Malware, Anti-Malware and Patching

Malware is the umbrella term for software designed to do something the user did not want and did not authorise. Ransomware, spyware, trojans, worms, banking trojans, cryptocurrency miners, remote access tools - they are all malware in different forms. The defences against them have a few moving parts: stopping the malware reaching the device, detecting it if it does, removing it when found, and recovering when it gets through.

Patching sits alongside anti-malware as the other half of the technical defence. Most successful attacks exploit vulnerabilities that have already been patched by the vendor - the attacker is relying on the target not having installed the patch yet. A patching programme that runs on a defined schedule, with a way to handle the exceptions, closes the largest single category of opportunistic risk.

How Malware Reaches Devices

The most common entry points are email attachments, malicious links, drive-by downloads from compromised websites, and infected software updates from the supply chain. Removable media - USB sticks - used to be a major source and still occasionally are, although the prevalence has dropped as cloud sharing has replaced thumb drives. Direct exploitation of unpatched software remains a steady source for systems exposed to the internet.

The defining feature of opportunistic malware is that it is not aimed at the organisation specifically. It is sent to millions of addresses, scans every internet-facing system it can find, and infects whoever happens to have the door open. Targeted attacks are different - the attacker has chosen the organisation and is willing to put effort into getting in. The technical controls overlap considerably, but targeted attacks need an additional layer of detection and response that opportunistic threats do not.

Anti-Malware Software and Endpoint Protection

Anti-malware software has come a long way from signature-only virus scanning. Modern endpoint protection products combine signatures (for known threats), heuristic detection (for unknown threats that behave like known ones), behavioural analysis (catching things that act maliciously regardless of whether they look familiar) and cloud-based threat intelligence. The good products catch the overwhelming majority of opportunistic malware before it executes.

Anti-malware should be running on every device that holds business information or accesses business systems - not only on Windows but also on Macs, on servers, and on mobile devices where supported. The product chosen matters less than the fact that something competent is in place, configured to update its definitions automatically, and reporting back to a central console where alerts are actually reviewed.

Endpoint detection and response (EDR) is the next tier above traditional anti-malware. EDR products record what happens on each device in detail and look for patterns of suspicious behaviour - a process opening unusual network connections, files being encrypted in bulk, credentials being dumped from memory. EDR is appropriate for organisations that have meaningful information to protect or that handle data on behalf of others under a contractual security obligation.
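
The behavioural signals listed above are what EDR rules look for. As an added illustration (example code, not from the original page or any EDR product), the following Python script runs a simplified version of the "files being encrypted in bulk" rule over constructed file-activity telemetry: it flags a process that modifies many distinct files across several folders inside a short window and records how many of the renames changed the file extension. The event format, process names, paths and thresholds are assumptions made for the example.

```python
# Added example, not code from the original page or any EDR vendor: a
# simplified behavioural rule for the "files being encrypted in bulk"
# pattern, run over constructed file-activity telemetry. Event format,
# process names, paths and thresholds are assumptions for this example.
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_events():
    """Constructed telemetry: '<iso-time> <pid> <image> <action> <path>' per line,
    where a rename line carries 'old -> new'. One process (pid 9930) renames 30
    user files across five folders in six seconds; the others are normal."""
    base = datetime(2024, 5, 1, 9, 0, 0)
    lines = [
        f"{base.isoformat()} 4120 WINWORD.EXE write C:\\Users\\alice\\Documents\\report.docx",
        f"{(base + timedelta(seconds=30)).isoformat()} 4120 WINWORD.EXE write C:\\Users\\alice\\Documents\\report.docx",
        f"{(base + timedelta(seconds=45)).isoformat()} 7781 svchost.exe write C:\\Windows\\Temp\\log1.tmp",
    ]
    folders = ["Documents", "Pictures", "Desktop", "Downloads", "Music"]
    t = base + timedelta(minutes=2)
    for i in range(30):
        src = f"C:\\Users\\alice\\{folders[i % len(folders)]}\\file{i}.docx"
        lines.append(f"{t.isoformat()} 9930 update.exe rename {src} -> {src}.locked")
        t += timedelta(milliseconds=200)
    return "\n".join(lines)


def parse_event(line):
    ts, pid, image, action, rest = line.split(" ", 4)
    src, _, dst = rest.partition(" -> ")
    return {
        "ts": datetime.fromisoformat(ts),
        "pid": int(pid),
        "image": image,
        "action": action,
        "src": src,
        "dst": dst or src,  # a write has no target, so the path itself is the file touched
    }


def parent_dir(path):
    return path.rsplit("\\", 1)[0]


def extension(path):
    name = path.rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect_bulk_modification(log_text, window_seconds=10, min_files=20, min_dirs=3):
    """Flag any process that touches >= min_files distinct files in >= min_dirs
    folders within window_seconds. Returns one alert per offending process,
    raised at the first sliding window that crosses the threshold."""
    by_pid = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ev = parse_event(line)
            by_pid[ev["pid"]].append(ev)

    alerts = []
    window = timedelta(seconds=window_seconds)
    for pid, events in by_pid.items():
        events.sort(key=lambda e: e["ts"])
        start = 0
        for end, ev in enumerate(events):
            while ev["ts"] - events[start]["ts"] > window:
                start += 1  # slide the window forward past old events
            span = events[start:end + 1]
            files = {e["dst"] for e in span}
            dirs = {parent_dir(e["dst"]) for e in span}
            if len(files) >= min_files and len(dirs) >= min_dirs:
                alerts.append({
                    "pid": pid,
                    "image": ev["image"],
                    "first_seen": span[0]["ts"].isoformat(),
                    "files": len(files),
                    "dirs": len(dirs),
                    "renamed_with_new_extension": sum(
                        1 for e in span
                        if e["action"] == "rename" and extension(e["src"]) != extension(e["dst"])
                    ),
                })
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_bulk_modification(build_sample_events()):
        print(alert)
```

The thresholds are the tuning problem in practice: set too low, a backup job or a bulk document conversion fires the rule; set too high, a slow encryptor stays under it. A real product adds context such as the process's parent, signature and network activity before raising an alert.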

Patching and Vulnerability Management

Patching is the discipline of installing the security updates that vendors release for their software. The schedule depends on the system and the severity of the vulnerability - critical patches for internet-facing systems often need to be applied within days, while routine updates for less exposed systems can usually wait for a monthly cycle. The point is that there is a schedule, that exceptions are tracked, and that the gap between patch release and patch installation does not stretch indefinitely.

The scope is wider than people initially expect. Operating systems and applications are obvious. Less obvious are the firmware on routers and switches, the software running on printers and security cameras, the code in connected devices and the libraries used by web applications. Each of these is a potential entry point if it is not kept current.

A vulnerability register tracks the known weaknesses that are not yet patched, the reasons (compatibility issues, vendor delays, decommissioning planned), and the compensating controls in place until the patch can be applied. The register is the evidence that the organisation knows what is exposed and is managing it deliberately rather than accidentally.
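
To make the schedule and the register concrete, here is an added Python example (not from the original page or the alphaZ document set) that reads a small vulnerability register and reports, for each entry, whether it was patched inside the schedule, is still open but within it, or is overdue, and for overdue entries whether an exception and a compensating control have been recorded. The register columns and rows are constructed, and the deadlines (fourteen days for critical patches on internet-facing systems, seven if actively exploited, thirty days otherwise) are assumptions drawn from the figures quoted elsewhere on this page rather than a policy of the page's own.

```python
# Added example, not from the original page or the alphaZ document set: a
# checker that reads a vulnerability register and reports which entries are
# outside the patching schedule and which overdue entries lack a recorded
# exception or compensating control. Columns, rows and deadlines are
# assumptions for this example.
import csv
import io
from datetime import date, timedelta

# Constructed register; an empty patch_installed means the patch is still open.
SAMPLE_REGISTER = """\
id,system,severity,exposure,actively_exploited,patch_released,patch_installed,exception_reason,compensating_control
VR-001,mail gateway,critical,internet-facing,yes,2024-04-01,2024-04-05,,
VR-002,web server,critical,internet-facing,no,2024-04-01,2024-04-20,,
VR-003,file server,high,internal,no,2024-03-01,,vendor delay,host moved to isolated VLAN
VR-004,printer firmware,medium,internal,no,2024-03-20,,,
VR-005,cctv camera,high,internal,no,2024-04-25,,,
VR-006,vpn appliance,critical,internet-facing,yes,2024-04-10,,awaiting reboot window,
"""


def sla_days(row):
    """Assumed schedule: critical + internet-facing gets 14 days (7 if actively
    exploited); everything else follows the 30-day routine cycle."""
    if row["severity"] == "critical" and row["exposure"] == "internet-facing":
        return 7 if row["actively_exploited"] == "yes" else 14
    return 30


def assess_entry(row, today):
    released = date.fromisoformat(row["patch_released"])
    deadline = released + timedelta(days=sla_days(row))
    if row["patch_installed"]:
        installed = date.fromisoformat(row["patch_installed"])
        return "patched within SLA" if installed <= deadline else "patched late"
    if today <= deadline:
        return "open, within SLA"
    # Overdue: the register must say why, and what protects the system meanwhile.
    if not row["exception_reason"]:
        return "overdue, no exception recorded"
    if not row["compensating_control"]:
        return "overdue, exception without compensating control"
    return "overdue, exception with compensating control"


def assess_register(register_text, today_iso):
    """Return {entry id: status} for every row in the register."""
    today = date.fromisoformat(today_iso)
    rows = csv.DictReader(io.StringIO(register_text))
    return {row["id"]: assess_entry(row, today) for row in rows}


def needs_action(statuses):
    """Entries an auditor would raise: late patches and overdue entries whose
    paperwork is incomplete. A tracked exception with a control is acceptable."""
    return sorted(
        entry for entry, status in statuses.items()
        if status in ("patched late",
                      "overdue, no exception recorded",
                      "overdue, exception without compensating control")
    )


if __name__ == "__main__":
    statuses = assess_register(SAMPLE_REGISTER, "2024-05-01")
    for entry, status in statuses.items():
        print(entry, "-", status)
    print("needs action:", needs_action(statuses))
```

Run against the constructed register as of 2024-05-01, VR-003 is overdue but acceptable because the reason and the compensating control are recorded, while VR-004 and VR-006 are the entries that would become audit findings.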

SSL, TLS and Cryptographic Hygiene

The protocols that protect web traffic - SSL/TLS - have a habit of being broken and replaced as cryptanalysis advances. SSL 2 and SSL 3 are obsolete; TLS 1.0 and 1.1 are deprecated and should not be in use; TLS 1.2 and 1.3 are current. Where older protocols remain enabled on servers, attackers can sometimes force a client to negotiate down to a weaker version and exploit known weaknesses.

The practical control is making sure that web servers and other services accept only current protocols, that certificates are valid and renewed before they expire, and that the cipher suites in use match current guidance. Free tools from the major standards bodies and browser vendors will scan a server and report the configuration; running this check periodically is a useful part of the vulnerability management programme.
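
As an added example (not code from the original page), the Python below does two things that follow from the paragraph above: it builds an ssl.SSLContext for a service that accepts only TLS 1.2 and 1.3 with forward-secret AEAD cipher suites, and it audits a recorded server configuration against the three checks named here (protocol versions, certificate expiry with a renewal lead time, and cipher suites). The configurations being audited are constructed, the thirty-day renewal lead time and the list of weak cipher keywords are assumptions, and the cipher string is one reasonable choice rather than a setting taken from the page.

```python
# Added example, not code from the original page: a hardened ssl.SSLContext
# for a server plus an offline audit of recorded TLS settings. Inputs are
# constructed; the renewal lead time and weak-cipher keyword list are
# assumptions standing in for "current guidance".
import ssl
from datetime import date

OBSOLETE = {"SSLv2", "SSLv3"}
DEPRECATED = {"TLSv1.0", "TLSv1.1"}
CURRENT = {"TLSv1.2", "TLSv1.3"}
# Assumed markers of suites current guidance rejects (stream/legacy ciphers,
# no encryption, export grades, MD5 MACs, anonymous key exchange).
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXPORT", "MD5", "ANON", "ADH", "AECDH")


def build_server_context():
    """Server-side context that refuses anything below TLS 1.2 and restricts
    TLS 1.2 to ECDHE key exchange with AES-GCM or ChaCha20 (TLS 1.3 suites are
    managed separately by OpenSSL and are all forward-secret AEAD suites)."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    # ctx.load_cert_chain("server.pem", "server.key") would follow in a real service.
    return ctx


def audit_tls_settings(enabled_protocols, cipher_suites, cert_not_after_iso,
                       today_iso, renew_lead_days=30):
    """Return a list of findings for a recorded server configuration; an empty
    list means the settings meet the checks described on the page."""
    findings = []
    for proto in enabled_protocols:
        if proto in OBSOLETE:
            findings.append(f"obsolete protocol enabled: {proto}")
        elif proto in DEPRECATED:
            findings.append(f"deprecated protocol enabled: {proto}")
        elif proto not in CURRENT:
            findings.append(f"unrecognised protocol name: {proto}")
    if not set(enabled_protocols) & CURRENT:
        findings.append("no current protocol version enabled")

    for suite in cipher_suites:
        upper = suite.upper()
        if any(marker in upper for marker in WEAK_CIPHER_MARKERS):
            findings.append(f"weak cipher suite: {suite}")
        elif not (upper.startswith("TLS_") or "ECDHE" in upper or "DHE" in upper):
            findings.append(f"no forward secrecy: {suite}")  # static RSA key exchange

    days_left = (date.fromisoformat(cert_not_after_iso) - date.fromisoformat(today_iso)).days
    if days_left < 0:
        findings.append(f"certificate expired {-days_left} days ago")
    elif days_left < renew_lead_days:
        findings.append(f"certificate expires in {days_left} days; renew now")
    return findings


if __name__ == "__main__":
    weak = audit_tls_settings(["SSLv3", "TLSv1.0", "TLSv1.2"],
                              ["RC4-SHA", "AES128-SHA", "ECDHE-RSA-AES128-GCM-SHA256"],
                              "2024-05-11", "2024-05-01")
    print("\n".join(weak) or "no findings")
    print("context minimum version:", build_server_context().minimum_version.name)
```

The audit function works from a recorded configuration so it runs offline; the external scanners mentioned above perform the same checks against the live server, and the findings they report map onto the same three categories.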

Most malware infections in UK businesses come from two things: an attachment somebody opened, or a system that had not been patched. Both have well-known answers. Anti-malware on every device, central reporting, current definitions. Patches applied on a schedule with the exceptions tracked. Neither is glamorous, neither is expensive, and together they do most of the heavy lifting against the opportunistic threats that account for the bulk of incidents.

When I audit anti-malware controls I look for three things. First, is anti-malware actually installed and running on every device. The list of devices and the list of installations should match - if there are five laptops without an active product, those are the five most exposed devices in the organisation. Second, is the software being kept current and reporting back somewhere a human looks at the alerts. Third, is there a patching schedule with a vulnerability register tracking what has not yet been done.

The most common finding is that anti-malware is everywhere on the desktop fleet but missing or out of date on servers and the older laptops in the cupboard, which are exactly the devices most likely to be exploited.
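
The first two audit checks above come down to reconciling two lists. As an added example (not from the original page), the Python below matches a constructed device inventory against a constructed export from the anti-malware console and produces the lists an auditor asks for: devices with no product installed, devices that have stopped reporting, devices that report but carry stale definitions, and devices the console knows about that the inventory does not. Hostnames, dates and the three-day definition age and seven-day silence thresholds are assumptions for the example.

```python
# Added example, not from the original page: reconciliation of the device
# inventory against the anti-malware console export. Hostnames, dates and
# the age thresholds are constructed assumptions.
import csv
import io
from datetime import date

# Constructed inventory: what the organisation says it owns.
SAMPLE_INVENTORY = """\
hostname,type,owner
lap-01,laptop,alice
lap-02,laptop,bob
lap-03,laptop,carol
lap-04,laptop,spare
lap-05,laptop,spare
srv-01,server,it
srv-02,server,it
mac-01,laptop,dan
"""

# Constructed console export: what the anti-malware product says it protects.
SAMPLE_CONSOLE = """\
hostname,definitions_date,last_checkin
lap-01,2024-05-01,2024-05-01
lap-02,2024-04-30,2024-05-01
lap-03,2024-04-20,2024-05-01
lap-04,2024-04-10,2024-04-10
srv-01,2024-05-01,2024-05-01
mac-01,2024-04-29,2024-04-30
lab-99,2024-05-01,2024-05-01
"""


def _rows(text):
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(inventory_text, console_text, today_iso,
              max_definition_age_days=3, max_silence_days=7):
    """Compare the two lists and bucket every device. A device that has stopped
    reporting is listed once, under not_reporting, even if its last-known
    definitions are also old, since the console cannot tell us its real state."""
    today = date.fromisoformat(today_iso)
    inventory = {r["hostname"] for r in _rows(inventory_text)}
    console = {r["hostname"]: r for r in _rows(console_text)}
    result = {
        "no_product": sorted(inventory - set(console)),
        "not_reporting": [],
        "stale_definitions": [],
        "unknown_to_inventory": sorted(set(console) - inventory),
    }
    for host in sorted(inventory & set(console)):
        record = console[host]
        silent_for = (today - date.fromisoformat(record["last_checkin"])).days
        if silent_for > max_silence_days:
            result["not_reporting"].append(host)
            continue
        definitions_age = (today - date.fromisoformat(record["definitions_date"])).days
        if definitions_age > max_definition_age_days:
            result["stale_definitions"].append(host)
    return result


def exposed_device_count(result):
    """Devices in the inventory that are not currently protected as intended."""
    return len(result["no_product"]) + len(result["not_reporting"]) + len(result["stale_definitions"])


if __name__ == "__main__":
    outcome = reconcile(SAMPLE_INVENTORY, SAMPLE_CONSOLE, "2024-05-01")
    for bucket, hosts in outcome.items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
    print("exposed devices:", exposed_device_count(outcome))
```

The unknown_to_inventory bucket is worth acting on as well as the others: a device the console sees but the inventory does not is usually a gap in the asset list, and the asset list is what the patching schedule is run against.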

We changed our patching arrangements about eighteen months ago. Before that, patches went on when somebody had time. Now we have a defined cycle - critical patches within seven days, routine ones within thirty - and any exception requires a compensating control.

Practical Compliance Guidance

The IMS1 manual covers anti-malware and patching as part of the wider information security management section. The same vulnerability register that tracks unpatched systems also tracks the wider technical risks that need ongoing attention.

The following alphaZ documents support a practical approach to malware, anti-malware and patching.

alphaZ document - How to use it

ISO 27001 Toolkit - Full document set for setting up an information security management system, including the anti-malware and vulnerability management procedures.
PP-8-02 Anti Malware Policy Procedure - Procedure covering anti-malware software, configuration, central reporting, and the response when something is detected.
PP-8-07 Technical Vulnerability Management Policy Procedure - Procedure covering vulnerability identification, prioritisation, patching schedules and exception handling.
P-38 Software Installation Policy - Policy covering what software workers are permitted to install, the approval process for new software, and how unauthorised software is detected.
F-IMS58 Vulnerability Risks Register - Register of known unpatched vulnerabilities, the reasons they are not yet patched, the compensating controls and the planned remediation.
P-114 Cyber Security Policy - Cybersecurity policy covering the wider technical defences including anti-malware and patching as part of the overall control set.
PP-8-100 Information Security Policy Procedure - The master policy that sets out the anti-malware, software installation and vulnerability management sections referenced from the standalone policies above.

Note - all the above files can be downloaded with an alphaZ subscription.

Frequently Asked Questions

Yes. Macs have built-in protections that catch some threats, but the volume of macOS-targeted malware has grown considerably as Mac usage in business has increased. Modern endpoint protection products cover Macs as well as Windows, with central reporting that puts the whole estate on one console. The argument that Macs do not get viruses has not been accurate for a long time and is not a defensible audit position.

It depends on the severity of the vulnerability and the exposure of the system. The widely cited benchmark is that critical security patches for internet-facing systems should be applied within fourteen days, ideally within seven for actively exploited vulnerabilities. Routine patches for less exposed systems can usually be applied within a month. The Cyber Essentials scheme requires high-severity patches to be applied within fourteen days. The patching policy should set the standard and the vulnerability register should track exceptions.

End-of-life software is one of the highest-risk categories because vulnerabilities continue to be discovered but no patches are released. The right answer is replacement, not management. Where replacement is not immediately possible, the system should be isolated as far as practicable - off the main network, accessible only from defined devices, with extra monitoring - and an explicit decision recorded with a planned replacement date. Indefinite use of unsupported software is hard to defend at audit and harder to defend after a breach.

Treat it as an incident. Most detections are routine - the anti-malware caught the threat and quarantined it - but the volume and pattern of detections need to be reviewed periodically. A spike in detections might indicate a phishing campaign in progress. A specific user with repeated detections might need targeted training. Detections that bypassed the protection (where the malware ran before being caught) need full incident response, including investigation of what was accessed and reporting if personal data was involved. The detection log feeds into management review as one of the indicators of how the controls are performing.

UK Legislation

The following UK legislation is directly relevant to malware, anti-malware and patching. Organisations outside the UK should identify the equivalent legislation applicable in their jurisdiction.
