cmmc-si-4 High priority System & Info Integrity / System Scanning

Perform periodic system scans and real-time scans of files from external sources

Beyond real-time protection, systems should undergo periodic full scans that inspect every file on disk for malicious content. These scans catch files that real-time protection missed, files that entered before protection was deployed, and files that were not recognized as malicious when they arrived but are now covered by updated signatures or detection logic. Additionally, any file arriving from an external source, whether downloaded from the internet, received via email, copied from removable media, or transferred from an external system, should be scanned before it is opened or executed. This defense-in-depth approach catches threats that evade real-time protection.

Implementation steps

  1. Configure scheduled full system scans

    Schedule regular full scans of every system in scope for FCI, at minimum weekly for both workstations and servers. Run scans during off-hours to minimize performance impact, and enable catch-up behaviour so a system that was powered off during its window is scanned when it next comes online rather than skipping the week. Ensure scan results are logged to the centralized management console and that failed or overdue scans generate alerts.

    Tools: CrowdStrike, SentinelOne, Microsoft Defender, Carbon Black
  2. Enable on-access scanning for files from external sources

    Configure endpoint protection to scan files when they are opened or executed (on-access scanning), not only when they arrive. This ensures that files which were clean when downloaded but were later modified, and files that bypassed initial scanning, are still inspected before execution. Do not rely on arrival-time checks alone: origin markers such as the Windows mark of the web are lost when a file is copied to FAT-formatted media or extracted by a tool that does not propagate them. Enable scanning of files on network shares and removable media.

    Tools: CrowdStrike, SentinelOne, Microsoft Defender
  3. Scan removable media before use

    Configure endpoint protection to automatically scan USB drives and other removable media when they are connected, and include removable drives in scheduled full scans. Educate users to let the scan complete before accessing files. Consider device control policies that block removable media entirely on systems handling FCI, permitting it only for specific, approved business needs.

    Tools: Microsoft Defender, CrowdStrike, Intune
  4. Review scan results and investigate detections

    Review periodic scan reports and investigate every detection. A detection made by a scheduled scan rather than by real-time protection means the file was already on disk before it was caught and may have been present, or even executed, for some time. Investigate how the threat arrived, what it may have accessed, and whether other systems are affected.

    Tools: CrowdStrike, SentinelOne, Splunk
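The four steps above, carried out on a Windows endpoint with Microsoft Defender Antivirus, as an added example that is not part of the original page. It uses only the built-in Defender cmdlets (Set-MpPreference, Get-MpPreference, Get-MpComputerStatus, Get-MpThreat, Get-MpThreatDetection, Start-MpScan). The Saturday 02:00 window, the 7-day overdue threshold and the C:\Evidence output path are assumptions chosen for this example; the DetectionSourceTypeID mapping is taken from the MSFT_MpThreatDetection class documentation.

```powershell
# Added example (not from the original page): configure, verify and report on
# Defender scanning for the four implementation steps. Run elevated.
#Requires -RunAsAdministrator

# --- Step 1: weekly full scan, off-hours, with catch-up if the window is missed ---
Set-MpPreference -ScanParameters 2 `             # 2 = full scan (1 = quick scan)
                 -ScanScheduleDay 7 `            # 7 = Saturday (0 = every day, 8 = never); assumption
                 -ScanScheduleTime '02:00:00' `  # local time of day; assumption
                 -DisableCatchupFullScan $false  # run a missed full scan at next opportunity

# --- Step 2: on-access / real-time scanning, including downloads and network files ---
Set-MpPreference -DisableRealtimeMonitoring $false `
                 -DisableIOAVProtection $false `               # scan downloads and attachments
                 -DisableScanningNetworkFiles $false `
                 -ScanMappedNetworkDrivesForFullScan $true

# --- Step 3: include removable drives in scans ---
Set-MpPreference -DisableRemovableDriveScanning $false

# --- Step 4 / evidence: verify the resulting state and flag an overdue full scan ---
function Get-ScanComplianceReport {
    param([int]$MaxFullScanAgeDays = 7)   # assumption: weekly cadence from step 1

    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference

    [pscustomobject]@{
        Computer                  = $env:COMPUTERNAME
        RealTimeProtectionEnabled = $status.RealTimeProtectionEnabled
        ScheduledScanType         = if ($pref.ScanParameters -eq 2) { 'Full' } else { 'Quick' }
        ScheduledDay              = $pref.ScanScheduleDay
        ScheduledTime             = $pref.ScanScheduleTime
        RemovableDriveScanning    = -not $pref.DisableRemovableDriveScanning
        NetworkFileScanning       = -not $pref.DisableScanningNetworkFiles
        LastFullScanEnd           = $status.FullScanEndTime
        FullScanAgeDays           = $status.FullScanAge
        FullScanOverdue           = ($status.FullScanAge -gt $MaxFullScanAgeDays)
        SignatureAgeDays          = $status.AntivirusSignatureAge
    }
}

# --- Step 4: list detections and single out those found by a scan rather than on access ---
function Get-ScanDetections {
    # Threat names are keyed by ThreatID in a separate cmdlet
    $names = @{}
    Get-MpThreat | ForEach-Object { $names[$_.ThreatID] = $_.ThreatName }

    Get-MpThreatDetection | ForEach-Object {
        # DetectionSourceTypeID (MSFT_MpThreatDetection): 1 = User-initiated scan,
        # 2 = System/scheduled scan, 3 = real-time protection, 4 = IOAV (download/attachment)
        $src = switch ([int]$_.DetectionSourceTypeID) {
            1 { 'ManualScan' } 2 { 'ScheduledScan' } 3 { 'RealTime' } 4 { 'IOAV' }
            default { "Other($_)" }
        }
        [pscustomobject]@{
            Threat     = $names[$_.ThreatID]
            Source     = $src
            Resources  = ($_.Resources -join '; ')
            FirstSeen  = $_.InitialDetectionTime
            Remediated = $_.ActionSuccess
            # Caught by a scan, not on access: the file was already on disk,
            # so trace how it arrived and what else may be affected
            NeedsInvestigation = ($src -in 'ManualScan', 'ScheduledScan')
        }
    } | Sort-Object NeedsInvestigation, FirstSeen -Descending
}

$report = Get-ScanComplianceReport
$report | Format-List
Get-ScanDetections | Format-Table -AutoSize

# Evidence for the assessor: scan configuration/state and detection history (path is an assumption)
$stamp = Get-Date -Format 'yyyyMMdd'
New-Item -ItemType Directory -Path 'C:\Evidence' -Force | Out-Null
$report            | Export-Csv -NoTypeInformation -Path "C:\Evidence\si4-scan-config-$stamp.csv"
Get-ScanDetections | Export-Csv -NoTypeInformation -Path "C:\Evidence\si4-detections-$stamp.csv"

# If the scheduled scan was missed, do not wait another week
if ($report.FullScanOverdue) { Start-MpScan -ScanType FullScan }
```

Two caveats when running this: on endpoints with tamper protection enabled, or where Defender is managed by Intune or Group Policy, Set-MpPreference changes to real-time protection settings are ignored and the policy must be changed at the management layer instead, so always confirm the outcome with Get-MpPreference rather than trusting the Set call. The CSV exports are per-endpoint; for the centralized evidence the control asks for, pull the same fields from the management console or forward them to the SIEM.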

Evidence required

Scheduled scan configuration

Evidence that periodic full scans are configured and running on schedule.

  - Scan schedule configuration in management console
  - Scan job history showing recent completions

Scan results and reports

Recent scan reports showing scan completion and any detections.

  - Weekly scan summary reports
  - Threat detection and response logs

Removable media scanning configuration

Evidence that removable media is scanned on connection.

  - Endpoint protection policy showing removable media scan setting
  - Device control policy configuration

Related controls