Cyber Essentials

Cyber Essentials Control 5: Malware Protection — Your Last Line of Defence

> series: cyber_essentials_demystified —— part: 07/10 —— control: malware_protection —— layer: last_line_of_defence

Hedgehog Security 19 March 2026 11 min read

When everything else fails, this control catches it.

Malware protection is the fifth and final technical control in the Cyber Essentials framework. It exists as a safety net — if an attacker bypasses the firewall, exploits a misconfiguration, leverages an unpatched vulnerability, or compromises user credentials, the malware protection control is designed to detect and prevent the execution of malicious software before it can cause damage. It is your last line of defence, and under Danzell v3.3, the requirements are clearly defined.


Recommended

Getting certified doesn't have to be painful.

We handle the Cyber Essentials process end to end — from gap analysis to certification.

Start Your Certification

How you can meet the requirement.

Cyber Essentials accepts three approaches to malware protection. You must implement at least one across all in-scope devices — and for most organisations, anti-malware software is the primary mechanism.

| Approach | How It Works | Best For |
| --- | --- | --- |
| Anti-Malware Software | Software that detects and prevents malware by scanning files on access, monitoring system behaviour, and checking downloads and web traffic against known threat signatures and heuristics. Must be configured to update signatures at least daily and scan automatically. | Most organisations. Windows Defender (built into Windows), Bitdefender, CrowdStrike, SentinelOne, Sophos, and similar products all satisfy this requirement when correctly configured. |
| Application Whitelisting | Only explicitly approved applications are allowed to execute. Everything else is blocked by default. This is a more restrictive approach that prevents unknown malware from running, but requires careful management of the approved application list. | High-security environments, kiosks, and single-purpose devices where the application set is well-defined and changes infrequently. |
| Sandboxing | Applications run in an isolated environment where they cannot access the wider system or network. If the application is malicious, the damage is contained within the sandbox. | Specialised use cases — browser isolation, email attachment sandboxing. Rarely used as the primary malware protection mechanism. |

What the assessor checks.

Automatic Signature Updates

Anti-malware signatures must update at least daily. Most modern endpoint protection updates continuously in real-time. The assessor will check that automatic updates are enabled and that signature databases are current — not weeks or months out of date.

On-Access Scanning

Files must be scanned automatically when accessed — not just during scheduled scans. This ensures that malware is detected the moment it is opened, downloaded, or copied, rather than waiting for a weekly scan to find it.

Web Protection

The anti-malware solution should prevent connections to known malicious websites and scan web downloads. This protects against drive-by downloads and malicious links in phishing emails.

Preventing Unauthorised Software

Users should be prevented from installing unauthorised software. This can be achieved through application whitelisting, restricting installation privileges to administrators only, or using endpoint management policies that control what can be installed.

What we find during assessments.

The most common malware protection failures we encounter during CE Plus assessments are not dramatic — they are simple oversights. Anti-malware disabled by a user who found it 'slowed down their machine'. Signature updates paused because the device was offline for an extended period and never caught up. Third-party anti-malware installed but not correctly licensed, resulting in expired definitions. Windows Defender disabled by a Group Policy that was intended to defer to a third-party product that was never fully deployed.

The fix for all of these is the same: centralised management. Use your endpoint management platform — Microsoft Intune, Group Policy, or your MDM solution — to enforce anti-malware state across your estate. If a device's anti-malware is disabled or out of date, it should be flagged and remediated automatically, not discovered during an assessment.
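As an added example that is not part of the original article and not a Hedgehog Security tool: the PowerShell below turns the assessor's four checks (daily signatures, on-access scanning, web protection, no unauthorised installers) and the centralised-management point above into a detection/remediation pair in the style of an Intune remediation script, so that a device whose anti-malware is disabled or out of date is flagged by the platform rather than found during an assessment. It uses the Microsoft Defender module's Get-MpComputerStatus, Get-MpPreference and Set-MpPreference cmdlets. The following are assumptions rather than Cyber Essentials requirements: the 'Active mode' check (which assumes Defender is the primary product, so that the third-party-never-deployed failure described above shows up as Defender sitting in passive mode), the 7-day quick-scan threshold, and the default $AllowedAdmins list.

```powershell
# Added example (not from the original article). Detection/remediation pair in the
# style of an Intune remediation script, checking Microsoft Defender against the
# Cyber Essentials criteria described in the article. Requires the Defender module.
# Assumptions: Defender is the primary anti-malware product (the 'Active mode' check),
# a 7-day quick-scan threshold, and the default $AllowedAdmins allow-list.

function Test-MalwareProtectionState {
    [CmdletBinding()]
    param(
        [int]$MaxSignatureAgeDays = 1,    # "at least daily" signature updates (from the article)
        [int]$MaxQuickScanAgeDays = 7,    # assumed threshold, not a CE requirement
        [string[]]$AllowedAdmins = @("$env:COMPUTERNAME\Administrator")  # assumed allow-list
    )

    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference

    # Local admins outside the allow-list can install software the policy does not approve
    $admins     = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
                    ForEach-Object { $_.Name })
    $unexpected = @($admins | Where-Object { $AllowedAdmins -notcontains $_ })

    $checks = [ordered]@{
        # Engine running, and not pushed into passive mode by a (possibly half-deployed) third-party product
        'AM service running'         = $status.AMServiceEnabled -and $status.AntivirusEnabled
        'Active mode'                = $status.AMRunningMode -eq 'Normal'
        # On-access scanning: files checked the moment they are opened, downloaded or copied
        'Real-time protection'       = $status.RealTimeProtectionEnabled -and -not $pref.DisableRealtimeMonitoring
        'On-access protection'       = $status.OnAccessProtectionEnabled
        'Behaviour monitoring'       = $status.BehaviorMonitorEnabled
        # Signatures updated at least daily
        'Signatures current'         = $status.AntivirusSignatureAge -le $MaxSignatureAgeDays
        # Web protection: scan downloads (IOAV) and block connections to known-bad destinations
        'Download scanning (IOAV)'   = $status.IoavProtectionEnabled -and -not $pref.DisableIOAVProtection
        'Network protection'         = $pref.EnableNetworkProtection -eq 1   # 0 = off, 1 = block, 2 = audit
        'Recent quick scan'          = $status.QuickScanAge -le $MaxQuickScanAgeDays
        # Unauthorised software: only approved accounts hold local admin rights
        'No unexpected local admins' = $unexpected.Count -eq 0
    }

    $failed = @($checks.GetEnumerator() | Where-Object { -not $_.Value } | ForEach-Object { $_.Key })

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        SignatureVersion     = $status.AntivirusSignatureVersion
        SignatureLastUpdated = $status.AntivirusSignatureLastUpdated
        SignatureAgeDays     = $status.AntivirusSignatureAge
        UnexpectedAdmins     = $unexpected
        FailedChecks         = $failed
        Compliant            = ($failed.Count -eq 0)
    }
}

function Repair-MalwareProtectionState {
    # Fixes the settings a local script can fix. With Tamper Protection on, the
    # Set-MpPreference calls are refused and the change has to come via Intune or GPO.
    param([string[]]$FailedChecks)

    if ($FailedChecks -contains 'Signatures current')       { Update-MpSignature }
    if ($FailedChecks -contains 'Real-time protection')     { Set-MpPreference -DisableRealtimeMonitoring $false }
    if ($FailedChecks -contains 'Behaviour monitoring')     { Set-MpPreference -DisableBehaviorMonitoring $false }
    if ($FailedChecks -contains 'Download scanning (IOAV)') { Set-MpPreference -DisableIOAVProtection $false }
    if ($FailedChecks -contains 'Network protection')       { Set-MpPreference -EnableNetworkProtection Enabled }
    if ($FailedChecks -contains 'Recent quick scan')        { Start-MpScan -ScanType QuickScan }
    # 'Active mode' and 'No unexpected local admins' need a policy change or a human, not a script.
}

$result = Test-MalwareProtectionState
$result | Format-List

# Intune convention: the detection script exits 1 to trigger the remediation script.
# When run stand-alone by an administrator, the repair is applied directly.
if (-not $result.Compliant) {
    Write-Output ("Non-compliant: " + ($result.FailedChecks -join ', '))
    Repair-MalwareProtectionState -FailedChecks $result.FailedChecks
    exit 1
}
Write-Output 'Compliant'
exit 0
```

In an Intune deployment the Test function and the exit-code logic form the detection script and the Repair function forms the remediation script, run on a schedule as SYSTEM; the FailedChecks list is what you would surface in the compliance report, since 'which check failed' is the difference between a user who switched off real-time protection and a device that simply never caught up on signatures after being offline.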


Why anti-malware alone is not enough.

Anti-malware software detects known threats and behavioural patterns. It does not detect novel attacks, fileless malware, living-off-the-land techniques, or attackers who use legitimate tools maliciously. This is why Cyber Essentials treats malware protection as one control among five — and why organisations that want genuine security, not just compliance, layer additional detection capabilities on top.

SOC in a Box provides 24/7 security monitoring that sits above endpoint anti-malware — correlating events across your entire estate, detecting the attacks that endpoint tools miss, and providing a named analyst who investigates every alert. The combination of Cyber Essentials compliance and continuous SOC monitoring creates a defence posture that is meaningfully harder to breach than either approach alone.

For organisations that want to validate how well their malware protection performs against realistic attack techniques, our penetration testing service includes controlled payload delivery and evasion testing that demonstrates exactly what gets through — and what does not.


Part 8 preview.

With all five controls covered, next week we bring everything together in a comprehensive look at the Danzell question set itself — every significant change, the new auto-fail criteria, the revised CE Plus process, the updated scoping rules, and what organisations need to do before 27 April 2026.


Five controls assessed. One certification body.

Hedgehog Security is an IASME-approved certification body for both Cyber Essentials and Cyber Essentials Plus. For organisations that want continuous protection beyond the certificate, SOC in a Box (https://www.socinabox.co.uk) provides 24/7 managed security with Cyber Essentials support included.
