Anti-malware Software Guidelines

All UC Berkeley IT Resources and all devices connected to the UC Berkeley network or cloud services must comply with the Minimum Security Standard for Networked Devices (MSSND)The recommendations below are provided as optional guidance to assist with achieving the Anti-malware Software requirement.

MSSND Anti-malware Software Requirement

When built-in anti-malware features are available in operating systems, such as with current versions of Windows and macOS, they must be enabled. Otherwise, separate anti-malware software that supports real-time scanning is recommended, including for network storage appliances. This requirement does not apply to mobile devices. Please refer to the Guidelines for specific use cases, including Linux.

Background and Description of Risk

Malware is short for “malicious software” and broadly describes all software that is designed to provide unauthorized access or perform unauthorized actions on a system. The impact of malware can range from minor system performance issues to complete hard drive deletion or even full, remote control of a system by an attacker. It is important to detect malware before it infects or has the potential to do anything malicious on a system. 

While anti-malware software provides significant protection against malware of all types, it is not 100% effective. Requirement #9, “Privileged Accounts" provides additional protection against malware which may not be detected by anti-malware software. 

Recommendations

1. Institutionally-owned Endpoints (workstations/desktops/laptops) managed by BigFix

If your device is managed by BigFix through IT Client Services (ITCS), or your departmental IT, it meets the MSSND anti-malware requirement. However, it is important that you:

  • Restart your computer when BigFix tells you to in order to keep the anti-malware features up to date;

  • Do not disable your anti-malware software.

2. Berkeley IT-Managed Servers: 

If your server is centrally managed by Berkeley IT, confirm with the Berkeley IT Service Provider whether anti-malware protections are managed for you or are your responsibility.

3. Personal Devices; Institutionally-owned Endpoints (workstations/desktops/laptops) not managed by BigFix; Other Servers

Windows, MacOS, and iOS:

Current, manufacturer-supported versions of Windows 8 and higher, macOS, and iOS operating systems contain built-in anti-malware protections that meet MSSND requirements. Personal devices and unmanaged institutionally-owned devices should be maintained at these operating system release levels.

  • For Windows computers, be sure to confirm that Windows Defender is turned on.
  • The Information Security Office does not generally recommend downloading and installing free, third party anti-virus/anti-malware tools on top of the built-in protections for either Windows or macOS. Also see the “Licensing Note” below.

For institutionally-owned endpoints that are not supported by ITCS or your departmental IT, contact the EOS team to get started with managed client services:https://technology.berkeley.edu/services/device-support/berkeley-desktop

Linux:

Useful tools in the anti-malware software space for Linux are limited. To mitigate the damage that malware can do:

  • Desktops: Enable SELinux or AppArmor. Alternatively, install and enable ClamAV or Sophos AV for Linux.
  • Servers: Enable SELinux or AppArmor, or run a host-based intrusion detection system (HIDS), e.g. OSSec. Combining SELinux/AppArmor and a HIDS is recommended. 
  • P4 systems: Work with ISO to install the Trellix (formerly known as FireEye) Endpoint Detection and Remediation (EDR) agent for P4 systems, or a suitable alternative.

Also critical for Linux is to keep your system patched and up to date (see MSSND requirement #1).

ISO also recommends locking down your system according to the CIS level 2 benchmarks.

Licensing Note:

Certain free anti-malware software is only free for personal use. Always check the licensing agreement for software not included in your operating system. Software for personal use only may not be installed on a university device or registered under your @berkeley.edu account.

4. Enable Real-time Scanning Where Available

In order to detect malware before it is able to infect a system, enable real-time scanning where available. Real-time scanning will analyze files and programs as they are copied to a system in order to prevent the user from unknowingly becoming infected.

Edge Cases: Servers where real-time scanning creates unacceptable performance issues.

Some servers may be operating in an environment where real-time scanning negatively impacts the performance of the services. In these cases, ensure that all clients connecting to the server are running anti-malware software with real-time scanning enabled and schedule anti-malware scans for the server on a weekly basis.