McAfee MOVE Agentless 3.6.1 Security Virtual Appliance STIG

  • Version/Release: V1R5
  • Published: 2016-09-30
  • Expand All:
  • Severity:
  • Sort:
Compare

Select any two versions of this STIG to compare the individual requirements

View

Select any old version/release of this STIG to view the previous requirements

The McAfee MOVE 3.6.1 Agentless SVA STIG is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the NIST 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.
c
The Virtual Machine must have VMware vShield Endpoint thin client installed and shown as protected in the vShield Manager.
SI-3 - High - CCI-001242 - V-43788 - SV-56609r2_rule
RMF Control
SI-3
Severity
High
CCI
CCI-001242
Version
AV-MOVE-VM-001
Vuln IDs
  • V-43788
Rule IDs
  • SV-56609r2_rule
The vShield Manager is the centralized network management component of vShield, and is installed as a virtual appliance on an ESX host in a vCenter Server environment. The vShield Manager user interface or vSphere Client plug-in is used by administrators to install, configure, and maintain vShield components. vShield Endpoint offloads antivirus and anti-malware agent processing to a dedicated secure virtual appliance delivered by VMware partners. Since the secure virtual appliance (unlike a guest virtual machine) does not go offline, it can continuously update antivirus signatures thereby giving uninterrupted protection to the virtual machines on the host. Also, new virtual machines (or existing virtual machines that went offline) are immediately protected with the most current antivirus signatures when they come online. vShield Endpoint installs as a hypervisor module and security virtual appliance from a third-party antivirus vendor (VMware partners) on an ESX host. The hypervisor scans guest virtual machines from the outside, removing the need for agents in every virtual machine. This makes vShield Endpoint efficient in avoiding resource bottlenecks while optimizing memory use. McAfee MOVE AV Agentless requires vShield Endpoint to be installed on a virtual machine in order for the McAfee MOVE Security Virtual Appliance to protect it. If the virtual machine did not have vShield Endpoint installed, the virtual machine would not be protected from malware and viruses.System Administrator
Checks: C-49405r8_chk

This STIG setting validates whether a virtual machine is protected by the McAfee MOVE Agentless 3.6.1. With the assistance of the System Administrator, verify the client is reporting to the endpoint solution in vShield: a. Log in to vShield Manager b. Browse to Datacenters | <yourdatacenter> | <esx host of vm> | Endpoint tab. Virtual machines should be listed with a description of Thin Agent Enabled. If virtual machines are not listed with a description of Thin Agent Enabled, this is a finding.

Fix: F-49394r2_fix

If the virtual machine is not showing as a "Protected VM", install VMware Tools on the guest VM and select Custom install of VMware tools. In the vSphere Client, right-click the appropriate VM, select Guest | Install/Upgrade VMware Tools. In the Install/Upgrade Tools dialog box, select Interactive Tools Upgrade and click OK. Depending on the environment, select setup.exe or setup64.exe and run it as administrator. Select Custom then click Next. Expand VMware Device Drivers | VMCI Drivers, then select vShield Drivers | This feature will be installed on local hard drive. Access vShield Manager to confirm the virtual machine is showing as a "Protected VM".

b
The McAfee MOVE AV Agentless SVA policy must be configured with, and managed by, the HBSS ePO server.
SI-3 - Medium - CCI-001242 - V-43957 - SV-56787r2_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001242
Version
AV-MOVE-SVA-001
Vuln IDs
  • V-43957
Rule IDs
  • SV-56787r2_rule
Organizations should use centrally managed antivirus software that is controlled and monitored regularly by antivirus administrators, who are also typically responsible for acquiring, testing, approving, and delivering antivirus signature and software updates throughout the organization. Users should not be able to disable or delete antivirus software from their hosts, nor should they be able to alter critical settings. Antivirus administrators should perform continuous monitoring to confirm that hosts are using current antivirus software and that the software is configured properly. Implementing all of these recommendations should strongly support an organization in having a strong and consistent antivirus deployment across the organization.System Administrator
Checks: C-49406r4_chk

NOTE: MOVE Agentless 3.61 Security Virtual Appliance (SVA) comes pre-installed with McAfee Agent 4.8 and requires that the McAfee Agent 4.8 Extension already be installed on the ePO 5.0.x Server. ePO 4.6 environments must upgrade to the McAfee Agent 4.8 Extension prior to deployment of the MOVE Agentless 3.61 SVA. From the ePO server console System Tree, select "My Organization". Select the Systems tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). If the system designated as the McAfee MOVE Security Virtual Appliance (SVA) is not in the ePO server System Tree, this is a finding. If the system designated as the McAfee MOVE Security Virtual Appliance (SVA) is in the ePO server System Tree, click on the system to open the System Information page. On the System Information page, verify "MOVE AV [Agentless]" is listed as an Installed Product. If the system does not show MOVE AV [Agentless] listed as an installed product, this is a finding.

