PCI Requirement 5.3 – Ensure Anti-Virus Mechanisms are Active and Can’t be Altered
Now that there is an anti-virus solution installed and running in your environment, we need to keep it that way. PCI Requirement 5.3 states, “Ensure that anti-virus mechanisms are actively running and cannot be disabled or altered by users, unless specifically authorized by management on a case-by-case basis for a limited time period.”
There may be situations when you need to disable the anti-virus mechanism for a very short period of time and for a very specific reason; this must be approved by management and management must understand the vulnerability associated with disabling your solution. The PCI DSS notes, “Anti-virus solutions may be temporarily disabled only if there is legitimate technical need, as authorized by management on a case-by-case basis. If anti-virus protection needs to be disabled for a specific purpose, it must be formally authorized. Additional security measures may also need to be implemented for the period of time during which anti-virus protection is not active.”
We’ve seen attacks occur when anti-virus mechanisms are shut off. The reason could be that the mechanism is inconvenient for them or it might slow down their system; whatever the reason is, understand that it could be the gateway for a hacker to launch their attack within the rest of your environment. Your anti-virus solution should be running, it should not be disabled, and if it is disabled, there should be additional security measures in place. For example, this measure could be disconnecting the system from the Internet during the period of time when the anti-virus protection is shut off, then running a scan once it’s re-enabled.
Your assessor will take inventory of your systems, examine anti-virus configurations to verify that the anti-virus solution is actively running and cannot be altered by users, question situations where/if an anti-virus solution is not running, and observe processes to ensure that the anti-virus solution cannot be shut off without management’s approval.
Now that you have an anti-virus solution installed and running in your environment, we need to ensure that the anti-virus solution is actually kept running. We need to make sure that end-users cannot disable your anti-malware solution. However, we understand that there might be production issues where anti-virus might need to be disabled for a break/fix. In those situations, it’s okay that you disable it. When we look specifically at 5.3, it says that in those situations, we would only disable it for a very short period of time, for a very specific reason, and that management approves that. Management needs to be aware that they have a system that would be vulnerable to vulnerabilities.
We’ve seen attacks happen in the industry when people have gone in and shut it off for whatever reason; it might be inconvenient for them or it might just slow down their system, so they shut off anti-virus. Lo and behold, those become a footprint for where attackers would get a hold of that information and then launch their attack within the rest of the environment. So, your anti-virus solution should be running, it should not be disabled, and if it is disabled, it should only be for a very short period of time.
One of the things that the assessor is going to be doing is they’re going to be taking an inventory of all of your systems. They’re going to be looking at the running services and making sure that anti-virus is actually running on all of the devices. If there is a situation where they discover anti-virus isn’t running, they’re going to possibly ask for the change control or management’s approval that’s authorized those system to have their anti-virus solution shut off.
In short, your anti-virus needs to be running and it needs to be protecting those systems that are vulnerable to malware.