The McAfee VirusScan 8.8 Local Client STIG is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the NIST 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.
Sort by
c
McAfee VirusScan On-Access Scanner General Settings must be configured to enable on-access scanning at system startup.
For Antivirus software to be effective, it must be running at all times, beginning from the point of the system's initial startup. Otherwise, the risk is greater for viruses, trojans, and other malware infecting the system during that startup phase.System Administrator
Fix: F-49116r1_fix
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console.
On the menu bar, click Task->On-Access Scanner Properties.
Under the General tab, locate the "General:" label. Select the "Enable on-access scanning at system startup" option.
Click OK to Save.
b
McAfee VirusScan On-Access Scanner General Settings must be configured to scan boot sectors.
Boot sector viruses will install into the boot sector of a system, ensuring that they will execute when the user boots the system. This risk is mitigated by scanning boot sectors at each startup of the system.System Administrator
Fix: F-49048r1_fix
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console.
On the menu bar, click Task->On-Access Scanner Properties.
Select the General Settings.
Under the General tab, locate the "Scan:" label. Select the "Boot Sectors" option.
Click OK to Save.
b
McAfee VirusScan On-Access Scanner General Settings must be configured to scan floppy during shutdown.
Computer viruses in the early days of personal computing were almost exclusively passed around by floppy disks. Floppy disks would be used to boot the computer and, if infected, would infect the hard drive files, as well. Although floppy drives have fallen out of use, it is still a good security practice, whenever the antivirus software allows, to enable the scanning software to scan a floppy disk at shutdown.System Administrator
Fix: F-49049r2_fix
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console
On the menu bar, click Task->On-Access Scanner Properties.
Select the General Settings.
Under the General tab, locate the "Scan:" label. Select the "Floppy during shutdown" option.
Click OK to Save.
b
McAfee VirusScan On-Access Scanner General Settings must be configured to notify local users when detections occur.
An effective awareness program explains proper rules of behavior for use of an organization's IT systems and information. Accordingly, awareness programs should include guidance to users on malware incident prevention, which can help reduce the frequency and severity of malware incidents.
Organizations should also make users aware of policies and procedures that apply to malware incident handling, such as how to identify if a host may be infected, how to report a suspected incident, and what users need to do to assist with incident handling
Ensuring the antivirus software alerts the users when malware is detected will ensure the user is informed of the incident and be able to more closely relate the incident to action being performed by the user at the time of the detection.System Administrator
Fix: F-49050r1_fix
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console
On the menu bar, click Task->On-Access Scanner Properties.
Select the General Settings.
Under the Messages tab, locate the "Messages for local users:" label. Select the "Show the messages dialog box when a threat is detected and display the specified text in the message" option.
Click OK to Save.
b
McAfee VirusScan On-Access Scanner General Settings must be configured to prevent users from removing messages from the list.
Good incident response analysis includes reviewing all logs and alerts on the system reporting the infection. If users were permitted to remove alerts from the display, incident response forensic analysis would be inhibited.System Administrator
Fix: F-49052r1_fix
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console.
On the menu bar, click on Task->On-Access Scanner Properties.
Select the General Settings.
Under the Messages tab, locate the "Actions available to user:" label. Uncheck the "Remove messages from the list" option.
Click OK to Save.
b
McAfee VirusScan On-Access Scanner General Settings must be configured to log the scan sessions.
Log management is essential to ensuring that computer security records are stored in sufficient detail for an appropriate period of time. Routine log analysis is beneficial for identifying security incidents, policy violations, fraudulent activity, and operational problems. Logs are also useful when performing auditing and forensic analysis, supporting internal investigations, establishing baselines, and identifying operational trends and long-term problems.System Administrator
Fix: F-49053r1_fix
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console.
On the menu bar, click Task->On-Access Scanner Properties.
Select the General Settings.
Under the Reports tab, locate the "Log file" label. Select the "Enable activity logging and accept the default location for the log file or specify a new location" option.
Click OK to Save.
b
McAfee VirusScan On-Access Scanner General Settings log file size must be restricted and be configured to at least 10MB.
While logging is imperative to forensic analysis, logs could grow to the point of impacting disk space on the system. In order to avoid the risk of logs growing to the size of impacting the operating system, the log size will be restricted. If the data in the log file exceeds the file size set, the oldest 20 percent of the entries are deleted and new data is appended to the file, so although the file size is restricted, it must also be large enough to retain forensic value.
System AdministratorECSC-1
Fix: F-49054r1_fix
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console.
On the menu bar, click Task->On-Access Scanner Properties.
Select the General Settings.
Under the Reports tab, locate the "Log file size:" label. Select the "Limit the size of log file" option. For the "Maximum log file size:", select a value of at least 10MB or more.
Click OK to Save.
b
McAfee VirusScan On-Access Scanner General Settings must be configured to log the session summary.
Log management is essential to ensuring computer security records are stored in sufficient detail for an appropriate period of time. Routine log analysis is beneficial for identifying security incidents, policy violations, fraudulent activity, and operational problems. Logs are also useful when performing auditing and forensic analysis, supporting internal investigations, establishing baselines, and identifying operational trends and long-term problems.System Administrator
Fix: F-49055r1_fix
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console.
On the menu bar, click Task->On-Access Scanner Properties.
Select the General Settings.
Under the Reports tab, locate the "What to log in addition to scanning activity:" label. Select the "Session summary" option.
Click OK to Save.
b
McAfee VirusScan On-Access Scanner General Settings must be configured to log any failure to scan encrypted files.
Log management is essential to ensuring computer security records are stored in sufficient detail for an appropriate period of time. Routine log analysis is beneficial for identifying security incidents, policy violations, fraudulent activity, and operational problems. Logs are also useful when performing auditing and forensic analysis, supporting internal investigations, establishing baselines, and identifying operational trends and long-term problems.System Administrator
Fix: F-49057r1_fix
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console.
On the menu bar, click Task->On-Access Scanner Properties.
Select the General Settings.
Under the Reports tab, locate the "What to log in addition to scanning activity:" label. Select the "Failure to scan encrypted files" option.
Click OK to Save.
b
McAfee VirusScan must be configured to receive DAT and Engine updates.