Fix: F-49400r6_fix

Obtain the McAfee Agent install files from the McAfee ePO server and install onto the McAfee SVA, following the same procedures as for any other Linux system being managed by the McAfee ePO server. After installation, from the ePO server console System Tree, select "My Organization". Select the Systems tab. Find and double-click on the asset representing the McAfee MOVE Security Virtual Appliance (SVA) to open its properties. Under the System Properties tab, ensure the "Last Communication" date is within the time period designated by the "Agent-to-Server Communication Interval:" under the McAfee Agent tab. Under the System Properties tab, next to the Installed Products field, ensure MOVE AV [Agentless]" is listed as an installed product.

b
The McAfee MOVE AV Agentless SVA Authentication policy must be configured to communicate with the Hypervisor/vCenter server via HTTPS protocol.
SI-3 - Medium - CCI-001242 - V-43958 - SV-56788r2_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001242
Version
AV-MOVE-SVA-002
Vuln IDs
  • V-43958
Rule IDs
  • SV-56788r2_rule
Requiring the McAfee MOVE AV Agentless SVA to authenticate to the hypervisor over HTTPs ensures the authentication is over a secure path.System Administrator
Checks: C-49407r9_chk

From the ePO server console System Tree, select "My Organization". Select the Systems tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. For McAfee MOVE AV Agentless 3.6.1 From the "Product:" drop-down list, select “MOVE AV [Agentless] 3.6.1”. Locate "SVA" under the "Category" column and select the policy corresponding to it, found under the "Policy" column. On the Policy Settings page, select the “General Settings” tab in McAfee MOVE Agentless 3.6.1 of the Policy Settings page, verify the "Protocol:" is set to “https”. If the "Protocol:" is not set to “https”, this is a finding.

Fix: F-49425r7_fix

From the ePO server console System Tree, select "My Organization". Select the Systems tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select “MOVE AV [Agentless] 3.6.1”. Locate "SVA" under the "Category" column and select the policy corresponding to it, found under the "Policy" column. On the Policy Settings page, select the “General Settings” tab in McAfee MOVE Agentless 3.6.1 of the Policy Settings page and select "https" from the drop-down list. Click on Save.

b
The McAfee MOVE AV Agentless SVA Authentication policy must be configured to authenticate to the Hypervisor/vCenter server with user name and password.
SI-3 - Medium - CCI-001242 - V-43959 - SV-56789r2_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001242
Version
AV-MOVE-SVA-003
Vuln IDs
  • V-43959
Rule IDs
  • SV-56789r2_rule
Requiring the McAfee MOVE AV Agentless SVA to authenticate to the hypervisor with a username and password, coupled with HTTPs, ensures authentication is over a secure path from a valid source.System Administrator
Checks: C-49451r12_chk

From the ePO server console System Tree, select "My Organization". Select the Systems tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on “Actions | Agent | Modify Policies on a Single System”. From the "Product:" drop-down list, select “MOVE AV [Agentless] 3.6.1”. Locate "SVA" under the "Category" column and select the policy corresponding to it, found under the "Policy" column. On the Policy Settings page, select the “General Settings” tab in McAfee MOVE Agentless 3.6.1 of the Policy Settings page, verify the "User:" field is populated. Note: The "Password:" field will appear to be blank. Since the "User:" field cannot be populated and saved without a password, however, the "Password:" field requirement can be considered compliant provided the "User:" field is validated as populated. If the "User:" field is not populated, this is a finding.

Fix: F-49563r11_fix

From the ePO server console System Tree, select "My Organization". Select the Systems tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on “Actions | Agent | Modify Policies on a Single System”. From the "Product:" drop-down list, select “MOVE AV [Agentless]3.6.1”. Locate "SVA" under the "Category" column and select the policy corresponding to it, found under the "Policy" column. On the Policy Settings page, select the “General Settings” tab in McAfee MOVE Agentless 3.6.1 of the Policy Settings page and populate the "User:" and "Password:" fields with a user/password combination which has authentication access to the hypervisor. Click on "Test the connection". Click on Save.

b
The McAfee MOVE AV Agentless SVA Scan Settings policy must be configured with the SVA cache enabled.
SI-3 - Medium - CCI-001242 - V-43960 - SV-56790r2_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001242
Version
AV-MOVE-SVA-004
Vuln IDs
  • V-43960
Rule IDs
  • SV-56790r2_rule
Enabling cache in the McAfee MOVE AV Agentless SVA will enable a more effective performance when scanning virtual machines. System Administrator
Checks: C-49452r8_chk

From the ePO server console System Tree, select "My Organization". Select the Systems tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. For McAfee MOVE AV Agentless 3.6.1: From the "Product:" drop-down list, select MOVE AV [Agentless] 3.6.1. Locate "SVM" under the "Category" column and select the policy corresponding to it, found under the "Policy" column. In the Scan Settings tab MOVE AV Agentless version 3.6.1 of the Policy Settings page, next to the "SVM cache:", verify the checkbox for "Enabled" is selected. If the checkbox for "SVM cache: Enabled" is not selected, this is a finding.

Fix: F-49564r6_fix

From the ePO server console System Tree, select "My Organization". Select the Systems tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. From the "Product:" drop-down list, select MOVE AV [Agentless] 3.6.1. Locate "SVM" under the "Category" column and select the policy corresponding to it, found under the "Policy" column. In the Scan Settings tab of MOVE AV Agentless version 3.6.1 of the Policy Settings page, next to the "SVA cache:", select the checkbox for "Enabled". Click on Save.

b
The McAfee MOVE AV Agentless SVA Scan Settings policy must be configured to cache scan results for files up to a file size of 1 MB.
SI-3 - Medium - CCI-001242 - V-43961 - SV-56791r2_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001242
Version
AV-MOVE-SVA-005
Vuln IDs
  • V-43961
Rule IDs
  • SV-56791r2_rule
While enabling cache in the McAfee MOVE AV Agentless SVA will enable a more effective performance when scanning virtual machines, the file size of cached items needs to be restricted in order to prevent excessively large files from being cached, which would have a negative impact on performance.System Administrator
Checks: C-49453r6_chk

From the ePO server console System Tree, select "My Organization". Select the Systems tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on “Actions | Agent | Modify Policies on a Single System”. From the "Product:" drop-down list, select “MOVE AV [Agentless] 3.6.1”. Locate "SVA" under the "Category" column and select the policy corresponding to it, found under the "Policy" column. In the Scan Settings tab of the Policy Settings page, verify the "Cache scan result of file size up to (MB):" is configured for "1". If the "Cache scan result of file size up to (MB):" is not configured to "1", this is a finding.

