What Does Compliant Scanning Look Like in Microsoft Defender? (SI.L2-3.14.5)

What Does Compliant Scanning Look Like in Microsoft Defender? (SI.L2-3.14.5)

See how cmmc microsoft defender compliant file scanning meets SI.L2-3.14.5 with defined periodic scans and real-time external-file protection.

LakeRidge Team
July 17, 2026
9 min read

Share:

Schedule Your Free Compliance Consultation

Feeling overwhelmed by compliance requirements? Not sure where to start? Get expert guidance tailored to your specific needs in just 15 minutes.

Personalized Compliance Roadmap
Expert Answers to Your Questions
No Obligation, 100% Free

CMMC Phase 2 begins November 10, 2026.

Compliant scanning means the organization has defined how often Microsoft Defender scans systems for malicious code, performs those scans at that frequency, and keeps real-time protection active so files from external sources are scanned when downloaded, opened, or executed. For cmmc microsoft defender compliant file scanning, an assessor should be able to see both the configured Defender settings and evidence that the settings apply to every in-scope endpoint and server handling CUI.

What does cmmc microsoft defender compliant file scanning require?

NIST SP 800-171 Rev. 2 and CMMC 2.0 Level 2 practice SI.L2-3.14.5 require an organization to:

“Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.”

For an internal auditor, the requirement is easiest to evaluate as three connected obligations rather than one general “antivirus is installed” statement.

  1. “Perform periodic scans” means the organization must establish a recurring scan schedule. It is not sufficient to say that users can manually start a scan or that Defender scans files only when accessed. The organization must define a frequency, such as a daily quick scan and a weekly full scan, based on its risk, system use, and endpoint availability.
  2. “Of the information system” means the scan requirement applies to the in-scope environment, including workstations, laptops, and servers that store, process, or provide security protection for CUI. Asset scope matters: a well-configured pilot group does not demonstrate compliance if unmanaged CUI endpoints are excluded.
  3. “Real-time scans of files from external sources” means Microsoft Defender Antivirus must inspect files as they enter or are used on the device. Downloaded files, email attachments saved locally, files copied from removable media, cloud-synchronized content, and files opened from external locations are common examples. Real-time protection must be enabled rather than relying solely on scheduled scans.

The implementation note behind SI.L2-3.14.5 makes an important distinction. Periodic scans reevaluate files already saved on a device using updated malware intelligence. Real-time scans inspect new or accessed files at the point of download, opening, saving, or execution. A compliant Microsoft Defender implementation needs both capabilities.

Who does SI.L2-3.14.5 apply to and when is scanning triggered?

This practice applies to the information system within the CMMC assessment scope. In practical terms, that normally includes Windows endpoints used by personnel who handle CUI, shared workstations, servers that store CUI, and administrative systems that provide security functions for those assets. If a device is out of scope because it cannot access or process CUI and does not provide a security service to the CUI environment, document that boundary rather than assuming the device is covered.

Microsoft Defender Antivirus is the relevant endpoint control for Windows systems when it is the active anti-malware engine. Microsoft Defender for Endpoint can provide centralized inventory, policy reporting, alerts, and investigation evidence, but onboarding to Defender for Endpoint alone does not prove SI.L2-3.14.5 compliance. The underlying Microsoft Defender Antivirus settings must still enable real-time and scheduled scanning.

Real-time scanning should be triggered when a user or process interacts with an externally sourced file. The control is not limited to web downloads. An assessor may reasonably ask how the organization addresses these events:

  • A user downloads an installer, document, archive, or script through a web browser.
  • A user saves an email attachment to a local folder and later opens it.
  • A spreadsheet is copied from a USB drive or other removable media.
  • A file synchronized from SharePoint, OneDrive, Dropbox, or another cloud service is opened or executed.
  • A user runs a program, macro-enabled document, PowerShell script, or executable obtained from an external party.

Defender’s real-time protection scans files as they are accessed. Organizations should also enable the policy commonly shown as Scan all downloaded files and attachments, sometimes referred to in policy reporting as IOAV protection. That setting helps demonstrate that downloaded content and attachments receive inspection before users rely on them.

What does compliant scanning look like in Microsoft Defender in practice?

For CMMC Microsoft Defender compliant file scanning, the strongest evidence combines a written scanning standard, centrally deployed configuration, endpoint coverage data, and records showing the controls operate. The following examples are concrete implementations an assessor would generally recognize as aligned with the three SI.L2-3.14.5 objectives.

Control area Example Microsoft Defender configuration Evidence an auditor can retain
Defined periodic scan frequency Intune Endpoint Security Antivirus policy sets a daily quick scan at 12:00 and a weekly full scan every Sunday at 02:00 for managed Windows endpoints. Approved malware-protection standard, Intune policy export or screenshots, and the assigned device group.
Real-time file scanning Microsoft Defender Antivirus Real-time protection is enabled, with tamper protection enabled to prevent local users from disabling it. Intune compliance or antivirus policy report showing the setting applied, plus endpoint status in Microsoft Defender for Endpoint.
Downloaded files and attachments Scan all downloaded files and attachments is enabled, and cloud-delivered protection is enabled for current malware intelligence. Policy configuration, Defender device timeline events, and a sampled endpoint configuration report.
Detection response Defender is configured to quarantine detected malware, while the incident-response process defines triage, restoration, escalation, and evidence retention. Detection alert, quarantine history, ticket or incident record, and documented resolution.

Example 1: A documented scan schedule is deployed to all CUI laptops

The organization’s malware protection standard states that Windows CUI endpoints receive a quick scan daily and a full scan weekly. An Intune antivirus profile enforces the schedule across the device group containing CUI laptops. The auditor can compare the documented frequency to the actual Intune settings and verify that the target group includes the organization’s CUI-capable devices.