Antivirus signature files are updated almost daily by antivirus software vendors. These files are made available to antivirus clients as they are published. Keeping virus signature files as current as possible is vital to the security of any system. The antivirus software product must be configured to receive those updates automatically in order to afford the expected protection.System Administrator
Fix: F-49058r2_fix
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console.
Under the Task column, find the AutoUpdate option, right-click, and choose Properties.
Click the Schedule button.
On the Task tab, select "Enable (scheduled task runs at specified time)".
On the Schedule tab, the "Run task:" option must be configured with Daily.
Click OK to save.
b
McAfee VirusScan On Delivery Email Scanner Properties must be configured to enable on-delivery email scanning.
Email has become one of the most frequently used methods of spreading malware, through embedded HTML code and attachments. User awareness and training, warning users to not open suspicious emails or email attachments and not clicking on hyperlinks, etc., from unknown or known senders, will not fully protect from email-borne malware. Mass mailing worms are similar to an email-borne virus but is self-contained rather than infecting an existing file. Protecting from email-borne viruses and mass mailing worms by scanning email upon delivery mitigates the risk of infection via email.System Administrator
Fix: F-49200r3_fix
Access the local VirusScan console by clicking Start >> All Programs >> McAfee >> VirusScan Console.
Under the Task column, select the On-Delivery Email Scanner Option, right-click, and select "Enable".
Click OK to Save.
b
McAfee VirusScan On-Delivery Email Scanner must be configured to find unknown program threats and trojans.
Email has become one of the most frequently used methods of spreading malware, through embedded HTML code and attachments. User awareness and training, warning users to not open suspicious emails or email attachments and not clicking on hyperlinks, etc., from unknown or known senders, will not fully protect from email-borne malware. Mass mailing worms are similar to an email-borne virus but is self-contained rather than infecting an existing file. Protecting from email-borne viruses and mass mailing worms by scanning email upon delivery mitigates the risk of infection via email.System Administrator
Fix: F-49063r3_fix
Access the local VirusScan console by clicking Start >> All Programs >> McAfee >> VirusScan Console.
Under the Task column, select the On-Delivery Email Scanner Option, right-click, and select Properties.
Under the Scan Items tab, locate the "Heuristics:" label. Select the "Find unknown program threats and trojans" option.
Click OK to Save.
b
McAfee VirusScan On Delivery Email Scanner Properties must be configured to find unknown macro threats.
Email has become one of the most frequently used methods of spreading malware, through embedded HTML code and attachments. User awareness and training, warning users to not open suspicious emails or email attachments and not clicking on hyperlinks, etc. from unknown or known senders, will not fully protect from email-borne malware. Mass mailing worms are similar to an email-borne virus but is self-contained rather than infecting an existing file. Protecting from email-borne viruses and mass mailing worms by scanning email upon delivery mitigates the risk of infection via email.System Administrator
Fix: F-49074r2_fix
Access the local VirusScan console by clicking Start >> All Programs >> McAfee >> VirusScan Console.
Under the Task column, select the On-Delivery Email Scanner Option, right-click, and select Properties.
Under the Scan Items tab, locate the "Heuristics:" label. Select the "Find unknown macro threats" option.
Click OK to Save.
b
McAfee VirusScan On Delivery Email Scanner Properties must be configured to decode MIME encoded files.
Email has become one of the most frequently used methods of spreading malware, through embedded HTML code and attachments. User awareness and training, warning users to not open suspicious emails or email attachments and not clicking on hyperlinks, etc. from unknown or known senders, will not fully protect from email-borne malware. Mass mailing worms are similar to an email-borne virus but is self-contained rather than infecting an existing file. Protecting from email-borne viruses and mass mailing worms by scanning email upon delivery mitigates the risk of infection via email.System Administrator
Fix: F-49112r2_fix
Access the local VirusScan console by clicking Start >> All Programs >> McAfee >> VirusScan Console.
Under the Task column, select the On-Delivery Email Scanner Option, right-click, and select Properties.
Under the Scan Items tab, locate the "Compressed files:" label. Select the "Decode MIME encoded files" option.
Click OK to Save.
b
McAfee VirusScan On Delivery Email Scanner Properties must be configured to scan email message body.
Email has become one of the most frequently used methods of spreading malware, through embedded HTML code and attachments. User awareness and training, warning users to not open suspicious emails or email attachments and not clicking on hyperlinks, etc. from unknown or known senders, will not fully protect from email-borne malware. Mass mailing worms are similar to an email-borne virus but is self-contained rather than infecting an existing file. Protecting from email-borne viruses and mass mailing worms by scanning email upon delivery mitigates the risk of infection via email.System Administrator
Fix: F-49101r4_fix
Access the local VirusScan console by clicking Start >> All Programs >> McAfee >> VirusScan Console.
Under the Task column, select the On-Delivery Email Scanner Option, right-click, and select Properties.
Under the Scan Items tab, locate the "Email message body (Setting for Outlook Scanner Only):" label. Select the "Scan email message body" option.
Click OK to Save.
b
McAfee VirusScan On Delivery Email Scanner Properties, When a threat is found, must be configured to clean attachments as the first action.
Email has become one of the most frequently used methods of spreading malware, through embedded HTML code and attachments. User awareness and training, warning users to not open suspicious emails or email attachments and not clicking on hyperlinks, etc., from unknown or known senders, will not fully protect from email-borne malware. Mass mailing worms are similar to an email-borne virus but is self-contained rather than infecting an existing file. Protecting from email-borne viruses and mass mailing worms by scanning email upon delivery mitigates the risk of infection via email.System Administrator
Fix: F-49113r2_fix
Access the local VirusScan console by clicking Start >> All Programs >> McAfee >> VirusScan Console.
Under the Task column, select the On-Delivery Email Scanner Option, right-click, and select Properties.
Under the Actions tab, locate the "When a threat is found:" label. From the "Perform this action first:" pull down menu, select "Clean attachments".
Click OK to Save.
b
McAfee VirusScan On Delivery Email Scanner Properties must be configured to record scanning activity in a log file.
Log management is essential to ensuring that computer security records are stored in sufficient detail for an appropriate period of time. Routine log analysis is beneficial for identifying security incidents, policy violations, fraudulent activity, and operational problems. Logs are also useful when performing auditing and forensic analysis, supporting internal investigations, establishing baselines, and identifying operational trends and long-term problems.System Administrator
Fix: F-49114r2_fix
Access the local VirusScan console by clicking Start >> All Programs >> McAfee >> VirusScan Console.
