McAfee VSEL 1.9/2.0 Managed Client Security Technical Implementation Guide

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: [email protected]

Details

Version / Release: V1R5

Published: 2020-03-24

Updated At: 2020-05-11 21:06:48

Compare/View Releases

Select any two versions of this STIG to compare the individual requirements

Select any old version/release of this STIG to view the previous requirements

Actions

Download

Filter


Findings
Severity Open Not Reviewed Not Applicable Not a Finding
Overall 0 0 0 0
Low 0 0 0 0
Medium 0 0 0 0
High 0 0 0 0
Drop CKL or SCAP (XCCDF) results here.

    Vuln Rule Version CCI Severity Title Description Status Finding Details Comments
    SV-77283r1_rule DTAVSEL-001 CCI-001240 HIGH The anti-virus signature file age must not exceed 7 days. Anti-virus signature files are updated almost daily by anti-virus software vendors. These files are made available to anti-virus clients as they are published. Keeping virus signature files as current as possible is vital to the security of any system. By
    SV-77487r1_rule DTAVSEL-002 CCI-001240 MEDIUM The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x must be configured to receive automatic updates. Anti-virus signature files are updated almost daily by anti-virus software vendors. These files are made available to anti-virus clients as they are published. Keeping virus signature files as current as possible is vital to the security of any system. Th
    SV-77489r1_rule DTAVSEL-003 CCI-001243 HIGH The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x must be configured to enable On-Access scanning. For anti-virus software to be effective, it must be running at all times, beginning from the point of the system's initial startup. Otherwise, the risk is greater for viruses, Trojans, and other malware infecting the system during that startup phase.
    SV-77491r1_rule DTAVSEL-004 CCI-001243 MEDIUM The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be configured to decompress archives when scanning. Malware is often packaged within an archive. In addition, archives may have other archives within. Not scanning archive files introduces the risk of infected files being introduced into the environment.
    SV-77493r1_rule DTAVSEL-005 CCI-001243 MEDIUM The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be configured to find unknown program viruses. Due to the ability of malware to mutate after infection, standard anti-virus signatures may not be able to catch new strains or variants of the malware. Typically, these strains and variants will share unique characteristics with others in their virus fam
    SV-77495r1_rule DTAVSEL-006 CCI-001243 MEDIUM The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be configured to find unknown macro viruses. Interpreted viruses are executed by an application. Within this subcategory, macro viruses take advantage of the capabilities of applications' macro programming language to infect application documents and document templates, while scripting viruses infec
    SV-77497r1_rule DTAVSEL-007 CCI-001243 MEDIUM The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be configured to find potentially unwanted programs. Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infection capability on their own, they rely on malware or other attach mec
    SV-77499r1_rule DTAVSEL-008 CCI-001243 MEDIUM The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be configured to scan files when being written to disk. Anti-virus software is the most commonly used technical control for malware threat mitigation. Real-time scanning of files as they are written to disk is a crucial first line of defense from malware attacks.
    SV-77501r1_rule DTAVSEL-009 CCI-001243 MEDIUM The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be configured to scan files when being read from disk. Anti-virus software is the most commonly used technical control for malware threat mitigation. Real-time scanning of files as they are read from disk is a crucial first line of defense from malware attacks.
    SV-77503r1_rule DTAVSEL-010 CCI-001243 MEDIUM The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be configured to scan all file types. When scanning for malware, excluding specific file types will increase the risk of a malware-infected file going undetected. By configuring anti-virus software to scan all file types, the scanner has a higher success rate at detecting and eradicating malw
    SV-77505r1_rule DTAVSEL-011 CCI-001243 MEDIUM The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner maximum scan time must not be less than 45 seconds. When anti-virus software is not configured to limit the amount of time spent trying to scan a file, the total effectiveness of the anti-virus software, and performance on the system being scanned, will be degraded. By limiting the amount of time the anti-
    SV-77507r2_rule DTAVSEL-012 CCI-001243 MEDIUM The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must only be configured with exclusions which are documented and approved by the ISSO/ISSM/AO. When scanning for malware, excluding specific files will increase the risk of a malware-infected file going undetected. By configuring anti-virus software without any exclusions, the scanner has a higher success rate at detecting and eradicating malware.