Fix: F-49565r3_fix

From the ePO server console System Tree, select "My Organization". Select the Systems tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select MOVE AV [Agentless] 3.6.1. Locate "SVA" under the "Category" column and select the policy corresponding to it, found under the "Policy" column. In the Scan Settings tab of the Policy Settings page, populate the "Cache scan result of file size up to (MB):" with a value of "1" Click on Save.

b
The McAfee MOVE AV Agentless SVA Scan Settings policy for On-Demand Client Scan time interval must be set to no more than every 7 days.
SI-3 - Medium - CCI-001242 - V-43962 - SV-56792r2_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001242
Version
AV-MOVE-SVA-006
Vuln IDs
  • V-43962
Rule IDs
  • SV-56792r2_rule
Antivirus software is the most commonly used technical control for malware threat mitigation. Antivirus software on hosts should be configured to scan all hard drives regularly to identify any file system infections and to scan any removable media, if applicable, before media is inserted into the system. Not scheduling a regular scan of the hard drives of a system and/or not configuring the scan to scan all files and running processes, introduces a higher risk of threats going undetected.System Administrator
Checks: C-49454r8_chk

From the ePO server console System Tree, select "My Organization". Select the Systems tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on "Actions | Agent | Modify Policies on a Single System". From the "Product:" drop-down list, select "MOVE AV [Agentless] 3.6.1". Locate "SVA" under the "Category" column and select the policy corresponding to it, found under the "Policy" column. In the Scan Settings tab of the Policy Settings page, verify the "On-Demand Scan time interval (days):" is set to "7" or less. If the "On-Demand Scan time interval (days):" is set to a value of more than "7", this is a finding.

Fix: F-49566r4_fix

From the ePO server console System Tree, select "My Organization". Select the Systems tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "MOVE AV [Agentless]3.6.1". Locate "SVA" under the "Category" column and select the policy corresponding to it, found under the "Policy" column. In the Scan Settings tab of the Policy Settings page, configure the "On-Demand Scan time interval (days):" with a value of "7" or less. Click on Save.

c
The McAfee MOVE AV Agentless Scan policy must be configured to enable On-Access scanning.
SI-3 - High - CCI-001242 - V-44931 - SV-57765r2_rule
RMF Control
SI-3
Severity
High
CCI
CCI-001242
Version
AV-MOVE-SVA-101
Vuln IDs
  • V-44931
Rule IDs
  • SV-57765r2_rule
Antivirus software is the most commonly used technical control for malware threat mitigation. Antivirus software should be configured to perform real-time scans of each file as it is downloaded, opened, or executed.System Administrator
Checks: C-49455r4_chk

From the ePO server console System Tree, select "My Organization". Select the Systems tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select MOVE AV [Agentless] 3.6.1. Locate "Scan" under the "Category" column and select the policy corresponding to it, found under the "Policy" column. In the General tab of the Policy Settings page, next to the "On-Access Scanning:", verify the checkbox for "Enabled" is selected. If the checkbox for "On-Access Scanning: Enabled" is not selected, this is a finding.

Fix: F-49567r4_fix

From the ePO server console System Tree, select "My Organization". Select the Systems tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "MOVE AV [Agentless] 3.6.1". Locate "Scan" under the "Category" column and select the policy corresponding to it, found under the "Policy" column. In the General tab of the Policy Settings page, next to the "On-Access Scanning:", select the checkbox for "Enabled". Click on Save.

b
The McAfee MOVE AV Agentless Scan policy must be configured to enforce a maximum On-Access Scan timeout of no less than 45 seconds.
SI-3 - Medium - CCI-001242 - V-44933 - SV-57767r2_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001242
Version
AV-MOVE-SVA-102
Vuln IDs
  • V-44933
Rule IDs
  • SV-57767r2_rule
This setting configures the amount of time to wait for a scan to complete, in seconds. The default setting is 45 seconds. Typically, file scans are very fast. However, file scans may take longer time due to large file size, file type, or heavy load on the offload scan server. In such cases that the file scan takes longer than the scan timeout limit, the file access is allowed and a scan timeout event is generated. Setting the timeout too low may result in scans of a file terminating before the scan is completed, resulting in malware potentially going undetected.System Administrator
Checks: C-49456r5_chk

From the ePO server console System Tree, select "My Organization". Select the Systems tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select MOVE AV [Agentless] 3.6.1. Locate "Scan" under the "Category" column and select the policy corresponding to it, found under the "Policy" column. In the General tab of the Policy Settings page, next to the "On-Access Scan timeout:", verify the "Enforce a maximum scanning time for all files (On-Access Scans only)" checkbox is selected. Verify the "On-Access Scan timeout: Maximum scan time (seconds):" has a value of 45 or more. If the checkbox for "On-Access Scan timeout: Enforce a maximum scanning time for all files (On-Access Scans only)"is not selected and/or the "On-Access Scan timeout: Maximum scan time (seconds):" does not have a value of 45 or more, this is a finding.