Under the Task column, select the On-Delivery Email Scanner Option, right-click, and select Properties.
Under the Reports tab, locate the "Log file" label. Select the "Enable activity logging and accept the default location for the log file or specify a new location." option.
Click OK to Save.
b
McAfee VirusScan On-Delivery Email Scanner log file size must be restricted and be configured to be at least 10MB.
While logging is imperative to forensic analysis, logs could grow to the point of impacting disk space on the system. In order to avoid the risk of logs growing to the size of impacting the operating system, the log size will be restricted. If the data in the log file exceeds the file size set, the oldest 20 percent of the entries are deleted and new data is appended to the file so although the file size is restricted, it must also be large enough to retain forensic value.System Administrator
Fix: F-49115r3_fix
Access the local VirusScan console by clicking Start >> All Programs >> McAfee >> VirusScan Console.
Under the Task column, select the On-Delivery Email Scanner Option, right-click, and select Properties.
Under the Reports tab, locate the "Log file" label.
Select the "Limit the size of log file" option. For the "Maximum log file size:" select a value of at least 10MB.
Click OK to Save.
b
McAfee VirusScan On-Demand scan must be configured to scan all subfolders.
Antivirus software is the mostly commonly used technical control for malware threat mitigation. Antivirus software on hosts should be configured to scan all hard drives and folders regularly to identify any file system infections and to scan any removable media, if applicable, before media is inserted into the system. Not scheduling a regular scan of the hard drives of a system and/or not configuring the scan to scan all files and running processes, introduces a higher risk of threats going undetected.System Administrator
Fix: F-49117r1_fix
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console.
In the console window, under Task, with the assistance of the System Administrator, identify the weekly on-demand client scan task.
Right-click the Task and select Properties.
Under the Scan Locations tab, locate the "Scan options:" label. Select the "Include subfolders" option.
Click OK to Save.
b
McAfee VirusScan On-Demand scan must be configured to scan boot sectors.
Boot sector viruses will install into the boot sector of a system, ensuring that they will execute when the user boots the system. This risk is mitigated by scanning boot sectors at each startup of the system.System Administrator
Fix: F-49118r1_fix
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console.
In the console window, under Task, find and select the scheduled task that shows a Status of "Daily" or "Weekly" or any frequency other than "Not Scheduled".
Right-click the Task and select Properties.
Under the Scan Locations tab, locate the "Scan options:" label. Select the "Scan boot sectors" option.
Click OK to Save.
b
McAfee VirusScan On-Demand scan must be configured to scan all files.
When scanning for malware, excluding specific file types will increase the risk of a malware-infected file going undetected. By configuring antivirus software to scan all file types, the scanner has a higher success rate at detecting and eradicating malware.
System Administrator
Fix: F-49119r1_fix
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console.
In the console window, under Task, with the assistance of the System Administrator, identify the weekly on-demand client scan task.
Right-click the Task and select Properties.
Under the Scan Item tab, locate the "File types to scan:" label. Select the "All files" option.
Click OK to Save.
b
McAfee VirusScan On-Demand scan must be configured so there are no exclusions from the scan unless exclusions have been documented with, and approved by, the ISSO/ISSM/DAA.
When scanning for malware, excluding specific files will increase the risk of a malware-infected file going undetected. By configuring antivirus software without any exclusions, the scanner has a higher success rate at detecting and eradicating malware.System Administrator
Fix: F-49120r1_fix
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console.
In the console window, under Task, with the assistance of the System Administrator, identify the weekly on-demand client scan task.
Right-click on the Task and select Properties.
Under the Exclusions tab, locate the "What not to scan:" label, remove any items.
Click OK to Save.
b
McAfee VirusScan On-Demand scan must be configured to scan inside archives.
Malware is often packaged within an archive. In addition, archives might have other archives within. Not scanning archive files introduces the risk of infected files being introduced into the environment.
System Administrator
Fix: F-49121r1_fix
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console.
In the console window, under Task, with the assistance of the System Administrator, identify the weekly on-demand client scan task.
Right-click the Task and select Properties.
Under the Scan Items tab, locate the "Options:" label. Select the "Scan inside archives (e.g. .ZIP)" option.
Click OK to Save.
b
McAfee VirusScan On-Demand scan must be configured to decode MIME encoded files.
Multipurpose Internet Mail Extensions (MIME) encoded files can be crafted to hide a malicious payload. When the MIME encoded file is presented to software that decodes the MIME encoded files, such as an email client, the malware is released. Scanning these files as part of the regularly scheduled scans tasks will mitigate this risk.System Administrator
Fix: F-49122r1_fix
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console.
In the console window, under Task, with the assistance of the System Administrator, identify the weekly on-demand client scan task.
Right-click the Task and select Properties.
Under the Scan Items tab, locate the "Options:" label. Select the "Decode MIME encoded files" option.
Click OK to Save.
b
McAfee VirusScan On-Demand scan must be configured to find unknown program threats.
Due to the ability of malware to mutate after infection, standard antivirus signatures may not be able to catch new strains or variants of the malware. Typically, these strains and variants will share unique characteristics with others in their virus family. By using a generic signature to detect the shared characteristics, using wildcards where differences lie, the generic signature can detect viruses even if they are padded with extra, meaningless code. This method of detection is Heuristic detection.System Administrator
Fix: F-49123r1_fix
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console.
In the console window, under Task, with the assistance of the System Administrator, identify the weekly on-demand client scan task.
Right-click the Task and select Properties.
Under the Scan Items tab, locate the "Heuristics:" label. Select the "Find unknown program threats" option.
Click OK to Save.
b
McAfee VirusScan On-Demand scan must be configured to find unknown macro threats.
Interpreted viruses are executed by an application. Within this subcategory, macro viruses take advantage of the capabilities of applications' macro programming language to infect application documents and document templates, while scripting viruses infect scripts that are understood by scripting languages processed by services on the OS. Many attackers use toolkits containing several different types of utilities and scripts that can be used to probe and attack hosts. The scanning for unknown macro viruses will mitigate zero day attacks.System Administrator
Fix: F-49124r1_fix
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console.
In the console window, under Task, with the assistance of the System Administrator, identify the weekly on-demand client scan task.
Right-click the Task and select Properties.
