{
  "title": "How to Configure Endpoint Security to Meet FAR 52.204-21 / CMMC 2.0 Level 1 - Control - SI.L1-B.1.XV: Real-Time Scans on Download, Open, Execute",
  "date": "2026-04-22",
  "author": "Lakeridge Technologies",
  "featured_image": "/assets/images/blog/2026/4/how-to-configure-endpoint-security-to-meet-far-52204-21-cmmc-20-level-1-control-sil1-b1xv-real-time-scans-on-download-open-execute.jpg",
  "content": {
    "full_html": "<p>This post explains how to configure endpoint security so that files are scanned in real time when downloaded, opened, or executed — a practical how-to to help small businesses meet FAR 52.204-21 basic safeguarding requirements and the CMMC 2.0 Level 1 control SI.L1-B.1.XV.</p>\n\n<h2>Understanding the requirement and key objectives</h2>\n<p>FAR 52.204-21 mandates basic safeguarding of contractor information systems; CMMC 2.0 Level 1 SI.L1-B.1.XV specifically calls for real-time scanning on download, open, and execute to prevent malicious code from reaching Controlled Unclassified Information (CUI) or other sensitive data. The key objectives are (1) detect malicious files at the earliest entry point, (2) block or quarantine malicious artifacts before execution, and (3) retain logs and evidence to demonstrate the controls are configured and operating.</p>\n\n<h2>High-level implementation approach (Compliance Framework practical steps)</h2>\n<p>Start with a baseline policy: enable on-access (real-time) scanning, cloud-assisted protection (where available), and file-type-specific scanning for downloads and archives. Use a cloud-managed endpoint product (Microsoft Defender for Business, CrowdStrike Falcon Prevent, SentinelOne, Sophos Intercept X, Bitdefender GravityZone, etc.) so policies are centrally enforced and you can export evidence. Document the baseline as a compliance policy (policy name, baseline version, date, scope) and map it to the FAR/CMMC requirement in your Compliance Framework artifact repository.</p>\n\n<h2>Platform-specific configuration details</h2>\n<p>Windows (typical small-business environment): use Microsoft Defender (or your chosen AV/EDR) and enforce these settings via Group Policy or Intune:\n- Enable Real-time protection / On-access scanning.\n- Enable \"Scan downloaded files and attachments\" (Intune policy: Endpoint security > Antivirus > Microsoft Defender > Real-time protection).\n- Enable Cloud-delivered protection and automatic sample submission for faster detection.\n- Configure archive and compressed file scanning and set a reasonable max unpack depth.\nExample PowerShell checks and commands (the first reports current status, the next two enable real-time monitoring and the IOAV download/attachment scanning hook):\nGet-MpComputerStatus | Select-Object AMRunningMode,AMServiceEnabled,RealTimeProtectionEnabled\nSet-MpPreference -DisableRealtimeMonitoring $false\nSet-MpPreference -DisableIOAVProtection $false\nFor macOS and Linux, install and enforce your vendor client (CrowdStrike/SentinelOne) and ensure on-access scanning hooks are enabled (kernel extensions or native file system observers). For Linux servers, where native on-access scanning is limited, enforce EDR policies that block execution of untrusted binaries and use inotify-based scanning where supported.</p>\n\n<h2>EDR/AV tuning, exclusions, and performance considerations</h2>\n<p>Real-time scanning can impact performance if not tuned. Identify trusted high-I/O directories to exclude (backup repositories, virtual machine images, database data files) but keep exclusions as narrow as possible (specific paths and file patterns). Avoid excluding entire user profile directories. Use SHA256 hash whitelisting for approved build artifacts, sign internal executables, and allow only signed executables to run where practical. Configure archive scanning depth (e.g., unpack archives up to 3 levels deep) and skip scanning of extremely large single files above a size threshold. Maintain definition and engine update cadence (automatic within 24 hours) and monitor missed-update alerts.</p>\n\n<h2>Testing, logging, and evidence collection for audits</h2>\n<p>Build a test plan and capture evidence: deploy the policy to a pilot group, use the EICAR test file to validate detection on download and execution, download a zipped EICAR and open it to confirm archive scanning, and test macro-enabled Office files to verify on-open scanning blocks malicious macros. Collect evidence: exported policy from the console, screenshots of endpoint settings, logs showing detection events, and SIEM queries. Example SIEM query (conceptual): search your Windows/EDR feed for \"threat detected\" or inspect the Microsoft-Windows-Windows Defender/Operational event log for detection events; for Splunk/Elastic adapt to your schema and include time range, hostname, user, file hash, and action taken. Retain these artifacts per your contract’s evidence retention requirements.