MD-03 Monitoring & Detection 6% of OML score

Are antivirus or security software alerts checked regularly?

This question asks whether someone in your company is actually reading and responding to warning messages from your antivirus or security software. Having security software installed is useless if alerts pop up and nobody acts on them—like having a smoke detector that goes off but nobody checks if there's a fire.

Why This Matters to Your Business

If security alerts are ignored, malware can spread silently through your network, steal customer data, or encrypt your files for ransom. A Delhi-based textile exporter ignored antivirus warnings for weeks; by the time the IT person checked, ransomware had locked 80% of their financial records and they lost ₹45 lakhs in ransom demands plus reputation damage with overseas buyers. Regulators and customers now expect Indian businesses to prove they monitor security tools actively—ignoring alerts can fail compliance audits, cost you government contracts, or cause GST registration issues.

What Each Maturity Level Looks Like

Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.

Level 0
Absent

You have no antivirus software installed on most computers, or it's installed but disabled. Nobody knows when or if alerts occur, and there's no process to handle them even if they did.

Level 1
Initial

You have antivirus on some machines and it's running, but alerts pile up in popup windows or notification trays that everyone ignores. There's no written rule about who should check them or what to do when one appears.

Level 2
Developing

Your antivirus is installed and running on all business computers. Someone (usually the IT person) occasionally checks alerts, but there's no fixed schedule and findings aren't documented or reported to management.

Level 3
Defined

Antivirus alerts are checked daily by a named person, and critical alerts trigger an immediate response. You keep a basic log of what was found and what was done, and the owner is notified of serious threats.

Level 4
Managed

Antivirus alerts are monitored on a dashboard or centrally managed tool, checked at least once per shift. All alerts are logged with timestamp, machine name, threat type, and action taken; trends are reviewed monthly in a management report.

Level 5
Optimised

Antivirus and broader security tools feed into an automated alert system that flags high-risk threats immediately to the IT lead and management. All alerts are logged, categorized, investigated within a defined SLA, and quarterly reports show detection trends, false positive rates, and improvements made based on findings.

How to Move Up — Practical Steps
Step | What to Do | Who | Effort
0 → 1 | Install a reputable free or paid antivirus (e.g., Windows Defender for all machines) and ensure it is enabled and set to notify on detections | IT Person or Designated Tech Lead | 1-2 days
1 → 2 | Create a simple written procedure: who checks antivirus alerts daily, what they do when they see one (isolate machine, report to IT lead), and a basic log sheet (date, machine name, threat found, action taken) | IT Person with Owner approval | 3-5 days
2 → 3 | Switch to a centrally managed antivirus tool (e.g., Kaspersky, Quick Heal) or free option (Windows Defender with Group Policy) so all alerts flow to one console; assign one person daily responsibility; escalate critical threats (ransomware, trojans) to owner same day | IT Person | 2-4 weeks
3 → 4 | Set up a simple dashboard or spreadsheet that auto-logs all alerts from your antivirus console; define response times (critical = 1 hour, medium = same day, low = weekly review); run a monthly trend report for management | IT Person or Junior Admin (if available) | 4-6 weeks
4 → 5 | Implement or upgrade to an integrated Security Information and Event Management (SIEM) or endpoint detection platform that correlates antivirus alerts with firewall and system logs; establish SLAs for investigation; conduct quarterly security reviews with board/owner | IT Manager or external cybersecurity consultant | Ongoing (quarterly reviews minimum)
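As an added example (not part of the NIRMATA guide or of any vendor's tooling), the following Python script works through the 3 → 4 and 4 → 5 steps above: it reads an alert log in the column layout the guide recommends (timestamp, machine name, threat type, action taken, who checked it), scores each alert against the response times defined above (critical = 1 hour, medium = same day, low = weekly review) and produces the monthly counts, false-positive rate and list of unreviewed alerts that a management report needs. The sample rows, machine names, threat names, the report date and the mapping from threat type to severity are all constructed for the example and are not data from any real console.

```python
"""Antivirus alert log triage and monthly trend report (added example).

Reads a CSV export in the guide's recommended column layout, checks each
alert against the response-time targets and summarises the month. The
severity mapping and sample rows below are assumptions for the example.
"""
import csv
import io
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample export, one row per alert, as a spreadsheet or console
# export might look. "acknowledged" is when the named person first acted on
# the alert; blank means nobody has reviewed it yet.
SAMPLE_LOG = """\
detected,machine,threat_type,threat_name,action_taken,checked_by,acknowledged
2024-03-01 09:12,ACC-PC-01,ransomware,Ransom:Win32/Example.A,quarantined,Ravi,2024-03-01 09:40
2024-03-01 11:05,DESIGN-03,trojan,Trojan:Win32/Example.B,quarantined,Ravi,2024-03-01 14:30
2024-03-02 16:45,FRONT-DESK,adware,PUA:Win32/Example.C,allowed,Ravi,2024-03-06 10:00
2024-03-05 08:20,ACC-PC-02,false_positive,Tool:Win32/Example.D,excluded,Ravi,2024-03-05 09:00
2024-03-09 13:00,DESIGN-01,trojan,Trojan:Win32/Example.E,quarantined,,
2024-03-12 10:10,WAREHOUSE,adware,PUA:Win32/Example.F,allowed,Ravi,2024-03-25 09:00
2024-03-15 09:00,HR-PC,spyware,Spyware:Win32/Example.G,quarantined,Ravi,2024-03-15 17:00
"""

# Constructed date on which the monthly report is run (assumption).
REPORT_DATE = datetime(2024, 4, 1)

# Severity per threat type (assumption for the example). Types the console
# reports that are not listed here fall into the "medium" class.
SEVERITY = {
    "ransomware": "critical",
    "trojan": "critical",
    "adware": "low",
    "false_positive": "low",
}

# Response-time targets from the guide's 3 -> 4 step.
SLA_WINDOW = {
    "critical": timedelta(hours=1),
    "medium": timedelta(days=1),
    "low": timedelta(days=7),
}


def parse_log(text):
    """Parse the CSV export into a list of dicts with datetime fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["detected"] = datetime.strptime(row["detected"], "%Y-%m-%d %H:%M")
        row["acknowledged"] = (
            datetime.strptime(row["acknowledged"], "%Y-%m-%d %H:%M")
            if row["acknowledged"] else None
        )
        row["severity"] = SEVERITY.get(row["threat_type"], "medium")
        rows.append(row)
    return rows


def sla_status(row, now):
    """Return 'met', 'breached' or 'open' for one alert.

    An alert nobody has acknowledged is 'open' while its window is still
    running and 'breached' once the window has passed; that unreviewed,
    overdue case is exactly what an auditor will ask about.
    """
    deadline = row["detected"] + SLA_WINDOW[row["severity"]]
    if row["acknowledged"] is None:
        return "breached" if now > deadline else "open"
    return "met" if row["acknowledged"] <= deadline else "breached"


def monthly_report(rows, now):
    """Counts a management report needs: by type, SLA results, FP rate."""
    by_type = Counter(r["threat_type"] for r in rows)
    sla = Counter(sla_status(r, now) for r in rows)
    fps = by_type.get("false_positive", 0)
    return {
        "total": len(rows),
        "by_type": dict(by_type),
        "sla": dict(sla),
        "false_positive_rate": round(fps / len(rows), 2) if rows else 0.0,
        "unreviewed": [r["machine"] for r in rows if r["acknowledged"] is None],
    }


def example_report():
    """Run the report over the constructed sample log."""
    return monthly_report(parse_log(SAMPLE_LOG), REPORT_DATE)


if __name__ == "__main__":
    for key, value in example_report().items():
        print(f"{key}: {value}")
```

Two design points carry over to a real log: the severity class is decided by the script, not by whoever files the alert, so a critical threat cannot be quietly downgraded, and an unacknowledged alert past its window is reported as a breach rather than left invisible, which is the failure the "IT person on leave" auditor question is probing.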
Evidence You Should Have

Documents and records that prove your maturity level.

  • Written procedure document naming the person responsible for checking antivirus alerts and the escalation process (e.g., owner signature and date on the document)
  • Daily or weekly antivirus alert log showing date, machine name, threat type, action taken, and who checked it (can be a spreadsheet or antivirus console export)
  • Screenshots or export from antivirus management console showing alerts in the past 30 days with status (resolved, quarantined, deleted)
  • Email or incident report showing at least one alert was escalated to management or owner in the past month, with response recorded
  • Antivirus configuration report or policy document confirming alerts are set to 'notify' and not silent, and that auto-quarantine is enabled
What an Auditor Will Ask

Prepare for these questions from customers or third-party reviewers.

  • "Can you show me the log of antivirus alerts checked in the last 30 days? Who is responsible for reviewing them daily?"
  • "When was the last time a critical security alert was found? Walk me through what happened next—who was notified, how fast, and what was the outcome?"
  • "Is your antivirus console centralized so you can see alerts from all computers in one place, or do you check each machine individually?"
  • "How do you ensure alerts aren't missed—for example, if the IT person is on leave or the office closes for a holiday?"
  • "Do you have a documented response time for different types of threats (e.g., ransomware vs. adware), and can you prove you met it in recent cases?"
Tools That Work in India
Purpose | Free Option | Paid Option
Basic real-time antivirus and malware detection for all machines | Windows Defender (built into Windows 10/11, adequate for small business); ClamAV (open-source, requires more setup) | Quick Heal Total Security (₹3,000–6,000/year per device); Kaspersky Small Office Security (₹4,000–8,000/year per device); Bitdefender Business Security (₹2,500–5,000/year per device)
Centralized antivirus management and alert console for multiple machines | Windows Defender for Business (Group Policy based, included in Windows Pro/Enterprise); OpenEDR (open-source, technical setup) | Quick Heal Total Security Admin Console (₹15,000–30,000/year for 10–25 devices); Kaspersky Small Office Security Management (₹20,000–40,000/year); SentinelOne Endpoint Protection (₹50,000–100,000+/year, enterprise-grade)
Alert log and trend reporting to track detections over time | Google Sheets or LibreOffice Calc (manual log); antivirus native reporting (exported quarterly); open-source SIEM trial (Wazuh, limited features) | Microsoft Defender for Business (₹1,500–3,000/year per device, includes alerting); Splunk (enterprise, ₹200,000+/year); Graylog (mid-market, ₹100,000–150,000/year)
How This Makes You More Resilient
When you actively monitor and respond to antivirus alerts, you catch and stop malware infections before they spread across your network or steal sensitive data—meaning fewer ransomware incidents, data breaches, and business downtime. This control directly reduces the time between when a threat enters your system and when you neutralize it, turning your security software from a decorative tool into an actual defense. Your business stays operational, customer data stays safe, and you avoid the ₹10 lakh to ₹1 crore+ costs of a real breach or ransomware attack.
Common Pitfalls in India
  • Installing antivirus but disabling it to 'speed up' the computer—this leaves machines unprotected. Instead, use a lighter antivirus (Windows Defender is built-in and fast) or upgrade the machine's RAM.
  • Assigning alert monitoring to someone with no clear time set aside for it, so they never actually check—alerts pile up unread in the background. Fix this by naming one person, giving them 30 minutes daily as a formal task, and tracking it in a log.
  • Silencing or suppressing antivirus alerts because they trigger too often on false positives—then missing a real attack. Instead, tune the antivirus rules (exclude legitimate files) or accept the noise and log/review it weekly rather than ignore it.
  • Not escalating critical alerts (ransomware, trojans) to management or the owner because the IT person thinks they can 'handle it'—then the problem grows. Establish a rule: critical threats go to the owner same day, always.
  • Assuming paid antivirus is always better than free—many Indian MSMEs overpay for licenses they don't use. Evaluate Windows Defender or Quick Heal community edition first; upgrade only if you need centralized management.
Compliance References
Standard | Relevant Section
DPDP Act 2023 | Section 8(2)(d) – reasonable security practices to prevent unauthorized processing of personal data
CERT-In Guidelines 2022 | Direction 4 – implement endpoint protection and maintain logs of security incidents
ISO 27001:2022 | A.8.7 – protection against malware; A.12.4.1 – event logging and monitoring
NIST CSF 2.0 | Detect (DE.AE-1, DE.AE-2) – anomalies and events are detected and analyzed; Respond (RS.RP-1) – response plan is executed


TRUST-IN Bharat · NIRMATA Framework · Licensed CC BY-SA 4.0 · Custodian: Elytra Security
