# 4. Malware Protection

The goal of this control is to protect devices from malware by employing at least one of the following mechanisms.

#### Anti-malware software

Devices are protected from malware by installed anti-malware software that is configured as follows:

* Installed anti-malware software and its signature files must be kept up-to-date through either automatic updates or centrally managed deployment.
* The software must be configured to scan files automatically upon opening. This includes downloaded files and files accessed from network folders.
* The software must automatically scan web pages when accessed through a browser.
* The software must prevent access to malicious websites unless there is a clear, documented business case for allowing access and the user understands the associated risks.

#### Application allow listing

Only approved applications that appear on an application allow list may be installed on devices. The following conditions apply:

* Applications must be actively approved before users are allowed to install them.
* An allow list of applications must be actively maintained.
* Users must not be allowed to install applications that are unsigned or whose signature is invalid.

#### Application sandboxing

All applications must run in a sandbox with no access to other device resources unless the user explicitly grants it, including:

* Other sandboxed applications
* Data stores, such as those holding documents and photos
* Sensitive peripherals, such as the camera, microphone and GPS
* Local network access
