Procedure: Examine the machine to determine if an antispyware program is installed. If it is installed, ensure that it is configured for both on-access and on-demand detection. Criteria: If a program is installed and configured for on-access and on-demand detection, this is not a finding. If no program is installed, or it is not configured for both on-access and on-demand detection, this is a finding. Please Note: Antispyware products are available on the JTF-GNO website for download, such as McAfee Antispyware Enterprise 8.5 and Symantec Antivirus Corporate Edition 10.1 and 10.2 (Vista).
Install an antispyware program and configure it for on-access and on-demand detection. Please Note: Products are available on the JTF-GNO website for download, such as McAfee Antispyware Enterprise 8.5 and Symantec Antivirus Corporate Edition 10.1 and 10.2 (Vista).
Procedure: Note the version release level of the antispyware software. This can normally be accomplished by opening the console and clicking on Help, then About. Criteria: Validate with the vendor’s website that this version of the product is on the supported products list. If it is on the list, this is not a finding. If it is not on the list, this is a finding.
Upgrade to a supported version of the product.
Procedure: Note the version release level of the antispyware software. This can normally be accomplished by opening the console and clicking on Help, then About. Criteria: Determine from the vendor’s website whether the vendor has announced a non-support date for the software. If the vendor has announced a non-support date, ask the IOA for a copy of the migration plan. If a plan exists, this is not a finding; if no plan exists, this is a finding. If the product has not been announced as going non-support, this check is Not Applicable.
Create a migration plan for updating to a supported version of the product prior to its becoming non-supported.
Procedure: Note the version release level of the antispyware software. This can normally be accomplished by opening the console and clicking on Help, then About. Criteria: Validate with the vendor’s website that the installed version includes the latest maintenance rollup or software update released for it. If it does, this is not a finding. If a newer rollup or update is available and has not been applied, this is a finding.
Apply the latest maintenance rollup or software update for this version.
Procedure: Determine the configuration parameter that controls where updates are downloaded from. Criteria: If this parameter is configured to pull from a trusted site such as the JTF-GNO, the DoD download server, or the vendor site, this is not a finding. If it is configured to pull from any other source, this is a finding.
Configure the product to download updates from a trusted site such as the JTF-GNO, the DoD download server, or the vendor site.
Procedure: Determine the parameter that controls whether signature updates are automatic and the frequency of the automatic updates. (Depending upon the product, this may be one parameter or multiple parameters.) Criteria: If the parameter is set to manual updates, this is a finding. If the parameter is set to automatic updates but the interval is longer than one week, this is a finding. If the parameter is set to automatic updates and the interval is weekly or shorter (daily is recommended), this is not a finding.
Configure the product to perform automatic updates at an interval of weekly or shorter (daily is recommended).
Procedure: Determine the date of the signature files. Criteria: If they are 7 days old or less, this is not a finding. If they are older than 7 days, this is a finding. Note: If the newest signature files on the vendor or trusted site are also older than 7 days and carry the same date as the signature files on the machine (that is, no newer files exist to apply), this is not a finding.
Update the signature files to the most current available.
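The update-frequency and signature-age criteria above are the two checks on this list that an auditor can evaluate mechanically once the values have been read from the product console. The following is an added example, not part of the STIG text or any vendor tool, that encodes that decision logic: update mode and interval for the frequency check, and signature date against today's date, with the trusted-source caveat, for the age check. The field names, the sample values, and the handling of exactly 7 days (treated as compliant) and of a signature date in the future (treated as a finding) are assumptions of this example; real products expose these values under their own parameter names.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Longest signature age the checklist tolerates (7 days). Assumed here to
# be inclusive: exactly 7 days old still passes.
MAX_SIGNATURE_AGE = timedelta(days=7)


@dataclass
class CheckResult:
    finding: bool   # True means "this is a finding"
    reason: str


def check_update_frequency(mode: str, interval_days: Optional[int]) -> CheckResult:
    """Update-frequency check: updates must be automatic and at least weekly.

    mode is "manual" or "automatic" (assumed normalised names); interval_days
    is the configured period between automatic pulls, None when manual.
    """
    mode = mode.strip().lower()
    if mode == "manual":
        return CheckResult(True, "signature updates are manual")
    if mode != "automatic":
        # Unknown value: do not silently pass it, send the auditor back to the console.
        return CheckResult(True, f"unrecognised update mode {mode!r}; verify by hand")
    if interval_days is None or interval_days > MAX_SIGNATURE_AGE.days:
        return CheckResult(True, f"automatic updates every {interval_days} days is less often than weekly")
    if interval_days > 1:
        return CheckResult(False, f"automatic updates every {interval_days} days meet the weekly minimum; daily is recommended")
    return CheckResult(False, "automatic daily updates")


def check_signature_age(local_sig_date: date, today: date,
                        source_sig_date: Optional[date] = None) -> CheckResult:
    """Signature-date check with the trusted-source caveat.

    Signatures 7 days old or less pass. Older signatures are a finding unless
    the trusted source (vendor, JTF-GNO, DoD server) has nothing newer: its
    latest file carries the same date and is itself older than 7 days.
    """
    age = today - local_sig_date
    if age < timedelta(0):
        # Not covered by the checklist; assumed here to be a finding because a
        # future date points at a clock or file-integrity problem.
        return CheckResult(True, "signature date is in the future; verify clock and files by hand")
    if age <= MAX_SIGNATURE_AGE:
        return CheckResult(False, f"signatures are {age.days} days old")
    if (source_sig_date is not None
            and source_sig_date == local_sig_date
            and today - source_sig_date > MAX_SIGNATURE_AGE):
        return CheckResult(False, f"signatures are {age.days} days old but match the newest file the trusted source offers")
    return CheckResult(True, f"signatures are {age.days} days old (limit {MAX_SIGNATURE_AGE.days})")


if __name__ == "__main__":
    # Constructed sample values, as an auditor might transcribe them from the console.
    today = date(2024, 3, 15)
    for label, result in [
        ("update frequency (manual)", check_update_frequency("manual", None)),
        ("update frequency (auto, 14 d)", check_update_frequency("automatic", 14)),
        ("update frequency (auto, 1 d)", check_update_frequency("automatic", 1)),
        ("signature age (5 d)", check_signature_age(date(2024, 3, 10), today)),
        ("signature age (14 d, source newer)", check_signature_age(date(2024, 3, 1), today, date(2024, 3, 14))),
        ("signature age (14 d, source same)", check_signature_age(date(2024, 3, 1), today, date(2024, 3, 1))),
    ]:
        print(f"{label}: {'FINDING' if result.finding else 'not a finding'}: {result.reason}")
```

The source-date caveat only clears the finding when the trusted source's newest file has the same date as the local one; a source that is merely old but carries a different date still means newer signatures exist and were not applied.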
Procedure: Determine the date and version of the signature files. Criteria: Validate with the vendor’s website that this signature file is a production version. (Vendors normally have a special area for test/beta versions.) If the signature files are beta or non-production versions, this is a finding. If they are production versions, this is not a finding.
Remove any Beta or non-production versions of signature files and replace with valid current signature files on production systems.
Procedure: Determine the parameter that controls on-access antispyware protection. This is normally found as a high-level setting on the initial screen of the antispyware software. Criteria: Validate that on-access protection is configured to start automatically when the machine is booted. If it is configured to start at boot time, this is not a finding. If it is not, this is a finding.
Configure on-access protection to start automatically when the machine is booted.
Procedure: Check for a scheduled scan. Ensure all the local drives are included in the scan. Determine the frequency of the schedule. Normally, there is a scheduled scan section. Next, select the properties of each scan to see if there is at least one scan that meets the criteria listed below. Criteria: Ensure there is at least one scan that includes all the local drives and is scheduled at least weekly. If one exists, this is not a finding. If no scan exists that meets this criterion, this is a finding. NOTE: Scans at boot time (or daily) are recommended when this would not cause a significant impact to operations. This is highly recommended for machines that browse the web and are used as email clients regularly.
Create a scheduled scan which includes all the local drives and is performed at least weekly. NOTE: Scans at boot time (or daily) are recommended when this would not cause a significant impact to operations. This is highly recommended for machines that browse the web and are used as email clients regularly.
Procedure: Refer to the scheduled or boot scans found for DTSG010. Criteria: If no scans were found in DTSG010, this check (DTSG011) is also a finding. Validate that the scheduled (or boot) scan is configured to scan memory and all local drives. Also validate that in-depth (sometimes called deep) scanning is performed. If any of these is not covered by the scan identified in DTSG010, this is a finding.
Create a scheduled scan that scans memory and all local drives at least weekly. This scan also needs to perform in-depth or deep scanning.
Procedure: Locate the parameters that control the on-access scans. Criteria: If on-access scanning is not enabled (DTSG009 was a finding), this check (DTSG012) is also a finding. Locate the notification parameters configuration. Ensure that the parameters are configured to either notify the user or report to a central console. If either notification is configured, this is not a finding. If neither is configured, this is a finding. Enabling both types of notification is recommended.
Configure the on-access scan notification parameter to inform the user or send notification to a central monitoring console when malicious activity or spyware is found. Enabling both types of notification is recommended.
Procedure: Refer to the scheduled or boot scans found for DTSG010. Criteria: If no scans were found in DTSG010, this check (DTSG013) is also a finding. Locate the parameters for the scheduled (or boot) scan. Locate the notification parameters configuration. Ensure that the parameters are configured to either notify the user or report to a central console. If either notification is configured, this is not a finding. If neither is configured, this is a finding. Enabling both types of notification is recommended.
Configure the scheduled scan notification parameter to inform the user or send notification to a central monitoring console when malicious activity or spyware is found. Enabling both types of notification is recommended.
Procedure: Locate the parameters (or the execution point) for the on-demand scanner identified in DTSG001. Criteria: If the software is not capable of on-demand scanning, this is a finding. Locate the notification parameters configuration. Ensure that the parameters are configured to either notify the user or report to a central console. If either notification is configured, this is not a finding. If neither is configured, this is a finding. Enabling both types of notification is recommended.
Configure the on-demand scan notification parameter to inform the user or send notification to a central monitoring console when malicious activity or spyware is found. Enabling both types of notification is recommended.
Procedure: Determine the parameters that control log retention. (For centrally managed products, this setting may be held on the management server.) Criteria: Validate that log retention is set to at least 30 days. If the logs are not being retained, or the retention period is less than 30 days, this is a finding.
Configure the log retention to at least 30 days.
Procedure: Ask the SA about the procedures for log review. Criteria: Validate that the antispyware logs are being reviewed. If the logs are not being reviewed, this is a finding.
Create a procedure for reviewing the log data. Validate the logs are being reviewed.
Procedure: Ask for a copy of the incident response plan. Criteria: Ensure that antispyware is included in the incident response plan. If it is not, this is a finding.
Include antispyware in the incident response plan.