MA.L2-3.7.4 requires organizations to automate malicious-code checks on managed devices and removable media; this post shows how small and mid-sized organizations can configure endpoint protection, removable-media scanning, logging, and automation so that those checks are effective, auditable, and aligned with the Compliance Framework.
What the control requires in practice
At its core, MA.L2-3.7.4 expects continuous and automated capabilities that detect and respond to malicious code on endpoints and on removable media (USB, external HDDs, SD cards, etc.). That includes real-time scanning, scans on device mount or file-write, scheduled full scans, timely signature and rule updates, quarantine/remediation actions, and robust logging to provide evidence for audits. For Compliance Framework alignment, combine technical controls with policies for device usage, exceptions, and proof of monitoring.
Implementation components and recommended configurations
Implement these components: (1) centrally managed Endpoint Protection/EDR agents with real-time protection and on-access scans, (2) removable-media scan-on-mount and scan-on-execute rules, (3) automated signature and rule updates (anti-malware, heuristics, YARA/IOCs), (4) quarantine and automated remediation actions, and (5) centralized logging and alerting (SIEM / EDR console). Technical recommendations: enable real-time protection, enable scanning of archives and nested files, require scan-on-write or on-execute for directories used for downloads and removable mounts, and configure automatic signature updates at least every 4–8 hours. Use allowlists (hash-based) only when necessary and keep exclusions tightly scoped and documented.
Example vendor-specific settings (illustrative)
Microsoft Defender for Endpoint: enable real-time protection and removable drive scanning (Set-MpPreference -DisableRemovableDriveScanning $false), enable cloud-delivered protection and automatic remediation, and monitor the "Microsoft-Windows-Windows Defender/Operational" event channel and the Defender console for detections. For Linux hosts, run clamd/freshclam with a file-system watcher (inotify/fanotify) that triggers clamscan on newly mounted volumes; schedule daily full scans with cron and ensure freshclam runs every hour. For macOS, deploy an EDR/AV via Jamf and configure "scan on mount" checks and quarantine via the EDR policy. In all cases, deploy agents through a central console and roll out configuration via policy to prevent configuration drift.
Removable media-specific controls and practical steps
Removable media is a high-risk vector—implement device control and scanning together. Steps: disable autorun/autoplay at the OS level; enforce BitLocker/FileVault (or equivalent) encryption for permitted removable devices; implement a device control policy that restricts which USB device classes or serial numbers can mount; on allowed devices, enforce automatic scan-on-mount and deny execution of unscanned binaries by default. Maintain an inventory of approved removable devices (vendor/serial hash). For small businesses with limited staff, use built-in OS controls (GPO for Windows: disable autoplay and deploy Defender settings) combined with a low-cost EDR/AV with device control features to centralize enforcement.
Small-business scenarios and real-world examples
Scenario A: 40-seat engineering firm with occasional contractor USB drops. Deploy a cloud-managed EDR (e.g., Defender, CrowdStrike, SentinelOne) to all endpoints, enforce device-control policies that allow only company-issued USBs (identified by serial number or vendor ID), and configure auto-scan on mount with quarantine and automatic disconnection of network shares on detection. Scenario B: Manufacturing shop using USB drives for offline PLC updates. Create a vetted process: fully scan the update file on a staging PC running an EDR, allowlist the file by hash, record the hash in change management, and log the device and user in a change ticket. These practical processes reduce false positives and produce the audit evidence required by the Compliance Framework.
Logging, evidence, and automation for compliance
Ensure every detection produces auditable artifacts: event logs, EDR alerts with timestamps, files quarantined (or hashes taken), user and host context, and remediation actions taken. Forward these to your SIEM or centralized logging (e.g., Elastic, Splunk, Azure Sentinel) and create retention policies appropriate to your compliance needs (typically 1–3 years depending on organizational policy). Automate playbooks for common detection types: isolate host, collect forensic snapshot, quarantine file, notify incident response, and open a ticket. SOAR tools or built-in EDR automation can perform these steps and generate an evidence trail for an auditor.
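The Linux scan-on-mount step from the vendor-specific settings above, the deny-unscanned rule from the removable-media section, and the auditable evidence record this section calls for, as one added example that is not from the original post: a POSIX shell wrapper that a udev rule or systemd mount unit would call with the mount point. It assumes clamd is running with clamdscan installed, that the names SCANNER, EVIDENCE_LOG and scan_mount are chosen here, and that a SIEM forwarder tails the JSON-lines log.

```shell
#!/bin/sh
# Added example (not from the original post): scan a newly mounted removable volume,
# act on the verdict, and append an auditable JSON-lines evidence record.
# Assumptions: clamd is running and clamdscan is installed; a udev rule or systemd
# mount unit calls "scan_mount <mountpoint>"; $EVIDENCE_LOG is tailed by a SIEM forwarder.
set -u

SCANNER="${SCANNER:-clamdscan}"   # clamdscan exit codes: 0 clean, 1 infected, 2 error
EVIDENCE_LOG="${EVIDENCE_LOG:-/var/log/removable-media-scan.jsonl}"

# Policy: clean media is allowed, detections are quarantined, and a failed scan is
# treated as unscanned media that must not be used (deny by default).
scan_action() {
    case "$1" in
        0) echo "allow" ;;
        1) echo "quarantine" ;;
        *) echo "deny-unscanned" ;;
    esac
}

# One evidence record per scan: timestamp, host, user, device, verdict, detections.
write_evidence() {
    printf '{"ts":"%s","host":"%s","user":"%s","mount":"%s","scanner_rc":%s,"action":"%s","detections":"%s"}\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(uname -n)" "${SUDO_USER:-$(id -un)}" \
        "$1" "$2" "$3" "$4" >> "$EVIDENCE_LOG"
}

scan_mount() {
    mountpoint="$1"
    rc=0
    # --fdpass hands open file descriptors to clamd so it can read media the daemon
    # user cannot; --infected prints only "path: Signature FOUND" lines.
    output="$("$SCANNER" --fdpass --infected --no-summary "$mountpoint" 2>&1)" || rc=$?
    action="$(scan_action "$rc")"
    # Collapse the FOUND lines into one field, escaping quotes for the JSON record.
    detections="$(printf '%s\n' "$output" | grep ' FOUND$' | tr '\n' ';' | sed 's/"/\\"/g')"
    if [ "$action" != "allow" ]; then
        # Keep the media from being used until an analyst reviews it; the files
        # themselves are quarantined by the EDR or by clamdscan's --move option.
        mount -o remount,ro "$mountpoint" 2>/dev/null || true
    fi
    write_evidence "$mountpoint" "$rc" "$action" "$detections"
    echo "$action"
}
```

A scanner that is missing or crashes yields a non-zero, non-1 exit code, so the media is recorded and treated as unscanned rather than silently allowed.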
Risks of not implementing automated scanning
Without automated endpoint and removable media scanning, organizations face increased risk of ransomware and data exfiltration, loss of Controlled Unclassified Information (CUI), and supply-chain compromise. For contractors and small businesses holding or processing CUI, failing MA.L2-3.7.4 can result in contract loss, remediation costs, and reputational damage. Practically, missing automated checks means delays in detection, greater lateral movement by attackers, and fewer forensic artifacts—making incident response slower and less effective.
Summary — implement centrally managed EDR/AV with scan-on-mount for removable media, enforce device control and encryption, automate signature updates and remediation, collect and retain detection logs, and document your policies and exceptions. Start with a pilot, harden policies (minimal exclusions), and iterate with routine testing; doing so will satisfy MA.L2-3.7.4 in a practical, auditable way that fits small-business constraints while reducing real operational risk.