    SV-77509r1_rule DTAVSEL-013 CCI-001243 MEDIUM The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be configured to Clean infected files automatically as first action when a virus or Trojan is detected. Malware may have infected a file that is necessary to the user. By configuring the anti-virus software to first attempt cleaning the infected file, availability to the file is not sacrificed. If a cleaning attempt is not successful, however, deleting the
    SV-77511r1_rule DTAVSEL-014 CCI-001243 MEDIUM The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be configured to Move infected files to the quarantine directory if first action fails when a virus or Trojan is detected. Malware may have infected a file that is necessary to the user. By configuring the anti-virus software to first attempt cleaning the infected file, availability to the file is not sacrificed. If a cleaning attempt is not successful, however, deleting the
    SV-77513r1_rule DTAVSEL-015 CCI-001243 MEDIUM The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be configured to Clean infected files automatically as first action when programs and jokes are found. Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infection capability on their own, they rely on malware or other attach mec
    SV-77515r1_rule DTAVSEL-016 CCI-001243 MEDIUM The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be configured to Move infected files to the quarantine directory if first action fails when programs and jokes are found. Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infection capability on their own, they rely on malware or other attach mec
    SV-77517r1_rule DTAVSEL-017 CCI-001243 MEDIUM The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be configured to deny access to the file if scanning fails. Anti-virus software is the most commonly used technical control for malware threat mitigation. Real-time scanning of files as they are read from disk is a crucial first line of defense from malware attacks.
    SV-77519r1_rule DTAVSEL-018 CCI-001243 MEDIUM The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be configured to allow access to files if scanning times out. Anti-virus software is the most commonly used technical control for malware threat mitigation. Real-time scanning of files as they are read from disk is a crucial first line of defense from malware attacks.
    SV-77521r1_rule DTAVSEL-019 CCI-001242 MEDIUM The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be enabled to scan mounted volumes when mounted volumes point to a network server without an anti-virus solution installed. Mounting network volumes to other network systems introduces a path for malware to be introduced. It is imperative to protect Linux systems from malware introduced from those other network systems by either ensuring the remote systems are protected or by
    SV-77523r2_rule DTAVSEL-100 CCI-001241 MEDIUM The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x must be configured to run a scheduled On-Demand scan at least once a week. Anti-virus software is the most commonly used technical control for malware threat mitigation. Real-time scanning of files as they are read from disk is a crucial first line of defense from malware attacks but to ensure all files are frequently scanned, a
    SV-77525r1_rule DTAVSEL-101 CCI-001241 MEDIUM The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Demand scanner must be configured to decompress archives when scanning. Malware is often packaged within an archive. In addition, archives might have other archives within. Not scanning archive files introduces the risk of infected files being introduced into the environment.
    SV-77527r1_rule DTAVSEL-102 CCI-001241 MEDIUM The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Demand scanner must be configured to find unknown program viruses. Due to the ability of malware to mutate after infection, standard anti-virus signatures may not be able to catch new strains or variants of the malware. Typically, these strains and variants will share unique characteristics with others in their virus fam
    SV-77529r1_rule DTAVSEL-103 CCI-001241 MEDIUM The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Demand scanner must be configured to find unknown macro viruses. Interpreted viruses are executed by an application. Within this subcategory, macro viruses take advantage of the capabilities of applications' macro programming language to infect application documents and document templates, while scripting viruses infec
    SV-77531r1_rule DTAVSEL-104 CCI-001241 MEDIUM The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Demand scanner must be configured to find potentially unwanted programs. Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infection capability on their own, they rely on malware or other attach mec
    SV-77533r1_rule DTAVSEL-105 CCI-001241 MEDIUM The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Demand scanner must be configured to scan all file types. When scanning for malware, excluding specific file types will increase the risk of a malware-infected file going undetected. By configuring anti-virus software to scan all file types, the scanner has a higher success rate at detecting and eradicating malw