Fix: F-49568r3_fix

From the ePO server console System Tree, select "My Organization". Select the Systems tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select MOVE AV [Agentless] 3.6.1. Locate "Scan" under the "Category" column and select the policy corresponding to it, found under the "Policy" column. In the General tab of the Policy Settings page, next to the "On-Access Scan timeout:", select the checkbox for "Enforce a maximum scanning time for all files (On-Access Scans only)". In the "On-Access Scan timeout: Maximum scan time (seconds):" place a value of 45 or more. Click on Save.

b
The McAfee MOVE AV Agentless Scan policy must be configured to enable On-Demand scanning.
SI-3 - Medium - CCI-001242 - V-44935 - SV-57769r2_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001242
Version
AV-MOVE-SVA-103
Vuln IDs
  • V-44935
Rule IDs
  • SV-57769r2_rule
Antivirus software is the mostly commonly used technical control for malware threat mitigation. Antivirus software on hosts should be configured to scan all hard drives and folders regularly to identify any file system infections and to scan any removable media, if applicable, before media is inserted into the system. Not scheduling a regular scan of the hard drives of a system and/or not configuring the scan to scan all files and running processes, introduces a higher risk of threats going undetected. System Administrator
Checks: C-49457r5_chk

From the ePO server console System Tree, select "My Organization". Select the Systems tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select MOVE AV [Agentless] 3.6.1. Locate "Scan" under the "Category" column and select the policy corresponding to it, found under the "Policy" column. In the General tab of the Policy Settings page, next to the "On-Demand Scanning:", verify the checkbox for "Enabled" is selected. If the checkbox for "On-Demand Scanning: Enabled" is not selected, this is a finding.

Fix: F-49569r4_fix

From the ePO server console System Tree, select "My Organization". Select the Systems tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "MOVE AV [Agentless] 3.6.1". Locate "Scan" under the "Category" column and select the policy corresponding to it, found under the "Policy" column. In the General tab of the Policy Settings page, next to the "On-Demand Scanning:", select the checkbox for "Enabled". Click on Save.

b
The McAfee MOVE AV Agentless Scan policy must be configured to scan files when opened.
SI-3 - Medium - CCI-001242 - V-44969 - SV-57803r2_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001242
Version
AV-MOVE-SVA-104
Vuln IDs
  • V-44969
Rule IDs
  • SV-57803r2_rule
Antivirus software is the most commonly used technical control for malware threat mitigation. Real-time scanning of files as they are read from disk is a crucial first line of defense from malware attacks.System Administrator
Checks: C-49458r6_chk

From the ePO server console System Tree, select "My Organization". Select the Systems tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select MOVE AV [Agentless] 3.6.1 and locate "Scan" under the "Category" column and select the policy corresponding to it, found under the "Policy" column. In the Scan Items tab of the Policy Settings, next to the "On-Access Scan files:", verify the checkbox for "On Open" is selected. If the checkbox for "On-Access Scan files: On Open" is not selected, this is a finding.

Fix: F-49570r5_fix

From the ePO server console System Tree, select "My Organization". Select the Systems tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "MOVE AV [Agentless] 3.6.1". Locate "Scan" under the "Category" column and select the policy corresponding to it, found under the "Policy" column. In the Scan Items tab of the Policy Settings, next to the "On-Access Scan files:", select the checkbox for "On Open". Click on Save.

b
The McAfee MOVE AV Agentless Scan policy must be configured to scan all file types.
SI-3 - Medium - CCI-001242 - V-44973 - SV-57807r2_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001242
Version
AV-MOVE-SVA-105
Vuln IDs
  • V-44973
Rule IDs
  • SV-57807r2_rule
When scanning for malware, excluding specific file types will increase the risk of a malware-infected file going undetected. By configuring antivirus software to scan all file types, the scanner has a higher success rate at detecting and eradicating malware. System Administrator
Checks: C-49459r5_chk

From the ePO server console System Tree, select "My Organization". Select the Systems tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select MOVE AV [Agentless] 3.6.1. Locate "Scan" under the "Category" column and select the policy corresponding to it, found under the "Policy" column. In the Scan Items tab of the Policy Settings, next to the "Files types to scan:", verify the radio button for "All files" is selected. If radio button for the "Files types to scan: All files" is not selected, this is a finding.

Fix: F-49571r5_fix

From the ePO server console System Tree, select "My Organization". Select the Systems tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "MOVE AV [Agentless] 3.6.1". Locate "Scan" under the "Category" column and select the policy corresponding to it, found under the "Policy" column. In the Scan Items tab of the Policy Settings, next to the "Files types to scan:", select the radio button for "All files". Click on Save.

b
The McAfee MOVE AV Agentless Scan policy must be configured to scan files when closed.
SI-3 - Medium - CCI-001242 - V-44979 - SV-57813r2_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001242
Version
AV-MOVE-SVA-106
Vuln IDs
  • V-44979
Rule IDs
  • SV-57813r2_rule
Antivirus software is the most commonly used technical control for malware threat mitigation. Real-time scanning of files as they are written to disk is a crucial first line of defense from malware attacks.
Checks: C-49460r5_chk

From the ePO server console System Tree, select "My Organization". Select the Systems tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select MOVE AV [Agentless] 3.6.1. Locate "Scan" under the "Category" column and select the policy corresponding to it, found under the "Policy" column. In the Scan Items tab of the Policy Settings, next to the "On-Access Scan files:", verify the checkbox for "On Close" is selected. If the checkbox for "On-Access Scan files: On Close" is not selected, this is a finding.

