Malware protection is the fourth of the five technical controls in the Cyber Essentials scheme, and it is arguably the most actively tested during a Cyber Essentials Plus assessment. Unlike other controls where the assessor inspects configurations and reviews settings, the malware protection control involves live testing — the assessor will actually attempt to deliver malware to your systems and verify that it is blocked.
This guide covers the malware protection requirements for Cyber Essentials Plus in detail, including the three approved approaches to malware defence, what the assessor will test, common failure points, and how to ensure your protection passes the independent technical audit.
The Three Approved Approaches
The Cyber Essentials standard recognises three approaches to malware protection. You must implement at least one on every device in scope:
Anti-Malware Software
Traditional and next-gen AV that detects and blocks malicious files, URLs, and behaviours in real time.
Application Allowlisting
Only pre-approved applications can run. Everything else is blocked by default, including malware.
Sandboxing
Applications run in isolated environments so malware cannot affect the wider system.
Approach 1: Anti-Malware Software (Most Common)
The vast majority of organisations meet this control using anti-malware software. The standard requires that anti-malware is:
Installed on every device in scope: Every workstation, laptop, server, and mobile device must have anti-malware software. This includes macOS devices and mobile devices — not just Windows PCs.
Configured for automatic updates: Malware definitions must be updated automatically and frequently (at least daily). Running outdated definitions is almost as bad as running no protection at all.
Set for real-time scanning: The anti-malware must scan files in real time as they are accessed, created, or downloaded. Scheduled-only scanning is not sufficient.
Configured to scan web pages: The software should block connections to known malicious websites and scan web content as it is accessed through browsers.
Set to scan email: If email is downloaded to the device (rather than accessed via a web browser only), the anti-malware should scan email attachments.
Approach 2: Application Allowlisting
Application allowlisting (also known as application whitelisting) takes a different approach to malware prevention. Instead of trying to identify and block malicious software, it only permits approved applications to run. Everything else — including any malware — is automatically blocked.
This approach is extremely effective but can be more complex to manage, as every legitimate application needs to be explicitly approved. It is most commonly used in environments with a fixed set of applications (such as kiosks, point-of-sale systems, or specialised workstations).
Tools that can implement application allowlisting include Windows AppLocker, Windows Defender Application Control (WDAC), and third-party solutions.
Approach 3: Sandboxing
Sandboxing isolates applications in a contained environment so that even if malware is present, it cannot affect the underlying operating system or other applications. This approach is less commonly used as a primary malware defence but can complement anti-malware software in specific scenarios.
How Malware Protection Is Tested in CE+
This is where the Cyber Essentials Plus assessment becomes truly hands-on. The assessor actively tests your malware protection using industry-standard techniques:
EICAR Test File Downloads
The assessor will attempt to download EICAR test files using web browsers on sampled devices. EICAR files are industry-standard test files that are detected by all reputable anti-malware products as malicious, but are completely harmless. They allow malware protection to be tested safely without using real malware.
The EICAR test comes in several forms:
| Test File Type | Description | Expected Result |
|---|---|---|
| eicar.com | Standard EICAR test string as a .com file | Blocked or quarantined |
| eicar.com.txt | EICAR test string as a text file | Blocked or quarantined |
| eicar_com.zip | EICAR file within a ZIP archive | Blocked or quarantined |
| eicarcom2.zip | EICAR file within a nested ZIP archive | Blocked or quarantined |
The assessor will attempt to download these files via HTTP and HTTPS. If any EICAR test file successfully reaches a device without being blocked, it constitutes a failure.
Email Malware Testing
The assessor will send test emails containing EICAR files (or similar harmless test patterns) as attachments to verify that your email filtering blocks them before they reach users' inboxes. This tests both your email security gateway and any endpoint protection.
Browser and Download Protection
The assessor verifies that your anti-malware prevents connections to known malicious websites and blocks malicious downloads. They may test this by attempting to access known malware distribution URLs (using safe test URLs provided by the testing framework).
Common Malware Protection Failures
Malware protection is one of the most common areas where organisations fail their CE+ assessment. Here are the typical causes:
Most Common Malware Protection Failures
Malware Protection for Different Operating Systems
Windows
Windows is the primary target for malware, and the options for protection are extensive. Microsoft Defender Antivirus is included with Windows 10 and 11 and is a fully acceptable solution for CE+. However, it must be properly configured:
Real-time protection: Must be enabled.
Cloud-delivered protection: Should be enabled for enhanced detection capabilities.
Automatic sample submission: Recommended for improved threat intelligence.
Tamper protection: Should be enabled to prevent malware from disabling Defender.
Alternatively, third-party solutions such as Sophos, Bitdefender, CrowdStrike, SentinelOne, or ESET are all suitable options.
macOS
A common misconception is that macOS devices do not need anti-malware protection. This is incorrect for Cyber Essentials Plus. While macOS has some built-in protections (XProtect, Gatekeeper), the standard requires additional anti-malware software on macOS devices in scope.
Suitable options include Sophos Home/Business, CrowdStrike Falcon, SentinelOne, Bitdefender, and Malwarebytes for Mac.
Mobile Devices (iOS and Android)
Mobile device malware protection requirements depend on the platform:
Android: Anti-malware software should be installed on Android devices, as Android's open nature makes it more susceptible to malware. Google Play Protect provides some baseline protection, but additional anti-malware is recommended.
iOS: Due to iOS's sandboxed architecture, traditional anti-malware is not typically required. However, the device must be kept up to date, install apps only from the App Store, and be managed through an MDM solution where possible.
Linux
If Linux servers or workstations are in scope, anti-malware should be deployed. ClamAV is a free option, while commercial solutions from Sophos, CrowdStrike, and others provide enterprise-grade protection.
Email Security: A Critical Layer
Because the CE+ assessment includes email malware testing, your email security infrastructure is directly in scope. Effective email security for CE+ typically includes:
Email gateway filtering: A cloud-based or on-premises email security gateway that scans all inbound email for malware, phishing links, and suspicious attachments before they reach user inboxes. Microsoft Defender for Office 365, Mimecast, Proofpoint, and Barracuda are popular options.
Attachment filtering: Block or quarantine high-risk attachment types (.exe, .bat, .cmd, .js, .vbs, .scr, and similar executable file types). The assessor's test email will include attachments that should be blocked.
Link scanning: Scan URLs in emails for known malicious destinations. This catches phishing emails that rely on links rather than attachments.
Sandboxing: Advanced email security solutions can sandbox attachments — opening them in an isolated environment to check for malicious behaviour before delivering them to the user.
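As an added example that is not part of the original page or any vendor product, the following Python implements the attachment-filtering rule described above: it parses a message, quarantines attachments whose final extension is an executable type (the list names the types given in the text plus a few common relatives, an assumption), and descends into ZIP archives, including nested ones, so an executable hidden two layers down is still caught. The test message, its addresses and all payload bytes are constructed placeholders.

```python
import email, email.policy, io, zipfile
from email.message import EmailMessage
# Types named in the text plus a few common relatives a CE+ attachment filter would
# normally also quarantine. Matching is on the final extension, lowercased, so both
# "Invoice.EXE" and the double-extension lure "invoice.pdf.exe" are caught.
BLOCKED = {".exe", ".bat", ".cmd", ".js", ".vbs", ".scr", ".com", ".pif", ".ps1",
           ".jse", ".wsf", ".hta", ".msi"}

def final_ext(name: str) -> str:
    stem, dot, ext = name.lower().rpartition(".")
    return "." + ext if dot and stem else ""

def blocked_names(name: str, data: bytes, depth: int = 0) -> list:
    # Every blocked filename in the attachment, descending into ZIP archives (nested
    # ones too) to a fixed depth so a crafted archive cannot make the filter recurse forever.
    if final_ext(name) in BLOCKED:
        return [name]
    if final_ext(name) != ".zip" or depth > 3 or not zipfile.is_zipfile(io.BytesIO(data)):
        return []
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            hits += [f"{name}!{n}" for n in blocked_names(info.filename, zf.read(info), depth + 1)]
    return hits

def evaluate_message(raw: bytes) -> dict:
    # Verdict per attachment: ("quarantine", hits) if a blocked name was found, else ("deliver", []).
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    verdicts = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        hits = blocked_names(name, part.get_payload(decode=True) or b"")
        verdicts[name] = ("quarantine", hits) if hits else ("deliver", [])
    return verdicts

def sample_message() -> bytes:
    # Constructed test message: a harmless PDF placeholder, a double-extension lure, and
    # a ZIP hiding a .js inside a nested ZIP. All payloads are inert placeholder bytes.
    inner, outer = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("payroll.js", b"// placeholder")
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("docs.zip", inner.getvalue())
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "sender@example.test", "user@example.test", "filter test"
    msg.set_content("attachment filter test")
    msg.add_attachment(b"%PDF-1.4 placeholder", maintype="application", subtype="pdf", filename="quote.pdf")
    msg.add_attachment(b"MZ placeholder", maintype="application", subtype="octet-stream", filename="Invoice.pdf.EXE")
    msg.add_attachment(outer.getvalue(), maintype="application", subtype="zip", filename="archive.zip")
    return msg.as_bytes()
```

Run `evaluate_message(sample_message())` to see the PDF delivered and both lures quarantined, the nested one reported with its full archive path.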
Pre-Assessment Testing: Do It Yourself First
Before the official CE+ assessment, you should run your own malware protection tests to verify everything is working correctly. Here is how:
Step 1: Download the EICAR test files from eicar.org on every sampled device. Test all four variants (eicar.com, eicar.com.txt, eicar_com.zip, eicarcom2.zip) via both HTTP and HTTPS.
Step 2: Send test emails with EICAR attachments to representative mailboxes. Verify they are blocked by your email security gateway.
Step 3: Check the anti-malware console on each device to confirm: real-time protection is active, definitions are up to date (within the last 24 hours), and all protection features are enabled.
Step 4: Verify that your anti-malware blocks access to known malicious URLs. Many anti-malware products include web protection; test it by attempting to visit a known-safe test URL that should be blocked.
Step 5: Document the results. If any test fails, remediate and retest before the official assessment.
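As an added example, not code from the original page or from eicar.org, the Python below builds the four EICAR variants from the table earlier in this guide locally, writes them to a folder, and reports which ones the device's real-time scanner removed or quarantined. It exercises on-access scanning rather than the browser download path, so it complements Step 1 rather than replacing it; the target folder, the 10-second settle period and the function names are assumptions.

```python
import io, os, sys, time, zipfile
# The 68-byte EICAR string, split in two so this script is not itself flagged by
# engines matching the contiguous pattern; joined at import time it is exactly the
# string published by eicar.org.
EICAR = b"".join((b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$",
                  b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"))

def _zip_bytes(member: str, data: bytes) -> bytes:  # single-member ZIP, in memory
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member, data)
    return buf.getvalue()

def build_variants() -> dict:
    # The four files from the table above, built locally instead of downloaded.
    inner = _zip_bytes("eicar.com", EICAR)
    return {"eicar.com": EICAR, "eicar.com.txt": EICAR, "eicar_com.zip": inner,
            "eicarcom2.zip": _zip_bytes("eicar_com.zip", inner)}  # nested archive

def unwrap(data: bytes) -> bytes:
    # Peel off every ZIP layer, as an archive-aware scanner must, and return the payload.
    while data[:2] == b"PK":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            (member,) = zf.namelist()
            data = zf.read(member)
    return data

def on_access_check(target_dir: str, settle_seconds: float = 10.0) -> dict:
    # Write each variant, give real-time scanning time to react, report what survived.
    os.makedirs(target_dir, exist_ok=True)
    variants, verdicts = build_variants(), {}
    for name, data in variants.items():
        try:
            with open(os.path.join(target_dir, name), "wb") as fh:
                fh.write(data)
        except OSError:
            pass  # some engines refuse the write itself; that is also a detection
    time.sleep(settle_seconds)
    for name, data in variants.items():
        try:
            with open(os.path.join(target_dir, name), "rb") as fh:
                intact = fh.read() == data
        except OSError:
            intact = False  # removed, quarantined or access denied by the scanner
        verdicts[name] = "NOT BLOCKED" if intact else "blocked/quarantined"
    return verdicts

if __name__ == "__main__":  # usage: python eicar_check.py [target_dir]
    print(on_access_check(sys.argv[1] if len(sys.argv) > 1 else "eicar-test"))
```

Any variant reported as NOT BLOCKED, especially the nested archive, points to a real-time or archive-scanning setting that needs fixing before the assessor runs the same check over HTTP and HTTPS.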
Beyond the Minimum: Best Practices
While the Cyber Essentials standard sets the minimum requirements, these additional measures will significantly strengthen your malware defences:
Endpoint Detection and Response (EDR): Modern EDR solutions go beyond traditional anti-malware by detecting suspicious behaviours, providing forensic capabilities, and enabling automated response to threats.
DNS filtering: Block access to known malicious domains at the DNS level, preventing devices from connecting to command-and-control servers or downloading additional malware payloads.
Email authentication: Implement SPF, DKIM, and DMARC for your email domain to prevent spoofing and reduce the chance of phishing emails reaching your users from attackers impersonating your organisation.
User awareness training: While not a technical control, educating users about phishing, suspicious attachments, and social engineering significantly reduces the likelihood of malware infection.
How Cloudswitched Helps
Malware protection is one of the areas where our pre-assessment testing delivers the most value. We replicate the exact tests the assessor will perform, identifying any gaps in your protection before the official assessment. We deploy, configure, and verify anti-malware across your entire device estate, including those commonly forgotten macOS devices and mobile endpoints.
Our managed CE+ service ensures that every device in scope has properly configured, up-to-date malware protection that will pass the hands-on testing with confidence.
Ready to Get Certified?
Cloudswitched handles your entire Cyber Essentials Plus certification end-to-end — including deploying and verifying malware protection across every device in your environment.
Malware protection is your last line of defence against malicious software that has evaded your firewalls, bypassed your access controls, and exploited vulnerable configurations. When it works — and when it is tested to prove it works — it prevents the attacks that could otherwise cause devastating damage to your organisation. Getting it right for Cyber Essentials Plus means getting it right for real-world protection.