Under the Scan Items tab, locate the "Heuristics:" label. Select the "Find unknown macro threats" option.
Click OK to Save.
b
McAfee VirusScan On-Demand scan actions, When a threat is found must be configured to clean files automatically as first action.
Malware may have infected a file that is necessary to the user. By configuring the antivirus software to first attempt cleaning the infected file, availability to the file is not sacrificed. If a cleaning attempt is not successful, however, deleting the file is the only safe option so as to ensure the malware is not introduced onto the system or network.System Administrator
Fix: F-49125r1_fix
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console.
In the console window, under Task, with the assistance of the System Administrator, identify the weekly on-demand client scan task.
Right-click the Task and select Properties.
Under the Actions tab, locate the "When a threat is found:" label. From the "Perform this action first:" pull down menu, select "Clean".
Click OK to Save.
b
McAfee VirusScan On-Demand scan actions, When a threat is found must be configured to delete files automatically if first action fails.
Malware may have infected a file that is necessary to the user. By configuring the antivirus software to first attempt cleaning the infected file, availability to the file is not sacrificed. If a cleaning attempt is not successful, however, deleting the file is the only safe option so as to ensure the malware is not introduced onto the system or network.System Administrator
Fix: F-49126r1_fix
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console.
In the console window, under Task, with the assistance of the System Administrator, identify the weekly on-demand client scan task.
Right-click the Task and select Properties.
Under the Actions tab, locate the "When a threat is found:" label. From the "If the first action fails, then perform this action:" pull down menu, select "Delete".
Click OK to Save.
b
McAfee VirusScan On-Demand scan must be configured to record scanning activity in a log file.
Log management is essential to ensuring computer security records are stored in sufficient detail for an appropriate period of time. Routine log analysis is beneficial for identifying security incidents, policy violations, fraudulent activity, and operational problems. Logs are also useful when performing auditing and forensic analysis, supporting internal investigations, establishing baselines, and identifying operational trends and long-term problems.System Administrator
Fix: F-49128r1_fix
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console.
In the console window, under Task, with the assistance of the System Administrator, identify the weekly on-demand client scan task.
Right-click the Task and select Properties.
Under the Reports tab, locate the "Log file" label. Select the "Enable activity logging and accept the default location for the log file or specify a new location" option.
Click OK to Save.
b
McAfee VirusScan On-Demand scan log file size must be restricted, but be configured to at least 10MB.
While logging is imperative to forensic analysis, logs could grow to the point of impacting disk space on the system. In order to avoid the risk of logs growing to the size of impacting the operating system, the log size will be restricted, but must also be large enough to retain forensic value.
.System Administrator
Fix: F-49129r1_fix
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console.
In the console window, under Task, with the assistance of the System Administrator, identify the weekly on-demand client scan task.
Right-click the Task and select Properties.
Under the Reports tab, locate the "Log file" label.
Select the "Limit the size of log file" option.
Under "Maximum log file size:", choose a value of at least 10MB.
Click OK to Save.
b
McAfee VirusScan On-Demand scan must be configured to log any failure to scan encrypted files.
Log management is essential to ensuring that computer security records are stored in sufficient detail for an appropriate period of time. Routine log analysis is beneficial for identifying security incidents, policy violations, fraudulent activity, and operational problems. Logs are also useful when performing auditing and forensic analysis, supporting internal investigations, establishing baselines, and identifying operational trends and long-term problems.System Administrator
Fix: F-49130r1_fix
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console.
In the console window, under Task, with the assistance of the System Administrator, identify the weekly on-demand client scan task.
Right-click the Task and select Properties.
Under the Reports tab, locate the "What to log in addition to scanning activity:" label. Select the "Failure to scan encrypted files" option.
Click OK to Save
b
McAfee VirusScan On-Demand scan must be scheduled to be executed at least on a weekly basis.
Antivirus software is the mostly commonly used technical control for malware threat mitigation. Antivirus software on hosts should be configured to scan all hard drives regularly to identify any file system infections and to scan any removable media, if applicable, before media is inserted into the system. Not scheduling a regular scan of the hard drives of a system and/or not configuring the scan to scan all files and running processes, introduces a higher risk of threats going undetected.System Administrator
Fix: F-49131r1_fix
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console.
In the console window, under Task, with the assistance of the System Administrator, identify the weekly on-demand client scan task.
Right-click the Task and select Properties.
Click on the Schedule button.
Under the Task tab, select "Enabled".
Under the Schedule tab, find the "Run Task: " label and set to at least "Weekly".
Click OK to Save.
b
McAfee VirusScan On-Access Scanner General Settings must be configured to enable scanning of scripts.
Interpreted viruses are executed by an application. Within this subcategory, macro viruses take advantage of the capabilities of applications' macro programming language to infect application documents and document templates, while scripting viruses infect scripts that are understood by scripting languages processed by services on the OS. Many attackers use toolkits containing several different types of utilities and script that can be used to probe and attack hosts. (NIST SP 800-83) The scanning of scripts is crucial in preventing these attacks.System AdministratorInformation Assurance Officer
Fix: F-49132r1_fix
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console.
On the menu bar, click Task->On-Access Scanner Properties.
Select the General Settings.
Under the ScriptScan tab, locate the "ScriptScan:" label. Select the "Enable scanning of scripts" option.
Click OK to Save.
b
McAfee VirusScan On-Access Scanner General Settings must be configured to block the connection when a threatened file is detected in a shared folder.
Containment during a virus outbreak is crucial. Infected hosts may attempt to spread malware and will use every network path available to them when spreading that infection. By containing the system when a detection is found, the malware will be restricted to that one system. Likewise, if malware is detected in a shared folder, maintaining the connection between a system and the shared folder would allow the malware to spread. Placing temporary restrictions on network connectivity is an effective mitigation mechanism.
These block connection settings will most often be used on a server housing shared folders and files, and will block the connection from any network user on a remote computer who attempts to read from, or write to, a threatened file in the shared folder. In addition, it will block the connection from any user on a remote computer who attempts to write an unwanted program to the computer. The connection will be unblocked after the specified amount of time, re-allowing access to the other shared files and folders, but will be re-blocked should those same file accesses be attempted.System AdministratorInformation Assurance Officer
Fix: F-49133r1_fix
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console.
On the menu bar, click Task->On-Access Scanner Properties.
Select the General Settings.
