GRCWatch
Sign inStart free trial

PCI DSS 5.3.5: Prevent Users from Disabling Anti-Malware

Anti-malware software is only effective if users cannot circumvent it. PCI DSS 5.3.5 requires that anti-malware mechanisms remain active and unmodifiable unless explicitly authorized by management. This control prevents attackers from leveraging user access to disable critical security protections.

What this means

Your organization must implement technical and administrative controls that prevent users from disabling, uninstalling, or altering anti-malware software on any system. Only authorized management personnel, following documented approval processes, should be able to modify or temporarily disable anti-malware protections. This applies to all devices processing, storing, or transmitting cardholder data.

How to comply

  1. 1.Configure anti-malware software with admin-level permissions that standard users cannot override
  2. 2.Disable user access to anti-malware settings, uninstall functions, and update configurations
  3. 3.Establish a formal change management process requiring documented management approval before any anti-malware modifications
  4. 4.Deploy anti-malware through centralized management tools that prevent endpoint tampering
  5. 5.Implement logging and alerting for any attempted disabling or alteration of anti-malware protection
  6. 6.Regularly audit systems to confirm anti-malware remains active and unchanged on all covered devices
  7. 7.Document all authorized exceptions with business justification and approval records

Evidence auditors look for

  • Screenshots showing anti-malware settings locked with admin-only access
  • Group Policy Objects (GPO) or Mobile Device Management (MDM) configurations enforcing anti-malware protection
  • Change management records showing approval for any authorized anti-malware modifications
  • Audit logs demonstrating failed user attempts to disable or alter anti-malware
  • Centralized anti-malware management console reports confirming protection status across all endpoints
  • Policy documentation defining roles and approval requirements for anti-malware changes
  • Test results from penetration testing confirming users cannot disable protections

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automatically discovers and monitors anti-malware configurations across your environment, flags systems where protections are disabled, and generates audit evidence for PCI DSS 5.3.5 compliance—eliminating manual endpoint checks.

See how GRCWatch handles this control automatically

Start free trial

Related controls

PCI DSS 5.1 - Deploy anti-malware softwarePCI DSS 5.3.1 - Scan for malicious code regularlyPCI DSS 5.3.2 - Update anti-malware definitionsPCI DSS 6.2 - Implement change management for security patchesPCI DSS 7.1 - Limit access to cardholder data by business need