Information Security

CIS Control 10 - Malware Defenses

Last modified 7/6/2021

Malware Defenses


Prevent or control the installation, spread, and execution of malicious applications, code, or scripts on enterprise assets.


Malicious software (sometimes categorized as viruses or Trojans) is an integral and dangerous aspect of internet threats. It can serve many purposes, from capturing credentials, stealing data, and identifying other targets within the network to encrypting or destroying data. Malware is ever-evolving and adaptive, as modern variants leverage machine learning techniques.

Malware enters an enterprise through vulnerabilities within the enterprise on end-user devices, email attachments, webpages, cloud services, mobile devices, and removable media. Malware often relies on insecure end-user behavior, such as clicking links, opening attachments, installing software or profiles, or inserting Universal Serial Bus (USB) flash drives. Modern malware is designed to avoid, deceive, or disable defenses.

Malware defenses must be able to operate in this dynamic environment through automation, timely and rapid updating, and integration with other processes like vulnerability management and incident response. They must be deployed at all possible entry points and enterprise assets to detect, prevent spread, or control the execution of malicious software or code.


All University assets must be configured to be compliant with the Safeguards of Control 10: Malware Defenses from version 8 of the CIS Controls based on the applicable, corresponding Implementation Group (IG) of the owning business unit.

More information about Implementation Groups can be found here:

Safeguard | Control Title (Links to Information Security Office Guidance) | IG 1 | IG 2 | IG 3


Configure Automatic Anti-Malware Signature Updates
10.3 Disable Autorun and Autoplay for Removable Media
10.4 Configure Automatic Anti-Malware Scanning of Removable Media
10.5 Enable Anti-Exploitation Features
10.6 Centrally Manage Anti-Malware Software
10.7 Use Behavior-Based Anti-Malware Software

Additional Information

The following items provide context for, or a better understanding of, this standard:

  • Requesting an Exemption

In the event that this standard cannot be met, an exemption can be requested and will be evaluated on a case-by-case basis. All exemptions will require documentation of the system, the data use on the system, the reason the standard cannot be met, ISO approval, and then executive approval from the requesting area acknowledging and accepting risk.

Exemptions can be requested according to the published Security Exemption Procedure using the Security Exemption Request Form.

  • CIS Controls v8 License Statement

This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International Public License (the link can be found at ). To further clarify the Creative Commons license related to the CIS Controls content, you are authorized to copy and redistribute the content as a framework for use by you, within your organization and outside of your organization, for non-commercial purposes only, provided that (i) appropriate credit is given to CIS, and (ii) a link to the license is provided. Additionally, if you remix, transform, or build upon the CIS Controls, you may not distribute the modified materials. Users of the CIS Controls framework are also required to refer to ( ) when referring to the CIS Controls in order to ensure that users are employing the most up-to-date guidance. Commercial use of the CIS Controls is subject to the prior approval of CIS® (Center for Internet Security, Inc.®).