Cyber Essentials Malware Explained

Cyber Essentials Malware Explained


Malware is software or web content that has been designed to cause harm. For example, the 2017 WannaCry attack used ransomware, a form of malware that makes data or systems unusable until the victim makes a payment. Viruses are the most well-known form of malware. These programs infect legitimate software, make copies of themselves, and send these duplicates to any computers that connect to their victim.

How malware works

There are various ways in which malware can find its way onto a computer. A user may open an infected email, browse a compromised website, or open an unknown file from removable storage media (such as a USB memory stick).

Three ways to defend against malware

  1. Antivirus software is often included for free within popular operating systems, and should be used on all computers and laptops. Smartphones and tablets might require a different approach and, if configured in accordance with the NCSC’s guidance, separate antivirus software might not be necessary.
  2. You should only download apps for mobile phones and tablets from manufacturer-approved stores (like Google Play or Apple App Store). These apps are checked to provide a certain level of protection from malware. You should prevent staff from downloading apps from unknown vendors/sources, as these will not have been checked.
  3. For those unable to install antivirus or limit users to approved stores, there is another, more technical, solution. Apps and programs can be run in a ‘sandbox’. This prevents them from interacting with, and harming, other parts of your devices or network.

If you would like more information, have a look at the NCSC's guidance on mitigating malware and ransomware attacks.

Malware Protection—What Cyber Essentials Requires

Cyber Essentials Certification requires that you implement one of the three approaches listed above, to protect your devices against malware.

Malware protection

This applies to: Desktop computers, laptop computers, tablets, mobile phones


Restrict execution of known malware and untrusted software, to prevent harmful code from causing damage or accessing sensitive data.


The execution of software downloaded from the internet can expose a device to malware infection.

Malware—such as computer viruses, worms, and spyware—is software that has been written and distributed deliberately to perform malicious actions. Potential sources of malware infection include malicious email attachments, downloads (including those from application stores), and direct installation of unauthorised software.

If a system is infected with malware, your organisation is likely to suffer from problems like malfunctioning systems, data loss, or onward infection that goes unseen until it causes harm elsewhere.

You can largely avoid the potential for harm from malware by:

  • Detecting and disabling malware before it causes harm (anti-malware)
  • Executing only software that you know to be worthy of trust (whitelisting).

Acme Corporation implements code signing alongside a rule that allows only vetted applications from the device application store to execute on devices. Unsigned and unapproved applications will not run on devices.

The fact that users can only install trusted (whitelisted) applications leads to a reduced risk of malware infection.

Requirements under this technical control theme

The applicant must implement a malware protection mechanism on all devices that are in scope. For each such device, the applicant must use at least one of the three mechanisms listed below.

Anti-malware software

  • The software (and all associated malware signature files) must be kept up to date, with signature files updated at least daily. This may be achieved through automated updates, or with a centrally managed deployment.
  • The software must be configured to scan files automatically upon access. This includes when files are downloaded and opened, and when they are accessed from a network folder.
  • The software must scan web pages automatically when they are accessed through a web browser (whether by other software or by the browser itself).
  • The software must prevent connections to malicious websites on the internet (by means of blacklisting, for example) unless there is a clear, documented business need and the applicant understands and accepts the associated risk.

Application whitelisting

  • Only approved applications, restricted by code signing, are allowed to execute on devices.  The applicant must:
    • Actively approve such applications before deploying them to devices
    • Maintain a current list of approved applications.
  • Users must not be able to install any application that is unsigned or has an invalid signature.

Application sandboxing

  • All code of unknown origin must be run within a 'sandbox' that prevents access to other resources unless permission is explicitly granted by the user. These resources include:
    • Other sandboxed applications
    • Data stores, such as those holding documents and photos
    • Sensitive peripherals, such as the camera, microphone, and GPS
    • Local network access.