# 4. Malware Protection The goal of this control is to protect devices from malware by employing at least one of the following controls. #### Anti-malware software Devices are protected from malware with installed anti-malware software with the following configurations: * Installed anti-malware software and its signature files must be kept up-to-date through either automatic updates or centrally managed deployment. * The software must be configured to scan files automatically upon opening. This includes downloaded files and files accessed from network folders. * The software must automatically scan web pages when accessed through a browser. * The software must prevent access to malicious websites unless there is a clear, documented business case for doing so and the user understands any associated risks. #### Application allow listing Only applications that are approved and featured on an application whitelist may be installed on devices. The following conditions must be followed: * Applications must be actively approved before they are allowed to be installed by users. * An allow list of applications must be actively maintained. * Users must not be allowed to install applications that are unsigned or with an invalid signature on devices. #### Application sandboxing All applications must be run in a sandbox without access to other device resources, unless explicitly granted by the user, including: * Other sandboxed applications * Data stores, such as those holding documents and photos * Sensitive peripherals, such as the camera, microphone and GPS * Local network access --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://manual.harpe.io/start/cyber-essentials-wiki/controls/4.-malware-protection.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.