McAfee VSEL 1.9/2.0 Managed Client Security Technical Implementation Guide

U_McAfee_VSEL_1-9_2-0_Managed_Client_STIG_V1R1_Manual-xccdf.xml

Version/Release Published Filters Downloads Update
V1R1 2015-11-30      
Update existing CKLs to this version of the STIG
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: [email protected]
Vuln Rule Version CCI Severity Title Description
SV-77283r1_rule DTAVSEL-001 CCI-001240 HIGH The anti-virus signature file age must not exceed 7 days. Anti-virus signature files are updated almost daily by anti-virus software vendors. These files are made available to anti-virus clients as they are published. Keeping virus signature files as current as possible is vital to the security of any system. By configuring a system to attempt an anti-virus update on a daily basis, the system is ensured of maintaining an anti-virus signature age of 7 days or less. If the update attempt were to be configured for only once a week, and that attempt failed, the system would be immediately out of date.
SV-77487r1_rule DTAVSEL-002 CCI-001240 MEDIUM The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x must be configured to receive automatic updates. Anti-virus signature files are updated almost daily by anti-virus software vendors. These files are made available to anti-virus clients as they are published. Keeping virus signature files as current as possible is vital to the security of any system. The anti-virus software product must be configured to receive those updates automatically in order to afford the expected protection.
SV-77489r1_rule DTAVSEL-003 CCI-001243 HIGH The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x must be configured to enable On-Access scanning. For anti-virus software to be effective, it must be running at all times, beginning from the point of the system's initial startup. Otherwise, the risk is greater for viruses, Trojans, and other malware infecting the system during that startup phase.
SV-77491r1_rule DTAVSEL-004 CCI-001243 MEDIUM The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be configured to decompress archives when scanning. Malware is often packaged within an archive. In addition, archives may have other archives within. Not scanning archive files introduces the risk of infected files being introduced into the environment.
SV-77493r1_rule DTAVSEL-005 CCI-001243 MEDIUM The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be configured to find unknown program viruses. Due to the ability of malware to mutate after infection, standard anti-virus signatures may not be able to catch new strains or variants of the malware. Typically, these strains and variants will share unique characteristics with others in their virus family. By using a generic signature to detect the shared characteristics, using wildcards where differences lie, the generic signature can detect viruses even if they are padded with extra, meaningless code. This method of detection is Heuristic detection.
SV-77495r1_rule DTAVSEL-006 CCI-001243 MEDIUM The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be configured to find unknown macro viruses. Interpreted viruses are executed by an application. Within this subcategory, macro viruses take advantage of the capabilities of applications' macro programming language to infect application documents and document templates, while scripting viruses infect scripts that are understood by scripting languages processed by services on the OS. Many attackers use toolkits containing several different types of utilities and scripts that can be used to probe and attack hosts. Scanning for unknown macro viruses will mitigate zero-day attacks.
SV-77497r1_rule DTAVSEL-007 CCI-001243 MEDIUM The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be configured to find potentially unwanted programs. Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infection capability on their own, they rely on malware or other attach mechanisms to be installed onto target hosts, after which they will collect and transfer data from the host to an external host and/or will be used as attach mechanisms. Configuring the anti-virus software to attempt to clean the file first will allow for the possibility of a false positive. In most cases, however, the secondary action of quarantine will be used, mitigating the risk of the PUPs being installed and used maliciously.
SV-77499r1_rule DTAVSEL-008 CCI-001243 MEDIUM The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be configured to scan files when being written to disk. Anti-virus software is the most commonly used technical control for malware threat mitigation. Real-time scanning of files as they are written to disk is a crucial first line of defense from malware attacks.
SV-77501r1_rule DTAVSEL-009 CCI-001243 MEDIUM The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be configured to scan files when being read from disk. Anti-virus software is the most commonly used technical control for malware threat mitigation. Real-time scanning of files as they are read from disk is a crucial first line of defense from malware attacks.