This example satisfies the first two CMMC objectives: the frequency is defined, and scans are performed according to that defined frequency. The organization should account for devices that are routinely powered off during the scheduled window by documenting how missed scans are handled or by reviewing completion status and remediation records.

Example 2: Real-time protection and download scanning cannot be casually disabled

Microsoft Defender Antivirus real-time protection, behavior monitoring, cloud-delivered protection, and downloaded-file-and-attachment scanning are enabled through Intune or Group Policy. Tamper protection is enabled, and standard users do not have administrative rights to change the settings. Policy conflicts and devices reporting inactive antivirus protection generate alerts for the security team.

This is stronger evidence than a screenshot from one endpoint because it demonstrates centrally managed enforcement. For an assessment, retain a configuration export and a representative sample of device-level status records.

Example 3: Email attachments are protected at both the mail and endpoint layers

The organization uses Microsoft Defender for Office 365 to inspect email attachments before delivery and uses Microsoft Defender Antivirus to scan attachments when they are downloaded, saved, opened, or executed on a Windows endpoint. The email security service is valuable defense in depth, but the endpoint real-time scanning setting remains necessary evidence for SI.L2-3.14.5.

An assessor should be able to see that the organization does not treat email filtering as a replacement for endpoint anti-malware scanning.

Example 4: USB and cloud-synchronized files are treated as external sources

A user copies a customer-provided file from a USB drive to a managed laptop or opens a file synchronized from SharePoint. Microsoft Defender real-time protection evaluates the file when it is accessed, and the organization has not created broad exclusions for removable media, user profile folders, download folders, or cloud-sync folders. Any necessary exclusion is documented, justified, approved, and periodically reviewed.

Large or poorly governed exclusions are a common assessment concern because they can undermine otherwise compliant real-time scanning. A statement that Defender is “enabled” is not enough if exclusions prevent relevant external files from being scanned.

What evidence should an external assessor expect for SI.L2-3.14.5?

An external assessor will usually look for evidence that connects policy, technical implementation, and operation. A concise evidence package can include the following:

  • The malware protection policy or standard defining the periodic scan frequency and assigning responsibility for monitoring failures.
  • Microsoft Intune, Group Policy, or Microsoft Defender policy evidence showing scheduled scans, real-time protection, and downloaded-file-and-attachment scanning are enabled.
  • An asset inventory or Defender for Endpoint device inventory demonstrating that in-scope systems are covered by the policy.
  • Representative endpoint evidence showing Microsoft Defender Antivirus is active and current.
  • Scheduled scan history, operational reports, or documented follow-up for devices that missed required scans.
  • Detection, quarantine, and incident records showing that the organization can identify and address malicious-code findings.
  • A documented review of Defender exclusions, especially exclusions affecting downloads, user-writable folders, removable media, or CUI repositories.

Do not rely only on an antivirus dashboard that displays a high-level “healthy” status. That status can help, but it may not show the specific scheduled frequency, download-scanning policy, exclusions, or population of in-scope devices. The assessment evidence should make each SI.L2-3.14.5 objective independently testable.

FAQ

How often should Microsoft Defender scan for CMMC?

CMMC does not prescribe one universal interval. The organization must define a reasonable periodic scan frequency, implement it, and show that scans occur at that frequency. A documented daily quick scan and weekly full scan is a common example, but the selected schedule should fit the organization’s risk and operational constraints.

Does Microsoft Defender real-time protection satisfy SI.L2-3.14.5 by itself?

No. Real-time protection addresses the external-file scanning portion of the practice, but SI.L2-3.14.5 also requires periodic scans at a defined frequency. Both real-time and scheduled scanning evidence are required.

Do email attachments count as files from external sources for CMMC?

Yes. Email attachments from outside the organization are common external-source files. Microsoft Defender Antivirus should scan them when they are downloaded, saved, opened, or executed, even if a separate email security service also scans them before delivery.

What Microsoft Defender settings prove compliant file scanning?

Evidence should show enabled real-time protection, enabled scanning of downloaded files and attachments, a defined scheduled-scan configuration, current security intelligence, appropriate exclusion management, and coverage of the CUI assessment scope.

Before the external assessment, reconcile your in-scope asset list against Defender policy assignments and retain evidence that every exception, missed scan, and exclusion has been reviewed.

 

Quick & Simple

Discover Our Cybersecurity Compliance Solutions:

Whether you need to meet and maintain your compliance requirements, help your clients meet them, or verify supplier compliance we have the expertise and solution for you

 CMMC Level 1 Compliance App

CMMC Level 1 Compliance

Become compliant, provide compliance services, or verify partner compliance with CMMC Level 1 Basic Safeguarding of Covered Contractor Information Systems requirements.
 NIST SP 800-171 & CMMC Level 2 Compliance App

NIST SP 800-171 & CMMC Level 2 Compliance

Become compliant, provide compliance services, or verify partner compliance with NIST SP 800-171 and CMMC Level 2 requirements.
 HIPAA Compliance App

HIPAA Compliance

Become compliant, provide compliance services, or verify partner compliance with HIPAA security rule requirements.
 ISO 27001 Compliance App

ISO 27001 Compliance

Become compliant, provide compliance services, or verify partner compliance with ISO 27001 requirements.
 FAR 52.204-21 Compliance App

FAR 52.204-21 Compliance

Become compliant, provide compliance services, or verify partner compliance with FAR 52.204-21 Basic Safeguarding of Covered Contractor Information Systems requirements.
 ECC Compliance App

ECC Compliance

Become compliant, provide compliance services, or verify partner compliance with Essential Cybersecurity Controls (ECC – 2 : 2024) requirements.