Desktop Application Antispyware General

  • Version/Release: V4R1
  • Released: 2009-12-03

AntiSpyware software is not installed or not configured for on access and on demand detection.
High - V-14678 - SV-15354r4_rule
Severity: High
Version: DTSG001
Vuln IDs: V-14678
Rule IDs: SV-15354r4_rule
This setting is required for the antispyware software. Without on-access and on-demand scan enabled, the virus scan is not scanning files as they are being accessed.
Responsibility: System Administrator
Checks: C-12821r2_chk

Procedure: Examine the machine to determine if an Antispyware program is installed. If it is installed, ensure that it is configured for on-access and on-demand detection. Criteria: If a program is installed and configured for on-access and on-demand detection, this is not a finding. Please Note: Antispyware products are available on JTF-GNO website for download, such as McAfee Antispyware Enterprise 8.5 and Symantec Antivirus Corporate Edition 10.1 and 10.2 (Vista).

Fix: F-14145r3_fix

Criteria: Install a program and configure it for on-access and on-demand detection. Please Note: Products are available on the JTF-GNO website for download, such as McAfee Antispyware Enterprise 8.5 and Symantec Antivirus Corporate Edition 10.1 and 10.2 (Vista).

The Antispyware software is not at a vendor supported level.
High - V-14679 - SV-15355r2_rule
Severity: High
Version: DTSG002
Vuln IDs: V-14679
Rule IDs: SV-15355r2_rule
This setting is required for the antispyware software. Installed software must be at a vendor supported level.
Responsibility: System Administrator
Checks: C-12822r1_chk

Procedure: Note the version release level of the antispyware software. This can normally be accomplished by opening the console and clicking on Help, then About. Criteria: Validate with the vendor’s website that this version of the product is on the supported products list. If it is on the list, this is not a finding.

Fix: F-14146r1_fix

Upgrade to a supported version of the product.

A migration plan does not exist for Antispyware software that is scheduled to go non-support by the vendor.
Medium - V-14680 - SV-15356r2_rule
Severity: Medium
Version: DTSG003
Vuln IDs: V-14680
Rule IDs: SV-15356r2_rule
This setting is required for the antispyware software. A migration plan must be in place for the antispyware that is planned for End-of-Life or the end of vendor support.
Responsibility: System Administrator
Checks: C-12823r1_chk

Procedure: Note the version release level of the antispyware software. This can normally be accomplished by opening the console and clicking on Help, then About. Criteria: Determine from the vendor’s web site, if the vendor has announced non-support dates for the software. If the vendor has announced a non-support date, ask the IOA for a copy of the migration plan. If a plan exists, this is not a finding. If the product has not been announced as going non-support, this finding is Not Applicable.

Fix: F-14147r1_fix

Create a migration plan for updating to a supported version of the product prior to its becoming non-supported.

The Antispyware software does not have the latest maintenance rollup or software update applied.
Medium - V-14682 - SV-15358r2_rule
Severity: Medium
Version: DTSG004
Vuln IDs: V-14682
Rule IDs: SV-15358r2_rule
This setting is required for the antispyware software. The software must be a supported vendor release and current with all maintenance patches and software updates.
Responsibility: System Administrator
Checks: C-12825r1_chk

Procedure: Note the version release level of the antispyware software. This can normally be accomplished by opening the console and clicking on Help, then About. Criteria: Validate with the vendor’s website that this version contains the latest maintenance rollup or software update. If it does, this is not a finding.

Fix: F-14149r1_fix

Apply the latest maintenance rollup or software update for this version.

The Antispyware software is not configured to download updates from a trusted source.
Medium - V-14684 - SV-15362r2_rule
Severity: Medium
Version: DTSG005
Vuln IDs: V-14684
Rule IDs: SV-15362r2_rule
This setting is required for the antispyware software. In addition to the vendor, the DoD provides multiple locations for the download of software updates and signature files. It is mandatory that the location from which software updates and signature files are received be a trusted source.
Responsibility: System Administrator
Checks: C-12828r1_chk

Procedure: Determine the configuration parameter that controls where the updates are downloaded from. Criteria: If this parameter is configured to pull from a trusted site such as the JTF-GNO, the DoD download server, or the vendor site, this is not a finding.

Fix: F-14151r1_fix

Configure the product to download updates from a trusted site such as the JTF-GNO, the DoD download server, or the vendor site.

The Antispyware definition/signature files are not automatically set to be updated at least weekly.
Medium - V-14700 - SV-15416r2_rule
Severity: Medium
Version: DTSG006
Vuln IDs: V-14700
Rule IDs: SV-15416r2_rule
This setting is required for the antispyware software. There must be a mechanism for the automatic update of antispyware signature files on at least a weekly basis. This mechanism must be enabled and configured.
Responsibility: System Administrator
Checks: C-12883r1_chk

Procedure: Determine the parameter that controls whether autoupdates of signatures are done and the frequency of automatic updates of signature files. (Depending upon the product this may be one parameter or multiple parameters.) Criteria: If the parameter is set to manual updates, this is a finding. If the parameter is set to automatic updates and the interval is longer than weekly, this is a finding. If the parameter is set to automatic and the frequency is set to weekly (or less – daily recommended), this is not a finding.