Under the Blocking tab, locate the "Block" label. Select the "Block the connection when a threat is detected in a shared folder" option.
Click OK to Save.
b
McAfee VirusScan On-Access Scanner General Settings must be configured to unblock connections after a minimum of 30 minutes.
Containment during a virus outbreak is crucial. Infected hosts may attempt to spread malware and will use every network path available to them when spreading that infection. By containing the system when a detection is found, the malware will be restricted to that one system. Likewise, if malware is detected in a shared folder, maintaining the connection between a system and the shared folder would allow the malware to spread. Placing temporary restrictions on network connectivity is an effective mitigation mechanism.
These block connection settings will most often be used on a server housing shared folders and files, and will block the connection from any network user on a remote computer who attempts to read from, or write to, a threatened file in the shared folder. In addition, it will block the connection from any user on a remote computer who attempts to write an unwanted program to the computer. The connection will be unblocked after the specified amount of time, re-allowing access to the other shared files and folders, but will be re-blocked should those same file accesses be attempted.System AdministratorInformation Assurance Officer
Fix: F-49134r1_fix
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console.
On the menu bar, click Task->On-Access Scanner Properties.
Select the General Settings.
Under the Blocking tab, locate the "Block" label. Enter a value in "Unblock connections after (minutes)" where x is set to no less than 30 minutes.
Click OK to Save.
b
McAfee VirusScan On-Access Scanner General Settings must be configured to block the connection when a file with a potentially unwanted program is detected in a shared folder.
Containment during a virus outbreak is crucial. Infected hosts may attempt to spread malware and will use every network path available to them when spreading that infection. By containing the system when a detection is found, the malware will be restricted to that one system. Likewise, if malware is detected in a shared folder, maintaining the connection between a system and the shared folder would allow the malware to spread. Placing temporary restrictions on network connectivity is an effective mitigation mechanism.
These block connection settings will most often be used on a server housing shared folders and files, and will block the connection from any network user on a remote computer who attempts to read from, or write to, a threatened file in the shared folder. In addition, it will block the connection from any user on a remote computer who attempts to write an unwanted program to the computer. The connection will be unblocked after the specified amount of time, re-allowing access to the other shared files and folders, but will be re-blocked should those same file accesses be attempted.System AdministratorInformation Assurance Officer
Fix: F-49135r1_fix
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console.
On the menu bar, click Task->On-Access Scanner Properties.
Select the General Settings.
Under the Blocking tab, locate the "Block" label. Select the "Block the connection when a file with a potentially unwanted program is detected in a shared folder" option.
Click OK to Save.
b
McAfee VirusScan On-Access Scanner All Processes settings must be configured to use only one scanning policy for all processes, unless the use of Low-Risk Processes/High-Risk Processes has been documented with, and approved by, the IAO/IAM.
Organizations should use centrally managed antivirus software that is controlled and monitored regularly by antivirus administrators, who are also typically responsible for acquiring, testing, approving, and delivering antivirus signatures and software updates through the organizations. (FISMA SP 800-83) Some processes are known to be higher risk, while others are low risk. By restricting policy configuration to the Default Processes policy, all processes will be interpreted equally when applying the policy settings and will provide the highest level of protection. Best practice dictates configuring Low Risk and/or High Risk policies only when it is necessary to improve system performance, and will focus the scanning where it is most likely to detect malware. There is risk associated with configuring the Low Risk and/or High Risk policies for the purpose of specifically excluding processes from scanning, and should only be done after evaluating other policy settings and determining risk.System AdministratorInformation Assurance Officer
Fix: F-49136r1_fix
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console.
On the menu bar, click Task->On-Access Scanner Properties.
Select All Processes.
Under the Processes tab, select the "Configure one scanning policy for all processes" option.
Click OK to Save.
b
McAfee VirusScan On-Access Scanner All Processes settings must be configured to scan when writing to disk.
Antivirus software is the most commonly used technical control for malware threat mitigation. Real-time scanning of files as they are written to disk is a crucial first line of defense from malware attacks.System AdministratorInformation Assurance Officer
Fix: F-49137r1_fix
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console.
On the menu bar, click Task->On-Access Scanner Properties.
Select All Processes.
Under the Scan Items tab, locate the "Scan files:" label. Select the "When writing to disk" option.
Click OK to Save.
b
McAfee VirusScan On-Access Scanner All Processes settings must be configured to scan when reading from disk.
Antivirus software is the most commonly used technical control for malware threat mitigation. Real-time scanning of files as they are read from disk is a crucial first line of defense from malware attacks.System AdministratorInformation Assurance Officer
Fix: F-49138r1_fix
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console.
On the menu bar, click Task->On-Access Scanner Properties.
Select All Processes.
Under the Scan Items tab, locate the "Scan files:" label. Select the "When reading from disk" option.
Click OK to Save.
b
McAfee VirusScan On-Access Scanner All Processes settings must be configured to scan all files.
When scanning for malware, excluding specific file types will increase the risk of a malware-infected file going undetected. By configuring antivirus software to scan all file types, the scanner has a higher success rate at detecting and eradicating malware.System AdministratorInformation Assurance Officer
Fix: F-49139r1_fix
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console.
On the menu bar, click Task->On-Access Scanner Properties.
Select All Processes.
Under the Scan Items tab, locate the "What to scan:" label. Select the "All Files" radio button option.
Click OK to Save.
b
McAfee VirusScan On-Access Scanner All Processes settings must be configured to find unknown unwanted programs and trojans.
Due to the ability of malware to mutate after infection, standard antivirus signatures may not be able to catch new strains or variants of the malware. Typically, these strains and variants will share unique characteristics with others in their virus family. By using a generic signature to detect the shared characteristics, using wildcards where differences lie, the generic signature can detect viruses even if they are padded with extra, meaningless code. This method of detection is Heuristic detection.System AdministratorInformation Assurance Officer
Fix: F-49140r1_fix
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console.
On the menu bar, click Task->On-Access Scanner Properties.
Select All Processes.
Under the Scan Items tab, locate the "Heuristics:" label. Select the "Find unknown unwanted programs and trojans" option.
Click OK to Save.
b
McAfee VirusScan On-Access Scanner All Processes settings must be configured to find unknown macro viruses.
