This post explains how to configure endpoint antivirus (AV) and endpoint detection and response (EDR) products to perform real-time scans of files when they are downloaded, opened, or executed — a specific implementation to meet FAR 52.204-21 and CMMC 2.0 Level 1 control SI.L1-B.1.XV for small and medium organizations.
What the control requires and why it matters
At Level 1, SI.L1-B.1.XV requires that endpoints be protected by controls that detect and prevent malicious content as files enter or run on systems. Practically this means enabling on-access (real-time) scanning and behavioral monitoring in your AV/EDR so that files coming from the web, email, removable media, or other sources are scanned when downloaded, opened, or executed. This reduces the risk of malware execution, data exfiltration, and compromise of controlled unclassified information (CUI) or contract data.
Practical implementation steps (high-level)
Follow these steps as a practical checklist when configuring AV/EDR for compliance:
1) Policy design and mapping
Create a written configuration baseline that maps product settings to SI.L1-B.1.XV. Define: enable on-access scanning, scan on open and execute, scan archives and compressed files, enable cloud-assisted/heuristic detection, and enable behavioral EDR sensors. Document expected values and acceptable exceptions (justified in a signed exemption request).
2) Configure the endpoint product
Using your AV/EDR management console, enable the following features for all managed endpoints:
- On-access/real-time scanning (sometimes called "OnExecute", "OnOpen" or "File system scanning").
- Scanning of downloaded files and browser-download interception (if available).
- Scanning of archives and nested containers (zip, rar, iso), and optionally heuristics/behavior analysis for scripts and macros.
- Cloud-delivered protection and sample submission (to improve detection).
- Behavioral EDR sensors (process creation, injection, and script activity monitoring).
Examples: in Microsoft Defender, ensure that Real-time Protection is enabled and that you are capturing Microsoft-Windows-Windows Defender/Operational events; in other vendors (CrowdStrike, SentinelOne, Sophos), enable "On-access scanning" policies in the central console and ensure they are applied to all endpoint groups.
3) Harden exceptions and exclusions
Keep exclusions narrow and documented. Avoid blanket folder or extension exclusions. If you must exclude a directory (for performance or compatibility), document the affected hostname(s), the process owners, the risk, and the compensating controls, and where possible implement hash-based allowlisting for binaries instead of path-based exclusions. Use code-signing checks: allow only signed executables in critical locations when feasible.
4) Logging, telemetry, and evidence collection
Turn on detailed logging for on-access events and integrate endpoint telemetry into your SIEM. Collect:
- EDR/AV event logs showing OnAccessScan/OnOpen/OnExecute events.
- ProcessCreate and FileCreate events (via Sysmon or native OS logs).
- Policy export screenshots from your EDR console proving the real-time scan feature is enabled.
For Windows, verify with tools like Get-MpComputerStatus (or equivalent vendor reporting) and collect logs from Microsoft-Windows-Windows Defender/Operational or vendor-specific channels.
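The following PowerShell script is an added example, not part of the original post, that turns steps 2 to 4 into a repeatable per-endpoint check for Microsoft Defender: it compares Get-MpComputerStatus / Get-MpPreference against the baseline, lists every configured exclusion for review, and counts recent detection events from the Defender Operational channel for the audit pack. It assumes the built-in Defender module is present and that it runs in an elevated shell; the output path and the 90-day window are assumptions.

```powershell
# Added example, not from the original post: audit one Windows endpoint's
# Defender settings against the baseline in steps 2-4. Assumes the built-in
# Defender module (Get-MpComputerStatus / Get-MpPreference) and an admin shell.
$status = Get-MpComputerStatus
$pref   = Get-MpPreference

# Step 2 baseline: each entry must evaluate to $true to be compliant.
$checks = [ordered]@{
    'Real-time protection'     = $status.RealTimeProtectionEnabled
    'On-access protection'     = $status.OnAccessProtectionEnabled
    'Behavior monitoring'      = $status.BehaviorMonitorEnabled
    'Download (IOAV) scanning' = $status.IoavProtectionEnabled
    'Archive scanning'         = -not $pref.DisableArchiveScanning
    'Cloud-delivered (MAPS)'   = $pref.MAPSReporting -ne 0           # 0 = off
    'Sample submission'        = $pref.SubmitSamplesConsent -in 1, 3 # 1 safe, 3 all
}
$findings = foreach ($name in $checks.Keys) {
    [pscustomobject]@{ Check = $name; Compliant = [bool]$checks[$name] }
}

# Step 3: every exclusion needs a documented exception; broad folder or
# extension entries should give way to hash- or signature-based allowlisting.
$exclusions = @()
foreach ($p in $pref.ExclusionPath)      { $exclusions += "Path: $p" }
foreach ($e in $pref.ExclusionExtension) { $exclusions += "Extension: $e" }
foreach ($x in $pref.ExclusionProcess)   { $exclusions += "Process: $x" }

# Step 4: evidence for the audit pack. Event 1116 = malware detected,
# 1117 = action taken, read from the Defender Operational channel (90 days).
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1116, 1117
    StartTime = (Get-Date).AddDays(-90)
} -ErrorAction SilentlyContinue

$report = [pscustomobject]@{
    Host             = $env:COMPUTERNAME
    SignatureAgeDays = $status.AntivirusSignatureAge
    Findings         = $findings
    NonCompliant     = @($findings | Where-Object { -not $_.Compliant } |
                         Select-Object -ExpandProperty Check)
    Exclusions       = $exclusions
    DetectionEvents  = @($events).Count
}

# JSON copy for the SIEM / audit pack (assumed path), table for the operator.
$report | ConvertTo-Json -Depth 3 |
    Set-Content -Path "$env:TEMP\defender-audit-$env:COMPUTERNAME.json"
$report.Findings | Format-Table -AutoSize
```

Run it from the same sample of endpoints you would screenshot, and treat any entry under NonCompliant or any unexpected line under Exclusions as a finding to reconcile against the written baseline and exception log.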
Real-world examples and scenarios for a small business
Example 1 — 25-person engineering firm: deploy Microsoft Defender configured via Group Policy / Intune. Steps: enable real-time protection, configure cloud-delivered protection and sample submission, enable archive scanning, push configuration via Intune device configuration profile, and verify with Get-MpComputerStatus across a sample of endpoints. Collect screenshots of Intune policy assignments and Defender event logs for the audit pack.
Example 2 — Small MSP-managed environment using CrowdStrike: create a single "Prevent" policy with On-Access scanning and script control enabled. Use the console to exclude only a signed installer used by a legacy application and record the exclusion request and approval. Schedule a quarterly scan and validate that the EDR is observing FileWrite/FileOpen events for downloaded installers.
Testing, detection tuning, and handling false positives
Test with benign test files (EICAR) in controlled scenarios to confirm OnDownload/Open/Execute triggers detections. Conduct table-top exercises to validate alert triage and remediation: quarantine, rollback (if supported), or manual removal. Tune heuristics carefully — high sensitivity increases false positives; low sensitivity increases risk. Maintain a documented suppression workflow where analysts can submit false-positive artifacts and a process to update allowlists only after safe verification.
Risk of not implementing the requirement
If real-time scanning and behavioral EDR are not properly enabled, incoming malicious files can execute before detection, leading to ransomware, credential theft, lateral movement, and loss of CUI — all of which can result in contract noncompliance, regulatory penalties, and reputational damage. For FAR 52.204-21 and CMMC Level 1, missing demonstrable controls during an assessment can result in corrective actions or loss of contract eligibility.
Compliance tips and best practices
- Keep AV/EDR signatures and engines up to date via automated update policies.
- Centralize policy management and enforce it via the MDM/EPP console so endpoints cannot disable protection.
- Collect and retain 90 days of event data (or longer if required by your contracting requirements) to support audits.
- Document every exception and the compensating controls used.
- Combine endpoint scans with gateway protections (email and web filters) to reduce exposure before files reach endpoints.
In summary, meeting FAR 52.204-21 / CMMC 2.0 Level 1 SI.L1-B.1.XV is achieved by enabling and documenting on-access scanning and EDR behavioral monitoring for downloaded, opened, and executed files, applying those settings consistently across your estate, logging relevant events, and maintaining a documented exception and validation process; doing so materially reduces your risk of malware execution and produces the artifacts auditors expect to see.