GRCWatch
Sign inStart free trial

CIS Control 10.4: Configure Automatic Anti-Malware Scanning of Removable Media

Removable media like USB drives and external hard drives are common infection vectors that bypass perimeter defenses. CIS Control 10.4 requires you to automatically scan all removable media for malware when connected to your systems. This control prevents malware from infiltrating your network through portable devices that employees routinely use.

What this means

This control mandates deploying anti-malware software configured to automatically and immediately scan any removable media upon connection to company devices. The scanning must occur before users can access the media's contents, ensuring no malicious code executes. This applies across all endpoints including desktops, laptops, and servers that accept removable media.

How to comply

  1. 1.Select enterprise-grade anti-malware software that supports automatic removable media scanning
  2. 2.Configure the software to scan all removable media upon insertion with real-time protection enabled
  3. 3.Set scanning policies to block access until the scan completes and returns clean results
  4. 4.Enable quarantine features to isolate suspicious files automatically
  5. 5.Deploy the configuration across all endpoints via mobile device management or group policy
  6. 6.Test scanning functionality monthly to confirm media is being scanned on connection
  7. 7.Maintain updated malware definitions by configuring automatic signature updates
  8. 8.Document scanning policies and audit logs as evidence of compliance

Evidence auditors look for

  • Anti-malware software configuration screenshots showing removable media scanning enabled
  • Group Policy or MDM policy documents specifying automatic media scanning requirements
  • Scan logs showing successful scans of connected USB drives and external storage devices
  • Testing documentation confirming malware detection on test media
  • User acknowledgment records confirming training on removable media policies
  • Audit reports showing 100% of endpoints have scanning configured and active

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates removable media scanning policy deployment and tracks scan logs across your entire endpoint fleet, eliminating manual configuration and generating CIS 10.4 compliance evidence automatically.

See how GRCWatch handles this control automatically

Start free trial

Related controls

CIS Control 10.1 — Deploy and manage endpoint protection softwareCIS Control 10.3 — Deploy and manage endpoint detection and response softwareCIS Control 10.5 — Enable PowerShell logging and collect audit logsCIS Control 13.7 — Monitor removable media usage