Due to the ability of malware to mutate after infection, standard antivirus signatures may not be able to catch new strains or variants of the malware. Typically, these strains and variants will share unique characteristics with others in their virus family. By using a generic signature to detect the shared characteristics, using wildcards where differences lie, the generic signature can detect viruses even if they are padded with extra, meaningless code. This method of detection is Heuristic detection.System AdministratorInformation Assurance Officer
Fix: F-49141r1_fix
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console.
Under the Scan Items tab, locate the "Heuristics:" label. Select the "Find unknown macro threats" option.
Click OK to Save.
b
McAfee VirusScan On-Access Scanner All Processes settings must be configured to scan inside archive files.
Malware is often packaged within an archive. In addition, archives might have other archives within. Not scanning archive files introduces the risk of infected files being introduced into the environment.Information Assurance Officer
Fix: F-49142r1_fix
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console.
On the menu bar, click Task->On-Access Scanner Properties.
Select All Processes.
Under the Scan Items tab, locate the "Compressed files:" label. Select the "Scan inside archives (e.g., .ZIP)" option.
Click OK to Save.
b
McAfee VirusScan On-Access Scanner All Processes settings actions, When a threat is found must be configured to clean files automatically as first action.
Malware may have infected a file that is necessary to the user. By configuring the antivirus software to first attempt cleaning the infected file, availability to the file is not sacrificed. If a cleaning attempt is not successful, however, deleting the file is the only safe option to ensure the malware is not introduced onto the system or network.System AdministratorInformation Assurance Officer
Fix: F-49143r1_fix
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console.
On the menu bar, click Task->On-Access Scanner Properties.
Select All Processes.
Under the Actions tab, locate the "When a threat is found:" label. For the "Perform this action first:" pull down menu, select "Clean files automatically".
Click OK to Save.
b
McAfee VirusScan On-Access Scanner All Processes settings actions, When a threat is found must be configured to delete files automatically if first action fails.
Malware may have infected a file that is necessary to the user. By configuring the antivirus software to first attempt cleaning the infected file, availability to the file is not sacrificed. If a cleaning attempt is not successful, however, deleting the file is the only safe option to ensure the malware is not introduced onto the system or network.
System AdministratorInformation Assurance Officer
Fix: F-49144r1_fix
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console.
On the menu bar, click Task->On-Access Scanner Properties.
Select All Processes.
Under the Actions tab, locate the "When a threat is found:" label. From the "If the first action fails, then perform this action:" pull down menu, select "Delete files automatically".
Click OK to Save.
b
McAfee VirusScan On Delivery Email Scanner Properties must be configured to clean attachments as the first action for When an unwanted program is found.
Email has become one of the most frequently used methods of spreading malware, through embedded HTML code and attachments. User awareness and training, warning users to not open suspicious emails or email attachments and not clicking on hyperlinks, etc., from unknown or known senders, will not fully protect from email-borne malware. Mass mailing worms are similar to an email-borne virus but is self-contained rather than infecting an existing file. Protecting from email-borne viruses and mass mailing worms by scanning email upon delivery mitigates the risk of infection via email.System AdministratorInformation Assurance Officer
Fix: F-49211r4_fix
Access the local VirusScan console by clicking Start >> All Programs >> McAfee >> VirusScan Console.
Under the Task column, select the On-Delivery Email Scanner Option, right-click, and select Properties.
Under the Actions tab, locate the "When an unwanted attachment is found:" label. From the "Perform this action first:" pull down menu, select "Clean attachments".
Click OK to Save.
b
McAfee VirusScan On-Demand scan must be configured to detect for unwanted programs.
Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infections capability on their own, they rely on malware or other attach mechanisms to be installed onto target hosts, after which they will collect and transfer data from the host to an external host and/or will be used as attach mechanisms. Configuring the antivirus software to attempt to clean the file first will allow for the possibility of a false positive. In most cases, however, the secondary action of delete will be used, mitigating the risk of the PUPs being installed and used maliciously.System AdministratorInformation Assurance Officer
Fix: F-49127r1_fix
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console.
In the console window, under Task, with the assistance of the System Administrator, identify the weekly on-demand client scan task.
Right-click the Task and select Properties.
Under the Scan Items tab, locate the "Options:" label. Select the "Detect unwanted programs" option.
Click OK to Save.
b
McAfee VirusScan Unwanted Programs Policy must be configured to detect spyware.
Spyware is software that aids in gathering information about a person or organization without their knowledge, and that may send such information to another entity without the consumer's consent, or that asserts control over a computer without the user's knowledge. Spyware may try to deceive users by bundling itself with desirable software. A spyware infestation can create significant unwanted CPU activity, disk usage, and network traffic. Some types of spyware disable software firewalls and antivirus software. Detecting, blocking, and eradicating malicious spyware or preventing it from being installed will alleviate the negative side effects of the spyware.System AdministratorInformation Assurance Officer
Fix: F-49150r1_fix
Access the local VirusScan console by clicking on Start->All Programs->McAfee->VirusScan Console.
Under the Task column, find the Unwanted Programs Policy, right-click, and choose Properties.
In the Scan Items tab, select the Spyware option.
Click OK to save.
b
McAfee VirusScan Unwanted Programs Policy must be configured to detect adware.
Adware, like spyware, is, at best, an annoyance by presenting unwanted advertisements to the user of a computer, sometimes in the form of a popup. At worst, it redirects the user to malicious websites. Detecting and blocking will mitigate the likelihood of users being tricked into visiting sites with malicious content.System AdministratorInformation Assurance Officer
Fix: F-49151r1_fix
Access the local VirusScan console by clicking on Start->All Programs->McAfee->VirusScan Console.
Under the Task column, find the Unwanted Programs Policy, right-click, and choose Properties.
In the Scan Items tab, select the Adware option.
Click OK to Save.
c
The antivirus signature file age must not exceed 7 days.
Antivirus signature files are updated almost daily by antivirus software vendors. These files are made available to antivirus clients as they are published. Keeping virus signature files as current as possible is vital to the security of any system.
System Administrator
Fix: F-49199r1_fix
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console.
Under the Task column, select the AutoUpdate option, right-click, and select "Start".
b
McAfee VirusScan On-Access Scanner General Settings Artemis Heuristic network check for suspicious files must be enabled and set to sensitivity level Medium or higher.