</p>\n\n<h2>Real-world small-business scenario</h2>\n<p>Example: Acme Engineering (12 employees) uses Microsoft 365 and Windows 10/11 endpoints. They enable Defender for Business via Intune, set \"Scan downloaded files and attachments\" to Enabled, configure cloud-delivered protection, and block unsigned PowerShell scripts. During rollout, users reported slow file operations in their CAD folder; Acme created a scoped exclusion for the CAD temp folder (only .svgl and .tmp files) and enabled hash whitelisting for the CAD application installer. They validated protections using EICAR and a macro test file, stored policy exports and detection logs in the compliance folder, and documented the process for FAR/CMMC review.</p>\n\n<h2>Risks of not implementing the control and response planning</h2>\n<p>Failure to implement real-time scans increases the risk of ransomware, credential theft, and lateral movement because malicious files may execute before detection. Non-compliance risks include contract penalties, inability to bid on future DoD work, and reputational damage. Mitigate by integrating detection with an incident response playbook: automatic quarantine, alerting to SOC or MSP, immediate endpoint isolation for high-risk detections, and a triage checklist (collect memory image, process list, network connections, file hash) so you can produce evidence of containment and remediation.</p>\n\n<h2>Compliance tips and best practices</h2>\n<p>Keep these practical tips: (1) Use centrally managed policies and version them; (2) schedule frequent validation tests (monthly EICAR and macro tests); (3) forward endpoint detections to a SIEM and create a dashboard for \"on-access detections\" and policy drift; (4) limit exclusions and document each with a business justification and expiration date; (5) require signed code and use application control where possible; (6) train users to report blocked downloads and provide a quick support path to avoid shadow workarounds that bypass protections.</p>\n\n<p>Summary: Implementing SI.L1-B.1.XV is straightforward for small businesses when you use a centrally managed endpoint security product, enable on-access scanning for downloads/opens/executions, tune exclusions carefully, test with EICAR and macro samples, and collect policy and log evidence. Proper configuration, testing, and documentation will satisfy FAR 52.204-21 / CMMC 2.0 Level 1 expectations and significantly reduce the likelihood of malware-related incidents.</p>",
    "plain_text": "This post explains how to configure endpoint security so that files are scanned in real time when downloaded, opened, or executed — a practical how-to to help small businesses meet FAR 52.204-21 basic safeguarding requirements and the CMMC 2.0 Level 1 control SI.L1-B.1.XV.\n\nUnderstanding the requirement and key objectives\nFAR 52.204-21 mandates basic safeguarding of contractor information systems; CMMC 2.0 Level 1 SI.L1-B.1.XV specifically calls for real-time scanning on download, open, and execute to prevent malicious code from reaching Controlled Unclassified Information (CUI) or other sensitive data. The key objectives are (1) detect malicious files at the earliest entry point, (2) block or quarantine malicious artifacts before execution, and (3) retain logs and evidence to demonstrate the controls are configured and operating.\n\nHigh-level implementation approach (Compliance Framework practical steps)\nStart with a baseline policy: enable on-access (real-time) scanning, cloud-assisted protection (where available), and file-type-specific scanning for downloads and archives. Use a cloud-managed endpoint product (Microsoft Defender for Business, CrowdStrike Falcon Prevent, SentinelOne, Sophos Intercept X, Bitdefender GravityZone, etc.) so policies are centrally enforced and you can export evidence. Document the baseline as a compliance policy (policy name, baseline version, date, scope) and map it to the FAR/CMMC requirement in your Compliance Framework artifact repository.\n\nPlatform-specific configuration details\nWindows (typical small-business environment): use Microsoft Defender (or your chosen AV/EDR) and enforce these settings via Group Policy or Intune:\n- Enable Real-time protection / On-access scanning.\n- Enable \"Scan downloaded files and attachments\" (Intune policy: Endpoint security > Antivirus > Microsoft Defender > Real-time protection).\n- Enable Cloud-delivered protection and automatic sample submission for faster detection.\n- Configure archive and compressed file scanning and set a reasonable max unpack depth.