Your anti-malware is only as good as its last update
Cyber Essentials asks whether anti-malware is set to update automatically, because outdated protection can pass a visual check while missing every new threat.
Here's a scenario that plays out often enough to be a pattern, not a one-off: a business installs proper anti-malware software on every device, exactly as it should. Eighteen months later, nobody has thought about it since. The software is still running, the icon is still in the system tray, everything looks fine at a glance. What's actually happened is the virus definitions haven't updated in months, because updates were left on manual, and manual means nobody ever did it. The protection people assumed was current has been working from a list of threats that's a year and a half out of date.
Cyber Essentials asks a direct follow-up question under CE4 Malware Protection: is your anti-malware set to update automatically? It's a separate question from whether anti-malware is installed at all, and it catches a gap that's easy to miss precisely because the software still appears to be working.
Why installed isn't the same as effective
Anti-malware software identifies threats by comparing what's on a device against a constantly updated database of known malicious code, plus, increasingly, behavioural patterns that flag suspicious activity even from threats not yet catalogued. That database needs refreshing constantly, because new malware variants appear daily. Software running on month-old definitions isn't protecting against month-old malware; it's protecting against malware that existed when those definitions were last pulled, and missing everything since.
This is exactly why Cyber Essentials separates "is it installed" from "is it set to update automatically." A business can answer yes to the first question entirely honestly while still being functionally unprotected against anything recent, because the gap isn't whether the software exists but whether it's actually current.
Why automatic updates get turned off, or never turned on
Sometimes it's a deliberate choice that made sense once and was never revisited: someone disabled automatic updates years ago because an update once caused a conflict with another piece of software, and the setting was never switched back. Sometimes it's simpler than that. Default settings vary between products, and not every anti-malware tool ships with automatic updates switched on out of the box, particularly on older installations that predate current defaults.
On a device managed centrally through a business IT platform, this is usually straightforward to enforce and monitor. On devices managed individually, especially personal devices used under a bring-your-own-device arrangement, automatic updates depend entirely on whether the individual using the device has left the setting alone, which is a much less reliable foundation for something this important.
How to actually verify this, not just assume it
Checking the setting once isn't the same as confirming it's working. Most business-grade anti-malware platforms offer centralised dashboards showing definition update status across every managed device, which is the most reliable way to confirm coverage rather than checking device by device. If your current setup doesn't offer that visibility, that's worth treating as a gap in itself, since you can't confirm compliance with something you can't actually see.
For devices outside centralised management, a manual spot check is better than nothing: open the anti-malware software directly and look at the last update timestamp. If it's more than a few days old, automatic updates aren't working as intended, regardless of what the setting claims.
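The check described above, as an added example that is not part of the original article: it reads a dashboard export and judges each device by its real last-update timestamp, not only by the setting. The CSV column names, the sample rows and the three-day threshold are assumptions made for illustration, not any vendor's format.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(days=3)  # assumption: "a few days" read as three days

# Constructed sample export; column names are hypothetical, not from any vendor.
SAMPLE_EXPORT = """device,auto_update,last_definition_update
LAPTOP-01,on,2024-05-14T06:10:00+00:00
LAPTOP-02,on,2024-03-02T09:00:00+00:00
DESKTOP-07,off,2024-05-13T22:45:00+00:00
PHONE-03,on,
TABLET-04,off,2022-11-20T08:30:00+00:00
"""

def classify(row, now, max_age=MAX_AGE):
    """Return a status based on the real timestamp, not only the setting."""
    auto = row["auto_update"].strip().lower() == "on"
    stamp = row["last_definition_update"].strip()
    if not stamp:
        return "NO_DATA"  # never updated, or the device is not reporting
    updated = datetime.fromisoformat(stamp)
    if updated.tzinfo is None:
        updated = updated.replace(tzinfo=timezone.utc)  # assume UTC if unmarked
    if now - updated > max_age:
        # Setting says "on" but definitions are old: the updater is failing.
        return "STALE_AUTO_ON" if auto else "STALE_AUTO_OFF"
    # Fresh today; with auto-update off, that freshness depends on a person.
    return "CURRENT" if auto else "CURRENT_MANUAL"

def audit(export_text, now):
    """Map each device name to its status."""
    reader = csv.DictReader(io.StringIO(export_text))
    return {row["device"]: classify(row, now) for row in reader}

if __name__ == "__main__":
    now = datetime(2024, 5, 15, 9, 0, tzinfo=timezone.utc)  # fixed for the sample
    for device, status in audit(SAMPLE_EXPORT, now).items():
        print(f"{device:12} {status}")
```

Devices reported as STALE_AUTO_ON are the case the article warns about: the setting claims automatic updates while the definitions say otherwise.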
Frequently asked questions
How often should anti-malware definitions actually update?
Most modern anti-malware products update definitions multiple times a day automatically; if your last update was more than a day or two ago, something has likely gone wrong with the automatic process.
Can automatic updates cause problems, like slowing down a device or breaking other software?
Occasionally an update can cause a temporary conflict, but the risk of running outdated protection is consistently higher than the risk of an update issue, and most conflicts are resolved quickly by the vendor.
Does this requirement apply to mobile devices too, not just laptops and desktops?
Yes, any device covered by your anti-malware requirement under Cyber Essentials needs its protection kept current, including phones and tablets used for work.
What if our anti-malware doesn't have an automatic update option at all?
That's a sign the product itself may not meet current standards; most reputable business anti-malware tools have supported automatic updates for years, so its absence is worth treating as a reason to review the product, not just the setting.
Will an assessor check update status on specific devices, or just ask if the policy exists?
Assessors typically ask about your general approach and may request evidence, such as a dashboard screenshot or update logs, showing definitions are genuinely current rather than just configured to be.
Run a free scan of your domain and your CE Readiness checklist will walk through this and the rest of CE4 Malware Protection, ready before your assessor asks: olimpio.io/free-scan