Fix: F-49572r4_fix

From the ePO server console System Tree, select "My Organization". Select the Systems tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "MOVE AV [Agentless] 3.6.1". Locate "Scan" under the "Category" column and select the policy corresponding to it, found under the "Policy" column. In the Scan Items tab of the Policy Settings, next to the "On-Access Scan files:", select the checkbox for "On Close". Click on Save.

b
The McAfee MOVE AV Agentless Scan policy must be configured to scan inside archives.
SI-3 - Medium - CCI-001242 - V-44993 - SV-57827r3_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001242
Version
AV-MOVE-SVA-107
Vuln IDs
  • V-44993
Rule IDs
  • SV-57827r3_rule
Malware is often packaged within an archive. In addition, archives might have other archives within. Not scanning archive files introduces the risk of infected files being introduced into the environment. System Administrator
Checks: C-49461r8_chk

Note: If the regularly scheduled scan includes the scanning of archive files, this requirement can alternatively be not configured and marked as Not Applicable. If configuring this setting causes performance degradation on virtual machines, this can be downgraded to a CAT III. From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions >> Agent >> Modify Policies on a Single System. From the "Product:" drop-down list, select "MOVE AV [Agentless] 3.6.1". Locate "Scan" under the "Category" column and select the policy corresponding to it, found under the "Policy" column. In the "Scan Items" tab of the Policy Settings, next to the "Compressed files:" Verify the checkbox for "Scan inside archives (e.g., .ZIP)" is selected. If the checkbox for "Compressed files: Scan inside archives (e.g., .ZIP)" is not selected, this is a finding.

Fix: F-49573r5_fix

From the ePO server console System Tree, select "My Organization". Select the Systems tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "MOVE AV [Agentless] 3.6.1". Locate "Scan" under the "Category" column and select the policy corresponding to it, found under the "Policy" column. In the Scan Items tab of the Policy Settings, next to the "Compressed files:", select the check box for "Scan inside archives (e.g., .ZIP)". Click on Save.

b
The McAfee MOVE AV Agentless Scan policy must be configured to decode MIME encoded files.
SI-3 - Medium - CCI-001242 - V-48853 - SV-61731r2_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001242
Version
AV-MOVE-SVA-108
Vuln IDs
  • V-48853
Rule IDs
  • SV-61731r2_rule
Multipurpose Internet Mail Extensions (MIME) encoded files can be crafted to hide a malicious payload. When the MIME encoded file is presented to software that decodes the MIME encoded files, such as an email client, the malware is released. Scanning these files as part of the regularly scheduled scans tasks will mitigate this risk. System Administrator
Checks: C-49462r5_chk

From the ePO server console System Tree, select "My Organization". Select the Systems tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select MOVE AV [Agentless] 3.6.1. Locate "Scan" under the "Category" column and select the policy corresponding to it, found under the "Policy" column. In the Scan Items tab of the Policy Settings, next to the "Compressed files:", verify the checkbox for "Decode MIME encoded files" is selected. If the checkbox for "Compressed files: Decode MIME encoded files" is not selected, this is a finding.

Fix: F-49574r4_fix

From the ePO server console System Tree, select "My Organization". Select the Systems tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "MOVE AV [Agentless] 3.6.1". Locate "Scan" under the "Category" column and select the policy corresponding to it, found under the "Policy" column. In the Scan Items tab of the Policy Settings, next to the "Compressed files:", select the checkbox for "Decode MIME encoded files". Click on Save.

b
The McAfee MOVE AV Agentless Scan policy must be configured to find unknown macro threats.
SI-3 - Medium - CCI-001242 - V-48855 - SV-61733r2_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001242
Version
AV-MOVE-SVA-109
Vuln IDs
  • V-48855
Rule IDs
  • SV-61733r2_rule
Due to the ability of malware to mutate after infection, standard antivirus signatures may not be able to catch new strains or variants of the malware. Typically, these strains and variants will share unique characteristics with others in their virus family. By using a generic signature to detect the shared characteristics, using wildcards where differences lie, the generic signature can detect viruses even if they are padded with extra, meaningless code. This method of detection is Heuristic detection.System Administrator
Checks: C-49463r4_chk

From the ePO server console System Tree, select "My Organization". Select the Systems tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select MOVE AV [Agentless] 3.6.1. Locate "Scan" under the "Category" column and select the policy corresponding to it, found under the "Policy" column. In the Scan Items tab of the Policy Settings, next to the "Heuristics:", verify the checkbox for "Find unknown macro threats" is selected. If the checkbox for "Heuristics: Find unknown macro threats" is not selected, this is a finding.

Fix: F-49575r4_fix

From the ePO server console System Tree, select "My Organization". Select the Systems tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "MOVE AV [Agentless] 3.6.1. Locate "Scan" under the "Category" column and select the policy corresponding to it, found under the "Policy" column. In the Scan Items tab of the Policy Settings, next to the "Heuristics:", select the checkbox for "Find unknown macro threats". Click on Save.

b
The McAfee MOVE AV Agentless Scan policy for Heuristics must be configured to find unknown unwanted programs and Trojans.
SI-3 - Medium - CCI-001242 - V-48857 - SV-61735r2_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001242
Version
AV-MOVE-SVA-110
Vuln IDs
  • V-48857
Rule IDs
  • SV-61735r2_rule
Due to the ability of malware to mutate after infection, standard antivirus signatures may not be able to catch new strains or variants of the malware. Typically, these strains and variants will share unique characteristics with others in their virus family. By using a generic signature to detect the shared characteristics, using wildcards where differences lie, the generic signature can detect viruses even if they are padded with extra, meaningless code. This method of detection is Heuristic detection.System Administrator
Checks: C-49464r4_chk

From the ePO server console System Tree, select "My Organization". Select the Systems tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select MOVE AV [Agentless] 3.6.1. Locate "Scan" under the "Category" column and select the policy corresponding to it, found under the "Policy" column. In the Scan Items tab of the Policy Settings, next to the "Heuristics:", verify the checkbox for "Find unknown unwanted programs and trojans" is selected. If the checkbox for "Heuristics: Find unknown unwanted programs and trojans" is not selected, this is a finding.

