Endpoint Protection Auditor
Confirms the EDR is not just installed but actively scanning, current, and unable to be disabled by malware mid-execution.
The problem
3.14.2 has no waiver path. Malicious code protection at appropriate locations is required. Yet contractors routinely have endpoints with the AV agent installed but real-time protection disabled, definitions a week out of date, or tamper protection off, meaning malware can disable the agent during execution and the contractor never knows.
Exclusions are the contractor-side failure mode that matters most. Malware family operators routinely instruct victims to add exclusions before payload deployment, and an exclusion of C:\Users\, %TEMP%, or .ps1 effectively turns off the AV product for the locations attackers actually use. These are configuration findings, not detection failures, and the assessor will read the exclusion list line by line.
EDR products differ from traditional AV in checkable ways: cloud-delivered content updates instead of signature files, agent versions to track against vendor minimums, last-heartbeat timestamps showing whether the agent is still talking to its console. The audit needs to cover both classes correctly without false positives on Linux for Windows-only concepts and without missing tamper-protection regressions on EDR.
What CMMC requires
NIST SP 800-171 Rev 2 controls this agent verifies. Primary mappings drive the gap assessment; secondary mappings provide supporting evidence in the SSP.
- Audits AV/EDR presence, real-time protection state, tamper protection, and the exclusion list: the substantive verification of 3.14.2 implementation.
- Verifies the EDR agent is connected to its management console for advisory correlation. Disconnected agents do not receive alerts.
- Checks definition currency and agent version against vendor minimums. Out-of-date definitions are a 3.14.4 failure regardless of agent presence.
- Confirms scheduled scans are configured and on-access scanning is enabled, not just that scanning is theoretically possible.
- Behavioral detection (rkhunter recency, hidden process detection, LD_PRELOAD anomalies) covers detection of unauthorized system use.
How it works
Per-platform detection logic. The agent runs unprivileged where possible and falls back gracefully when raw access is unavailable.
Linux: Detects ClamAV (clamscan, freshclam, clamonacc daemon), CrowdStrike Falcon (/opt/CrowdStrike/falconctl), SentinelOne (/opt/sentinelone/bin/sentinelctl), Carbon Black (/opt/carbonblack), and AIDE / rkhunter for file integrity. Parses /var/log/clamav/freshclam.log for the last successful definition update. Checks /etc/ld.so.preload for non-empty content as an LD_PRELOAD-based rootkit indicator, and compares /proc enumeration against ps aux output to surface hidden processes.
Windows: Queries WMI root\SecurityCenter2 AntiVirusProduct for registered products. Reads HKLM\SOFTWARE\Microsoft\Windows Defender registry keys directly (DisableRealtimeMonitoring, DisableBehaviorMonitoring, DisableOnAccessProtection, DisableIOAVProtection) because WMI can be manipulated by an attacker who already owns the host. Reads SignaturesLastUpdated for definition age, parses Exclusions\Paths/Extensions/Processes for exclusion sprawl, and verifies tamper protection (Features\TamperProtection = 5).
macOS: Reads XProtect.meta.plist for version and last-update date. Runs spctl --status for Gatekeeper and falconctl stats or sentinelctl version when third-party EDR is installed. Each detected product reports product name, version, last definition update, and tamper protection state in one structured artifact.
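The Windows logic above (read the Defender state from the registry rather than WMI, treat Features\TamperProtection = 5 as enabled, derive definition age from SignaturesLastUpdated) is shown here as an added, stand-alone example; it is not the product's code. It assumes the value names sit under the Real-Time Protection, Features and Signature Updates subkeys of the Defender key, and that SignaturesLastUpdated is a REG_BINARY FILETIME (8-byte little-endian count of 100 ns ticks since 1601-01-01 UTC). The registry read itself is left to the caller; the snapshots below are constructed so the evaluation runs on any platform.

```python
import struct
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Subkeys beneath HKLM\SOFTWARE\Microsoft\Windows Defender holding the values the audit reads.
REAL_TIME = "Real-Time Protection"
FEATURES = "Features"
SIGNATURES = "Signature Updates"
TAMPER_PROTECTION_ON = 5            # Features\TamperProtection = 5 means enabled
MAX_DEFINITION_AGE = timedelta(days=7)
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Any of these set to 1 switches off one layer of real-time scanning.
# A missing value is the default (protection on), so absence is not a finding.
DISABLE_FLAGS = (
    "DisableRealtimeMonitoring",
    "DisableBehaviorMonitoring",
    "DisableOnAccessProtection",
    "DisableIOAVProtection",
)


@dataclass(frozen=True)
class Finding:
    severity: str
    control: str   # NIST SP 800-171 control the finding is recorded under
    message: str


def filetime_to_datetime(raw: bytes) -> datetime:
    """Decode a FILETIME: little-endian uint64 of 100 ns ticks since 1601-01-01 UTC (assumed encoding)."""
    (ticks,) = struct.unpack("<Q", raw)
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(when: datetime) -> bytes:
    """Inverse of filetime_to_datetime; used only to build the constructed snapshots below."""
    ticks = ((when - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10
    return struct.pack("<Q", ticks)


def evaluate_defender(snapshot: dict, now: datetime) -> list[Finding]:
    """Grade a registry snapshot {subkey: {value_name: data}} against the findings the page lists."""
    findings = []
    rtp = snapshot.get(REAL_TIME, {})
    for flag in DISABLE_FLAGS:
        if rtp.get(flag, 0) == 1:
            findings.append(Finding("CRITICAL", "3.14.2",
                                    f"{REAL_TIME}\\{flag}=1: real-time protection layer disabled"))
    tamper = snapshot.get(FEATURES, {}).get("TamperProtection")
    if tamper != TAMPER_PROTECTION_ON:
        findings.append(Finding("HIGH", "3.14.2",
                                f"{FEATURES}\\TamperProtection={tamper!r} (expected {TAMPER_PROTECTION_ON}): "
                                "agent can be disabled at runtime"))
    raw = snapshot.get(SIGNATURES, {}).get("SignaturesLastUpdated")
    if raw is None:
        findings.append(Finding("HIGH", "3.14.4", "no SignaturesLastUpdated value: definition currency cannot be shown"))
    else:
        age = now - filetime_to_datetime(raw)
        if age > MAX_DEFINITION_AGE:
            findings.append(Finding("HIGH", "3.14.4",
                                    f"definitions last updated {age.days} days ago (limit {MAX_DEFINITION_AGE.days})"))
    return findings


# Constructed snapshots; NOW is fixed so the ages are reproducible.
NOW = datetime(2025, 1, 15, 12, 0, tzinfo=timezone.utc)
HEALTHY = {
    REAL_TIME: {},
    FEATURES: {"TamperProtection": 5},
    SIGNATURES: {"SignaturesLastUpdated": datetime_to_filetime(NOW - timedelta(days=1))},
}
DEGRADED = {
    REAL_TIME: {"DisableRealtimeMonitoring": 1, "DisableBehaviorMonitoring": 0},
    FEATURES: {"TamperProtection": 4},
    SIGNATURES: {"SignaturesLastUpdated": datetime_to_filetime(NOW - timedelta(days=10))},
}


def severities(snapshot: dict) -> list[str]:
    """Severity column of the findings for a snapshot, in report order."""
    return [f.severity for f in evaluate_defender(snapshot, NOW)]


if __name__ == "__main__":
    for name, snap in (("healthy", HEALTHY), ("degraded", DEGRADED)):
        print(name)
        for f in evaluate_defender(snap, NOW):
            print(f"  {f.severity:8} {f.control}  {f.message}")
```

The degraded snapshot yields the three concurrent deductions the page describes for one misconfigured install: a CRITICAL under 3.14.2 for the disabled real-time layer, a HIGH under 3.14.2 for tamper protection, and a HIGH under 3.14.4 for stale definitions.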
What it finds
Concrete findings written to the assessor's mental model, not abstract categories. Severity drives POA&M priority and SPRS deduction.
- CRITICAL: No AV/EDR detected. No malicious code protection of any kind is running. 3.14.2 has no waiver; this is a direct compliance failure.
- CRITICAL: Real-time protection disabled. Defender DisableRealtimeMonitoring=1 or ClamAV clamonacc not running. The product is installed but not actively scanning.
- CRITICAL: Defender exclusion includes C:\ or C:\Users\. A root-path exclusion effectively disables AV across the entire system. Common malware-instructed configuration change.
- HIGH: Definitions older than 7 days. Last signature update is more than 7 days ago. Recent threats are not detected. 3.14.4 update-mechanism failure.
- HIGH: Tamper protection disabled. Defender Features\TamperProtection ≠ 5 or EDR equivalent off. Malware can disable the agent at runtime, defeating the agent's own enforcement.
- HIGH: Script extension excluded (.ps1, .vbs, .js). Exclusion list includes script extensions commonly used as malware delivery. Living-off-the-land attacks bypass scanning entirely.
- HIGH: /etc/ld.so.preload non-empty. LD_PRELOAD-based rootkit indicator. Investigate immediately; preloaded shared libraries on Linux are a primary persistence mechanism.
3.14.2 is a 5-point control. A missing AV/EDR is a direct 5-point loss with no compensating control accepted. Definition currency under 3.14.4 is 1 point but the assessor still records it on the report. A broad exclusion or disabled tamper protection produces a 5-point finding under 3.14.2 because the agent is effectively bypassed even though installed. Endpoint findings cluster, and a single misconfigured Defender install commonly produces three concurrent SPRS deductions across 3.14.2, 3.14.4, and 3.14.5.
How it hooks into the platform
The platform identifies the AV/EDR on each host during auto-discovery and runs the audit on its own schedule. You configure whether the product inventory and exclusion list stay on-prem or sync up. Detected products draft the SSP's 3.14.2 narrative as an inventory table covering product, version, real-time state, last update, and tamper protection. The exclusion list always exports for manual review even when no findings open, because the assessor will ask. POA&M items reference specific exclusions or definition versions; new exclusions or agent disconnection alert between scans.
How we know it's working
Acceptance criteria from the engineering spec: what the agent must do to ship.
- Detects Defender, Falcon, SentinelOne, Carbon Black, and ClamAV per host
- Reads Defender real-time state from registry directly, not from manipulable WMI
- Computes definition age for both signature and cloud-delivered products
- Always returns the full exclusion list in structured output for review
- Parses rkhunter logs in both compressed and plaintext form
- Inspects /etc/ld.so.preload unprivileged for rootkit indicators
- Suppresses Windows-only checks on Linux and macOS; no false positives
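The two Linux checks named in the per-platform logic and in the acceptance criteria (unprivileged inspection of /etc/ld.so.preload, and /proc enumeration compared against ps aux) are shown below as an added example that is not the product's code. It assumes /etc/ld.so.preload is world-readable by default and that glibc treats it as a whitespace-separated list of shared objects, so any non-blank token counts as the "non-empty content" finding. How the /proc listing is gathered (a readdir or probing each PID) is left to the caller; the inputs here are constructed, and the example also handles the race the page's comparison is exposed to: a process that exits between the /proc and ps snapshots would look hidden, so a candidate is reported only if it is still in a second /proc listing.

```python
def read_preload(path: str = "/etc/ld.so.preload") -> str:
    """Return the file's content, or '' when it does not exist (the normal state).
    No privilege is needed: the file is world-readable by default."""
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except FileNotFoundError:
        return ""


def preload_entries(contents: str) -> list[str]:
    """Every whitespace-separated token is a shared object the loader injects into each new
    dynamically linked process, so the list being non-empty is itself the indicator."""
    return contents.split()


def pids_from_proc(entries) -> set[int]:
    """All-digit /proc entry names are live PIDs; 'self', 'cpuinfo' and friends are not."""
    return {int(name) for name in entries if name.isdigit()}


def pids_from_ps(ps_aux: str) -> set[int]:
    """Second column of `ps aux` is the PID; the first line is the column header."""
    pids = set()
    for line in ps_aux.splitlines()[1:]:
        cols = line.split(None, 2)
        if len(cols) >= 2 and cols[1].isdigit():
            pids.add(int(cols[1]))
    return pids


def hidden_pids(proc_before, ps_aux: str, proc_after) -> list[int]:
    """PIDs present in /proc but missing from ps. A PID that exited between the two snapshots
    is dropped by requiring it to appear in the second /proc listing as well."""
    suspects = pids_from_proc(proc_before) - pids_from_ps(ps_aux)
    return sorted(suspects & pids_from_proc(proc_after))


def audit_linux(preload: str, proc_before, ps_aux: str, proc_after) -> list[tuple[str, str]]:
    """Findings as (severity, message). HIGH for the preload file matches the page; the hidden-process
    severity is this example's choice."""
    findings = []
    for entry in preload_entries(preload):
        findings.append(("HIGH", f"/etc/ld.so.preload lists {entry}: LD_PRELOAD rootkit indicator"))
    for pid in hidden_pids(proc_before, ps_aux, proc_after):
        findings.append(("HIGH", f"pid {pid} visible in /proc but absent from ps: possible hidden process"))
    return findings


# Constructed inputs. 4242 is in /proc both times but missing from ps (reported);
# 9999 exited between the two /proc listings (not reported).
PROC_BEFORE = ["1", "2", "1337", "4242", "9999", "self", "cpuinfo", "meminfo"]
PROC_AFTER = ["1", "2", "1337", "4242", "self", "cpuinfo", "meminfo"]
PS_AUX = """USER  PID %CPU %MEM   VSZ  RSS TTY STAT START TIME COMMAND
root    1  0.0  0.1 16904 9044 ?   Ss   10:00 0:01 /sbin/init
root    2  0.0  0.0     0    0 ?   S    10:00 0:00 [kthreadd]
root 1337  0.0  0.2 12345 6789 ?   Ss   10:01 0:00 /usr/sbin/clamonacc
"""
PRELOAD = "/usr/local/lib/libexample.so\n"   # constructed; an empty string is the clean case

if __name__ == "__main__":
    for severity, message in audit_linux(PRELOAD, PROC_BEFORE, PS_AUX, PROC_AFTER):
        print(severity, message)
    # On a real host: audit_linux(read_preload(), os.listdir("/proc"), <ps aux output>, os.listdir("/proc"))
```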
Run this agent against your environment.
Book a 30-minute scoping call. We'll deploy the agent on your systems and walk through the findings together.