Control Definition
Organizations must put defenses in place that prevent, detect, and recover from malware infections, and back those technical controls with user awareness so people can recognize and avoid the lures that deliver malicious code.
Control Objective
To keep malicious software from compromising the information and the systems the business depends on.
What This Really Means
Protection against malware means defending your systems, networks, and data from malicious software including viruses, ransomware, trojans, worms, spyware, adware, and rootkits. This control requires technical defenses combined with user awareness training.
Think of malware protection like a multi-layered immune system: antivirus software blocks known threats, behavior-based detection catches zero-day attacks, email filtering stops malicious attachments, web filtering blocks dangerous websites, and educated users don't click suspicious links.
This isn't just "install antivirus and forget." Modern malware protection requires: endpoint protection platforms (EPP/EDR) that detect and respond to threats in real-time, network-based protection (firewalls, IPS/IDS), email security gateways that scan attachments and links, regular security awareness training teaching users to recognize phishing, and incident response procedures for when malware is detected.
The control also demands keeping malware signatures updated, running regular scans, monitoring alerts, and quarantining infected systems immediately. User awareness is critical—most malware enters through social engineering (phishing emails, malicious downloads). Technical controls alone won't stop users from running "Invoice.exe" attached to a convincing phishing email.
Why It Matters
Malware is among the leading causes of data breaches, ransomware incidents, and business disruption worldwide. A single ransomware infection can encrypt an entire network, bringing operations to a halt, and is typically followed by a ransom demand running into millions.
Without adequate malware protection, organizations face:
- Ransomware Attacks – Encryption of critical data and systems with ransom demands; paying doesn't guarantee recovery and bankrolls organized crime
- Data Exfiltration – Spyware and trojans steal sensitive information (customer data, credentials, intellectual property) and transmit it to attackers
- Business Disruption – Malware can corrupt databases, delete files, or render systems unusable, causing costly downtime and recovery efforts
- Credential Theft – Keyloggers and infostealers capture passwords, banking credentials, and authentication tokens enabling further attacks
- Botnet Recruitment – Compromised systems become part of criminal botnets used for DDoS attacks, spam campaigns, or cryptocurrency mining
- Compliance Violations – DPDPA's reasonable-security-safeguards duty, PCI DSS, and sector regulations all expect malware defenses; failures lead to fines and audit non-conformities
Ransomware attacks have surged in recent years, with healthcare, education, manufacturing, and SMBs heavily targeted in India. Under CERT-In's 2022 directions, ransomware and other malicious-code incidents must be reported within 6 hours of being noticed. Ransom demands routinely run to six or seven figures, and the full recovery cost (downtime, remediation, lost business) is typically a multiple of the ransom itself. Prevention is far cheaper than cure.
Implementation Guidance
Deploy Endpoint Protection Platform (EPP) or Endpoint Detection and Response (EDR)
Install comprehensive endpoint security on all devices: Microsoft Defender for Endpoint, CrowdStrike Falcon, SentinelOne, Sophos Intercept X, or Trend Micro. EPP provides signature-based antivirus plus behavior analysis. EDR adds threat hunting, forensics, and automated response. Configure a centralized management console to monitor all endpoints; ensure real-time protection is enabled, automatic updates are on, and cloud-delivered protection is active. Schedule daily quick scans and weekly full scans. Block execution from temp folders and USB drives, and turn on tamper protection so that a local administrator (or malware running as one) cannot switch the agent off.
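As an added example (not code from the original page or from Microsoft), the following PowerShell applies the baseline above to Microsoft Defender Antivirus on a single Windows host and then reads the state back in a form you can hand to an auditor. It assumes a Windows 10/11 or Server 2016+ machine with the Defender module present; where Intune or Group Policy manages Defender, that policy overrides local settings and this is the baseline to mirror there. The attack surface reduction rule GUIDs are Microsoft's documented identifiers and should be re-checked against the current ASR reference before deployment; the function name and the 3-day signature threshold are this example's own choices.

```powershell
#Requires -RunAsAdministrator
# Added example: Defender AV baseline for the "real-time, cloud-delivered, scheduled
# scans" guidance above, plus a read-back check. Not part of the original page.

# --- 1. Real-time, behaviour-based and cloud-delivered protection, scan schedule ---
$prefs = @{
    DisableRealtimeMonitoring     = $false
    DisableBehaviorMonitoring     = $false
    DisableIOAVProtection         = $false            # scan downloaded files and attachments
    DisableScriptScanning         = $false
    MAPSReporting                 = 'Advanced'        # cloud-delivered protection
    SubmitSamplesConsent          = 'SendSafeSamples'
    CloudBlockLevel               = 'High'
    CloudExtendedTimeout          = 50                # extra seconds to wait for a cloud verdict
    PUAProtection                 = 'Enabled'         # block potentially unwanted applications
    SignatureUpdateInterval       = 4                 # check for definitions every 4 hours
    ScanScheduleQuickScanTime     = '12:00'           # daily quick scan
    ScanParameters                = 'FullScan'        # weekly full scan ...
    ScanScheduleDay               = 'Saturday'        # ... on Saturday night
    ScanScheduleTime              = '02:00'
    DisableRemovableDriveScanning = $false            # include USB drives in full scans
}
Set-MpPreference @prefs
# Tamper protection cannot be set from PowerShell; enable it via Intune or the Security Center.

# --- 2. Attack surface reduction rules matching the lures described on this page ---
# Start in AuditMode, review events 1122 (audit) and 1121 (block) in the
# Microsoft-Windows-Windows Defender/Operational log, then switch to 'Enabled'.
$asrRules = @{
    'BE9BA2D9-53EA-4CDD-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Block JavaScript/VBScript from launching downloaded executables'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of potentially obfuscated scripts'
    '01443614-CD74-433A-B99E-2ECDC07BFC25' = 'Block executables unless prevalence/age/trusted-list criteria met'
    'B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4' = 'Block untrusted and unsigned processes that run from USB'
    'C1DB55AB-C21A-4637-BB3F-A12568109D35' = 'Use advanced protection against ransomware'
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = 'Block credential stealing from LSASS'
}
$mode = 'AuditMode'   # change to 'Enabled' after the audit events have been reviewed
foreach ($id in $asrRules.Keys) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $mode
}

# --- 3. Read-back: the evidence an auditor (and your own monitoring) should see ---
function Get-MalwareProtectionEvidence {
    $s = Get-MpComputerStatus
    $p = Get-MpPreference
    [pscustomobject]@{
        Host               = $env:COMPUTERNAME
        AMRunningMode      = $s.AMRunningMode            # 'Normal' = active; 'Passive' means another AV is primary
        RealTimeProtection = $s.RealTimeProtectionEnabled
        BehaviorMonitoring = $s.BehaviorMonitorEnabled
        CloudProtection    = ($p.MAPSReporting -eq 2)    # 2 = Advanced
        SignatureAgeDays   = $s.AntivirusSignatureAge
        LastQuickScan      = $s.QuickScanEndTime
        LastFullScan       = $s.FullScanEndTime
        ASRRulesEnforced   = @($p.AttackSurfaceReductionRules_Actions | Where-Object { $_ -eq 1 }).Count
        TamperProtected    = $s.IsTamperProtected
    }
}
$evidence = Get-MalwareProtectionEvidence
$evidence | Format-List
# The failure modes this page warns about: protection silently off or definitions going stale.
if (-not $evidence.RealTimeProtection -or $evidence.SignatureAgeDays -gt 3) {
    Write-Warning "$($evidence.Host): real-time protection off or signatures older than 3 days. Investigate."
}
```

Run Get-MalwareProtectionEvidence across the estate (for example via Invoke-Command) and export the objects to CSV; a fleet where every row shows AMRunningMode Normal, SignatureAgeDays under 3 and a recent LastFullScan is exactly the coverage and update-status evidence the audit section below asks for.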
Implement Email Security Gateway with Anti-Malware Scanning
Deploy email security that scans all inbound/outbound messages for malware, phishing, and malicious links: Microsoft Defender for Office 365, Proofpoint, Mimecast, Barracuda Email Security Gateway. Configure attachment sandboxing (detonate suspicious files in an isolated environment), URL rewriting (proxy links through a security scanner), impersonation protection, and DMARC/SPF/DKIM enforcement. Block executable attachments (.exe, .scr, .bat, .js, .vbs) by default, and also the container formats attackers use to smuggle them past extension filters (.iso, .img, .lnk, password-protected archives, macro-enabled Office files). Quarantine suspicious emails for admin review rather than delivering them to users.
Enable Web Filtering and DNS-Based Malware Protection
Block access to known malicious websites using web filtering appliances or cloud services: Cisco Umbrella, Zscaler, Cloudflare Gateway, Palo Alto DNS Security. These prevent users from visiting phishing sites, malware distribution servers, and command-and-control (C2) domains. Configure category-based blocking: malware, phishing, newly registered domains (under 30 days old), cryptomining, adult content. Enable safe search enforcement. Log all blocked attempts for security monitoring.
Configure Network-Based Malware Detection (IPS/IDS, Next-Gen Firewalls)
Deploy network security that inspects traffic for malware signatures and malicious behavior: Palo Alto Networks, Fortinet FortiGate, Cisco Firepower, Check Point. Enable intrusion prevention (IPS) to block known exploits, file-based threat analysis to scan downloads, and SSL/TLS inspection to detect malware in encrypted traffic (this needs the inspection CA deployed to endpoints and exclusions for categories such as banking and health where decryption is inappropriate). Configure threat intelligence feeds from vendors and CERT-In advisories. Implement network segmentation so malware can't spread laterally if one system is infected.
Conduct Regular Security Awareness Training on Malware Threats
Train employees quarterly on recognizing and avoiding malware threats: how to identify phishing emails (sender address spoofing, urgency language, suspicious attachments/links), dangers of downloading software from untrusted sources, risks of USB drives and removable media, social engineering tactics attackers use. Use phishing simulation campaigns monthly to test users—send fake phishing emails and track who clicks/reports. Provide immediate feedback and remedial training for users who fall for simulations. Recognize and reward vigilant employees who report suspicious emails.
Implement Application Whitelisting or Application Control
Prevent execution of unauthorized software using application whitelisting (Windows AppLocker or WDAC, Santa on macOS, or dedicated allowlisting tools like ThreatLocker or Airlock Digital). Define which applications are allowed to run based on publisher certificates, file hashes, or file paths. Block execution from user-writable directories (Downloads, Temp, AppData). This prevents ransomware and malware from executing even if it bypasses antivirus. For servers, implement strict whitelisting allowing only approved production applications. Test thoroughly before deployment to avoid blocking legitimate software.
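The following is an added example, not code from the original page or from Microsoft, showing how the allowlisting step above looks with Windows AppLocker: an executable-rule policy that allows the program directories and nothing user-writable, deployed in audit mode first and dry-run with Test-AppLockerPolicy before it is applied. It assumes a Windows SKU on which AppLocker is enforced (Enterprise, Education or Server). The rule names, the generated rule GUIDs, the policy file location and the Invoice.exe stand-in are this example's own choices; the list of writable subfolders under %WINDIR% is a partial one, pulled from commonly cited AppLocker bypass locations, and should be extended for your build.

```powershell
#Requires -RunAsAdministrator
# Added example: AppLocker EXE policy, audit mode first. Not part of the original page.

$everyone = 'S-1-1-0'        # well-known SID: Everyone
$admins   = 'S-1-5-32-544'   # well-known SID: BUILTIN\Administrators

# Default-deny: anything not matched by an Allow rule is blocked. Note the exceptions
# under %WINDIR%: those subfolders are writable by standard users, so a bare
# "allow %WINDIR%\*" rule would let a dropped payload run from there.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow Program Files" Description=""
                  UserOrGroupSid="$everyone" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow Windows except user-writable subfolders" Description=""
                  UserOrGroupSid="$everyone" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
      <Exceptions>
        <FilePathCondition Path="%WINDIR%\Temp\*" />
        <FilePathCondition Path="%WINDIR%\Tasks\*" />
        <FilePathCondition Path="%WINDIR%\Tracing\*" />
        <FilePathCondition Path="%SYSTEM32%\spool\drivers\color\*" />
      </Exceptions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow administrators everything" Description=""
                  UserOrGroupSid="$admins" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
$policyPath = Join-Path $env:ProgramData 'applocker-exe-audit.xml'
$policyXml | Set-Content -Path $policyPath -Encoding UTF8

# AppLocker evaluates nothing unless the Application Identity service is running.
# (Set-Service is refused for this protected service on recent builds; sc.exe works.)
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc

# Dry run against a stand-in for the phishing lure: a copy of a legitimate Microsoft
# binary dropped in Downloads. Path rules decide on location, so the copy is denied
# while the same file in System32 is allowed.
$lure = Join-Path $env:USERPROFILE 'Downloads\Invoice.exe'
Copy-Item "$env:WINDIR\System32\notepad.exe" $lure -Force
Test-AppLockerPolicy -XmlPolicy $policyPath -User Everyone `
                     -Path $lure, "$env:WINDIR\System32\notepad.exe" |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
Remove-Item $lure

# Apply in audit mode. Review the "AppLocker/EXE and DLL" event log for a few weeks:
# event 8003 = would have been blocked under enforcement. Once the false positives are
# handled, change EnforcementMode to "Enabled" in the XML and re-run Set-AppLockerPolicy.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
(Get-AppLockerPolicy -Effective).RuleCollections |
    Select-Object RuleCollectionType, EnforcementMode, Count
```

Publisher rules (for example, allowing anything signed by your line-of-business vendors) are added the same way with a FilePublisherRule element, and hash rules cover unsigned one-off tools; Get-AppLockerFileInformation plus New-AppLockerPolicy can generate both from a reference machine, but the audit-then-enforce sequence above is what keeps the rollout from blocking legitimate software on day one.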
Establish Malware Incident Response and Containment Procedures
Document procedures for when malware is detected: immediately isolate the infected system from the network (use the EDR's host-isolation action where available, otherwise disable Wi-Fi/Ethernet), notify the security team, preserve forensic evidence (don't reboot or wipe), identify the scope of infection (check other systems for the same indicators), determine data impact (was data exfiltrated or encrypted?), remediate by wiping and reimaging infected systems and restoring from clean backups, conduct root cause analysis, and update defenses to prevent recurrence. Report to CERT-In within 6 hours of noticing where the incident falls in its mandatory reporting categories (ransomware and malicious code attacks do). Practice response procedures quarterly through tabletop exercises.
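As an added example, not a script from the original page or from any vendor, here is what the first minutes of that procedure look like on a Windows host when a responder is working locally rather than through an EDR console: isolate, capture the volatile state that a reboot would destroy, pull Defender's own detection history, seal the collection with hashes, and stamp the CERT-In deadline. The evidence folder layout, the case-ID format, the IR_KEEP_ADAPTER environment variable and the CSV field selections are this example's own choices; a proper memory and disk image should still be taken before any cleanup.

```powershell
#Requires -RunAsAdministrator
# Added example: first-response triage for a Windows host with a confirmed malware
# detection. Not part of the original page. Run from an IR account; write to a separate
# volume or USB in practice.

$noticed = Get-Date                                       # when the incident was noticed
$case    = "IR-{0:yyyyMMdd-HHmmss}-$env:COMPUTERNAME" -f $noticed
$out     = Join-Path 'C:\IR' $case
New-Item -ItemType Directory -Path $out -Force | Out-Null

# 1. Isolate. Drop every active adapter except an optional management NIC named in
#    IR_KEEP_ADAPTER, so the responder's own session survives.
$keep = $env:IR_KEEP_ADAPTER
Get-NetAdapter | Where-Object { $_.Status -eq 'Up' -and $_.Name -ne $keep } |
    ForEach-Object { Disable-NetAdapter -Name $_.Name -Confirm:$false }

# 2. Volatile evidence first: running processes with image hashes, live connections.
Get-Process -IncludeUserName |
    Select-Object Id, ProcessName, Path, UserName, StartTime,
        @{ n = 'SHA256'; e = { if ($_.Path) { (Get-FileHash $_.Path -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash } } } |
    Export-Csv "$out\processes.csv" -NoTypeInformation
Get-NetTCPConnection | Where-Object { $_.State -in 'Established', 'SynSent' } |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess, CreationTime |
    Export-Csv "$out\connections.csv" -NoTypeInformation

# 3. Common persistence locations: non-Microsoft scheduled tasks and Run keys.
Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' -and $_.Author -notlike 'Microsoft*' } |
    Select-Object TaskName, TaskPath, Author,
        @{ n = 'Action'; e = { ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; ' } } |
    Export-Csv "$out\scheduled-tasks.csv" -NoTypeInformation
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$runKeys | Where-Object { Test-Path $_ } | ForEach-Object { Get-ItemProperty $_ } |
    Out-File "$out\run-keys.txt"

# 4. What Defender saw: detection history with the files and the user context involved.
Get-MpThreatDetection |
    Select-Object InitialDetectionTime, ThreatID, ProcessName, DomainUser, ActionSuccess,
        @{ n = 'Resources'; e = { $_.Resources -join '; ' } } |
    Export-Csv "$out\defender-detections.csv" -NoTypeInformation
Get-MpThreat | Select-Object ThreatID, ThreatName, SeverityID, IsActive |
    Export-Csv "$out\defender-threats.csv" -NoTypeInformation

# 5. Seal the collection so chain of custody can be shown later. Enumerate before
#    writing the manifest so the manifest does not list itself.
$collected = Get-ChildItem $out -File
$collected | Get-FileHash -Algorithm SHA256 | Select-Object Path, Hash |
    Export-Csv "$out\manifest.sha256.csv" -NoTypeInformation

# 6. Reporting clock: CERT-In's 2022 directions require notification within 6 hours
#    of noticing, so the deadline is fixed at the moment of detection, not at triage end.
$deadline = $noticed.AddHours(6)
@"
Case:           $case
Noticed:        $($noticed.ToString('o'))
CERT-In due by: $($deadline.ToString('o'))
Isolated at:    $((Get-Date).ToString('o'))
Next:           scope (search other hosts for the hashes and remote addresses above),
                assess data impact, reimage from a known-clean image, restore data from
                backups taken before $($noticed.ToString('u')).
"@ | Set-Content "$out\case-notes.txt"
Write-Host "Evidence in $out. Do not reboot or clean up until the memory/disk image is captured."
```

The order matters: isolation stops exfiltration and lateral movement, but processes and network connections are read before anything else is touched because they are the evidence most likely to vanish. The hashes in processes.csv and the remote addresses in connections.csv are the indicators the scoping step then searches for on other hosts.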
Audit Evidence
During your ISO 27001 certification audit, auditors will expect to see the following evidence to demonstrate compliance with A.8.7:
Documentation
- Malware Protection Policy or Endpoint Security Policy defining protection requirements
- Endpoint protection platform configuration screenshots showing enabled features
- Email security gateway configuration and malware detection logs
- Web filtering policy and blocked domain/category reports
- Security awareness training materials covering malware recognition and phishing
- Malware incident response procedures and runbooks
- CERT-In incident reporting evidence if applicable
Interviews
- IT security team about malware protection tools, monitoring, and incident response
- End users to verify they understand phishing risks and how to report suspicious emails
- SOC or monitoring team about how malware alerts are triaged and investigated
Observations
- Review endpoint protection console showing coverage, update status, and detection statistics
- Examine email security logs showing blocked malicious attachments and quarantined messages
- Test malware protection by downloading EICAR test file (should be blocked)
- Review phishing simulation results and user click rates
Practitioner Insights

I see organizations spend lakhs on enterprise EDR platforms but still get infected because nobody monitors the alerts. Malware protection is not "install and forget"—it requires daily monitoring of detection dashboards, investigating alerts (not dismissing as false positives), and tuning policies based on threats. If your EDR console shows 0 detections for 6 months, either you are incredibly lucky or the protection is not working. Test with EICAR and real-world phishing simulations.

User awareness is the weakest link. I have audited organizations with top-tier antivirus where a startling share of employees still clicked phishing simulation links, and some even entered credentials on fake login pages. Malware protection must combine technology (EPP/EDR, email security) with relentless user training. Run monthly phishing simulations, immediately retrain users who click, and reward vigilant employees who report suspicious emails. Make security awareness a continuous culture, not annual checkbox training.
Common Challenges & Solutions
Challenge
Employees complain antivirus slows down their computers and they want to disable it.
Solution
Modern EPP/EDR solutions are lightweight and cloud-optimized—performance issues are rare. Investigate the root cause: outdated hardware (upgrade RAM/SSD), misconfigured scans running during business hours (schedule for nights/weekends), or legacy antivirus (replace with modern solution). Educate users on the critical importance of protection. Use centralized management to prevent users from disabling antivirus—remove local admin rights. For performance-critical systems (CAD workstations, video editing), create exclusions for specific trusted folders, not the entire system.
Challenge
Email security gateway blocks legitimate emails and attachments, causing business disruption.
Solution
Tune email security policies to balance security and usability. Create allow-lists for trusted sender domains and IP addresses. Enable user self-service quarantine portals where users can review and release their own false positives. Implement "soft-fail" for medium-risk emails (deliver with warning banner) rather than blocking. For legitimate business needs to receive executables (software vendors, partners), require them to be delivered via secure file transfer (SFTP, SharePoint) instead of email. Review quarantine logs weekly and adjust policies based on false positive patterns.
Challenge
We got infected by ransomware despite having antivirus—what went wrong?
Solution
Signature-based antivirus alone is insufficient for modern threats. Ransomware operators use packers, polymorphic loaders, freshly compiled payloads that no signature yet covers, and living-off-the-land tools that are legitimate binaries. Upgrade to EDR with behavioral detection that identifies ransomware behavior (mass file encryption, shadow copy deletion, network propagation). Implement application whitelisting to prevent unknown executables from running. Enable email sandboxing to detonate suspicious attachments before delivery. Most importantly, maintain offline or immutable backups that ransomware cannot encrypt, and test restores regularly. Defense in depth: multiple overlapping controls, not a single silver bullet.
Challenge
Employees use personal devices (BYOD) for work—how do we ensure malware protection on devices we don't control?
Solution
Implement Mobile Device Management (MDM) or Mobile Application Management (MAM) that enforces security baselines: require antivirus installation, verify it is running and updated before granting access, use conditional access policies (Microsoft Intune, VMware Workspace ONE) that check device health before allowing connection. For true BYOD where users resist MDM, implement containerization: work apps and data live in encrypted container with separate malware protection, personal side of device is untouched. Alternatively, prohibit BYOD for roles accessing sensitive data and provide company-owned devices.
Challenge
Mac and Linux users say they don't need antivirus because "Macs don't get viruses."
Solution
This is a dangerous myth. While Macs and Linux see less commodity malware than Windows, they absolutely get malware—especially targeted attacks. macOS malware families like Adload, Shlayer, and Atomic Stealer have spread widely in recent years. Linux servers are frequently targeted by cryptominers, botnets, and ransomware (RansomEXX, DarkRadiation). Deploy endpoint protection for all platforms: Microsoft Defender for Endpoint (cross-platform), CrowdStrike Falcon, SentinelOne, ESET Endpoint Security. Configure the same protections: real-time scanning, behavioral analysis, web filtering. No exceptions based on operating system.