McAfee MOVE AV Agentless 4.5 Security Technical Implementation Guide

  • Version/Release: V1R1
  • Published: 2017-12-01

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
The admin password for the McAfee MOVE AV Agentless Security Virtual Machine (SVM) must be changed from the default.
  • RMF Control: SC-8
  • Severity: High
  • CCI: CCI-002418
  • Version: MV45-GEN-200002
  • Vuln IDs: V-78461
  • Rule IDs: SV-93167r1_rule
The preconfigured Security Virtual Appliance (SVA) ships with a default password for the "SVAadmin" account. This account has root privileges on the Linux operating system of the appliance. If the password is not changed from the default, the appliance is open to access by unauthorized individuals.
Checks: C-78023r1_chk

If the McAfee SVM was deployed manually, physically log into the McAfee SVM and confirm the password has been changed from the default. If the password has not been changed from the default, this is a finding. If the McAfee SVM was deployed with VMware vCNS or VMware NSX, access the McAfee ePO console. From the Menu, select Automation >> MOVE AntiVirus Deployment. Under General >> General Configuration >> SVM Configuration (Agentless Only), verify the "Password" shows as configured. It will be masked. Verify with the System Administrator that the password has been changed from the default password. If "Password" does not show as configured and has not been changed from the default password, this is a finding.

Fix: F-85195r1_fix

If the McAfee SVM was deployed manually, physically log into the McAfee SVM and change the password from the default. If the McAfee SVM was deployed with VMware vCNS or VMware NSX, access the McAfee ePO console. From the Menu, select Automation >> MOVE AntiVirus Deployment. Under General >> General Configuration >> SVM Configuration (Agentless Only), populate the "Password" with a unique password. Confirm the password. Click "Save".

The McAfee MOVE AV On Access Scan policy must be configured to enable protection.
  • RMF Control: SI-3
  • Severity: High
  • CCI: CCI-001242
  • Version: MV45-OAS-200001
  • Vuln IDs: V-78463
  • Rule IDs: SV-93169r1_rule
Anti-virus software should be installed as soon after operating system installation as possible and then updated with the latest signatures and anti-virus software patches (to eliminate any known vulnerabilities in the anti-virus software itself). The anti-virus software should then perform a complete scan of the host to identify any potential infections. To support the security of the host, the anti-virus software should be configured and maintained properly so it continues to be effective at detecting and stopping malware. Anti-virus software is most effective when its signatures are fully up to date. Accordingly, anti-virus software should be kept current with the latest signature and software updates to improve malware detection.
Checks: C-78025r1_chk

Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list. From the Category list, select "On Access Scan". Select each configured On Access Scan policy. Under "On-access scan", verify the "Enable on-access scan" check box is selected. If the "Enable on-access scan" check box is not selected, this is a finding.

Fix: F-85197r1_fix

Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list. From the Category list, select "On Access Scan". Select each configured On Access Scan policy. Under "On-access scan", select the "Enable on-access scan" check box. Click "Save".

The McAfee MOVE AV On Access Scan policy must be configured to enforce a maximum On-Access Scan timeout of no less than 45 seconds.
  • RMF Control: SI-3
  • Severity: Medium
  • CCI: CCI-001242
  • Version: MV45-OAS-200002
  • Vuln IDs: V-78465
  • Rule IDs: SV-93171r1_rule
This setting configures the amount of time, in seconds, to wait for a scan to complete. The default setting is 45 seconds. This is the duration for which a McAfee MOVE AV Agent will wait for the scan response for a file from the Security Virtual Machine (SVM). Typically, file scans are very fast. However, file scans may take longer due to large file size, file type, or heavy load on the SVM. If the file scan takes longer than the scan timeout limit, the file access is allowed and a scan timeout event is generated. Setting the timeout too low may result in scans of a file terminating before the scan is completed, resulting in malware potentially going undetected.
Checks: C-78027r1_chk

Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list. From the Category list, select "On Access Scan". Select each configured On Access Scan policy. Click "Show Advanced". Under "On-access Scan", verify the "Specify maximum time for each file scan" is configured for "45" seconds or more. If "Specify maximum time for each file scan" is not configured for "45" seconds or more, this is a finding.

Fix: F-85199r1_fix

Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list. From the Category list, select "On Access Scan". Select each configured On Access Scan policy. Click "Show Advanced". Under "On-access Scan", set the "Specify maximum time for each file scan" for "45" seconds or more. Click "Save".

The McAfee MOVE AV On Access Scan policy must be configured to scan files when writing to disk.
  • RMF Control: SI-3
  • Severity: Medium
  • CCI: CCI-001242
  • Version: MV45-OAS-200004
  • Vuln IDs: V-78467
  • Rule IDs: SV-93173r1_rule
Anti-virus software is the most commonly used technical control for malware threat mitigation. Real-time scanning of files as they are written to disk is a crucial first line of defense from malware attacks.
Checks: C-78029r1_chk

Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list. From the Category list, select "On Access Scan". Select each configured On Access Scan policy. Under "Scan", verify the "When writing to disk" check box is selected. If the "When writing to disk" check box is not selected, this is a finding.

Fix: F-85201r1_fix

Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list. From the Category list, select "On Access Scan". Select each configured On Access Scan policy. Under "Scan", select the "When writing to disk" check box. Click "Save".

The McAfee MOVE AV On Access Scan policy must be configured to scan files when reading from disk.
  • RMF Control: SI-3
  • Severity: Medium
  • CCI: CCI-001242
  • Version: MV45-OAS-200005
  • Vuln IDs: V-78469
  • Rule IDs: SV-93175r1_rule
Anti-virus software is the most commonly used technical control for malware threat mitigation. Real-time scanning of files as they are read from disk is a crucial first line of defense from malware attacks.
Checks: C-78031r1_chk

Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list. From the Category list, select "On Access Scan". Select each configured On Access Scan policy. Under On-access Scan >> Scan, verify the "When reading from disk" check box is selected. If the "When reading from disk" check box is not selected, this is a finding.

Fix: F-85203r1_fix

Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list. From the Category list, select "On Access Scan". Select each configured On Access Scan policy. Under "Scan", select the "When reading from disk" check box. Click "Save".

The McAfee MOVE AV On Access Scan policy must be configured to scan all file types.
  • RMF Control: SI-3
  • Severity: Medium
  • CCI: CCI-001242
  • Version: MV45-OAS-200006
  • Vuln IDs: V-78471
  • Rule IDs: SV-93177r1_rule
When scanning for malware, excluding specific file types will increase the risk of a malware-infected file going undetected. By configuring anti-virus software to scan all file types, the scanner has a higher success rate at detecting and eradicating malware.
Checks: C-78033r1_chk

Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list. From the Category list, select "On Access Scan". Select each configured On Access Scan policy. Under "File Types to Scan", verify the "All files" radio button is selected. If the File Types to Scan "All files" radio button is not selected, this is a finding.

Fix: F-85205r1_fix

Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list. From the Category list, select "On Access Scan". Select each configured On Access Scan policy. Under "File Types to Scan", select the "All files" radio button. Click "Save".

Path or file exclusions configured in the McAfee MOVE AV On Access Scan policy must be formally documented by the System Administrator and approved by the ISSO/ISSM.
  • RMF Control: CM-6
  • Severity: Medium
  • CCI: CCI-000366
  • Version: MV45-OAS-200007
  • Vuln IDs: V-78473
  • Rule IDs: SV-93179r1_rule
When scanning for malware, excluding specific file types will increase the risk of a malware-infected file going undetected. By configuring anti-virus software to scan all file types, the scanner has a higher success rate at detecting and eradicating malware. Excluding files, paths, and processes from being scanned expands the potential for malware to be allowed onto the information system. While it is recognized that some file types might need to be excluded for operational reasons and/or because protection is afforded to those files through a different mechanism, allowing those exclusions should always be vetted, documented, and approved before applying.
Checks: C-78035r1_chk

Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list. From the Category list, select "On Access Scan". Select each configured On Access Scan policy. Under "Exclusions", verify no Path Exclusions have been configured other than the following:

  • **\McAfee\Common Framework\
  • **\Program Files\McAfee\Agent\
  • *.log

If any Path Exclusions are configured and those Path Exclusions have not been formally documented by the System Administrator and approved by the ISSO/ISSM, this is a finding.

Fix: F-85207r1_fix

Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list. From the Category list, select "On Access Scan". Select each configured On Access Scan policy. Under "Exclusions", remove any Path Exclusions that have been configured other than the following and that have not been formally documented by the System Administrator and approved by the ISSO/ISSM:

  • **\McAfee\Common Framework\
  • **\Program Files\McAfee\Agent\
  • *.log

Click "Save".

The McAfee MOVE AV On Access Scan policy must be configured to delete files automatically and quarantine as the first response of a threat detection.
  • RMF Control: SI-3
  • Severity: Medium
  • CCI: CCI-001241
  • Version: MV45-OAS-200008
  • Vuln IDs: V-78475
  • Rule IDs: SV-93181r1_rule
Malware incident containment has two major components: stopping the spread of malware and preventing further damage to hosts. Disinfecting a file is generally preferable to quarantining it because the malware is removed and the original file restored; however, many infected files cannot be disinfected. The primary goal of eradication is to remove malware from infected hosts.
Checks: C-78037r1_chk

Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list. From the Category list, select "On Access Scan". Select each configured On Access Scan policy. Click "Actions". Under "Threat detection first response", verify "Delete files automatically and quarantine" is selected. If "Threat detection first response" is not set to "Delete files automatically and quarantine", this is a finding.

Fix: F-85209r1_fix

Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list. From the Category list, select "On Access Scan". Select each configured On Access Scan policy. Click "Actions". Under "Threat detection first response", select "Delete files automatically and quarantine" from the drop-down list. Click "Save".

The McAfee MOVE AV policy must be configured to enable On-Demand scanning.
  • RMF Control: SI-3
  • Severity: Medium
  • CCI: CCI-001241
  • Version: MV45-ODS-200001
  • Vuln IDs: V-78477
  • Rule IDs: SV-93183r1_rule
Anti-virus software is the most commonly used technical control for malware threat mitigation. Anti-virus software on hosts should be configured to scan all hard drives and folders regularly to identify any file system infections and to scan any removable media, if applicable, before media is inserted into the system. Not scheduling a regular scan of the hard drives of a system and/or not configuring the scan to scan all files and running processes introduces a higher risk of threats going undetected.
Checks: C-78039r1_chk

Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list. From the Category list, select "On Demand Scan". Select each configured On Demand Scan policy. Click "Show Advanced". Under "On-demand Scan", verify the "Enable on-demand scan" check box is selected. If the "Enable on-demand scan" check box is not selected, this is a finding.

Fix: F-85211r1_fix

Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list. From the Category list, select "On Demand Scan". Select each configured On Demand Scan policy. Click "Show Advanced". Under "On-demand Scan", select the "Enable on-demand scan" check box. Click "Save".

The McAfee MOVE AV On Demand Scan policy must be configured to enforce a maximum time for each file scan of no less than 45 seconds.
  • RMF Control: SI-3
  • Severity: Medium
  • CCI: CCI-001241
  • Version: MV45-ODS-200002
  • Vuln IDs: V-78479
  • Rule IDs: SV-93185r1_rule
This setting configures the amount of time, in seconds, to wait for a scan to complete. The default setting is 45 seconds. This is the duration for which a McAfee MOVE AV Agent will wait for the scan response for a file from the Security Virtual Machine (SVM). Typically, file scans are very fast. However, file scans may take longer due to large file size, file type, or heavy load on the SVM. If the file scan takes longer than the scan timeout limit, the file access is allowed and a scan timeout event is generated. Setting the timeout too low may result in scans of a file terminating before the scan is completed, resulting in malware potentially going undetected.
Checks: C-78041r1_chk

Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list. From the Category list, select "On Demand Scan". Select each configured On Demand Scan policy. Click "Show Advanced". Under "On-demand Scan", verify the "Specify maximum time for each file scan" is configured for 45 seconds or more. If the "Specify maximum time for each file scan" is not configured for 45 seconds or more, this is a finding.

Fix: F-85213r1_fix

Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list. From the Category list, select "On Demand Scan". Select each configured On Demand Scan policy. Click "Show Advanced". Under "On-demand Scan", configure the "Specify maximum time for each file scan" for 45 seconds or more. Click "Save".

The McAfee MOVE AntiVirus On Demand Scan policy must be configured to stop an on-demand scan after 150 minutes.
  • RMF Control: SI-3
  • Severity: Medium
  • CCI: CCI-001241
  • Version: MV45-ODS-200003
  • Vuln IDs: V-78481
  • Rule IDs: SV-93187r1_rule
This setting configures the maximum time (in minutes) for on-demand scanning. The default setting is 150 minutes. Typically, file scans are very fast. However, file scans may take longer due to large file size, file type, or heavy load on the Security Virtual Machine (SVM). For cases where an on-demand scan will take longer, the organization should determine the maximum amount of time for its on-demand scanning and explicitly configure this setting.
Checks: C-78043r1_chk

Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list. From the Category list, select "On Demand Scan". Select each configured On Demand Scan policy. Click "Show Advanced". Under "On-demand Scan", verify "On-demand scan will stop after" is configured for 150 minutes or less. If "On-demand scan will stop after" is not configured for 150 minutes or less, this is a finding.

Fix: F-85215r1_fix

Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list. From the Category list, select "On Demand Scan". Select each configured On Demand Scan policy. Click "Show Advanced". Under "On-demand Scan", configure "On-demand scan will stop after" for 150 minutes or less. Click "Save".

The McAfee MOVE AV On Demand Scan policy must be configured to delete files automatically and quarantine as the first response of a threat detection.
  • RMF Control: SI-3
  • Severity: Medium
  • CCI: CCI-001241
  • Version: MV45-ODS-200005
  • Vuln IDs: V-78483
  • Rule IDs: SV-93189r1_rule
Malware incident containment has two major components: stopping the spread of malware and preventing further damage to hosts. Disinfecting a file is generally preferable to quarantining it because the malware is removed and the original file restored; however, many infected files cannot be disinfected. The primary goal of eradication is to remove malware from infected hosts. Deleting files found to contain malware while also moving them to quarantine will allow the files to be rendered useless but recoverable in the event of a false positive.
Checks: C-78045r1_chk

Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list. From the Category list, select "On Demand Scan". Select each configured On Demand Scan policy. Click "Show Advanced". Under "Actions", verify "Threat detection first response" is configured for "Delete files automatically and quarantine". If "Threat detection first response" is not configured for "Delete files automatically and quarantine", this is a finding.

Fix: F-85217r1_fix

Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list. From the Category list, select "On Demand Scan". Select each configured On Demand Scan policy. Click "Show Advanced". Under "Actions", configure "Threat detection first response" for "Delete files automatically and quarantine". Click "Save".

The McAfee MOVE AV On Demand Scan policy must be configured to scan all file types.
  • RMF Control: SI-3
  • Severity: Medium
  • CCI: CCI-001241
  • Version: MV45-ODS-200006
  • Vuln IDs: V-78485
  • Rule IDs: SV-93191r1_rule
When scanning for malware, excluding specific file types will increase the risk of a malware-infected file going undetected. By configuring anti-virus software to scan all file types, the scanner has a higher success rate at detecting and eradicating malware.
Checks: C-78047r1_chk

Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list. From the Category list, select "On Demand Scan". Select each configured On Demand Scan policy. Click "Show Advanced". Under "File Type to Scan", verify "All files" is selected. If "All files" is not selected, this is a finding.

Fix: F-85219r1_fix

Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list. From the Category list, select "On Demand Scan". Select each configured On Demand Scan policy. Click "Show Advanced". Under "File Type to Scan", select the "All files" radio button. Click "Save".

Path Exclusions configured in the McAfee MOVE AV On Demand Scan policy must be formally documented by the System Administrator and approved by the ISSO/ISSM.
  • RMF Control: SI-3
  • Severity: Medium
  • CCI: CCI-001241
  • Version: MV45-ODS-200007
  • Vuln IDs: V-78487
  • Rule IDs: SV-93193r1_rule
When scanning for malware, excluding specific file types will increase the risk of a malware-infected file going undetected. By configuring anti-virus software to scan all file types, the scanner has a higher success rate at detecting and eradicating malware. Excluding files, paths, and processes from being scanned expands the potential for malware to be allowed onto the information system. While it is recognized that some file types might need to be excluded for operational reasons and/or because protection is afforded to those files through a different mechanism, allowing those exclusions should always be vetted, documented, and approved before applying.
Checks: C-78049r1_chk

Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list. From the Category list, select "On Demand Scan". Select each configured On Demand Scan policy. Click "Show Advanced". Under "Exclusions", verify the Path Exclusions include only the following paths:

  • **\McAfee\Common Framework\
  • **\Program Files\McAfee\Agent\
  • *.log

If any Path Exclusions are included other than those specified above, and the exclusions have not been formally documented by the System Administrator and approved by the ISSO/ISSM, this is a finding.

Fix: F-85221r1_fix

Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list. From the Category list, select "On Demand Scan". Select each configured On Demand Scan policy. Click "Show Advanced". Under "Exclusions", remove any Path Exclusions, other than the following paths, that have not been formally documented by the System Administrator and approved by the ISSO/ISSM:

  • **\McAfee\Common Framework\
  • **\Program Files\McAfee\Agent\
  • *.log

Click "Save".

The McAfee MOVE AV On-Demand Scan interval must be set to no more than every seven days.
  • RMF Control: SI-3
  • Severity: Medium
  • CCI: CCI-001241
  • Version: MV45-ODS-200008
  • Vuln IDs: V-78489
  • Rule IDs: SV-93195r1_rule
Anti-virus software is the most commonly used technical control for malware threat mitigation. Anti-virus software on hosts should be configured to scan all hard drives and folders regularly to identify any file system infections and to scan any removable media, if applicable, before media is inserted into the system. Not scheduling a regular scan of the hard drives of a system and/or not configuring the scan to scan all files and running processes introduces a higher risk of threats going undetected.
Checks: C-78051r1_chk

Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list. From the Category list, select "On Demand Scan". Select each configured On Demand Scan policy. Click "Show Advanced". Under "On-demand Scan", verify the "Run on-demand scan for every _ days" is configured to "7" days or less. If the "Run on-demand scan for every _ days" is not configured to "7" days or less, this is a finding.

Fix: F-85223r1_fix

Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list. From the Category list, select "On Demand Scan". Select each configured On Demand Scan policy. Click "Show Advanced". Under "On-demand Scan", configure the "Run on-demand scan for every _ days" to "7" days or less. Click "Save".

The McAfee MOVE AV Options policy must specify the location of the quarantine network share.
  • RMF Control: SI-3
  • Severity: Medium
  • CCI: CCI-001242
  • Version: MV45-OPT-200001
  • Vuln IDs: V-78491
  • Rule IDs: SV-93197r1_rule
The quarantine on each system represents a potential danger should the files contained within the quarantine be executed inadvertently. To centrally manage the quarantine on all systems, the quarantine should always be configured the same across all systems, which will allow management to better control access to those locations.
Checks: C-78053r1_chk

Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list. From the Category list, select "Options". Select each configured Options policy. Under "Quarantine Manager" (Agentless only), verify the "Quarantine network share" is populated. If the "Quarantine network share" is not populated, this is a finding.

Fix: F-85225r1_fix

Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list. From the Category list, select "Options". Select each configured Options policy. Under "Quarantine Manager" (Agentless only), populate the "Quarantine network share" field with a valid location for storing the quarantine. Click "Save".

The McAfee MOVE AV Options policy must specify the username and password for the quarantine network share.
  • RMF Control: SI-3
  • Severity: Medium
  • CCI: CCI-001242
  • Version: MV45-OPT-200002
  • Vuln IDs: V-78493
  • Rule IDs: SV-93199r1_rule
The quarantine on each system represents a potential danger should the files contained within the quarantine be executed inadvertently. To centrally manage the quarantine on all systems, the quarantine should always be configured the same across all systems, which will allow management to better control access to those locations.
Checks: C-78055r1_chk

Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list. From the Category list, select "Options". Select each configured Options policy. Under "Quarantine Manager" (Agentless only), verify the "Network domain and username", "Network password", and "Confirm password" fields are populated. The "Network password" and "Confirm password" will be masked if populated. If the "Network domain and username", "Network password", and "Confirm password" fields are not populated, this is a finding.

Fix: F-85227r2_fix

Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list. From the Category list, select "Options". Select each configured Options policy. Under "Quarantine Manager" (Agentless only), configure the quarantine with "Network domain and username" and "Network password" for accessing the quarantine network share. Click "Save".
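The On Access Scan, On Demand Scan and Options checks above, turned into an automated policy audit that reports each failed rule by its Vuln ID. This is an added example, not McAfee, ePO or DISA code; the settings dict layout, its key names and the sample policy values are assumptions constructed for the example, so a real ePO policy export would first have to be mapped into that shape.

```python
"""Audit McAfee MOVE AV 4.5 policy settings against the STIG rules on this page.

Added example, not McAfee, ePO or DISA code. The nested dict layout
(category -> policy name -> settings) is an assumed, constructed stand-in for
the values shown in the ePO Policy Catalog.
"""

# Path Exclusions the STIG accepts without separate approval (from the page).
STIG_DEFAULT_EXCLUSIONS = frozenset([
    "**\\McAfee\\Common Framework\\",
    "**\\Program Files\\McAfee\\Agent\\",
    "*.log",
])
REQUIRED_FIRST_RESPONSE = "Delete files automatically and quarantine"

# Check builders: each check takes (policy settings, approved exclusions) and
# returns a finding string, or None when the policy satisfies the rule.
def _flag(key, text):
    """A check box or field that must be selected / populated."""
    return lambda p, _a: None if p.get(key) else text

def _at_least(key, minimum, text):
    return lambda p, _a: None if p.get(key, 0) >= minimum else text

def _at_most(key, maximum, text):
    return lambda p, _a: None if key in p and p[key] <= maximum else text

def _all_files(p, _a):
    return None if p.get("file_types") == "All files" else "not scanning all file types"

def _first_response(p, _a):
    if p.get("first_response") == REQUIRED_FIRST_RESPONSE:
        return None
    return "Threat detection first response is not '%s'" % REQUIRED_FIRST_RESPONSE

def _exclusions(p, approved):
    """Flag Path Exclusions that are neither STIG defaults nor formally approved."""
    allowed = STIG_DEFAULT_EXCLUSIONS | frozenset(approved)
    extra = sorted(e for e in p.get("exclusions", ()) if e not in allowed)
    return "undocumented Path Exclusions: " + ", ".join(extra) if extra else None

def _quarantine_credentials(p, _a):
    if p.get("quarantine_user") and p.get("quarantine_password_set"):
        return None
    return "quarantine share domain/username or password not populated"

# One entry per STIG rule covered here: (Vuln ID, ePO policy category, check).
CHECKS = [
    ("V-78463", "On Access Scan", _flag("enabled", "on-access scan not enabled")),
    ("V-78465", "On Access Scan", _at_least("max_file_scan_seconds", 45, "per-file scan timeout below 45 seconds")),
    ("V-78467", "On Access Scan", _flag("scan_on_write", "not scanning when writing to disk")),
    ("V-78469", "On Access Scan", _flag("scan_on_read", "not scanning when reading from disk")),
    ("V-78471", "On Access Scan", _all_files),
    ("V-78473", "On Access Scan", _exclusions),
    ("V-78475", "On Access Scan", _first_response),
    ("V-78477", "On Demand Scan", _flag("enabled", "on-demand scan not enabled")),
    ("V-78479", "On Demand Scan", _at_least("max_file_scan_seconds", 45, "per-file scan timeout below 45 seconds")),
    ("V-78481", "On Demand Scan", _at_most("stop_after_minutes", 150, "on-demand scan not stopped after 150 minutes or less")),
    ("V-78483", "On Demand Scan", _first_response),
    ("V-78485", "On Demand Scan", _all_files),
    ("V-78487", "On Demand Scan", _exclusions),
    ("V-78489", "On Demand Scan", _at_most("interval_days", 7, "on-demand scan interval longer than 7 days")),
    ("V-78491", "Options", _flag("quarantine_share", "Quarantine network share not populated")),
    ("V-78493", "Options", _quarantine_credentials),
]

def audit(policies, approved_exclusions=()):
    """Return (vuln_id, category, policy_name, finding) for every failed rule,
    checking every configured policy in each category as the STIG directs."""
    findings = []
    for vuln_id, category, check in CHECKS:
        for name, settings in policies.get(category, {}).items():
            text = check(settings, approved_exclusions)
            if text:
                findings.append((vuln_id, category, name, text))
    return findings

# Constructed sample policy set with several deliberate deviations.
SAMPLE_POLICIES = {
    "On Access Scan": {"My Default": {
        "enabled": True, "max_file_scan_seconds": 30,       # below the 45 s floor
        "scan_on_write": True, "scan_on_read": True, "file_types": "All files",
        "exclusions": ["**\\McAfee\\Common Framework\\", "*.log", "D:\\Builds\\"],
        "first_response": REQUIRED_FIRST_RESPONSE}},
    "On Demand Scan": {"My Default": {
        "enabled": True, "max_file_scan_seconds": 45, "stop_after_minutes": 240,
        "file_types": "All files", "exclusions": ["*.log"], "interval_days": 14,
        "first_response": "Report only"}},                   # constructed value
    "Options": {"My Default": {
        "quarantine_share": "", "quarantine_user": "", "quarantine_password_set": False}},
}

if __name__ == "__main__":
    for vuln_id, category, name, text in audit(SAMPLE_POLICIES):
        print(f"{vuln_id} [{category} / {name}]: {text}")
```

Passing the ISSO/ISSM-approved exclusions in `approved_exclusions` clears the V-78473/V-78487 findings for those paths without weakening the other checks.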

The McAfee MOVE AV SVM Settings policy ODS scheduler must be set to no more than every seven days.
  • RMF Control: SI-3
  • Severity: Medium
  • CCI: CCI-001241
  • Version: MV45-SVM-200001
  • Vuln IDs: V-78495
  • Rule IDs: SV-93201r1_rule
Anti-virus software is the most commonly used technical control for malware threat mitigation. Anti-virus software on hosts should be configured to scan all hard drives and folders regularly to identify any file system infections and to scan any removable media, if applicable, before media is inserted into the system. Not scheduling a regular scan of the hard drives of a system and/or not configuring the scan to scan all files and running processes introduces a higher risk of threats going undetected.
Checks: C-78057r1_chk

Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list. From the Category list, select "SVM Settings". Select each configured SVM Settings policy. Click "Show Advanced". Under "ODS Scheduler", verify the "Scan" option is selected. Review the schedule and verify a schedule of at least weekly is configured. If the ODS Scheduler "Scan" option is not selected or the schedule is not configured for at least weekly, this is a finding.

Fix: F-85229r1_fix

Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list. From the Category list, select "SVM Settings". Select each configured SVM Settings policy. Click "Show Advanced". Under "ODS Scheduler", select the "Scan" option. In the schedule, configure scan dates to accomplish at least weekly scanning. Click "Save".

The McAfee MOVE AV SVM must be managed by the HBSS ePO server.
  • RMF Control: CM-6
  • Severity: Medium
  • CCI: CCI-000366
  • Version: MV45-SVM-200003
  • Vuln IDs: V-78497
  • Rule IDs: SV-93203r1_rule
Organizations should use centrally managed anti-virus software that is controlled and monitored regularly by anti-virus administrators, who are also typically responsible for acquiring, testing, approving, and delivering anti-virus signature and software updates throughout the organization. Users should not be able to disable or delete anti-virus software from their hosts, nor should they be able to alter critical settings. Anti-virus administrators should perform continuous monitoring to confirm that hosts are using current anti-virus software and that the software is configured properly. Implementing all of these recommendations supports a strong and consistent anti-virus deployment across the organization.
Checks: C-78059r1_chk

Access the ePO server. From the system tree, select the "Systems" tab and then find and click on the asset representing the McAfee MOVE SVM to open its properties. If the SVM is not listed as an asset in the ePO system tree, this is a finding.

Fix: F-85231r1_fix

In the McAfee Management for Optimized Virtual Environments AntiVirus 4.5.0 Installation Guide, follow the Agentless installation and configuration sections "Deploying the McAfee MOVE AntiVirus service (NSX)", "Register vCenter Server with NSX Manager", and "Register a VMware vCenter account with McAfee ePO".

The McAfee MOVE AV SVM Settings policy must be configured to scan for potentially unwanted programs.
  • RMF Control: SI-3
  • Severity: Medium
  • CCI: CCI-001242
  • Version: MV45-SVM-200005
  • Vuln IDs: V-78499
  • Rule IDs: SV-93205r1_rule
Due to the ability of malware to mutate after infection, standard anti-virus signatures may not be able to catch new strains or variants of the malware. Typically, these strains and variants will share unique characteristics with others in their virus family. By using a generic signature to detect the shared characteristics, with wildcards where the differences lie, the generic signature can detect viruses even if they are padded with extra, meaningless code. This method of detection is known as heuristic detection.
Checks: C-78061r2_chk

Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list. From the Category list, select "SVM Settings". Select each configured SVM Settings policy. Click "Show Advanced". Under "Scanning Options", verify the check box for "Enable scanning for potentially unwanted programs" is selected. If the check box for "Enable scanning for potentially unwanted programs" is not selected, this is a finding.

Fix: F-85233r1_fix

Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list. From the Category list, select "SVM Settings". Select each configured SVM Settings policy. Click "Show Advanced". Under "Scanning Options", select the check box for "Enable scanning for potentially unwanted programs". Click "Save".

The McAfee MOVE AV SVM Settings policy must be configured to scan for Multipurpose Internet Mail Extensions (MIME)-encoded files.
SI-3 - Medium - CCI-001242 - V-78501 - SV-93207r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001242
Version
MV45-SVM-200006
Vuln IDs
  • V-78501
Rule IDs
  • SV-93207r1_rule
MIME-encoded files can be crafted to hide a malicious payload. When the MIME-encoded file is presented to software that decodes MIME-encoded files, such as an email client, the malware is released. Scanning these files as part of the regularly scheduled scan tasks will mitigate this risk.
Checks: C-78063r3_chk

Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list. From the Category list, select "SVM Settings". Select each configured SVM Settings policy. Click "Show Advanced". Under "Scanning Options", verify "Enabled scanning for MIME-encoded files" check box is selected. If "Enabled scanning for MIME-encoded files" is not selected, this is a finding.

Fix: F-85235r1_fix

Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list. From the Category list, select "SVM Settings". Select each configured SVM Settings policy. Click "Show Advanced". Under "Scanning Options", select the "Enabled scanning for MIME-encoded files" check box. Click "Save".

The McAfee MOVE AV SVM Settings policy must be configured to use McAfee Global Threat Intelligence File Reputation with a sensitivity level of medium or higher.
SI-3 - Medium - CCI-001242 - V-78503 - SV-93209r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001242
Version
MV45-SVM-200007
Vuln IDs
  • V-78503
Rule IDs
  • SV-93209r1_rule
Anti-virus software vendors use collective intelligence from sensors and cross-vector intelligence from web, email, and network threats to compile scores that reflect the likelihood that a file in question is malware. The collective intelligence is constantly being updated, more frequently than the typical daily anti-virus signature files. With File Reputation lookup, a more real-time response to potentially malicious code is realized than with the locally running anti-virus software alone, because querying the cloud-based database when a file appears to be suspicious provides up-to-the-minute intelligence. This type of protection reduces the threat protection time period from days to milliseconds, increases malware detection rates, and reduces downtime and remediation costs associated with malware attacks. Using File Reputation lookup is mandated by USCYBERCOM on DoD systems.
Checks: C-78065r1_chk

Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list. From the Category list, select "SVM Settings". Select each configured SVM Settings policy. Click "Show Advanced". Under "McAfee GTI", verify the "Enable McAfee GTI" check box is selected with a sensitivity level of "Medium" or higher. If the "Enable McAfee GTI" check box is not selected or the sensitivity level is lower than "Medium", this is a finding.

Fix: F-85237r1_fix

Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list. From the Category list, select "SVM Settings". Select each configured SVM Settings policy. Click "Show Advanced". Under "McAfee GTI", select the "Enable McAfee GTI" check box. Select "Medium" or higher for sensitivity level. Click "Save".

The McAfee MOVE AV SVM settings policy must be configured to communicate with the hypervisor/vCenter server via HTTPS protocol.
SC-8 - Medium - CCI-002418 - V-78505 - SV-93211r1_rule
RMF Control
SC-8
Severity
Medium
CCI
CCI-002418
Version
MV45-SVM-200008
Vuln IDs
  • V-78505
Rule IDs
  • SV-93211r1_rule
Requiring the McAfee MOVE AV Agentless SVA to authenticate to the hypervisor over HTTPS ensures the authentication is over a secure path.
Checks: C-78067r1_chk

Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list. From the Category list, select "SVM Settings". Select each configured SVM Settings policy. Click "Show Advanced". Under "SVM Configuration" (Agentless only), verify the "Protocol" option is set for "HTTPS". If the "Protocol" option is not set to "HTTPS", this is a finding.

Fix: F-85239r1_fix

Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list. From the Category list, select "SVM Settings". Select each configured SVM Settings policy. Click "Show Advanced". Under "SVM Configuration" (Agentless only), select "HTTPS" for the "Protocol" option. Click "Save".

The McAfee MOVE AV SVM settings policy must be configured to authenticate to the hypervisor/vCenter server with user name and password.
SC-8 - Medium - CCI-002418 - V-78507 - SV-93213r1_rule
RMF Control
SC-8
Severity
Medium
CCI
CCI-002418
Version
MV45-SVM-200009
Vuln IDs
  • V-78507
Rule IDs
  • SV-93213r1_rule
Requiring the McAfee MOVE AV Agentless SVA to authenticate to the hypervisor with a user name and password, coupled with HTTPS, ensures authentication is over a secure path from a valid source.
Checks: C-78069r1_chk

Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list. From the Category list, select "SVM Settings". Select each configured SVM Settings policy. Click "Show Advanced". Under "SVM Configuration" (Agentless only), verify the "Username:" field is populated. Note: The "Password:" field will appear to be blank. Since the "Username:" field cannot be populated and saved without a password, the "Password:" field requirement can be considered compliant provided the "Username:" field is validated as populated. If the "Username:" field is not populated, this is a finding.

Fix: F-85241r1_fix

Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list. From the Category list, select "SVM Settings". Select each configured SVM Settings policy. Click "Show Advanced". Under "SVM Configuration" (Agentless only), populate the "Username:" and "Password:" fields with a user/password combination that has authentication access to the hypervisor. Click "Test connection settings". Click "Save".