NIST 800-53 r5 · Controls catalogue · Family SI
SI-3 Malicious Code Protection
- Implement {{ insert: param, si-03_odp.01 }} malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code;
- Automatically update malicious code protection mechanisms as new releases are available in accordance with organizational configuration management policy and procedures;
- Configure malicious code protection mechanisms to:
  - Perform periodic scans of the system {{ insert: param, si-03_odp.02 }} and real-time scans of files from external sources at {{ insert: param, si-03_odp.03 }} as the files are downloaded, opened, or executed in accordance with organizational policy; and
  - {{ insert: param, si-03_odp.04 }}; and send alert to {{ insert: param, si-03_odp.06 }} in response to malicious code detection; and
- Address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system.
Last updated: 09 May 2026 03:25 UTC
Implementations targeting this control (0)
- No implementations targeting this control yet.
ATT&CK techniques this control mitigates (224)
- T1001 Data Obfuscation Command And Control
- T1001.001 Junk Data Command And Control
- T1001.002 Steganography Command And Control
- T1001.003 Protocol or Service Impersonation Command And Control
- T1003 OS Credential Dumping Credential Access
- T1003.001 LSASS Memory Credential Access
- T1003.002 Security Account Manager Credential Access
- T1003.003 NTDS Credential Access
- T1003.004 LSA Secrets Credential Access
- T1003.005 Cached Domain Credentials Credential Access
- T1003.006 DCSync Credential Access
- T1003.007 Proc Filesystem Credential Access
- T1003.008 /etc/passwd and /etc/shadow Credential Access
- T1005 Data from Local System Collection
- T1008 Fallback Channels Command And Control
- T1011.001 Exfiltration Over Bluetooth Exfiltration
- T1021.003 Distributed Component Object Model Lateral Movement
- T1021.005 VNC Lateral Movement
- T1025 Data from Removable Media Collection
- T1027 Obfuscated Files or Information Stealth
- T1027.002 Software Packing Stealth
- T1027.007 Dynamic API Resolution Stealth
- T1027.008 Stripped Payloads Stealth
- T1027.009 Embedded Payloads Stealth
- T1027.010 Command Obfuscation Stealth
- T1027.012 LNK Icon Smuggling Stealth
- T1027.013 Encrypted/Encoded File Stealth
- T1027.014 Polymorphic Code Stealth
- T1029 Scheduled Transfer Exfiltration
- T1030 Data Transfer Size Limits Exfiltration
- T1036 Masquerading Stealth
- T1036.003 Rename Legitimate Utilities Stealth
- T1036.005 Match Legitimate Resource Name or Location Stealth
- T1036.008 Masquerade File Type Stealth
- T1037 Boot or Logon Initialization Scripts Persistence, Privilege Escalation
- T1037.002 Login Hook Persistence, Privilege Escalation
- T1037.003 Network Logon Script Persistence, Privilege Escalation
- T1037.004 RC Scripts Persistence, Privilege Escalation
- T1037.005 Startup Items Persistence, Privilege Escalation
- T1041 Exfiltration Over C2 Channel Exfiltration
- T1046 Network Service Discovery Discovery
- T1047 Windows Management Instrumentation Execution
- T1048 Exfiltration Over Alternative Protocol Exfiltration
- T1048.001 Exfiltration Over Symmetric Encrypted Non-C2 Protocol Exfiltration
- T1048.002 Exfiltration Over Asymmetric Encrypted Non-C2 Protocol Exfiltration
- T1048.003 Exfiltration Over Unencrypted Non-C2 Protocol Exfiltration
- T1052 Exfiltration Over Physical Medium Exfiltration
- T1052.001 Exfiltration over USB Exfiltration
- T1055 Process Injection Stealth, Privilege Escalation
- T1055.001 Dynamic-link Library Injection Stealth, Privilege Escalation
Weaknesses this control addresses (5)
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
| CWE-434 | Unrestricted Upload of File with Dangerous Type | 4,869 | Scans files from external sources on download/open/execute, blocking unrestricted uploads of dangerous file types. |
| CWE-502 | Deserialization of Untrusted Data | 3,125 | Identifies and blocks malicious code introduced through deserialization of untrusted data at system boundaries. |
| CWE-829 | Inclusion of Functionality from Untrusted Control Sphere | 254 | Detects and prevents inclusion of malicious functionality downloaded from untrusted control spheres. |
| CWE-494 | Download of Code Without Integrity Check | 242 | Performs real-time scans of downloaded code, mitigating risks from downloads lacking integrity checks. |
| CWE-506 | Embedded Malicious Code | 80 | Directly detects and eradicates embedded malicious code at entry/exit points via periodic and real-time scans. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
| CVE-2025-27665 | 2.0 | 9.8 | 0.0025 | good |
| CVE-2026-43003 | 1.6 | 8.0 | 0.0004 | good |
| CVE-2025-2783 (KEV) | 6.5 | 8.3 | 0.4745 | good |
| CVE-2025-8088 (KEV) | 4.3 | 8.8 | 0.0829 | good |
| CVE-2026-21510 (KEV) | 4.0 | 8.8 | 0.0404 | good |
| CVE-2025-1716 | 2.9 | 9.8 | 0.1625 | partial |
| CVE-2024-54756 | 2.1 | 9.8 | 0.0211 | good |
| CVE-2026-4809 | 2.0 | 9.8 | 0.0056 | good |
| CVE-2025-66802 | 2.0 | 9.8 | 0.0052 | good |
| CVE-2025-1945 | 2.0 | 9.8 | 0.0091 | good |
| CVE-2025-22133 | 2.0 | 9.9 | 0.0042 | good |
| CVE-2025-67164 | 2.0 | 9.9 | 0.0015 | good |
| CVE-2025-11948 | 2.0 | 9.8 | 0.0037 | good |
| CVE-2024-57169 | 2.0 | 9.8 | 0.0033 | good |
| CVE-2026-3535 | 2.0 | 9.8 | 0.0034 | good |
| CVE-2025-65099 | 2.0 | 9.8 | 0.0009 | good |
| CVE-2026-6443 | 2.0 | 9.8 | 0.0006 | good |
| CVE-2025-34195 | 2.0 | 9.8 | 0.0123 | partial |
| CVE-2019-25647 | 1.8 | 8.8 | 0.0029 | good |
| CVE-2026-28502 | 1.8 | 8.8 | 0.0028 | partial |
| CVE-2026-29041 | 1.8 | 8.8 | 0.0022 | good |
| CVE-2021-47904 | 1.8 | 8.8 | 0.0046 | good |
| CVE-2022-50936 | 1.8 | 8.8 | 0.0089 | partial |
| CVE-2021-47757 | 1.8 | 8.8 | 0.0064 | good |
| CVE-2025-21176 | 1.8 | 8.8 | 0.0141 | partial |