Written with contributions from Bryon Singh, Director of Security Operations, RailWorks Corporation
In the documentary Zero Days (2016), investigators explain how Stuxnet, one of the most sophisticated malware campaigns ever discovered, initially spread through infected USB drives. The systems it targeted weren’t connected to the internet. They were air-gapped. And yet, malware still got in—because removable media was trusted by default.
That lesson is exactly why CIS Safeguard 10.4: Configure Automatic Anti-Malware Scanning of Removable Media exists.
What Is CIS Safeguard 10.4?
CIS Safeguard 10.4: Configure Automatic Anti-Malware Scanning of Removable Media is part of CIS Critical Security Control 10 – Malware Defenses.
The safeguard requires organizations to:
- Automatically scan removable media (USB drives, external hard drives, SD cards) for malware
- Perform scanning upon insertion and/or access
- Prevent execution of malicious content before users can interact with it
The intent is straightforward:
Any file entering the environment from removable media should be treated as untrusted until proven safe.
Why Removable Media Is Still a Serious Risk
Despite cloud adoption and SaaS dominance, removable media remains common:
- File transfers between environments
- Field operations and industrial systems
- Vendor support and maintenance
- Incident response and recovery
- Air-gapped or restricted networks
Attackers know this—and they exploit it.
Removable media bypasses many perimeter controls:
- No email gateway
- No URL filtering
- No web proxy
- Often limited network visibility
Like the USB drives discussed in Zero Days, malware doesn’t need a network connection if it can hitch a ride straight into the system.
Threats CIS Safeguard 10.4 Directly Mitigates
- Malware Introduction into Air-Gapped or Restricted Systems
Systems without internet access are often assumed to be safer. In reality, they are more dependent on removable media, which makes automatic scanning essential.
Without it, a single infected drive can compromise:
- Industrial control systems
- Secure labs
- Sensitive operational networks
- Accidental Infection by Well-Meaning Users
Most removable-media incidents are not malicious. They happen when users:
- Plug in a personal USB drive
- Use shared media between systems
- Accept files from vendors or partners
Automatic scanning removes the burden of judgment from the user and applies consistent security controls instead.
- Malware That Executes on Access
Some malware is designed to:
- Exploit autorun or file-preview behavior
- Trigger vulnerabilities during file indexing or rendering
Scanning on insertion and access ensures threats are detected before they execute.
Why “Automatic” Is the Key Word
Manual scanning is not enough.
CIS Safeguard 10.4 emphasizes automatic scanning because:
- Users forget
- Users bypass steps under pressure
- Users may not recognize risk
- Malware often executes faster than manual action
In Zero Days, Stuxnet succeeds not because users were careless, but because the process trusted removable media implicitly. Automation removes that trust assumption.
What Should Be Scanned?
Automatic scanning should apply to:
- USB flash drives
- External HDDs and SSDs
- SD cards and memory cards
- Other portable storage recognized by the OS
Scanning should include:
- Files on initial connection
- Files accessed or copied later
- Archives and compressed formats where possible
Blocking vs. Alerting
To align with the spirit of Safeguard 10.4, organizations should favor:
- Blocking or quarantining malicious files automatically
- Alerting security teams when malware is detected
- Preventing execution, not just logging detection
Allowing access after detection defeats the purpose of the control.
How Safeguard 10.4 Fits Into Control 10
CIS Control 10 focuses on preventing malware execution across the environment:
- 10.1–10.3: Establish and maintain anti-malware tooling
- 10.4: Ensure removable media is not a blind spot
- 10.5+: Strengthen protections through updates and tuning
Without removable-media scanning, Control 10 has a critical gap, one attackers have repeatedly exploited.
Practical Implementation Tips
To operationalize CIS Safeguard 10.4:
- Enable Scan-on-Insert and Scan-on-Access
Both matter—some threats appear only when accessed.
- Apply Policy Consistently
Don’t exempt “trusted” users or departments.
- Disable Autorun Where Possible
Scanning is strongest when paired with execution controls.
- Log and Review Detections
Malware on removable media is a high-value signal.
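The four implementation tips above (scan-on-insert and scan-on-access, no exemptions, autorun disabled, detections reviewed) and the earlier point that detection must block rather than merely alert can all be checked from one script on a Windows endpoint. The PowerShell below is an added example written for this page, not code from the article, from CIS, or from Gotham; it assumes Microsoft Defender Antivirus with its built-in Defender and Storage modules (Get-MpPreference, Set-MpPreference, Get-MpThreatDetection, Get-Volume) and the NoDriveTypeAutoRun registry value that the "Turn off AutoPlay" Group Policy sets. Run it without -Enforce to report drift against the safeguard, or with -Enforce to correct it.

```powershell
#Requires -RunAsAdministrator
# Added example for this article (not CIS or vendor code): audit, and optionally
# enforce, the removable-media settings behind CIS Safeguard 10.4 on a Windows
# endpoint running Microsoft Defender Antivirus. Other AV products expose the
# same knobs through their own consoles; the cmdlets here are Defender-specific.
param(
    [switch]$Enforce   # without -Enforce the script only reports drift
)

$findings = @()
$pref = Get-MpPreference

# --- 1. Scan-on-insert and scan-on-access ------------------------------------
# Removable drives are only included in Defender scans while this setting is
# $false; real-time protection is what inspects files as they are opened/copied.
if ($pref.DisableRemovableDriveScanning) {
    $findings += 'Removable drive scanning is disabled'
    if ($Enforce) { Set-MpPreference -DisableRemovableDriveScanning $false }
}
if ($pref.DisableRealtimeMonitoring) {
    $findings += 'Real-time (on-access) protection is disabled'
    if ($Enforce) { Set-MpPreference -DisableRealtimeMonitoring $false }
}

# --- 2. Block, don't just alert ---------------------------------------------
# A default action of Allow (6) or NoAction (9) records the detection and still
# lets the file run, which is exactly what the safeguard says to avoid.
$actionProps = 'LowThreatDefaultAction', 'ModerateThreatDefaultAction',
               'HighThreatDefaultAction', 'SevereThreatDefaultAction'
foreach ($p in $actionProps) {
    if ($pref.$p -in 6, 9) {
        $findings += "$p is set to $($pref.$p) (allow/no action)"
        if ($Enforce) { Set-MpPreference @{ $p = 'Quarantine' } }
    }
}

# --- 3. Disable autorun -----------------------------------------------------
# 0xFF (255) in NoDriveTypeAutoRun turns AutoRun off for every drive type; this
# is the same value the "Turn off AutoPlay" policy writes for all drives.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$autorun = (Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun `
            -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
if ($autorun -ne 255) {
    $findings += "NoDriveTypeAutoRun is '$autorun' (expected 255)"
    if ($Enforce) {
        New-Item -Path $key -Force | Out-Null
        Set-ItemProperty -Path $key -Name NoDriveTypeAutoRun -Value 255 -Type DWord
    }
}

# --- 4. Review detections that came from removable media ---------------------
# Defender's detection history stores resource strings such as
# "file:_E:\tools\setup.exe"; match the drive letter against volumes the OS
# currently reports as Removable so these hits stand out from the rest.
$removable = @(Get-Volume |
    Where-Object { $_.DriveType -eq 'Removable' -and $_.DriveLetter } |
    ForEach-Object { ([string]$_.DriveLetter).ToUpper() })

$onRemovable = Get-MpThreatDetection | Where-Object {
    foreach ($res in $_.Resources) {
        if ($res -match '^\w+:_([A-Za-z]):\\' -and
            $removable -contains $Matches[1].ToUpper()) { return $true }
    }
    return $false
}

# --- Report -----------------------------------------------------------------
if ($findings) { $findings | ForEach-Object { "DRIFT: $_" } }
else           { 'No drift from the Safeguard 10.4 baseline' }

foreach ($d in $onRemovable) {
    '{0}  ThreatID={1}  ActionSuccess={2}  {3}' -f $d.InitialDetectionTime,
        $d.ThreatID, $d.ActionSuccess, ($d.Resources -join '; ')
}
```

Two caveats on step 4: the drive-letter match only works for media that is still plugged in, so for retrospective review the detection history should be shipped to a SIEM at detection time rather than reconstructed later, and the `-in 6, 9` check relies on the numeric values Get-MpPreference reports for the Allow and NoAction default actions.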
Common Mistakes This Safeguard Prevents
Organizations without automatic scanning often:
- Assume air-gapped means immune
- Rely on user behavior for safety
- Treat removable media as “temporary”
- Discover infections only after execution
CIS Safeguard 10.4 exists to prevent avoidable first contact.
Final Thoughts
CIS Safeguard 10.4 recognizes a simple reality: malware doesn’t care how it gets in, only that it does. Removable media remains one of the oldest, quietest, and most effective delivery mechanisms.
Trust in removable media is dangerous by default. Automatic anti-malware scanning ensures that when something is plugged in, it’s examined before it’s believed.
And in malware defense, that moment before execution is the only one that truly matters.
Resources
Here’s a link to the Policy Templates provided free of charge from the fine folks at the Center for Internet Security:
Looking for even more details? Here you go. If this still doesn't satisfy your curiosity, DM me.
CIS Control 10: Malware Defenses
Prevent or control the installation, spread, and execution of malicious applications, code, or scripts on enterprise assets.
CIS Safeguard 10.4: Configure Automatic Anti-Malware Scanning of Removable Media
Configure anti-malware software to automatically scan removable media.
Shameless Marketing Information
Gotham Technology Group offers professional and managed services for implementing and managing Endpoint Protection Solutions. These solutions cover Next Generation Anti-Virus, Endpoint Detection & Response, and a host of other endpoint security tools.