffic filtering, allow listing, data loss prevention tools, and network security monitoring tools such as IDS/IPS.
What should methods to address new trends in malware be incorporated into?
Methods to address new trends should be incorporated into the entity’s configuration standards and protection mechanisms as needed.
What should support the determination that a particular system is not susceptible to any malware?
If an entity determines that a particular system is not susceptible to any malware, the determination should be supported by industry evidence, vendor resources, and best practices.
What should trends in malware be included in?
Trends in malware should be included in the identification of new security vulnerabilities at Requirement 6.3.1.
What solution techniques are used to address malware?
Solution techniques include preventing malware from getting into the network and removing or containing malware that does get into the network.
What steps can help entities during their periodic evaluations of systems not at risk for malware?
The following steps can help entities during their periodic evaluations: Identification of all system types previously determined to not require malware protection; Review of industry vulnerability alerts and notices to determine if new threats exist for any identified system; A documented conclusion about whether the system types remain not susceptible to malware; and A strategy to add malware protection for any system types for which malware protection has become necessary.
What types of controls may anti-malware solutions include?
Anti-malware solutions may include a combination of network-based controls, host-based controls, and endpoint security solutions.
When is it acceptable to temporarily disable a system’s anti-malware protection?
Where there is a legitimate need to temporarily disable a system’s anti-malware protection—for example, to support a specific maintenance activity or investigation of a technical problem—the reason for taking such action should be understood and approved by an appropriate management representative.
When may anti-malware solutions be temporarily disabled?
Anti-malware solutions may be temporarily disabled only if there is a legitimate technical need, as authorized by management on a case-by-case basis.
Who should perform any disabling or altering of anti-malware mechanisms?
Any disabling or altering of anti-malware mechanisms, including on administrators’ own devices, should be performed by authorized personnel.
Why are portable media devices often overlooked as an entry method for malware?
Attackers will often pre-load malware onto portable devices such as USB and flash drives; connecting an infected device to a computer then triggers the malware, introducing new threats within the environment.
Why does an anti-malware solution need to have the latest security updates?
For an anti-malware solution to remain effective, it needs to have the latest security updates, signatures, threat analysis engines, and any other malware protections on which the solution relies.
Why is an anti-malware solution that is updated regularly important?
Without an anti-malware solution that is updated regularly, new forms of malware can be used to attack systems, disable a network, or compromise data.
Why is it important for organizations to be aware of new malware that might affect their systems?
Certain systems, at a given point in time, may not currently be commonly targeted or affected by malware, but industry trends for malware can change quickly.
Why is it important to protect against all types and forms of malware?
It is important to protect against all types and forms of malware to prevent unauthorized access.
Why is it important to track the effectiveness of the anti-malware mechanisms?
It is important to track the effectiveness of the anti-malware mechanisms—for example, by confirming that updates and scans are being performed as expected, and that malware is identified and addressed.
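The two questions about administrators disabling anti-malware (alerting and follow-up) and about tracking effectiveness (confirming updates and scans happen as expected) come down to the same evidence review. The script below is an added example, not Secureframe's code or any vendor's tooling: it parses a constructed, vendor-neutral key=value event log (the hostnames, users, ticket ID and thresholds are all made up for illustration) and raises a finding when definitions are stale, a full scan is overdue, protection was disabled outside a documented management exception, protection was never re-enabled, or no full scan followed re-enabling. Real deployments would feed it the export from their EDR/AV console or SIEM and set the thresholds from their targeted risk analysis.

```python
"""Added example, not Secureframe's code: evidence checks over anti-malware
event logs. The log format is a constructed, vendor-neutral key=value layout;
hosts, users, ticket IDs and thresholds are made up for illustration."""
from datetime import datetime, timedelta, timezone

# Constructed sample events (not real vendor output). One event per line.
SAMPLE_LOG = """\
2024-05-01T08:05:00Z host=web-01 event=scan_completed scope=full threats=0
2024-05-02T09:10:00Z host=web-01 event=protection_disabled user=admin.alice
2024-05-02T09:40:00Z host=web-01 event=protection_enabled user=admin.alice
2024-05-02T09:45:00Z host=web-01 event=scan_completed scope=full threats=0
2024-05-03T08:00:00Z host=web-01 event=definitions_updated version=2024.05.03.1
2024-04-20T08:00:00Z host=db-01 event=definitions_updated version=2024.04.20.1
2024-04-20T08:05:00Z host=db-01 event=scan_completed scope=full threats=0
2024-05-03T14:00:00Z host=db-01 event=protection_disabled user=admin.bob
"""

# Constructed, management-approved exception windows (hypothetical ticket ID).
EXCEPTIONS = [
    {"host": "web-01", "user": "admin.alice", "ticket": "CHG-1042",
     "start": "2024-05-02T09:00:00Z", "end": "2024-05-02T10:00:00Z"},
]

NOW = datetime(2024, 5, 3, 18, 0, tzinfo=timezone.utc)  # evaluation time for the sample
MAX_DEF_AGE = timedelta(hours=24)   # assumed threshold; set from the entity's risk analysis
MAX_SCAN_GAP = timedelta(days=7)    # assumed threshold; set from the entity's risk analysis


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_log(text):
    """Parse 'TIMESTAMP key=value ...' lines into dicts grouped by host, time-ordered."""
    by_host = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        event = {"ts": parse_ts(ts)}
        for field in fields:
            key, _, val = field.partition("=")
            event[key] = val
        by_host.setdefault(event["host"], []).append(event)
    for events in by_host.values():
        events.sort(key=lambda e: e["ts"])
    return by_host


def approved(host, user, ts, exceptions):
    """True if a documented exception covers this host, user and moment."""
    return any(x["host"] == host and x["user"] == user
               and parse_ts(x["start"]) <= ts <= parse_ts(x["end"])
               for x in exceptions)


def check_host(host, events, exceptions, now, max_def_age, max_scan_gap):
    findings = []
    defs = [e["ts"] for e in events if e["event"] == "definitions_updated"]
    if not defs or now - max(defs) > max_def_age:
        findings.append((host, "STALE_DEFINITIONS"))
    scans = [e["ts"] for e in events
             if e["event"] == "scan_completed" and e.get("scope") == "full"]
    if not scans or now - max(scans) > max_scan_gap:
        findings.append((host, "FULL_SCAN_OVERDUE"))
    disabled_since = None
    for e in events:
        if e["event"] == "protection_disabled":
            disabled_since = e["ts"]
            if not approved(host, e.get("user", ""), e["ts"], exceptions):
                findings.append((host, "UNAPPROVED_DISABLE"))
        elif e["event"] == "protection_enabled" and disabled_since is not None:
            # Follow-up after re-enabling: a full scan should have run afterwards.
            if not any(s >= e["ts"] for s in scans):
                findings.append((host, "NO_SCAN_AFTER_REENABLE"))
            disabled_since = None
    if disabled_since is not None:
        findings.append((host, "STILL_DISABLED"))
    return findings


def run_checks(log_text=SAMPLE_LOG, exceptions=EXCEPTIONS, now=NOW,
               max_def_age=MAX_DEF_AGE, max_scan_gap=MAX_SCAN_GAP):
    """Return (host, finding) pairs for every host in the log, sorted for stable output."""
    findings = []
    for host, events in parse_log(log_text).items():
        findings.extend(check_host(host, events, exceptions, now, max_def_age, max_scan_gap))
    return sorted(findings)


if __name__ == "__main__":
    for host, code in run_checks():
        print(f"{host}: {code}")
```

On the sample data web-01 is clean (its disable falls inside the approved window and a full scan followed the re-enable), while db-01 produces four findings: stale definitions, an overdue full scan, a disable with no documented approval, and protection still off at evaluation time. Each finding maps to a question on this page, which is what makes the output usable as audit evidence rather than just an alert.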
Additional customer questions
What should scans include?
Scans should include the entire file system, including all disks, memory, and start-up files and boot records (at system restart) to detect all malware upon file execution, including any software that may be resident on a system but not currently active.
Is a centralized console required for the anti-malware test? Or will other tools such as Windows Defender, XProtect, or ClamAV work?
Yes, tools like Windows Defender, XProtect, or ClamAV can meet anti-malware test requirements. While a centralized console is ideal for managing these tools, it is not a strict requirement.