M0949 Antivirus/Antimalware
Use signatures or heuristics to detect malicious software. Within industrial control environments, antivirus/antimalware installations should be limited to assets that are not involved in critical or real-time operations. To minimize the impact to system availability, all products should first be validated within a representative test environment before deployment to production systems.
Techniques Addressed by Mitigation
| Domain | ID | Name | Use |
|---|---|---|---|
| ICS | T0865 | Spearphishing Attachment | Deploy anti-virus on all systems that support external email. |
| ICS | T0864 | Transient Cyber Asset | Install anti-virus software on all workstations and transient assets that may have external access, such as to web, email, or remote file shares. |
| ICS | T0863 | User Execution | Ensure the anti-virus solution can detect malicious files that allow user execution (e.g., Microsoft Office Macros, program installers). |