Update malicious code protection

What evidence satisfies this

Any one of these, by itself, won't satisfy the practice — but showing a few of them together is what an assessor or a prime contractor expects to see:

• ✓Defender update history showing recent signature updates (Security center → Virus & threat protection → Protection updates).
• ✓macOS XProtect data set version current (Apple ships these via the OS).
• ✓EDR / AV management console showing every endpoint reporting in within the last 24–48 hours.
• ✓Auto-update turned on at the AV / EDR product.
• ✓A monthly check noted in your one-pager that signatures are current.

Common ways small shops fail this

• ✗Defender showing "Protection updates are out of date" and never investigated.
• ✗Auto-update disabled on the AV / EDR because someone thought it was using too much bandwidth.
• ✗Endpoint not reporting in for weeks (laptop in a drawer, but it still has FCI).
• ✗Old machine running a vendor whose product is end-of-life.
• ✗macOS users on an old OS major version that no longer receives XProtect updates.

How to fix it in a weekend

1. 1Open the AV / EDR console (Defender Security center, your vendor's portal) and confirm every endpoint reported in within 48 hours.
2. 2Re-enable auto-update on any device where it's been disabled.
3. 3Decommission devices on EOL operating systems or get them on a supported version.
4. 4Add a once-a-month "are signatures current?" check to your boundary one-pager.
5. 5Replace AV products whose vendor has gone dark or stopped shipping updates.

FAQ

Related references