McAfee MOVE Agentless 3.0 VSEL 1.9 for SVA STIG

  • Version/Release: V1R3
  • Published: 2014-05-08
The McAfee MOVE 3.0 Agentless VSEL for SVA STIG is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from NIST 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.

The McAfee VirusScan Enterprise for Linux 1.9.0 Web UI must be disabled.
  • RMF Control: SI-3
  • Severity: Medium
  • CCI: CCI-001242
  • Version: DTAVSEL-109
  • Vuln IDs: V-43936
  • Rule IDs: SV-56764r1_rule

If the Web UI were left enabled, the system on which the VSEL has been installed would be vulnerable to Web attacks. Disabling the Web UI will prevent the system from listening on HTTP.

Responsibility: System Administrator

Checks: C-49429r2_chk

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.0". From the "Policy" column, click on the policy for the "General Policies". In the "Advanced" tab, verify the check box for "Disable client Web UI:" is selected. If the check box for "Disable client Web UI:" is not selected, this is a finding.

Fix: F-49521r2_fix

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.0". From the "Policy" column, click on the policy for the "General Policies". In the "Advanced" tab, select the check box for "Disable client Web UI:". Click Save.

The antivirus signature file age must not exceed 7 days.
  • RMF Control: SI-3
  • Severity: High
  • CCI: CCI-001240
  • Version: DTAVSEL-001
  • Vuln IDs: V-48995
  • Rule IDs: SV-61873r1_rule

Antivirus signature files are updated almost daily by antivirus software vendors. These files are made available to antivirus clients as they are published. Keeping virus signature files as current as possible is vital to the security of any system. By configuring a system to attempt an antivirus update on a daily basis, the system is ensured of maintaining an antivirus signature age of 7 days or less. If the update attempt were to be configured for only once a week, and that attempt failed, the system would be immediately out of date.

Responsibility: System Administrator

Checks: C-49428r6_chk

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. On the System Information page, select the "Products" tab. Under the Product section, select "VirusScan Enterprise for Linux". Scroll down to locate the DAT Date and DAT Version. Verify the "DAT Date:" is within the last 7 days. If the "DAT Date:" is not within the last 7 days, this is a finding.

Fix: F-49520r3_fix

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Tasks on a Single System. On the Client Tasks page, click on Actions | New Client Task Assignment. On the Client Task Assignment Builder page, under the "Product" section, select "McAfee Agent". Under the "Task Type" section, select "Product Update". Under the "Task Name" section, click on "Create New Task". Type a unique name for the "Task Name". For "Package selection:", select the "All packages" radio button. Click Save. Or, select the "Selected packages" radio button. For the "Package types:" section, select the "DAT" check box and the "Linux Engine" check box under the "Signatures and engines:" section. Click Save. On the Client Task Assignment Builder page, under the "Task Name" section, select the task just created. Click on "Next" to schedule the task. For "Schedule status:", select the radio button for "Enabled". For "Schedule type:", choose "Daily". Schedule the "Effective period:", "Start time:" and other options according to best practices. Click Next to view Summary. Click Save.

The McAfee VirusScan Enterprise for Linux 1.9.0 must be configured to receive automatic signature updates.
  • RMF Control: SI-3
  • Severity: Medium
  • CCI: CCI-001242
  • Version: DTAVSEL-002
  • Vuln IDs: V-48997
  • Rule IDs: SV-61875r1_rule

Antivirus signature files are updated almost daily by antivirus software vendors. These files are made available to antivirus clients as they are published. Keeping virus signature files as current as possible is vital to the security of any system. The antivirus software product must be configured to receive those updates automatically in order to afford the expected protection.

Responsibility: System Administrator

Checks: C-49430r5_chk

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Tasks on a Single System. From the list of available tasks in the "Task Name" column, with the assistance of the ePO SA, identify the VirusScan DAT update task. Verify the "Task Type" is listed as "Product Update". Verify the "Status" is listed as "Enabled". Under the "Task Name" column, click on the link for the designated task to review the task properties. Next to the "Package selection:", verify the "All packages" radio button is selected. If the "Selected packages" radio button is selected, verify the check box for "DAT" and the check box for "Linux Engine" have been selected for "Signatures and engines:" under the "Package types:" section. If there is not a task designated as the regularly scheduled DAT Update task, this is a finding. If there exists a task designated as the regularly scheduled DAT Update task, but neither the "All packages" nor the "DAT" selection under the "Package types: Signatures and engines:" section is selected, this is a finding.

Fix: F-49541r2_fix

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Tasks on a Single System. On the Client Tasks page, click on Actions | New Client Task Assignment. On the Client Task Assignment Builder page, under the "Product" section, select "McAfee Agent". Under the "Task Type" section, select "Product Update". Under the "Task Name" section, click on "Create New Task". Type a unique name for the "Task Name". For "Package selection:", select the "All packages" radio button. Click Save. Or, select the "Selected packages" radio button. For the "Package types:" section, select the "DAT" check box and the "Linux Engine" check box under the "Signatures and engines:" section. Click Save. On the Client Task Assignment Builder, under the "Task Name" section, select the task just created. Click on "Next" to schedule the task. For "Schedule status:", select the radio button for "Enabled". For "Schedule type:", choose "Daily". Schedule the "Effective period:", "Start time:" and other options according to best practices. Click Next to view Summary. Click Save.

The McAfee VirusScan Enterprise for Linux 1.9.0 must be configured to enable On-Access scanning.
  • RMF Control: SI-3
  • Severity: High
  • CCI: CCI-001240
  • Version: DTAVSEL-003
  • Vuln IDs: V-48999
  • Rule IDs: SV-61877r1_rule

For antivirus software to be effective, it must be running at all times, beginning from the point of the system's initial startup. Otherwise, the risk is greater for viruses, Trojans, and other malware infecting the system during that startup phase.

Responsibility: System Administrator

Checks: C-49431r4_chk

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.0". From the "Policy" column, click on the policy for the "On-Access Scanning Policy". In the "General" tab, next to the "On-access Scan:", verify the check box for "Enable on-access scanning (takes effect when policies are enforced)" is selected. Verify the "Quarantine Directory:" field is populated with "/quarantine" (or another valid location as determined by the organization). If the checkbox for "Enable on-access scanning (takes effect when policies are enforced)" is not selected, this is a finding. If the "Quarantine Directory:" field is not populated, this is a finding.

Fix: F-49542r2_fix

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.0". From the "Policy" column, click on the policy for the "On-Access Scanning Policy". In the "General" tab, next to the "On-access Scan:", select the check box for "Enable on-access scanning (takes effect when policies are enforced)". In the "Quarantine Directory:" field, enter "/quarantine" (or another valid location as determined by the organization). Click Save.

The McAfee VirusScan Enterprise for Linux 1.9.0 On-Access scanner must be configured to decompress archives when scanning.
  • RMF Control: SI-3
  • Severity: Medium
  • CCI: CCI-001242
  • Version: DTAVSEL-004
  • Vuln IDs: V-49003
  • Rule IDs: SV-61881r1_rule

Malware is often packaged within an archive. In addition, archives may have other archives within. Not scanning archive files introduces the risk of infected files being introduced into the environment.

Responsibility: System Administrator

Checks: C-49432r3_chk

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.0". From the "Policy" column, click on the policy for the "On-Access Scanning Policy". In the "Advanced" tab, next to the "Compressed files", verify the check box for "Scan inside multiple-file archives (e.g. .ZIP)" is selected. If the check box for "Compressed files: Scan inside multiple-file archives (e.g. .ZIP)" is not selected, this is a finding.

Fix: F-49543r2_fix

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.0". From the "Policy" column, click on the policy for the "On-Access Scanning Policy". In the "Advanced" tab, next to the "Compressed files", select the check box for "Scan inside multiple-file archives (e.g. .ZIP)". Click Save.

The McAfee VirusScan Enterprise for Linux 1.9.0 On-Access scanner must be configured to find unknown program viruses.
  • RMF Control: SI-3
  • Severity: Medium
  • CCI: CCI-001242
  • Version: DTAVSEL-005
  • Vuln IDs: V-49015
  • Rule IDs: SV-61893r1_rule

Due to the ability of malware to mutate after infection, standard antivirus signatures may not be able to catch new strains or variants of the malware. Typically, these strains and variants will share unique characteristics with others in their virus family. By using a generic signature to detect the shared characteristics, using wildcards where differences lie, the generic signature can detect viruses even if they are padded with extra, meaningless code. This method of detection is Heuristic detection.

Responsibility: System Administrator

Checks: C-49433r3_chk

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.0". From the "Policy" column, click on the policy for the "On-Access Scanning Policy". In the "Advanced" tab, next to "Heuristics:", verify the check box for "Find unknown program viruses" is selected. If the check box for "Heuristics: Find unknown program viruses" is not selected, this is a finding.

Fix: F-49544r2_fix

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.0". From the "Policy" column, click on the policy for the "On-Access Scanning Policy". In the "Advanced" tab, next to "Heuristics:", select the check box for "Find unknown program viruses". Click Save.

The McAfee VirusScan Enterprise for Linux 1.9.0 On-Access scanner must be configured to find unknown macro viruses.
  • RMF Control: SI-3
  • Severity: Medium
  • CCI: CCI-001242
  • Version: DTAVSEL-006
  • Vuln IDs: V-49027
  • Rule IDs: SV-61913r1_rule

Interpreted viruses are executed by an application. Within this subcategory, macro viruses take advantage of the capabilities of applications' macro programming language to infect application documents and document templates, while scripting viruses infect scripts that are understood by scripting languages processed by services on the OS. Many attackers use toolkits containing several different types of utilities and scripts that can be used to probe and attack hosts. Scanning for unknown macro viruses will mitigate zero-day attacks.

Responsibility: System Administrator

Checks: C-49434r4_chk

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.0". From the "Policy" column, click on the policy for the "On-Access Scanning Policy". In the "Advanced" tab, next to "Heuristics:", verify the check box for "Find unknown macro viruses" is selected. If the check box for "Heuristics: Find unknown macro viruses" is not selected, this is a finding.

Fix: F-49545r2_fix

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.0". From the "Policy" column, click on the policy for the "On-Access Scanning Policy". In the "Advanced" tab, next to "Heuristics:", select the check box for "Find unknown macro viruses". Click Save.

The McAfee VirusScan Enterprise for Linux 1.9.0 On-Access scanner must be configured to find potentially unwanted programs.
  • RMF Control: SI-3
  • Severity: Medium
  • CCI: CCI-001242
  • Version: DTAVSEL-007
  • Vuln IDs: V-49029
  • Rule IDs: SV-61915r1_rule

Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infection capability on their own, they rely on malware or other attack mechanisms to be installed onto target hosts, after which they will collect and transfer data from the host to an external host and/or will be used as attack mechanisms. Configuring the antivirus software to attempt to clean the file first will allow for the possibility of a false positive. In most cases, however, the secondary action of delete will be used, mitigating the risk of the PUPs being installed and used maliciously.

Responsibility: System Administrator

Checks: C-49435r4_chk

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.0". From the "Policy" column, click on the policy for the "On-Access Scanning Policy". In the "Advanced" tab, next to "Non-viruses:", verify the check box for "Find potentially unwanted programs" is selected. Verify the check box for "Find joke programs" is selected. If the check box for "Non-viruses: Find potentially unwanted programs" is not selected, this is a finding. If the check box for "Find joke programs" is not selected, this is a finding.

Fix: F-49546r2_fix

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.0". From the "Policy" column, click on the policy for the "On-Access Scanning Policy". In the "Advanced" tab, next to "Non-viruses:", select the check box for "Find potentially unwanted programs". Select the check box for "Find joke programs". Click Save.

The McAfee VirusScan Enterprise for Linux 1.9.0 On-Access scanner must be configured to scan files when being written to disk.
  • RMF Control: SI-3
  • Severity: Medium
  • CCI: CCI-001242
  • Version: DTAVSEL-008
  • Vuln IDs: V-49031
  • Rule IDs: SV-61917r1_rule

Antivirus software is the most commonly used technical control for malware threat mitigation. Real-time scanning of files as they are written to disk is a crucial first line of defense from malware attacks.

Responsibility: System Administrator

Checks: C-49436r3_chk

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.0". From the "Policy" column, click on the policy for the "On-Access Scanning Policy". In the "Detections" tab, next to "Scan files:", verify the check box for "When writing to disk" is selected. If the check box for "Scan files: When writing to disk" is not selected, this is a finding.

Fix: F-49547r2_fix

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.0". From the "Policy" column, click on the policy for the "On-Access Scanning Policy". In the "Detections" tab, next to "Scan files:", select the check box for "When writing to disk". Click Save.

The McAfee VirusScan Enterprise for Linux 1.9.0 On-Access scanner must be configured to scan files when being read from disk.
  • RMF Control: SI-3
  • Severity: Medium
  • CCI: CCI-001242
  • Version: DTAVSEL-009
  • Vuln IDs: V-49033
  • Rule IDs: SV-61919r1_rule

Antivirus software is the most commonly used technical control for malware threat mitigation. Real-time scanning of files as they are read from disk is a crucial first line of defense from malware attacks.

Responsibility: System Administrator

Checks: C-49437r4_chk

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.0". From the "Policy" column, click on the policy for the "On-Access Scanning Policy". In the "Detections" tab, next to "Scan files:", verify the check box for "When reading from disk" is selected. If the check box for "Scan files: When reading from disk" is not selected, this is a finding.

Fix: F-49548r2_fix

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.0". From the "Policy" column, click on the policy for the "On-Access Scanning Policy". In the "Detections" tab, next to "Scan files:", select the check box for "When reading from disk". Click Save.

The McAfee VirusScan Enterprise for Linux 1.9.0 On-Access scanner must be configured to scan all file types.
  • RMF Control: SI-3
  • Severity: Medium
  • CCI: CCI-001242
  • Version: DTAVSEL-010
  • Vuln IDs: V-49035
  • Rule IDs: SV-61921r1_rule

When scanning for malware, excluding specific file types will increase the risk of a malware-infected file going undetected. By configuring antivirus software to scan all file types, the scanner has a higher success rate at detecting and eradicating malware.

Responsibility: System Administrator

Checks: C-49438r4_chk

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.0". From the "Policy" column, click on the policy for the "On-Access Scanning Policy". In the "Detections" tab, next to "What to scan:", verify the radio button for "All files" is selected. If the radio button for "What to scan: All files" is not selected, this is a finding.

Fix: F-49549r2_fix

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.0". From the "Policy" column, click on the policy for the "On-Access Scanning Policy". In the "Detections" tab, next to "What to scan:", select the radio button for "All files". Click Save.

The McAfee VirusScan Enterprise for Linux 1.9.0 On-Access scanner maximum scan time must not be less than 45 seconds.
  • RMF Control: SI-3
  • Severity: Medium
  • CCI: CCI-001242
  • Version: DTAVSEL-011
  • Vuln IDs: V-49037
  • Rule IDs: SV-61923r1_rule

When antivirus software is not configured to limit the amount of time spent trying to scan a file, the total effectiveness of the antivirus software, and performance on the system being scanned, will be degraded. By limiting the amount of time the antivirus software uses when scanning a file, the scan will be able to complete in a timely manner.

Responsibility: System Administrator

Checks: C-49439r3_chk

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.0". From the "Policy" column, click on the policy for the "On-Access Scanning Policy". In the "General" tab, next to "Maximum Scan Time:", verify the check box for "Enforce maximum scanning time for all files" has been selected. Verify the "Maximum scan time (seconds):" is configured to 45 or more. If the check box for "Maximum Scan Time: Enforce maximum scanning time for all files" is not selected, this is a finding. If the "Maximum Scan Time (seconds):" is not configured to 45 or more, this is a finding. If both the "Maximum Scan Time:" setting for "Enforce maximum scanning time for all files" has a check in the check box and the "Maximum Scan Time:" setting for "Maximum scan time (seconds):" is configured to 45 or more, this is not a finding.

Fix: F-49550r2_fix

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.0". From the "Policy" column, click on the policy for the "On-Access Scanning Policy". In the "General" tab, next to "Maximum Scan Time:", select the check box for "Enforce maximum scanning time for all files". Configure the "Maximum scan time (seconds):" to 45 or more. Click Save.

Any paths and files excluded by the McAfee VirusScan Enterprise for Linux 1.9.0 On-Access scanner must be formally documented with, and approved by, the IAO/IAM.
  • RMF Control: SI-3
  • Severity: Medium
  • CCI: CCI-001242
  • Version: DTAVSEL-012
  • Vuln IDs: V-49039
  • Rule IDs: SV-61925r1_rule

When scanning for malware, excluding specific files will increase the risk of a malware-infected file going undetected. By configuring antivirus software without any exclusions, the scanner has a higher success rate at detecting and eradicating malware.

Responsibility: System Administrator

Checks: C-49440r3_chk

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.0". From the "Policy" column, click on the policy for the "On-Access Scanning Policy". In the "Detections" tab, next to "What not to scan:", verify the only entry for the "Select files and directories to be excluded from virus scanning" field is the default "/var/log". If any entries other than the default "/var/log" are present in the "What not to scan:" setting for the "Select files and directories to be excluded from virus scanning" field, verify the exclusion of those files and directories has been formally documented by the System Administrator and has been approved by the IAO/IAM. If any entries other than the default "/var/log" are present in the "What not to scan:" setting for the "Select files and directories to be excluded from virus scanning" field, and those files and directories have not been formally documented by the System Administrator and approved by the IAO/IAM, this is a finding. If any entries other than the default "/var/log" are present in the "What not to scan:" setting for the "Select files and directories to be excluded from virus scanning" field, and those files and directories have been formally documented by the System Administrator and approved by the IAO/IAM, this is not a finding.

Fix: F-49551r2_fix

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.0". From the "Policy" column, click on the policy for the "On-Access Scanning Policy". In the "Detections" tab, next to "What not to scan:", remove all entries in the "Select files and directories to be excluded from virus scanning" field other than the default "/var/log". Document justification for any required exclusions and obtain approval from the IAO/IAM. Click Save.

The McAfee VirusScan Enterprise for Linux 1.9.0 On-Access scanner must be configured to Clean infected files automatically as first action when a virus or Trojan is detected.
SI-3 - Medium - CCI-001242 - V-49041 - SV-61927r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001242
Version
DTAVSEL-013
Vuln IDs
  • V-49041
Rule IDs
  • SV-61927r1_rule
Malware may have infected a file that is necessary to the user. By configuring the antivirus software to first attempt cleaning the infected file, availability of the file is not sacrificed. If a cleaning attempt is not successful, however, deleting the file is the only safe option to ensure the malware is not introduced onto the system or network.
System Administrator
Checks: C-49441r3_chk

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.0". From the "Policy" column, click on the policy for the "On-Access Scanning Policy". In the "Actions" tab, next to "When Viruses and Trojans are found:", verify the radio button for "Clean infected files automatically" is selected. If, next to "When Viruses and Trojans are found:", the radio button for "Clean infected files automatically" is not selected, this is a finding.

Fix: F-49552r2_fix

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.0". From the "Policy" column, click on the policy for the "On-Access Scanning Policy". In the "Actions" tab, next to "When Viruses and Trojans are found:", select the radio button for "Clean infected files automatically". Click Save.

The McAfee VirusScan Enterprise for Linux 1.9.0 On-Access scanner must be configured to Move infected files to the quarantine directory if first action fails when a virus or Trojan is detected.
SI-3 - Medium - CCI-001242 - V-49043 - SV-61929r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001242
Version
DTAVSEL-014
Vuln IDs
  • V-49043
Rule IDs
  • SV-61929r1_rule
Malware may have infected a file that is necessary to the user. By configuring the antivirus software to first attempt cleaning the infected file, availability of the file is not sacrificed. If a cleaning attempt is not successful, however, deleting the file is the only safe option to ensure the malware is not introduced onto the system or network.
System Administrator
Checks: C-49442r3_chk

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.0". From the "Policy" column, click on the policy for the "On-Access Scanning Policy". In the "Actions" tab, next to "If the above action fails:", verify the "Move infected files to the quarantine directory" radio button is selected. If, next to "If the above action fails:", the radio button for "Move infected files to the quarantine directory" is not selected, this is a finding.

Fix: F-49553r3_fix

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.0". From the "Policy" column, click on the policy for the "On-Access Scanning Policy". In the "Actions" tab, next to "If the above action fails:", select the radio button for "Move infected files to the quarantine directory". Click Save.

The McAfee VirusScan Enterprise for Linux 1.9.0 On-Access scanner must be configured to Clean infected files automatically as first action when programs and jokes are found.
SI-3 - Medium - CCI-001242 - V-49047 - SV-61933r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001242
Version
DTAVSEL-015
Vuln IDs
  • V-49047
Rule IDs
  • SV-61933r1_rule
Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infection capability on their own, they rely on malware or other attack mechanisms to be installed onto target hosts, after which they will collect and transfer data from the host to an external host and/or will be used as attack mechanisms. Configuring the antivirus software to attempt to clean the file first will allow for the possibility of a false positive. In most cases, however, the secondary action of delete will be used, mitigating the risk of the PUPs being installed and used maliciously.
System Administrator
Checks: C-50127r3_chk

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.0". From the "Policy" column, click on the policy for the "On-Access Scanning Policy". In the "Actions" tab, next to "When Programs & Jokes are found:", verify the radio button for "Clean infected files automatically" is selected. If, next to "When Programs & Jokes are found:", the radio button for "Clean infected files automatically" is not selected, this is a finding.

Fix: F-52383r2_fix

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.0". From the "Policy" column, click on the policy for the "On-Access Scanning Policy". In the "Actions" tab, next to "When Programs & Jokes are found:", select the radio button for "Clean infected files automatically". Click Save.

The McAfee VirusScan Enterprise for Linux 1.9.0 On-Access scanner must be configured to Move infected files to the quarantine directory if first action fails when programs and jokes are found.
SI-3 - Medium - CCI-001242 - V-49049 - SV-61935r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001242
Version
DTAVSEL-016
Vuln IDs
  • V-49049
Rule IDs
  • SV-61935r1_rule
Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infection capability on their own, they rely on malware or other attack mechanisms to be installed onto target hosts, after which they will collect and transfer data from the host to an external host and/or will be used as attack mechanisms. Configuring the antivirus software to attempt to clean the file first will allow for the possibility of a false positive. In most cases, however, the secondary action of delete will be used, mitigating the risk of the PUPs being installed and used maliciously.
System Administrator
Checks: C-50129r2_chk

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.0". From the "Policy" column, click on the policy for the "On-Access Scanning Policy". In the "Actions" tab, under the "When Programs & Jokes are found:", next to "If the above action fails:", verify the "Move infected files to the quarantine directory" radio button is selected. If, next to "When Programs & Jokes are found: If the above action fails:", the radio button for "Move infected files to the quarantine directory" is not selected, this is a finding.

Fix: F-52385r3_fix

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.0". From the "Policy" column, click on the policy for the "On-Access Scanning Policy". In the "Actions" tab, under the "When Programs & Jokes are found:", next to "If the above action fails:", select the radio button for "Move infected files to the quarantine directory". Click Save.

The McAfee VirusScan Enterprise for Linux 1.9.0 On-Access scanner must be configured to deny access to the file if scanning fails.
SI-3 - Medium - CCI-001242 - V-49051 - SV-61939r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001242
Version
DTAVSEL-017
Vuln IDs
  • V-49051
Rule IDs
  • SV-61939r1_rule
Antivirus software is the most commonly used technical control for malware threat mitigation. Real-time scanning of files as they are read from disk is a crucial first line of defense from malware attacks.
System Administrator
Checks: C-50131r2_chk

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.0". From the "Policy" column, click on the policy for the "On-Access Scanning Policy". In the "Actions" tab, verify the "If scanning fails:" "Deny access to the file" radio button is selected. If the "If scanning fails: Deny access to the file" radio button is not selected, this is a finding.

Fix: F-52387r1_fix

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.0". From the "Policy" column, click on the policy for the "On-Access Scanning Policy". In the "Actions" tab, select the "If scanning fails:" "Deny access to the file" radio button. Click Save.

The McAfee VirusScan Enterprise for Linux 1.9.0 On-Access scanner must be configured to allow access to files if scanning times out.
SI-3 - Medium - CCI-001242 - V-49055 - SV-61949r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001242
Version
DTAVSEL-018
Vuln IDs
  • V-49055
Rule IDs
  • SV-61949r1_rule
Antivirus software is the most commonly used technical control for malware threat mitigation. Real-time scanning of files as they are read from disk is a crucial first line of defense from malware attacks.
System Administrator
Checks: C-50133r2_chk

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.0". From the "Policy" column, click on the policy for the "On-Access Scanning Policy". In the "Actions" tab, verify the "If scanning times out: Allow access to the file" radio button is selected. If the "If scanning times out: Allow access to the file" radio button is not selected, this is a finding.

Fix: F-52389r1_fix

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.0". From the "Policy" column, click on the policy for the "On-Access Scanning Policy". In the "Actions" tab, select the "If scanning times out: Allow access to the file" radio button. Click Save.
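The On-Access Scanning Policy checks above (the exclusion list and DTAVSEL-013 through DTAVSEL-018), applied to a hand-transcribed policy snapshot. This is an added example, not part of the STIG or of any McAfee tooling; the snapshot dict and its key names are assumptions made here and are not an ePO export format, while the setting labels and rule IDs are the ones quoted on this page.

```python
"""Evaluate a transcribed On-Access Scanning Policy against the checks on this page."""
import posixpath

DEFAULT_EXCLUSION = "/var/log"
CLEAN = "Clean infected files automatically"
QUARANTINE = "Move infected files to the quarantine directory"

# Rule ID (from this page) -> (hypothetical snapshot key, required selection).
REQUIRED = {
    "DTAVSEL-013": ("viruses_trojans.first_action", CLEAN),
    "DTAVSEL-014": ("viruses_trojans.if_action_fails", QUARANTINE),
    "DTAVSEL-015": ("programs_jokes.first_action", CLEAN),
    "DTAVSEL-016": ("programs_jokes.if_action_fails", QUARANTINE),
    "DTAVSEL-017": ("if_scanning_fails", "Deny access to the file"),
    "DTAVSEL-018": ("if_scanning_times_out", "Allow access to the file"),
}


def normalize(path):
    """Collapse '.', '..', trailing and duplicate slashes so entries compare by
    the directory they actually name, not by how they were typed."""
    norm = posixpath.normpath(path.strip())
    if norm.startswith("//"):  # normpath keeps exactly two leading slashes
        norm = "/" + norm.lstrip("/")
    return norm


def review_exclusions(entries, approved):
    """Return the entries that are neither the default nor documented/approved."""
    approved_norm = {normalize(p) for p in approved}
    unapproved = []
    for raw in entries:
        if not raw.strip():
            continue  # blank field, no entry
        path = normalize(raw)
        if path == DEFAULT_EXCLUSION:
            continue
        if path not in approved_norm:
            unapproved.append(raw)
    return unapproved


def evaluate(snapshot, approved_exclusions=()):
    """Return {rule or check name: detail} for every finding in the snapshot.

    A setting missing from the snapshot counts as a finding: an unrecorded
    value cannot be shown to be compliant.
    """
    findings = {}
    unapproved = review_exclusions(snapshot.get("exclusions", []),
                                   approved_exclusions)
    if unapproved:
        # The exclusion rule's ID is not shown in this part of the page,
        # so the finding is keyed by a plain name.
        findings["exclusions"] = unapproved
    for rule_id, (key, required) in REQUIRED.items():
        actual = snapshot.get(key)
        if actual != required:
            findings[rule_id] = f"{key}: expected {required!r}, got {actual!r}"
    return findings


# Constructed sample data (not taken from a real system).
SAMPLE = {
    "exclusions": [
        "/var/log/",                     # the default, typed with a trailing slash
        "/var/log/../../opt/app/cache",  # looks like /var/log, resolves elsewhere
        "/data/db",                      # documented and approved below
    ],
    "viruses_trojans.first_action": CLEAN,
    "viruses_trojans.if_action_fails": "(some other option)",
    "programs_jokes.first_action": CLEAN,
    "programs_jokes.if_action_fails": QUARANTINE,
    "if_scanning_fails": "Deny access to the file",
    # "if_scanning_times_out" was not recorded
}
APPROVED = ["/data/db"]  # exclusions documented by the SA and approved by the IAO/IAM

if __name__ == "__main__":
    for name, detail in evaluate(SAMPLE, APPROVED).items():
        print(f"FINDING {name}: {detail}")
```

A prefix test on "/var/log" would accept the second sample entry; comparing normalized paths is what flags it.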

The McAfee VirusScan Enterprise for Linux 1.9.0 must be configured to run a scheduled On Demand scan at least once a week.
SI-3 - Medium - CCI-001242 - V-49059 - SV-61961r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001242
Version
DTAVSEL-100
Vuln IDs
  • V-49059
Rule IDs
  • SV-61961r1_rule
Antivirus software is the most commonly used technical control for malware threat mitigation. Real-time scanning of files as they are read from disk is a crucial first line of defense from malware attacks, but to ensure all files are frequently scanned, a regularly scheduled full scan will ensure malware missed by the real-time scanning will be detected and mitigated.
System Administrator
Checks: C-50135r3_chk

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Tasks on a Single System. From the list of available tasks in the "Task Name" column, with the assistance of the ePO SA, identify the weekly On Demand scan client task. If a weekly On Demand scan client task does not exist, this is a finding. For the designated weekly On Demand scan client task, verify the "Task Type" is listed as "On Demand Scan". Verify the "Status" is listed as "Enabled". Under the "Task Name" column, click on the link for the designated task to review the task properties. Verify the task is scheduled to run at least weekly. If the task is not scheduled to run at least weekly, this is a finding.

Fix: F-52391r1_fix

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Create a New Client Task to run a regularly scheduled On Demand scan at least weekly. Click Save.

The McAfee VirusScan Enterprise for Linux 1.9.0 On Demand scanner must be configured to find unknown program viruses.
SI-3 - Medium - CCI-001242 - V-49061 - SV-61963r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001242
Version
DTAVSEL-102
Vuln IDs
  • V-49061
Rule IDs
  • SV-61963r1_rule
Due to the ability of malware to mutate after infection, standard antivirus signatures may not be able to catch new strains or variants of the malware. Typically, these strains and variants will share unique characteristics with others in their virus family. By using a generic signature to detect the shared characteristics, using wildcards where differences lie, the generic signature can detect viruses even if they are padded with extra, meaningless code. This method of detection is Heuristic detection.
System Administrator
Checks: C-49444r2_chk

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Tasks on a Single System. From the list of available tasks in the "Task Name" column, with the assistance of the ePO SA, identify the weekly On Demand scan client task. If a weekly On Demand scan client task does not exist, this is a finding. For the designated weekly On Demand scan client task, verify the "Task Type" is listed as "On Demand Scan". Verify the "Status" is listed as "Enabled". Under the "Task Name" column, click on the link for the designated task to review the task properties. In the "Advanced" tab, next to "Heuristics:", verify the check box for "Find unknown program viruses" has been selected. If, for the task designated as the regularly scheduled On Demand Scan, the check box for "Find unknown program viruses" next to "Heuristics:" has not been selected, this is a finding.

Fix: F-49555r2_fix

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. If a task does not exist for the regularly scheduled weekly scan, create a New Client Task to run an On Demand scan at least weekly. Click on Actions | Agent | Modify Tasks on a Single System. From the list of available tasks in the "Task Name" column, with the assistance of the ePO SA, identify the weekly On Demand scan client task. For the designated weekly On Demand scan client task, verify the "Task Type" is listed as "On Demand Scan". Under the "Task Name" column, click on the link for the designated task to review the task properties. In the "Advanced" tab, next to "Heuristics:", select the check box for "Find unknown program viruses". Click Save.

The McAfee VirusScan Enterprise for Linux 1.9.0 On Demand scanner must be configured to find unknown macro viruses.
SI-3 - Medium - CCI-001242 - V-49063 - SV-61965r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001242
Version
DTAVSEL-103
Vuln IDs
  • V-49063
Rule IDs
  • SV-61965r1_rule
Interpreted viruses are executed by an application. Within this subcategory, macro viruses take advantage of the capabilities of applications' macro programming language to infect application documents and document templates, while scripting viruses infect scripts that are understood by scripting languages processed by services on the OS. Many attackers use toolkits containing several different types of utilities and scripts that can be used to probe and attack hosts. Scanning for unknown macro viruses will mitigate zero-day attacks.
System Administrator
Checks: C-49445r2_chk

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Tasks on a Single System. From the list of available tasks in the "Task Name" column, with the assistance of the ePO SA, identify the weekly On Demand scan client task. If a weekly On Demand scan client task does not exist, this is a finding. For the designated weekly On Demand scan client task, verify the "Task Type" is listed as "On Demand Scan". Verify the "Status" is listed as "Enabled". Under the "Task Name" column, click on the link for the designated task to review the task properties. In the "Advanced" tab, next to "Heuristics:", verify the check box for "Find unknown macro viruses" is selected. If the check box for "Heuristics: Find unknown macro viruses" is not selected, this is a finding.

Fix: F-49556r2_fix

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. If a task does not exist for the regularly scheduled weekly scan, create a New Client Task to run an On Demand scan at least weekly. Click on Actions | Agent | Modify Tasks on a Single System. From the list of available tasks in the "Task Name" column, with the assistance of the ePO SA, identify the weekly On Demand scan client task. For the designated weekly On Demand scan client task, verify the "Task Type" is listed as "On Demand Scan". Under the "Task Name" column, click on the link for the designated task to review the task properties. In the "Advanced" tab, next to "Heuristics:", select the check box for "Find unknown macro viruses". Click Save.

The McAfee VirusScan Enterprise for Linux 1.9.0 On Demand scanner must be configured to find potentially unwanted programs.
SI-3 - Medium - CCI-001242 - V-49065 - SV-61967r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001242
Version
DTAVSEL-104
Vuln IDs
  • V-49065
Rule IDs
  • SV-61967r1_rule
Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infection capability on their own, they rely on malware or other attack mechanisms to be installed onto target hosts, after which they will collect and transfer data from the host to an external host and/or will be used as attack mechanisms. Configuring the antivirus software to attempt to clean the file first will allow for the possibility of a false positive. In most cases, however, the secondary action of delete will be used, mitigating the risk of the PUPs being installed and used maliciously.
System Administrator
Checks: C-49446r2_chk

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Tasks on a Single System. From the list of available tasks in the "Task Name" column, with the assistance of the ePO SA, identify the weekly On Demand scan client task. If a weekly On Demand scan client task does not exist, this is a finding. For the designated weekly On Demand scan client task, verify the "Task Type" is listed as "On Demand Scan". Verify the "Status" is listed as "Enabled". Under the "Task Name" column, click on the link for the designated task to review the task properties. In the "Advanced" tab, next to "Non-viruses:", verify the check box for "Find potentially unwanted programs" is selected. Select the check box for "Find joke programs". If the check box for "Non-viruses: Find potentially unwanted programs" is not selected, this is a finding. If the check box for "Find joke programs" is not selected, this is a finding.

Fix: F-49557r2_fix

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. If a task does not exist for the regularly scheduled weekly scan, create a New Client Task to run an On Demand scan at least weekly. Click on Actions | Agent | Modify Tasks on a Single System. From the list of available tasks in the "Task Name" column, with the assistance of the ePO SA, identify the weekly On Demand scan client task. For the designated weekly On Demand scan client task, verify the "Task Type" is listed as "On Demand Scan". Under the "Task Name" column, click on the link for the designated task to review the task properties. In the "Advanced" tab, next to "Non-viruses:", select the check box for "Find potentially unwanted programs". Select the check box for "Find joke programs". Click Save.

The McAfee VirusScan Enterprise for Linux 1.9.0 On Demand scanner must be configured to scan all file types.
SI-3 - Medium - CCI-001242 - V-49067 - SV-61969r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001242
Version
DTAVSEL-105
Vuln IDs
  • V-49067
Rule IDs
  • SV-61969r1_rule
When scanning for malware, excluding specific file types will increase the risk of a malware-infected file going undetected. By configuring antivirus software to scan all file types, the scanner has a higher success rate at detecting and eradicating malware.
System Administrator
Checks: C-49447r2_chk

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Tasks on a Single System. From the list of available tasks in the "Task Name" column, with the assistance of the ePO SA, identify the weekly On Demand scan client task. If a weekly On Demand scan client task does not exist, this is a finding. For the designated weekly On Demand scan client task, verify the "Task Type" is listed as "On Demand Scan". Verify the "Status" is listed as "Enabled". Under the "Task Name" column, click on the link for the designated task to review the task properties. In the "Detection" tab, next to "What to scan:", verify the radio button for "All files" is selected. If the radio button for "What to scan: All files" is not selected, this is a finding.

Fix: F-49558r2_fix

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. If a task does not exist for the regularly scheduled weekly scan, create a New Client Task to run an On Demand scan at least weekly. Click on Actions | Agent | Modify Tasks on a Single System. From the list of available tasks in the "Task Name" column, with the assistance of the ePO SA, identify the weekly On Demand scan client task. For the designated weekly On Demand scan client task, verify the "Task Type" is listed as "On Demand Scan". Under the "Task Name" column, click on the link for the designated task to review the task properties. In the "Detection" tab, next to "What to scan:", select the radio button for "All files". Click Save.

The McAfee VirusScan Enterprise for Linux 1.9.0 On Demand scanner must be configured to Clean infected files automatically as first action for when Viruses and Trojans are found.
SI-3 - Medium - CCI-001242 - V-49075 - SV-61977r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001242
Version
DTAVSEL-106
Vuln IDs
  • V-49075
Rule IDs
  • SV-61977r1_rule
Malware may have infected a file that is necessary to the user. By configuring the antivirus software to first attempt cleaning the infected file, availability of the file is not sacrificed. If a cleaning attempt is not successful, however, deleting the file is the only safe option to ensure the malware is not introduced onto the system or network.
System Administrator
Checks: C-49448r3_chk

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Tasks on a Single System. From the list of available tasks in the "Task Name" column, with the assistance of the ePO SA, identify the weekly On Demand scan client task. If a weekly On Demand scan client task does not exist, this is a finding. For the designated weekly On Demand scan client task, verify the "Task Type" is listed as "On Demand Scan". Verify the "Status" is listed as "Enabled". Under the "Task Name" column, click on the link for the designated task to review the task properties. In the "Actions" tab, next to "When Viruses and Trojans are found:", verify the radio button for "Clean infected files automatically" is selected. If the radio button for "When Viruses and Trojans are found: Clean infected files automatically" is not selected, this is a finding.

Fix: F-49559r2_fix

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. If a task does not exist for the regularly scheduled weekly scan, create a New Client Task to run an On Demand scan at least weekly. Click on Actions | Agent | Modify Tasks on a Single System. From the list of available tasks in the "Task Name" column, with the assistance of the ePO SA, identify the weekly On Demand scan client task. For the designated weekly On Demand scan client task, verify the "Task Type" is listed as "On Demand Scan". Under the "Task Name" column, click on the link for the designated task to review the task properties. In the "Actions" tab, next to "When Viruses and Trojans are found:", select the radio button for "Clean infected files automatically". Click Save.

b
The McAfee VirusScan Enterprise for Linux 1.9.0 On Demand scanner must be configured to Move infected files to the quarantine directory if first action fails when Viruses and Trojans are found.
SI-3 - Medium - CCI-001242 - V-49083 - SV-61985r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001242
Version
DTAVSEL-107
Vuln IDs
  • V-49083
Rule IDs
  • SV-61985r1_rule
Malware may have infected a file that is necessary to the user. By configuring the antivirus software to first attempt cleaning the infected file, availability of the file is not sacrificed. If a cleaning attempt is not successful, however, deleting the file is the only safe option to ensure the malware is not introduced onto the system or network.
System Administrator
Checks: C-49449r2_chk

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Tasks on a Single System. From the list of available tasks in the "Task Name" column, with the assistance of the ePO SA, identify the weekly On Demand scan client task. If a weekly On Demand scan client task does not exist, this is a finding. For the designated weekly On Demand scan client task, verify the "Task Type" is listed as "On Demand Scan". Verify the "Status" is listed as "Enabled". Under the "Task Name" column, click on the link for the designated task to review the task properties. In the "Actions" tab, next to "If the above action fails:", verify the radio button for "Move infected files to the quarantine directory" is selected. Verify the "Quarantine Directory:" field is populated with "/quarantine" (or another valid location as determined by the organization). If the radio button for "If the above action fails: Move infected files to the quarantine directory" is not selected, this is a finding. If the "Quarantine Directory:" field is not populated, this is a finding.

Fix: F-49560r2_fix

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. If a task does not exist for the regularly scheduled weekly scan, create a New Client Task to run an On Demand scan at least weekly. Click on Actions | Agent | Modify Tasks on a Single System. From the list of available tasks in the "Task Name" column, with the assistance of the ePO SA, identify the weekly On Demand scan client task. For the designated weekly On Demand scan client task, verify the "Task Type" is listed as "On Demand Scan". Under the "Task Name" column, click on the link for the designated task to review the task properties. In the "Actions" tab, next to "If the above action fails:", select the radio button for "Move infected files to the quarantine directory". Populate the "Quarantine Directory:" field with "/quarantine" (or another valid location as determined by the organization). Click Save.

b
Any paths and files excluded by the McAfee VirusScan Enterprise for Linux 1.9.0 On Demand scanner must be documented with, and approved by, the IAO/IAM.
SI-3 - Medium - CCI-001242 - V-49089 - SV-61991r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001242
Version
DTAVSEL-108
Vuln IDs
  • V-49089
Rule IDs
  • SV-61991r1_rule
When scanning for malware, excluding specific files will increase the risk of a malware-infected file going undetected. By configuring antivirus software without any exclusions, the scanner has a higher success rate at detecting and eradicating malware.
System Administrator
Checks: C-49450r2_chk

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Tasks on a Single System. From the list of available tasks in the "Task Name" column, with the assistance of the ePO SA, identify the weekly On Demand scan client task. If a weekly On Demand scan client task does not exist, this is a finding. For the designated weekly On Demand scan client task, verify the "Task Type" is listed as "On Demand Scan". Verify the "Status" is listed as "Enabled". Under the "Task Name" column, click on the link for the designated task to review the task properties. In the "Detection" tab, next to "What not to scan:", verify no entries exist. If any entries exist, verify the exclusion of those files and directories has been documented by the System Administrator and approved by the IAO/IAM. If any entries are present in the "What not to scan:" setting for the "Select files and directories to be excluded from virus scanning" field, and those files and directories have not been documented by the System Administrator and approved by the IAO/IAM, this is a finding. If any entries are present in the "What not to scan:" setting for the "Select files and directories to be excluded from virus scanning" field, and those files and directories have been documented by the System Administrator and approved by the IAO/IAM, this is not a finding.

Fix: F-49561r2_fix

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. If a task does not exist for the regularly scheduled weekly scan, create a New Client Task to run an On Demand scan at least weekly. Click on Actions | Agent | Modify Tasks on a Single System. From the list of available tasks in the "Task Name" column, with the assistance of the ePO SA, identify the weekly On Demand scan client task. For the designated weekly On Demand scan client task, verify the "Task Type" is listed as "On Demand Scan". Under the "Task Name" column, click on the link for the designated task to review the task properties. In the "Detection" tab, next to "What not to scan:", remove any entries from the "What not to scan:" section for which there has not been IAO/IAM approval. Click Save.

b
The McAfee VirusScan Enterprise for Linux 1.9.0 On Demand scanner must be configured to Clean infected files automatically as first action when programs and jokes are found.
SI-3 - Medium - CCI-001242 - V-49099 - SV-62001r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001242
Version
DTAVSEL-110
Vuln IDs
  • V-49099
Rule IDs
  • SV-62001r1_rule
Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infection capability on their own, they rely on malware or other attack mechanisms to be installed onto target hosts, after which they will collect and transfer data from the host to an external host and/or will be used as attack mechanisms. Configuring the antivirus software to attempt to clean the file first will allow for the possibility of a false positive. In most cases, however, the secondary action of delete will be used, mitigating the risk of the PUPs being installed and used maliciously.
System Administrator
Checks: C-50137r4_chk

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Tasks on a Single System. From the list of available tasks in the "Task Name" column, with the assistance of the ePO SA, identify the weekly On Demand scan client task. If a weekly On Demand scan client task does not exist, this is a finding. For the designated weekly On Demand scan client task, verify the "Task Type" is listed as "On Demand Scan". Verify the "Status" is listed as "Enabled". Under the "Task Name" column, click on the link for the designated task to review the task properties. In the "Actions" tab, next to "When Programs & Jokes are found:", verify the radio button for "Clean infected files automatically" is selected. If the radio button for "When Programs & Jokes are found: Clean infected files automatically" is not selected, this is a finding.

Fix: F-52393r1_fix

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Tasks on a Single System. From the list of available tasks in the "Task Name" column, with the assistance of the ePO SA, identify the weekly On Demand scan client task. For the designated weekly On Demand scan client task, verify the "Task Type" is listed as "On Demand Scan". Under the "Task Name" column, click on the link for the designated task to review the task properties. In the "Actions" tab, next to "When Programs & Jokes are found:", select the radio button for "Clean infected files automatically". Click Save.

b
The McAfee VirusScan Enterprise for Linux 1.9.0 On Demand scanner must be configured to Move infected files to the quarantine directory if first action fails when programs and jokes are found.
SI-3 - Medium - CCI-001242 - V-49103 - SV-62005r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001242
Version
DTAVSEL-111
Vuln IDs
  • V-49103
Rule IDs
  • SV-62005r1_rule
Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infection capability on their own, they rely on malware or other attack mechanisms to be installed onto target hosts, after which they will collect and transfer data from the host to an external host and/or will be used as attack mechanisms. Configuring the antivirus software to attempt to clean the file first will allow for the possibility of a false positive. In most cases, however, the secondary action of delete will be used, mitigating the risk of the PUPs being installed and used maliciously.
System Administrator
Checks: C-50139r4_chk

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Tasks on a Single System. From the list of available tasks in the "Task Name" column, with the assistance of the ePO SA, identify the weekly On Demand scan client task. If a weekly On Demand scan client task does not exist, this is a finding. For the designated weekly On Demand scan client task, verify the "Task Type" is listed as "On Demand Scan". Verify the "Status" is listed as "Enabled". Under the "Task Name" column, click on the link for the designated task to review the task properties. In the "Actions" tab, next to "When Programs & Jokes are found: If the above action fails:", verify the radio button for "Move infected files to the quarantine directory" is selected. Verify the "Quarantine Directory:" field is populated with "/quarantine" (or another valid location as determined by the organization). If the radio button for "When Programs & Jokes are found: If the above action fails: Move infected files to the quarantine directory" is not selected, this is a finding. If the "Quarantine Directory:" field is not populated with "/quarantine" (or another valid location as determined by the organization), this is a finding.

Fix: F-52395r1_fix

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Tasks on a Single System. From the list of available tasks in the "Task Name" column, with the assistance of the ePO SA, identify the weekly On Demand scan client task. For the designated weekly On Demand scan client task, verify the "Task Type" is listed as "On Demand Scan". Under the "Task Name" column, click on the link for the designated task to review the task properties. In the "Actions" tab, next to "When Programs & Jokes are found: If the above action fails:", select the radio button for "Move infected files to the quarantine directory". Populate the "Quarantine Directory:" field with "/quarantine" (or another valid location as determined by the organization). Click Save.

b
The McAfee VirusScan Enterprise for Linux 1.9.0 On Demand scanner must be configured to include all local drives and their sub-directories.
SI-3 - Medium - CCI-001242 - V-49109 - SV-62011r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001242
Version
DTAVSEL-113
Vuln IDs
  • V-49109
Rule IDs
  • SV-62011r1_rule
When scanning for malware, excluding specific file types will increase the risk of a malware-infected file going undetected. By configuring antivirus software to scan all file types, the scanner has a higher success rate at detecting and eradicating malware.
System Administrator
Checks: C-50143r3_chk

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Tasks on a Single System. From the list of available tasks in the "Task Name" column, with the assistance of the ePO SA, identify the weekly On Demand scan client task. If a weekly On Demand scan client task does not exist, this is a finding. For the designated weekly On Demand scan client task, verify the "Task Type" is listed as "On Demand Scan". Verify the "Status" is listed as "Enabled". Under the "Task Name" column, click on the link for the designated task to review the task properties. In the "Where" tab, verify the "Specify where scanning will take place" field is populated with all local drives. Next to "Scan options", verify the checkbox for "Include sub-directories" is selected. If the "Specify where scanning will take place" field is not populated with all local drives, this is a finding. If the "Include sub-directories" is not selected, this is a finding.

Fix: F-52399r1_fix

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Tasks on a Single System. From the list of available tasks in the "Task Name" column, with the assistance of the ePO SA, identify the weekly On Demand scan client task. For the designated weekly On Demand scan client task, verify the "Task Type" is listed as "On Demand Scan". Under the "Task Name" column, click on the link for the designated task to review the task properties. In the "Where" tab, populate the "Specify where scanning will take place" field with all local drives. Next to "Scan options", select the checkbox for "Include sub-directories". Click Save.

b
The McAfee VirusScan Enterprise for Linux 1.9.0 On Demand scanner must be configured to decompress archives when scanning.
SI-3 - Medium - CCI-001242 - V-49243 - SV-62149r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001242
Version
DTAVSEL-101
Vuln IDs
  • V-49243
Rule IDs
  • SV-62149r1_rule
Malware is often packaged within an archive. In addition, archives might have other archives within. Not scanning archive files introduces the risk of infected files being introduced into the environment.
System Administrator
Checks: C-49443r3_chk

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Tasks on a Single System. From the list of available tasks in the "Task Name" column, with the assistance of the ePO SA, identify the weekly On Demand scan client task. If a weekly On Demand scan client task does not exist, this is a finding. For the designated weekly On Demand scan client task, verify the "Task Type" is listed as "On Demand Scan". Verify the "Status" is listed as "Enabled". Under the "Task Name" column, click on the link for the designated task to review the task properties. In the "Advanced" tab, next to the Compressed files, verify the check box for "Scan inside multiple-file archives (e.g. .ZIP)" has been selected. If, for the task designated as the regularly scheduled On Demand Scan, the check box for "Scan inside multiple-file archives (e.g. .ZIP)" next to the Compressed files is not selected, this is a finding.

Fix: F-49554r2_fix

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. If a task does not exist for the regularly scheduled weekly scan, create a New Client Task to run an On Demand scan at least weekly. Click on Actions | Agent | Modify Tasks on a Single System. From the list of available tasks in the "Task Name" column, with the assistance of the ePO SA, identify the weekly On Demand scan client task. Under the "Task Name" column, click on the link for the designated task to review the task properties. In the "Advanced" tab, next to the Compressed files, select the check box for "Scan inside multiple-file archives (e.g. .ZIP)". Click Save.

b
The McAfee VirusScan Enterprise for Linux 1.9.0 On Demand scanner must be configured to decode MIME encoded files.
SI-3 - Medium - CCI-001242 - V-49245 - SV-62151r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001242
Version
DTAVSEL-112
Vuln IDs
  • V-49245
Rule IDs
  • SV-62151r1_rule
Malware is often packaged within an archive. In addition, archives might have other archives within. Not scanning archive files introduces the risk of infected files being introduced into the environment.
System Administrator
Checks: C-50141r4_chk

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Tasks on a Single System. From the list of available tasks in the "Task Name" column, with the assistance of the ePO SA, identify the weekly On Demand scan client task. If a weekly On Demand scan client task does not exist, this is a finding. For the designated weekly On Demand scan client task, verify the "Task Type" is listed as "On Demand Scan". Verify the "Status" is listed as "Enabled". Under the "Task Name" column, click on the link for the designated task to review the task properties. In the "Advanced" tab, next to the Compressed files, verify the check box for "Decode MIME encoded files:" has been selected. If, for the task designated as the regularly scheduled On Demand Scan, the check box for "Decode MIME encoded files:" next to the Compressed files is not selected, this is a finding.

Fix: F-52397r1_fix

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Tasks on a Single System. From the list of available tasks in the "Task Name" column, with the assistance of the ePO SA, identify the weekly On Demand scan client task. Under the "Task Name" column, click on the link for the designated task to review the task properties. In the "Advanced" tab, next to the Compressed files, select the check box for "Decode MIME encoded files:". Click Save.