Access the server designated as the McAfee MOVE Offload Scan Server. In the taskbar, right-click the red McAfee Agent shield and select "About". Under "McAfee Agent", ensure the "Last agent-to-server communication:" is within the time period designated by the "Agent to Server Communication Interval". Ensure the "McAfee VirusScan Enterprise + AntiSpyware Enterprise" is listed as an installed product. Ensure the version number is 8.8.0 or higher. Alternatively, from the ePO server console System Tree, select the Systems tab, find and click on the asset representing the McAfee MOVE Offload Scan Server to open its properties. Under the "System Information" section, ensure the "Last communication" is within the time period designated by the "Agent-to-Server Communication Interval:" under the "McAfee Agent" section. Under the "System information" section, ensure "VirusScan Enterprise" is listed as an installed product. Ensure the "Product Version" for VirusScan Enterprise is listed as 8.8.0 or higher. If VirusScan Enterprise 8.8.0 or higher is not installed and/or the Last communication to the ePO server is not within the specified Agent-to-Server Communication interval, this is a finding.
Access the ePO server. From the System Tree, select the Systems tab, find and click on the asset representing the McAfee MOVE Offload Scan Server to open its properties. Click on Actions, Agent, Modify Tasks on a Single System. Click on Actions, then click New Task. Name the new task "Deploy McAfee VSE 8.8 to MOVE server". For the "Type:", select "Product Deployment" from the drop-down list and click Next. For the "Products and components:", select "VirusScan Enterprise 8.8.x" and ensure the "Action:" is "Install" and click Next. For the "Schedule status:", select "Enabled". Configure the schedule variable in accordance with local Change Control policy and click Next. On the "Summary" tab, click "Save", and then "Close". Back at the "System Details" screen, click on the "Wake Up Agents" button. In the "Wake Up McAfee Agent" screen, for the "Force policy update:" settings, place a check in the "Force complete policy and task update" check box. Click on OK.
Access the server designated as the McAfee MOVE Offload Scan Server. In the taskbar, right-click the red McAfee Agent shield and select "McAfee Agent Status Monitor". Click the "Check New Policies" button. In the McAfee Agent Monitor, review the Agent Subsystem status lines and ensure there is a status for "Agent started performing ASCI", followed by a sequence of status lines showing the "Agent is sending PROPS VERSION package to ePO server" and "Agent communication session closed". These status lines will confirm the system is making a successful connection to the ePO server. Click the "Enforce Policies" button. In the McAfee Agent Monitor, review the Management status lines and ensure one shows a status of "Enforcing Policies for MOVEOSS_2xxx" (where 2xxx represents the version level). This status line will confirm the system is enforcing policies for the McAfee MOVE AV Offload Scan Server. If either the system does not show "Agent started performing ASCI", followed by a sequence of status lines showing the "Agent is sending PROPS VERSION package to ePO server" and "Agent communication session closed", or does not show a Management status line of "Enforcing Policies for MOVEOSS_2xxx", this is a finding.
Access the ePO server. From the System Tree, select the Systems tab, find and click on the asset representing the McAfee MOVE Offload Scan Server to open its properties. If the asset representing the McAfee MOVE Offload Scan Server is not in the ePO server system tree, configure a task to deploy the McAfee Agent to the system designated as the McAfee MOVE Offload Scan Server. Once the system is communicating with the ePO server and is in the ePO server system tree, find and click on the asset representing the McAfee MOVE Offload Scan Server to open its properties. Click on Actions, Agent, Modify Tasks on a Single System. Click on the "New Task" button. Name the new task "Deploy McAfee MOVE to McAfee MOVE Offload Scan Server". For the "Type:", select "Product Deployment" from the drop-down list and click Next. For the "Products and components:", select "MOVE AV [Multi-Platform] Offload Scan Server" and ensure the "Action:" is "Install" and click Next. For the "Schedule status:", select "Enabled". Configure the schedule variable in accordance with local Change Control policy and click Next. On the "Summary" tab, click "Save", then "Close". Back at the "System Details" screen, click on the "Wake Up Agents" button. In the "Wake Up McAfee Agent" screen, for the "Force policy update:" settings, place a check in the "Force complete policy and task update" check box. Click on OK.
Access the server designated as the McAfee MOVE Offload Scan Server. Access Network properties. From listed Network adapters, right-click on the active adapter, select Properties. Highlight the "Internet Protocol Version 4 (TCP/IPv4)", click on the Properties button. On the General tab, ensure the "Use the following IP address:" is selected, the IP address:, Subnet mask:, and Default gateway: are all populated. If the IPv4 protocol has not been configured to use a static IP address, Subnet mask, and Default Gateway, this is a finding.
In accordance with local operational procedures, assign a static IP address to the server designated as the McAfee MOVE AV [Multi-Platform] Offload Scan Server.
From the ePO server console System Tree, select the Systems tab, find and click on the asset representing the McAfee MOVE Offload Scan Server to open its properties, select Actions, select Agent, and select Modify Policies on a Single System. From the product drop-down list, select MOVE AV [Multi-Platform] Offload Scan Server. Click on the MOVE AV [Multi-Platform] Offload Scan Server policy to open the properties. On the General tab, ensure the "Number of Log Files:" is set to 20 or more. If the "Number of Log Files:" is set to less than 20, this is a finding. On the system designated as the McAfee MOVE Offload Scan Server, access a cmd window, running as administrator. Navigate to the path to which the McAfee MOVE AV Server software has been installed (default is C:\Program Files (x86)\McAfee\MOVE AV Server). Execute the following command: mvadm config show <enter> From the displayed configuration, ensure the "LogFileNum" value is set to "20" or more. If the "LogFileNum" is set to less than "20", this is a finding.
From the ePO server console System Tree, select the Systems tab, find and click on the asset representing the McAfee MOVE Offload Scan Server to open its properties, select Actions, select Agent, and select Modify Policies on a Single System. From the product drop-down list, select MOVE AV [Multi-Platform] Offload Scan Server. Click on the MOVE AV [Multi-Platform] Offload Scan Server policy to open the properties. On the General tab, enter a value of "20" or more for the "Number of Log Files:". Click Save.
From the ePO server console System Tree, select the Systems tab, find and click on the asset representing the McAfee MOVE Offload Scan Server to open its properties, select Actions, select Agent, and select Modify Policies on a Single System. From the product drop-down list, select MOVE AV [Multi-Platform] Offload Scan Server 2.x.x. Click on the MOVE AV [Multi-Platform] Offload Scan Server policy to open the properties. On the General tab, ensure the "Log File Size:" is set to 10 or more. If the "Log file Size:" is not set to 10 or more, this is a finding. On the system designated as the McAfee MOVE Offload Scan Server, access a cmd window, running as administrator. Navigate to the path to which the McAfee MOVE AV Server software has been installed (default is C:\Program Files (x86)\McAfee\MOVE AV Server). Execute the following command: mvadm config show <enter> From the displayed configuration, ensure the "LogFileSize" value is set to 10 or more. If the "LogFileSize" is set to less than 10, this is a finding.
From the ePO server console System Tree, select the Systems tab, find and click on the asset representing the McAfee MOVE Offload Scan Server to open its properties, select Actions, select Agent, and select Modify Policies on a Single System. From the product drop-down list, select MOVE AV [Multi-Platform] Offload Scan Server 2.x.x. Click on the MOVE AV [Multi-Platform] Offload Scan Server policy to open the properties. On the General tab, set the "Log File Size:" to "10" or more. Click Save.
Note: If the regularly scheduled scan includes the scanning of archive files, this requirement can alternatively be left unconfigured and marked as Not Applicable. From the ePO server console System Tree, select the "Systems" tab, find and click on the asset representing the McAfee MOVE Offload Scan Server to open its properties, select "Actions", select "Agent", and select "Modify Policies on a Single System". From the product drop-down list, select "MOVE AV [Multi-Platform] Offload Scan Server 2.x.x". Click on the MOVE AV [Multi-Platform] Offload Scan Server policy to open the properties. On the "Scan Settings" tab, ensure the "Scan Archive Files:" has a check in the "Enable scanning inside of archive files" check box. If the "Enable scanning inside of archive files." check box is not selected, this is a finding. On the system designated as the McAfee MOVE Offload Scan Server, access a cmd window, running as administrator. Navigate to the path to which the McAfee MOVE AV Server software has been installed (default is C:\Program Files (x86)\McAfee\MOVE AV Server). Execute the following command: mvadm config show <enter> From the displayed configuration, ensure the "ScanArchiveFiles" value is set to "1". If the "ScanArchiveFiles" is set to "0", this is a finding.
From the ePO server console System Tree, select the Systems tab, find and click on the asset representing the McAfee MOVE Offload Scan Server to open its properties, select Actions, select Agent, and select Modify Policies on a Single System. From the product drop-down list, select MOVE AV [Multi-Platform] Offload Scan Server 2.x.x. Click on the MOVE AV [Multi-Platform] Offload Scan Server policy to open the properties. On the Scan Settings tab, place a check in the "Scan Archive Files: Enable scanning inside of archive files." check box. Click Save.
From the ePO server console System Tree, select the Systems tab, find and click on the asset representing the McAfee MOVE Offload Scan Server to open its properties, select Actions, select Agent, and select Modify Policies on a Single System. From the product drop-down list, select MOVE AV [Multi-Platform] Offload Scan Server 2.x.x. Click on the MOVE AV [Multi-Platform] Offload Scan Server policy to open the properties. On the Scan Settings tab, ensure the "Scan for Unwanted Programs:" "Enable scanning for potentially unwanted programs" check box is selected. If the "Enable scanning for potentially unwanted programs." check box is not selected, this is a finding. On the system designated as the McAfee MOVE Offload Scan Server, access a cmd window, running as administrator. Navigate to the path to which the McAfee MOVE AV Server software has been installed (default is C:\Program Files (x86)\McAfee\MOVE AV Server). Execute the following command: mvadm config show <enter> From the displayed configuration, ensure the "ScanPUPS" value is set to 1. If the "ScanPUPS" is set to 0, this is a finding.
From the ePO server console System Tree, select the Systems tab, find and click on the asset representing the McAfee MOVE Offload Scan Server to open its properties, select Actions, select Agent, and select Modify Policies on a Single System. From the product drop-down list, select MOVE AV [Multi-Platform] Offload Scan Server 2.x.x. Click on the MOVE AV [Multi-Platform] Offload Scan Server policy to open the properties. On the Scan Settings tab, place a check in the "Scan for Unwanted Programs: Enable scanning for potentially unwanted programs." check box. Click Save.
From the ePO server console System Tree, select the Systems tab, find and click on the asset representing the McAfee MOVE Offload Scan Server to open its properties, select Actions, select Agent, and select Modify Policies on a Single System. From the product drop-down list, select MOVE AV [Multi-Platform] Offload Scan Server 2.x.x. Click on the MOVE AV [Multi-Platform] Offload Scan Server policy to open the properties. On the Scan Settings tab, ensure the "Scan MIME files:" "Enable scanning for MIME-encoded files." check box is selected. If the "Enable scanning for MIME-encoded files." check box is not selected, this is a finding. On the system designated as the McAfee MOVE Offload Scan Server, access a cmd window, running as administrator. Navigate to the path to which the McAfee MOVE AV Server software has been installed (default is C:\Program Files (x86)\McAfee\MOVE AV Server). Execute the following command: mvadm config show <enter> From the displayed configuration, ensure the "ScanMIMEFiles" value is set to 1. If the "ScanMIMEFiles" is set to 0, this is a finding.
From the ePO server console System Tree, select the Systems tab, find and click on the asset representing the McAfee MOVE Offload Scan Server to open its properties, select Actions, select Agent, and select Modify Policies on a Single System. From the product drop-down list, select MOVE AV [Multi-Platform] Offload Scan Server 2.x.x. Click on the MOVE AV [Multi-Platform] Offload Scan Server policy to open the properties. On the Scan Settings tab, place a check in the "Scan MIME files: Enable scanning for MIME-encoded files." check box. Click Save.
NOTE: For systems on the SIPRNet, this check is Not Applicable. From the ePO server console System Tree, select the Systems tab, find and click on the asset representing the McAfee MOVE Offload Scan Server to open its properties, select Actions, select Agent, and select Modify Policies on a Single System. From the product drop-down list, select MOVE AV [Multi-Platform] Offload Scan Server 2.x.x. Click on the MOVE AV [Multi-Platform] Offload Scan Server policy to open the properties. On the Scan Settings Tab, ensure the "McAfee Global Threat Intelligence file reputation:" setting is set to a Sensitivity Level of Medium, or higher. If the "McAfee Global Threat Intelligence file reputation:" setting is not set to a Sensitivity Level of Medium, or higher, this is a finding. On the system designated as the McAfee MOVE Offload Scan Server, access a cmd window, running as administrator. Navigate to the path to which the McAfee MOVE AV Server software has been installed (default is C:\Program Files (x86)\McAfee\MOVE AV Server). Execute the following command: mvadm config show <enter> From the displayed configuration, ensure the "GTILevel" value is set to 3 or more. If the "GTILevel" is set to less than 3, this is a finding.
From the ePO server console System Tree, select the Systems tab, find and click on the asset representing the McAfee MOVE Offload Scan Server to open its properties, select Actions, select Agent, and select Modify Policies on a Single System. From the product drop-down list, select MOVE AV [Multi-Platform] Offload Scan Server 2.x.x. Click on the MOVE AV [Multi-Platform] Offload Scan Server policy to open the properties. On the Scan Settings Tab, click on the dropdown selection for the "McAfee Global Threat Intelligence file reputation:" setting and set the Sensitivity Level to Medium, or higher. Click Save.
From the ePO server console System Tree, select the Systems tab, find and click on the asset representing the McAfee MOVE Offload Scan Server to open its properties, select Actions, select Agent, and select Modify Policies on a Single System. From the product drop-down list, select MOVE AV [Multi-Platform] Offload Scan Server 2.x.x. Click on the MOVE AV [Multi-Platform] Offload Scan Server policy to open the properties. On the Alerts tab, ensure the "Alerts:" "Offload Scan Server events reported to the Windows Event Log." check box is selected. If the "Offload Scan Server events reported to the Windows Event Log." check box is not selected, this is a finding. On the system designated as the McAfee MOVE Offload Scan Server, access a cmd window, running as administrator. Navigate to the path to which the McAfee MOVE AV Server software has been installed (default is C:\Program Files (x86)\McAfee\MOVE AV Server). Execute the following command: mvadm config show <enter> From the displayed configuration, ensure the "EventSink" value is set to 2 (Events reported to the Windows Event Log) or 6 (Events reported to both the Windows Event Log and the ePO Server). If the "EventSink" is set to 0 or 4, this is a finding.
From the ePO server console System Tree, select the Systems tab, find and click on the asset representing the McAfee MOVE Offload Scan Server to open its properties, select Actions, select Agent, and select Modify Policies on a Single System. From the product drop-down list, select MOVE AV [Multi-Platform] Offload Scan Server 2.x.x. Click on the MOVE AV [Multi-Platform] Offload Scan Server policy to open the properties. On the Alerts tab, place a check in the "Offload Scan Server events reported to the Windows Event Log." check box. Click Save.
From the ePO server console System Tree, select the Systems tab, find and click on the asset representing the McAfee MOVE Offload Scan Server to open its properties, select Actions, select Agent, and select Modify Policies on a Single System. From the product drop-down list, select MOVE AV [Multi-Platform] Offload Scan Server 2.x.x. Click on the MOVE AV [Multi-Platform] Offload Scan Server policy to open the properties. On the Alerts tab, ensure the "Alerts:" "Offload Scan Server events are sent to ePolicy Orchestrator." check box is selected. If the "Offload Scan Server events are sent to ePolicy Orchestrator." check box is not selected, this is a finding. On the system designated as the McAfee MOVE Offload Scan Server, access a cmd window, running as administrator. Navigate to the path to which the McAfee MOVE AV Server software has been installed (default is C:\Program Files (x86)\McAfee\MOVE AV Server). Execute the following command: mvadm config show <enter> From the displayed configuration, ensure the "EventSink" value is set to 4 (Events reported to the ePO Server) or 6 (Events reported to both the Windows Event Log and the ePO Server). If the "EventSink" is set to 0 or 2, this is a finding.
From the ePO server console System Tree, select the Systems tab, find and click on the asset representing the McAfee MOVE Offload Scan Server to open its properties, select Actions, select Agent, and select Modify Policies on a Single System. From the product drop-down list, select MOVE AV [Multi-Platform] Offload Scan Server 2.x.x. Click on the MOVE AV [Multi-Platform] Offload Scan Server policy to open the properties. On the Alerts tab, place a check in the "Alerts: Offload Scan Server events are sent to ePolicy Orchestrator." check box. Click Save.
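The local "mvadm config show" checks above (LogFileNum, LogFileSize, ScanArchiveFiles, ScanPUPS, ScanMIMEFiles, GTILevel and the two EventSink requirements) can be evaluated in one pass. The PowerShell below is an added example, not part of the STIG or of McAfee's tooling; it assumes the command prints one "Name : Value" or "Name = Value" pair per line, a layout this page does not show, and the function names and sample data are constructed for illustration.

```powershell
# Added example: grade "mvadm config show" output against the values stated in
# the check text above. Requires Windows PowerShell 3.0 or later.
# ASSUMPTION: settings are printed as "Name : Value" or "Name = Value", one per
# line. Adjust the pattern in ConvertFrom-MvadmConfig to the real output.

# Default install path from the check text; change it if installed elsewhere.
$MoveDir = 'C:\Program Files (x86)\McAfee\MOVE AV Server'

# One entry per requirement: setting name, pass condition, requirement wording.
$Rules = @(
    @{ Label = 'Number of log files';   Name = 'LogFileNum';       Want = '20 or more'; Test = { param($v) $v -ge 20 } }
    @{ Label = 'Log file size';         Name = 'LogFileSize';      Want = '10 or more'; Test = { param($v) $v -ge 10 } }
    @{ Label = 'Scan archive files';    Name = 'ScanArchiveFiles'; Want = '1';          Test = { param($v) $v -eq 1 } }
    @{ Label = 'Scan unwanted programs';Name = 'ScanPUPS';         Want = '1';          Test = { param($v) $v -eq 1 } }
    @{ Label = 'Scan MIME files';       Name = 'ScanMIMEFiles';    Want = '1';          Test = { param($v) $v -eq 1 } }
    @{ Label = 'GTI file reputation';   Name = 'GTILevel';         Want = '3 or more';  Test = { param($v) $v -ge 3 } }
    @{ Label = 'Events to Windows log'; Name = 'EventSink';        Want = '2 or 6';     Test = { param($v) $v -in 2, 6 } }
    @{ Label = 'Events to ePO';         Name = 'EventSink';        Want = '4 or 6';     Test = { param($v) $v -in 4, 6 } }
)

function ConvertFrom-MvadmConfig {
    # Turn the text output into a name -> integer table; other lines are ignored.
    param([string[]]$Lines)
    $config = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*"?(\w+)"?\s*[:=]\s*"?(-?\d+)"?\s*$') {
            $config[$Matches[1]] = [int]$Matches[2]
        }
    }
    return $config
}

function Test-MoveOssConfig {
    # -NotApplicable takes setting names the check text allows to be marked
    # Not Applicable (GTILevel on SIPRNet; ScanArchiveFiles when the scheduled
    # scan already covers archive files).
    param([hashtable]$Config, [string[]]$NotApplicable = @())
    foreach ($rule in $Rules) {
        $name  = $rule.Name
        $value = $null
        if ($NotApplicable -contains $name) {
            $status = 'Not Applicable'
        } elseif (-not $Config.ContainsKey($name)) {
            # Never pass a setting that could not be read from the output.
            $status = 'REVIEW (setting not in output)'
        } else {
            $value  = $Config[$name]
            $passed = & $rule.Test $value
            $status = if ($passed) { 'Not a finding' } else { 'FINDING' }
        }
        [pscustomobject]@{
            Requirement = $rule.Label
            Setting     = $name
            Value       = $value
            Required    = $rule.Want
            Status      = $status
        }
    }
}

# Constructed sample output, used only when MOVE AV Server is not installed.
$Sample = @'
LogFileNum : 20
LogFileSize : 5
ScanArchiveFiles : 1
ScanPUPS : 0
ScanMIMEFiles : 1
GTILevel : 3
EventSink : 2
'@ -split "`r?`n"

if (Test-Path $MoveDir) {
    # Run from an elevated prompt, as the check text requires.
    Push-Location $MoveDir
    try { $raw = & .\mvadm config show } finally { Pop-Location }
} else {
    $raw = $Sample
}

Test-MoveOssConfig -Config (ConvertFrom-MvadmConfig -Lines $raw) |
    Format-Table -AutoSize
```

With the constructed sample, LogFileSize, ScanPUPS and the ePO EventSink requirement are reported as findings; the same EventSink value of 2 satisfies the Windows Event Log requirement, which is why the two are graded separately.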
From the ePO server console System Tree, select the Systems tab, find and click on the asset representing the McAfee MOVE Offload Scan Server to open its properties, select Actions, select Agent, and select Modify Policies on a Single System. From the product drop-down list, select MOVE AV [Multi-Platform] Offload Scan Server 2.x.x. Click on the MOVE AV [Multi-Platform] Offload Scan Server policy to open the properties. On the On-Demand Scan tab, ensure the "On-Demand Scanning:" setting has a check in the "Enabled" check box. If the "On-Demand Scanning:" setting does not have a check in the "Enabled" check box, this is a finding.
From the ePO server console System Tree, select the Systems tab, find and click on the asset representing the McAfee MOVE Offload Scan Server to open its properties, select Actions, select Agent, and select Modify Policies on a Single System. From the product drop-down list, select MOVE AV [Multi-Platform] Offload Scan Server 2.x.x. Click on the MOVE AV [Multi-Platform] Offload Scan Server policy to open the properties. On the On-Demand Scan tab, place a check in the "On-Demand Scanning: Enabled" check box. Click Save.
From the ePO server console System Tree, select the Systems tab, find and click on the asset representing the McAfee MOVE Offload Scan Server to open its properties, select Actions, select Agent, and select Modify Policies on a Single System. From the product drop-down list, select MOVE AV [Multi-Platform] Offload Scan Server 2.x.x. Click on the MOVE AV [Multi-Platform] Offload Scan Server policy to open the properties. On the On-Demand Scan tab, ensure the "On-Demand Client Scan interval (days):" setting is configured for 7 or less. If the "On-Demand Client Scan interval (days):" setting is not configured to 7 or less, this is a finding.
From the ePO server console System Tree, select the Systems tab, find and click on the asset representing the McAfee MOVE Offload Scan Server to open its properties, select Actions, select Agent, and select Modify Policies on a Single System. From the product drop-down list, select MOVE AV [Multi-Platform] Offload Scan Server 2.x.x. Click on the MOVE AV [Multi-Platform] Offload Scan Server policy to open the properties. On the On-Demand Scan tab, enter a value in the "On-Demand Client Scan interval (days):" setting representing a frequency of every seven days, or less. Click on Save.
The McAfee MOVE AV [Multi-Platform] Offload Scan Server does not have a built-in protection mechanism. In order to protect the McAfee MOVE AV [Multi-Platform] Offload Scan Server's files, services, and registry keys, the McAfee VirusScan Enterprise Access Protection features are used. From the ePO server console System Tree, select the Systems tab, find and click on the asset representing the McAfee MOVE Offload Scan Server to open its properties, select Actions, select Agent, and select Modify Policies on a Single System. From the product drop-down list, select VirusScan Enterprise 8.8.x. Click on the Access Protection Policies policy to open the properties. In the "Access protection rules:" settings, under "Categories", click to select the "User-defined Rules". Under "Block/Report/Rules", ensure rules are configured for McAfee MOVE OSS protection. If multiple User-defined rules are created, consult with the System Administration to determine the rules for the purpose of this requirement. For the File/Folder Access Protection Rule created to protect the MOVE AV Server folder, ensure both the Block and Report check boxes are selected. Select the rule, and click on Edit. Ensure "mvserver.exe" is reflected under the "Processes to exclude:" section. Ensure the path to which the McAfee MOVE Offload Scan Server has been installed (default is C:\Program Files (x86)\McAfee\MOVE AV Server\**) is reflected in the "File or folder name to block:" section. Ensure "Write access to files", "New files being created", and "Files being deleted" are selected under the "File actions to prevent:" section. If a File/Folder Blocking Rule does not exist to protect the path to which the McAfee MOVE OSS Server has been installed (default is C:\Program Files (x86)\McAfee\MOVE AV Server), this is a finding. On the system designated as the McAfee MOVE OSS Server, access the local McAfee VirusScan Enterprise Console. 
Under the Task column, select "Access Protection", right click and select "Properties". In the "Access protection rules:" settings, under "Categories", click to select the "User-defined Rules". Under "Block/Report/Rules", ensure rules are configured for McAfee MOVE OSS protection. If multiple User-defined rules are created, consult with the System Administration to determine the rules for the purpose of this requirement. For the File/Folder Access Protection Rule created to protect the MOVE AV Server folder, ensure both the Block and Report check boxes are selected. Select the rule, and click Edit. Ensure "mvserver.exe" is reflected under the "Processes to exclude:" section. Ensure the path to which the McAfee MOVE Offload Scan Server has been installed (default is C:\Program Files (x86)\McAfee\MOVE AV Server\**) is reflected in the "File or folder name to block:" section. Ensure "Write access to files", "New files being created", and "Files being deleted" are selected under the "File actions to prevent:" section. If a File/Folder Blocking Rule does not exist to protect the path to which the McAfee MOVE OSS Server has been installed (default is C:\Program Files (x86)\McAfee\MOVE AV Server), this is a finding.
The McAfee MOVE AV [Multi-Platform] Offload Scan Server does not have a built-in protection mechanism. In order to protect the McAfee MOVE AV [Multi-Platform] Offload Scan Server's files, services, and registry keys, the McAfee VirusScan Enterprise Access Protection features are used. From the ePO server console System Tree, select the Systems tab, find and click on the asset representing the McAfee MOVE Offload Scan Server to open its properties, select Actions, select Agent, and select Modify Policies on a Single System. From the product drop-down list, select VirusScan Enterprise 8.8.x. Click on the Access Protection Policies policy to open the properties. In the "Access protection rules:" settings, under "Categories", click to select the "User-defined Rules" and click on "New". Choose "File/Folder Blocking Rule" to create the rule identified as the File protection rule. Specify an appropriate Rule name: (i.e., McAfee MOVE OSS File and Folder Protection). Enter "mvserver.exe" under the "Processes to exclude:" section. Enter the path to which the McAfee MOVE OSS has been installed (default is C:\Program Files (x86)\McAfee\MOVE AV Server\**) in the "File or folder name to block:" section. Select the "Write access to files", "New files being created", and "Files being deleted" under the "File actions to prevent:" section. Click OK. After the rule is created, select the "Block" and "Report" check boxes. Click Save.
The McAfee MOVE AV [Multi-Platform] Offload Scan Server does not have a built-in protection mechanism. In order to protect the McAfee MOVE AV [Multi-Platform] Offload Scan Server's files, services, and registry keys, the McAfee VirusScan Enterprise Access Protection features are used. From the ePO server console System Tree, select the Systems tab, find and click on the asset representing the McAfee MOVE Offload Scan Server to open its properties, select Actions, select Agent, and select Modify Policies on a Single System. From the product drop-down list, select VirusScan Enterprise 8.8.x. Click on the Access Protection Policies policy to open the properties. In the "Access protection rules:" settings, under "Categories", click to select the "User-defined Rules". Under "Block/Report/Rules", ensure three rules are configured for McAfee MOVE OSS registry key protection. If multiple User-defined rules are created, consult with the System Administration to determine the rules for the purpose of this requirement. For each of the Access Protection Rules created to protect the McAfee MOVE OSS registry keys, ensure both the "Block" and "Report" check boxes are selected. There should be three individual Registry Blocking Rules, one for each of the following criteria: Ensure a Registry Access Protection Rule exists that has "HKCCS\services\mvserver" identified as the "Registry Key or value to protect:", with "Write to key or value", "Create key or value", and "Delete key or value" selected under the "Registry actions to block:" section. Under the "Processes to exclude:", "mvserver.exe" should be reflected. Ensure a Registry Access Protection Rule exists that has "HKCCS\services\mvserver\Parameters" identified as the "Registry Key or value to protect:", with "Write to key or value", "Create key or value", and "Delete key or value" selected under the "Registry actions to block:" section. Under the "Processes to exclude:", "mvserver.exe" should be reflected. 
Ensure a Registry Access Protection Rule exists that has "HKCCS\services\mvserver\Parameters\ODS" identified as the "Registry Key or value to protect:", with "Write to key or value", "Create key or value", and "Delete key or value" selected under the "Registry actions to block:" section. Under the "Processes to exclude:", "mvserver.exe" should be reflected. If three Registry Blocking Rules do not exist to protect each of the "HKCCS\services\mvserver", "HKCCS\services\mvserver\Parameters", and "HKCCS\services\mvserver\Parameters\ODS" registry keys and values, this is a finding. On the system designated as the McAfee MOVE OSS Server, access the local McAfee VirusScan Enterprise Console. Under the Task column, select "Access Protection", right click and select "Properties". In the "Access protection rules:" settings, under "Categories", click to select the "User-defined Rules". Under "Block/Report/Rules", ensure three rules are configured for McAfee MOVE OSS registry key protection. If multiple User-defined rules are created, consult with the System Administration to determine the rules for the purpose of this requirement. For each of the Access Protection Rules created to protect the McAfee MOVE OSS registry keys, ensure both the "Block" and "Report" check boxes are selected. There should be three individual Registry Blocking Rules, one for each of the following criteria: Ensure a Registry Access Protection Rule exists that has "HKCCS\services\mvserver" identified as the "Registry Key or value to protect:", with "Write to key or value", "Create key or value", and "Delete key or value" selected under the "Registry actions to block:" section. Under the "Processes to exclude:", "mvserver.exe" should be reflected. 
Ensure a Registry Access Protection Rule exists that has "HKCCS\services\mvserver\Parameters" identified as the "Registry Key or value to protect:", with "Write to key or value", "Create key or value", and "Delete key or value" selected under the "Registry actions to block:" section. Under the "Processes to exclude:", "mvserver.exe" should be reflected. Ensure a Registry Access Protection Rule exists that has "HKCCS\services\mvserver\Parameters\ODS" identified as the "Registry Key or value to protect:", with "Write to key or value", "Create key or value", and "Delete key or value" selected under the "Registry actions to block:" section. Under the "Processes to exclude:", "mvserver.exe" should be reflected. If three Registry Blocking Rules do not exist to protect each of the "HKCCS\services\mvserver", "HKCCS\services\mvserver\Parameters", and "HKCCS\services\mvserver\Parameters\ODS" registry keys and values, this is a finding.
The McAfee MOVE AV [Multi-Platform] Offload Scan Server does not have a built-in protection mechanism. In order to protect the McAfee MOVE AV [Multi-Platform] Offload Scan Server's files, services, and registry keys, the McAfee VirusScan Enterprise Access Protection features are used. From the ePO server console System Tree, select the Systems tab, find and click on the asset representing the McAfee MOVE Offload Scan Server to open its properties, select Actions, select Agent, and select Modify Policies on a Single System. From the product drop-down list, select VirusScan Enterprise 8.8.x. Click on the Access Protection Policies policy to open the properties. In the "Access protection rules:" settings, under "Categories", click to select the "User-defined Rules" and click on "New". Click New to create each of the following three "Registry Blocking Rules:", naming each rule according to the protection it affords. "HKCCS/services/mvserver" identified as the "Registry Key or value to protect:", with "Write to key or value", "Create key or value", and "Delete key or value" selected under the "Registry actions to block:" section. Under the "Processes to exclude:", "mvserver.exe" should be reflected. "HKCCS/services/mvserver/Parameters" identified as the "Registry Key or value to protect:", with "Write to key or value", "Create key or value", and "Delete key or value" selected under the "Registry actions to block:" section. Under the "Processes to exclude:", "mvserver.exe" should be reflected. "HKCCS/services/mvserver/Parameters/ODS" identified as the "Registry Key or value to protect:", with "Write to key or value", "Create key or value", and "Delete key or value" selected under the "Registry actions to block:" section. Under the "Processes to exclude:", "mvserver.exe" should be reflected. After each of the above rules is created, select both the "Block" and "Report" check boxes. Click Save.