M0949 Antivirus/Antimalware

Use signatures or heuristics to detect malicious software. Within industrial control environments, antivirus/antimalware installations should be limited to assets that are not involved in critical or real-time operations. To minimize the impact to system availability, all products should first be validated within a representative test environment before deployment to production systems. [1]

| Item | Value |
| --- | --- |
| ID | M0949 |
| Version | 1.0 |
| Created | 11 June 2019 |
| Last Modified | 30 March 2023 |
| Navigation Layer | View In ATT&CK® Navigator |

Techniques Addressed by Mitigation

| Domain | ID | Name | Use |
| --- | --- | --- | --- |
| ics | T0865 | Spearphishing Attachment | Deploy anti-virus on all systems that support external email. |
| ics | T0864 | Transient Cyber Asset | Install anti-virus software on all workstation and transient assets that may have external access, such as to web, email, or remote file shares. |
| ics | T0863 | User Execution | Ensure anti-virus solution can detect malicious files that allow user execution (e.g., Microsoft Office Macros, program installers). |