Antivirus Screenshot Guide

Last updated on Sep 23, 2025

1. Purpose of this Guide

This artefact shows that endpoints are actively protected by anti-virus (also known as anti-malware or Endpoint Detection & Response). Most compliance standards require evidence that:

  • Anti-malware tools are installed and running,

  • Agents are deployed across company devices, and

  • Status is visible and monitored.

It’s your digital health check — proving your systems are protected, connected, and up to date.


2. What You Will Submit

You will need:

  • A screenshot from your anti-virus or endpoint protection system showing:

    • Device/endpoint coverage (inventory list).

    • Protection status (Protected, Active, Connected).

    • Agent version installed.

    • Last check-in time (to prove recency).


3. How to Collect / Obtain / Generate This Evidence

Using StrongKeep:

  1. Navigate to PROTECTION > ENDPOINTS > MANAGEMENT on the StrongKeep dashboard.

  2. Generate a report or take a screenshot of the page.

Palo Alto Cortex XDR:

  1. Open the Cortex XDR agent on the endpoint.

  2. Ensure the view shows the “Protected” status, the version number, and the last check-in.

  3. Capture a screenshot of this view.

Microsoft Defender for Endpoint:

  1. Go to the Microsoft 365 Security Portal → Endpoints → Device inventory.

  2. Show the list of devices with status “Active/Healthy.”

  3. Take a screenshot including device names, status, and last seen.

Sophos Central:

  1. Log in to the Sophos Central Admin Console.

  2. Go to Devices and view the device list.

  3. Take a screenshot showing user/device name, protection status (green tick), and last check-in.

CrowdStrike Falcon:

  1. Log in to the CrowdStrike Falcon Console.

  2. Go to Hosts → Host Management.

  3. Take a screenshot showing hostnames, sensor version, last seen, and protection state.


4. Evidence Format

  • Accepted file types: PNG, JPG, PDF.

  • Suggested naming format:
    YourCompanyName_AntivirusScreenshot_YYYY-MM-DD.png


5. What “Good” Looks Like

  • Screenshot clearly shows “Protected/Active” status.

  • Version number and last check-in time are visible.

  • Covers multiple endpoints (not just one, if possible).

  • Demonstrates the tool is running and current.

Why it matters: auditors want more than “we installed AV once” — they need proof it’s live, monitored, and protecting your company right now.


6. Tips

  • Make sure the screenshot is recent (within 3 months).

  • Redact sensitive hostnames or emails before uploading.

  • If you use multiple tools (e.g. Defender + Cortex XDR), pick one as your primary screenshot for clarity.