
How to Configure Windows and Linux Systems for On-Access Scanning of Downloads and Executables: Implementation Steps for FAR 52.204-21 / CMMC 2.0 Level 1 - Control - SI.L1-B.1.XV

Step-by-step guidance to configure Windows and Linux endpoints for on‑access scanning of downloads and executables to meet FAR 52.204‑21 and CMMC 2.0 Level 1 requirements.

April 12, 2026


This post provides practical, step‑by‑step guidance to configure Windows and Linux systems for on‑access scanning of downloads and executables so small businesses can meet the intent of FAR 52.204‑21 and CMMC 2.0 Level 1 control SI.L1‑B.1.XV: detect and block malicious code at download or execution time.

Why on‑access scanning is required (risk and compliance context)

On‑access (real‑time) scanning intercepts files as they are created, downloaded, opened, or executed, and it is a foundational technical control for preventing malware from taking hold on contractor systems. Failing to implement it increases the risk of ransomware, data theft, supply‑chain compromise, and regulatory or contractual non‑compliance, which under FAR can lead to contract penalties or loss of eligibility for future work.

Implementation steps — Windows endpoints

Core configuration (GPO / Intune / local settings)

For Windows desktops and servers, use Microsoft Defender Antivirus (built into Windows 10/11 and Server) or a supported third‑party AV/EDR with equivalent real‑time scanning. Using Group Policy or Intune, ensure real‑time protection is enabled and configure the policy "Microsoft Defender Antivirus → Scan → Scan all downloaded files and attachments" to Enabled so browser and downloaded files are scanned. Also enable cloud‑delivered protection and automatic sample submission for better detection, and ensure "Turn off real‑time protection" is set to Disabled. For managed environments, push these settings via Active Directory GPO (Computer Configuration → Administrative Templates → Windows Components → Microsoft Defender Antivirus) or Intune Device Configuration profiles.

Operational steps and validation

Deploy Defender definition updates and cloud protection via Windows Update for Business or your patch management tool. Configure event forwarding (Windows Event Logs under Applications and Services Logs → Microsoft → Windows → Windows Defender → Operational) or use Microsoft Defender for Endpoint telemetry for central logging. Validate the setup by downloading the EICAR test file from a safe internal host and confirming that it is detected and quarantined, both in the Defender UI and in the logs. Document the GPO/Intune profiles and capture screenshots or exported policy files as compliance artifacts.

Implementation steps — Linux endpoints and servers

Selecting and installing an on‑access scanner

Linux does not ship a universal built‑in antivirus, so choose an on‑access solution: a commercial AV/EDR agent with file‑scanning capability (Sophos, Trend Micro, CrowdStrike) or open‑source tooling such as ClamAV with its fanotify‑based on‑access client, clamonacc. For ClamAV on Debian/Ubuntu: apt update && apt install clamav clamav-daemon clamav-freshclam. Configure freshclam to update signatures regularly and enable clamd for scanning. For on‑access scanning, run clamonacc (fanotify) or use a vendor agent that integrates with fanotify or kernel hooks to scan files at open or creation time.

Configuration details and examples

In clamd.conf, enable binary scanning flags such as ScanPE and ScanELF so executables (PE and ELF) are checked. Start clamonacc with safe options—for example: clamonacc --fdpass --log=/var/log/clamav/clamonacc.log --move=/var/quarantine --exclude-dir=/proc --include=/home --include=/tmp. Turn this into a systemd service so it starts on boot; fanotify requires root, so run it as root but grant it nothing beyond what scanning needs. For web servers, integrate an ICAP‑ or milter‑based scan (e.g., mod_clamav, or squid + c-icap + clamd) to scan downloads at the gateway before files reach users.
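As an added example that is not part of the original post, the following POSIX shell script audits a clamd.conf for the settings that on-access scanning of executables depends on, and renders a systemd unit for clamonacc. The config path, the log and quarantine paths, and the unit's dependency on clamav-daemon.service are assumptions based on the Debian/Ubuntu packaging; the directories to watch are taken from OnAccessIncludePath in clamd.conf rather than from command-line flags.

```shell
#!/bin/sh
# Added example, not from the original post: audit the clamd.conf settings that
# on-access scanning of executables depends on, and render a systemd unit for
# clamonacc. File and directory names are assumptions (Debian/Ubuntu defaults).

# effective_value FILE KEY
# Prints the value of the last uncommented "KEY value" line in FILE, or nothing
# when the key is absent (ClamAV then applies its built-in default).
effective_value() {
    awk -v key="$2" '$1 == key { v = $2 } END { if (v != "") print v }' "$1"
}

# check_clamd_conf FILE
# Returns 0 when FILE is acceptable for on-access scanning of executables and
# 1 when a blocking problem is found. Findings are printed one per line.
check_clamd_conf() {
    conf="$1"
    rc=0
    for key in ScanPE ScanELF; do
        # ClamAV defaults both to yes; only an explicit "no" turns executable scanning off.
        if [ "$(effective_value "$conf" "$key")" = "no" ]; then
            echo "FAIL: $key is explicitly set to no in $conf"
            rc=1
        fi
    done
    if [ -z "$(effective_value "$conf" OnAccessIncludePath)" ]; then
        echo "FAIL: no OnAccessIncludePath in $conf; clamonacc would watch no directories"
        rc=1
    fi
    if [ "$(effective_value "$conf" OnAccessPrevention)" != "yes" ]; then
        echo "WARN: OnAccessPrevention is not yes; detections are logged but access is not blocked"
    fi
    return "$rc"
}

# render_clamonacc_unit LOGFILE QUARANTINEDIR
# Prints a systemd unit that keeps clamonacc running after clamd is up.
render_clamonacc_unit() {
    cat <<EOF
[Unit]
Description=ClamAV on-access scanner (clamonacc)
Requires=clamav-daemon.service
After=clamav-daemon.service

[Service]
Type=simple
# --foreground keeps the process in the unit's cgroup so systemd can supervise it;
# --fdpass hands open descriptors to clamd so the daemon needs no read access of its own.
# Watched directories come from OnAccessIncludePath in clamd.conf.
ExecStart=/usr/sbin/clamonacc --foreground --fdpass --log=$1 --move=$2
Restart=on-failure

[Install]
WantedBy=multi-user.target
EOF
}

# Demo on a constructed config (not any real deployment's file).
demo_conf=$(mktemp)
cat >"$demo_conf" <<'EOF'
# ScanELF no   <- commented out, so the built-in default (yes) still applies
ScanPE yes
ScanELF yes
OnAccessIncludePath /home
OnAccessIncludePath /tmp
OnAccessExcludePath /proc
OnAccessPrevention yes
OnAccessExcludeUname clamav
EOF
if check_clamd_conf "$demo_conf"; then
    echo "clamd.conf audit passed"
fi
rm -f "$demo_conf"
```

Run check_clamd_conf /etc/clamav/clamd.conf before enabling the unit; then render_clamonacc_unit /var/log/clamav/clamonacc.log /var/quarantine > /etc/systemd/system/clamonacc.service, systemctl daemon-reload, and systemctl enable --now clamonacc give you a supervised scanner that restarts if clamd drops the connection. The quarantine directory must exist and be writable only by root, otherwise moved files could be tampered with before triage.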

Network and gateway scanning (supplement downloads protection)

Complement endpoint on‑access scanning with network or gateway scanning: deploy a web proxy (Squid or a managed proxy) with ICAP/ClamAV or a commercial appliance that scans HTTP/HTTPS file transfers, and use an email gateway that scans attachments. This prevents malicious files from ever reaching endpoints and is especially important for BYOD and unmanaged devices. For small businesses, a low‑cost cloud email gateway with AV and a managed web filter can significantly reduce risk with modest operational overhead.

Small business real‑world scenarios

Example 1: A small engineering firm (25 users) uses Intune to push Defender settings and routes web traffic from its firewall through a cloud proxy that performs ICAP scanning; when a vendor delivered a malicious DLL inside a CAD plugin, Defender quarantined it at download time and the incident was recorded in the central logs for review. Example 2: A hosting provider runs clamonacc on its Linux web nodes to scan uploads and block PHP backdoors; flagged files are moved to a quarantine directory and a ticket is created automatically for an administrator to triage.

Compliance tips, evidence collection and best practices

Keep a configuration baseline document and retain evidence: exported GPOs, Intune configuration profiles, AV policy screenshots, signature update logs, EICAR test results, and SIEM/Windows Event or syslog archives showing detections. Maintain a change control record for any exclusions; keep exclusions minimal and justified in writing. Schedule weekly definition updates, periodic EICAR or test‑file exercises, and quarterly reviews. If exceptions are required, document compensating controls such as increased monitoring, network segmentation, or temporary sandboxing.
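As an added example, again not code from the original post, this shell script produces the kind of evidence summary described above from an on-access scan log and the signature database directory. The sample log lines are constructed in the "path: SIGNATURE FOUND" / "path: moved to '...'" style that clamdscan and clamonacc write, the signature names are constructed, and the log and database paths are assumptions; the output is what you would attach to a weekly or quarterly review record.

```shell
#!/bin/sh
# Added example, not from the original post: turn an on-access scan log and the
# signature database directory into evidence for the compliance file. Sample log
# lines are constructed; real paths (/var/log/clamav/clamonacc.log, /var/lib/clamav)
# are deployment-specific assumptions.

# count_detections LOG -> number of detection lines
count_detections() {
    awk '/ FOUND$/ { n++ } END { print n + 0 }' "$1"
}

# count_quarantined LOG -> number of files clamonacc moved to quarantine (--move)
count_quarantined() {
    awk "/: moved to '/ { n++ } END { print n + 0 }" "$1"
}

# detections_by_signature LOG -> "count signature" per line, most frequent first
detections_by_signature() {
    awk '/ FOUND$/ { c[$(NF-1)]++ } END { for (s in c) print c[s], s }' "$1" | sort -rn
}

# signatures_fresh DBDIR MAXDAYS -> 0 if a daily database file was updated within MAXDAYS
signatures_fresh() {
    [ -n "$(find "$1" -name 'daily.c[lv]d' -mtime -"$2" 2>/dev/null)" ]
}

# evidence_summary LOG DBDIR MAXDAYS -> prints a block suitable for the evidence record
evidence_summary() {
    log="$1"; dbdir="$2"; maxdays="$3"
    echo "On-access scanning evidence, generated $(date -u +%Y-%m-%dT%H:%M:%SZ)"
    echo "log file:     $log"
    echo "detections:   $(count_detections "$log")"
    echo "quarantined:  $(count_quarantined "$log")"
    if signatures_fresh "$dbdir" "$maxdays"; then
        echo "signatures:   updated within the last $maxdays days ($dbdir)"
    else
        echo "signatures:   STALE, no daily.cvd/daily.cld newer than $maxdays days in $dbdir"
    fi
    echo "by signature:"
    detections_by_signature "$log" | sed 's/^/  /'
}

# Demo on constructed data. The third detection has no "moved to" line, which is
# what a failed quarantine (e.g. an unwritable quarantine directory) looks like.
demo_log=$(mktemp)
demo_db=$(mktemp -d)
cat >"$demo_log" <<'EOF'
/home/alice/Downloads/setup.exe: Win.Test.EICAR_HDB-1 FOUND
/home/alice/Downloads/setup.exe: moved to '/var/quarantine/setup.exe'
/home/bob/tmp/helper.elf: Unix.Trojan.Generic-1 FOUND
/home/bob/tmp/helper.elf: moved to '/var/quarantine/helper.elf'
/tmp/upload/eicar.com: Win.Test.EICAR_HDB-1 FOUND
EOF
touch -t 202001010000 "$demo_db/daily.cvd"   # deliberately old, to exercise the stale branch
evidence_summary "$demo_log" "$demo_db" 7
rm -rf "$demo_log" "$demo_db"
```

A detection count that is higher than the quarantine count is itself a finding worth recording: it means files were seen but not removed, and the exclusion list or quarantine permissions need a change-control entry.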

Conclusion

On‑access scanning for downloads and executables is a practical, high‑value control to meet the intent of FAR 52.204‑21 and CMMC 2.0 Level 1 SI.L1‑B.1.XV: enable real‑time detection and prevention of malicious code. By combining endpoint real‑time protection (Defender or vendor agents), Linux on‑access tooling (clamav/clamonacc or commercial agents), gateway scanning, centralized logging, and documented evidence, a small business can implement an effective, auditable control set that significantly reduces malware risk and supports compliance requirements.
