PCI Requirement 5.1.1 – Ensure Anti-Virus Programs are Capable of Detecting, Removing, and Protecting Against Malware

by Randy Bartels / August 23rd, 2017

It’s crucial that your organization can protect itself from all types and forms of malicious software, including viruses, Trojans, worms, spyware, adware, and rootkits. PCI Requirement 5.1.1 requires that your organization’s anti-virus program is capable of three things:

  1. Detecting all known types of malware
  2. Removing all known types of malware
  3. Protecting against all known types of malware

Some solutions perform whitelisting, which prevents unapproved software, malware included, from ever running in the first place, but oftentimes that type of solution neither detects nor removes malicious software that is already present. Whitelisting is a good element in a security program, but remember that your program must be capable of doing all three: detecting, removing, and protecting. During the assessment, your assessor should examine documentation and anti-virus configurations to verify that your anti-virus program can detect, remove, and protect against all known types of malware.
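As an added example (not part of the original article), the following script collects the kind of configuration evidence an assessor would ask for, mapping each of the three capabilities to a concrete setting. It assumes a Windows host running Microsoft Defender Antivirus with the `Get-MpComputerStatus` and `Get-MpPreference` cmdlets available; the default-action enum values and the one-day signature-age threshold are assumptions, and other products expose comparable settings under different names.

```powershell
# Added example: evidence collection for PCI DSS 5.1.1 on a Windows host
# running Microsoft Defender Antivirus. Assumes the Defender PowerShell
# module (Get-MpComputerStatus, Get-MpPreference) is present.
function Test-Pci511Capabilities {
    [CmdletBinding()]
    param(
        # Signatures older than this many days are reported as a finding (assumed threshold)
        [int]$MaxSignatureAgeDays = 1
    )

    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference

    # Assumed enum mapping for *ThreatDefaultAction: 6 = Allow, 9 = NoAction.
    # Either value means a detected threat is left in place, i.e. no removal.
    $nonRemediating = 6, 9
    $defaultActions = @(
        $pref.LowThreatDefaultAction, $pref.ModerateThreatDefaultAction,
        $pref.HighThreatDefaultAction, $pref.SevereThreatDefaultAction
    )

    $checks = [ordered]@{
        # 1. Detecting: engine enabled and signatures current
        'Detect: AV engine enabled'            = [bool]$status.AntivirusEnabled
        'Detect: signatures current'           = $status.AntivirusSignatureAge -le $MaxSignatureAgeDays
        # 2. Removing: no severity level configured to allow or ignore threats
        'Remove: no severity set to Allow/NoAction' =
            @($defaultActions | Where-Object { $_ -in $nonRemediating }).Count -eq 0
        # 3. Protecting: real-time and on-access scanning on and not disabled by policy
        'Protect: real-time protection on'     = $status.RealTimeProtectionEnabled -and -not $pref.DisableRealtimeMonitoring
        'Protect: on-access scanning on'       = [bool]$status.OnAccessProtectionEnabled
    }

    foreach ($name in $checks.Keys) {
        [pscustomobject]@{
            Host   = $env:COMPUTERNAME
            Check  = $name
            Result = if ($checks[$name]) { 'PASS' } else { 'FAIL' }
        }
    }
}

# Produce a per-host evidence table; run across the cardholder data environment
# and retain the output alongside the anti-virus policy documentation.
Test-Pci511Capabilities | Format-Table -AutoSize
```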

The anti-malware solution that you choose needs to be capable of detecting, removing, and preventing attacks. There are solutions out there today that do whitelisting that prevent malware from ever running in the first place. I think that type of solution is a good means as part of your overall program. When we look at tools like Solidcore, they’re really great tools, but it has been my experience that a lot of those whitelisting solutions do not necessarily remove or detect. In order to meet this particular requirement, the PCI DSS 5.1.1, we need to make sure that whatever solution you have implemented is capable of detecting, preventing, and removing malware.