Fix: F-49576r4_fix

From the ePO server console System Tree, select "My Organization". Select the Systems tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "MOVE AV [Agentless] 3.6.1". Locate "Scan" under the "Category" column and select the policy corresponding to it, found under the "Policy" column. In the Scan Items tab of the Policy Settings, next to the "Heuristics:", select the checkbox for "Find unknown unwanted programs and trojans". Click on Save.

b
The McAfee MOVE AV Agentless Scan policy must be configured to use McAfee Global Threat Intelligence file reputation set to a sensitivity level of Medium or higher.
SI-3 - Medium - CCI-001242 - V-48859 - SV-61737r2_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001242
Version
AV-MOVE-SVA-111
Vuln IDs
  • V-48859
Rule IDs
  • SV-61737r2_rule
Antivirus software vendors use collective intelligence from sensors and cross-vector intelligence from web, email, and network threats to compile scores that reflect the likelihood of whether a file in question is malware. The collective intelligence is constantly being updated, more frequently than the typical daily antivirus signature files. With File Reputation lookup, a more real-time response to potential malicious code is realized than with the local-running antivirus software, since by querying the cloud-based database when a file appears to be suspicious, up-to-the-minute intelligence is provided. This type of protection reduces the threat protection time period from days to milliseconds, increases malware detection rates, and reduces downtime and remediation costs associated with malware attacks. Using File Reputation lookup is mandated by US CYBERCOM on DoD systems.System Administrator
Checks: C-49465r4_chk

NOTE: This check is Not Applicable for SIPRNet systems. From the ePO server console System Tree, select "My Organization". Select the Systems tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select MOVE AV [Agentless] 3.6.1. Locate "Scan" under the "Category" column and select the policy corresponding to it, found under the "Policy" column. In the Scan Items tab of the Policy Settings, next to the "McAfee Global Threat Intelligence file reputation:", verify the "Sensitivity level:" is set to Medium, or higher. If the "Sensitivity level:" for the "McAfee Global Threat Intelligence file reputation:" is not set to Medium, or higher, this is a finding.

Fix: F-49577r4_fix

From the ePO server console System Tree, select "My Organization". Select the Systems tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "MOVE AV [Agentless] 3.6.1". Locate "Scan" under the "Category" column and select the policy corresponding to it, found under the "Policy" column. In the Scan Items tab of the Policy Settings, next to the "McAfee Global Threat Intelligence file reputation:", select Medium or higher from the "Sensitivity level:" drop-down list. Click on Save.

b
The McAfee MOVE AV Agentless Scan policy must be configured to detect unwanted programs.
SI-3 - Medium - CCI-001242 - V-48861 - SV-61739r2_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001242
Version
AV-MOVE-SVA-112
Vuln IDs
  • V-48861
Rule IDs
  • SV-61739r2_rule
Due to the ability of malware to mutate after infection, standard antivirus signatures may not be able to catch new strains or variants of the malware. Typically, these strains and variants will share unique characteristics with others in their virus family. By using a generic signature to detect the shared characteristics, using wildcards where differences lie, the generic signature can detect viruses even if they are padded with extra, meaningless code. This method of detection is Heuristic detection.System Administrator
Checks: C-49466r5_chk

From the ePO server console System Tree, select "My Organization". Select the Systems tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select MOVE AV [Agentless] 3.6.1. Locate "Scan" under the "Category" column and select the policy corresponding to it, found under the "Policy" column. In the Scan Items tab of the Policy Settings, next to the "Unwanted programs detection:", verify the checkbox for "Detect unwanted programs" is selected. In the Scan Items tab of the Policy Settings, next to the "Unwanted programs detection:", verify the checkboxes for "Spyware", "Adware", "Remote Administration Tools", "Dialers", "Password Crackers", "Jokes", "Key Loggers", and "Other Potentially Unwanted Programs" are all selected. If the checkbox for "Unwanted programs detection: Detect unwanted programs", and/or the checkbox for any of "Spyware", "Adware", "Remote Administration Tools", "Dialers", "Password Crackers", "Jokes", "Key Loggers", and "Other Potentially Unwanted Programs" is not selected, this is a finding.