SV-77503r1_rule DTAVSEL-010 CCI-001243 MEDIUM The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be configured to scan all file types. When scanning for malware, excluding specific file types will increase the risk of a malware-infected file going undetected. By configuring anti-virus software to scan all file types, the scanner has a higher success rate at detecting and eradicating malware.
SV-77505r1_rule DTAVSEL-011 CCI-001243 MEDIUM The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner maximum scan time must not be less than 45 seconds. When anti-virus software is not configured to limit the amount of time spent trying to scan a file, the total effectiveness of the anti-virus software, and performance on the system being scanned, will be degraded. By limiting the amount of time the anti-virus software uses when scanning a file, the scan will be able to complete in a timely manner.
SV-77507r1_rule DTAVSEL-012 CCI-001243 MEDIUM The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must only be configured with exclusions which are documented and approved by the ISSO/ISSM/AO. When scanning for malware, excluding specific files will increase the risk of a malware-infected file going undetected. By configuring anti-virus software without any exclusions, the scanner has a higher success rate at detecting and eradicating malware.
SV-77509r1_rule DTAVSEL-013 CCI-001243 MEDIUM The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be configured to Clean infected files automatically as first action when a virus or Trojan is detected. Malware may have infected a file that is necessary to the user. By configuring the anti-virus software to first attempt cleaning the infected file, availability to the file is not sacrificed. If a cleaning attempt is not successful, however, deleting the file is the only safe option to ensure the malware is not introduced onto the system or network.
SV-77511r1_rule DTAVSEL-014 CCI-001243 MEDIUM The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be configured to Move infected files to the quarantine directory if first action fails when a virus or Trojan is detected. Malware may have infected a file that is necessary to the user. By configuring the anti-virus software to first attempt cleaning the infected file, availability to the file is not sacrificed. If a cleaning attempt is not successful, however, deleting the file is the only safe option to ensure the malware is not introduced onto the system or network.
SV-77513r1_rule DTAVSEL-015 CCI-001243 MEDIUM The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be configured to Clean infected files automatically as first action when programs and jokes are found. Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infection capability on their own, they rely on malware or other attach mechanisms to be installed onto target hosts, after which they will collect and transfer data from the host to an external host and/or will be used as attach mechanisms. Configuring the anti-virus software to attempt to clean the file first will allow for the possibility of a false positive. In most cases, however, the secondary action of quarantine will be used, mitigating the risk of the PUPs being installed and used maliciously.
SV-77515r1_rule DTAVSEL-016 CCI-001243 MEDIUM The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be configured to Move infected files to the quarantine directory if first action fails when programs and jokes are found. Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infection capability on their own, they rely on malware or other attach mechanisms to be installed onto target hosts, after which they will collect and transfer data from the host to an external host and/or will be used as attach mechanisms. Configuring the anti-virus software to attempt to clean the file first will allow for the possibility of a false positive. In most cases, however, the secondary action of quarantine will be used, mitigating the risk of the PUPs being installed and used maliciously.
SV-77517r1_rule DTAVSEL-017 CCI-001243 MEDIUM The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be configured to deny access to the file if scanning fails. Anti-virus software is the most commonly used technical control for malware threat mitigation. Real-time scanning of files as they are read from disk is a crucial first line of defense from malware attacks.
SV-77519r1_rule DTAVSEL-018 CCI-001243 MEDIUM The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be configured to allow access to files if scanning times out. Anti-virus software is the most commonly used technical control for malware threat mitigation. Real-time scanning of files as they are read from disk is a crucial first line of defense from malware attacks.
SV-77521r1_rule DTAVSEL-019 CCI-001242 MEDIUM The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be enabled to scan mounted volumes when mounted volumes point to a network server without an anti-virus solution installed. Mounting network volumes to other network systems introduces a path for malware to be introduced. It is imperative to protect Linux systems from malware introduced from those other network systems by either ensuring the remote systems are protected or by scanning files from those systems when they are accessed.
