McAfee MOVE Agentless 3.0/3.6.1 Security Virtual Appliance STIG

V1R4 2016-04-05       U_McAfee_MOVE_Agentless_3-0_3-6-1_SVA_V1R4_Manual-xccdf.xml
V1R3 2015-10-06       U_McAfee_MOVE3_0_Agentless_SVA_V1R3_Manual-xccdf.xml
The McAfee MOVE 3.0/3.6.1 Agentless SVA STIG is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the NIST 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: [email protected]
Comparison
All 25
No Change 2
Updated 23
Added 0
Removed 0
V-43788 No Change
Findings ID: AV-MOVE-VM-001 Rule ID: SV-56609r1_rule Severity: high CCI: CCI-001242

Discussion

The vShield Manager is the centralized network management component of vShield, and is installed as a virtual appliance on an ESX host in a vCenter Server environment. The vShield Manager user interface or vSphere Client plug-in is used by administrators to install, configure, and maintain vShield components.

vShield Endpoint offloads antivirus and anti-malware agent processing to a dedicated secure virtual appliance delivered by VMware partners. Because the secure virtual appliance (unlike a guest virtual machine) does not go offline, it can continuously update antivirus signatures and so give uninterrupted protection to the virtual machines on the host. New virtual machines (or existing virtual machines that were offline) are protected with the most current antivirus signatures as soon as they come online. vShield Endpoint installs as a hypervisor module plus a security virtual appliance from a third-party antivirus vendor (a VMware partner) on an ESX host. The hypervisor scans guest virtual machines from the outside, removing the need for an agent in every virtual machine, which avoids resource bottlenecks and optimizes memory use.

McAfee MOVE AV Agentless requires vShield Endpoint to be installed on a virtual machine before the McAfee MOVE Security Virtual Appliance can protect it. A virtual machine without vShield Endpoint is not protected from malware and viruses.

System Administrator

Checks

This check validates whether a virtual machine is protected by the McAfee MOVE Agentless Security Virtual Appliance.

With the assistance of the System Administrator, log into the VMware vShield Manager via a web browser.

Set View to "Host & Datacenters", select the ESX host that contains the virtual machine being configured/reviewed.
In the right screen, select the Endpoint tab.
Verify the virtual machine is listed and shows a "Type" of "Protected VM".

If the organization is not using VMware vShield Manager or does not have vShield Endpoint installed and configured, this is a finding.
If the organization does use VMware vShield Manager and has vShield Endpoint installed and configured but the virtual machine being reviewed is not listed, or not showing as "Protected VM", this is a finding.

Fix

If VMware vShield Manager is not being used or the vShield Endpoint is not installed and configured, install and configure vShield Manager. Add component and vShield Endpoint licenses in vCenter. Install vShield Endpoint on the hypervisor(s).

If the virtual machine is not showing as a "Protected VM", install VMware Tools on the guest VM using the Custom install of VMware Tools. In the vSphere Client, right-click the appropriate VM, select Guest | Install/Upgrade VMware Tools.
In the Install/Upgrade Tools dialog box, select Interactive Tools Upgrade and click OK.
Depending on the environment, select setup.exe or setup64.exe and run it as administrator.
Select Custom then click Next.
Expand VMware Device Drivers | VMCI Drivers, then select vShield Drivers | This feature will be installed on local hard drive.
Access vShield Manager to confirm the virtual machine is showing as a "Protected VM".
V-43957 Updated
Findings ID: AV-MOVE-SVA-001 Rule ID: SV-56787r12_rule Severity: medium CCI: CCI-001242

Discussion

Organizations should use centrally managed antivirus software that is controlled and monitored regularly by antivirus administrators, who are also typically responsible for acquiring, testing, approving, and delivering antivirus signature and software updates throughout the organization. Users should not be able to disable or delete antivirus software from their hosts, nor should they be able to alter critical settings. Antivirus administrators should perform continuous monitoring to confirm that hosts are using current antivirus software and that the software is configured properly. Together, these practices give an organization a strong and consistent antivirus deployment.

System Administrator

Checks

NOTE: The MOVE Agentless 3.0/3.6.1 Security Virtual Appliance (SVA) comes pre-installed with McAfee Agent 4.8 and requires that the McAfee Agent 4.8 Extension already be installed on the ePO 4.6 Server. ePO 4.6 environments must upgrade to the McAfee Agent 4.8 Extension prior to deployment of the MOVE Agentless 3.0/3.6.1 SVA.

From the ePO server console System Tree, select "My Organization". Select the Systems tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA).

If the system designated as the McAfee MOVE Security Virtual Appliance (SVA) is not in the ePO server System Tree, this is a finding.

If the system designated as the McAfee MOVE Security Virtual Appliance (SVA) is in the ePO server System Tree, click on the system to open the System Information page.

On the System Information page, verify "MOVE AV [Agentless]" is listed as an Installed Product.

If the system does not show MOVE AV [Agentless] listed as an installed product, this is a finding.

Fix

Obtain the McAfee Agent install files from the McAfee ePO server and install onto the McAfee SVA, following the same procedures as for any other Linux system being managed by the McAfee ePO server.

After installation, from the ePO server console System Tree, select "My Organization". Select the Systems tab. Find and double-click on the asset representing the McAfee MOVE Security Virtual Appliance (SVA) to open its properties.

Under "System Information" section, verify the "Last communication" date and time is within the time period designated by the "Agent-to-Server Communication Interval:" under the "McAfee Agent" section.
Under the "System Information" section, verify "MOVE AV [Agentless]" is listed as an installed product.
V-43958 Updated
Findings ID: AV-MOVE-SVA-002 Rule ID: SV-56788r12_rule Severity: medium CCI: CCI-001242

Discussion

Requiring the McAfee MOVE AV Agentless SVA to authenticate to the hypervisor over HTTPS ensures the hypervisor credentials travel over an encrypted path rather than in cleartext.

System Administrator

Checks

From the ePO server console System Tree, select "My Organization". Select the Systems tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page.

Click on Actions | Agent | Modify Policies on a Single System.


For McAfee MOVE AV Agentless 3.0:

From the "Product:" drop-down list, select "MOVE AV [Agentless] 3.0.0". Locate "SVA" under the "Category" column and select the policy corresponding to it, found under the "Policy" column.

On the Policy Settings page, select the "Authentication" tab and verify the "Protocol:" is set to "https".

If the "Protocol:" is not set to "https", this is a finding.

For McAfee MOVE AV Agentless 3.6.1:

From the "Product:" drop-down list, select "MOVE AV [Agentless] 3.6.1". Locate "SVM" under the "Category" column and select the policy corresponding to it, found under the "Policy" column.

On the Policy Settings page, select the "General Settings" tab and verify the "Protocol:" is set to "https".

If the "Protocol:" is not set to "https", this is a finding.

Fix

From the ePO server console System Tree, select "My Organization". Select the Systems tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page.

Click on Actions | Agent | Modify Policies on a Single System.


For McAfee MOVE AV Agentless 3.0:

From the "Product:" drop-down list, select "MOVE AV [Agentless] 3.0.0". Locate "SVA" under the "Category" column and select the policy corresponding to it, found under the "Policy" column.

On the Policy Settings page, select the "Authentication" tab and select "https" from the "Protocol:" drop-down list.

For McAfee MOVE AV Agentless 3.6.1:

From the "Product:" drop-down list, select "MOVE AV [Agentless] 3.6.1". Locate "SVM" under the "Category" column and select the policy corresponding to it, found under the "Policy" column.

On the Policy Settings page, select the "General Settings" tab and select "https" from the "Protocol:" drop-down list.

Click on Save.
V-43959 Updated
Findings ID: AV-MOVE-SVA-003 Rule ID: SV-56789r12_rule Severity: medium CCI: CCI-001242

Discussion

Requiring the McAfee MOVE AV Agentless SVA to authenticate to the hypervisor with a username and password, coupled with HTTPS, ensures authentication is over a secure path from a valid source. Because the credentials are saved in the ePO policy, use a dedicated hypervisor account with only the privileges the SVA needs rather than a shared administrative account.

System Administrator

Checks

From the ePO server console System Tree, select "My Organization". Select the Systems tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page.

Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "MOVE AV [Agentless] 3.0.0" or "MOVE AV [Agentless] 3.6.1" as appropriate. Locate "SVA" under the "Category" column and select the policy corresponding to it, found under the "Policy" column.

For McAfee MOVE AV Agentless 3.0: on the Policy Settings page, select the "Authentication" tab and verify the "User:" field is populated.

For McAfee MOVE AV Agentless 3.6.1: on the Policy Settings page, select the "General Settings" tab and verify the "User:" field is populated.

Note: The "Password:" field will appear blank. Because the "User:" field cannot be populated and saved without a password, the "Password:" requirement can be considered compliant provided the "User:" field is verified as populated.

If the "User:" field is not populated, this is a finding.

Fix

From the ePO server console System Tree, select "My Organization". Select the Systems tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page.

Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "MOVE AV [Agentless] 3.0.0" or "MOVE AV [Agentless] 3.6.1" as appropriate. Locate "SVA" under the "Category" column and select the policy corresponding to it, found under the "Policy" column.

For McAfee MOVE AV Agentless 3.0: on the Policy Settings page, select the "Authentication" tab and populate the "User:" and "Password:" fields with a user/password combination that has authentication access to the hypervisor. Click on "Test the connection".

For McAfee MOVE AV Agentless 3.6.1: on the Policy Settings page, select the "General Settings" tab and populate the "User:" and "Password:" fields with a user/password combination that has authentication access to the hypervisor. Click on "Test the connection".

Click on Save.
V-43960 Updated
Findings ID: AV-MOVE-SVA-004 Rule ID: SV-56790r12_rule Severity: medium CCI: CCI-001242

Discussion

Enabling the cache in the McAfee MOVE AV Agentless SVA improves performance when scanning virtual machines, because scan results for files already seen do not have to be recomputed.

System Administrator

Checks

From the ePO server console System Tree, select "My Organization". Select the Systems tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page.

Click on Actions | Agent | Modify Policies on a Single System.


For McAfee MOVE AV Agentless 3.0:

From the "Product:" drop-down list, select "MOVE AV [Agentless] 3.0.0". Locate "SVA" under the "Category" column and select the policy corresponding to it, found under the "Policy" column.

In the Scan Settings tab of the Policy Settings page, next to "SVA cache:", verify the checkbox for "Enabled" is selected.

If the checkbox for "SVA cache: Enabled" is not selected, this is a finding.

For McAfee MOVE AV Agentless 3.6.1:

From the "Product:" drop-down list, select "MOVE AV [Agentless] 3.6.1". Locate "SVA" under the "Category" column and select the policy corresponding to it, found under the "Policy" column.

In the Scan Settings tab of the Policy Settings page, next to "SVAM cache:", verify the checkbox for "Enabled" is selected.

If the checkbox for "SVAM cache: Enabled" is not selected, this is a finding.

Fix

From the ePO server console System Tree, select "My Organization". Select the Systems tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page.

Click on Actions | Agent | Modify Policies on a Single System.

For McAfee MOVE AV Agentless 3.0:

From the "Product:" drop-down list, select "MOVE AV [Agentless] 3.0.0". Locate "SVA" under the "Category" column and select the policy corresponding to it, found under the "Policy" column.

In the Scan Settings tab of the Policy Settings page, next to "SVA cache:", select the checkbox for "Enabled".

For McAfee MOVE AV Agentless 3.6.1:

From the "Product:" drop-down list, select "MOVE AV [Agentless] 3.6.1". Locate "SVAM" under the "Category" column and select the policy corresponding to it, found under the "Policy" column.

In the Scan Settings tab of the Policy Settings page, next to "SVAM cache:", select the checkbox for "Enabled".

Click on Save.
V-43961 Updated
Findings ID: AV-MOVE-SVA-005 Rule ID: SV-56791r12_rule Severity: medium CCI: CCI-001242

Discussion

While enabling the cache in the McAfee MOVE AV Agentless SVA improves performance when scanning virtual machines, the file size of cached items needs to be restricted in order to prevent excessively large files from being cached, which would have a negative impact on performance.

System Administrator

Checks

From the ePO server console System Tree, select "My Organization". Select the Systems tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page.

Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "MOVE AV [Agentless] 3.0.0/3.6.1". Locate "SVA" under the "Category" column and select the policy corresponding to it, found under the "Policy" column.

In the Scan Settings tab of the Policy Settings page, verify the "Cache scan result of file size up to (MB):" is configured for "1".

If the "Cache scan result of file size up to (MB):" is not configured to "1", this is a finding.

Fix

From the ePO server console System Tree, select "My Organization". Select the Systems tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page.

Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select MOVE AV [Agentless] 3.0.0. Locate "SVA" under the "Category" column and select the policy corresponding to it, found under the "Policy" column.

In the Scan Settings tab of the Policy Settings page, populate the "Cache scan result of file size up to (MB):" with a value of "1"

Click on Save.
V-43962 Updated
Findings ID: AV-MOVE-SVA-006 Rule ID: SV-56792r12_rule Severity: medium CCI: CCI-001242

Discussion

Antivirus software is the most commonly used technical control for malware threat mitigation. Antivirus software on hosts should be configured to scan all hard drives regularly to identify any file system infections and to scan any removable media, if applicable, before media is inserted into the system. Not scheduling a regular scan of the hard drives of a system, and/or not configuring the scan to cover all files and running processes, introduces a higher risk of threats going undetected.

System Administrator

Checks

From the ePO server console System Tree, select "My Organization". Select the Systems tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page.

Click on "Actions | Agent | Modify Policies on a Single System". From the "Product:" drop-down list, select "MOVE AV [Agentless] 3.0.0/3.6.1". Locate "SVA" under the "Category" column and select the policy corresponding to it, found under the "Policy" column.

In the Scan Settings tab of the Policy Settings page, verify the "On-Demand Scan time interval (days):" is set to "7" or less.

If the "On-Demand Scan time interval (days):" is set to a value of more than "7", this is a finding.

Fix

From the ePO server console System Tree, select "My Organization". Select the Systems tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page.

Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select
"MOVE AV [Agentless] 3.0.0/3.6.1". Locate "SVA" under the "Category" column and select the policy corresponding to it, found under the "Policy" column.

In the Scan Settings tab of the Policy Settings page, configure the "On-Demand Scan time interval (days):" with a value of "7" or less.

Click on Save.
V-44931 Updated
Findings ID: AV-MOVE-SVA-101 Rule ID: SV-57765r12_rule Severity: high CCI: CCI-001242

Discussion

Antivirus software is the most commonly used technical control for malware threat mitigation. Antivirus software should be configured to perform real-time scans of each file as it is downloaded, opened, or executed.

System Administrator

Checks

From the ePO server console System Tree, select "My Organization". Select the Systems tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page.

Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select MOVE AV [Agentless] 3.0.0. Locate "Scan" under the "Category" column and select the policy corresponding to it, found under the "Policy" column.

In the General tab of the Policy Settings page, next to the "On-Access Scanning:", verify the checkbox for "Enabled" is selected.

If the checkbox for "On-Access Scanning: Enabled" is not selected, this is a finding.

Fix

From the ePO server console System Tree, select "My Organization". Select the Systems tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page.

Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select
"MOVE AV [Agentless] 3.0.0/3.6.1". Locate "Scan" under the "Category" column and select the policy corresponding to it, found under the "Policy" column.

In the General tab of the Policy Settings page, next to the "On-Access Scanning:", select the checkbox for "Enabled".

Click on Save.
V-44933 Updated
Findings ID: AV-MOVE-SVA-102 Rule ID: SV-57767r12_rule Severity: medium CCI: CCI-001242

Discussion

This setting configures the amount of time, in seconds, to wait for a scan to complete. The default is 45 seconds. Most file scans complete quickly, but a scan may take longer because of a large file, the file type, or heavy load on the offload scan server. When a scan exceeds the timeout, the file access is allowed and a scan timeout event is generated; in other words, the timeout fails open. Setting the timeout too low therefore causes scans to be cut off before they finish, so malware can go undetected. Scan timeout events should be monitored, since each one represents a file released to the guest without a completed scan.

System Administrator

Checks

From the ePO server console System Tree, select "My Organization". Select the Systems tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page.

Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "MOVE AV [Agentless] 3.0.0/3.6.1". Locate "Scan" under the "Category" column and select the policy corresponding to it, found under the "Policy" column.

In the General tab of the Policy Settings page, next to the "On-Access Scan timeout:", verify the "Enforce a maximum scanning time for all files (On-Access Scans only)" checkbox is selected.
Verify the "On-Access Scan timeout: Maximum scan time (seconds):" has a value of 45 or more.

If the checkbox for "On-Access Scan timeout: Enforce a maximum scanning time for all files (On-Access Scans only)" is not selected, and/or the "On-Access Scan timeout: Maximum scan time (seconds):" does not have a value of 45 or more, this is a finding.

Fix

From the ePO server console System Tree, select "My Organization". Select the Systems tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page.

Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select MOVE AV [Agentless] 3.0.0. Locate "Scan" under the "Category" column and select the policy corresponding to it, found under the "Policy" column.

In the General tab of the Policy Settings page, next to the "On-Access Scan timeout:", select the checkbox for "Enforce a maximum scanning time for all files (On-Access Scans only)".
In the "On-Access Scan timeout: Maximum scan time (seconds):" place a value of 45 or more.

Click on Save.
V-44935 Updated
Findings ID: AV-MOVE-SVA-103 Rule ID: SV-57769r12_rule Severity: medium CCI: CCI-001242

Discussion

Antivirus software is the most commonly used technical control for malware threat mitigation. Antivirus software on hosts should be configured to scan all hard drives and folders regularly to identify any file system infections and to scan any removable media, if applicable, before media is inserted into the system. Not scheduling a regular scan of the hard drives of a system, and/or not configuring the scan to cover all files and running processes, introduces a higher risk of threats going undetected.
System Administrator

Checks

From the ePO server console System Tree, select "My Organization". Select the Systems tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page.

Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "MOVE AV [Agentless] 3.0.0/3.6.1". Locate "Scan" under the "Category" column and select the policy corresponding to it, found under the "Policy" column.

In the General tab of the Policy Settings page, next to the "On-Demand Scanning:", verify the checkbox for "Enabled" is selected.

If the checkbox for "On-Demand Scanning: Enabled" is not selected, this is a finding.

Fix

From the ePO server console System Tree, select "My Organization". Select the Systems tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page.

Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select
"MOVE AV [Agentless] 3.0.0/3.6.1". Locate "Scan" under the "Category" column and select the policy corresponding to it, found under the "Policy" column.

In the General tab of the Policy Settings page, next to the "On-Demand Scanning:", select the checkbox for "Enabled".

Click on Save.
V-44969 Updated
Findings ID: AV-MOVE-SVA-104 Rule ID: SV-57803r12_rule Severity: medium CCI: CCI-001242

Discussion

Antivirus software is the most commonly used technical control for malware threat mitigation. Real-time scanning of files as they are read from disk is a crucial first line of defense from malware attacks.

System Administrator

Checks

From the ePO server console System Tree, select "My Organization". Select the Systems tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page.

Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "MOVE AV [Agentless] 3.0.0/3.6.1". Locate "Scan" under the "Category" column and select the policy corresponding to it, found under the "Policy" column.

In the Scan Items tab of the Policy Settings, next to the "On-Access Scan files:", verify the checkbox for "On Open" is selected.

If the checkbox for "On-Access Scan files: On Open" is not selected, this is a finding.

Fix

From the ePO server console System Tree, select "My Organization". Select the Systems tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page.

Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select
"MOVE AV [Agentless] 3.0.0/3.6.1". Locate "Scan" under the "Category" column and select the policy corresponding to it, found under the "Policy" column.

In the Scan Items tab of the Policy Settings, next to the "On-Access Scan files:", select the checkbox for "On Open".

Click on Save.
V-44973 Updated
Findings ID: AV-MOVE-SVA-105 Rule ID: SV-57807r12_rule Severity: medium CCI: CCI-001242

Discussion

When scanning for malware, excluding specific file types will increase the risk of a malware-infected file going undetected. By configuring antivirus software to scan all file types, the scanner has a higher success rate at detecting and eradicating malware.
System Administrator

Checks

From the ePO server console System Tree, select "My Organization". Select the Systems tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page.

Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "MOVE AV [Agentless] 3.0.0/3.6.1". Locate "Scan" under the "Category" column and select the policy corresponding to it, found under the "Policy" column.

In the Scan Items tab of the Policy Settings, next to the "Files types to scan:", verify the radio button for "All files" is selected.

If radio button for the "Files types to scan: All files" is not selected, this is a finding.

Fix

From the ePO server console System Tree, select "My Organization". Select the Systems tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page.

Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select
"MOVE AV [Agentless] 3.0.0/3.6.1". Locate "Scan" under the "Category" column and select the policy corresponding to it, found under the "Policy" column.

In the Scan Items tab of the Policy Settings, next to the "Files types to scan:", select the radio button for "All files".

Click on Save.
V-44979 Updated
Findings ID: AV-MOVE-SVA-106 Rule ID: SV-57813r12_rule Severity: medium CCI: CCI-001242

Discussion

Antivirus software is the most commonly used technical control for malware threat mitigation. Real-time scanning of files as they are written to disk is a crucial first line of defense from malware attacks.

Checks

From the ePO server console System Tree, select "My Organization". Select the Systems tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page.

Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "MOVE AV [Agentless] 3.0.0/3.6.1". Locate "Scan" under the "Category" column and select the policy corresponding to it, found under the "Policy" column.

In the Scan Items tab of the Policy Settings, next to the "On-Access Scan files:", verify the checkbox for "On Close" is selected.

If the checkbox for "On-Access Scan files: On Close" is not selected, this is a finding.

Fix

From the ePO server console System Tree, select "My Organization". Select the Systems tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page.

Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select
"MOVE AV [Agentless] 3.0.0/3.6.1". Locate "Scan" under the "Category" column and select the policy corresponding to it, found under the "Policy" column.

In the Scan Items tab of the Policy Settings, next to the "On-Access Scan files:", select the checkbox for "On Close".

Click on Save.
V-44993 Updated
Findings ID: AV-MOVE-SVA-107 Rule ID: SV-57827r23_rule Severity: medium CCI: CCI-001242

Discussion

Malware is often packaged within an archive. In addition, archives might have other archives within. Not scanning archive files introduces the risk of infected files being introduced into the environment.
System Administrator

Checks

NOTE: If the regularly scheduled scan includes the scanning of archive files, this requirement can alternatively be not configured and marked as Not Applicable.

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA).

Click on the system to open the System Information page.

Click on Actions | Agent | Modify Policies on a Single System.

From the "Product:" drop-down list, select "MOVE AV [Agentless] 3.0.0/3.6.1". Locate "Scan" under the "Category" column and select the policy corresponding to it, found under the "Policy" column.

In the "Scan Items" tab of the Policy Settings, next to the "Compressed files:", verify the checkbox for "Scan inside archives (e.g., .ZIP)" is selected.

If the checkbox for "Compressed files: Scan inside archives (e.g., .ZIP)" is not selected, this is a finding.

Fix

From the ePO server console System Tree, select "My Organization". Select the Systems tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page.

Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select
"MOVE AV [Agentless] 3.0.0/3.6.1". Locate "Scan" under the "Category" column and select the policy corresponding to it, found under the "Policy" column.

In the Scan Items tab of the Policy Settings, next to the "Compressed files:", select the checkbox for "Scan inside archives (e.g., .ZIP)".

Click on Save.
V-48853 Updated
Findings ID: AV-MOVE-SVA-108 Rule ID: SV-61731r12_rule Severity: medium CCI: CCI-001242

Discussion

Multipurpose Internet Mail Extensions (MIME) encoded files can be crafted to hide a malicious payload. When the MIME encoded file is presented to software that decodes MIME encoded files, such as an email client, the malware is released. Scanning these files as part of the regularly scheduled scan tasks will mitigate this risk.
System Administrator

Checks

From the ePO server console System Tree, select "My Organization". Select the Systems tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page.

Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "MOVE AV [Agentless] 3.0.0/3.6.1". Locate "Scan" under the "Category" column and select the policy corresponding to it, found under the "Policy" column.

In the Scan Items tab of the Policy Settings, next to the "Compressed files:", verify the checkbox for "Decode MIME encoded files" is selected.

If the checkbox for "Compressed files: Decode MIME encoded files" is not selected, this is a finding.

Fix

From the ePO server console System Tree, select "My Organization". Select the Systems tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page.

Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select
"MOVE AV [Agentless] 3.0.0/3.6.1". Locate "Scan" under the "Category" column and select the policy corresponding to it, found under the "Policy" column.

In the Scan Items tab of the Policy Settings, next to the "Compressed files:", select the checkbox for "Decode MIME encoded files".

Click on Save.
V-48855 Updated
Findings ID: AV-MOVE-SVA-109 Rule ID: SV-61733r12_rule Severity: medium CCI: CCI-001242

Discussion

Due to the ability of malware to mutate after infection, standard antivirus signatures may not be able to catch new strains or variants of the malware. Typically, these strains and variants will share unique characteristics with others in their virus family. By using a generic signature to detect the shared characteristics, using wildcards where differences lie, the generic signature can detect viruses even if they are padded with extra, meaningless code. This method of detection is Heuristic detection.
System Administrator

Checks

From the ePO server console System Tree, select "My Organization". Select the Systems tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page.

Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "MOVE AV [Agentless] 3.0.0/3.6.1". Locate "Scan" under the "Category" column and select the policy corresponding to it, found under the "Policy" column.

In the Scan Items tab of the Policy Settings, next to the "Heuristics:", verify the checkbox for "Find unknown macro threats" is selected.

If the checkbox for "Heuristics: Find unknown macro threats" is not selected, this is a finding.

Fix

From the ePO server console System Tree, select "My Organization". Select the Systems tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page.

Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select
"MOVE AV [Agentless] 3.0.0/3.6.1". Locate "Scan" under the "Category" column and select the policy corresponding to it, found under the "Policy" column.

In the Scan Items tab of the Policy Settings, next to the "Heuristics:", select the checkbox for "Find unknown macro threats".

Click on Save.
V-48857 Updated
Findings ID: AV-MOVE-SVA-110 Rule ID: SV-61735r12_rule Severity: medium CCI: CCI-001242

Discussion

Due to the ability of malware to mutate after infection, standard antivirus signatures may not be able to catch new strains or variants of the malware. Typically, these strains and variants will share unique characteristics with others in their virus family. By using a generic signature to detect the shared characteristics, using wildcards where differences lie, the generic signature can detect viruses even if they are padded with extra, meaningless code. This method of detection is Heuristic detection.
System Administrator

Checks

From the ePO server console System Tree, select "My Organization". Select the Systems tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page.

Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "MOVE AV [Agentless] 3.0.0/3.6.1". Locate "Scan" under the "Category" column and select the policy corresponding to it, found under the "Policy" column.

In the Scan Items tab of the Policy Settings, next to the "Heuristics:", verify the checkbox for "Find unknown unwanted programs and trojans" is selected.

If the checkbox for "Heuristics: Find unknown unwanted programs and trojans" is not selected, this is a finding.

Fix

From the ePO server console System Tree, select "My Organization". Select the Systems tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page.

Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select
"MOVE AV [Agentless] 3.0.0/3.6.1". Locate "Scan" under the "Category" column and select the policy corresponding to it, found under the "Policy" column.

In the Scan Items tab of the Policy Settings, next to the "Heuristics:", select the checkbox for "Find unknown unwanted programs and trojans".

Click on Save.
V-48859 Updated
Findings ID: AV-MOVE-SVA-111 Rule ID: SV-61737r12_rule Severity: medium CCI: CCI-001242

Discussion

Antivirus software vendors use collective intelligence from sensors and cross-vector intelligence from web, email, and network threats to compile scores that reflect the likelihood of whether a file in question is malware. The collective intelligence is constantly being updated, more frequently than the typical daily antivirus signature files. With File Reputation lookup, a more real-time response to potential malicious code is realized than with the local-running antivirus software, since by querying the cloud-based database when a file appears to be suspicious, up-to-the-minute intelligence is provided. This type of protection reduces the threat protection time period from days to milliseconds, increases malware detection rates, and reduces downtime and remediation costs associated with malware attacks. Using File Reputation lookup is mandated by US CYBERCOM on DoD systems.
System Administrator

Checks

NOTE: This check is Not Applicable for SIPRNet systems.

From the ePO server console System Tree, select "My Organization". Select the Systems tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page.

Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "MOVE AV [Agentless] 3.0.0/3.6.1". Locate "Scan" under the "Category" column and select the policy corresponding to it, found under the "Policy" column.

In the Scan Items tab of the Policy Settings, next to the "McAfee Global Threat Intelligence file reputation:", verify the "Sensitivity level:" is set to Medium, or higher.

If the "Sensitivity level:" for the "McAfee Global Threat Intelligence file reputation:" is not set to Medium, or higher, this is a finding.

Fix

From the ePO server console System Tree, select "My Organization". Select the Systems tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page.

Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select
"MOVE AV [Agentless] 3.0.0/3.6.1". Locate "Scan" under the "Category" column and select the policy corresponding to it, found under the "Policy" column.

In the Scan Items tab of the Policy Settings, next to the "McAfee Global Threat Intelligence file reputation:", select Medium or higher from the "Sensitivity level:" drop-down list.

Click on Save.
V-48861 Updated
Findings ID: AV-MOVE-SVA-112 Rule ID: SV-61739r12_rule Severity: medium CCI: CCI-001242

Discussion

Due to the ability of malware to mutate after infection, standard antivirus signatures may not be able to catch new strains or variants of the malware. Typically, these strains and variants will share unique characteristics with others in their virus family. By using a generic signature to detect the shared characteristics, using wildcards where differences lie, the generic signature can detect viruses even if they are padded with extra, meaningless code. This method of detection is Heuristic detection.
System Administrator

Checks

From the ePO server console System Tree, select "My Organization". Select the Systems tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page.

Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "MOVE AV [Agentless] 3.0.0/3.6.1". Locate "Scan" under the "Category" column and select the policy corresponding to it, found under the "Policy" column.

In the Scan Items tab of the Policy Settings, next to the "Unwanted programs detection:", verify the checkbox for "Detect unwanted programs" is selected.
In the Scan Items tab of the Policy Settings, next to the "Unwanted programs detection:", verify the checkboxes for "Spyware", "Adware", "Remote Administration Tools", "Dialers", "Password Crackers", "Jokes", "Key Loggers", and "Other Potentially Unwanted Programs" are all selected.

If the checkbox for "Unwanted programs detection: Detect unwanted programs", or the checkbox for any of "Spyware", "Adware", "Remote Administration Tools", "Dialers", "Password Crackers", "Jokes", "Key Loggers", and "Other Potentially Unwanted Programs" is not selected, this is a finding.

Fix

From the ePO server console System Tree, select "My Organization". Select the Systems tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page.

Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select
"MOVE AV [Agentless] 3.0.0/3.6.1". Locate "Scan" under the "Category" column and select the policy corresponding to it, found under the "Policy" column.

In the Scan Items tab of the Policy Settings, next to the "Unwanted programs detection:", select the checkbox for "Detect unwanted programs".
In the Scan Items tab of the Policy Settings, next to the "Unwanted programs detection:", select the checkboxes for "Spyware", "Adware", "Remote Administration Tools", "Dialers", "Password Crackers", "Jokes", "Key Loggers", and "Other Potentially Unwanted Programs".

Click on Save.
V-48863 Updated
Findings ID: AV-MOVE-SVA-113 Rule ID: SV-61741r12_rule Severity: medium CCI: CCI-001242

Discussion

When scanning for malware, excluding specific file types will increase the risk of a malware-infected file going undetected. By configuring antivirus software to scan all file types, the scanner has a higher success rate at detecting and eradicating malware. The excluding of files, paths, and processes from being scanned expands the potential for malware to be allowed onto the information system. While it is recognized that some file types might need to be excluded for operational reasons and/or because there is protection afforded to those files through a different mechanism, allowing those exclusions should always be vetted, documented and approved before applying.
System Administrator, Information Assurance Officer, Information Assurance Manager

Checks

From the ePO server console System Tree, select "My Organization". Select the Systems tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page.

Click on Actions | Agent | Modify Policies on a Single System.
From the "Product:" drop-down list, select MOVE AV [Agentless] 3.0.0. Locate "Scan" under the "Category" column and select the policy corresponding to it, found under the "Policy" column.

In the Exclusions tab, verify the "Path exclusions:" does not have any entry other than the default "**\McAfee\Common Framework\".
If any entries other than the default "**\McAfee\Common Framework\" do exist, verify those exclusions have been formally documented by the System Administrator and approved by the IAO/IAM.

If there are entries in the "Path exclusions:" other than the default "**\McAfee\Common Framework\" and those exclusions have not been formally documented by the System Administrator and approved by the IAO/IAM, this is a finding.
If the "Path Exclusions:" has been populated with any exclusions other than the default, and those exclusions have been formally documented by the System Administrator and approved by the IAO/IAM, this is not a finding.


For McAfee MOVE AV Agentless 3.0:

From the "Product:" drop-down list, select "MOVE AV [Agentless] 3.0.0". Locate "Scan" under the "Category" column and select the policy corresponding to it, found under the "Policy" column.

In the "Exclusions" tab, verify the "Path exclusions:" does not have any entry other than the default "**\McAfee\Common Framework\".

If any entries other than the default "**\McAfee\Common Framework\" do exist, verify those exclusions have been formally documented by the System Administrator and approved by the ISSO/ISSM.

If there are entries in the "Path exclusions:" other than the default "**\McAfee\Common Framework\" and those exclusions have not been formally documented by the System Administrator and approved by the ISSO/ISSM, this is a finding.

If the "Path Exclusions:" has been populated with any exclusions other than the default, and those exclusions have been formally documented by the System Administrator and approved by the ISSO/ISSM, this is not a finding.

For McAfee MOVE AV Agentless 3.6.1:

From the "Product:" drop-down list, select "MOVE AV [Agentless] 3.6.1". Locate "Scan" under the "Category" column and select the policy corresponding to it, found under the "Policy" column.

In the "Exclusions" tab, verify the "Path and File Exclusion:" does not have any entry other than the default "**\McAfee\Common Framework\".

If any entries other than the default "**\McAfee\Common Framework\" do exist, verify those exclusions have been formally documented by the System Administrator and approved by the ISSO/ISSM.

If there are entries in the "Path and File Exclusion:" other than the default "**\McAfee\Common Framework\" and those exclusions have not been formally documented by the System Administrator and approved by the ISSO/ISSM, this is a finding.

If the "Path and File Exclusion:" has been populated with any exclusions other than the default, and those exclusions have been formally documented by the System Administrator and approved by the ISSO/ISSM, this is not a finding.

Fix

From the ePO server console System Tree, select "My Organization". Select the Systems tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page.

Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select
"MOVE AV [Agentless] 3.0.0/3.6.1". Locate "Scan" under the "Category" column and select the policy corresponding to it, found under the "Policy" column.

In the Exclusions tab, remove any entries from the "Path exclusions:" which have not been documented by the System Administrator and approved by the IAO/IAM.

Click on Save.
V-48865 Updated
Findings ID: AV-MOVE-SVA-115 Rule ID: SV-61743r12_rule Severity: medium CCI: CCI-001242

Discussion

Malware incident containment has two major components: stopping the spread of malware and preventing further damage to hosts. Disinfecting a file is generally preferable to quarantining it because the malware is removed and the original file restored; however, many infected files cannot be disinfected. The primary goal of eradication is to remove malware from infected hosts.

Checks

From the ePO server console System Tree, select "My Organization". Select the Systems tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page.

Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "MOVE AV [Agentless] 3.0.0/3.6.1". Locate "Scan" under the "Category" column and select the policy corresponding to it, found under the "Policy" column.

In the Actions tab, next to the "On-Access Scan: When a threat is found:", verify "Delete files automatically" is selected from the drop-down list for the "Perform this action first".

If the "On-Access Scan: When a threat is found: Perform this action first:" does not have "Delete files automatically" selected from the drop-down list, this is a finding.

Fix

From the ePO server console System Tree, select "My Organization". Select the Systems tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page.

Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select
"MOVE AV [Agentless] 3.0.0/3.6.1". Locate "Scan" under the "Category" column and select the policy corresponding to it, found under the "Policy" column.

In the Actions tab, next to the "On-Access Scan: When a threat is found:", select "Delete files automatically" from the "Perform this action first:" drop-down list.

Click on Save.
V-48869 Updated
Findings ID: AV-MOVE-SVA-117 Rule ID: SV-61747r12_rule Severity: medium CCI: CCI-001242

Discussion

Malware incident containment has two major components: stopping the spread of malware and preventing further damage to hosts. Disinfecting a file is generally preferable to quarantining it because the malware is removed and the original file restored; however, many infected files cannot be disinfected. The primary goal of eradication is to remove malware from infected hosts.
System Administrator

Checks

From the ePO server console System Tree, select "My Organization". Select the Systems tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page.

Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "MOVE AV [Agentless] 3.0.0/3.6.1". Locate "Scan" under the "Category" column and select the policy corresponding to it, found under the "Policy" column.

In the Actions tab, next to the "On-Demand Scan: When a threat is found:", verify "Delete files automatically" is selected from the drop-down list for "Perform this action first".

If the "On-Demand Scan: When a threat is found: Perform this action first:" does not have "Delete files automatically" selected from the drop-down list, this is a finding.

Fix

From the ePO server console System Tree, select "My Organization". Select the Systems tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page.

Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select
"MOVE AV [Agentless] 3.0.0/3.6.1". Locate "Scan" under the "Category" column and select the policy corresponding to it, found under the "Policy" column.

In the Actions tab, next to the "On-Demand Scan: When a threat is found:", select "Delete files automatically" from the "Perform this action first:" drop-down list.

Click on Save.
V-48871 Updated
Findings ID: AV-MOVE-SVA-118 Rule ID: SV-61749r12_rule Severity: medium CCI: CCI-001242

Discussion

Malware incident containment has two major components: stopping the spread of malware and preventing further damage to hosts. Disinfecting a file is generally preferable to quarantining it because the malware is removed and the original file restored; however, many infected files cannot be disinfected. The primary goal of eradication is to remove malware from infected hosts.
System Administrator

Checks

From the ePO server console System Tree, select "My Organization". Select the Systems tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page.

Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "MOVE AV [Agentless] 3.0.0/3.6.1". Locate "Scan" under the "Category" column and select the policy corresponding to it, found under the "Policy" column.

In the Actions tab, next to the "On-Demand Scan: When a threat is found:", verify "Notify Only" is selected from the drop-down list for "If the first action fails, then perform this action".

If the "On-Demand Scan: When a threat is found: If the first action fails, then perform this action:" does not have "Notify Only" selected from the drop-down list, this is a finding.

Fix

From the ePO server console System Tree, select "My Organization". Select the Systems tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page.

Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select
"MOVE AV [Agentless] 3.0.0/3.6.1". Locate "Scan" under the "Category" column and select the policy corresponding to it, found under the "Policy" column.

In the Actions tab, next to the "On-Demand Scan: When a threat is found:", select "Notify Only" from the "If the first action fails, then perform this action:" drop-down list.

Click on Save.
V-48873 Updated
Findings ID: AV-MOVE-SVA-119 Rule ID: SV-61751r12_rule Severity: medium CCI: CCI-001242

Discussion

Malware incident containment has two major components: stopping the spread of malware and preventing further damage to hosts. Disinfecting a file is generally preferable to quarantining it because the malware is removed and the original file restored; however, many infected files cannot be disinfected. Accordingly, antivirus software should be configured to attempt to disinfect infected files and to either quarantine or delete files that cannot be disinfected. By enabling the Quarantine, organizations will have the ability to submit copies of unknown malware to their security software vendors for analysis and will be able to conduct internal forensic evaluation.
System Administrator

Checks

From the ePO server console System Tree, select "My Organization". Select the Systems tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page.

Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "MOVE AV [Agentless] 3.0.0/3.6.1". Locate "Scan" under the "Category" column and select the policy corresponding to it, found under the "Policy" column.

In the Quarantine tab, next to Quarantine configuration, verify the checkbox for "Enabled" is selected.

If the checkbox for "Quarantine configuration: Enabled" is not selected, this is a finding.

Fix

From the ePO server console System Tree, select "My Organization". Select the Systems tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page.

Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select
"MOVE AV [Agentless] 3.0.0/3.6.1". Locate "Scan" under the "Category" column and select the policy corresponding to it, found under the "Policy" column.

In the Quarantine tab, next to the "Quarantine configuration:", select the checkbox for "Enabled".

Click on Save.
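The checks for V-44979 through V-48873 above all inspect the same MOVE AV Agentless "Scan" policy, and a reviewer who has many SVAs to audit will want to apply them to an exported policy rather than click through each one. The following Python evaluator is an added example, not part of the STIG and not McAfee or DISA tooling. It encodes each check, including the SIPRNet exemption for GTI file reputation, the scheduled-scan alternative for archive scanning, and the documented-and-approved exception for path exclusions. The dict layout keyed by the ePO setting labels, the ordering assumed for the GTI sensitivity drop-down, and both sample policies are constructed for the example; the real ePO policy export format is not modelled, so an export must first be mapped into this shape.

```python
"""Evaluate a McAfee MOVE AV Agentless "Scan" policy snapshot against the SVA STIG.

Added example, not DISA or McAfee code.  The policy dict uses the ePO setting
labels quoted in the STIG as keys (assumed layout, not the real export format).
"""
from dataclasses import dataclass

# Assumed ordering of the GTI "Sensitivity level:" drop-down; the bar is Medium or higher.
GTI_LEVELS = ["Very Low", "Low", "Medium", "High", "Very High"]
PUP_CATEGORIES = ["Spyware", "Adware", "Remote Administration Tools", "Dialers",
                  "Password Crackers", "Jokes", "Key Loggers",
                  "Other Potentially Unwanted Programs"]
DEFAULT_EXCLUSION = "**\\McAfee\\Common Framework\\"  # the only exclusion allowed without approval


@dataclass(frozen=True)
class Finding:
    vuln_id: str
    stig_id: str
    detail: str


def evaluate(policy, approved_exclusions=(), sipr=False, scheduled_scan_covers_archives=False):
    """Return the STIG findings for one policy snapshot.

    approved_exclusions: path exclusions documented by the SA and approved by the ISSO/ISSM.
    sipr: the GTI file reputation check is Not Applicable on SIPRNet.
    scheduled_scan_covers_archives: the archive check may then be marked Not Applicable.
    """
    findings = []

    def flag(vuln, stig, detail):
        findings.append(Finding(vuln, stig, detail))

    scan = policy.get("Scan Items", {})
    if "On Close" not in scan.get("On-Access Scan files", []):
        flag("V-44979", "AV-MOVE-SVA-106", "On-Access Scan files: On Close not selected")
    compressed = scan.get("Compressed files", [])
    if "Scan inside archives (e.g., .ZIP)" not in compressed and not scheduled_scan_covers_archives:
        flag("V-44993", "AV-MOVE-SVA-107", "Compressed files: Scan inside archives not selected")
    if "Decode MIME encoded files" not in compressed:
        flag("V-48853", "AV-MOVE-SVA-108", "Compressed files: Decode MIME encoded files not selected")
    heuristics = scan.get("Heuristics", [])
    if "Find unknown macro threats" not in heuristics:
        flag("V-48855", "AV-MOVE-SVA-109", "Heuristics: Find unknown macro threats not selected")
    if "Find unknown unwanted programs and trojans" not in heuristics:
        flag("V-48857", "AV-MOVE-SVA-110", "Heuristics: Find unknown unwanted programs and trojans not selected")
    if not sipr:
        level = scan.get("McAfee Global Threat Intelligence file reputation", {}).get("Sensitivity level")
        if level not in GTI_LEVELS or GTI_LEVELS.index(level) < GTI_LEVELS.index("Medium"):
            flag("V-48859", "AV-MOVE-SVA-111", f"GTI sensitivity level {level!r} is below Medium")
    pup = scan.get("Unwanted programs detection", {})
    missing = [c for c in PUP_CATEGORIES if c not in pup.get("categories", [])]
    if not pup.get("Detect unwanted programs") or missing:
        flag("V-48861", "AV-MOVE-SVA-112", f"unwanted programs detection incomplete; missing {missing}")
    # Anything beyond the product default must appear on the approved list.
    exclusions = policy.get("Exclusions", {}).get("Path exclusions", [])
    unapproved = [e for e in exclusions if e != DEFAULT_EXCLUSION and e not in approved_exclusions]
    if unapproved:
        flag("V-48863", "AV-MOVE-SVA-113", f"undocumented path exclusions: {unapproved}")
    oas = policy.get("Actions", {}).get("On-Access Scan", {})
    ods = policy.get("Actions", {}).get("On-Demand Scan", {})
    if oas.get("Perform this action first") != "Delete files automatically":
        flag("V-48865", "AV-MOVE-SVA-115", "On-Access Scan first action is not Delete files automatically")
    if ods.get("Perform this action first") != "Delete files automatically":
        flag("V-48869", "AV-MOVE-SVA-117", "On-Demand Scan first action is not Delete files automatically")
    if ods.get("If the first action fails, then perform this action") != "Notify Only":
        flag("V-48871", "AV-MOVE-SVA-118", "On-Demand Scan fallback action is not Notify Only")
    if not policy.get("Quarantine", {}).get("Enabled"):
        flag("V-48873", "AV-MOVE-SVA-119", "Quarantine configuration: Enabled not selected")
    return findings


def vuln_ids(findings):
    """Sorted vulnerability ids, convenient for reports and assertions."""
    return sorted(f.vuln_id for f in findings)


# Constructed snapshot that satisfies every check (sample data, not a real export).
COMPLIANT_POLICY = {
    "Scan Items": {
        "On-Access Scan files": ["On Close"],
        "Compressed files": ["Scan inside archives (e.g., .ZIP)", "Decode MIME encoded files"],
        "Heuristics": ["Find unknown macro threats", "Find unknown unwanted programs and trojans"],
        "McAfee Global Threat Intelligence file reputation": {"Sensitivity level": "Medium"},
        "Unwanted programs detection": {"Detect unwanted programs": True, "categories": list(PUP_CATEGORIES)},
    },
    "Exclusions": {"Path exclusions": [DEFAULT_EXCLUSION]},
    "Actions": {
        "On-Access Scan": {"Perform this action first": "Delete files automatically"},
        "On-Demand Scan": {"Perform this action first": "Delete files automatically",
                           "If the first action fails, then perform this action": "Notify Only"},
    },
    "Quarantine": {"Enabled": True},
}

# Constructed snapshot with several weak settings and one extra exclusion (sample data).
WEAK_POLICY = {
    "Scan Items": {
        "On-Access Scan files": [],
        "Compressed files": [],
        "Heuristics": ["Find unknown macro threats"],
        "McAfee Global Threat Intelligence file reputation": {"Sensitivity level": "Low"},
        "Unwanted programs detection": {"Detect unwanted programs": True, "categories": ["Spyware", "Adware"]},
    },
    "Exclusions": {"Path exclusions": [DEFAULT_EXCLUSION, "D:\\BuildCache\\**"]},
    "Actions": {
        "On-Access Scan": {"Perform this action first": "Delete files automatically"},
        "On-Demand Scan": {"Perform this action first": "Notify Only",
                           "If the first action fails, then perform this action": "Notify Only"},
    },
    "Quarantine": {"Enabled": False},
}

if __name__ == "__main__":
    for f in evaluate(WEAK_POLICY):
        print(f"{f.vuln_id} ({f.stig_id}): {f.detail}")
```

Running the module prints nine findings for the weak policy and none for the compliant one; passing the extra path in `approved_exclusions` clears V-48863 without hiding the other results, which keeps the ISSO/ISSM approval record separate from the policy itself.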
V-49679 No Change
Findings ID: AV-MOVE-SVA-10 Rule ID: SV-62603r1_rule Severity: high CCI: CCI-001242

Discussion

The pre-configured Security Virtual Appliance (SVA) comes with a default password for the SVAadmin account. This account has root privileges to the Linux O/S of the appliance. By not changing the password from the default, the appliance will be subject to access by unauthorized individuals.
System Administrator

Checks

Have the System Administrator confirm the default SVAadmin password has been changed from the default of "admin".

If the SVAadmin password has not been changed from the default of "admin", this is a finding.

Fix

Following local password change procedures for Linux systems, change the SVAadmin password from the default of "admin".