Fix: F-49578r5_fix

From the ePO server console System Tree, select "My Organization". Select the Systems tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "MOVE AV [Agentless] 3.6.1". Locate "Scan" under the "Category" column and select the policy corresponding to it, found under the "Policy" column. In the Scan Items tab of the Policy Settings, next to the "Unwanted programs detection:", select the checkbox for "Detect unwanted programs". In the Scan Items tab of the Policy Settings, next to the "Unwanted programs detection:", select the checkboxes for "Spyware", "Adware", "Remote Administration Tools", "Dialers", "Password Crackers", "Jokes", "Key Loggers", and "Other Potentially Unwanted Programs". Click on Save.

b
For any path or file exclusions configured in the McAfee MOVE AV Agentless Scan policy, those exclusions must be formally documented by the System Administrator and approved by the IAO/IAM.
SI-3 - Medium - CCI-001242 - V-48863 - SV-61741r2_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001242
Version
AV-MOVE-SVA-113
Vuln IDs
  • V-48863
Rule IDs
  • SV-61741r2_rule
When scanning for malware, excluding specific file types will increase the risk of a malware-infected file going undetected. By configuring antivirus software to scan all file types, the scanner has a higher success rate at detecting and eradicating malware. The excluding of files, paths, and processes from being scanned expands the potential for malware to be allowed onto the information system. While it is recognized that some file types might need to be excluded for operational reasons and/or because there is protection afforded to those files through a different mechanism, allowing those exclusions should always be vetted, documented and approved before applying.System AdministratorInformation Assurance OfficerInformation Assurance Manager
Checks: C-49467r6_chk

From the ePO server console System Tree, select "My Organization". Select the Systems tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select “MOVE AV [Agentless] 3.6.1”. Locate "Scan" under the "Category" column and select the policy corresponding to it, found under the "Policy" column. In the “Exclusions” tab, verify the "Path and File Exclusion:" does not have any entry other than the default "**\McAfee\Common Framework\". If any entries other than the default "**\McAfee\Common Framework\" do exist, verify those exclusions have been formally documented by the System Administrator and approved by the ISSO/ISSM. If there are entries in the "Path and File Exclusion:" other than the default "**\McAfee\Common Framework\" and those exclusions have not been formally documented by the System Administrator and approved by the ISSO/ISSM, this is a finding. If the "Path and File Exclusion:" has been populated with any exclusions other than the default, and those exclusions have been formally documented by the System Administrator and approved by the ISSO/ISSM, this is not a finding.

Fix: F-49579r5_fix

From the ePO server console System Tree, select "My Organization". Select the Systems tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. From the "Product:" drop-down list, select “MOVE AV [Agentless] 3.6.1”. Locate "Scan" under the "Category" column and select the policy corresponding to it, found under the "Policy" column. In the “Exclusions” tab, removed any entries from the "Path and File Exclusion:" which have not been documented by the System Administrator and approved by the IAO/IAM. Click on Save.

b
When a threat is found by the McAfee MOVE AV Agentless On-Access Scan, the Scan policy must be configured to delete files automatically as first action.
SI-3 - Medium - CCI-001242 - V-48865 - SV-61743r2_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001242
Version
AV-MOVE-SVA-115
Vuln IDs
  • V-48865
Rule IDs
  • SV-61743r2_rule
Malware incident containment has two major components: stopping the spread of malware and preventing further damage to hosts. Disinfecting a file is generally preferable to quarantining it because the malware is removed and the original file restored; however, many infected files cannot be disinfected. The primary goal of eradication is to remove malware from infected hosts.
Checks: C-49468r4_chk

From the ePO server console System Tree, select "My Organization". Select the Systems tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select MOVE AV [Agentless] 3.6.1. Locate "Scan" under the "Category" column and select the policy corresponding to it, found under the "Policy" column. In the Actions tab, next to the "On-Access Scan: When a threat is found:", verify "Delete files automatically" is selected from the drop-down list for the "Perform this action first". If the "On-Access Scan: When a threat is found: Perform this action first:" does not have "Delete files automatically" selected from the drop-down list, this is a finding.

Fix: F-49580r4_fix

From the ePO server console System Tree, select "My Organization". Select the Systems tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "MOVE AV [Agentless]3.6.1". Locate "Scan" under the "Category" column and select the policy corresponding to it, found under the "Policy" column. In the Actions tab, next to the "On-Access Scan: When a threat is found:", select "Delete files automatically" from the "Perform this action first:" drop-down list. Click on Save.

b
When a threat is found by the McAfee MOVE AV Agentless On-Access Scan, the Scan policy must be configured to deny access to files if first action fails.
Medium - V-48867 - SV-61745r2_rule
RMF Control
Severity
Medium
CCI
Version
AV-MOVE-SVA-116
Vuln IDs
  • V-48867
Rule IDs
  • SV-61745r2_rule
Malware incident containment has two major components: stopping the spread of malware and preventing further damage to hosts. Disinfecting a file is generally preferable to quarantining it because the malware is removed and the original file restored; however, many infected files cannot be disinfected. The primary goal of eradication is to remove malware from infected hosts. System Administrator
Checks: C-49469r4_chk

From the ePO server console System Tree, select "My Organization". Select the Systems tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select MOVE AV [Agentless] 3.6.1. Locate "Scan" under the "Category" column and select the policy corresponding to it, found under the "Policy" column. In the Actions tab, next to the "On-Access Scan: When a threat is found:", verify "Deny access to files" is selected from the drop-down list for "If the first action fails, then perform this action". If the "On-Access Scan: When a threat is found: If the first action fails, then perform this action:" does not have "Deny access to files" selected from the drop-down list, this is a finding.