    SV-77535r1_rule DTAVSEL-106 CCI-001241 MEDIUM The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Demand scanner must be configured to Clean infected files automatically as first action when a virus or Trojan is detected. Malware may have infected a file that is necessary to the user. By configuring the anti-virus software to first attempt cleaning the infected file, availability to the file is not sacrificed. If a cleaning attempt is not successful, however, deleting the
    SV-77537r1_rule DTAVSEL-107 CCI-001241 MEDIUM The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Demand scanner must be configured to Move infected files to the quarantine directory if first action fails when a virus or Trojan is detected. Malware may have infected a file that is necessary to the user. By configuring the anti-virus software to first attempt cleaning the infected file, availability to the file is not sacrificed. If a cleaning attempt is not successful, however, deleting the
    SV-77539r2_rule DTAVSEL-108 CCI-001241 MEDIUM The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Demand scanner must only be configured with exclusions which are documented and approved by the ISSO/ISSM/AO. When scanning for malware, excluding specific files will increase the risk of a malware-infected file going undetected. By configuring anti-virus software without any exclusions, the scanner has a higher success rate at detecting and eradicating malware.
    SV-77541r1_rule DTAVSEL-109 CCI-000381 MEDIUM The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x Web UI must be disabled. If the Web UI was left enabled, the system to which the VSEL has been installed would be vulnerable for Web attacks. Disabling the Web UI will prevent the system from listening on HTTP.
    SV-77543r1_rule DTAVSEL-110 CCI-001241 MEDIUM The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Demand scanner must be configured to Clean infected files automatically as first action when programs and jokes are found. Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infection capability on their own, they rely on malware or other attach mec
    SV-77545r1_rule DTAVSEL-111 CCI-001241 MEDIUM The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Demand scanner must be configured to Move infected files to the quarantine directory if first action fails when programs and jokes are found. Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infection capability on their own, they rely on malware or other attach mec
    SV-77547r1_rule DTAVSEL-112 CCI-001241 MEDIUM The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Demand scanner must be configured to decode MIME encoded files. Malware is often packaged within an archive. In addition, archives might have other archives within. Not scanning archive files introduces the risk of infected files being introduced into the environment.
    SV-77549r2_rule DTAVSEL-113 CCI-001241 MEDIUM The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Demand scanner must be configured to include all local drives and their sub-directories. When scanning for malware, excluding specific file types will increase the risk of a malware-infected file going undetected. By configuring anti-virus software to scan all file types, the scanner has a higher success rate at detecting and eradicating malw
    SV-77553r1_rule DTAVSEL-200 CCI-000870 MEDIUM The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x must scan all media used for system maintenance prior to use. Removable media such as CD/DVDs allow a path for malware to be introduced to a Linux System. It is imperative to protect Linux systems from malware introduced from removable media by ensuring they are scanned before use.
    SV-77555r1_rule DTAVSEL-201 CCI-001749 MEDIUM The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x must be configured to receive all patches, service packs and updates from a DoD-managed source. Anti-virus signature files are updated almost daily by anti-virus software vendors. These files are made available to anti-virus clients as they are published. Keeping virus signature files as current as possible is vital to the security of any system. Th
    SV-77557r1_rule DTAVSEL-202 CCI-002235 MEDIUM The nails user and nailsgroup group must be restricted to the least privilege access required for the intended role. The McAfee VirusScan Enterprise for Linux software runs its processes under the nails user, which is part of the nailsgroup group. The WEB GUI is also accessed using the nails user. Ensuring this account only has access to the required functions necessary
    SV-77559r2_rule DTAVSEL-205 CCI-001240 MEDIUM A notification mechanism or process must be in place to notify Administrators of out of date DAT, detected malware and error codes. Failure of anti-virus signature updates will eventually render the software to be useless in protecting the Linux system from malware. Administration notification for failed updates, via SMTP, will ensure timely remediation of errors causing DATs to not b