SV-77523r1_rule DTAVSEL-100 CCI-001241 MEDIUM The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x must be configured to run a scheduled On-Demand scan at least once a week. Anti-virus software is the most commonly used technical control for malware threat mitigation. Real-time scanning of files as they are read from disk is a crucial first line of defense from malware attacks but to ensure all files are frequently scanned, a regularly scheduled full scan will ensure malware missed by the real-time scanning will be detected and mitigated.
SV-77525r1_rule DTAVSEL-101 CCI-001241 MEDIUM The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Demand scanner must be configured to decompress archives when scanning. Malware is often packaged within an archive. In addition, archives might have other archives within. Not scanning archive files introduces the risk of infected files being introduced into the environment.
SV-77527r1_rule DTAVSEL-102 CCI-001241 MEDIUM The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Demand scanner must be configured to find unknown program viruses. Due to the ability of malware to mutate after infection, standard anti-virus signatures may not be able to catch new strains or variants of the malware. Typically, these strains and variants will share unique characteristics with others in their virus family. By using a generic signature to detect the shared characteristics, using wildcards where differences lie, the generic signature can detect viruses even if they are padded with extra, meaningless code. This method of detection is Heuristic detection.
SV-77529r1_rule DTAVSEL-103 CCI-001241 MEDIUM The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Demand scanner must be configured to find unknown macro viruses. Interpreted viruses are executed by an application. Within this subcategory, macro viruses take advantage of the capabilities of applications' macro programming language to infect application documents and document templates, while scripting viruses infect scripts that are understood by scripting languages processed by services on the OS. Many attackers use toolkits containing several different types of utilities and scripts that can be used to probe and attack hosts. Scanning for unknown macro viruses will mitigate zero-day attacks.
SV-77531r1_rule DTAVSEL-104 CCI-001241 MEDIUM The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Demand scanner must be configured to find potentially unwanted programs. Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infection capability on their own, they rely on malware or other attach mechanisms to be installed onto target hosts, after which they will collect and transfer data from the host to an external host and/or will be used as attach mechanisms. Configuring the anti-virus software to attempt to clean the file first will allow for the possibility of a false positive. In most cases, however, the secondary action of quarantine will be used, mitigating the risk of the PUPs being installed and used maliciously.
SV-77533r1_rule DTAVSEL-105 CCI-001241 MEDIUM The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Demand scanner must be configured to scan all file types. When scanning for malware, excluding specific file types will increase the risk of a malware-infected file going undetected. By configuring anti-virus software to scan all file types, the scanner has a higher success rate at detecting and eradicating malware.
SV-77535r1_rule DTAVSEL-106 CCI-001241 MEDIUM The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Demand scanner must be configured to Clean infected files automatically as first action when a virus or Trojan is detected. Malware may have infected a file that is necessary to the user. By configuring the anti-virus software to first attempt cleaning the infected file, availability to the file is not sacrificed. If a cleaning attempt is not successful, however, deleting the file is the only safe option to ensure the malware is not introduced onto the system or network.
SV-77537r1_rule DTAVSEL-107 CCI-001241 MEDIUM The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Demand scanner must be configured to Move infected files to the quarantine directory if first action fails when a virus or Trojan is detected. Malware may have infected a file that is necessary to the user. By configuring the anti-virus software to first attempt cleaning the infected file, availability to the file is not sacrificed. If a cleaning attempt is not successful, however, deleting the file is the only safe option to ensure the malware is not introduced onto the system or network.
SV-77539r1_rule DTAVSEL-108 CCI-001241 MEDIUM The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Demand scanner must only be configured with exclusions which are documented and approved by the ISSO/ISSM/AO. When scanning for malware, excluding specific files will increase the risk of a malware-infected file going undetected. By configuring anti-virus software without any exclusions, the scanner has a higher success rate at detecting and eradicating malware.
SV-77541r1_rule DTAVSEL-109 CCI-000381 MEDIUM The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x Web UI must be disabled. If the Web UI was left enabled, the system to which the VSEL has been installed would be vulnerable for Web attacks. Disabling the Web UI will prevent the system from listening on HTTP.
