PCI Requirement 5.2 – Ensure all Anti-Virus Mechanisms are Current, Perform Periodic Scans, and Generate Audit Logs

by Randy Bartels / August 23rd, 2017

Because the threat landscape is constantly evolving, you must keep your organization’s malware protection up to date. PCI Requirement 5.2 exists to “ensure that all anti-virus mechanisms are maintained as follows: are kept current, perform periodic scans, and generate audit logs which are retained per PCI DSS Requirement 10.7.”

Your organization’s anti-virus solution must be kept current. Every day, new types of malware are created and new definitions are released, so your organization needs to stay up-to-date. Both your malware definitions and the scanning engine itself should be current. The PCI DSS explains why: “Even the best anti-virus solutions are limited in effectiveness if they are not maintained and kept current with the latest security updates, signature files, or malware protections.”

The anti-virus solution that you have in place should perform scans periodically. It is not the assessor’s job to define what “periodically” means for your environment, but generally, we are looking to see that you have a business justification for how often you run scans. Ideally, you should be running them every day or in real time. We understand that there are some situations in which you can’t always run them every day, but it is not acceptable to shut off the anti-virus solution just because it is inconvenient.

According to PCI Requirement 5.2, your anti-virus solution should generate audit logs in accordance with PCI Requirement 10.7, which states, “Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis.” The PCI DSS further explains, “Retaining logs for at least a year allows for the fact that it often takes a while to notice that a compromise has occurred or is occurring, and allows investigators sufficient log history to better determine the length of time of a potential breach and potential system(s) impacted. By having three months of logs immediately available, an entity can quickly identify and minimize impact of a data breach.” If there is malware in your environment, your staff should see it because it should show up in a log that is periodically reviewed.
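The three expectations above (definitions kept current, scans run periodically, audit logs retained per Requirement 10.7) can be checked automatically against the status data an anti-virus console exports. The following script is an added example written for this article, not code from the original post or from any anti-virus vendor. It runs over constructed endpoint status records and a constructed log-archive inventory; the 365-day and 90-day values are the Requirement 10.7 figures quoted above, while the 7-day scan limit and 3-day definition-age limit are assumptions standing in for an organization's own documented policy.

```python
"""PCI DSS Requirement 5.2 status check (added example, not from the article).

Evaluates constructed anti-virus agent status records and a constructed
audit-log inventory against the three expectations in Requirement 5.2:
definitions kept current, scans run periodically, and audit logs retained
per Requirement 10.7 (one year, three months immediately available).
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, datetime, timedelta

# Requirement 10.7 values as quoted in the article.
LOG_RETENTION_DAYS = 365
LOG_ONLINE_DAYS = 90
# Assumptions: PCI DSS does not fix these numbers; they stand in for an
# organisation's own documented, business-justified scan and update policy.
MAX_SCAN_AGE_DAYS = 7
MAX_DEFINITION_AGE_DAYS = 3


@dataclass
class EndpointStatus:
    host: str
    definitions_date: date       # date stamp of the installed signature set
    last_full_scan: datetime     # completion time of the last scheduled scan
    protection_enabled: bool     # agent running, not shut off for convenience
    logging_enabled: bool        # agent forwards its events to the log store


def check_endpoint(ep: EndpointStatus, now: datetime) -> list[tuple[str, str, str]]:
    """Return (host, code, detail) findings for one endpoint."""
    findings = []
    def_age = (now.date() - ep.definitions_date).days
    if def_age > MAX_DEFINITION_AGE_DAYS:
        findings.append((ep.host, "DEFINITIONS_STALE", f"{def_age} days old"))
    scan_age = (now - ep.last_full_scan).days
    if scan_age > MAX_SCAN_AGE_DAYS:
        findings.append((ep.host, "SCAN_OVERDUE", f"last scan {scan_age} days ago"))
    if not ep.protection_enabled:
        findings.append((ep.host, "PROTECTION_DISABLED", "agent is switched off"))
    if not ep.logging_enabled:
        findings.append((ep.host, "LOGGING_DISABLED", "no audit trail for 10.7"))
    return findings


def check_log_retention(inventory: dict[date, str], today: date) -> list[tuple[date, str]]:
    """inventory maps each day with a retained AV log to "online" or "archive".

    Every day in the last LOG_RETENTION_DAYS must be present, and every day
    in the last LOG_ONLINE_DAYS must be "online" (immediately available).
    """
    findings = []
    for offset in range(LOG_RETENTION_DAYS):
        day = today - timedelta(days=offset)
        tier = inventory.get(day)
        if tier is None:
            findings.append((day, "MISSING"))
        elif offset < LOG_ONLINE_DAYS and tier != "online":
            findings.append((day, "NOT_ONLINE"))
    return findings


def run_assessment(endpoints, inventory, now):
    """Aggregate both checks; empty lists mean 5.2 looks satisfied."""
    return {
        "endpoints": [f for ep in endpoints for f in check_endpoint(ep, now)],
        "log_retention": check_log_retention(inventory, now.date()),
    }


# Constructed sample data (not real hosts). NOW is fixed for repeatability.
NOW = datetime(2017, 8, 23, 12, 0)
SAMPLE_ENDPOINTS = [
    EndpointStatus("pos-01", date(2017, 8, 22), datetime(2017, 8, 22, 2, 0), True, True),
    EndpointStatus("pos-02", date(2017, 8, 1), datetime(2017, 8, 5, 2, 0), True, True),
    EndpointStatus("db-01", date(2017, 8, 22), datetime(2017, 8, 20, 3, 0), True, False),
]


def build_sample_inventory(today: date) -> dict[date, str]:
    """A year of daily logs, with three deliberately planted defects."""
    inv = {today - timedelta(days=o): ("online" if o < LOG_ONLINE_DAYS else "archive")
           for o in range(LOG_RETENTION_DAYS)}
    del inv[date(2017, 6, 15)]          # gap inside the 90-day window
    del inv[date(2016, 12, 1)]          # gap in the archived period
    inv[date(2017, 6, 1)] = "archive"   # recent day parked in cold storage only
    return inv


if __name__ == "__main__":
    result = run_assessment(SAMPLE_ENDPOINTS, build_sample_inventory(NOW.date()), NOW)
    for host, code, detail in result["endpoints"]:
        print(f"{host}: {code} ({detail})")
    for day, code in result["log_retention"]:
        print(f"{day}: {code}")
```

On the sample data the script reports stale definitions and an overdue scan on `pos-02`, disabled logging on `db-01`, two days with no retained log at all, and one recent day that exists only in the archive tier and so fails the three-months-immediately-available test. In a real deployment the endpoint records would come from the anti-virus management console and the inventory from the log management platform; the checks themselves do not change.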

Video Transcription

PCI DSS Requirement 5.2 says that the solution you have or have implemented needs to be capable of logging, and we’ll talk about that in some of the next requirements. You need to make sure that the solution is kept current. Every day, there’s new malware that comes out. There are new definitions that are released, so we need to make sure that we keep the definitions for the malware up-to-date. We need to make sure we keep the scanning engine current and up-to-date as well. We need to make sure that the solutions that you have in place are performing scans periodically.

It’s not our job to define what “periodically” is for your environment. I can tell you, as an assessor, if the scans that you’re performing run more than a week, I get really nervous and I’m looking for some real business justification for why you’re not running it sooner. Ideally, if you can run it every day or run it in real time, that’s perfect. However, there are situations, we understand, where you can’t always run it every day. If you tell me that you do not run anti-virus scans on your database because it brings the database to its knees, I would suggest you don’t run anti-virus scanning on the actual database itself. However, you would still need to run the anti-malware scan against the server itself. It’s not acceptable to shut off an anti-virus solution because it’s inconvenient.

Continuing on with the requirements in 5.2, one of the areas that most organizations really struggle with is the requirement to retain the logs generated by your anti-virus solution. Understand that there are a couple of places where the logging needs to occur. We have our anti-virus console or management – we absolutely need to be logging the anti-virus activities that are associated with that. However, we also need to be logging the events that occur on the workstations themselves. Specific to the requirement, it says that we need to be retaining those logs in accordance with Requirement 10.7. If you need some assistance with understanding what that requirement is, please look at the requirements around log retention for 10.7. We find a lot of organizations struggle with meeting this requirement, especially when they’re in a very distributed environment. We come into a retail environment or a hospitality environment where they might have 100 restaurants or 500 restaurants, and the log retention and log review becomes very difficult around this anti-virus solution. In many situations, the anti-virus solution has the capability of generating logs. The problem that exists is that we’re not retaining those logs as required.

So, my recommendation to you is make sure that part of your log management solution for anti-virus captures the logs from the PCs, the workstations out in the field where the anti-virus solution is running. If there is malware in your environment, your staff should know about that. Really, the only way to know about that is if it shows up somewhere in a log that’s reviewed periodically.