Safeguard 10.4: Configure Automatic Anti-Malware Scanning of Removable Media
Safeguard 10.4 requires you to configure your anti-malware tooling so that removable media (for example, USB storage) is scanned automatically when inserted or accessed, and to prove that this setting is enforced across in-scope endpoints. Operationalize it by standardizing endpoint security policy, blocking or tightly controlling exceptions, and retaining recurring evidence that scanning is enabled and working. (CIS Controls v8)
Key takeaways:
- Enable automatic scanning for all removable media events, not “manual scan on demand.” (CIS Controls v8)
- Enforce the setting centrally (MDM/endpoint management), and control exceptions through tickets and approvals. (CIS Controls Navigator v8)
- Keep machine-level evidence (policy settings + endpoint status + detection logs) that an assessor can trace end to end. (CIS Controls v8)
Removable media remains a practical malware delivery path because it bypasses many network controls and lands directly on endpoints where users have workflow pressure to “just open the file.” Safeguard 10.4 focuses on a narrow but high-yield defensive move: make anti-malware scanning automatic for removable media so the control runs without relying on user judgment or help desk intervention. (CIS Controls v8)
For a CCO or GRC lead, the challenge is rarely deciding whether scanning is a good idea; it is turning the requirement into a setting that is consistently enforced across heterogeneous fleets (Windows/macOS/Linux), mixed management planes (MDM, endpoint management, VDI), and real operational constraints (field technicians, third parties, air-gapped labs, OT/medical devices). This page gives requirement-level implementation guidance you can hand to endpoint engineering, security operations, and internal audit: what “automatic scanning” should mean in practice, how to scope it, how to handle exceptions safely, and what evidence to collect so you can pass an assessment without scrambling. (CIS Controls Navigator v8)
Regulatory text
Framework requirement: “CIS Controls v8 safeguard 10.4 implementation expectation (Configure Automatic Anti-Malware Scanning of Removable Media).” (CIS Controls v8)
Operator interpretation: You must configure endpoint anti-malware so removable media is scanned automatically (triggered by insertion or access) and the configuration is enforced across in-scope systems, with evidence that the control operates as designed. (CIS Controls v8)
What an assessor is trying to confirm:
- The setting exists and is centrally managed, not left to individual users. (CIS Controls Navigator v8)
- Removable media events trigger scanning without user action. (CIS Controls v8)
- Exceptions are controlled and documented, not handled informally. (CIS Controls v8)
- You can produce repeatable evidence, not one-time screenshots. (CIS Controls Navigator v8)
Plain-English interpretation (what this requirement really demands)
“Configure automatic anti-malware scanning of removable media” means: when a USB drive (or other removable storage) is connected or used, your endpoint security stack inspects it for malware automatically, according to a defined policy. Users should not have to remember to right-click and scan, and security should not be dependent on a technician’s habits. (CIS Controls v8)
This requirement is also an evidence requirement. If you cannot show how the configuration is deployed, monitored, and kept in effect over time, you will get a finding even if “most machines probably scan USB.” The easiest way to fail Safeguard 10.4 is to implement it but not be able to prove it during an audit. (CIS Controls Navigator v8)
Who it applies to
Entity scope
- Any enterprise or technology organization using CIS Controls v8 as a security baseline or as an assessment target. (CIS Controls v8)
Operational scope (systems and scenarios)
Apply Safeguard 10.4 wherever removable media can touch data or execute code:
- Corporate endpoints (laptops/desktops) used by employees and contractors.
- Privileged/admin workstations that may receive tools via removable media.
- Kiosks and shared workstations (often forgotten in endpoint policy).
- VDI/non-persistent desktops if removable device passthrough is permitted.
- Third-party managed endpoints when they connect to your environment or handle your data; address this through third-party requirements and technical controls where feasible.
Systems that commonly require exception handling:
- OT/ICS endpoints, medical devices, lab systems, or other “safety/availability first” assets where scanning may affect performance or certification posture.
- Air-gapped environments that intentionally use removable media for transfer.
What you actually need to do (step-by-step)
Step 1: Define “removable media” and the trigger in your standard
Write a short control statement your technical teams can implement and auditors can test:
- Media types in scope: USB mass storage, external HDD/SSD, SD cards, and any removable storage exposed to the OS as a drive.
- Trigger definition: scan on insertion and/or scan on first access/open; document which your tool supports and what you enforce.
- Minimum scanning behavior: real-time protection enabled and removable media scanning enabled via central policy.
Keep the definition tight. If you broaden it to every peripheral type (phones, cameras), you may create an untestable obligation.
Step 2: Map enforcement points (where the setting lives)
Decide the authoritative control plane(s):
- Endpoint protection console policy (primary).
- MDM configuration profiles (secondary, where they can enforce OS-level antivirus settings).
- Endpoint configuration management (for registry/config baselines).
- For VDI: golden image policy plus session controls.
Your goal is one “source of truth” per platform that produces a report showing which endpoints comply. (CIS Controls v8)
Step 3: Implement platform policies with “no user choice” defaults
Work with endpoint engineering to set policies so users cannot disable scanning:
- Require anti-malware agent running and tamper protection enabled (where supported).
- Enable removable media scanning and ensure it is not “user configurable.”
- Configure actions on detection (quarantine/block) consistent with your incident response process.
If business insists on allowing removable media, pair this safeguard with device control rules (allow-list corporate encrypted USB only) so scanning is not your only line of defense.
Step 4: Handle exceptions as a controlled risk decision
Create an exception process with security sign-off:
- Document the business justification (e.g., vendor tool requires removable media, system cannot run agent).
- Define compensating controls (e.g., dedicated transfer workstation that scans media before it enters restricted zones).
- Time-box exceptions and require periodic re-approval.
- Track exceptions in a register that internal audit can sample.
A common operational compromise is a “scanning station” model: removable media must be scanned on a hardened workstation before files are moved to sensitive systems. Document the workflow and keep logs.
Step 5: Validate operation with testing that looks like real use
Do not rely on policy settings alone. Perform a practical validation:
- Insert known-good test media and confirm the scan triggers (or that access triggers scanning) and produces logs.
- Confirm endpoints without the agent are detected by your management console (coverage reporting).
- Confirm alerts/tickets route correctly to SOC/IT.
Record a short test procedure and retain results as evidence.
Step 6: Put recurring evidence capture on a calendar
Safeguard 10.4 is easy to implement once and forget. Make it durable:
- Schedule recurring exports from the endpoint protection console showing removable media scanning enabled and policy applied.
- Schedule periodic sampling of endpoints for local verification (where allowed) and log presence.
- Review exception register for expired approvals.
This aligns with the CIS expectation to map the safeguard to documented operation and recurring evidence capture. (CIS Controls v8)
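Steps 3, 5 and 6 all come down to the same question on a given machine: is removable media scanning on, is it enforced by policy rather than local preference, and did a scan actually run? The script below is an added example, not part of the original page, written for Microsoft Defender Antivirus on Windows (the page itself is vendor-neutral). It assumes the Defender PowerShell module is present and the session is elevated; the output path and the 24-hour lookback window are arbitrary choices for this example. It reads the effective preferences with `Get-MpPreference` and `Get-MpComputerStatus`, checks whether the "Scan removable drives" policy value exists under the Windows Defender policy key (its presence shows central enforcement), counts scan and detection events from the Defender operational log, and writes a dated JSON record for the evidence packet.

```powershell
# Added example (not from the page): per-endpoint evidence capture for Microsoft Defender Antivirus.
# Assumptions: Windows 10/11 or Windows Server with the Defender module; run elevated.
# Run a removable-media insertion test inside the lookback window so the scan events correlate with it.

function Get-RemovableMediaScanEvidence {
    [CmdletBinding()]
    param(
        [int]$LookbackHours = 24   # arbitrary window for this example
    )

    # Effective preferences as the engine sees them (policy and local settings merged).
    $pref   = Get-MpPreference
    $status = Get-MpComputerStatus

    # Group Policy / MDM value behind "Scan removable drives". If the key is absent the setting is
    # not centrally enforced on this machine, which is a Step 2/3 finding even if scanning is on.
    $policyPath  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Scan'
    $policyValue = $null
    if (Test-Path $policyPath) {
        $policyValue = (Get-ItemProperty -Path $policyPath -ErrorAction SilentlyContinue).DisableRemovableDriveScanning
    }

    # Defender operational log: 1000/1001 = scan started/finished, 1116/1117 = detection / action taken.
    $since  = (Get-Date).AddHours(-$LookbackHours)
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1000, 1001, 1116, 1117
        StartTime = $since
    } -ErrorAction SilentlyContinue

    $removableScanOn = -not $pref.DisableRemovableDriveScanning

    [pscustomobject]@{
        Hostname                  = $env:COMPUTERNAME
        CollectedUtc              = (Get-Date).ToUniversalTime().ToString('o')
        RealTimeProtectionEnabled = $status.RealTimeProtectionEnabled
        TamperProtected           = $status.IsTamperProtected
        RemovableDriveScanEnabled = $removableScanOn
        CentrallyEnforced         = ($null -ne $policyValue)
        PolicyDisableRemovableDriveScanning = $policyValue
        ScanEventsInWindow        = @($events | Where-Object { $_.Id -in 1000, 1001 }).Count
        DetectionEventsInWindow   = @($events | Where-Object { $_.Id -in 1116, 1117 }).Count
        # Compliant only when scanning is on AND real-time protection is on AND policy enforces it.
        Compliant                 = ($status.RealTimeProtectionEnabled -and $removableScanOn -and ($null -ne $policyValue))
    }
}

# Usage: write a dated JSON record (hypothetical path under %TEMP%) and show it on screen.
$evidence = Get-RemovableMediaScanEvidence -LookbackHours 24
$outFile  = Join-Path $env:TEMP ('removable-scan-evidence-{0}-{1:yyyyMMdd}.json' -f $env:COMPUTERNAME, (Get-Date))
$evidence | ConvertTo-Json -Depth 3 | Set-Content -Path $outFile -Encoding UTF8
$evidence | Format-List
```

The `CentrallyEnforced` field is the one assessors tend to probe: a machine can report scanning enabled because a technician set it locally, and this check separates that from a policy-driven setting. Scheduling this script (or the equivalent for your vendor's console) and archiving the JSON files gives you the recurring, per-endpoint evidence Step 6 asks for.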
Required evidence and artifacts to retain
Keep artifacts that let an assessor trace: policy → deployment → endpoint compliance → operational logs.
Policy and standards
- Endpoint security standard stating removable media scanning is automatic, with scope and trigger definition. (CIS Controls v8)
- Exception management procedure and approval criteria.
Configuration evidence
- Screenshots/PDF exports of endpoint protection policy showing removable media scanning enabled.
- MDM/configuration baseline artifacts that enforce the setting (profiles, scripts, configuration items).
- Change records for policy rollout (ticket IDs, CAB approvals where applicable).
Operational evidence
- Compliance reports from the endpoint security console listing endpoints and applied policy.
- Example endpoint telemetry/logs showing removable media scan events and results.
- Incident records tied to removable media detections (if any), showing handling.
Governance evidence
- Exception register with approvals and compensating controls.
- Recurring control check evidence (scheduled report exports, review sign-offs). (CIS Controls Navigator v8)
Common exam/audit questions and hangups
| What auditors ask | What they mean | What to show |
|---|---|---|
| “Is scanning automatic or user-initiated?” | They’re checking it’s not optional | Policy config + test logs showing auto trigger (CIS Controls v8) |
| “How do you know every endpoint has it?” | Coverage and enforcement | Console compliance report + device inventory reconciliation |
| “What about developers/admins who use USB?” | High-risk population | Separate stricter policy group; exception controls |
| “How do you handle unmanaged/third-party devices?” | Control boundary | Technical blocks, NAC/conditional access, third-party requirements |
| “What’s your exception process?” | Governance maturity | Exception register + approvals + compensating controls |
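The "how do you know every endpoint has it?" row is answered by reconciling three sources: the device inventory, the console compliance export, and the exception register. The script below is an added example, not part of the original page or of any vendor's tooling. The column names and the five sample rows are constructed for this example; map them to your console's real export format. It classifies each inventoried device as compliant, non-compliant, or missing from the console, then overlays the exception register so that every gap is either covered by an active exception or flagged as needing action (including the "temporary exception that never expired" case from the mistakes list).

```powershell
# Added example (not from the page): coverage reconciliation for Safeguard 10.4 evidence.
# All CSV content below is constructed sample data.

$inventoryCsv = @'
Hostname,Owner,Platform
WS-001,alice,Windows
WS-002,bob,Windows
LAB-07,lab-team,Windows
KIOSK-03,facilities,Windows
OT-PLC-HMI,plant-ops,Windows
'@

$consoleCsv = @'
Hostname,PolicyName,RemovableMediaScan,LastSeen
WS-001,Std-Endpoint,Enabled,2024-06-01
WS-002,Std-Endpoint,Disabled,2024-06-01
LAB-07,Lab-Restricted,Disabled,2024-05-28
'@

$exceptionsCsv = @'
Hostname,Justification,CompensatingControl,ApprovedBy,ExpiresOn
LAB-07,Vendor tool requires USB,Scanning station before transfer,ciso,2025-01-31
OT-PLC-HMI,HMI cannot run agent,Scanning station plus device control,ciso,2024-03-31
'@

function Get-RemovableScanCoverageFindings {
    param(
        [Parameter(Mandatory)][object[]]$Inventory,
        [Parameter(Mandatory)][object[]]$ConsoleReport,
        [Parameter(Mandatory)][object[]]$Exceptions,
        [datetime]$AsOf = (Get-Date)
    )
    $consoleByHost = @{}
    foreach ($row in $ConsoleReport) { $consoleByHost[$row.Hostname] = $row }
    $exceptionByHost = @{}
    foreach ($row in $Exceptions) { $exceptionByHost[$row.Hostname] = $row }

    foreach ($device in $Inventory) {
        $name      = $device.Hostname
        $console   = $consoleByHost[$name]
        $exception = $exceptionByHost[$name]

        # Technical state first: not reporting at all is a coverage gap, not just a setting issue.
        if (-not $console) {
            $state = 'MissingFromConsole'
        } elseif ($console.RemovableMediaScan -eq 'Enabled') {
            $state = 'Compliant'
        } else {
            $state = 'NonCompliant'
        }

        # Governance overlay: a gap is acceptable only while an approved, unexpired exception covers it.
        $status = $state
        if ($state -ne 'Compliant') {
            if (-not $exception) {
                $status = "$state-NoException"
            } else {
                $expires = [datetime]::ParseExact($exception.ExpiresOn, 'yyyy-MM-dd', [cultureinfo]::InvariantCulture)
                $status  = if ($expires -lt $AsOf) { "$state-ExceptionExpired" } else { "$state-ExceptionActive" }
            }
        }

        [pscustomobject]@{
            Hostname            = $name
            Owner               = $device.Owner
            Status              = $status
            Policy              = if ($console)   { $console.PolicyName } else { $null }
            CompensatingControl = if ($exception) { $exception.CompensatingControl } else { $null }
            ExceptionExpires    = if ($exception) { $exception.ExpiresOn } else { $null }
        }
    }
}

# Usage: the review date is fixed here so the sample output is deterministic.
$findings = Get-RemovableScanCoverageFindings `
    -Inventory     (ConvertFrom-Csv $inventoryCsv) `
    -ConsoleReport (ConvertFrom-Csv $consoleCsv) `
    -Exceptions    (ConvertFrom-Csv $exceptionsCsv) `
    -AsOf          ([datetime]'2024-06-03')

$findings | Format-Table -AutoSize

# Items that must be resolved (or formally accepted) before the evidence packet is signed off.
$findings | Where-Object { $_.Status -match 'NoException|ExceptionExpired' } |
    Format-Table Hostname, Owner, Status -AutoSize
```

With the constructed data, WS-001 comes out Compliant, LAB-07 NonCompliant-ExceptionActive, WS-002 NonCompliant-NoException, KIOSK-03 MissingFromConsole-NoException (the forgotten shared workstation), and OT-PLC-HMI MissingFromConsole-ExceptionExpired. The last three are exactly what an assessor samples for, so keeping this output alongside the console export turns a raw report into a traceable coverage statement.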
Frequent implementation mistakes (and how to avoid them)
- Relying on “real-time protection” alone without confirming removable media behavior. Fix: explicitly enable removable media scanning (or the closest supported setting) and validate with an insertion/access test.
- Local endpoint configuration with no central enforcement. Fix: enforce through endpoint security policy or MDM, and keep compliance reporting. (CIS Controls v8)
- Allowing “temporary” exceptions that never expire. Fix: require re-approval and track owners; escalate overdue exceptions to risk acceptance.
- No evidence trail beyond a screenshot. Fix: keep recurring exports, a dated test record, and a sample of endpoint logs. (CIS Controls Navigator v8)
- Ignoring non-standard fleets (kiosks, VDI, labs). Fix: document scope decisions and compensating controls for restricted systems.
Enforcement context and risk implications
No public enforcement cases were provided in the source catalog for this safeguard. The risk is still concrete: removable media can introduce malware directly to endpoints, including privileged workstations and isolated networks. From a governance perspective, the most common assessment failure mode is “implemented but not provable,” which creates audit findings and forces costly after-the-fact evidence collection. (CIS Controls v8)
Practical execution plan (30/60/90)
A staged plan helps you move fast without creating uncontrolled exceptions. Use these phases as an execution checklist; adapt the sequencing to your change windows and endpoint tooling.
First 30 days (Immediate)
- Confirm endpoint security tool capabilities per OS and define what “automatic” means in your environment (insertion vs access).
- Draft/update the endpoint standard for removable media scanning and the exception workflow. (CIS Controls v8)
- Identify in-scope endpoint groups and outliers (kiosks, labs, OT, VDI).
- Build the reporting view you will use as evidence (compliance/export format). (CIS Controls Navigator v8)
Days 31–60 (Near-term)
- Deploy policy to a pilot ring, then expand to general population.
- Implement tamper protection and restrict user ability to disable protections where supported.
- Stand up the exception register and require approvals for any endpoints that cannot comply.
- Run an operational test and retain test records plus sample logs.
Days 61–90 (Operationalize)
- Expand coverage to remaining edge cases (VDI images, shared devices, specialized fleets) or document compensating controls.
- Automate recurring evidence collection (scheduled exports + review sign-off).
- Add control checks to endpoint health monitoring and internal audit sampling.
- If you use Daydream for GRC operations, map Safeguard 10.4 to your documented control, attach recurring evidence, and track exceptions in one place to avoid audit-time scrambling. (CIS Controls v8)
Frequently Asked Questions
Does “automatic scanning” mean scan on USB insertion or scan on file access?
CIS Safeguard 10.4 expects that scanning occurs automatically without user initiation. Enforce the strongest trigger your endpoint tool supports, then document the trigger definition and validate it with a test record. (CIS Controls v8)
What if certain endpoints cannot run anti-malware (OT, medical, lab systems)?
Treat them as formal exceptions with compensating controls, such as controlled transfer workstations that scan media before it reaches restricted assets. Keep the exception approval and the compensating-control evidence together for assessment. (CIS Controls v8)
Is a one-time screenshot of policy settings enough evidence?
Usually not. Keep recurring compliance exports from the endpoint security console plus sample endpoint logs showing scans occur in practice. (CIS Controls Navigator v8)
How do we handle third-party personnel who bring removable media onsite?
Set a rule that only organization-approved media can connect to corporate endpoints, and route any required transfers through a scanning station. Add the requirement to third-party access procedures and onboarding. (CIS Controls v8)
Should we just block all USB storage instead of scanning it?
Blocking reduces exposure, but Safeguard 10.4 specifically calls for automatic scanning when removable media is used. If business allows USB, implement scanning plus device control and encryption requirements for approved media. (CIS Controls v8)
What’s the fastest way to get audit-ready for 10.4?
Centralize enforcement, run a short validation test, and set up a recurring evidence packet (policy export, compliance report, sample logs, exception register). Daydream can store the mapped control and recurring evidence so you can answer audits with a single evidence set. (CIS Controls Navigator v8)