SOC2-CC6-ENDPOINT

Endpoint Protection (EDR/Antivirus)

Type: preventive · Effectiveness: medium · Review cadence: Weekly

What this control does

Requires endpoint detection and response (EDR) or antivirus software on all corporate laptops and workstations used to access production systems or customer data.

Implementation guidance

Deploy an EDR solution (CrowdStrike, SentinelOne, Microsoft Defender) on all corporate devices via MDM. Set policy to alert on malware detection within 1 hour. Review unprotected device alerts weekly. For BYOD, require a managed profile via MDM as a minimum.

Requirements satisfied

CC6.8

Why it matters

Unmanaged or unprotected endpoints are the primary attack vector for malware, ransomware, and data exfiltration—especially devices accessing production systems or customer data. Without EDR/antivirus, a compromised device can move laterally across your infrastructure and bypass perimeter defenses. A missing or disabled protection agent leaves your organization exposed to the most common breach scenarios auditors and regulators investigate.

Evidence to collect

  • MDM inventory report showing all corporate devices with EDR/antivirus agent version and last check-in timestamp
  • Alert rule configuration from EDR console showing malware detection alert threshold and routing to SIEM or ticketing system
  • Weekly endpoint compliance report listing non-compliant, unprotected, or overdue devices (last 4 weeks)
  • Quarantine/detection log from EDR showing sample malware alerts with response actions taken in past 30 days

Testing procedure

Request the MDM endpoint inventory filtered for devices accessing production or customer data; verify 100% have an active EDR/antivirus agent deployed. Check EDR console alert settings to confirm malware detections trigger notifications within 1 hour. Sample recent malware detection events and verify each was logged with containment action (quarantine, block, alert to SOC). Interview the compliance lead on their weekly unprotected device review process and inspect the last 4 weekly reports for completeness.

Common gotchas

Organizations often exclude developer or QA laptops from EDR policy believing they don't touch production, then fail to track which devices actually *do* access customer data—leading to coverage gaps. Another common mistake is deploying EDR but disabling real-time scanning to reduce CPU impact, leaving the agent installed but ineffective; always verify real-time scanning is enabled via group policy or MDM configuration, not just agent presence.
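The testing procedure above (verify 100% of in-scope devices have an active agent) and the gotcha about agents that are installed but ineffective can both be checked mechanically against an MDM inventory export. The script below is an added example, not part of this control page or any EDR vendor's tooling; the CSV column names, the sample rows and the 7-day check-in threshold are all constructed assumptions and should be mapped to your own MDM export. It keeps only devices that access production or customer data, then flags each one that has no agent, has real-time scanning disabled, or has not checked in recently (an installed agent that never reports is treated as unprotected).

```python
"""Weekly endpoint-coverage check over an MDM inventory export.

Reads a CSV export (column names are assumptions; adapt to your MDM),
keeps the devices that access production or customer data, and reports
every one that fails the control: no EDR agent, real-time scanning off,
or an agent that has not checked in recently (installed but not working).
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample export; the column layout is an assumption, not any vendor's format.
SAMPLE_INVENTORY_CSV = """\
device_id,owner,role,accesses_prod_or_customer_data,edr_agent_installed,edr_agent_version,realtime_scanning,last_checkin_utc
LT-0001,alice,engineer,yes,yes,7.12.0,enabled,2024-05-06T09:14:00Z
LT-0002,bob,qa,yes,no,,,2024-05-06T08:02:00Z
LT-0003,carol,engineer,yes,yes,7.12.0,disabled,2024-05-05T17:40:00Z
LT-0004,dave,sales,no,yes,7.11.2,enabled,2024-05-01T12:00:00Z
LT-0005,erin,support,yes,yes,7.10.4,enabled,2024-04-20T06:30:00Z
LT-0006,frank,engineer,yes,yes,7.12.0,enabled,2024-05-06T10:00:00Z
"""

# Constructed "now" so the sample report is reproducible.
SAMPLE_NOW = datetime(2024, 5, 6, 12, 0, tzinfo=timezone.utc)

# Assumed threshold: an agent silent for longer than the weekly review cycle is not protecting anything.
MAX_CHECKIN_AGE = timedelta(days=7)


def parse_inventory(text):
    """Parse the CSV export into a list of dicts, one per device."""
    return list(csv.DictReader(io.StringIO(text)))


def parse_checkin(value):
    """Parse an ISO-8601 UTC timestamp; an empty field means the agent never reported."""
    if not value:
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def device_findings(row, now):
    """Return the list of control failures for one in-scope device (empty if compliant)."""
    findings = []
    if row["edr_agent_installed"].strip().lower() != "yes":
        findings.append("MISSING_AGENT")
        return findings  # the remaining checks are meaningless without an agent
    # Agent presence is not enough: real-time scanning must actually be on.
    if row["realtime_scanning"].strip().lower() != "enabled":
        findings.append("REALTIME_SCANNING_DISABLED")
    checkin = parse_checkin(row["last_checkin_utc"].strip())
    if checkin is None or now - checkin > MAX_CHECKIN_AGE:
        findings.append("STALE_CHECKIN")
    return findings


def evaluate_inventory(rows, now):
    """Evaluate only devices that access production or customer data.

    Returns (coverage_percent, {device_id: [findings...]}); the dict holds
    only non-compliant devices, so an empty dict means 100% coverage.
    """
    in_scope = [r for r in rows if r["accesses_prod_or_customer_data"].strip().lower() == "yes"]
    noncompliant = {}
    for row in in_scope:
        findings = device_findings(row, now)
        if findings:
            noncompliant[row["device_id"]] = findings
    compliant = len(in_scope) - len(noncompliant)
    coverage = 100.0 * compliant / len(in_scope) if in_scope else 100.0
    return coverage, noncompliant


def weekly_report(text, now):
    """Render the coverage figure and per-device findings as the weekly evidence report."""
    coverage, noncompliant = evaluate_inventory(parse_inventory(text), now)
    lines = [f"In-scope EDR coverage: {coverage:.1f}% (target: 100%)"]
    for device_id, findings in sorted(noncompliant.items()):
        lines.append(f"  {device_id}: {', '.join(findings)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(weekly_report(SAMPLE_INVENTORY_CSV, SAMPLE_NOW))
```

On the constructed sample the report shows 40% coverage: one device with no agent, one with real-time scanning disabled, and one whose agent last checked in over two weeks ago, while the out-of-scope sales laptop is ignored. Run it against each week's export and retain the output alongside the MDM inventory as the weekly compliance evidence listed above.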