Fix: F-14165r1_fix

Configure the product to perform automatic updates and the frequency to weekly (or less – daily recommended).

The Antispyware signature files are older than 7 days.
High - V-14701 - SV-15417r2_rule
Severity: High
Version: DTSG007
Vuln IDs: V-14701
Rule IDs: SV-15417r2_rule
This setting is required for the antispyware software. Antispyware signature files are updated on a daily basis by antispyware software vendors. It is mandatory that the antispyware signature file on the system be no older than 7 days. Note: If the vendor or trusted site’s files are also older than 7 days and match the date of the signature files on the machine, this is not a finding.
Responsibility: System Administrator
Checks: C-12884r2_chk

Procedure: Determine the date of the signature files. Criteria: If they are less than 7 days old, this is not a finding. If they are older than 7 days, this is a finding. Note: If the vendor or trusted site’s files are also older than 7 days and match the date of the signature files on the machine, this is not a finding.

Fix: F-14166r1_fix

Update the signature files to the most current available.

Beta or non-production Antispyware definitions/signature files are being used on a production machine.
Medium - V-14702 - SV-15418r2_rule
Severity: Medium
Version: DTSG008
Vuln IDs: V-14702
Rule IDs: SV-15418r2_rule
This setting is required for the antispyware software. AntiSpyware signature or spyware definition files must be from a trusted source and in a production status. Beta or non-production files are prohibited.
Responsibility: System Administrator
Checks: C-12885r1_chk

Procedure: Determine the date and version of the signature files. Criteria: Validate with the vendor’s website that this signature file is a production version. (Vendors normally have a special area for test/beta versions.) If the signature files are beta or non-production versions, this is a finding.

Fix: F-14167r1_fix

Remove any Beta or non-production versions of signature files and replace with valid current signature files on production systems.

The Antispyware software does not start on-access protection automatically when the machine is booted.
High - V-14704 - SV-15422r2_rule
Severity: High
Version: DTSG009
Vuln IDs: V-14704
Rule IDs: SV-15422r2_rule
This setting is required for the antispyware software. Without on-access protection enabled at system boot, the antispyware software is not scanning files as they are being accessed.
Responsibility: System Administrator
Checks: C-12886r1_chk

Procedure: Determine the parameter that controls on-access antispyware protection. This is normally found as a high level setting on the initial screen of the Antispyware software. Criteria: Validate that the on-access protection is configured to start automatically when the machine is booted. If it is configured to start at boot time, this is not a finding.

Fix: F-14169r1_fix

Configure on-access protection to start automatically when the machine is booted.

The Antispyware software is not configured to perform a scan of local hard drives at least weekly.
Medium - V-14706 - SV-15426r2_rule
Severity: Medium
Version: DTSG010
Vuln IDs: V-14706
Rule IDs: SV-15426r2_rule
This setting is required for the antispyware software. A weekly antispyware scan of all local hard drives is required. This scan must be performed on at least a weekly basis if not more frequently.
Responsibility: System Administrator
Checks: C-12893r1_chk

Procedure: Check for a scheduled scan. Ensure all the local drives are included in the scan. Determine the frequency of the schedule. Normally, there is a scheduled scan section. Next, select the properties of each scan to see if there is at least one scan that meets the criteria listed below. Criteria: Ensure there is at least one scan that includes all the drives and is scheduled at least weekly. If one exists, this is not a finding. If no scan exists that meets this criterion, this is a finding. NOTE: Scans at boot time (or daily) are recommended when this would not cause a significant impact to operations. This is highly recommended for machines that browse the web and are used as email clients regularly.

Fix: F-14171r1_fix

Create a scheduled scan which includes all the local drives and is performed at least weekly. NOTE: Scans at boot time (or daily) are recommended when this would not cause a significant impact to operations. This is highly recommended for machines that browse the web and are used as email clients regularly.

The Antispyware scheduled scan is not configured to scan memory and drives (with an in-depth scan option).
Medium - V-14708 - SV-15428r2_rule
Severity: Medium
Version: DTSG011
Vuln IDs: V-14708
Rule IDs: SV-15428r2_rule
This setting is required for the antispyware software. A weekly scheduled antispyware scan is required to scan memory as well as all local hard drives. The in-depth scan option must be enabled.
Responsibility: System Administrator
Checks: C-12895r1_chk

Procedure: Refer to the scheduled or boot scans found for DTSG010. Criteria: If no scans were found in DTSG010, this (DTSG011) is also a finding. Validate that the scheduled (or boot) scan is configured to scan memory and all drives. Also validate that in-depth (sometimes called deep) scanning is performed. If any of these are not scanned as part of the scan from DTSG010, this is a finding.

Fix: F-14173r1_fix

Create a scheduled scan which is configured to scan memory and all drives at least weekly. This scan also needs to perform in-depth or deep scanning.

