Malware Protection FAQ Source
ALLOW_LISTING

MW0001

Malware protection: do we need to implement our own application allow lists for phones? Or can we say "the App/Play Store is our allow list"? This is especially an issue around BYOD phones.

Application allow lists need to be set up, and allow lists for those apps accessing organisational data and services need to be approved. Apps for personal use cannot be controlled, but the devices must not be jailbroken.

UCISA_110523

ALLOW_LISTING

MW0002

For A8.5 Approved Application List - if not using an MDM for BYOD phones, does the "meet the requirements using good policy, processes and training of staff" need to include all Apps installed on the BYOD phone or just those that are approved for access to company data? i.e. can you use training and policy to say "you can only use these apps on your phone to access company systems", but then let staff still install whichever other Apps they like?

As others have mentioned for BYOD and this question specifically, this list should only concern applications that are accessing organisational data/services.
You can address this through any combination of technical implementation, policy or procedure. The NCSC have the expectation that ALL organisations should implement technical controls to be compliant with the standard. However, in companies of sub-50 employees, they will allow some controls to be implemented via policy and training, but only really where the organisation can't achieve it in a technical manner.

LinkedIn_280723

ALLOW_LISTING

MW0003

For mobile devices (specifically iPhones), on the Montpellier question set for question 8.1 it asks:

A8.1. Are all of your desktop computers, laptops, tablets and mobile phones protected from malware by either:
A – Having anti-malware software installed
And/or
B – Limiting installation of applications by application allow listing (for example, using an app store and a list of approved applications, or using a Mobile Device Management (MDM) solution)

Currently we restrict App Store access, instead using our MDM's app catalog to control what apps users can install. However, point B appears to suggest you can allow App Store access; is anyone able to clarify how you then satisfy the "...and a list of approved applications" part?

As long as your organisation can demonstrate compliance with the underlying requirement, this would be enough. The Requirements state for Application Allow-listing under Anti-Malware Protection:

Only approved applications, restricted by code signing, are allowed to execute on devices. You must:

  • actively approve such applications before deploying them to devices

  • maintain a current list of approved applications, users must not be able to install any application that is unsigned or has an invalid signature.

LinkedIn_280723

MDM

MW0004

For application whitelisting and MDM, is a written policy enough, or do we have to have technical controls in place?

If you have a solution that allows it, you should be applying it. Technically we know this is difficult for organisations. There is the option to do it by written policy, but if you have the technical ability to do it, you should do it using that solution. It is available within products, for example Intune and the back end of Microsoft 365, Google Workspace, etc. Just to be clear, the intention of Cyber Essentials is that all the controls should be applied in a technical manner and not rely on written policy or documentation. We are still very much enforcing that, and that is how the NCSC would like us to do that. This is why, when we talk about MDM solutions and the control of smartphones and tablets, we need to see some technical control, and if you have it, it's the best solution for you to apply.

CHANGES 280423

MDM

MW0005

Are you able to suggest a solution that can facilitate volunteer access for charities without having to install MDM tools on their personal devices such as smartphones and laptops?

MDM isn't a requirement, although it can be useful. If the devices are BYOD, you'll need to control access to organisation data via allow listing (i.e. only permitted applications can access your data).

CHANGES 280423

MDM

MW0006

A while back we were told that Mobile Device Protection was being reviewed by NCSC, is this complete yet?

We went through some feedback last year, where all CE+ assessors were given the opportunity to look at what we were planning for end-user device malware protection; that was the review period. It was decided that how we've presented it this year is based on everybody's help and the feedback we got from that. That was looked at and it was reviewed. The scheme is constantly reviewed, so let's get feedback in; we can use that to implement changes to the scheme if it's not up to scratch. If you guys don't think it's good enough, we do want to hear that feedback, and we can pass it on to the scheme manager and it will be discussed at the tech working group. But for now, yes, mobile device protection was reviewed by the NCSC as part of the application allow listing and anti-malware software review; that's what we decided would work, in agreement with everybody, or the majority of assessors who gave us feedback last year.

AW280623

MDM

MW0007

My first question is: is it possible to get CE certified without MDM enrolment?

There is no requirement to have an MDM in place.
However, it is expected that the controls on all devices would be applied technically. 
Only small companies can apply the controls via a written policy.
Where medium-sized companies and above apply the controls through a written policy, the NCSC advise that for an organisation of the size being assessed, it is expected that the controls are applied in a technical manner.

LinkedIn_280723

OPTIONS

MW0008

A quick question regarding the Montpellier assessment with question A8.5 on the Malware Protection section.

If we selected only a single option (e.g. A or B), then would this mean we would pass this question? Or do we have to have both in place to pass?

Also, if option C was selected then would this result in a fail for that particular question or a fail for the complete assessment?

I am new to my business, so I need to do some investigation as to how we are set up regarding this question, but I thought I would get some clarity on it so I know where we stand in all eventualities.

So for these questions I would refer to the https://www.ncsc.gov.uk/files/Cyber-Essentials-Requirements-for-Infrastructure-v3-1-January-2023.pdf

  • Anti-malware software (option for in scope devices running Windows or MacOS including servers, desktop computers, laptop computers)

  • Application allow listing (option for all in scope devices)

You need to consider what types of devices you have in scope and what is an acceptable option for those devices.
If only option C was selected this would be a non-compliance for the question but not necessarily a fail for the whole assessment.

LinkedIn_280723

OPTIONS

MW0009

For this question: "Where you have anti-malware software installed, is it set to scan web pages you visit and warn you about accessing malicious websites?". If the answer is "no" is it a fail for CE? If the organization uses other solutions for web filtering - how should this be answered?

A negative answer here would be a Major Non-Compliance but this would not necessarily be a fail.
If this is regarding next-gen anti-malware then the following might apply:
“The NCSC has revised its approach regarding the anti-malware control within Cyber Essentials. It is now acceptable to use any form of malware protection providing that it is fully supported and is receiving security updates in accordance with the type of product in use and the vendor recommendations. As far as the Cyber Essentials plus audit is concerned, the assessors are being instructed to check for correct product installation and a product update process or schedule. The scheme documentation is currently being reviewed and will be updated to reflect this change.”

LinkedIn_280723

OPTIONS

MW0010

For a pool assessment, the applicant has mentioned BYOD iOS and Android mobile devices accessing M365. Now looking at A8.1, which talks about:
"Are all of your desktop computers, laptops, tablets and mobile phones protected from malware by either:
A - Having anti-malware software installed
and/or
B - Limiting installation of applications by application allow listing (For example, using an app store and a list of approved applications, using a Mobile Device Management(MDM solution)
or
C - None of the above, please describe"
They have selected A and have mentioned "no corporate devices" as a response to not selecting B along with A. Hence, when I think of MAM solutions or other BYOD solutions deployed, they cannot block users from installing applications on their own personal devices, which goes against the NCSC CE guidelines on page 14:
"Only approved applications, restricted by code signing, are allowed to execute on devices. You must: • Actively approve such applications before deploying them to devices • maintain a current list of approved applications, users must not be able to install any application that is unsigned or has an invalid signature".
So the question is: is it okay to just select A when BYOD mobile devices are in scope? And if not, then do these BYOD devices need an MDM solution with policies enforced, and is MAM not an acceptable solution? Thanks.

If there is a mobile device in scope, company owned or otherwise, then option B also needs to be selected.
I've always considered that if they are a smaller company (micro?) they can "control" the BYOD devices by written policy, but if they are larger they should be using a technical solution. What that solution may be I feel is somewhat irrelevant, as long as you feel it offers the protection they need. That's the approach I've always taken.

YAMMER_280723

SANDBOX

MW0011

Re sandboxing. Is that just related to malware? Some software does not have a supported version so will never be compliant. Can we segregate these from the internet and other networks, i.e. sandbox them?

The only way you can descope an application would be to descope the device that it's sitting on. It would have to be on its own VLAN or have a boundary firewall set up between the scoped subset and the descoped subset. A lot of people believed that sandboxing could be used to descope, but it was always meant as an anti-malware control, paired with application allow listing. Application allow listing means you could only run specific signature-based code, based on what that certificate said it was, and you accepted that these executables could run. With sandboxing, where they didn't have that signature, you could run it inside a sandbox instead of using application allow listing. This caused a lot of confusion and misinterpretation, used to push these unsupported applications through an assessment on the scoped device. So to remove that confusion we've had to remove it from the requirements. The way they are written now should allow it to be used as it was originally intended.

CHANGES 280423

SANDBOX

MW0012

We use MS365 Application Protection to 'sandbox' corporate data access on mobile devices, separating it from the device OS and other apps. This protects us from BYOD. Does this satisfy the allowed applications list?

This is similar to a MAM scenario. If you are dictating what can run within that sandbox and you're managing those applications, then that is your application allow list for BYOD. Don't confuse it with unsupported applications: everything would still have to be supported on that BYOD device, but you could do that through some kind of written policy telling users to ensure that all of the applications on their devices are supported. In this instance the application allow list would be a good way to achieve it. Having it written within that piece of software is a good way to demonstrate application allow listing for your BYOD devices. It's important to note that using those kinds of containers and sandboxes does not exclude the device from scope; those BYOD devices still remain in scope.

CHANGES 280423

SANDBOX

MW0013

With the removal of sandboxing, does that mean all mobile devices will need anti-malware software now?

Because there is no mobile anti-malware considered compliant, you would need to use allow listing for this requirement.

CHANGES 280423

WIN_DEFENDER

MW0014

Is using inbuilt windows Defender AV a pass for cyber essentials?

Built-in antivirus such as Windows Defender can be used for the anti-malware requirement.

CHANGES 280423

WIN_DEFENDER

MW0015

Can you provide clarity on what the following options mean: A) Having anti-malware software installed

Out of all the sampled devices, which methods of anti-malware protection are you using across the board? Based on the answers given, it will depend which further questions are presented. Some might be using anti-malware software, some might be using application allow listing, some might be using both. Test files: for some you've got behavioural-based scanners, for some you've got signature-based scanners, so you might have a mixture on your infrastructure. If everything is using signature-based scanning, the EICAR files, and the test works, you only need to do the EICAR files; but where the EICAR test files won't work, based on the type of software, then you have to resort to the manual checks. And you've got some which might use a mixture of different types of anti-malware software as their endpoint protection.

AW280623
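The EICAR test the answer above refers to, as an added example (this is not IASME, NCSC or CE+ tooling): a Python script that writes the standard EICAR test file into a directory, waits, and reports whether on-access scanning blocked the write, removed the file or locked it. The target directory and the wait time are assumptions; the EICAR string is assembled from fragments at runtime only so that this source file is not itself quarantined. As the answer says, this exercises signature-based detection only; a product that is purely behavioural will let the file sit there, and that is a case for the manual checks rather than a fail on its own.

```python
"""Drop the EICAR test file and see whether the endpoint's anti-malware
reacts to it. Added example; not IASME or NCSC tooling."""
import sys
import tempfile
import time
from pathlib import Path

# The 68-byte EICAR string is assembled from fragments at runtime so that this
# source file is not itself quarantined; joined, it is the published test string.
_EICAR_PARTS = (
    "X5O!P%@AP[4\\PZX54(P^)7CC)7}$",
    "EICAR-STANDARD-ANTIVIRUS-TEST-FILE",
    "!$H+H*",
)


def eicar_string() -> str:
    """Return the standard EICAR test string (68 ASCII characters)."""
    return "".join(_EICAR_PARTS)


def eicar_check(directory: str, wait_seconds: float = 10.0) -> dict:
    """Write eicar.com into `directory`, wait, and report the outcome.

    detected=True means the product blocked the write, or removed or locked
    the file within the wait. detected=False means the file is still present
    and byte-for-byte intact, i.e. no on-access signature detection happened.
    """
    path = Path(directory) / "eicar.com"
    payload = eicar_string().encode("ascii")
    try:
        path.write_bytes(payload)
    except OSError as exc:
        # Some products refuse the write itself: that still counts as detection.
        return {"path": str(path), "written": False, "detected": True, "detail": str(exc)}

    time.sleep(wait_seconds)

    try:
        intact = path.exists() and path.read_bytes() == payload
    except OSError as exc:
        # File still listed but access is blocked (quarantined in place).
        return {"path": str(path), "written": True, "detected": True, "detail": str(exc)}

    if intact:
        # Nothing reacted: remove the test file so it is not left on disk.
        path.unlink()
    return {"path": str(path), "written": True, "detected": not intact, "detail": ""}


def eicar_check_in_temp_dir(wait_seconds: float = 10.0) -> dict:
    """Convenience wrapper: run the check in a fresh temporary directory."""
    return eicar_check(tempfile.mkdtemp(prefix="eicar-"), wait_seconds)


if __name__ == "__main__":
    # Usage: python eicar_check.py [directory]   (directory is an assumption)
    target = sys.argv[1] if len(sys.argv) > 1 else tempfile.mkdtemp(prefix="eicar-")
    outcome = eicar_check(target, wait_seconds=10.0)
    print(outcome)
    sys.exit(0 if outcome["detected"] else 1)
```

Run it in a directory the on-access scanner actually covers (a user's Downloads folder, not a path the product excludes) and record the outcome per sampled device alongside the product name and its last signature update, which is what the CE+ assessor is looking for.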

WIN_DEFENDER

MW0016

I hope someone is able to help me with question A8.1 of the CE assessment.
I have an applicant that has only selected option A but has mobile devices in their scope. On the marking scheme, it states that "where an applicant has not considered a device type within their answer (for example only ticking ‘A’ and having mobile devices in scope) award a major non-compliance". They have noted that they use Microsoft Defender for Business on all devices and scan web pages using Microsoft Defender SmartScreen.
Before marking the assessment, I wanted to make sure that the mark scheme is still up to date when stating that "as of Apr 2022 there is no compliant anti-malware software on the market for mobile devices" and consequently, the answer should be marked as a major non-compliance.

No reply posted by IASME

YAMMER_280723

XPROTECT

MW0017

Hi - the advice around anti-malware has been changeable! Is macOS built-in protection (XProtect) now compliant?

The scheme has now been updated to not restrict software to only signature-based scanning. Because of this, and some updates to the Apple suite of anti-malware software, XProtect is acceptable.

CHANGES 280423

XPROTECT

MW0018

Is MacOS built in anti-malware acceptable for A6.2.2?

We cannot provide any product approval. You as assessors must make this determination. If the product meets the requirements then it is considered compliant.

AW260423

XPROTECT

MW0019

Would you rate ClamAV as a suitable 3rd-party AM solution for Mac OS to comply with CE standards, or is there a requirement to obtain a more robust solution from a reputable vendor?

"The NCSC has revised its approach regarding the anti-malware control within Cyber Essentials. It is now acceptable to use any form of malware protection providing that it is fully supported and is receiving security updates in accordance with the type of product in use and the vendor recommendations. As far as the Cyber Essentials Plus audit is concerned, the assessors are being instructed to check for correct product installation and a product update process or schedule. The scheme documentation is currently being reviewed and will be updated to reflect this change."
The CE+ Assessor report is currently being reviewed and will include an update to reflect this change. This will also lead to the IASME CE+ Assessor guide being updated at the same time as the CE+ report.
In a future release of the question set, there will be an additional question added to the Anti-malware protection section to reflect this change.
XProtect, part of macOS, will be compliant as long as it is configured correctly and receiving regular updates etc., and as part of Plus will be checked to ensure it is configured correctly. Using 3rd-party AM solutions is fine as long as they meet the CE requirements.

YAMMER_280723