Antivirus software vendors use collective intelligence from sensors and cross-vector intelligence from web, email, and network threats to compile scores that reflect the likelihood of whether a file in question is malware. The collective intelligence is constantly being updated, more frequently than the typical daily antivirus signature files. With File Reputation lookup, a more real-time response to potential malicious code is realized than with the local-running antivirus software, since by querying the cloud-based database when a file appears to be suspicious, up-to-the-minute intelligence is provided. This type of protection reduces the threat protection time period from days to milliseconds, increases malware detection rates, and reduces downtime and remediation costs associated with malware attacks. Using File Reputation lookup is mandated by US CYBERCOM on DoD systems.System Administrator
Fix: F-49213r1_fix
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console.
On the menu bar, click Task->On-Access Scanner Properties.
Select the General Settings.
Under the General tab, locate the "Artemis (Heuristic network check for suspicious files):" label. Select the "Medium" option.
Click OK to Save.
b
McAfee VirusScan On Delivery Email Scanner Properties, when a threat is found, must be configured to delete attachments if the first action fails.
Email has become one of the most frequently used methods of spreading malware, through embedded HTML code and attachments. User awareness and training, warning users to not open suspicious emails or email attachments and not clicking on hyperlinks, etc. from unknown or known senders, will not fully protect from email-borne malware. Mass mailing worms are similar to an email-borne virus but is self-contained rather than infecting an existing file. Protecting from email-borne viruses and mass mailing worms by scanning email upon delivery mitigates the risk of infection via email.
Fix: F-48082r3_fix
Access the local VirusScan console by clicking Start >> All Programs >> McAfee >> VirusScan Console.
Under the Task column, select the On-Delivery Email Scanner Option, right-click, and select Properties.
Under the Actions tab, locate the "When a threat is found:" label. From the "If the first action fails, then perform this action:" pull down menu, select "Delete attachments".
Click OK to Save.
b
McAfee VirusScan On Delivery Email Scanner Properties must be configured to delete attachments if the first action fails for when an unwanted attachment is found.
Email has become one of the most frequently used methods of spreading malware, through embedded HTML code and attachments. User awareness and training, warning users to not open suspicious emails or email attachments and not clicking on hyperlinks, etc. from unknown or known senders, will not fully protect from email-borne malware. Mass mailing worms are similar to an email-borne virus but is self-contained rather than infecting an existing file. Protecting from email-borne viruses and mass mailing worms by scanning email upon delivery mitigates the risk of infection via email.
Fix: F-48084r8_fix
Access the local VirusScan console by clicking Start >> All Programs >> McAfee >> VirusScan Console.
Under the Task column, select the On-Delivery Email Scanner Option, right-click, and select Properties.
Under the Actions tab, locate the "When an unwanted attachment is found:" label. From the "If the first action fails, then perform this action:" pull down menu, select "Delete attachments".
Click OK to Save.
c
McAfee VirusScan Access Protection Rules must be configured to prevent McAfee services from being stopped.
When the "Prevent McAfee services from being stopped" check box is selected under Access Protection, VSE will prevent anyone except the System account from terminating McAfee services. This protects VirusScan from being disabled by malicious programs that seek to circumvent virus protection programs by terminating their services.
Fix: F-48131r3_fix
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console.
Under the Task column, select Access Protection, right-click, and select Properties.
Under the Access Protection tab, select the "Prevent McAfee services from being stopped" option.
Click OK to save.
b
McAfee VirusScan Access Protection Reports settings must be configured to record scanning activity in a log file.
Log management is essential to ensuring computer security records are stored in sufficient detail for an appropriate period of time. Routine log analysis is beneficial for identifying security incidents, policy violations, fraudulent activity, and operational problems. Logs are also useful when performing auditing and forensic analysis, supporting internal investigations, establishing baselines, and identifying operational trends and long-term problems.
Fix: F-48132r2_fix
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console.
Under the Task column, select Access Protection, right-click, and select Properties.
Under the Reports tab, locate the "Log file" label. Select the "Enable activity logging and accept the default location for the log file or specify a new location" option.
Click OK to save.
b
McAfee VirusScan Access Protection Reports log file size must be restricted and be configured to at least 10MB.
While logging is imperative to forensic analysis, logs could grow to the point of impacting disk space on the system. In order to avoid the risk of logs growing to the size of impacting the operating system, the log size will be restricted, but must also be large enough to retain forensic value.
Fix: F-48133r2_fix
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console.
Under the Task column, select Access Protection, right-click, and select Properties.
Under the Reports tab, locate the "Log File" label. Select the "Limit the size of log file" option. For the "Maximum log file size:", select a value of 10MB or more.
Click OK to save.
b
McAfee VirusScan On-Access Scanner General Settings must be configured to not exclude any script processes from being scanned unless the process exclusions have been documented with, and approved by, the ISSO/ISSM/DAA.
Many attackers use toolkits containing several different types of utilities and scripts that can be used to probe and attack hosts. All scripts should be scanned and none should be excluded from scanning.
Fix: F-48145r3_fix
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console.
On the menu bar, click Task->On-Access Scanner Properties.
Select the General Settings.
Under the ScriptScan tab, locate the "ScriptScan process exclusions" label. Remove any exclusions listed in the Process field.
b
McAfee VirusScan On-Access Scanner All Processes settings must be configured to not exclude any files from being scanned unless exclusions have been documented with, but also be approved by the ISSO/ISSM/AO.
When scanning for malware, excluding specific files will increase the risk of a malware-infected file going undetected. By configuring antivirus software without any exclusions, the scanner has a higher success rate at detecting and eradicating malware.
Fix: F-48146r2_fix
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console.
On the menu bar, click Task->On-Access Scanner Properties.
Select All Processes.
Under the Exclusions tab, locate the "What not to scan:" label. Remove any exclusions listed.
b
McAfee VirusScan On-Demand scan actions, When an unwanted program is found must be configured to clean files automatically as first action.
Malware may have infected a file that is necessary to the user. By configuring the antivirus software to first attempt cleaning the infected file, availability to the file is not sacrificed. If a cleaning attempt is not successful, however, deleting the file is the only safe option to ensure the malware is not introduced onto the system or network.
Fix: F-48148r2_fix
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console.
In the console window, under Task, with the assistance of the System Administrator, identify the weekly on-demand client scan task.
Right-click the Task and select Properties.
Under the Actions tab, locate the "When an unwanted program is found:" label. For the "Perform this action first:" pull down menu, select "Clean".
