This technical support article outlines the core requirements needed to successfully pass the Malware Protection section of a Cyber Essentials Plus (CE+) audit using native Microsoft Defender configurations. It covers the endpoint behavior an assessor expects for download intercepts, archive processing and Potentially Unwanted Application (PUA) handling, and centralized security automation.
1. Understanding the CE+ Malware Protection Audit Criteria
2. Out-of-the-Box Windows Defender Suitability
3. Mandatory Baseline Configurations
4. Behavior Analysis: Archives and the Review State
5. Enterprise Automation via Defender for Endpoint (MDE)
Understanding the CE+ Malware Protection Audit Criteria
During a Cyber Essentials Plus technical assessment, the auditor will simulate real-world delivery methods to evaluate your endpoint's defenses. This involves deploying known malware test signatures (such as EICAR) and Potentially Unwanted Application (PUA) payloads across two distinct phases: Web Downloads (via browsers like Google Chrome) and Email Attachments.
A common point of confusion is whether an endpoint must block a malicious payload completely at the initial download step to satisfy compliance. According to the NCSC guidelines, the evaluation criteria focus entirely on Execution Prevention. The framework explicitly recognises two successful paths to pass an audit verification:
- Path A (Blocked at Download): The network perimeter, secure web gateway, or browser web protection engines (such as Chrome Safe Browsing) intercept and block the download completely, meaning the payload container never reaches local storage.
- Path B (Blocked at Execution/Access): The file container is successfully downloaded to disk. However, the moment a user attempts to open, extract, or execute the underlying payload, the real-time anti-malware engine intercepts, locks, and remediates the threat.
[Archive Successfully Downloaded] → [User Triggers Decompression] → [Payload Extracted to Disk] → [Real-Time Engine Intercepts & Blocks Execution] — RESULT: PASS
The assessment is only marked as a Fail if a malicious signature bypasses the transport layers, writes to local storage, and successfully runs without being intercepted by local security software.
Out-of-the-Box Windows Defender Suitability
Standard, out-of-the-box Microsoft Defender Antivirus is fully capable of passing a Cyber Essentials Plus evaluation on its own. It satisfies the framework's malware protection requirements natively, provided that its core automated features are kept intact:
- On-Access Scanning: Automatically scans files as they are accessed, created, or unpacked.
- Signature Currency: Natively checks and applies definition intelligence updates multiple times throughout the day.
- Automated Isolation: Neutralizes threats without requiring continuous manual end-user action.
Mandatory Baseline Configurations
To prepare an endpoint for an audit checklist, administrators must ensure the following internal protection primitives are configured securely across the fleet:
A. Real-Time and Cloud-Delivered Protection
Real-time protection and cloud-delivered (MAPS) lookups must be active. Without cloud lookups enabled, modified or polymorphic test samples used by modern assessors may slip past the locally held signatures. Verify or enforce this configuration from an elevated PowerShell session:
Set-MpPreference -DisableRealtimeMonitoring $false
Set-MpPreference -MAPSReporting Advanced
B. Enabling Potentially Unwanted Application (PUA) Protection
Enabling basic malware protection alone is not sufficient to pass. The CE+ specification includes specialized test packages designed to target software with low reputation or unwanted administrative bundles. On fresh Windows corporate installations, PUA blocking can sometimes default to an unconfigured state or log-only mode (Audit Mode). To pass, PUA protection must be strictly set to Block Mode (value 1, shown as Enabled in the cmdlet). Run the following command in an elevated PowerShell session:
Set-MpPreference -PUAProtection Enabled
Behavior Analysis: Archives and the "Review" State
Understanding the internal mechanisms of Windows Defender during testing prevents false alarms when reviewing local endpoint logs on audit day.
Archive Boundary Handling
When an archive containing a test sample is downloaded, the real-time engine deliberately allows the .zip, .7z, or .rar container to reside on disk without immediately quarantining the archive itself. Decompressing every downloaded block mid-stream would impose severe CPU overhead. Instead, it acts at the extraction boundary: the moment the uncompressed file is written to disk, on-access scanning detects it and Defender blocks execution. The inert container remains, but the danger is eliminated. This is fully compliant behavior.
The PUA "Review" State vs. Traditional Malware Quarantine
Because PUAs occupy a gray area (e.g., administrative script packages, network bundle utilities), the out-of-the-box local engine halts execution but prompts an administrative review to confirm if the tool was intentional. Since execution is completely prevented, this state satisfies the CE+ pass requirements. To permanently clear the interface notification, an administrator simply needs to navigate to Protection History, expand the detection alert, and manually select Quarantine or Remove.
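The following PowerShell script is an added example, not part of the original article, that ties together the baseline from section 3 and the "Review" state described above: it reads the current Defender preferences and engine status, compares them against the values the article requires (real-time monitoring on, MAPS reporting at Advanced, PUA protection at 1/Block), and then lists any active detections that Defender has halted but that still await an administrator's decision. It assumes an elevated session on a Windows endpoint where the Defender cmdlets (Get-MpPreference, Get-MpComputerStatus, Get-MpThreat) are available; the signature-age threshold of one day is a chosen assumption, not a CE+ number.

```powershell
# Added example (not from the original article): one-pass pre-audit check of the
# Defender baseline, followed by a listing of detections still awaiting local review.
# Assumes an elevated PowerShell session with the Defender module present.

$pref   = Get-MpPreference
$status = Get-MpComputerStatus

# Each row pairs the observed value with the value the article's baseline requires.
# MAPSReporting: 0 = Disabled, 1 = Basic, 2 = Advanced.
# PUAProtection: 0 = Disabled, 1 = Enabled (block), 2 = AuditMode (log only).
$checks = @(
    [pscustomobject]@{ Setting = 'Real-time monitoring enabled';    Observed = (-not $pref.DisableRealtimeMonitoring); Expected = $true }
    [pscustomobject]@{ Setting = 'Real-time engine running';        Observed = $status.RealTimeProtectionEnabled;      Expected = $true }
    [pscustomobject]@{ Setting = 'MAPS reporting (cloud lookups)';  Observed = [int]$pref.MAPSReporting;               Expected = 2 }
    [pscustomobject]@{ Setting = 'PUA protection (block mode)';     Observed = [int]$pref.PUAProtection;               Expected = 1 }
    [pscustomobject]@{ Setting = 'Signatures at most 1 day old';    Observed = ($status.AntivirusSignatureAge -le 1);  Expected = $true }  # assumed threshold
)

$checks | Format-Table -AutoSize
$failed = @($checks | Where-Object { $_.Observed -ne $_.Expected })

if ($failed.Count -gt 0) {
    Write-Warning ("{0} baseline setting(s) do not match the CE+ preparation values:" -f $failed.Count)
    $failed | ForEach-Object { Write-Warning ("  {0}: observed {1}, expected {2}" -f $_.Setting, $_.Observed, $_.Expected) }
} else {
    Write-Host 'Baseline matches the CE+ preparation values.'
}

# Detections that were halted but not yet quarantined or removed remain "active";
# these are the entries an administrator clears from Protection History.
$active = @(Get-MpThreat | Where-Object { $_.IsActive })

if ($active.Count -gt 0) {
    Write-Host ("{0} detection(s) awaiting review:" -f $active.Count)
    $active |
        Select-Object ThreatName, SeverityID, DidThreatExecute,
                      @{ Name = 'Resources'; Expression = { $_.Resources -join '; ' } } |
        Format-Table -AutoSize
} else {
    Write-Host 'No active detections awaiting review.'
}

# Non-zero exit code lets a fleet management tool flag endpoints that need attention.
if ($failed.Count -gt 0) { exit 1 }
```

The DidThreatExecute column is the value worth watching on audit day: a halted detection with DidThreatExecute equal to False is exactly the Path B outcome the assessor is looking for, whereas True would indicate the sample ran before being caught.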
Enterprise Automation via Defender for Endpoint (MDE)
In mid-to-large business environments, handling local "Review" alerts manually on individual endpoints is inefficient. If your fleet is onboarded to Microsoft Defender for Endpoint (MDE Plan 2 / Defender for Business), this lifecycle is managed automatically from the cloud platform. When an MDE environment detects a PUA or test signature, it initiates an Automated Investigation and Response (AIR) playbook. To ensure that endpoints bypass local prompt holds and automatically process quarantine sequences across testing scopes, administrators should verify that their target machine group is configured for full autonomy:
1. Navigate to the centralized Microsoft Defender Portal (security.microsoft.com).
2. Go to Settings -> Endpoints -> Permissions -> Device Groups.
3. Locate the device group mapping to your assessment deployment.
4. Ensure the Automation Level dropdown is set to: Full - remediate threats automatically
With Full Automation active, the cloud console evaluates the threat detection, automatically updates the local endpoint state, and forces containment and quarantine routines silently behind the scenes, leaving your compliance dashboard green and ready for auditor inspection.