Malware Protection FAQ

Category | ID | Question | Answer | Source |
---|---|---|---|---|
ALLOW_LISTING | MW0001 | Malware protection: do we need to implement our own application allow lists for phones? Or can we say "App/Play store is our allow list"? Especially an issue around BYOD phones. | Application allow lists need to be set up, and allow lists for those apps accessing organisational data and services need to be approved. Apps for personal use cannot be controlled, but the devices must not be jailbroken. | UCISA_110523 |
ALLOW_LISTING | MW0002 | For A8.5 Approved Application List - if not using an MDM for BYOD phones, does the "meet the requirements using good policy, processes and training of staff" need to include all Apps installed on the BYOD phone or just those that are approved for access to company data? i.e. can you use training and policy to say "you can only use these apps on your phone to access company systems", but then let staff still install whichever other Apps they like? | As others have mentioned for BYOD and this question specifically, this list should only concern applications that are accessing organisational data/services. | LinkedIn_280723 |
ALLOW_LISTING | MW0003 | For mobile devices (specifically iPhones), on the Montpellier question set for question 8.1 it asks A8.1. Are all of your desktop computers, laptops, tablets and mobile phones protected from malware by either: Currently we restrict app store access, instead using our MDM's App catalog to control what apps users can install. However, point B appears to suggest you can allow App store access; however, is anyone able to clarify how you then satisfy the "..and a list of approved applications"? | As long as you can demonstrate your organisation's compliance with the underlying requirement, this would be enough. The Requirements state for Application Allow-listing under Anti-Malware Protection: Only approved applications, restricted by code signing, are allowed to execute on devices. You must: | LinkedIn_280723 |
MDM | MW0004 | For application whitelisting & MDM, is the written policy enough, or do we have to have technical controls in place? | If you have a solution that allows it, you should be applying it. Technically we know this is difficult for organisations. There is the option to do it by written policy, but if you have the technical ability to do it, you should do it using that solution. It is available within products, for example Intune and the back end of Microsoft 360, Google Workspace, etc. Just to be clear, the intention of Cyber Essentials is that all the controls should be applied in a technical manner and not rely on written policy or documentation. We are still very much enforcing that, and that is how the NCSC would like us to do it. This is why, when we talk about MDM solutions and the control of smartphones and tablets, we need to see some technical control, and if you have it, it's the best solution for you to apply. | CHANGES 280423 |
MDM | MW0005 | Are you able to suggest a solution that can facilitate volunteer access for charities without having to install MDM tools on their personal devices such as smartphones and laptops? | MDM isn't a requirement, although it can be useful. If the devices are BYOD, you'll need to control access to organisation data via allow listing (i.e. only permitted applications can access your data). | CHANGES 280423 |
MDM | MW0006 | A while back we were told that Mobile Device Protection was being reviewed by NCSC. Is this complete yet? | We went through some feedback last year where all CE+ assessors were given the opportunity to look at what we were planning for the end-user devices malware protection, and that was the review period. It was decided that how we've presented it this year is based on everybody's help and the feedback we got from that. That was looked at and it was reviewed. The scheme's constantly reviewed, so let's get feedback in; we can use that to implement changes to the scheme if it's not up to scratch. If you guys don't think it's good enough, we do want to hear that feedback and we can pass it on to the scheme manager; it will be discussed at the tech working group. But for now, yes, mobile device protection was reviewed by the NCSC as part of the application allow listing and anti-malware software review. That's what we decided would work in agreement with everybody, or the majority of assessors who gave us feedback last year. | AW280623 |
MDM | MW0007 | My first question is: is it possible to get CE certified without MDM enrolment? | There is no requirement to have an MDM in place. | LinkedIn_280723 |
OPTIONS | MW0008 | A quick question regarding the Montpellier assessment with question A8.5 on the Malware Protection section. If we only selected a single option (e.g. A or B), would this mean we would pass this question, or do we have to have both in place to pass? Also, if option C was selected, would this result in a fail for that particular question or a fail for the complete assessment? I am new to my business, so I need to do some investigation as to how we are set up regarding this question, but I thought I would get some clarity on it so I know where we stand in all eventualities. | So for these questions I would refer to the https://www.ncsc.gov.uk/files/Cyber-Essentials-Requirements-for-Infrastructure-v3-1-January-2023.pdf. You need to consider what types of devices you have in scope and what is an acceptable option for those devices. | LinkedIn_280723 |
OPTIONS | MW0009 | For this question: "Where you have anti-malware software installed, is it set to scan web pages you visit and warn you about accessing malicious websites?". If the answer is "no" is it a fail for CE? If the organization uses other solutions for web filtering - how should this be answered? | A negative answer here would be a Major Non-Compliance but this would not necessarily be a fail. | LinkedIn_280723 |
OPTIONS | MW0010 | For a pool assessment, the applicant has mentioned BYOD iOS and Android mobile devices accessing M365. Now looking at A8.1, which talks about: | If there is a mobile device in scope, company owned or otherwise, then option B also needs to be selected. | YAMMER_280723 |
SANDBOX | MW0011 | Re sandboxing. Is that just related to malware? Some software does not have a supported version so will never be compliant. Can we segregate these from the internet and other networks, i.e. sandbox them? | The only way you can descope an application would be to descope the device that it's sitting on. It would have to be on its own VLAN or have a boundary firewall set up in between the scoped subset and the descoped subset. A lot of people believed that the use of sandboxing could be used to descope, but it was always meant as an anti-malware control, and it paired up with application allow listing. The application allow listing meaning you could only run specific signature-based code, based on what that certificate said it was, and you accepted that these executables could run. In sandboxing, where they didn't have that signature, you could run it inside a sandbox instead of using application allow listing. This caused a lot of confusion and misinterpretation to push these unsupported applications through an assessment on the scoped device. So to remove that confusion we've had to remove it from the requirements. The way they are written now should allow it to be used as it was originally intended. | CHANGES 280423 |
SANDBOX | MW0012 | We use MS365 Application Protection to 'sandbox' corporate data access on mobile devices, separating it from the device OS and other apps. This protects us from BYOD. Does this satisfy the allowed applications list? | This is similar to a MAM scenario. If you are dictating what can run within that sandbox and you're managing those applications, then that is your application allow list for BYOD. Don't confuse it with unsupported applications - everything would still have to be supported on that BYOD - but you could do that through some kind of written policy telling users to ensure that all of the applications on their devices are supported; in this instance the application allow list would be a good way to achieve it. Having it written within that piece of software is a good way to demonstrate application allow listing for your BYOD devices. It's important to note that using those kinds of containers and sandboxes does not exclude the device from scope - those BYOD devices still remain in scope. | CHANGES 280423 |
SANDBOX | MW0013 | With the removal of sandboxing, does that mean all mobile devices will need anti-malware software now? | Because there is no mobile anti-malware considered compliant, you would need to use allow listing for this requirement. | CHANGES 280423 |
WIN_DEFENDER | MW0014 | Is using inbuilt Windows Defender AV a pass for Cyber Essentials? | Built-in antivirus such as Windows Defender can be used for the anti-malware requirement. | CHANGES 280423 |
WIN_DEFENDER | MW0015 | Can you provide clarity on what the following options mean: A) Having anti-malware software installed | Out of all the sampled devices, which methods of anti-malware protection are you using across the board? Which further questions are presented will depend on the answers given. Some might be using anti-malware software, some might be using application allow-listing, some might be using both. Test files - for some you've got behavioural-based scanners, for some you've got signature-based scanners, so you might have a mixture on your infrastructure. If everything is using the signature-based files, the EICAR files, and the test works, you only need to do the EICAR files; but where the EICAR test files won't work, based on the type of software, then you have to resort to the manual checks. And you've got some which might use a mixture of different types of anti-malware software as their endpoint protection. | AW280623 |
WIN_DEFENDER | MW0016 | I hope someone is able to help me with question A8.1 of the CE assessment. | No reply posted by IASME | YAMMER_280723 |
XPROTECT | MW0017 | Hi - the advice around anti-malware has been changeable! Is macOS built-in protection (XProtect) now compliant? | The scheme has now been updated to not restrict software to only include signature-based scanning. Because of this and some updates to the Apple suite of anti-malware software, XProtect is acceptable. | CHANGES 280423 |
XPROTECT | MW0018 | Is MacOS built in anti-malware acceptable for A6.2.2? | We cannot provide any product approval. You as assessors must make this determination. If the product meets the requirements then it is considered compliant. | AW260423 |
XPROTECT | MW0019 | Would you rate ClamAV as a suitable 3rd-party AM solution for Mac OS to comply with CE standards, or is there a requirement to obtain a more robust solution from a reputable vendor? | The NCSC has revised its approach regarding the anti-malware control within Cyber Essentials. It is now acceptable to use any form of malware protection providing that it is fully supported and is receiving security updates in accordance with the type of product in use and the vendor recommendations. As far as the Cyber Essentials Plus audit is concerned, the assessors are being instructed to check for correct product installation and a product update process or schedule. The scheme documentation is currently being reviewed and will be updated to reflect this change. | YAMMER_280723 |
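The following is an added example, not from IASME, the NCSC or the FAQ: a PowerShell check an administrator or assessor could run on a Windows device to gather the evidence MW0014 and MW0019 describe, that the built-in Defender antivirus is installed, active and receiving updates. It uses the Defender cmdlets that ship with Windows; the 7-day signature-age threshold is an illustrative assumption, not a figure from the Cyber Essentials requirements.

```powershell
# Added example: evidence that built-in Windows Defender is installed, active and
# receiving updates (the CE+ checks MW0014 and MW0019 describe). Run in an
# elevated PowerShell session on the sampled device.

# Assumption: signatures older than this are reported as stale. The figure is an
# illustrative threshold chosen for this example, not a scheme requirement.
$MaxSignatureAgeDays = 7

function Get-DefenderComplianceEvidence {
    param([int]$MaxAgeDays = $MaxSignatureAgeDays)

    # Get-MpComputerStatus fails if the Defender service is absent or disabled,
    # which is itself a finding rather than a script error.
    try {
        $status = Get-MpComputerStatus -ErrorAction Stop
    } catch {
        return [pscustomobject]@{
            Installed = $false
            Compliant = $false
            Findings  = @("Defender status unavailable: $($_.Exception.Message)")
        }
    }

    $findings = @()
    if (-not $status.AMServiceEnabled)          { $findings += 'Antimalware service is not running' }
    if (-not $status.AntivirusEnabled)          { $findings += 'Antivirus engine is disabled' }
    if (-not $status.RealTimeProtectionEnabled) { $findings += 'Real-time protection is off' }

    # "Receiving updates": compare the last signature update against the threshold.
    $signatureAge = (Get-Date) - $status.AntivirusSignatureLastUpdated
    if ($signatureAge.TotalDays -gt $MaxAgeDays) {
        $findings += "Signatures last updated $([int]$signatureAge.TotalDays) days ago (limit $MaxAgeDays)"
    }

    # Defender's engine and platform are updated through Windows Update; record the
    # versions so the update process can be evidenced alongside the signature date.
    [pscustomobject]@{
        Installed            = $true
        RealTimeProtection   = $status.RealTimeProtectionEnabled
        EngineVersion        = $status.AMEngineVersion
        PlatformVersion      = $status.AMProductVersion
        SignatureVersion     = $status.AntivirusSignatureVersion
        SignatureLastUpdated = $status.AntivirusSignatureLastUpdated
        Compliant            = ($findings.Count -eq 0)
        Findings             = $findings
    }
}

Get-DefenderComplianceEvidence | Format-List
```

Where a third-party product is in use instead, the same three facts (installed, active, signature currency) should be collected from that product's own status tooling; this script only covers the built-in Defender case.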