Fix: F-49581r3_fix

From the ePO server console System Tree, select "My Organization". Select the Systems tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select MOVE AV [Agentless] 3.6.1. Locate "Scan" under the "Category" column and select the policy corresponding to it, found under the "Policy" column. In the Actions tab, next to the "On-Access Scan: When a threat is found:", select "Deny access to files" from the "If the first action fails, then perform this action:" drop-down list. Click on Save.

b
When a threat is found by the McAfee MOVE AV Agentless On-Demand Scan, the Scan policy must be configured to delete files automatically as first action.
SI-3 - Medium - CCI-001242 - V-48869 - SV-61747r2_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001242
Version
AV-MOVE-SVA-117
Vuln IDs
  • V-48869
Rule IDs
  • SV-61747r2_rule
Malware incident containment has two major components: stopping the spread of malware and preventing further damage to hosts. Disinfecting a file is generally preferable to quarantining it because the malware is removed and the original file restored; however, many infected files cannot be disinfected. The primary goal of eradication is to remove malware from infected hosts.System Administrator
Checks: C-49470r4_chk

From the ePO server console System Tree, select "My Organization". Select the Systems tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select MOVE AV [Agentless] 3.6.1. Locate "Scan" under the "Category" column and select the policy corresponding to it, found under the "Policy" column. In the Actions tab, next to the "On-Demand Scan: When a threat is found:", verify "Delete files automatically" is selected from the drop-down list for "Perform this action first". If the "On-Demand Scan: When a threat is found: Perform this action first:" does not have "Delete files automatically" selected from the drop-down list, this is a finding.

Fix: F-49582r4_fix

From the ePO server console System Tree, select "My Organization". Select the Systems tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "MOVE AV [Agentless] 3.6.1". Locate "Scan" under the "Category" column and select the policy corresponding to it, found under the "Policy" column. In the Actions tab, next to the "On-Demand Scan: When a threat is found:", select "Delete files automatically" from the "Perform this action first:" drop-down list. Click on Save.

b
When a threat is found by the McAfee MOVE AV Agentless On-Demand Scan, the Scan policy must be configured to notify only if first action fails.
SI-3 - Medium - CCI-001242 - V-48871 - SV-61749r2_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001242
Version
AV-MOVE-SVA-118
Vuln IDs
  • V-48871
Rule IDs
  • SV-61749r2_rule
Malware incident containment has two major components: stopping the spread of malware and preventing further damage to hosts. Disinfecting a file is generally preferable to quarantining it because the malware is removed and the original file restored; however, many infected files cannot be disinfected. The primary goal of eradication is to remove malware from infected hosts.System Administrator
Checks: C-50963r4_chk

From the ePO server console System Tree, select "My Organization". Select the Systems tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select MOVE AV [Agentless] 3.6.1. Locate "Scan" under the "Category" column and select the policy corresponding to it, found under the "Policy" column. In the Actions tab, next to the "On-Demand Scan: When a threat is found:", verify "Notify Only" is selected from the drop-down list for "If the first action fails, then perform this action". If the "On-Demand Scan: When a threat is found: If the first action fails, then perform this action:" does not have "Notify Only" selected from the drop-down list, this is a finding.

Fix: F-49583r4_fix

From the ePO server console System Tree, select "My Organization". Select the Systems tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "MOVE AV [Agentless] 3.6.1". Locate "Scan" under the "Category" column and select the policy corresponding to it, found under the "Policy" column. In the Actions tab, next to the "On-Demand Scan: When a threat is found:", select the "Notify Only" from the "If the first action fails, then perform this action:" drop-down list. Click on Save.

b
The McAfee MOVE AV Agentless Scan policy must be configured to enable the quarantine.
SI-3 - Medium - CCI-001242 - V-48873 - SV-61751r2_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001242
Version
AV-MOVE-SVA-119
Vuln IDs
  • V-48873
Rule IDs
  • SV-61751r2_rule
Malware incident containment has two major components: stopping the spread of malware and preventing further damage to hosts. Disinfecting a file is generally preferable to quarantining it because the malware is removed and the original file restored; however, many infected files cannot be disinfected. Accordingly, antivirus software should be configured to attempt to disinfect infected files and to either quarantine or delete files that cannot be disinfected. By enabling the Quarantine, organizations will have the ability to submit copies of unknown malware to their security software vendors for analysis and will able to conduct internal forensic evaluation.System Administrator
Checks: C-49472r4_chk

From the ePO server console System Tree, select "My Organization". Select the Systems tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select MOVE AV [Agentless] 3.6.1. Locate "Scan" under the "Category" column and select the policy corresponding to it, found under the "Policy" column. In the Quarantine tab, next to Quarantine configuration, verify the checkbox for "Enabled" is selected. If the checkbox for "Quarantine configuration: Enabled" is not selected, this is a finding.

Fix: F-49584r4_fix

From the ePO server console System Tree, select "My Organization". Select the Systems tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "MOVE AV [Agentless] 3.6.1". Locate "Scan" under the "Category" column and select the policy corresponding to it, found under the "Policy" column. In the Quarantine tab, next to the "Quarantine configuration:", select the checkbox for "Enabled". Click on Save.

c
The McAfee MOVE AV Agentless SVAadmin account password must be changed from the default.
SI-3 - High - CCI-001242 - V-49679 - SV-62603r1_rule
RMF Control
SI-3
Severity
High
CCI
CCI-001242
Version
AV-MOVE-SVA-10
Vuln IDs
  • V-49679
Rule IDs
  • SV-62603r1_rule
The pre-configured Security Virtual Appliance (SVA) comes with a default password for the SVAadmin account. This account has root privileges to the Linux O/S of the appliance. By not changing the password from the default, the appliance will be subject to access by unauthorized individuals. System Administrator
Checks: C-51549r1_chk

Have the System Administrator confirm the default SVAadmin password has been change from the default of "admin". If the SVAadmin password has not been changed from the default of "admin", this is a finding.

Fix: F-53181r1_fix

Following local password change procedures for Linux systems, change the SVAadmin password from the default of "admin".