Standard and Process
University IT resources must have a current version of an anti-virus/malware software (or virus filtering software). Configure the software to meet the requirements described below. Immediately take action to alerts from the software.
To protect against the spread of viruses on University computers and reduce institutional risk, the University recommends a "two-tier" virus/malware protection standard. Two-tier protection means that software is used on both the desktop and server.
Anti-virus/malware software should provide the following capabilities:
- scan critical host components such as startup files and boot records
- perform real time activities on hosts to check for suspicious activity (e.g., scanning all email attachments for known malware as emails are sent and received, or files downloaded, opened or executed)
- monitor the behavior of common applications that are most likely to infect devices or spread malware to other devices. Examples include email clients, web browsers, and instant messaging software.
- scan files for known malware
- identify common types of malware as well as attacker tools
- disinfect files. This can be done by removing malware from within a file or quarantining/isolating files containing malware.
- receive regular updates for malicious code detection and repair features
- provide audit logs. See Log Management Standard for the requirements for audit logs from virus/malware protection software.
The unit or individual directly responsible for the data or system must ensure that the system has the appropriate anti-virus/malware software, configuration and audit logs.
Configure the software or application for:
- live or real time updates (at least daily)
- file system real time protection
- full scan (at least weekly)
- on-demand scans by user (on device disk, individual files or removable media)
- retention of audit logs
Educate users that:
- anti-virus/malware software needs to be run on devices capable of running the software
- viruses/malware can infect systems through various day to day activities including but not limited to:
- email and email attachments
- disk, CD, or other portable media
- software downloaded from the internet
- web browsing
- once infected, virus/malware software may or may not be able to quarantine or remove the infection and re-installation may be required and files stored on the device may not be recoverable
- suspicious virus/malware activity should be reported to Help Desk/Service Desk (firstname.lastname@example.org)
- This standard is based on the principles of ISO/IEC 27002:2005.
Document Owner: University Information Security
Document Approvers: Brian Dahlin, Chief Information Security Officer; Patton Fast, University Enterprise Architect
Effective Date: August 2010
Last Reviewed Date: November 2014