Provide protection from malicious code

What evidence satisfies this

Any one of these, by itself, won't satisfy the practice — but showing a few of them together is what an assessor or a prime contractor expects to see:

• ✓Microsoft Defender enabled and reporting on every Windows endpoint (screenshot from Security center).
• ✓macOS XProtect / Gatekeeper enabled (default on modern macOS) plus optional third-party AV.
• ✓Email scanning at the tenant level (Exchange Online Protection, Google's spam / malware scanning).
• ✓Web filtering / safe browsing on browsers.
• ✓An asset list showing AV is installed on every endpoint that touches FCI.

Common ways small shops fail this

• ✗Defender disabled because someone installed a free "PC optimizer."
• ✗Old standalone AV from 2018 still installed and conflicting with Defender (so neither works).
• ✗macOS users assuming "Macs don't get viruses" and disabling Gatekeeper.
• ✗Servers in the office with no AV at all ("it's a server, it doesn't need one").
• ✗Email going to personal Gmail that doesn't run the tenant's malware scanning.

How to fix it in a weekend

1. 1Walk every endpoint. Defender / equivalent must be on and current. Remove conflicting AV products.
2. 2Confirm tenant-level email scanning is on (default in M365 and Workspace).
3. 3On macOS, leave Gatekeeper and XProtect on. Add a paid product only if you have a specific reason.
4. 4Add AV / EDR to your server endpoints if you run any.
5. 5Document which product covers which device in your scoping artifact.

FAQ

Related references