
Malware Protection Requirements for Cyber Essentials Plus

Malware protection is the fourth of the five technical controls in the Cyber Essentials scheme, and it is arguably the most actively tested during a Cyber Essentials Plus assessment. Unlike other controls where the assessor inspects configurations and reviews settings, the malware protection control involves live testing — the assessor will actually attempt to deliver malware to your systems and verify that it is blocked.

This guide covers the malware protection requirements for Cyber Essentials Plus in detail, including the three approved approaches to malware defence, what the assessor will test, common failure points, and how to ensure your protection passes the independent technical audit.

For UK organisations, the stakes have never been higher. The NCSC Annual Review reported a continued surge in ransomware and commodity malware targeting British businesses across every sector, with small and medium enterprises particularly vulnerable to opportunistic attacks. The DSIT Cyber Security Breaches Survey found that 50% of businesses and 32% of charities reported some form of cyber security breach or attack in the preceding 12 months, with malware featuring prominently among the threat types encountered. Effective malware protection is not merely a compliance checkbox — it is a foundational layer of real-world cyber resilience that can mean the difference between business continuity and a devastating breach.

7.78M: Cyber crimes reported in the UK in the last 12 months (ONS Crime Survey)
£4,200: Average cost of a cyber breach for UK small businesses (DSIT Breaches Survey)
94%: Of all malware delivered via email attachments and links (Verizon DBIR)
560K: New malware variants detected globally every single day (AV-TEST Institute)

The Three Approved Approaches

The Cyber Essentials standard recognises three approaches to malware protection. You must implement at least one on every device in scope:

Anti-Malware Software

Traditional and next-gen AV that detects and blocks malicious files, URLs, and behaviours in real time.

Most common approach

Application Allowlisting

Only pre-approved applications can run. Everything else is blocked by default, including malware.

Strongest but most restrictive

Sandboxing

Applications run in isolated environments so malware cannot affect the wider system.

Specialised use cases

Approach 1: Anti-Malware Software (Most Common)

The vast majority of organisations meet this control using anti-malware software. The standard requires that anti-malware is:

Installed on every device in scope: Every workstation, laptop, server, and mobile device must have anti-malware software. This includes macOS devices and mobile devices — not just Windows PCs.

Configured for automatic updates: Malware definitions must be updated automatically and frequently (at least daily). Running outdated definitions is almost as bad as running no protection at all.

Set for real-time scanning: The anti-malware must scan files in real time as they are accessed, created, or downloaded. Scheduled-only scanning is not sufficient.

Configured to scan web pages: The software should block connections to known malicious websites and scan web content as it is accessed through browsers.

Set to scan email: If email is downloaded to the device (rather than accessed via a web browser only), the anti-malware should scan email attachments.

Key Insight: Windows Defender (now called Microsoft Defender Antivirus) is an acceptable anti-malware solution for Cyber Essentials Plus. You do not necessarily need a third-party product, but Defender must be properly configured with real-time protection enabled, automatic updates turned on, and cloud-delivered protection active.

Pro Tip

When configuring Microsoft Defender for CE+ compliance, ensure you also enable Tamper Protection alongside real-time scanning. This prevents malware from silently disabling Defender — a tactic used by approximately 30% of modern malware strains targeting UK businesses. You can enforce this setting centrally through Microsoft Intune or Group Policy, which also makes it considerably easier to demonstrate compliance during the assessment.

Approach 2: Application Allowlisting

Application allowlisting (also known as application whitelisting) takes a different approach to malware prevention. Instead of trying to identify and block malicious software, it only permits approved applications to run. Everything else — including any malware — is automatically blocked.

This approach is extremely effective but can be more complex to manage, as every legitimate application needs to be explicitly approved. It is most commonly used in environments with a fixed set of applications (such as kiosks, point-of-sale systems, or specialised workstations).

Tools that can implement application allowlisting include Windows AppLocker, Windows Defender Application Control (WDAC), and third-party solutions.

Approach 3: Sandboxing

Sandboxing isolates applications in a contained environment so that even if malware is present, it cannot affect the underlying operating system or other applications. This approach is less commonly used as a primary malware defence but can complement anti-malware software in specific scenarios.

How Malware Protection Is Tested in CE+

This is where the Cyber Essentials Plus assessment becomes truly hands-on. The assessor actively tests your malware protection using industry-standard techniques:

EICAR Test File Downloads

The assessor will attempt to download EICAR test files using web browsers on sampled devices. EICAR files are industry-standard test files that are detected by all reputable anti-malware products as malicious, but are completely harmless. They allow malware protection to be tested safely without using real malware.

The EICAR test comes in several forms:

Test File Type   Description                                 Expected Result
eicar.com        Standard EICAR test string as a .com file   Blocked or quarantined
eicar.com.txt    EICAR test string as a text file            Blocked or quarantined
eicar_com.zip    EICAR file within a ZIP archive             Blocked or quarantined
eicarcom2.zip    EICAR file within a nested ZIP archive      Blocked or quarantined

The assessor will attempt to download these files via HTTP and HTTPS. If any EICAR test file successfully reaches a device without being blocked, it constitutes a failure.

Email Malware Testing

The assessor will send test emails containing EICAR files (or similar harmless test patterns) as attachments to verify that your email filtering blocks them before they reach users' inboxes. This tests both your email security gateway and any endpoint protection.

Pro Tip

Run your own EICAR email test at least two weeks before the official assessment. Send EICAR test attachments from an external email address to several internal mailboxes across different departments. If any attachment reaches a user inbox unblocked, you have a critical gap to remediate. Pay special attention to shared mailboxes and distribution lists — these are frequently overlooked during preparation but are fully within the scope of the assessor's testing.

Browser and Download Protection

The assessor verifies that your anti-malware prevents connections to known malicious websites and blocks malicious downloads. They may test this by attempting to access known malware distribution URLs (using safe test URLs provided by the testing framework).

4 Tests: EICAR test file variants the assessor will attempt to download on every sampled device

Common Malware Protection Failures

Malware protection is one of the most common areas where organisations fail their CE+ assessment. Here are the typical causes:

Most Common Malware Protection Failures

EICAR file downloaded without blocking: 32%
No anti-malware on macOS devices: 24%
Outdated malware definitions: 18%
Real-time protection disabled: 15%
Test emails reaching user inbox: 11%

According to data from IASME-accredited certification bodies, approximately one in five UK organisations fails the malware protection control on their first CE+ attempt. The most frequent root cause is incomplete device coverage — organisations protect their primary Windows fleet but neglect macOS laptops, mobile devices, or shared workstations. In many cases, the fix is straightforward but requires a methodical device-by-device review well ahead of the assessment date. Organisations that conduct thorough internal EICAR testing across all device types before the formal assessment have a significantly higher first-time pass rate.

Managed Endpoint Protection (recommended for CE+ compliance) versus Basic Antivirus Only (traditional standalone approach). The original comparison marked each feature with a tick or cross per column; those marks were not preserved. Features compared:

Centralised management console
Automated definition updates
Real-time threat reporting
Cross-platform coverage (Win, Mac, mobile)
Tamper protection enforced centrally
Policy compliance verification
Email gateway integration
Assessment-ready audit trail

Malware Protection for Different Operating Systems

Windows

Windows is the primary target for malware, and the options for protection are extensive. Microsoft Defender Antivirus is included with Windows 10 and 11 and is a fully acceptable solution for CE+. However, it must be properly configured:

Real-time protection: Must be enabled.

Cloud-delivered protection: Should be enabled for enhanced detection capabilities.

Automatic sample submission: Recommended for improved threat intelligence.

Tamper protection: Should be enabled to prevent malware from disabling Defender.
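As an added example (not the article's or Microsoft's own code), the following PowerShell audits one Windows device against the Defender settings listed in Approach 1 and in this Windows section, using the Get-MpComputerStatus and Get-MpPreference cmdlets. The 24-hour signature-age threshold is taken from the pre-assessment checklist in this article, and the pass conditions are an interpretation of the guide's wording rather than the scheme's official test; run it in an elevated session.

```powershell
# Added example, not the article's or Microsoft's own code: audit one Windows device
# against the Defender settings the CE+ guide expects. Run as Administrator.
function Test-DefenderCePlusReadiness {
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference

    # Each entry: the requirement as worded in the guide, and the pass condition.
    # Thresholds (e.g. signatures within 24 hours) are assumptions taken from the article.
    $checks = @(
        @{ Name = 'Antivirus engine enabled';               Pass = $status.AntivirusEnabled }
        @{ Name = 'Real-time protection enabled';           Pass = $status.RealTimeProtectionEnabled -and -not $pref.DisableRealtimeMonitoring }
        @{ Name = 'On-access scanning (files as accessed)'; Pass = $status.OnAccessProtectionEnabled }
        @{ Name = 'Downloads/attachments scanned (IOAV)';   Pass = $status.IoavProtectionEnabled -and -not $pref.DisableIOAVProtection }
        @{ Name = 'Behaviour monitoring enabled';           Pass = $status.BehaviorMonitorEnabled }
        @{ Name = 'Cloud-delivered protection (MAPS)';      Pass = $pref.MAPSReporting -ge 1 }          # 0 = off, 1 = basic, 2 = advanced
        @{ Name = 'Automatic sample submission';            Pass = $pref.SubmitSamplesConsent -in 1, 3 } # 1 = safe samples, 3 = all samples
        @{ Name = 'Network protection blocks bad sites';    Pass = $pref.EnableNetworkProtection -eq 1 } # 0 = off, 1 = block, 2 = audit only
        @{ Name = 'Email scanning not disabled';            Pass = -not $pref.DisableEmailScanning }
        @{ Name = 'Tamper protection enabled';              Pass = $status.IsTamperProtected }
        @{ Name = 'Signatures updated within 24 hours';     Pass = $status.AntivirusSignatureLastUpdated -gt (Get-Date).AddHours(-24) }
    )

    foreach ($c in $checks) {
        [pscustomobject]@{
            Check  = $c.Name
            Result = $(if ($c.Pass) { 'PASS' } else { 'FAIL' })
        }
    }
}

$results = Test-DefenderCePlusReadiness
$results | Format-Table -AutoSize

# Non-zero exit lets the script double as a compliance check in an RMM or Intune remediation job.
$failed = @($results | Where-Object Result -eq 'FAIL')
if ($failed.Count -gt 0) {
    Write-Warning "$($failed.Count) setting(s) would not satisfy the CE+ expectations above; fix with Set-MpPreference or centrally via Intune/Group Policy."
    exit 1
}
```

Tamper protection cannot be switched on with Set-MpPreference; it is enabled from the Windows Security app or pushed from Intune, so a FAIL on that row needs the central policy rather than a local command.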

Alternatively, third-party solutions such as Sophos, Bitdefender, CrowdStrike, SentinelOne, or ESET are all suitable options.

macOS

A common misconception is that macOS devices do not need anti-malware protection. This is incorrect for Cyber Essentials Plus. While macOS has some built-in protections (XProtect, Gatekeeper), the standard requires additional anti-malware software on macOS devices in scope.

Suitable options include Sophos Home/Business, CrowdStrike Falcon, SentinelOne, Bitdefender, and Malwarebytes for Mac.

Critical Warning: macOS devices without third-party anti-malware software are one of the most common causes of CE+ assessment failure. Do not assume that the built-in macOS security features are sufficient. Deploy a proper anti-malware solution on every Mac in scope.

Mobile Devices (iOS and Android)

Mobile device malware protection requirements depend on the platform:

Android: Anti-malware software should be installed on Android devices, as Android's open nature makes it more susceptible to malware. Google Play Protect provides some baseline protection, but additional anti-malware is recommended.

iOS: Due to iOS's sandboxed architecture, traditional anti-malware is not typically required. However, the device must be kept up to date, restricted to installing apps from the App Store only, and managed through an MDM solution where possible.

Linux

If Linux servers or workstations are in scope, anti-malware should be deployed. ClamAV is a free option, while commercial solutions from Sophos, CrowdStrike, and others provide enterprise-grade protection.

Pro Tip

Create a device register that lists every in-scope device along with its operating system and the specific anti-malware solution installed. Review this register monthly and update it whenever new devices are provisioned or decommissioned. Having this document ready for the assessor demonstrates organisational rigour and makes the device sampling process considerably smoother — which can shorten your assessment timeline.

Email Security: A Critical Layer

Because the CE+ assessment includes email malware testing, your email security infrastructure is directly in scope. Effective email security for CE+ typically includes:

Email gateway filtering: A cloud-based or on-premises email security gateway that scans all inbound email for malware, phishing links, and suspicious attachments before they reach user inboxes. Microsoft Defender for Office 365, Mimecast, Proofpoint, and Barracuda are popular options.

Attachment filtering: Block or quarantine high-risk attachment types (.exe, .bat, .cmd, .js, .vbs, .scr, and similar executable file types). The assessor's test email will include attachments that should be blocked.

Link scanning: Scan URLs in emails for known malicious destinations. This catches phishing emails that rely on links rather than attachments.

Sandboxing: Advanced email security solutions can sandbox attachments — opening them in an isolated environment to check for malicious behaviour before delivering them to the user.

The importance of email security cannot be overstated for UK organisations. According to the DSIT Cyber Security Breaches Survey, phishing attacks remain the most common type of cyber attack experienced by UK businesses, with 84% of organisations reporting at least one phishing attempt in the past year. A robust email gateway is your first line of defence against the primary malware delivery mechanism and a non-negotiable requirement for CE+ certification.

94%: of malware is delivered via email (Verizon DBIR)

UK Malware Threat Distribution

Understanding the types of malware most commonly targeting UK organisations helps prioritise your protection strategy. The following breakdown reflects data from NCSC incident reports and UK-focused threat intelligence feeds over the past 12 months:

Ransomware: 38%
Information Stealers: 22%
Banking Trojans: 16%
Remote Access Trojans (RATs): 14%
Cryptominers & Other: 10%

Ransomware continues to dominate the UK threat landscape, with the NCSC highlighting it as the most significant cyber threat to British businesses. Information stealers have risen sharply in prevalence, often deployed as a precursor to more damaging attacks by harvesting credentials and session tokens. Banking Trojans remain a persistent concern for organisations in financial services and professional services, while Remote Access Trojans give attackers persistent backdoor access to compromised networks. A comprehensive anti-malware solution with behavioural analysis capabilities is essential for detecting these varied threat types beyond simple signature-based detection.

Malware Protection Readiness Scorecard

Use this scorecard to gauge your organisation's readiness for the malware protection component of the CE+ assessment. Each metric reflects the typical pass rate observed across UK organisations during their first assessment attempt. Areas scoring below 70% should be prioritised for immediate remediation before scheduling your formal assessment.

Real-Time Scanning Enabled (All Devices): 92/100
Definition Update Frequency (Daily or Better): 87/100
Email Gateway Malware Filtering: 74/100
EICAR Test Pass Rate (All Variants): 69/100
macOS Device Coverage: 53/100
Mobile Device Protection (BYOD Included): 41/100

Pre-Assessment Testing: Do It Yourself First

Before the official CE+ assessment, you should run your own malware protection tests to verify everything is working correctly. Here is how:

Step 1: Download the EICAR test files from eicar.org on every sampled device. Test all four variants (eicar.com, eicar.com.txt, eicar_com.zip, eicarcom2.zip) via both HTTP and HTTPS.

Step 2: Send test emails with EICAR attachments to representative mailboxes. Verify they are blocked by your email security gateway.

Step 3: Check the anti-malware console on each device to confirm: real-time protection is active, definitions are up to date (within the last 24 hours), and all protection features are enabled.

Step 4: Verify that your anti-malware blocks access to known malicious URLs. Many anti-malware products include web protection; test it by attempting to visit a known-safe test URL that should be blocked.

Step 5: Document the results. If any test fails, remediate and retest before the official assessment.
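As an added example covering Step 1 of this checklist and the EICAR download test described earlier (not the article's or EICAR's own code), the following PowerShell fetches the four variants over HTTP and HTTPS on one Windows device and records whether each was blocked, quarantined, or left on disk. The host name secure.eicar.org, the file names and the control URL are assumptions based on the public EICAR download page; point $EicarHost at an internal web server hosting the same files if you want to exercise plain HTTP without a redirect.

```powershell
# Added example, not the article's or EICAR's own code: self-test the download path on
# one Windows device. Host name, file names and the control URL are assumptions based on
# the public EICAR download page; change $EicarHost to an internal mirror if preferred.
function Test-EicarDownload {
    param(
        [string]$EicarHost   = 'secure.eicar.org',
        [string]$ControlUrl  = 'https://www.eicar.org/',   # harmless fetch used to prove connectivity
        [string[]]$Variants  = @('eicar.com', 'eicar.com.txt', 'eicar_com.zip', 'eicarcom2.zip'),
        [string[]]$Schemes   = @('http', 'https'),
        [int]$SettleSeconds  = 10                          # time allowed for real-time protection to quarantine a written file
    )

    # Without a successful control fetch, a failed download proves nothing about the AV.
    $online = $true
    try { Invoke-WebRequest -Uri $ControlUrl -UseBasicParsing -ErrorAction Stop | Out-Null }
    catch { $online = $false }

    $dropDir = Join-Path $env:TEMP ('ce-eicar-' + [guid]::NewGuid().ToString('N'))
    New-Item -ItemType Directory -Path $dropDir | Out-Null

    foreach ($scheme in $Schemes) {
        foreach ($variant in $Variants) {
            $url  = "${scheme}://$EicarHost/$variant"
            $path = Join-Path $dropDir "$scheme-$variant"
            try {
                # Redirects are followed, so an HTTP-to-HTTPS redirect would not exercise plain HTTP.
                Invoke-WebRequest -Uri $url -OutFile $path -UseBasicParsing -ErrorAction Stop
                Start-Sleep -Seconds $SettleSeconds
                if (Test-Path -LiteralPath $path) {
                    $outcome = 'FAIL'; $detail = 'test file reached disk and was not quarantined'
                } else {
                    $outcome = 'PASS'; $detail = 'written, then removed by real-time protection'
                }
            } catch {
                # Web protection refusing the connection and the AV refusing the file write both land here.
                $outcome = $(if ($online) { 'PASS' } else { 'INCONCLUSIVE' })
                $detail  = "download failed: $($_.Exception.Message)"
            }
            [pscustomobject]@{ Url = $url; Outcome = $outcome; Detail = $detail }
        }
    }
    Remove-Item -LiteralPath $dropDir -Recurse -Force -ErrorAction SilentlyContinue
}

$results = Test-EicarDownload
$results | Format-Table -AutoSize
if ($results.Outcome -contains 'FAIL') { exit 1 }
```

Keep the Format-Table output per device as the evidence for Step 5; an INCONCLUSIVE row means the device could not reach the test host at all, not that the download was blocked.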

Pro Tip: Run EICAR tests on every device type in your environment, not just a few. Different device types (Windows, Mac, mobile) may have different anti-malware configurations, and the assessor may sample any of them. A failure on a single device can hold up your entire certification.

Beyond the Minimum: Best Practices

While the Cyber Essentials standard sets the minimum requirements, these additional measures will significantly strengthen your malware defences:

Endpoint Detection and Response (EDR): Modern EDR solutions go beyond traditional anti-malware by detecting suspicious behaviours, providing forensic capabilities, and enabling automated response to threats.

DNS filtering: Block access to known malicious domains at the DNS level, preventing devices from connecting to command-and-control servers or downloading additional malware payloads.

Email authentication: Implement SPF, DKIM, and DMARC for your email domain to prevent spoofing and reduce the chance of phishing emails reaching your users from attackers impersonating your organisation.

User awareness training: While not a technical control, educating users about phishing, suspicious attachments, and social engineering significantly reduces the likelihood of malware infection.

For UK organisations operating in regulated sectors such as financial services, healthcare, or legal, these best practices are often expected by industry regulators in addition to Cyber Essentials certification. The FCA, ICO, and SRA all reference cyber resilience standards that align closely with a well-implemented malware protection strategy. Investing in EDR and DNS filtering now positions your organisation favourably for both compliance obligations and genuine, demonstrable security posture improvement.

How Cloudswitched Helps

Malware protection is one of the areas where our pre-assessment testing delivers the most value. We replicate the exact tests the assessor will perform, identifying any gaps in your protection before the official assessment. We deploy, configure, and verify anti-malware across your entire device estate, including those commonly-forgotten macOS devices and mobile endpoints.

Our managed CE+ service ensures that every device in scope has properly configured, up-to-date malware protection that will pass the hands-on testing with confidence.

Ready to Get Certified?

Cloudswitched handles your entire Cyber Essentials Plus certification end-to-end — including deploying and verifying malware protection across every device in your environment.


Malware protection is your last line of defence against malicious software that has evaded your firewalls, bypassed your access controls, and exploited vulnerable configurations. When it works — and when it is tested to prove it works — it prevents the attacks that could otherwise cause devastating damage to your organisation. Getting it right for Cyber Essentials Plus means getting it right for real-world protection.

Protect Your Organisation from Malware Threats

Cloudswitched delivers end-to-end malware protection configuration, pre-assessment EICAR testing, and full Cyber Essentials Plus certification support — ensuring every device in your estate is compliant and genuinely protected against the threats targeting UK businesses today.

Tags: Cyber Security
CloudSwitched

London-based managed IT services provider offering support, cloud solutions and cybersecurity for SMEs.
