CIS Control 10: Malware Defenses

DEEP DIVE

Covers anti-malware and endpoint protection strategies. Updating to include required links back to the central CIS Critical Security Controls v8 wiki.

Updated 4/12/2026
Tags: cis, controls, malware, antivirus, v8

CIS Control 10 focuses on preventing, detecting, and mitigating the execution of malicious software across enterprise assets. As a critical component of the CIS Critical Security Controls Version 8, this control emphasizes that modern malware defenses must operate continuously and automatically to match the speed and scale of contemporary cyber threats.

Malicious actors use automated tools to rapidly iterate and deploy malware, moving far beyond simple viruses and worms to include ransomware, cryptominers, and sophisticated fileless attacks. Consequently, organizational defenses must shift from reactive, point-in-time scanning to proactive, behavior-monitoring architectures.

The Evolution of Malware Defense

Historically, organizations relied almost entirely on traditional anti-virus (AV) solutions, which utilized signature-based detection. This method compares file hashes and known code snippets against a database of identified malware. While signature-based scanning is still necessary for catching known commodity malware with low overhead, it is entirely ineffective against zero-day exploits, polymorphic malware, and "living-off-the-land" techniques where attackers misuse legitimate system tools (like PowerShell or WMI).

To close this gap, modern defense strategies require Next-Generation Antivirus (NGAV) and Endpoint Detection and Response (EDR) solutions. These tools employ machine learning, heuristic analysis, and continuous monitoring to detect anomalous behaviors—such as a seemingly benign PDF document attempting to spawn a command shell or inject code into system memory.
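As an added example (not from this wiki page), the following PowerShell looks for exactly that pattern in Windows Security event 4688 process-creation records: a document reader as the parent, a command interpreter as the child. It assumes Windows 10 / Server 2016 or later, where 4688 carries the parent process name, and that "Audit Process Creation" is enabled; the reader and interpreter lists are illustrative and would be tuned per estate.

```powershell
# Added example, not from the CIS document: report Security event 4688 records in which a
# document reader launched a command interpreter (the "PDF spawns a shell" pattern).
# Assumes Windows 10 / Server 2016+ (4688 includes ParentProcessName) and that
# "Audit Process Creation" is enabled; CommandLine is populated only when command-line
# auditing is also switched on.
$readers = @('AcroRd32.exe', 'Acrobat.exe', 'WINWORD.EXE', 'EXCEL.EXE', 'POWERPNT.EXE')
$shells  = @('cmd.exe', 'powershell.exe', 'pwsh.exe', 'wscript.exe', 'cscript.exe', 'wmic.exe')

function Test-SuspiciousChild {
    param([string]$ParentPath, [string]$ChildPath)
    # -contains is case-insensitive, so AcroRd32.exe and acrord32.exe both match.
    $parent = [System.IO.Path]::GetFileName($ParentPath)
    $child  = [System.IO.Path]::GetFileName($ChildPath)
    return ($readers -contains $parent) -and ($shells -contains $child)
}

function Get-ReaderSpawnedShell {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddHours(-$Hours) }
    foreach ($e in Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue) {
        # Read the named EventData fields from the event XML instead of parsing message text.
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if (Test-SuspiciousChild -ParentPath $data['ParentProcessName'] -ChildPath $data['NewProcessName']) {
            [pscustomobject]@{
                Time    = $e.TimeCreated
                Host    = $e.MachineName
                User    = $data['SubjectUserName']
                Parent  = $data['ParentProcessName']
                Child   = $data['NewProcessName']
                Command = $data['CommandLine']
            }
        }
    }
}

Get-ReaderSpawnedShell -Hours 24 | Format-Table -AutoSize
```

The same logic is what an EDR rule expresses continuously; running it as a scheduled query is a low-cost way to validate that process-creation telemetry is actually reaching the collector.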

Core Safeguards and Implementation

Implementing CIS Control 10 requires a layered approach to endpoint security. Security teams should focus on the following foundational safeguards:

  • Centralized Management: Standalone or unmanaged anti-malware deployments are highly prone to failure, misconfiguration, and tampering. All endpoint security tools must be centrally managed to ensure uniform policy enforcement, automated updates, and centralized alerting.
  • Continuous Updates: Configure anti-malware software to automatically update its signature databases, heuristic engines, and machine learning models daily.
  • Behavioral Detection: Deploy EDR capabilities across all compatible endpoints to monitor system processes, network connections, and file modifications in real-time.
  • Removable Media Restrictions: Configure operating systems to disable "Autorun" and "Autoplay" features, which automatically execute binaries on USB drives. Additionally, mandate automatic anti-malware scans upon the mounting of any removable media.
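The removable-media safeguard, as an added example that is not part of the original page: it applies the Autorun/Autoplay policy values and the Microsoft Defender Antivirus settings on a single Windows host and then verifies them. In a managed estate the same values are pushed through Group Policy or MDM rather than set locally; Microsoft Defender is assumed as the anti-malware engine.

```powershell
# Added example (not from the CIS document): enforce the removable-media safeguard on one
# Windows host running Microsoft Defender Antivirus, then verify the result. Centrally
# managed estates deliver these same values via Group Policy or MDM.
$policy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
if (-not (Test-Path $policy)) { New-Item -Path $policy -Force | Out-Null }

# 0xFF = turn off AutoRun/AutoPlay for every drive type (the "All drives" policy setting).
Set-ItemProperty -Path $policy -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
# 1 = never execute autorun.inf commands, even if an AutoPlay prompt is shown.
Set-ItemProperty -Path $policy -Name NoAutorun -Value 1 -Type DWord

# Defender: keep real-time protection on (files on a freshly mounted drive are scanned as
# they are accessed) and include removable drives in full scans.
Set-MpPreference -DisableRealtimeMonitoring $false
Set-MpPreference -DisableRemovableDriveScanning $false

# Compliance check: $true only when every setting above is in force.
function Test-RemovableMediaPolicy {
    $p  = Get-ItemProperty -Path $policy -ErrorAction SilentlyContinue
    $mp = Get-MpPreference
    return ($p.NoDriveTypeAutoRun -eq 0xFF) -and ($p.NoAutorun -eq 1) -and
           (-not $mp.DisableRealtimeMonitoring) -and (-not $mp.DisableRemovableDriveScanning)
}
Test-RemovableMediaPolicy
```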

Anti-Exploitation Features

Beyond detecting malicious files, systems must be hardened to prevent the exploitation of memory and software vulnerabilities. Operating systems and hypervisors include built-in security mechanisms that should be globally enabled and enforced via Group Policy or Mobile Device Management (MDM):

  • Data Execution Prevention (DEP): Marks data pages (stack, heap) as non-executable, blocking the classic buffer overflow technique of redirecting execution into injected shellcode.
  • Address Space Layout Randomization (ASLR): Randomizes the memory locations of key data areas and libraries at each load, so an attacker cannot reliably predict the addresses needed to redirect execution.
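Enabling both mitigations system-wide, as an added example not taken from the page: it uses the ProcessMitigations module shipped with Windows 10 / Server 2016 and later, reads the effective policy back, and exports it as the XML consumed by the Exploit Protection Group Policy setting "Use a common set of exploit protection settings" (or an equivalent MDM profile). The export path is a placeholder.

```powershell
# Added example (not from the CIS document): enforce DEP and ASLR for all processes with the
# Windows ProcessMitigations module, audit the result, and export the policy for central
# distribution through Group Policy or MDM.
#   DEP                 - no execution from data pages
#   ForceRelocateImages - mandatory ASLR, even for images not linked with /DYNAMICBASE
#   BottomUp            - randomise bottom-up allocations (stacks, heaps)
#   HighEntropy         - 64-bit high-entropy ASLR
Set-ProcessMitigation -System -Enable DEP, ForceRelocateImages, BottomUp, HighEntropy

# Read back the effective system-wide policy so the change can be audited.
Get-ProcessMitigation -System

# Export the complete configuration; this XML is what the Exploit Protection policy
# "Use a common set of exploit protection settings" consumes. Path is a placeholder.
$exportPath = "$env:TEMP\ExploitProtection.xml"
Get-ProcessMitigation -RegistryConfigFilePath $exportPath
Test-Path $exportPath   # $true once the export exists
```

Mandatory ASLR can break old applications whose images were not built for relocation, so roll it out to a pilot group first and add per-application overrides rather than weakening the global setting.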

Edge Cases and Practical Challenges

Managing Exclusions and False Positives

One of the most difficult practical challenges of aggressive EDR deployment is managing performance impacts and false positives. For example, software developers frequently compile custom code, which heuristic engines often flag as suspicious unverified binaries. Similarly, active scanning on large, high-transaction database servers can cause severe performance degradation.

Security teams must maintain strict, carefully vetted exclusion lists. Rather than excluding entire directories (which creates blind spots), exclusions should be scoped by specific file hashes, highly constrained paths, or authenticated code-signing certificates.
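An added example (not from this page) of auditing exclusions against that rule: the function reads the Defender Antivirus path exclusions in force on a host and flags entries that are whole directories, contain wildcards, cover an entire volume, or sit in user-writable locations. The sample list is constructed; Microsoft Defender is assumed as the engine, and certificate-based allow rules belong to application-control tooling and are not shown.

```powershell
# Added example (not from the CIS document): flag Microsoft Defender Antivirus path exclusions
# that are broader than a single, tightly scoped file.
function Get-RiskyExclusion {
    param([string[]]$Paths = (Get-MpPreference).ExclusionPath)

    foreach ($p in $Paths) {
        $reasons = @()
        if ($p -match '[\*\?]')                              { $reasons += 'wildcard' }
        if ($p -notmatch '\.[A-Za-z0-9]{1,4}$')              { $reasons += 'directory, not a single file' }
        if ($p -match '^[A-Za-z]:\\?$')                      { $reasons += 'entire volume' }
        if ($p -match '\\(Users|Temp|ProgramData|Downloads)\\') { $reasons += 'user-writable location' }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{ Exclusion = $p; Reasons = ($reasons -join '; ') }
        }
    }
}

# Constructed sample list to illustrate the output. In production, call Get-RiskyExclusion
# with no arguments so it reads the host's real ExclusionPath setting.
$sample = @(
    'C:\',                               # entire volume
    'C:\Users\dev\Build\*',              # wildcard in a user-writable tree
    'D:\SQL\Data',                       # whole directory (the database-server case above)
    'C:\Program Files\Vendor\agent.exe'  # single signed binary: passes the audit
)
Get-RiskyExclusion -Paths $sample | Format-Table -AutoSize
```

For the database-server case, the narrower fix is usually a process exclusion for the database engine binary (Set-MpPreference -ExclusionProcess) rather than excluding the data directory outright.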

Air-Gapped and Legacy Systems

Not all environments support cloud-connected EDR tools. High-security, air-gapped industrial control systems (ICS) cannot reach the internet to download daily signature updates. In these scenarios, administrators must deploy local, on-premises update servers or utilize secure "sneakernet" processes to manually ingest updates.
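Configuring an isolated Defender Antivirus host to take definitions from an internal share, as an added example not drawn from the page: the share path is a placeholder for a location populated by the approved transfer process, and the final check surfaces hosts whose definitions have aged past a one-day threshold.

```powershell
# Added example (not from the CIS document): point Microsoft Defender Antivirus on an
# air-gapped host at an internal file share for definition updates, pull updates from it,
# and alert when the installed definitions are stale. Share path is a placeholder.
$share = '\\UPDATESRV\DefenderDefs'   # placeholder: share populated by the offline transfer process

# Prefer the file share; the internet-facing sources stay in the list but are unreachable here.
Set-MpPreference -SignatureDefinitionUpdateFileSharesSources $share
Set-MpPreference -SignatureFallbackOrder 'FileShares|InternalDefinitionUpdateServer|MicrosoftUpdateServer|MMPC'

# Apply whatever the share currently holds.
Update-MpSignature -UpdateSource FileShares

# Age of the installed antivirus definitions in days, as reported by the engine.
function Get-DefinitionAgeDays {
    return [int](Get-MpComputerStatus).AntivirusSignatureAge
}

# Daily updates are the control's expectation; anything older means the transfer process failed.
if ((Get-DefinitionAgeDays) -gt 1) {
    Write-Warning "Definitions are $(Get-DefinitionAgeDays) days old; check the offline update transfer."
}
```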

Furthermore, legacy systems running unsupported operating systems may not support modern anti-malware agents. These systems require strict compensating controls, such as deep network segmentation, which is covered under CIS Control 12: Network Infrastructure Management.

Intersections with Other CIS Controls

Effective malware defense does not exist in a vacuum. CIS Control 10 heavily relies on the success of several other foundational and advanced controls:

To deploy EDR effectively, you must first know what endpoints and operating systems exist in your environment. Complete coverage relies entirely on CIS Control 1: Inventory and Control of Enterprise Assets and CIS Control 2: Inventory and Control of Software Assets.

Because the majority of malware enters an organization via phishing or malicious downloads, CIS Control 9: Email and Web Browser Protections acts as the primary ingress filter, significantly reducing the burden on endpoint defenses.

Finally, endpoint telemetry is only valuable if it is actively monitored. Per CIS Control 8: Audit Log Management, all EDR alerts and AV logs must be securely forwarded to a central SIEM. These endpoint logs provide crucial context when combined with network traffic data managed under CIS Control 13: Network Monitoring and Defense, allowing analysts to trace a malware infection from initial network ingress to endpoint execution.