\nExample PowerShell checks and commands (the first reports current status, the next two enable real-time monitoring and the IOAV download/attachment scanning hook):\nGet-MpComputerStatus | Select-Object AMRunningMode,AMServiceEnabled,RealTimeProtectionEnabled\nSet-MpPreference -DisableRealtimeMonitoring $false\nSet-MpPreference -DisableIOAVProtection $false\nFor macOS and Linux, install and enforce your vendor client (CrowdStrike/SentinelOne) and ensure on-access scanning hooks are enabled (kernel extensions or native file system observers). For Linux servers, where native on-access scanning is limited, enforce EDR policies that block execution of untrusted binaries and use inotify-based scanning where supported.\n\nEDR/AV tuning, exclusions, and performance considerations\nReal-time scanning can impact performance if not tuned. Identify trusted high-I/O directories to exclude (backup repositories, virtual machine images, database data files) but keep exclusions as narrow as possible (specific paths and file patterns). Avoid excluding entire user profile directories. Use SHA256 hash whitelisting for approved build artifacts, sign internal executables, and allow only signed executables to run where practical. Configure archive scanning depth (e.g., unpack archives up to 3 levels deep) and skip scanning of extremely large single files above a size threshold. Maintain definition and engine update cadence (automatic within 24 hours) and monitor missed-update alerts.\n\nTesting, logging, and evidence collection for audits\nBuild a test plan and capture evidence: deploy the policy to a pilot group, use the EICAR test file to validate detection on download and execution, download a zipped EICAR and open it to confirm archive scanning, and test macro-enabled Office files to verify on-open scanning blocks malicious macros. Collect evidence: exported policy from the console, screenshots of endpoint settings, logs showing detection events, and SIEM queries. Example SIEM query (conceptual): search your Windows/EDR feed for \"threat detected\" or inspect the Microsoft-Windows-Windows Defender/Operational event log for detection events; for Splunk/Elastic adapt to your schema and include time range, hostname, user, file hash, and action taken. Retain these artifacts per your contract’s evidence retention requirements.\n\nReal-world small-business scenario\nExample: Acme Engineering (12 employees) uses Microsoft 365 and Windows 10/11 endpoints. They enable Defender for Business via Intune, set \"Scan downloaded files and attachments\" to Enabled, configure cloud-delivered protection, and block unsigned PowerShell scripts. During rollout, users reported slow file operations in their CAD folder; Acme created a scoped exclusion for the CAD temp folder (only .svgl and .tmp files) and enabled hash whitelisting for the CAD application installer. They validated protections using EICAR and a macro test file, stored policy exports and detection logs in the compliance folder, and documented the process for FAR/CMMC review.\n\nRisks of not implementing the control and response planning\nFailure to implement real-time scans increases the risk of ransomware, credential theft, and lateral movement because malicious files may execute before detection. Non-compliance risks include contract penalties, inability to bid on future DoD work, and reputational damage. Mitigate by integrating detection with an incident response playbook: automatic quarantine, alerting to SOC or MSP, immediate endpoint isolation for high-risk detections, and a triage checklist (collect memory image, process list, network connections, file hash) so you can produce evidence of containment and remediation.\n\nCompliance tips and best practices\nKeep these practical tips: (1) Use centrally managed policies and version them; (2) schedule frequent validation tests (monthly EICAR and macro tests); (3) forward endpoint detections to a SIEM and create a dashboard for \"on-access detections\" and policy drift; (4) limit exclusions and document each with a business justification and expiration date; (5) require signed code and use application control where possible; (6) train users to report blocked downloads and provide a quick support path to avoid shadow workarounds that bypass protections.\n\nSummary: Implementing SI.L1-B.1.XV is straightforward for small businesses when you use a centrally managed endpoint security product, enable on-access scanning for downloads/opens/executions, tune exclusions carefully, test with EICAR and macro samples, and collect policy and log evidence. Proper configuration, testing, and documentation will satisfy FAR 52.204-21 / CMMC 2.0 Level 1 expectations and significantly reduce the likelihood of malware-related incidents."
  },
  "metadata": {
    "description": "Step-by-step guidance to configure endpoint security for real-time scanning on download, open, and execute to satisfy FAR 52.204-21 and CMMC 2.0 Level 1 requirements for small businesses.",
    "permalink": "/how-to-configure-endpoint-security-to-meet-far-52204-21-cmmc-20-level-1-control-sil1-b1xv-real-time-scans-on-download-open-execute.json",
    "categories": [],
    "tags": []
  }
}