Anti-Malware Protection for Canadian Businesses — Baseline Control BC.3
What Anti-Malware Protection Means
Anti-malware protection refers to the use of software tools designed to prevent, detect, and remove malicious software (malware) from your organization's devices and networks. Malware encompasses viruses, ransomware, spyware, trojans, worms, and other hostile programs. The Canadian Centre for Cyber Security (CCCS) designates anti-malware as BC.3 in its 13 Baseline Cyber Security Controls for Small and Medium Organizations (ITSM.10.089), recognizing it as one of the essential technical defenses every organization should have in place.
This page summarizes what the CCCS recommends for anti-malware protection. It is educational content based on publicly available government guidance and is not professional cybersecurity advice. For your specific situation, consult a qualified professional.
What the Canadian Centre for Cyber Security Recommends
The CCCS Baseline Controls (ITSM.10.089) recommend that organizations install and maintain anti-malware software on all devices, keep definitions up to date, and configure regular scanning. The guidance covers several key areas:
Endpoint Protection on All Devices
The CCCS recommends installing anti-malware software on every endpoint in your organization — this includes desktops, laptops, servers, and mobile devices. The protection should be active (running continuously in real-time) rather than relying solely on manual or scheduled scans. Real-time protection monitors files as they are opened, downloaded, or executed, catching threats before they can cause damage.
Key requirements include:
- Anti-malware software installed on all workstations and servers
- Real-time (on-access) scanning enabled
- Scheduled full-system scans configured to run regularly
- Protection active on all operating systems in use (Windows, macOS, Linux)
Automatic Signature and Software Updates
Anti-malware software is only as effective as its most recent definitions. New malware variants emerge daily, and anti-malware vendors release updated signatures to detect them. The CCCS recommends configuring anti-malware software to update its signature database automatically, ideally multiple times per day. The anti-malware application itself should also be kept up to date to ensure you have the latest detection capabilities and engine improvements.
Email Filtering and Protection
Email remains one of the most common delivery mechanisms for malware. The CCCS guidance recommends implementing email security measures to filter malicious attachments and links before they reach end users. This includes:
- Attachment scanning — Automatically scanning email attachments for known malware before delivery to the recipient.
- Link scanning — Checking URLs in emails against known malicious domains.
- Blocking high-risk attachment types — Preventing delivery of executable files (.exe, .bat, .scr, .js) and other file types commonly used to distribute malware.
- Spam filtering — Reducing the volume of unsolicited email, which is frequently used to distribute malware and phishing attempts.
Most major email platforms (Microsoft 365, Google Workspace) include built-in email filtering capabilities that address these recommendations.
Browser Protection
Web browsers are another common attack vector. The CCCS recommends keeping browsers up to date (aligned with patch management practices under BC.2) and using browser-based security features such as:
- Safe browsing or SmartScreen features that warn users about known malicious websites
- Blocking or restricting browser plugins and extensions to only those that are necessary and trusted
- Configuring browsers to block automatic downloads and pop-ups
Why This Matters for Canadian Businesses
Malware is one of the most prevalent threats facing Canadian organizations. The CCCS regularly reports on malware campaigns targeting Canadian businesses, including ransomware operations that encrypt business data and demand payment, and information-stealing malware that harvests credentials and financial data.
For Canadian SMBs, malware infections can result in:
- Ransomware attacks — Malware that encrypts your files and demands payment for the decryption key. Without proper backups (BC.7), organizations may face a choice between paying a ransom or losing their data permanently.
- Data theft — Malware can exfiltrate sensitive business data, customer information, and employee records, potentially triggering breach notification obligations under PIPEDA.
- Financial fraud — Banking trojans and credential-stealing malware can lead to unauthorized financial transactions.
- Operational disruption — Malware infections often require affected systems to be taken offline, rebuilt, or restored from backups, causing significant downtime.
- Reputational harm — Customers and partners lose confidence when an organization suffers a malware-related incident, particularly if it involves the exposure of personal information.
Anti-malware protection works best as part of a layered defense strategy. Combined with timely patching (BC.2), secure configuration (BC.4), and security awareness training (BC.6), anti-malware software provides an important technical safety net against threats that make it past other defenses.
How to Get Started
Implementing anti-malware protection is one of the more straightforward baseline controls. Here are practical steps for Canadian SMBs:
- Verify protection on every device. Check that every computer, laptop, and server in your organization has anti-malware software installed and actively running. For Windows devices, ensure Microsoft Defender Antivirus is enabled at minimum, or that a third-party solution is installed and active.
- Enable automatic updates. Confirm that your anti-malware software is configured to download signature updates automatically. Check that updates are being applied successfully — some systems may fail to update due to network issues or configuration problems without alerting the user.
- Configure real-time scanning. Ensure that on-access (real-time) scanning is enabled, not just scheduled scans. Real-time scanning checks files as they are accessed, providing immediate protection.
- Set up scheduled full scans. In addition to real-time scanning, configure a weekly full-system scan. Schedule it for a time when the device is likely to be on but not heavily used, such as during lunch hours or overnight for servers.
- Review email security settings. If you use Microsoft 365 or Google Workspace, review your email security configuration. Enable attachment scanning, link protection, and spam filtering. Block delivery of high-risk file types such as .exe and .js attachments.
- Enable browser safe browsing features. Ensure that Chrome's Safe Browsing, Edge's SmartScreen, or equivalent features are enabled on all workstations. These provide a warning layer when users attempt to visit known malicious websites.
- Include mobile devices. If employees use smartphones or tablets for work, ensure those devices have appropriate protection as well, particularly Android devices where the malware landscape is more active.
- Centralize management where possible. For organizations with more than a handful of devices, consider an endpoint protection solution that provides centralized management and reporting, allowing you to verify that all devices are protected and up to date from a single console.
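One way to check the first four steps on a Windows device running Microsoft Defender Antivirus, as an added example that is not part of the CCCS guidance or of this page's original content. The function name `Test-DefenderBaseline`, the one-day signature threshold and the constructed sample object are assumptions made for illustration; the status fields are those returned by `Get-MpComputerStatus`.

```powershell
# Added example: audit Microsoft Defender Antivirus state against the steps above.
# Thresholds are illustrative assumptions, not values mandated by the CCCS.
function Test-DefenderBaseline {
    param(
        # Defaults to the live device; a constructed object can be passed to exercise the logic.
        $Status = (Get-MpComputerStatus),
        [int] $MaxSignatureAgeDays = 1,   # assumption: definitions refreshed at least daily
        [int] $MaxFullScanAgeDays  = 7    # weekly full-system scan, per the step above
    )

    # Ages are reported in days. A device that has never completed a full scan
    # reports the maximum 32-bit value, so it fails the age comparison below.
    $checks = [ordered]@{
        'Antivirus engine enabled'      = [bool]$Status.AntivirusEnabled
        'Real-time protection enabled'  = [bool]$Status.RealTimeProtectionEnabled
        'On-access scanning enabled'    = [bool]$Status.OnAccessProtectionEnabled
        'Signatures within age limit'   = $Status.AntivirusSignatureAge -le $MaxSignatureAgeDays
        'Full scan within age limit'    = $Status.FullScanAge -le $MaxFullScanAgeDays
    }

    foreach ($name in $checks.Keys) {
        [pscustomobject]@{ Check = $name; Passed = $checks[$name] }
    }
}

# Constructed sample: protection is on, but updates have silently failed for
# 12 days and no full scan has ever completed on this device.
$sample = [pscustomobject]@{
    AntivirusEnabled          = $true
    RealTimeProtectionEnabled = $true
    OnAccessProtectionEnabled = $true
    AntivirusSignatureAge     = 12
    FullScanAge               = 4294967295
}

$results = Test-DefenderBaseline -Status $sample
$results | Format-Table -AutoSize

# Report only the failed checks so they are easy to act on.
$failed = $results | Where-Object { -not $_.Passed }
if ($failed) {
    Write-Warning ("Failed checks: " + (($failed.Check) -join '; '))
}

# On a real Windows device, audit the live state instead of the sample:
# Test-DefenderBaseline | Format-Table -AutoSize
```

Devices protected by a third-party product need that vendor's own status reporting or management console, since the Defender fields above describe only Microsoft Defender Antivirus.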
Common Mistakes to Avoid
Based on the CCCS guidance and common patterns in Canadian organizations, here are frequent anti-malware mistakes:
- Assuming one device does not matter. A single unprotected device on your network can serve as an entry point for malware that spreads to other systems. Every device needs protection, including those used infrequently.
- Disabling protection for convenience. Users sometimes disable anti-malware software because it slows down a specific task or blocks a program they want to install. This creates a window of vulnerability. If legitimate software is being blocked, create a specific exception rather than disabling protection entirely.
- Running multiple anti-malware products simultaneously. Installing two or more real-time anti-malware products on the same device can cause conflicts, performance problems, and reduced protection. Use one primary endpoint protection solution per device.
- Neglecting to verify that updates are working. Anti-malware software configured for automatic updates may silently fail to update due to network issues, expired subscriptions, or configuration changes. Periodically check that definitions are current on your devices.
- Relying solely on anti-malware. No anti-malware product catches every threat. Anti-malware is one layer of defense and should be combined with patching, secure configuration, user training, and other controls for effective protection.
- Ignoring email security. Since email is the primary delivery vector for malware, neglecting email filtering and attachment scanning leaves a major gap in your defenses even if endpoint protection is in place.
Cybersecurity Canada is an independent resource and is not affiliated with, endorsed by, or connected to the Canadian Centre for Cyber Security, the Communications Security Establishment, or the Government of Canada.