PCI Compliance Every Day – Requirement 5

Protect all Systems Against Malware and Regularly Update Anti-Virus Software or Programs

In this latest post of my PCI compliance blog series, we will explore Requirement 5, which has four distinct requirements that imply they need to be addressed at least daily:

• 5.1: For a sample of system components, including all operating system types commonly affected by malicious software, verify that anti-virus software is deployed if applicable anti-virus technology exists.
• 5.2.b: Examine anti-virus configurations, including the master installation of the software, to verify anti-virus mechanisms are: configured to perform automatic updates and configured to perform periodic scans.
• 5.2.d: Examine anti-virus configurations, including the master installation of the software and a sample of system components, to verify that: anti-virus software log generation is enabled and logs are retained in accordance with PCI DSS Requirement 10.7.
• 5.3.b: Examine anti-virus configurations, including the master installation of the software and a sample of system components, to verify that the anti-virus software cannot be disabled or altered by users.

The first requirement (5.1) necessitates that an organization maintain an accurate inventory of their devices and the operating systems on those devices. However, configuration management data base (CMDB) solutions are notorious for not being completely implemented. As a result, it can be quite an exercise to determine if every system that needs anti-virus software has it installed. Regardless, in order to keep things manageable, someone within the organization is going to have to ensure that every system that needs anti-virus has it, which usually is a daily task.

The next hurdle with requirement 5.1 is that while almost everyone understands that any implementation of Microsoft Windows is covered by the statement, “commonly affected by malicious software,” we still run into tremendous push back from Apple Macintosh and Linux users/administrators over their need to run an anti-virus solution. Yet a review of the CVE database clearly debunks those claims. Yes, these systems have fewer vulnerabilities than Windows, but they still would be “commonly affected” given the number of vulnerabilities and the frequency with which those vulnerabilities get published. Many of the enterprise-level anti-virus solutions provide clients for Macintosh and various forms of Linux, so it is not like they cannot comply. In a lot of cases, their existing contract with the anti-virus vendor allows them to use the Macintosh and Linux clients just like the Windows client, so an argument over additional cost is likely moot.

Never mind the push back from server administrators who swear that any anti-virus solution takes too much CPU to run and adversely affects server performance. While getting better, we still regularly encounter people who make this claim but then have no documented proof of it. Not that we do not believe them as I do know that some anti-virus products can adversely affect performance. However, in most cases the person making the case is just parroting back claims made by current and former co-workers and what they have read on the internet regarding anti-virus solutions. The bottom line is that unless they can provide current documented proof of their claim, that claim is not believable.

The last three requirements can be monitored and alerted from whatever enterprise anti-virus solution’s master console your organization has implemented. In fact, it is highly unusual if an organization is not already monitoring these areas. Almost every person we have ever interviewed regarding anti-virus can quickly tell us through the console which systems are not running the current anti-virus signatures, which are not running the current version of the client, which have not run a scan in the last week and which systems are not properly configured.

However, where anti-virus does have a shortcoming is in its ability to detect viruses and malware. Testing of these products confirms time and again that anti-virus solutions are only around 30 to 40 percent effective in detecting viruses and malware. That means there is a high likelihood that an organization could get infected and not immediately recognize it. This is particularly true with today’s attacks where attackers use modified versions of malware to go undetected by anti-virus solutions. 

For organizations looking for a higher level of security, we recommend an additional product that uses white/black listing, critical file monitoring or some other method of flagging viruses and malware to enhance the ability of an organization to detect viruses and malware. While still not 100 percent effective, such an approach makes detection of viruses and malware more likely than relying on anti-virus solutions alone.

One place we do encounter an occasional problem is in complying with log data in 5.2.d. While the anti-virus solution usually provides more than adequate logging capabilities, the log data is not retained for at least 90 days with immediate access and for at least a year on back up media. The anti-virus main server(s) could retain this log data to meet the PCI requirement, but a lot of organizations do not configure it for that sort of retention. That means they are not in compliance with requirement 10.7 to retain log data for 90+ days online and at least a year offline. The easiest fix for this is to route the anti-virus solution’s master server(s) log data to your security information and event monitoring (SIEM) solution. This also will allow you to monitor and alert on the anti-virus solution in your operations area as well as with your anti-virus team as a double-check and back-up.

Ultimately, the good news in this section is that almost every enterprise implementation of anti-virus solution we have ever encountered can meet the PCI requirements through their master console and master server(s). All it takes is to properly configure the solution.