MITRE ATT&CK® Mitigation

M0949: Antivirus/Antimalware

Use signatures or heuristics to detect malicious software. Within industrial control environments, antivirus/antimalware installations should be limited to assets that are not involved in critical or real-time operations. To minimize the impact to system availability, all products should first be validated within a representative test environment before deployment to production systems. [1]

ICS | M0949 | Mitigation | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

Antivirus/antimalware remains useful in ICS environments, but its business value depends on where and how it is deployed. MITRE specifically cautions that these tools should be limited to assets not involved in critical or real-time operations and validated in a representative test environment before production use. For leaders, the key decision is not simply “do we have AV,” but whether malware prevention is applied in a way that reduces phishing, user-execution, and transient-asset risk without creating availability risk in operational systems.

Executive priority

Prioritize this as a resilience and assurance control for industrial environments: it supports malware risk reduction and maps to recognized control expectations including IEC 62443 SR/CR 3.2 and NIST SP 800-53 SI-3. Executives should ask whether AV/antimalware deployment is risk-tiered across ICS assets, tested before production rollout, and governed so signature or heuristic updates do not disrupt critical or real-time operations. This is especially relevant where users handle attachments, where portable or transient cyber assets enter ICS networks, or where compliance evidence is needed for malicious code protection.

Technical view

For SOC, IR, and OT security teams, validate antivirus/antimalware coverage against the related ATT&CK ICS techniques: User Execution, Spearphishing Attachment, and Transient Cyber Asset. Coverage should focus on detecting malicious files, scripts, documents, installers, removable/transient media, and malware introduced through user interaction. Because ATT&CK provides no detection section and no platforms for this mitigation, local architecture must decide where agents, scanning, or update processes are appropriate. In ICS, confirm that any deployment and update workflow has been tested in a representative environment before production use, especially around assets supporting critical or real-time operations.

Likely telemetry

  • Antivirus/antimalware detection and quarantine events
  • Signature, heuristic, and engine update status
  • Endpoint asset inventory showing where AV/antimalware is and is not deployed
  • Email attachment and document malware scan results where available
  • Removable media or transient cyber asset scan records

Detection direction

  • Validate whether AV/antimalware alerts are ingested into SOC monitoring with enough asset context to distinguish business IT, ICS support systems, transient assets, and critical/real-time operational assets.
  • Tune alert triage around the related behaviors: user-opened documents or installers, spearphishing attachments, and files introduced through transient cyber assets.
  • Review exclusions and disabled agents as potential blind spots, especially on engineering workstations, support laptops, removable-media workflows, or other assets that bridge external and ICS environments.
  • Account for false positives and availability impact in ICS: aggressive scanning or untested updates may disrupt operations even when security intent is valid.
  • Because ATT&CK does not provide an official detection section for this mitigation, measure effectiveness through local alert quality, test results, incident history, and control validation rather than assuming coverage from product presence.

Mitigation priorities

  • Classify ICS assets by operational criticality and real-time sensitivity before deploying antivirus/antimalware broadly.
  • Deploy or maintain AV/antimalware first where it is appropriate for non-critical or non-real-time assets and where user execution, email attachments, or transient assets create malware exposure.
  • Validate products, signatures, heuristics, scans, and update processes in a representative test environment before production deployment.
  • Establish controlled update and change-management procedures to minimize availability risk.
  • Maintain evidence for IEC 62443 SR/CR 3.2 and NIST SP 800-53 SI-3 alignment, including deployment scope, update status, testing records, exceptions, and monitoring outputs.
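The alert enrichment and blind-spot review described under Detection direction and Mitigation priorities, as an added Python example that is not part of the Glexia page or of MITRE ATT&CK. The inventory records, the JSON event lines, the zone and tier labels, the 14-day signature-age threshold and the vector-to-technique mapping are all constructed assumptions for illustration; the three technique IDs are the ones from the relationship table on this page.

```python
"""Added example (not Glexia's or MITRE's code): correlate AV/antimalware
telemetry with an ICS asset inventory to (a) give each alert asset context,
(b) map it to the related ATT&CK ICS technique, and (c) list coverage blind
spots such as missing, disabled or stale agents and broad exclusions on assets
that bridge external and ICS environments. All data below is constructed."""
import json
from datetime import date

# Constructed asset inventory. "tier" follows the page's distinction between
# critical/real-time operational assets and everything else.
INVENTORY = [
    {"host": "eng-ws-01", "zone": "ics-support", "tier": "non-critical",
     "av_installed": True, "av_enabled": True, "sig_date": "2026-01-10",
     "exclusions": ["C:\\Projects\\"], "bridges_external": True},
    {"host": "vendor-laptop-7", "zone": "transient", "tier": "non-critical",
     "av_installed": False, "av_enabled": False, "sig_date": None,
     "exclusions": [], "bridges_external": True},
    {"host": "hmi-02", "zone": "control", "tier": "critical-realtime",
     "av_installed": True, "av_enabled": True, "sig_date": "2026-01-12",
     "exclusions": [], "bridges_external": False},
    {"host": "mail-gw", "zone": "it", "tier": "non-critical",
     "av_installed": True, "av_enabled": False, "sig_date": "2025-11-01",
     "exclusions": [], "bridges_external": True},
]

# Constructed AV events, one JSON object per line as an AV/EDR export might emit.
RAW_EVENTS = """\
{"ts":"2026-01-13T08:02:11Z","host":"mail-gw","action":"quarantined","vector":"email-attachment","file":"invoice.docm"}
{"ts":"2026-01-13T09:15:40Z","host":"eng-ws-01","action":"detected","vector":"removable-media","file":"E:/setup.exe"}
{"ts":"2026-01-13T10:01:03Z","host":"hmi-02","action":"detected","vector":"user-execution","file":"update.msi"}
{"ts":"2026-01-13T10:30:22Z","host":"unknown-host","action":"detected","vector":"user-execution","file":"tool.exe"}
"""

# Delivery vector -> related ATT&CK ICS technique (IDs from the page's table).
# The vector labels themselves are an assumption about the AV product's fields.
VECTOR_TO_TECHNIQUE = {
    "email-attachment": "T0865",   # Spearphishing Attachment
    "removable-media": "T0864",    # Transient Cyber Asset
    "user-execution": "T0863",     # User Execution
}


def parse_events(raw):
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in raw.splitlines() if line.strip()]


def enrich_alerts(events, inventory):
    """Attach zone/tier to each alert. Alerts from hosts absent from the
    inventory are flagged: the SOC cannot tier them, which is exactly the
    'enough asset context' gap the page warns about."""
    by_host = {a["host"]: a for a in inventory}
    out = []
    for ev in events:
        asset = by_host.get(ev["host"])
        out.append({
            **ev,
            "technique": VECTOR_TO_TECHNIQUE.get(ev["vector"], "unmapped"),
            "zone": asset["zone"] if asset else "unknown",
            "tier": asset["tier"] if asset else "unknown",
            "needs_asset_context": asset is None,
        })
    return out


def coverage_gaps(inventory, today_iso, max_sig_age_days=14):
    """Return (host, finding) pairs. Non-critical assets without a working,
    current agent are blind spots (priority 'high' when they bridge external
    and ICS networks). Critical/real-time assets that run AV are listed for
    confirmation that the deployment was tested and approved, since the page
    says AV should be limited there and validated before production."""
    today = date.fromisoformat(today_iso)
    gaps = []
    for a in inventory:
        if a["tier"] == "critical-realtime":
            if a["av_installed"]:
                gaps.append((a["host"], "av-on-critical-asset: confirm tested/approved"))
            continue
        reasons = []
        if not a["av_installed"]:
            reasons.append("no-agent")
        else:
            if not a["av_enabled"]:
                reasons.append("agent-disabled")
            if a["sig_date"] and (today - date.fromisoformat(a["sig_date"])).days > max_sig_age_days:
                reasons.append("stale-signatures")
        if a["exclusions"]:
            reasons.append("exclusions:" + ",".join(a["exclusions"]))
        prio = "high" if a["bridges_external"] else "medium"
        gaps.extend((a["host"], f"{prio}:{r}") for r in reasons)
    return gaps


if __name__ == "__main__":
    for alert in enrich_alerts(parse_events(RAW_EVENTS), INVENTORY):
        print(alert)
    for gap in coverage_gaps(INVENTORY, "2026-01-14"):
        print(gap)
```

Run as a script it prints the enriched alerts and the gap list; in practice the inventory would come from the CMDB or endpoint management export and the events from the AV console's log forwarder. The point of keeping the critical/real-time branch separate is that for those assets the finding is not "missing AV" but "AV present without evidence of test-environment validation", which matches the page's guidance rather than a blanket endpoint-coverage metric.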

Analyst notes and limits

This object is an ICS ATT&CK mitigation, not a technique. Its decision value is strongest when used to govern safe malware protection in industrial environments rather than as a blanket endpoint-security recommendation. The relationship context indicates relevance to User Execution, Spearphishing Attachment, and Transient Cyber Asset risk. The official source emphasizes validating AV changes in representative ICS test environments before production deployment.

ATT&CK provides no official detection text, no platforms, and no tactics for this mitigation. The supplied data does not support claims about specific products, active exploitation, adversary attribution, guaranteed detection, or universal deployment suitability. Local asset criticality, operational constraints, telemetry availability, and testing evidence are required to determine appropriate coverage.

Official MITRE ATT&CK definition

Antivirus/Antimalware

Use signatures or heuristics to detect malicious software. Within industrial control environments, antivirus/antimalware installations should be limited to assets that are not involved in critical or real-time operations. To minimize the impact to system availability, all products should first be validated within a representative test environment before deployment to production systems. [1]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain  ID     Name                      Relationship / procedure
ICS     T0864  Transient Cyber Asset     Install anti-virus software on all workstation and transient assets that may have external access, such as to web, email, or remote file shares.
ICS     T0865  Spearphishing Attachment  Deploy anti-virus on all systems that support external email.
ICS     T0863  User Execution            Ensure anti-virus solution can detect malicious files that allow user execution (e.g., Microsoft Office Macros, program installers).

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
6679a310b0eaab38...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle 6679a310b0ea…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  [1] NCCIC. (2018, August 2). Recommended Practice: Updating Antivirus in an Industrial Control System. Retrieved 2020/09/17.
  [2] mitre-attack. M0949.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.