ISMS 10: Anti-malware Security Standard

This document describes the Anti-malware Protection Security Standard and forms part of Upmind Automation Limited’s overall Information Security Management System Framework.

This document is a security standard and as such describes security control requirements. Detailed configuration and implementation requirements SHOULD be contained within operational procedure and guidelines documentation.

The controls in this standard MUST be implemented in accordance with local laws.

Purpose

This standard defines the controls relating to the management of anti-malware protection.

Exceptions

Exceptions to the application of this standard or where particular controls cannot be implemented MUST invoke the formal Exception to Policy processes with appropriate risk acceptance and approval.

Terms used

In this document the terms MUST and SHOULD are used; when written in upper case they have the following meaning:

  • MUST means mandatory. It is an absolute requirement.
  • MUST NOT means forbidden. It is an absolute prohibition.
  • SHOULD means a requirement. Any non-compliance MUST follow the formal Exceptions to Policy Process.
  • SHOULD NOT means a prohibition. Any non-compliance MUST follow the formal Exceptions to Policy Process (Ref A).

Scope

Installation and maintenance of anti-malware software on all Upmind Automation Limited devices, where applicable:

  • Microsoft Windows-based workstations, laptops and servers;
  • Apple iOS-based workstations, laptops and mobile phones;
  • Android OS-based workstations, laptops and mobile phones;
  • Linux / *nix-based systems where user-initiated file upload exists.

General controls

The importance of an update strategy cannot be overstated.
Without both the latest DAT files and the latest scanning engine installed, a system is not fully protected against the latest viruses.

System components and definitions

DAT: Detection definition files, also called malware signatures, which work with the scanning engine to identify and take action on threats. Usually released daily.
Antivirus software engine: Scans the files, folders, and disks on the client computer and compares them with the information in the DAT files for known viruses.
Management agent: Provides secure communication between managed products on the endpoint and the endpoint management server. The agent also provides local services such as updating, logging, reporting events and properties, task scheduling, communication, and policy storage.
Buffer overflow protection: Analyses API calls made by certain processes to confirm that they do not attempt to overwrite adjacent data in the memory buffer.
Script Scan: Finds threats in scripts from browsers or other applications that use the Windows Script Host. The script scanner operates as a proxy component to the real Windows Script Host component: it intercepts scripts and scans them before they are executed.
Unwanted Program Protection: Eliminates potentially unwanted programs such as spyware and adware from computers.
Spam: Unsolicited messages, typically sent by email.
Firewall: Monitors communication between the computer and resources on the network and the Internet, and intercepts suspicious communications.
Device control: Prevents loss of sensitive data by restricting the use of removable media.
Whitelisting / program control: Blocks unauthorised executables.
Update process: Receives automatic updates of the DAT files and scanning engine from the vendor’s website.

Anti-virus and anti-spyware

  • End users MUST have antivirus and anti-malware software installed and active on their machines at all times.
  • DAT and scan engine updates MUST be scheduled on a daily basis.
  • Other components (service packs, software patches, etc.) SHOULD be deployed in line with vendor recommendations, and no later than 30 days after vendor notification.
  • Real-time / on-access protection scanning MUST be enabled and an appropriate policy applied.
  • On-access scanning (scans files as they are opened, executed or closed, allowing immediate detection and treatment of viruses) MUST cover the following:
      • It MUST be enabled at system start-up and scan boot sectors;
      • Antivirus software MUST scan files when writing to disk and when reading from disk;
      • Antivirus software SHOULD scan default and additional file types (e.g. known targets of infection);
      • Antivirus software MUST enable heuristic scans, including macros;
      • Antivirus software MUST scan inside archives.
  • Any exclusions from antivirus scanning (directories and file extensions excluded from scanning) MUST be documented and reviewed on a quarterly basis.
  • Antivirus protection MUST prevent remote creation of autorun files.
  • Antivirus protection MUST prevent hijacking of .EXE and other executable extensions.
  • Antivirus scanning of email on end-user devices MUST be enabled and apply the same scan policies to the email body and attachments.
  • Actions (remediation options): repair or clean if possible, otherwise delete.
  • Anti-spyware protection MUST prevent all programs from running files from the Temp folder.
  • Anti-spyware protection MUST prevent execution of scripts from the Temp folder.
  • Periodic scanning (a detailed scan of every file on the selected scan targets) MUST be enabled and scheduled at least weekly.

Firewall

  • End-user device firewalls MUST be enabled in all connection profiles.
  • Outbound connections MUST be allowed by default.
  • The firewall MUST be configured to block all unapproved inbound connections.
  • End users MUST NOT be able to modify firewall software settings; therefore a configuration lock MUST be applied.
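The following is an added example of how the controls in the two sections above can be checked on a Windows endpoint; it is not part of this standard and is not Upmind Automation Limited's tooling. The standard names no vendor, so the script assumes the built-in Microsoft Defender Antivirus and Windows Defender Firewall on Windows 10/11, with the Defender PowerShell module available and an elevated session. The signature-age and scan-age thresholds are taken from the wording of the controls (daily DAT updates, weekly periodic scan); the mapping of "heuristic scans" onto Defender's behaviour monitoring is an assumption, as Defender exposes no separate heuristics switch. The script is read-only: it reports compliance and lists scan exclusions for the quarterly review record.

```powershell
# Added example: read-only compliance check of Microsoft Defender Antivirus and
# Windows Defender Firewall against the anti-virus and firewall controls above.
# Assumes Windows 10/11, the built-in Defender module, and an elevated session.

$MaxSignatureAgeDays = 1   # control: DAT and engine updates scheduled daily
$MaxFullScanAgeDays  = 7   # control: periodic scan at least weekly

$status = Get-MpComputerStatus
$pref   = Get-MpPreference

$checks = [System.Collections.Generic.List[object]]::new()
function Add-Check {
    param([string]$Control, [bool]$Pass, $Observed)
    $checks.Add([pscustomobject]@{ Control = $Control; Compliant = $Pass; Observed = "$Observed" })
}

# --- Anti-virus and anti-spyware controls ---
Add-Check 'Antivirus service running'       $status.AMServiceEnabled          $status.AMServiceEnabled
Add-Check 'Antispyware protection enabled'  $status.AntispywareEnabled        $status.AntispywareEnabled
Add-Check 'Real-time protection enabled'    $status.RealTimeProtectionEnabled $status.RealTimeProtectionEnabled
Add-Check 'On-access scanning enabled'      $status.OnAccessProtectionEnabled $status.OnAccessProtectionEnabled
Add-Check "Signatures no older than $MaxSignatureAgeDays day(s)" `
    ($status.AntivirusSignatureAge -le $MaxSignatureAgeDays) `
    "age=$($status.AntivirusSignatureAge)d version=$($status.AntivirusSignatureVersion)"
Add-Check 'Scan engine present'             ([bool]$status.AMEngineVersion)   $status.AMEngineVersion
# Assumption: behaviour monitoring is the closest Defender analogue to "heuristic scans".
Add-Check 'Behaviour monitoring enabled'    $status.BehaviorMonitorEnabled    $status.BehaviorMonitorEnabled
Add-Check 'Archive scanning enabled'        (-not $pref.DisableArchiveScanning) $pref.DisableArchiveScanning
Add-Check 'Email scanning enabled'          (-not $pref.DisableEmailScanning)   $pref.DisableEmailScanning
Add-Check 'Script scanning enabled'         (-not $pref.DisableScriptScanning)  $pref.DisableScriptScanning
Add-Check 'Unwanted program blocking enabled' ([int]$pref.PUAProtection -eq 1) $pref.PUAProtection
# FullScanAge is reported in days; a host that has never completed a full scan
# reports a very large value and therefore fails this check, as it should.
Add-Check "Full scan within the last $MaxFullScanAgeDays day(s)" `
    ($status.FullScanAge -le $MaxFullScanAgeDays) "age=$($status.FullScanAge)d"

# --- Firewall controls: enabled in every profile, inbound blocked, outbound allowed ---
foreach ($profile in Get-NetFirewallProfile) {
    $name = $profile.Name
    Add-Check "Firewall enabled ($name profile)" `
        ("$($profile.Enabled)" -eq 'True') $profile.Enabled
    Add-Check "Inbound blocked by default ($name profile)" `
        ("$($profile.DefaultInboundAction)" -eq 'Block') $profile.DefaultInboundAction
    # NotConfigured falls back to the platform default, which is Allow for outbound.
    Add-Check "Outbound allowed by default ($name profile)" `
        ("$($profile.DefaultOutboundAction)" -in 'Allow', 'NotConfigured') $profile.DefaultOutboundAction
}

# --- Exclusions: the standard requires these to be documented and reviewed
#     quarterly, so they are listed for the review record rather than scored ---
$exclusions = @(
    @($pref.ExclusionPath) + @($pref.ExclusionExtension) + @($pref.ExclusionProcess) |
        Where-Object { $_ }
)

$checks | Format-Table Control, Compliant, Observed -AutoSize
"Scan exclusions recorded for quarterly review: $($exclusions.Count)"
$exclusions | ForEach-Object { "  $_" }

$failed = @($checks | Where-Object { -not $_.Compliant })
if ($failed.Count -gt 0) {
    Write-Warning "$($failed.Count) control(s) non-compliant: remediate or raise an Exception to Policy."
    exit 1
}
```

Run it from an elevated PowerShell prompt on the endpoint being checked; a non-zero exit code makes it usable from a scheduled task or an endpoint-management job that feeds the weekly compliance check described under Compliance. Each row names the control it maps to, so a failed row can be traced straight back to the requirement in this standard.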

Email protection on gateways

  • The organisation MUST use an anti-spam solution that filters incoming and outgoing email.
  • The organisation MUST use an anti-phishing solution capable of scanning suspicious links and attachments.
  • All incoming and outgoing emails and their attachments MUST be scanned by an antivirus solution.

Legacy systems

  • If the current anti-malware solution does not support an outdated system, IT MUST apply whitelisting of the existing programs and their components.

Responsibilities

  • The Director is responsible for implementation of the Anti-malware security standard.
  • Every member of the Upmind Automation Limited IT department and the respective third parties are responsible for implementing the Anti-malware security standard.

Compliance

The Director maintains a current list of all servers, workstations and other devices to ensure that installation is complete, and carries out compliance checks on a weekly basis to ensure that all components are up to date.
Compliance with this standard MUST occur from the first day of approval.

Appendix

Adware: Generates revenue by displaying advertisements targeted at the user. Adware earns revenue from either the vendor or the vendor's partners. Some types of adware can capture or transmit personal information.
Dialer: Redirects Internet connections to a party other than the user's default ISP. Dialers are designed to add connection charges for a content provider, vendor, or other third party.
Joke: Claims to harm a computer, but has no malicious payload or use. Jokes don't affect security or privacy, but might alarm or annoy a user.
Keylogger: Intercepts data between the user entering it and the intended recipient application. A Trojan horse keylogger and a potentially unwanted program keylogger might be functionally identical.
Password Cracker: Enables a user or administrator to recover lost or forgotten passwords from accounts or data files. Used by an attacker, they provide access to confidential information and are a security and privacy threat.
Potentially unwanted program: Includes often-legitimate software (non-malware) that might alter the security state or privacy posture of the system. This software can be downloaded with a program that the user wants to install. It can include spyware, adware, keyloggers, password crackers, hacker tools, and dialer applications.
Remote Admin Tool: Gives an administrator remote control of a system. These tools can be a significant security threat when controlled by an attacker.
Spyware: Transmits personal information to a third party without the user's knowledge or consent. Spyware exploits infected computers for commercial gain by:
  • Delivering unsolicited pop-up advertisements;
  • Stealing personal information, including financial information such as credit card numbers;
  • Monitoring web-browsing activity for marketing purposes;
  • Routing HTTP requests to advertising sites.
Stealth: A type of virus that attempts to avoid detection by anti-virus software. Also known as an interrupt interceptor. Many stealth viruses intercept disk-access requests: when an anti-virus application tries to read files or boot sectors to find the virus, the virus shows a "clean" image of the requested item. Other stealth viruses hide the actual size of an infected file and display the size of the file before infection.
Trojan horse: A malicious program that pretends to be a benign application. A trojan doesn't replicate, but causes damage or compromises the security of your computer. Typically, a computer becomes infected:
  • When a user opens a trojan attachment in an email;
  • When a user downloads a trojan from a website;
  • Through peer-to-peer networking.
Because they don't replicate themselves, trojans aren't considered viruses.
Virus: Attaches to disks or other files and replicates itself repeatedly, typically without the user's knowledge or permission. Some viruses attach to files, so when the infected file executes, the virus also executes. Other viruses reside in a computer's memory and infect files as the computer opens, modifies, or creates them. Some viruses exhibit symptoms, while others damage files and computer systems.