Click OK to Save.
b
McAfee VirusScan On-Demand scan actions, When an unwanted program is found must be configured to delete files automatically if first action fails.
Malware may have infected a file that is necessary to the user. By configuring the antivirus software to first attempt cleaning the infected file, availability to the file is not sacrificed. If a cleaning attempt is not successful, however, deleting the file is the only safe option to ensure the malware is not introduced onto the system or network.
Fix: F-48149r3_fix
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console.
In the console window, under Task, with the assistance of the System Administrator, identify the weekly on-demand client scan task.
Right-click the Task and select Properties.
Under the Actions tab, locate the "When an unwanted program is found:" label. From the "If the first action fails, then perform this action:" pull down menu, select "Delete".
Click OK to Save.
b
McAfee VirusScan On-Delivery Email Scanner Artemis sensitivity level must be configured to Medium or higher.
Antivirus software vendors use collective intelligence from sensors and cross-vector intelligence from web, email, and network threats to compile scores that reflect the likelihood of whether a file in question is malware. The collective intelligence is constantly being updated, more frequently than the typical daily antivirus signature files. With File Reputation lookup, a more real-time response to potential malicious code is realized than with the local-running antivirus software, since by querying the cloud-based database when a file appears to be suspicious, up-to-the-minute intelligence is provided. This type of protection reduces the threat protection time period from days to milliseconds, increases malware detection rates, and reduces downtime and remediation costs associated with malware attacks. Using File Reputation lookup is mandated by US CYBERCOM on DoD systems.
Fix: F-48151r3_fix
Access the local VirusScan console by clicking Start >> All Programs >> McAfee >> VirusScan Console.
Under the Task column, select the On-Delivery Email Scanner Option, right-click, and select Properties.
Under the Scan Items tab, locate the "Artemis (Heuristic network check for suspicious files):" label. Select the "Medium" option.
Click OK to Save.
b
McAfee VirusScan On-Delivery Email Scanner must be configured to log session summary and failure to scan encrypted files.
Log management is essential to ensuring that computer security records are stored in sufficient detail for an appropriate period of time. Routine log analysis is beneficial for identifying security incidents, policy violations, fraudulent activity, and operational problems. Logs are also useful when performing auditing and forensic analysis, supporting internal investigations, establishing baselines, and identifying operational trends and long-term problems.
Fix: F-48153r4_fix
Access the local VirusScan console by clicking Start >> All Programs >> McAfee >> VirusScan Console.
Under the “Task” column, select the “On-Delivery Email Scanner” Option, right-click, and select “Properties”.
Under the “Reports” tab, locate the "What to log in addition to scanning activity:" label.
Select the "Session summary" and "Failure to scan encrypted files" options.
Click “OK” to save.
b
McAfee VirusScan On-Access Scanner All Processes settings must be configured to not exclude any script URLs from being scanned unless the URL exclusions have been documented with, and approved by the ISSO/ISSM/DAA.
Many attackers use toolkits containing several different types of utilities and scripts that can be used to probe and attack hosts. All scripts should be scanned and none should be excluded from scanning.
Fix: F-48154r2_fix
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console.
On the menu bar, click Task->On-Access Scanner Properties.
Select the General Settings.
Under the ScriptScan tab, locate the "ScriptScan exclusions" label. Ensure there are no exclusions listed in the URL field.
b
McAfee VirusScan Access Protection Properties must be configured to enable access protection.
Access Protection prevents unwanted changes to a computer by restricting access to specified ports, files and folders, shares, and registry keys and values. It prevents users from stopping McAfee processes and services, which are critical before and during outbreaks. Access Protection for VSE uses predefined and user-defined rules to strengthen systems against virus attacks. For instance, rules are used to specify which items can and cannot be accessed. Each rule can be configured to block and/or report access violations when they occur, and rules can also be disabled.
Fix: F-48155r2_fix
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console.
Under the Task column, select Access Protection, right-click, and select Properties.
Under the Access Protection tab, select the "Enable Access Protection" option.
Click OK to save.
b
McAfee VirusScan On-Access Scanner All Processes settings must be configured to detect unwanted programs.
Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infections capability on their own, they rely on malware or other attach mechanisms to be installed onto target hosts, after which they will collect and transfer data from the host to an external host and/or will be used as attach mechanisms. Configuring the antivirus software to attempt to clean the file first will allow for the possibility of a false positive. In most cases, however, the secondary action of delete will be used, mitigating the risk of the PUPs being installed and used maliciously.
Fix: F-48156r3_fix
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console.
On the menu bar, click Task->On-Access Scanner Properties.
Select All Processes.
Under the Scan Items tab, locate the "Unwanted programs detection:" label.
Place a check in the "Detect unwanted programs" checkbox.
Click OK.
b
McAfee VirusScan On-Access Scanner All Processes settings actions, When an unwanted program is found must be configured to clean files automatically as first action.
Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infections capability on their own, they rely on malware or other attach mechanisms to be installed onto target hosts, after which they will collect and transfer data from the host to an external host and/or will be used as attach mechanisms. Configuring the antivirus software to attempt to clean the file first will allow for the possibility of a false positive. In most cases, however, the secondary action of delete will be used, mitigating the risk of the PUPs being installed and used maliciously.
Fix: F-48157r3_fix
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console.
On the menu bar, click Task->On-Access Scanner Properties.
Select All Processes.
Under the Actions tab, locate the "When an unwanted program is found:" label. From the "Perform this action first:" pull down menu, select "Clean files automatically".
Click OK to Save.
b
McAfee VirusScan On-Access Scanner All Processes settings actions, When an unwanted program is found must be configured to delete files automatically if first action fails.
Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infections capability on their own, they rely on malware or other attach mechanisms to be installed onto target hosts, after which they will collect and transfer data from the host to an external host and/or will be used as attach mechanisms. Configuring the antivirus software to attempt to clean the file first will allow for the possibility of a false positive. In most cases, however, the secondary action of delete will be used, mitigating the risk of the PUPs being installed and used maliciously.
Fix: F-48158r2_fix
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console.
On the menu bar, click Task->On-Access Scanner Properties.
Select All Processes.
Under the Actions tab, locate the "When an unwanted program is found:" label. From the "If the first action fails, then perform this action:" pull down menu, select "Delete files automatically".
Click OK to Save.