
Carbon Black’s CB Defense is the First Next-Generation Antivirus (NGAV) to Prove Complete Antivirus (AV) Efficacy to Meet PCI DSS Requirement 5

Results from Coalfire Systems’ attestation report provide evidence that CB Defense has stronger AV efficacy than previously published reports from CrowdStrike and Cylance

WALTHAM, MA — November 1, 2016 — Carbon Black, the leader in next-generation endpoint security, today announced that CB Defense, the company’s next-generation antivirus (NGAV) solution, is the first NGAV to prove complete antivirus (AV) efficacy to directly meet Payment Card Industry Data Security Standard (PCI DSS) Requirement 5, providing organizations with the ability to replace traditional antivirus.

Coalfire Systems measured CB Defense against the most current and comprehensive PCI DSS AV testing done in the market today.

According to Coalfire, CB Defense was independently validated as an AV security control that directly meets PCI DSS Requirement 5. Coalfire is a leading assessor for global PCI, compliance and IT advisory services for security in retail, payments, healthcare, financial services, higher education, hospitality, government and utilities.

Results from Coalfire’s testing provide evidence that CB Defense has stronger AV efficacy than previously published reports from competing vendors, including CrowdStrike and Cylance. These reports only included a general mapping against the requirements, listing indirect coverage of each of the sections in Requirement 5. Coalfire tested CB Defense against all sections of Requirement 5 and provided proof of AV-efficacy for each one.

“Many organizations are very unhappy with their traditional antivirus products,” said Christopher Strand, Carbon Black’s security, risk and compliance officer. “At the same time, these organizations are concerned that if they replace AV, they will fail to meet compliance requirements. The Coalfire report offers technical proof that CB Defense serves as a next-generation antivirus solution that meets compliance guidelines and is situated to lead the way in the endpoint-security market. Carbon Black’s key customers in retail, hospitality, finance and healthcare are thrilled to have this additional component to defense in their arsenals.”

According to Coalfire’s PCI DSS requirement-coverage matrix, CB Defense directly met the technical requirements of all anti-malware security controls listed in Requirement 5 of the standard and provided additional support for sections requiring merchant or manual action. Coalfire’s assessment found that CB Defense can be used as a direct control to meet the following technical requirements listed in PCI DSS Requirement 5:

Requirement 5.1:

CB Defense detects all known types of malicious software.
CB Defense removes all known types of malicious software.
CB Defense protects against all known types of malicious software.

Requirement 5.2:

CB Defense ensures all AV mechanisms are maintained by keeping current, offering proof of endpoint analysis and security control and generating audit logs.

Requirement 5.3:

CB Defense has tamper protection and can enforce policy and procedures.

CB Defense Meets NGAV Requirements

CB Defense is a cloud-based NGAV solution for desktops, laptops, and servers that combines advanced protection with detection and response capabilities. CB Defense is designed to protect organizations from the full spectrum of modern cyber attacks and deliver the best endpoint protection with the least amount of work.

Other point solutions, such as Cylance, simply rely on all-or-nothing artificial-intelligence prevention methods. CB Defense’s deep-analytic approach inspects files and identifies malicious behavior to block both malware and increasingly common malware-less attacks that exploit memory and scripting languages, such as PowerShell. These capabilities are consistent with the requirements laid out in the upcoming SANS webinar, “Ready to Replace AV? Criteria to Evaluate NGAV Solutions.”


PCI DSS provides the framework to address the growing threats to customer payment information. According to the PCI Security Standards Council, companies that accept, process or receive payments should adopt the framework as soon as possible to prevent, detect and respond to cyberattacks that can lead to breaches. PCI DSS Requirement 5 is used by many organizations as a de facto measure of AV-solution compliance.