@gaysteve @donaldball @calamari this sounds like the most accurate description to me. I’ve been through the SOC process a few times, I can see how companies want to take some mostly reasonable norms on what they’re supposed to audit and try to abstract it to a software package.

I have always found the anti-malware norms both reasonable in principle and vexing in implementation myself. This is where invasive endpoint software shows up.