SI-3(8)—Malicious Code Protection

Operational

>Control Description

MALICIOUS CODE PROTECTION | DETECT UNAUTHORIZED COMMANDS The information system detects ⚙organization-defined unauthorized operating system commands through the kernel application programming interface at ⚙organization-defined information system hardware components and [Selection (one or more): issues a warning; audits the command execution; prevents the execution of the command].

>Supplemental Guidance

This control enhancement can also be applied to critical interfaces other than kernel-based interfaces, including for example, interfaces with virtual machines and privileged applications. Unauthorized operating system commands include, for example, commands for kernel functions from information system processes that are not trusted to initiate such commands, or commands for kernel functions that are suspicious even though commands of that type are reasonable for processes to initiate. Organizations can define the malicious commands to be detected by a combination of command types, command classes, or specific instances of commands.

Organizations can define hardware components by specific component, component type, location in the network, or combination therein. Organizations may select different actions for different types/classes/specific instances of potentially malicious commands. Related control: AU-6.

>Tailoring Guidance

This security control/enhancement specifies the use of an automated mechanism. While there are obvious benefits to the use of such mechanisms, in most cases the use of manual mechanisms will suffice.

Ask AI

Configure your API key to use AI features.