SV-77543r1_rule DTAVSEL-110 CCI-001241 MEDIUM The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Demand scanner must be configured to Clean infected files automatically as first action when programs and jokes are found. Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infection capability on their own, they rely on malware or other attach mechanisms to be installed onto target hosts, after which they will collect and transfer data from the host to an external host and/or will be used as attach mechanisms. Configuring the anti-virus software to attempt to clean the file first will allow for the possibility of a false positive. In most cases, however, the secondary action of quarantine will be used, mitigating the risk of the PUPs being installed and used maliciously.
SV-77545r1_rule DTAVSEL-111 CCI-001241 MEDIUM The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Demand scanner must be configured to Move infected files to the quarantine directory if first action fails when programs and jokes are found. Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infection capability on their own, they rely on malware or other attach mechanisms to be installed onto target hosts, after which they will collect and transfer data from the host to an external host and/or will be used as attach mechanisms. Configuring the anti-virus software to attempt to clean the file first will allow for the possibility of a false positive. In most cases, however, the secondary action of quarantine will be used, mitigating the risk of the PUPs being installed and used maliciously.
SV-77547r1_rule DTAVSEL-112 CCI-001241 MEDIUM The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Demand scanner must be configured to decode MIME encoded files. Malware is often packaged within an archive. In addition, archives might have other archives within. Not scanning archive files introduces the risk of infected files being introduced into the environment.
SV-77549r1_rule DTAVSEL-113 CCI-001241 MEDIUM The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Demand scanner must be configured to include all local drives and their sub-directories. When scanning for malware, excluding specific file types will increase the risk of a malware-infected file going undetected. By configuring anti-virus software to scan all file types, the scanner has a higher success rate at detecting and eradicating malware.
SV-77551r1_rule DTAVSEL-114 CCI-001242 MEDIUM The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Demand scan must be configured to scan mounted volumes when mounted volumes point to a network server without an anti-virus solution installed. Removable media such as CD/DVDs allow a path for malware to be introduced to a Linux System. It is imperative to protect Linux systems from malware introduced from removable media by ensuring they are scanned before use.
SV-77553r1_rule DTAVSEL-200 CCI-000870 MEDIUM The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x must scan all media used for system maintenance prior to use. Removable media such as CD/DVDs allow a path for malware to be introduced to a Linux System. It is imperative to protect Linux systems from malware introduced from removable media by ensuring they are scanned before use.
SV-77555r1_rule DTAVSEL-201 CCI-001749 MEDIUM The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x must be configured to receive all patches, service packs and updates from a DoD-managed source. Anti-virus signature files are updated almost daily by anti-virus software vendors. These files are made available to anti-virus clients as they are published. Keeping virus signature files as current as possible is vital to the security of any system. The anti-virus software product must be configured to receive those updates automatically in order to afford the expected protection. While obtaining updates, patches, service packs and updates from the vendor are timelier, the possibility of corruption or malware being introduced to the system is higher. By obtaining these from an official DoD source and/or downloading them to a separate system first and validating them before making them available to systems, the possibility of malware being introduced is mitigated.
SV-77557r1_rule DTAVSEL-202 CCI-002235 MEDIUM The nails user and nailsgroup group must be restricted to the least privilege access required for the intended role. The McAfee VirusScan Enterprise for Linux software runs its processes under the nails user, which is part of the nailsgroup group. The WEB GUI is also accessed using the nails user. Ensuring this account only has access to the required functions necessary for its intended role will mitigate the possibility of the nails user/nailsgroup group from being used to perform malicious destruction to the system in the event of a compromise.
SV-77559r1_rule DTAVSEL-205 CCI-001240 MEDIUM SMTP email notification must be enabled to ensure administrators are notified of out of date DAT, detected malware and error codes. Failure of anti-virus signature updates will eventually render the software to be useless in protecting the Linux system from malware. Administration notification for failed updates, via SMTP, will ensure timely remediation of errors causing DATs to not be updated.