The Antispyware, when running in on access mode, is not configured to inform the user (or report to a central monitoring console) when malicious activity or spyware is found.
Medium - V-14709 - SV-15431r2_rule
Severity: Medium
Version: DTSG012
Vuln IDs: V-14709
Rule IDs: SV-15431r2_rule
This setting is required for the antispyware software. An automated reporting function is required to be enabled for the occurrence of any malicious activity or spyware. The SA or user is required to be informed via report, email, or report to a central monitoring system.
Responsibility: System Administrator
Checks: C-12898r1_chk

Procedure: Locate the parameters that control the on access scans. Criteria: If on access is not enabled (DTSG009 was a finding), this check (DTSG012) is also a finding. Locate the notification parameters configuration. Ensure that the parameters are configured to either notify the user or report to a central console. If either notification is configured, this is not a finding. Enabling both types of notification is recommended.

Fix: F-14174r2_fix

Configure the on-access scan notification parameter to inform the user or send notification to a central monitoring console when malicious activity or spyware is found. Enabling both types of notification is recommended.

The Antispyware, when running in a scheduled scan, is not configured to inform the user (or report to a central monitoring console) when malicious activity or spyware is found.
Medium - V-14710 - SV-15433r2_rule
Severity: Medium
Version: DTSG013
Vuln IDs: V-14710
Rule IDs: SV-15433r2_rule
This setting is required for the antispyware software. Whenever suspicious or malicious activity is found, the SA or user must be notified of such an occurrence. This notification can take the form of a report, email, or central monitoring console.
Responsibility: System Administrator
Checks: C-12899r1_chk

Procedure: Refer to the scheduled or boot scans found for DTSG010. Criteria: If no scans were found in DTSG010, this (DTSG013) is also a finding. Locate the parameters for the scheduled (or boot) scan. Locate the notification parameters configuration. Ensure that the parameters are configured to either notify the user or report to a central console. If either notification is configured, this is not a finding. Enabling both types of notification is recommended.

Fix: F-14177r1_fix

Configure the scheduled scan notification parameter to inform the user or send notification to a central monitoring console when malicious activity or spyware is found. Enabling both types of notification is recommended.

The Antispyware, when running in on-demand mode, is not configured to inform the user (or report to a central monitoring console) when malicious activity or spyware is found.
Medium - V-14711 - SV-15436r2_rule
Severity: Medium
Version: DTSG014
Vuln IDs: V-14711
Rule IDs: SV-15436r2_rule
This setting is required for the antispyware software. Whenever suspicious or malicious activity is found, the SA or user must be notified of such an occurrence. This notification can take the form of a report, email, or central monitoring console.
Responsibility: System Administrator
Checks: C-12901r1_chk

Procedure: Locate the parameters (or the execution point) for the on demand scanner (see DTSG001). Criteria: If the software is not capable of on demand scanning, this is a finding. Locate the notification parameters configuration. Ensure that the parameters are configured to either notify the user or report to a central console. If either notification is configured, this is not a finding. Enabling both types of notification is recommended.

Fix: F-14178r1_fix

Configure the on demand scan notification parameter to inform the user or send notification to a central monitoring console when malicious activity or spyware is found. Enabling both types of notification is recommended.

The Antispyware software is not configured to maintain logs for at least 30 days.
Low - V-14712 - SV-15438r3_rule
Severity: Low
Version: DTSG015
Vuln IDs: V-14712
Rule IDs: SV-15438r3_rule
This setting is required for the antispyware software. Log files for antispyware activity must be maintained for at least 30 days. These logs can be archived locally or on a central log file repository.
Responsibility: System Administrator
Checks: C-12903r1_chk

Procedure: Determine the parameters that control the log retention. (This action might possibly be performed on the server.) Criteria: Validate the log retention is set to at least 30 days. If the logs are not being maintained or the retention is less than 30 days, this is a finding.

Fix: F-14179r2_fix

Configure the log retention to at least 30 days.

The Antispyware software is not configured to maintain logs for at least 30 days.
Low - V-14713 - SV-15439r2_rule
Severity: Low
Version: DTSG016
Vuln IDs: V-14713
Rule IDs: SV-15439r2_rule
This setting is required for the antispyware software. Antispyware log files must be reviewed. There must exist a formal plan for log file review detailing the process.
Responsibility: System Administrator
Checks: C-12904r1_chk

Procedure: Ask the SA about the procedures for log review. Criteria: Validate that the logs are being reviewed. If the logs are not being reviewed, this is a finding.

Fix: F-14180r1_fix

Create a procedure for reviewing the log data. Validate the logs are being reviewed.

The Antispyware software is included in the incident response procedures both for the user and the site.
Low - V-14714 - SV-15440r2_rule
Severity: Low
Version: DTSG017
Vuln IDs: V-14714
Rule IDs: SV-15440r2_rule
This setting is required for the antispyware software. Every site must maintain an incident response plan. Antispyware, as an integral part of any organization's security practice, must be included in the site's incident response plan.
Responsibility: System Administrator
Checks: C-12905r1_chk

Procedure: Ask for a copy of the incident response plan. Criteria: Ensure that Antispyware is included in the incident response plan. If it is not, this is a finding.

Fix: F-14181r1_fix

Ensure that Antispyware is included in the incident response plan.