
Antivirus Agent Logs Guide

Last updated on Sep 22, 2025

1. Purpose of this Guide

This artefact proves that all your company’s devices are actively protected by anti-virus or endpoint detection and response (EDR) software. Cyber Essentials demands proof that:

  • Anti-malware tools are installed on every endpoint.

  • Agents are deployed and reporting in.

  • Connection status and updates are monitored.

Think of it as your “shield wall” — showing no device is left exposed.


2. What You Will Submit

You will need:

  • A screenshot from your anti-virus / EDR system showing:

    • A list of protected devices (endpoint inventory).

    • Their status (active, installed, connected, last check-in).

    • Agent version or update status.

  • Examples of suitable systems: Palo Alto Cortex XDR, Microsoft Defender for Endpoint, CrowdStrike, SentinelOne, Sophos Central, Kaspersky, Avast Business.


3. How to Collect / Obtain / Generate This Evidence

Palo Alto Cortex XDR (bundled with StrongKeep):

  1. Navigate to PROTECTION > ENDPOINTS in your StrongKeep dashboard.

  2. Capture a screenshot showing:

    • Endpoint names, timestamps, and policy actions.

    • Status (Success, Informational, High severity alerts).

    • Agent version.

Microsoft Defender for Endpoint (included with Microsoft 365 Business Premium):

  1. Go to the Microsoft 365 Security & Compliance Center → Endpoints → Device inventory.

  2. Filter the view to show all registered devices.

  3. Capture a screenshot that includes:

    • Device names (showing multiple endpoints)

    • Antivirus/EDR status (Active, Healthy, Not reporting)

    • Last seen or last update time

    • Agent version (if visible)

Sophos Central:

  1. Log in to the Sophos Central Admin Console.

  2. Navigate to Devices.

  3. Take a screenshot showing:

    • Device list with user/hostname

    • Protection status (green ticks for healthy devices)

    • Last check-in time

    • Policy compliance status (enabled, disabled, out of date)

CrowdStrike Falcon:

  1. Log in to the CrowdStrike Falcon Console.

  2. Go to Host Management → Host setup.

  3. Screenshot the table that shows:

    • Hostname / user

    • Sensor version

    • Last seen timestamp

    • Connection status (Online, Offline)


4. Evidence Format

  • Accepted file types: PNG, JPG, PDF.

  • Suggested naming format:
    YourCompanyName_AntivirusAgentLogs_YYYY-MM-DD.png


5. What “Good” Looks Like

  • Visible endpoint names (shows coverage across multiple devices).

  • Agent status (installed, active, last logon, last update).

  • Version number or timestamp (to prove agents are current).

  • Clear evidence of monitoring/alerts (audit logs or dashboards).

Why this matters: auditors want to see that you’re not just relying on “we think it’s installed” — but that there’s proof in the logs.
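Before taking the screenshot, it helps to check the inventory against the criteria above so the evidence you submit does not itself reveal gaps. The script below is an added example, not part of this guide or of any vendor's console: it assumes you have exported the device inventory as a CSV with hostname, status, last_seen and agent_version columns (the sample rows, the expected version and the 30-day check-in threshold are all constructed for illustration), and it flags devices that are offline, have not checked in recently, or run an old agent.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample export (not from any real console): one row per endpoint,
# in the shape most EDR consoles offer as a CSV download of the device inventory.
SAMPLE_EXPORT = """hostname,status,last_seen,agent_version
laptop-01,Online,2025-09-20T08:15:00Z,8.3.1
laptop-02,Online,2025-09-21T17:40:00Z,8.3.1
desktop-03,Offline,2025-07-02T09:00:00Z,8.2.0
server-04,Online,2025-09-22T06:05:00Z,8.3.1
"""

EXPECTED_VERSION = "8.3.1"  # assumed current agent release for your tenant
MAX_STALE_DAYS = 30         # assumed check-in threshold; tune to your policy
AS_OF = datetime(2025, 9, 22, tzinfo=timezone.utc)  # date the evidence is reviewed


def review_inventory(csv_text, as_of=AS_OF, expected_version=EXPECTED_VERSION,
                     max_stale_days=MAX_STALE_DAYS):
    """Return the endpoint count and the hostnames failing each coverage check."""
    findings = {"total": 0, "stale": [], "offline": [], "outdated": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        findings["total"] += 1
        host = row["hostname"].strip()
        # Last check-in: an agent that has not reported in recently is not evidence of protection.
        last_seen = datetime.fromisoformat(row["last_seen"].strip().replace("Z", "+00:00"))
        if as_of - last_seen > timedelta(days=max_stale_days):
            findings["stale"].append(host)
        # Connection status as the console reports it (Online / Offline).
        if row["status"].strip().lower() != "online":
            findings["offline"].append(host)
        # Agent version: an outdated sensor undermines the "agents are current" claim.
        if row["agent_version"].strip() != expected_version:
            findings["outdated"].append(host)
    return findings


def coverage_ok(findings):
    """True only when every endpoint passes all three checks."""
    return not (findings["stale"] or findings["offline"] or findings["outdated"])


if __name__ == "__main__":
    result = review_inventory(SAMPLE_EXPORT)
    print(result)
    print("evidence ready" if coverage_ok(result) else "fix the flagged devices first")
```

Resolve or document any flagged device before capturing the screenshot; an auditor will ask about an endpoint that is visibly offline or months behind.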


6. Tips

  • Redact sensitive details (e.g. usernames, hostnames) if needed.

  • Make sure the screenshot is recent — ideally within the last 3 months.

  • Capture enough rows/devices to show broad coverage, not just one machine.