McAfee VSEL 1.9/2.0 Managed Client Security Technical Implementation Guide

  • Version/Release: V1R5
  • Published: 2020-03-24
  • Released: 2020-04-24

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.
The anti-virus signature file age must not exceed 7 days.
SI-3 - High - CCI-001240 - V-62793 - SV-77283r1_rule
RMF Control: SI-3
Severity: High
CCI: CCI-001240
Version: DTAVSEL-001
Vuln IDs: V-62793
Rule IDs: SV-77283r1_rule
Anti-virus signature files are updated almost daily by anti-virus software vendors. These files are made available to anti-virus clients as they are published. Keeping virus signature files as current as possible is vital to the security of any system. By configuring a system to attempt an anti-virus update on a daily basis, the system is ensured of maintaining an anti-virus signature age of 7 days or less. If the update attempt were to be configured for only once a week, and that attempt failed, the system would be immediately out of date.
Checks: C-63601r1_chk

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the Linux system being reviewed. Click on the system to open the System Information page. On the System Information page, select the "Products" tab. Under the "Product" section, select "VirusScan Enterprise for Linux". Scroll down. Locate the DAT Date and DAT Version. Verify the "DAT Date:" is within the last 7 days. If the "DAT Date:" is not within the last 7 days, this is a finding.

Fix: F-68713r2_fix

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the Linux system being reviewed. Click on the system to open the System Information page. Click on Actions >> Agent >> Modify Tasks on a Single System. On the Client Tasks page, click on Actions >> New Client Task Assignment. On the Client Task Assignment Builder page, under the "Product" section, select "McAfee Agent". Under the "Task Type" section, select "Product Update". Under the "Task Name" section, click on "Create New Task". Type a unique name for the "Task Name". For "Package selection:", select the "All packages" radio button. Click "Save". Or, select the "Selected packages" radio button. For the "Package types:" section, select the "DAT" check box and the "Linux Engine" check box under the "Signatures and engines:" section. Click "Save". On the Client Task Assignment Builder page, under the "Task Name" section, select the task just created. Click on "Next" to schedule the task. For "Schedule status:", select the radio button for "Enabled". For "Schedule type:", choose "Daily". Schedule the "Effective period:", "Start time:" and other options according to best practices. Click "Next" to view Summary. Click "Save".
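The reasoning behind the daily schedule in DTAVSEL-001, worked through as an added example (not part of the STIG and not vendor code). It assumes a new DAT is published every day, that a successful update fetches that day's DAT, and that the system starts current on day 0; the function names are hypothetical.

```python
from datetime import date

MAX_DAT_AGE_DAYS = 7  # threshold stated by the requirement


def is_finding(dat_date: date, review_date: date) -> bool:
    """Finding when the DAT Date is not within the last 7 days.

    A DAT dated after the review date is also reported (assumption made
    for this example: it points to a clock or reporting fault).
    """
    age = (review_date - dat_date).days
    return age > MAX_DAT_AGE_DAYS or age < 0


def worst_signature_age(interval_days: int, failed_days: set, horizon_days: int) -> int:
    """Largest signature age seen over the horizon.

    Update attempts run on days 0, interval, 2*interval, ...; an attempt on a
    day listed in failed_days fails and leaves the old DAT in place.
    """
    last_success = 0  # assumption: the system is current on day 0
    worst = 0
    for day in range(horizon_days + 1):
        if day % interval_days == 0 and day not in failed_days:
            last_success = day
        worst = max(worst, day - last_success)
    return worst


if __name__ == "__main__":
    # Constructed scenarios over a four-week window.
    scenarios = [
        ("weekly, no failures", 7, set()),
        ("weekly, day-7 attempt fails", 7, {7}),
        ("daily, day-7 attempt fails", 1, {7}),
        ("daily, 7 consecutive failures", 1, set(range(7, 14))),
        ("daily, 8 consecutive failures", 1, set(range(7, 15))),
    ]
    for label, interval, failures in scenarios:
        age = worst_signature_age(interval, failures, 28)
        status = "finding" if age > MAX_DAT_AGE_DAYS else "ok"
        print(f"{label:32} worst age {age:2d} days -> {status}")
```

A weekly schedule has no margin: one failed attempt takes the age past 7 days, while the daily schedule absorbs a week of consecutive failures before the check fails.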

The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x must be configured to receive automatic updates.
SI-3 - Medium - CCI-001240 - V-62997 - SV-77487r1_rule
RMF Control: SI-3
Severity: Medium
CCI: CCI-001240
Version: DTAVSEL-002
Vuln IDs: V-62997
Rule IDs: SV-77487r1_rule
Anti-virus signature files are updated almost daily by anti-virus software vendors. These files are made available to anti-virus clients as they are published. Keeping virus signature files as current as possible is vital to the security of any system. The anti-virus software product must be configured to receive those updates automatically in order to afford the expected protection.
Checks: C-63749r1_chk

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the Linux system being reviewed. Click on the system to open the System Information page. Click on Actions >> Agent >> Modify Tasks on a Single System. From the list of available tasks in the "Task Name" column, with the assistance of the ePO SA, identify the VirusScan DAT update task. Verify the "Task Type" is listed as "Product Update". Verify the "Status" is listed as "Enabled". Under the "Task Name" column, click on the link for the designated task to review the task properties. Next to the "Package selection:", verify the "All packages" radio button is selected. If the "Selected packages" radio button is selected, verify the check box for "DAT" and the check box for "Linux Engine" have been selected for "Signatures and engines:" under the "Package types:" section. If there is not a task designated as the regularly scheduled DAT Update task, this is a finding. If there exists a task designated as the regularly scheduled DAT Update task, but neither the "All packages" nor the "DAT" selection under the "Package types: Signatures and engines:" section is selected, this is a finding.

Fix: F-68915r1_fix

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the Linux system being reviewed. Click on the system to open the System Information page. Click on Actions >> Agent >> Modify Tasks on a Single System. On the Client Tasks page, click on Actions >> New Client Task Assignment. On the Client Task Assignment Builder page, under the "Product" section, select "McAfee Agent". Under the "Task Type" section, select "Product Update". Under the "Task Name" section, click on "Create New Task". Type a unique name for the "Task Name". For "Package selection:", select the "All packages" radio button. Click "Save". Or, select the "Selected packages" radio button. For the "Package types:" section, select the "DAT" check box and the "Linux Engine" check box under the "Signatures and engines:" section. Click "Save". On the Client Task Assignment Builder, under the "Task Name" section, select the task just created. Click on "Next" to schedule the task. For "Schedule status:", select the radio button for "Enabled". For "Schedule type:", choose "Daily". Schedule the "Effective period:", "Start time:" and other options according to best practices. Click "Next" to view Summary. Click "Save".

The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x must be configured to enable On-Access scanning.
SI-3 - High - CCI-001243 - V-62999 - SV-77489r1_rule
RMF Control: SI-3
Severity: High
CCI: CCI-001243
Version: DTAVSEL-003
Vuln IDs: V-62999
Rule IDs: SV-77489r1_rule
For anti-virus software to be effective, it must be running at all times, beginning from the point of the system's initial startup. Otherwise, the risk is greater for viruses, Trojans, and other malware infecting the system during that startup phase.
Checks: C-63751r1_chk

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the Linux system being reviewed. Click on the system to open the System Information page. Click on Actions >> Agent >> Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.x/2.0.x". From the "Policy" column, click on the policy for the "On-Access Scanning Policy". In the "General" tab, next to the "On-access Scan:", verify the check box for "Enable on-access scanning (takes effect when policies are enforced)" is selected. Verify the "Quarantine Directory:" field is populated with "/quarantine" (or another valid location as determined by the organization). If the check box for "Enable on-access scanning (takes effect when policies are enforced)" is not selected, this is a finding. If the "Quarantine Directory:" field is not populated, this is a finding.

Fix: F-68917r1_fix

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the Linux system being reviewed. Click on the system to open the System Information page. Click on Actions >> Agent >> Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.x/2.0.x". From the "Policy" column, click on the policy for the "On-Access Scanning Policy". In the "General" tab, next to the "On-access Scan:", select the check box for "Enable on-access scanning (takes effect when policies are enforced)". In the "Quarantine Directory:" field, enter "/quarantine" (or another valid location as determined by the organization).

The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be configured to decompress archives when scanning.
SI-3 - Medium - CCI-001243 - V-63001 - SV-77491r1_rule
RMF Control: SI-3
Severity: Medium
CCI: CCI-001243
Version: DTAVSEL-004
Vuln IDs: V-63001
Rule IDs: SV-77491r1_rule
Malware is often packaged within an archive. In addition, archives may have other archives within. Not scanning archive files introduces the risk of infected files being introduced into the environment.
Checks: C-63753r1_chk

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the Linux system being reviewed. Click on the system to open the System Information page. Click on Actions >> Agent >> Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.x/2.0.x". From the "Policy" column, click on the policy for the "On-Access Scanning Policy". In the "Advanced" tab, next to the "Compressed files", verify the check box for "Scan inside multiple-file archives (e.g., .ZIP)" is selected. If the check box for "Compressed files: Scan inside multiple-file archives (e.g., .ZIP)" is not selected, this is a finding. SECURITY OVERRIDE: If the check box for "Compressed files: Scan inside multiple-file archives (e.g., .ZIP)" is not selected but the On-Demand scan decompress of archives is configured in the regularly scheduled scan, as specified in STIG ID DTAVSEL-101, this is a finding but can be dropped to a CAT III.

Fix: F-68919r1_fix

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the Linux system being reviewed. Click on the system to open the System Information page. Click on Actions >> Agent >> Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.x/2.0.x". From the "Policy" column, click on the policy for the "On-Access Scanning Policy". In the "Advanced" tab, next to the "Compressed files", select the check box for "Scan inside multiple-file archives (e.g., .ZIP)". Click "Save".

The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be configured to find unknown program viruses.
SI-3 - Medium - CCI-001243 - V-63003 - SV-77493r1_rule
RMF Control: SI-3
Severity: Medium
CCI: CCI-001243
Version: DTAVSEL-005
Vuln IDs: V-63003
Rule IDs: SV-77493r1_rule
Due to the ability of malware to mutate after infection, standard anti-virus signatures may not be able to catch new strains or variants of the malware. Typically, these strains and variants will share unique characteristics with others in their virus family. By using a generic signature to detect the shared characteristics, using wildcards where differences lie, the generic signature can detect viruses even if they are padded with extra, meaningless code. This method of detection is Heuristic detection.
Checks: C-63755r1_chk

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the Linux system being reviewed. Click on the system to open the System Information page. Click on Actions >> Agent >> Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.x/2.0.x". From the "Policy" column, click on the policy for the "On-Access Scanning Policy". In the "Advanced" tab, next to "Heuristics:", verify the check box for "Find unknown program viruses" is selected. If the check box for "Heuristics: Find unknown program viruses" is not selected, this is a finding.

Fix: F-68921r1_fix

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the Linux system being reviewed. Click on the system to open the System Information page. Click on Actions >> Agent >> Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.x/2.0.x". From the "Policy" column, click on the policy for the "On-Access Scanning Policy". In the "Advanced" tab, next to "Heuristics:", select the check box for "Find unknown program viruses".

The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be configured to find unknown macro viruses.
SI-3 - Medium - CCI-001243 - V-63005 - SV-77495r1_rule
RMF Control: SI-3
Severity: Medium
CCI: CCI-001243
Version: DTAVSEL-006
Vuln IDs: V-63005
Rule IDs: SV-77495r1_rule
Interpreted viruses are executed by an application. Within this subcategory, macro viruses take advantage of the capabilities of applications' macro programming language to infect application documents and document templates, while scripting viruses infect scripts that are understood by scripting languages processed by services on the OS. Many attackers use toolkits containing several different types of utilities and scripts that can be used to probe and attack hosts. Scanning for unknown macro viruses will mitigate zero-day attacks.
Checks: C-63757r1_chk

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the Linux system being reviewed. Click on the system to open the System Information page. Click on Actions >> Agent >> Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.x/2.0.x". From the "Policy" column, click on the policy for the "On-Access Scanning Policy". In the "Advanced" tab, next to "Heuristics:", verify the check box for "Find unknown macro viruses" is selected. If the check box for "Heuristics: Find unknown macro viruses" is not selected, this is a finding.

Fix: F-68923r1_fix

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the Linux system being reviewed. Click on the system to open the System Information page. Click on Actions >> Agent >> Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.x/2.0.x". From the "Policy" column, click on the policy for the "On-Access Scanning Policy". In the "Advanced" tab, next to "Heuristics:", select the check box for "Find unknown macro viruses".

The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be configured to find potentially unwanted programs.
SI-3 - Medium - CCI-001243 - V-63007 - SV-77497r1_rule
RMF Control: SI-3
Severity: Medium
CCI: CCI-001243
Version: DTAVSEL-007
Vuln IDs: V-63007
Rule IDs: SV-77497r1_rule
Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infection capability on their own, they rely on malware or other attack mechanisms to be installed onto target hosts, after which they will collect and transfer data from the host to an external host and/or will be used as attack mechanisms. Configuring the anti-virus software to attempt to clean the file first will allow for the possibility of a false positive. In most cases, however, the secondary action of quarantine will be used, mitigating the risk of the PUPs being installed and used maliciously.
Checks: C-63759r1_chk

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the Linux system being reviewed. Click on the system to open the System Information page. Click on Actions >> Agent >> Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.x/2.0.x". From the "Policy" column, click on the policy for the "On-Access Scanning Policy". In the "Advanced" tab, next to "Non-viruses:", verify the check box for "Find potentially unwanted programs" is selected. Verify the check box for "Find joke programs" is selected. If the check box for "Non-viruses: Find potentially unwanted programs" is not selected, this is a finding. If the check box for "Find joke programs" is not selected, this is a finding.

Fix: F-68925r1_fix

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the Linux system being reviewed. Click on the system to open the System Information page. Click on Actions >> Agent >> Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.x/2.0.x". From the "Policy" column, click on the policy for the "On-Access Scanning Policy". In the "Advanced" tab, next to "Non-viruses:", select the check box for "Find potentially unwanted programs". Select the check box for "Find joke programs". Click "Save".

The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be configured to scan files when being written to disk.
SI-3 - Medium - CCI-001243 - V-63009 - SV-77499r1_rule
RMF Control: SI-3
Severity: Medium
CCI: CCI-001243
Version: DTAVSEL-008
Vuln IDs: V-63009
Rule IDs: SV-77499r1_rule
Anti-virus software is the most commonly used technical control for malware threat mitigation. Real-time scanning of files as they are written to disk is a crucial first line of defense from malware attacks.
Checks: C-63761r1_chk

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the Linux system being reviewed. Click on the system to open the System Information page. Click on Actions >> Agent >> Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.x/2.0.x". From the "Policy" column, click on the policy for the "On-Access Scanning Policy". In the "Detections" tab, next to "Scan files:", verify the check box for "When writing to disk" is selected. If the check box for "Scan files: When writing to disk" is not selected, this is a finding.

Fix: F-68927r1_fix

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the Linux system being reviewed. Click on the system to open the System Information page. Click on Actions >> Agent >> Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.x/2.0.x". From the "Policy" column, click on the policy for the "On-Access Scanning Policy". In the "Detections" tab, next to "Scan files:", select the check box for "When writing to disk".

The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be configured to scan files when being read from disk.
SI-3 - Medium - CCI-001243 - V-63011 - SV-77501r1_rule
RMF Control: SI-3
Severity: Medium
CCI: CCI-001243
Version: DTAVSEL-009
Vuln IDs: V-63011
Rule IDs: SV-77501r1_rule
Anti-virus software is the most commonly used technical control for malware threat mitigation. Real-time scanning of files as they are read from disk is a crucial first line of defense from malware attacks.
Checks: C-63763r1_chk

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the Linux system being reviewed. Click on the system to open the System Information page. Click on Actions >> Agent >> Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.x/2.0.x". From the "Policy" column, click on the policy for the "On-Access Scanning Policy". In the "Detections" tab, next to "Scan files:", verify the check box for "When reading from disk" is selected. If the check box for "Scan files: When reading from disk" is not selected, this is a finding.

Fix: F-68929r1_fix

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the Linux system being reviewed. Click on the system to open the System Information page. Click on Actions >> Agent >> Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.x/2.0.x". From the "Policy" column, click on the policy for the "On-Access Scanning Policy". In the "Detections" tab, next to "Scan files:", select the check box for "When reading from disk". Click "Save".

The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be configured to scan all file types.
SI-3 - Medium - CCI-001243 - V-63013 - SV-77503r1_rule
RMF Control: SI-3
Severity: Medium
CCI: CCI-001243
Version: DTAVSEL-010
Vuln IDs: V-63013
Rule IDs: SV-77503r1_rule
When scanning for malware, excluding specific file types will increase the risk of a malware-infected file going undetected. By configuring anti-virus software to scan all file types, the scanner has a higher success rate at detecting and eradicating malware.
Checks: C-63765r1_chk

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the Linux system being reviewed. Click on the system to open the System Information page. Click on Actions >> Agent >> Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.x/2.0.x". From the "Policy" column, click on the policy for the "On-Access Scanning Policy". In the "Detections" tab, next to "What to scan:", verify the radio button for "All files" is selected. If the radio button for "What to scan: All files" is not selected, this is a finding.

Fix: F-68931r1_fix

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the Linux system being reviewed. Click on the system to open the System Information page. Click on Actions >> Agent >> Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.x/2.0.x". From the "Policy" column, click on the policy for the "On-Access Scanning Policy". In the "Detections" tab, next to "What to scan:", select the radio button for "All files". Click "Save".

The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner maximum scan time must not be less than 45 seconds.
SI-3 - Medium - CCI-001243 - V-63015 - SV-77505r1_rule
RMF Control: SI-3
Severity: Medium
CCI: CCI-001243
Version: DTAVSEL-011
Vuln IDs: V-63015
Rule IDs: SV-77505r1_rule
When anti-virus software is not configured to limit the amount of time spent trying to scan a file, the total effectiveness of the anti-virus software, and performance on the system being scanned, will be degraded. By limiting the amount of time the anti-virus software uses when scanning a file, the scan will be able to complete in a timely manner.
Checks: C-63767r1_chk

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the Linux system being reviewed. Click on the system to open the System Information page. Click on Actions >> Agent >> Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.x/2.0.x". From the "Policy" column, click on the policy for the "On-Access Scanning Policy". In the "General" tab, next to "Maximum Scan Time:", verify the check box for "Enforce maximum scanning time for all files" has been selected. Verify the "Maximum scan time (seconds):" is configured to 45 or more. If the check box for "Maximum Scan Time: Enforce maximum scanning time for all files" is not selected, this is a finding. If the "Maximum Scan Time (seconds):" is not configured to 45 or more, this is a finding. If both the "Maximum Scan Time:" setting for "Enforce maximum scanning time for all files" has a check in the check box and the "Maximum Scan Time:" setting for "Maximum scan time (seconds):" is configured to 45 or more, this is not a finding.

Fix: F-68933r1_fix

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the Linux system being reviewed. Click on the system to open the System Information page. Click on Actions >> Agent >> Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.x/2.0.x". From the "Policy" column, click on the policy for the "On-Access Scanning Policy". In the "General" tab, next to "Maximum Scan Time:", select the check box for "Enforce maximum scanning time for all files". Configure the "Maximum scan time (seconds):" to 45 or more. Click "Save".

The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must only be configured with exclusions which are documented and approved by the ISSO/ISSM/AO.
SI-3 - Medium - CCI-001243 - V-63017 - SV-77507r2_rule
RMF Control: SI-3
Severity: Medium
CCI: CCI-001243
Version: DTAVSEL-012
Vuln IDs: V-63017
Rule IDs: SV-77507r2_rule
When scanning for malware, excluding specific files will increase the risk of a malware-infected file going undetected. By configuring anti-virus software without any exclusions, the scanner has a higher success rate at detecting and eradicating malware.
Checks: C-63769r2_chk

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the Linux system being reviewed. Click on the system to open the System Information page. Click on Actions >> Agent >> Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.x/2.0.x". From the "Policy" column, click on the policy for the "On-Access Scanning Policy". In the "Detections" tab, next to "What not to scan:", verify the only entries for the "Select files and directories to be excluded from virus scanning" field are those below: Under "Paths Excluded From Scanning", verify no entries exist other than the allowed default paths referenced below:

  • /var/log
  • /_admin/Manage_NSS
  • /mnt/system/log
  • /media/nss/.*/(\._NETWARE|\._ADMIN)
  • /.*\.(vmdk|VMDK|dbl|DBL|ctl|CTL|log|LOG|jar|JAR|war|WAR|dtx|DTX|dbf|DBF|frm|FRM|myd|MYD|myi|MYI|rdo|RDO|arc|ARC)
  • /cgroup
  • /dev
  • /proc
  • /selinux
  • /sys

If any entries other than the default paths referenced above are present in the "What not to scan:" setting for the "Select files and directories to be excluded from virus scanning" field, verify the exclusion of those files and directories has been formally documented by the System Administrator and has been approved by the ISSO/ISSM.

If any entries other than the default paths referenced above are present in the "What not to scan:" setting for the "Select files and directories to be excluded from virus scanning" field, and those files and directories have not been formally documented by the System Administrator and approved by the ISSO/ISSM, this is a finding.

If any entries other than the default paths referenced above are present in the "What not to scan:" setting for the "Select files and directories to be excluded from virus scanning" field, and those files and directories have been formally documented by the System Administrator and approved by the ISSO/ISSM, this is not a finding.

Fix: F-68935r1_fix

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the Linux system being reviewed. Click on the system to open the System Information page. Click on Actions >> Agent >> Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.x/2.0.x". From the "Policy" column, click on the policy for the "On-Access Scanning Policy". In the "Detections" tab, next to "What not to scan:", verify the only entries for the "Select files and directories to be excluded from virus scanning" field are those below: Under "Paths Excluded From Scanning", remove all entries other than the approved exclusions listed below. Any additional required exclusions must be documented by the System Administrator and approved by the ISSO/ISSM.

  • /var/log
  • /_admin/Manage_NSS
  • /mnt/system/log
  • /media/nss/.*/(\._NETWARE|\._ADMIN)
  • /.*\.(vmdk|VMDK|dbl|DBL|ctl|CTL|log|LOG|jar|JAR|war|WAR|dtx|DTX|dbf|DBF|frm|FRM|myd|MYD|myi|MYI|rdo|RDO|arc|ARC)
  • /cgroup
  • /dev
  • /proc
  • /selinux
  • /sys
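One way to automate the DTAVSEL-012 comparison, as an added example that is not part of the STIG or of the product. The input lists are assumed to be typed or exported by the reviewer, and `covering_exclusion` further assumes entries behave as regular expressions anchored at the start of the path, with a directory entry covering everything beneath it; both function names are hypothetical.

```python
import re

# Default exclusions allowed by the check text, copied from the page.
ALLOWED_DEFAULTS = [
    "/var/log",
    "/_admin/Manage_NSS",
    "/mnt/system/log",
    r"/media/nss/.*/(\._NETWARE|\._ADMIN)",
    r"/.*\.(vmdk|VMDK|dbl|DBL|ctl|CTL|log|LOG|jar|JAR|war|WAR|dtx|DTX"
    r"|dbf|DBF|frm|FRM|myd|MYD|myi|MYI|rdo|RDO|arc|ARC)",
    "/cgroup",
    "/dev",
    "/proc",
    "/selinux",
    "/sys",
]


def audit_exclusions(configured, approved=()):
    """Classify configured exclusions against the defaults and approvals.

    configured: entries read from "Paths Excluded From Scanning".
    approved:   extra entries documented by the SA and approved by the ISSO/ISSM.
    Comparison is exact after trimming surrounding whitespace, so a near-miss
    such as "/var/logs" is reported rather than silently accepted.
    """
    allowed = set(ALLOWED_DEFAULTS)
    approved_set = {entry.strip() for entry in approved}
    seen, documented, undocumented = set(), [], []
    for raw in configured:
        entry = raw.strip()
        if not entry or entry in seen:
            continue  # skip blanks and duplicates
        seen.add(entry)
        if entry in allowed:
            continue
        (documented if entry in approved_set else undocumented).append(entry)
    return {
        "documented": documented,
        "undocumented": undocumented,
        "finding": bool(undocumented),
    }


def covering_exclusion(path, patterns=ALLOWED_DEFAULTS):
    """Return the first exclusion that covers path, or None if it is scanned.

    Assumed matching semantics (not taken from the page): regex anchored at
    the start of the path, directory entries cover their whole subtree.
    """
    for pattern in patterns:
        if re.match(pattern + r"(/.*)?$", path):
            return pattern
    return None


if __name__ == "__main__":
    # Constructed sample input: defaults plus two extra entries.
    configured = ALLOWED_DEFAULTS + ["/opt/oracle/data ", "/tmp", "/tmp"]
    print(audit_exclusions(configured, approved=["/opt/oracle/data"]))

    # Constructed paths showing what the default list leaves unscanned.
    for sample in ["/var/log/messages", "/srv/app/lib/payload.jar",
                   "/home/alice/invoice.pdf", "/var/logs/x"]:
        print(sample, "->", covering_exclusion(sample))
```

Under the stated matching assumption, the default extension pattern excludes `.jar`, `.war` and `.log` files at any location, which is worth knowing when deciding what the scheduled on-demand scan has to cover.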

The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be configured to Clean infected files automatically as first action when a virus or Trojan is detected.
SI-3 - Medium - CCI-001243 - V-63019 - SV-77509r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001243
Version
DTAVSEL-013
Vuln IDs
  • V-63019
Rule IDs
  • SV-77509r1_rule
Malware may have infected a file that is necessary to the user. By configuring the anti-virus software to first attempt cleaning the infected file, availability to the file is not sacrificed. If a cleaning attempt is not successful, however, deleting the file is the only safe option to ensure the malware is not introduced onto the system or network.
Checks: C-63771r1_chk

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the Linux system being reviewed. Click on the system to open the System Information page. Click on Actions >> Agent >> Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.x/2.0.x". From the "Policy" column, click on the policy for the "On-Access Scanning Policy". In the "Actions" tab, next to "When Viruses and Trojans are found:", verify the radio button for "Clean infected files automatically" is selected. If, next to "When Viruses and Trojans are found:", the radio button for "Clean infected files automatically" is not selected, this is a finding.

Fix: F-68937r1_fix

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the Linux system being reviewed. Click on the system to open the System Information page. Click on Actions >> Agent >> Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.x/2.0.x". From the "Policy" column, click on the policy for the "On-Access Scanning Policy". In the "Actions" tab, next to "When Viruses and Trojans are found:", select the radio button for "Clean infected files automatically". Click "Save".

The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be configured to Move infected files to the quarantine directory if first action fails when a virus or Trojan is detected.
SI-3 - Medium - CCI-001243 - V-63021 - SV-77511r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001243
Version
DTAVSEL-014
Vuln IDs
  • V-63021
Rule IDs
  • SV-77511r1_rule
Malware may have infected a file that is necessary to the user. By configuring the anti-virus software to first attempt cleaning the infected file, availability to the file is not sacrificed. If a cleaning attempt is not successful, however, deleting the file is the only safe option to ensure the malware is not introduced onto the system or network.
Checks: C-63773r1_chk

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the Linux system being reviewed. Click on the system to open the System Information page. Click on Actions >> Agent >> Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.x/2.0.x". From the "Policy" column, click on the policy for the "On-Access Scanning Policy". In the "Actions" tab, under the "When Viruses and Trojans are found:", next to "If the above action fails:", verify the "Move infected files to the quarantine directory" radio button is selected. If, next to "If the above action fails:", the radio button for "Move infected files to the quarantine directory" is not selected, this is a finding.

Fix: F-68939r1_fix

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the Linux system being reviewed. Click on the system to open the System Information page. Click on Actions >> Agent >> Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.x/2.0.x". From the "Policy" column, click on the policy for the "On-Access Scanning Policy". In the "Actions" tab, under the "When Viruses and Trojans are found:", next to "If the above action fails:", select the radio button for "Move infected files to the quarantine directory". Click "Save".

The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be configured to Clean infected files automatically as first action when programs and jokes are found.
SI-3 - Medium - CCI-001243 - V-63023 - SV-77513r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001243
Version
DTAVSEL-015
Vuln IDs
  • V-63023
Rule IDs
  • SV-77513r1_rule
Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infection capability on their own, they rely on malware or other attack mechanisms to be installed onto target hosts, after which they will collect and transfer data from the host to an external host and/or will be used as attack mechanisms. Configuring the anti-virus software to attempt to clean the file first will allow for the possibility of a false positive. In most cases, however, the secondary action of quarantine will be used, mitigating the risk of the PUPs being installed and used maliciously.
Checks: C-63775r1_chk

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the Linux system being reviewed. Click on the system to open the System Information page. Click on Actions >> Agent >> Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.x/2.0.x". From the "Policy" column, click on the policy for the "On-Access Scanning Policy". In the "Actions" tab, next to "When Programs & Jokes are found:", verify the radio button for "Clean infected files automatically" is selected. If, next to "When Programs & Jokes are found:", the radio button for "Clean infected files automatically" is not selected, this is a finding.

Fix: F-68941r1_fix

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the Linux system being reviewed. Click on the system to open the System Information page. Click on Actions >> Agent >> Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.x/2.0.x". From the "Policy" column, click on the policy for the "On-Access Scanning Policy". In the "Actions" tab, next to "When Programs & Jokes are found:", select the radio button for "Clean infected files automatically". Click "Save".

The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be configured to Move infected files to the quarantine directory if first action fails when programs and jokes are found.
SI-3 - Medium - CCI-001243 - V-63025 - SV-77515r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001243
Version
DTAVSEL-016
Vuln IDs
  • V-63025
Rule IDs
  • SV-77515r1_rule
Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infection capability on their own, they rely on malware or other attack mechanisms to be installed onto target hosts, after which they will collect and transfer data from the host to an external host and/or will be used as attack mechanisms. Configuring the anti-virus software to attempt to clean the file first will allow for the possibility of a false positive. In most cases, however, the secondary action of quarantine will be used, mitigating the risk of the PUPs being installed and used maliciously.
Checks: C-63777r1_chk

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the Linux system being reviewed. Click on the system to open the System Information page. Click on Actions >> Agent >> Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.x/2.0.x". From the "Policy" column, click on the policy for the "On-Access Scanning Policy". In the "Actions" tab, under the "When Programs & Jokes are found:", next to "If the above action fails:", verify the "Move infected files to the quarantine directory" radio button is selected. If, under the "When Programs & Jokes are found:", next to "If the above action fails:", the radio button for "Move infected files to the quarantine directory" is not selected, this is a finding.

Fix: F-68943r1_fix

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the Linux system being reviewed. Click on the system to open the System Information page. Click on Actions >> Agent >> Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.x/2.0.x". From the "Policy" column, click on the policy for the "On-Access Scanning Policy". In the "Actions" tab, under the "When Programs & Jokes are found:", next to "If the above action fails:", select the radio button for "Move infected files to the quarantine directory". Click "Save".

The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be configured to deny access to the file if scanning fails.
SI-3 - Medium - CCI-001243 - V-63027 - SV-77517r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001243
Version
DTAVSEL-017
Vuln IDs
  • V-63027
Rule IDs
  • SV-77517r1_rule
Anti-virus software is the most commonly used technical control for malware threat mitigation. Real-time scanning of files as they are read from disk is a crucial first line of defense from malware attacks.
Checks: C-63779r1_chk

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the Linux system being reviewed. Click on the system to open the System Information page. Click on Actions >> Agent >> Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.x/2.0.x". From the "Policy" column, click on the policy for the "On-Access Scanning Policy". In the "Actions" tab, verify the "If scanning fails:" "Deny access to the file" radio button is selected. If the "If scanning fails: Deny access to the file" radio button is not selected, this is a finding.

Fix: F-68945r1_fix

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the Linux system being reviewed. Click on the system to open the System Information page. Click on Actions >> Agent >> Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.x/2.0.x". From the "Policy" column, click on the policy for the "On-Access Scanning Policy". In the "Actions" tab, select the "If scanning fails:" "Deny access to the file" radio button. Click "Save".

The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be configured to allow access to files if scanning times out.
SI-3 - Medium - CCI-001243 - V-63029 - SV-77519r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001243
Version
DTAVSEL-018
Vuln IDs
  • V-63029
Rule IDs
  • SV-77519r1_rule
Anti-virus software is the most commonly used technical control for malware threat mitigation. Real-time scanning of files as they are read from disk is a crucial first line of defense from malware attacks.
Checks: C-63781r1_chk

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the Linux system being reviewed. Click on the system to open the System Information page. Click on Actions >> Agent >> Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.x/2.0.x". From the "Policy" column, click on the policy for the "On-Access Scanning Policy". In the "Actions" tab, verify the "If scanning times out: Allow access to the file" radio button is selected. If the "If scanning times out: Allow access to the file" radio button is not selected, this is a finding.

Fix: F-68947r1_fix

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the Linux system being reviewed. Click on the system to open the System Information page. Click on Actions >> Agent >> Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.x/2.0.x". From the "Policy" column, click on the policy for the "On-Access Scanning Policy". In the "Actions" tab, select the "If scanning times out: Allow access to the file" radio button. Click "Save".

The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be enabled to scan mounted volumes when mounted volumes point to a network server without an anti-virus solution installed.
SI-3 - Medium - CCI-001242 - V-63031 - SV-77521r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001242
Version
DTAVSEL-019
Vuln IDs
  • V-63031
Rule IDs
  • SV-77521r1_rule
Mounting network volumes to other network systems introduces a path for malware to be introduced. It is imperative to protect Linux systems from malware introduced from those other network systems by either ensuring the remote systems are protected or by scanning files from those systems when they are accessed.
Checks: C-63783r1_chk

With the System Administrator's assistance, determine network mounted volumes on the Linux system being reviewed. If network mounted volumes are mounted, verify whether anti-virus protection is locally installed on, and configured to protect, the network servers to which the mounted volumes connect. If all network servers to which mounted volumes connect are protected by locally installed and configured anti-virus protection, this check for the Linux system being reviewed is Not Applicable. If no network mounted volumes are configured on the Linux system being reviewed, this check is Not Applicable. If mounted volumes exist on the Linux system being reviewed which are connecting to network servers which lack locally installed and configured anti-virus protection, this check must be validated. From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the Linux system being reviewed. Click on the system to open the System Information page. Click on Actions >> Agent >> Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.x/2.0.x". From the "Policy" column, click on the policy for the "On-Access Scanning Policy". In the "Detections" tab, next to "Scan files:", verify the check box for "On network mounted volumes" is selected. If the check box for "On network mounted volumes" is not selected, this is a finding.

Fix: F-68949r1_fix

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the Linux system being reviewed. Click on the system to open the System Information page. Click on Actions >> Agent >> Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.x/2.0.x". From the "Policy" column, click on the policy for the "On-Access Scanning Policy". In the "Detections" tab, next to "Scan files:", select the check box for "On network mounted volume". Click "Apply".
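The first step of the check for this rule, determining the network mounted volumes and whether their servers are protected, can be worked from the contents of /proc/mounts. The following is an added example, not part of the STIG or of McAfee's tooling: the list of network filesystem types is an assumption and is not exhaustive, the set of anti-virus-protected servers must come from the SA, and the sample mount table is constructed.

```python
import re
from collections import namedtuple

# Assumed, non-exhaustive list of filesystem types that indicate a network mount.
NETWORK_FS_TYPES = frozenset({
    "nfs", "nfs4", "cifs", "smb3", "smbfs", "ncpfs", "afs", "ceph",
    "fuse.glusterfs", "fuse.sshfs",
})

Mount = namedtuple("Mount", "device mountpoint fstype server")


def unescape(field):
    """Decode the octal escapes /proc/mounts uses (for example \\040 for a space)."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def remote_server(device):
    """Extract the server name from a network mount's device field."""
    if device.startswith("//"):            # CIFS/SMB: //server/share
        return device[2:].split("/", 1)[0]
    if device.startswith("["):             # NFS over IPv6: [addr]:/export
        return device[1:].split("]", 1)[0]
    host, sep, _ = device.partition(":")   # NFS/sshfs: [user@]server:/export
    return host.rsplit("@", 1)[-1] if sep else device


def network_mounts(mounts_text):
    """Return the network mounts found in /proc/mounts-formatted text."""
    found = []
    for line in mounts_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        device, mountpoint, fstype = (unescape(p) for p in parts[:3])
        if fstype in NETWORK_FS_TYPES:
            server = remote_server(device).lower()
            found.append(Mount(device, mountpoint, fstype, server))
    return found


def review_scope(mounts_text, protected_servers):
    """Apply the check's applicability logic.

    Not Applicable when there are no network mounts, or when every server
    behind a network mount has locally installed and configured anti-virus.
    Otherwise the ePO policy setting must be validated.
    """
    protected = {s.lower() for s in protected_servers}
    unprotected = [m for m in network_mounts(mounts_text)
                   if m.server not in protected]
    status = "check must be validated" if unprotected else "Not Applicable"
    return status, unprotected


# Constructed sample in /proc/mounts format (raw string keeps the \040 escapes).
SAMPLE_MOUNTS = r"""/dev/sda1 / ext4 rw,relatime 0 0
proc /proc proc rw,nosuid 0 0
filer01.example.com:/export/home /home nfs4 rw,vers=4.1 0 0
//fs02.example.com/Shared\040Docs /mnt/shared\040docs cifs rw,vers=3.0 0 0
[2001:db8::10]:/srv/data /data nfs rw 0 0
"""

if __name__ == "__main__":
    # Constructed list of servers the SA has confirmed run anti-virus.
    status, gaps = review_scope(SAMPLE_MOUNTS,
                                {"filer01.example.com", "fs02.example.com"})
    print(status)
    for m in gaps:
        print(f"  {m.mountpoint} ({m.fstype}) -> {m.server}")
```

On the system under review, pass the text read from /proc/mounts in place of the constructed sample.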

The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x must be configured to run a scheduled On-Demand scan at least once a week.
SI-3 - Medium - CCI-001241 - V-63033 - SV-77523r2_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001241
Version
DTAVSEL-100
Vuln IDs
  • V-63033
Rule IDs
  • SV-77523r2_rule
Anti-virus software is the most commonly used technical control for malware threat mitigation. Real-time scanning of files as they are read from disk is a crucial first line of defense from malware attacks, but to ensure all files are frequently scanned, a regularly scheduled full scan will ensure malware missed by the real-time scanning will be detected and mitigated.
Checks: C-63785r3_chk

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the Linux system being reviewed. Click on the system to open the System Information page. Click on Actions >> Agent >> Modify Tasks on a Single System. From the list of available tasks in the "Task Name" column, with the assistance of the ePO SA, identify the weekly On Demand scan client task. If a weekly On Demand scan client task does not exist, this is a finding. For the designated weekly On Demand scan client task, verify the "Task Type" is listed as "On Demand Scan". Verify the "Status" is listed as "Enabled". If the task designated as the weekly On Demand scan client task’s "Status" is not listed as "Enabled", this is a finding.

Fix: F-68951r1_fix

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the Linux system being reviewed. Click on the system to open the System Information page. Create a New Client Task to run a regularly scheduled On Demand scan at least weekly, with the following selected: In the "Advanced" tab, next to the Heuristics, select the check box for "Find unknown program viruses". In the "Advanced" tab, next to the Compressed files, select the check box for "Scan inside multiple-file archives (e.g. .ZIP)". In the "Advanced" tab, next to "Heuristics:", select the check box for "Find unknown macro viruses". In the "Advanced" tab, next to "Non-viruses:", select the check box for "Find potentially unwanted programs". In the "Advanced" tab, select the check box for "Disable client Web UI:". In the "Advanced" tab, next to the Compressed files, select the check box for "Decode MIME encoded files:". In the "Where" tab, ensure the "Specify where scanning will take place" field is populated with all local drives. In the "Detection" tab, next to "What to scan:", select the radio button for "All files". In the "Actions" tab, next to "When Viruses and Trojans are found:", select the radio button for "Clean infected files automatically". In the "Actions" tab, next to "When Programs & Jokes are found:", select the radio button for "Clean infected files automatically". In the "Actions" tab, next to "When Programs & Jokes are found: If the above action fails:", select the radio button for "Move infected files to the quarantine directory". Click "Save".

The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Demand scanner must be configured to decompress archives when scanning.
SI-3 - Medium - CCI-001241 - V-63035 - SV-77525r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001241
Version
DTAVSEL-101
Vuln IDs
  • V-63035
Rule IDs
  • SV-77525r1_rule
Malware is often packaged within an archive. In addition, archives might have other archives within. Not scanning archive files introduces the risk of infected files being introduced into the environment.
Checks: C-63787r1_chk

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the Linux system being reviewed. Click on the system to open the System Information page. Click on Actions >> Agent >> Modify Tasks on a Single System. From the list of available tasks in the "Task Name" column, with the assistance of the ePO SA, identify the weekly On Demand scan client task. If a weekly On Demand scan client task does not exist, this is a finding. For the designated weekly On Demand scan client task, verify the "Task Type" is listed as "On Demand Scan". Verify the "Status" is listed as "Enabled". Under the "Task Name" column, click on the link for the designated task to review the task properties. In the "Advanced" tab, next to the Compressed files, verify the check box for "Scan inside multiple-file archives (e.g. .ZIP)" has been selected. If, for the task designated as the regularly scheduled On Demand Scan, the check box for "Scan inside multiple-file archives (e.g., .ZIP)" next to the Compressed files is not selected, this is a finding.

Fix: F-68953r1_fix

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the Linux system being reviewed. Click on the system to open the System Information page. If a task does not exist for the regularly scheduled weekly scan, create a New Client Task to run an On Demand scan at least weekly. Click on Actions >> Agent >> Modify Tasks on a Single System. From the list of available tasks in the "Task Name" column, with the assistance of the ePO SA, identify the weekly On Demand scan client task. Under the "Task Name" column, click on the link for the designated task to review the task properties. In the "Advanced" tab, next to the Compressed files, select the check box for "Scan inside multiple-file archives (e.g., .ZIP)". Click "Save".

The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Demand scanner must be configured to find unknown program viruses.
SI-3 - Medium - CCI-001241 - V-63037 - SV-77527r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001241
Version
DTAVSEL-102
Vuln IDs
  • V-63037
Rule IDs
  • SV-77527r1_rule
Due to the ability of malware to mutate after infection, standard anti-virus signatures may not be able to catch new strains or variants of the malware. Typically, these strains and variants will share unique characteristics with others in their virus family. By using a generic signature to detect the shared characteristics, using wildcards where differences lie, the generic signature can detect viruses even if they are padded with extra, meaningless code. This method of detection is Heuristic detection.
Checks: C-63789r1_chk

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the Linux system being reviewed. Click on the system to open the System Information page. Click on Actions >> Agent >> Modify Tasks on a Single System. From the list of available tasks in the "Task Name" column, with the assistance of the ePO SA, identify the weekly On Demand scan client task. If a weekly On Demand scan client task does not exist, this is a finding. For the designated weekly On Demand scan client task, verify the "Task Type" is listed as "On Demand Scan". Verify the "Status" is listed as "Enabled". Under the "Task Name" column, click on the link for the designated task to review the task properties. In the "Advanced" tab, next to the Heuristics, verify the check box for "Find unknown program viruses" has been selected. If, for the task designated as the regularly scheduled On Demand Scan, the check box for "Find unknown program viruses" next to the Heuristics has not been selected, this is a finding.

Fix: F-68955r1_fix

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the Linux system being reviewed. Click on the system to open the System Information page. If a task does not exist for the regularly scheduled weekly scan, create a New Client Task to run an On Demand scan at least weekly. Click on Actions >> Agent >> Modify Tasks on a Single System. From the list of available tasks in the "Task Name" column, with the assistance of the ePO SA, identify the weekly On Demand scan client task. For the designated weekly On Demand scan client task, verify the "Task Type" is listed as "On Demand Scan". Under the "Task Name" column, click on the link for the designated task to review the task properties. In the "Advanced" tab, next to the Heuristics, select the check box for "Find unknown program viruses". Click "Save".

The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Demand scanner must be configured to find unknown macro viruses.
SI-3 - Medium - CCI-001241 - V-63039 - SV-77529r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001241
Version
DTAVSEL-103
Vuln IDs
  • V-63039
Rule IDs
  • SV-77529r1_rule
Interpreted viruses are executed by an application. Within this subcategory, macro viruses take advantage of the capabilities of applications' macro programming language to infect application documents and document templates, while scripting viruses infect scripts that are understood by scripting languages processed by services on the OS. Many attackers use toolkits containing several different types of utilities and scripts that can be used to probe and attack hosts. Scanning for unknown macro viruses will mitigate zero-day attacks.
Checks: C-63791r1_chk

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the Linux system being reviewed. Click on the system to open the System Information page. Click on Actions >> Agent >> Modify Tasks on a Single System. From the list of available tasks in the "Task Name" column, with the assistance of the ePO SA, identify the weekly On Demand scan client task. If a weekly On Demand scan client task does not exist, this is a finding. For the designated weekly On Demand scan client task, verify the "Task Type" is listed as "On Demand Scan". Verify the "Status" is listed as "Enabled". Under the "Task Name" column, click on the link for the designated task to review the task properties. In the "Advanced" tab, next to "Heuristics:", verify the check box for "Find unknown macro viruses" is selected. If the check box for "Heuristics: Find unknown macro program viruses" is not selected, this is a finding.

Fix: F-68957r1_fix

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the Linux system being reviewed. Click on the system to open the System Information page. If a task does not exist for the regularly scheduled weekly scan, create a New Client Task to run an On Demand scan at least weekly. Click on Actions >> Agent >> Modify Tasks on a Single System. From the list of available tasks in the "Task Name" column, with the assistance of the ePO SA, identify the weekly On Demand scan client task. For the designated weekly On Demand scan client task, verify the "Task Type" is listed as "On Demand Scan". Under the "Task Name" column, click on the link for the designated task to review the task properties. In the "Advanced" tab, next to "Heuristics:", select the check box for "Find unknown macro viruses". Click "Save".

The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Demand scanner must be configured to find potentially unwanted programs.
SI-3 - Medium - CCI-001241 - V-63041 - SV-77531r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001241
Version
DTAVSEL-104
Vuln IDs
  • V-63041
Rule IDs
  • SV-77531r1_rule
Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infection capability on their own, they rely on malware or other attack mechanisms to be installed onto target hosts, after which they will collect and transfer data from the host to an external host and/or will be used as attack mechanisms. Configuring the anti-virus software to attempt to clean the file first will allow for the possibility of a false positive. In most cases, however, the secondary action of quarantine will be used, mitigating the risk of the PUPs being installed and used maliciously.
Checks: C-63793r1_chk

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the Linux system being reviewed. Click on the system to open the System Information page. Click on Actions >> Agent >> Modify Tasks on a Single System. From the list of available tasks in the "Task Name" column, with the assistance of the ePO SA, identify the weekly On Demand scan client task. If a weekly On Demand scan client task does not exist, this is a finding. For the designated weekly On Demand scan client task, verify the "Task Type" is listed as "On Demand Scan". Verify the "Status" is listed as "Enabled". Under the "Task Name" column, click on the link for the designated task to review the task properties. In the "Advanced" tab, next to "Non-viruses:", verify the check box for "Find potentially unwanted programs" is selected. Select the check box for "Find joke programs". If the check box for "Non-viruses: Find potentially unwanted programs" is not selected, this is a finding. If the check box for "Find joke programs" is not selected, this is a finding.

Fix: F-68959r1_fix

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the Linux system being reviewed. Click on the system to open the System Information page. If a task does not exist for the regularly scheduled weekly scan, create a New Client Task to run an On Demand scan at least weekly. Click on Actions >> Agent >> Modify Tasks on a Single System. From the list of available tasks in the "Task Name" column, with the assistance of the ePO SA, identify the weekly On Demand scan client task. For the designated weekly On Demand scan client task, verify the "Task Type" is listed as "On Demand Scan". Under the "Task Name" column, click on the link for the designated task to review the task properties. In the "Advanced" tab, next to "Non-viruses:", select the check box for "Find potentially unwanted programs". Select the check box for "Find joke programs". Click "Save".

The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Demand scanner must be configured to scan all file types.
SI-3 - Medium - CCI-001241 - V-63043 - SV-77533r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001241
Version
DTAVSEL-105
Vuln IDs
  • V-63043
Rule IDs
  • SV-77533r1_rule
When scanning for malware, excluding specific file types will increase the risk of a malware-infected file going undetected. By configuring anti-virus software to scan all file types, the scanner has a higher success rate at detecting and eradicating malware.
Checks: C-63795r1_chk

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the Linux system being reviewed. Click on the system to open the System Information page. Click on Actions >> Agent >> Modify Tasks on a Single System. From the list of available tasks in the "Task Name" column, with the assistance of the ePO SA, identify the weekly On Demand scan client task. If a weekly On Demand scan client task does not exist, this is a finding. For the designated weekly On Demand scan client task, verify the "Task Type" is listed as "On Demand Scan". Verify the "Status" is listed as "Enabled". Under the "Task Name" column, click on the link for the designated task to review the task properties. In the "Detection" tab, next to "What to scan:", verify the radio button for "All files" is selected. If the radio button for "What to scan: All files" is not selected, this is a finding.

Fix: F-68961r1_fix

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the Linux system being reviewed. Click on the system to open the System Information page. If a task does not exist for the regularly scheduled weekly scan, create a New Client Task to run an On Demand scan at least weekly. Click on Actions >> Agent >> Modify Tasks on a Single System. From the list of available tasks in the "Task Name" column, with the assistance of the ePO SA, identify the weekly On Demand scan client task. For the designated weekly On Demand scan client task, verify the "Task Type" is listed as "On Demand Scan". Under the "Task Name" column, click on the link for the designated task to review the task properties. In the "Detection" tab, next to "What to scan:", select the radio button for "All files". Click "Save".

The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Demand scanner must be configured to Clean infected files automatically as first action when a virus or Trojan is detected.
SI-3 - Medium - CCI-001241 - V-63045 - SV-77535r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001241
Version
DTAVSEL-106
Vuln IDs
  • V-63045
Rule IDs
  • SV-77535r1_rule
Malware may have infected a file that is necessary to the user. By configuring the anti-virus software to first attempt cleaning the infected file, availability of the file is not sacrificed. If a cleaning attempt is not successful, however, deleting the file is the only safe option to ensure the malware is not introduced onto the system or network.
Checks: C-63797r1_chk

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the Linux system being reviewed. Click on the system to open the System Information page. Click on Actions >> Agent >> Modify Tasks on a Single System. From the list of available tasks in the "Task Name" column, with the assistance of the ePO SA, identify the weekly On Demand scan client task. If a weekly On Demand scan client task does not exist, this is a finding. For the designated weekly On Demand scan client task, verify the "Task Type" is listed as "On Demand Scan". Verify the "Status" is listed as "Enabled". Under the "Task Name" column, click on the link for the designated task to review the task properties. In the "Actions" tab, next to "When Viruses and Trojans are found:", verify the radio button for "Clean infected files automatically" is selected. If the radio button for "When Viruses and Trojans are found: Clean infected files automatically" is not selected, this is a finding.

Fix: F-68963r1_fix

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the Linux system being reviewed. Click on the system to open the System Information page. If a task does not exist for the regularly scheduled weekly scan, create a New Client Task to run an On Demand scan at least weekly. Click on Actions >> Agent >> Modify Tasks on a Single System. From the list of available tasks in the "Task Name" column, with the assistance of the ePO SA, identify the weekly On Demand scan client task. For the designated weekly On Demand scan client task, verify the "Task Type" is listed as "On Demand Scan". Under the "Task Name" column, click on the link for the designated task to review the task properties. In the "Actions" tab, next to "When Viruses and Trojans are found:", select the radio button for "Clean infected files automatically". Click "Save".

The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Demand scanner must be configured to Move infected files to the quarantine directory if first action fails when a virus or Trojan is detected.
SI-3 - Medium - CCI-001241 - V-63047 - SV-77537r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001241
Version
DTAVSEL-107
Vuln IDs
  • V-63047
Rule IDs
  • SV-77537r1_rule
Malware may have infected a file that is necessary to the user. By configuring the anti-virus software to first attempt cleaning the infected file, availability of the file is not sacrificed. If a cleaning attempt is not successful, however, deleting the file is the only safe option to ensure the malware is not introduced onto the system or network.
Checks: C-63799r1_chk

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the Linux system being reviewed. Click on the system to open the System Information page. Click on Actions >> Agent >> Modify Tasks on a Single System. From the list of available tasks in the "Task Name" column, with the assistance of the ePO SA, identify the weekly On Demand scan client task. If a weekly On Demand scan client task does not exist, this is a finding. For the designated weekly On Demand scan client task, verify the "Task Type" is listed as "On Demand Scan". Verify the "Status" is listed as "Enabled". Under the "Task Name" column, click on the link for the designated task to review the task properties. In the "Actions" tab, under the "When Viruses and Trojans are found:", next to "If the above action fails:", verify the radio button for "Move infected files to the quarantine directory" is selected. Verify the "Quarantine Directory:" field is populated with "/quarantine" (or another valid location as determined by the organization). If the radio button for "If the above action fails: Move infected files to the quarantine directory" is not selected, this is a finding. If the "Quarantine Directory:" field is not populated, this is a finding.

Fix: F-68965r1_fix

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the Linux system being reviewed. Click on the system to open the System Information page. If a task does not exist for the regularly scheduled weekly scan, create a New Client Task to run an On Demand scan at least weekly. Click on Actions >> Agent >> Modify Tasks on a Single System. From the list of available tasks in the "Task Name" column, with the assistance of the ePO SA, identify the weekly On Demand scan client task. For the designated weekly On Demand scan client task, verify the "Task Type" is listed as "On Demand Scan". Under the "Task Name" column, click on the link for the designated task to review the task properties. In the "Actions" tab, under the "When Viruses and Trojans are found:", next to "If the above action fails:", select the radio button for "Move infected files to the quarantine directory". Populate the "Quarantine Directory:" field with "/quarantine" (or another valid location as determined by the organization). Click "Save".

The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Demand scanner must only be configured with exclusions which are documented and approved by the ISSO/ISSM/AO.
SI-3 - Medium - CCI-001241 - V-63049 - SV-77539r2_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001241
Version
DTAVSEL-108
Vuln IDs
  • V-63049
Rule IDs
  • SV-77539r2_rule
When scanning for malware, excluding specific files will increase the risk of a malware-infected file going undetected. By configuring anti-virus software without any exclusions, the scanner has a higher success rate at detecting and eradicating malware.
Checks: C-63801r2_chk

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the Linux system being reviewed. Click on the system to open the System Information page. Click on Actions >> Agent >> Modify Tasks on a Single System. From the list of available tasks in the "Task Name" column, with the assistance of the ePO SA, identify the weekly On Demand scan client task. If a weekly On Demand scan client task does not exist, this is a finding. For the designated weekly On Demand scan client task, verify the "Task Type" is listed as "On Demand Scan". Verify the "Status" is listed as "Enabled". Under the "Task Name" column, click on the link for the designated task to review the task properties. In the "Detection" tab, next to "What not to scan:", verify no entries exist other than the following approved paths:

  • /var/log
  • /_admin/Manage_NSS
  • /mnt/system/log
  • /media/nss/.*/(\._NETWARE|\._ADMIN)
  • /.*\.(vmdk|VMDK|dbl|DBL|ctl|CTL|log|LOG|jar|JAR|war|WAR|dtx|DTX|dbf|DBF|frm|FRM|myd|MYD|myi|MYI|rdo|RDO|arc|ARC)
  • /cgroup
  • /dev
  • /proc
  • /selinux
  • /sys
  • /quarantine (or other custom configured quarantine directory)

If any entries exist, verify the exclusion of those files and directories has been documented by the System Administrator and approved by the ISSO/ISSM.

Fix: F-68967r1_fix

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the Linux system being reviewed. Click on the system to open the System Information page. If a task does not exist for the regularly scheduled weekly scan, create a New Client Task to run an On Demand scan at least weekly. Click on Actions >> Agent >> Modify Tasks on a Single System. From the list of available tasks in the "Task Name" column, with the assistance of the ePO SA, identify the weekly On Demand scan client task. For the designated weekly On Demand scan client task, verify the "Task Type" is listed as "On Demand Scan". Under the "Task Name" column, click on the link for the designated task to review the task properties. In the "Detection" tab, next to "What not to scan:", remove any entries from the "What not to scan:" section for which there has not been ISSO/ISSM approval. Click "Save".

The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x Web UI must be disabled.
CM-7 - Medium - CCI-000381 - V-63051 - SV-77541r1_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
DTAVSEL-109
Vuln IDs
  • V-63051
Rule IDs
  • SV-77541r1_rule
If the Web UI were left enabled, the system on which VSEL has been installed would be vulnerable to Web attacks. Disabling the Web UI will prevent the system from listening on HTTP.
Checks: C-63803r1_chk

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the Linux system being reviewed. Click on the system to open the System Information page. Click on Actions >> Agent >> Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.x/2.0.x". From the "Policy" column, click on the policy for the "General Policies". In the "Advanced" tab, verify the check box for "Disable client Web UI:" is selected. If the check box for "Disable client Web UI:" is not selected, this is a finding.

Fix: F-68969r1_fix

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the Linux system being reviewed. Click on the system to open the System Information page. Click on Actions >> Agent >> Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.x/2.0.x". From the "Policy" column, click on the policy for the "General Policies". In the "Advanced" tab, select the check box for "Disable client Web UI:". Click "Save".

The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Demand scanner must be configured to Clean infected files automatically as first action when programs and jokes are found.
SI-3 - Medium - CCI-001241 - V-63053 - SV-77543r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001241
Version
DTAVSEL-110
Vuln IDs
  • V-63053
Rule IDs
  • SV-77543r1_rule
Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infection capability on their own, they rely on malware or other attack mechanisms to be installed onto target hosts, after which they will collect and transfer data from the host to an external host and/or will be used as attack mechanisms. Configuring the anti-virus software to attempt to clean the file first will allow for the possibility of a false positive. In most cases, however, the secondary action of quarantine will be used, mitigating the risk of the PUPs being installed and used maliciously.
Checks: C-63805r1_chk

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the Linux system being reviewed. Click on the system to open the System Information page. Click on Actions >> Agent >> Modify Tasks on a Single System. From the list of available tasks in the "Task Name" column, with the assistance of the ePO SA, identify the weekly On Demand scan client task. If a weekly On Demand scan client task does not exist, this is a finding. For the designated weekly On Demand scan client task, verify the "Task Type" is listed as "On Demand Scan". Verify the "Status" is listed as "Enabled". Under the "Task Name" column, click on the link for the designated task to review the task properties. In the "Actions" tab, next to "When Programs & Jokes are found:", verify the radio button for "Clean infected files automatically" is selected. If the radio button for "When Programs & Jokes are found: Clean infected files automatically" is not selected, this is a finding.

Fix: F-68971r1_fix

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the Linux system being reviewed. Click on the system to open the System Information page. Click on Actions >> Agent >> Modify Tasks on a Single System. From the list of available tasks in the "Task Name" column, with the assistance of the ePO SA, identify the weekly On Demand scan client task. For the designated weekly On Demand scan client task, verify the "Task Type" is listed as "On Demand Scan". Under the "Task Name" column, click on the link for the designated task to review the task properties. In the "Actions" tab, next to "When Programs & Jokes are found:", select the radio button for "Clean infected files automatically". Click "Save".

The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Demand scanner must be configured to Move infected files to the quarantine directory if first action fails when programs and jokes are found.
SI-3 - Medium - CCI-001241 - V-63055 - SV-77545r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001241
Version
DTAVSEL-111
Vuln IDs
  • V-63055
Rule IDs
  • SV-77545r1_rule
Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infection capability on their own, they rely on malware or other attack mechanisms to be installed onto target hosts, after which they will collect and transfer data from the host to an external host and/or will be used as attack mechanisms. Configuring the anti-virus software to attempt to clean the file first will allow for the possibility of a false positive. In most cases, however, the secondary action of quarantine will be used, mitigating the risk of the PUPs being installed and used maliciously.
Checks: C-63807r1_chk

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the Linux system being reviewed. Click on the system to open the System Information page. Click on Actions >> Agent >> Modify Tasks on a Single System. From the list of available tasks in the "Task Name" column, with the assistance of the ePO SA, identify the weekly On Demand scan client task. If a weekly On Demand scan client task does not exist, this is a finding. For the designated weekly On Demand scan client task, verify the "Task Type" is listed as "On Demand Scan". Verify the "Status" is listed as "Enabled". Under the "Task Name" column, click on the link for the designated task to review the task properties. In the "Actions" tab, for "When Programs & Jokes are found: If the above action fails:", verify the radio button for "Move infected files to the quarantine directory" is selected. Verify the "Quarantine Directory:" field is populated with "/quarantine" (or another valid location as determined by the organization). If the radio button for "When Programs & Jokes are found: If the above action fails: Move infected files to the quarantine directory" is not selected, this is a finding. If the "Quarantine Directory:" field is not populated with "/quarantine" (or another valid location as determined by the organization), this is a finding.

Fix: F-68973r1_fix

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the Linux system being reviewed. Click on the system to open the System Information page. Click on Actions >> Agent >> Modify Tasks on a Single System. From the list of available tasks in the "Task Name" column, with the assistance of the ePO SA, identify the weekly On Demand scan client task. For the designated weekly On Demand scan client task, verify the "Task Type" is listed as "On Demand Scan". Under the "Task Name" column, click on the link for the designated task to review the task properties. In the "Actions" tab, for "When Programs & Jokes are found: If the above action fails:", select the radio button for "Move infected files to the quarantine directory". Populate the "Quarantine Directory:" field with "/quarantine" (or another valid location as determined by the organization). Click "Save".

The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Demand scanner must be configured to decode MIME encoded files.
SI-3 - Medium - CCI-001241 - V-63057 - SV-77547r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001241
Version
DTAVSEL-112
Vuln IDs
  • V-63057
Rule IDs
  • SV-77547r1_rule
Malware is often packaged within an archive. In addition, archives might have other archives within. Not scanning archive files introduces the risk of infected files being introduced into the environment.
Checks: C-63809r1_chk

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the Linux system being reviewed. Click on the system to open the System Information page. Click on Actions >> Agent >> Modify Tasks on a Single System. From the list of available tasks in the "Task Name" column, with the assistance of the ePO SA, identify the weekly On Demand scan client task. If a weekly On Demand scan client task does not exist, this is a finding. For the designated weekly On Demand scan client task, verify the "Task Type" is listed as "On Demand Scan". Verify the "Status" is listed as "Enabled". Under the "Task Name" column, click on the link for the designated task to review the task properties. In the "Advanced" tab, next to the Compressed files, verify the check box for "Decode MIME encoded files:" has been selected. If, for the task designated as the regularly scheduled On Demand Scan, the check box for "Decode MIME encoded files:" next to the Compressed files is not selected, this is a finding.

Fix: F-68975r1_fix

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the Linux system being reviewed. Click on the system to open the System Information page. Click on Actions >> Agent >> Modify Tasks on a Single System. From the list of available tasks in the "Task Name" column, with the assistance of the ePO SA, identify the weekly On Demand scan client task. Under the "Task Name" column, click on the link for the designated task to review the task properties. In the "Advanced" tab, next to the Compressed files, select the check box for "Decode MIME encoded files:". Click "Save".

The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Demand scanner must be configured to include all local drives and their sub-directories.
SI-3 - Medium - CCI-001241 - V-63059 - SV-77549r2_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001241
Version
DTAVSEL-113
Vuln IDs
  • V-63059
Rule IDs
  • SV-77549r2_rule
When scanning for malware, excluding specific file types will increase the risk of a malware-infected file going undetected. By configuring anti-virus software to scan all file types, the scanner has a higher success rate at detecting and eradicating malware.
Checks: C-63811r2_chk

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the Linux system being reviewed. Click on the system to open the System Information page. Click on Actions >> Agent >> Modify Tasks on a Single System. From the list of available tasks in the "Task Name" column, with the assistance of the ePO SA, identify the weekly On Demand scan client task. If a weekly On Demand scan client task does not exist, this is a finding. For the designated weekly On Demand scan client task, verify the "Task Type" is listed as "On Demand Scan". Verify the "Status" is listed as "Enabled". Under the "Task Name" column, click on the link for the designated task to review the task properties. In the "Where" tab, verify the "Specify where scanning will take place" field is populated with "/" and "Scan options" has the "Include sub-directories" check box selected. If the "Specify where scanning will take place" field is not populated with "/" and/or the "Include sub-directories" check box is not selected, this is a finding.

Fix: F-68977r1_fix

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the Linux system being reviewed. Click on the system to open the System Information page. Click on Actions >> Agent >> Modify Tasks on a Single System. From the list of available tasks in the "Task Name" column, with the assistance of the ePO SA, identify the weekly On Demand scan client task. For the designated weekly On Demand scan client task, verify the "Task Type" is listed as "On Demand Scan". Under the "Task Name" column, click on the link for the designated task to review the task properties. In the "Where" tab, populate the "Specify where scanning will take place" field with "/". Next to "Scan options", select the check box for "Include sub-directories". Click "Save".

The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x must scan all media used for system maintenance prior to use.
MA-3 - Medium - CCI-000870 - V-63063 - SV-77553r1_rule
RMF Control
MA-3
Severity
Medium
CCI
CCI-000870
Version
DTAVSEL-200
Vuln IDs
  • V-63063
Rule IDs
  • SV-77553r1_rule
Removable media such as CD/DVDs allow a path for malware to be introduced to a Linux System. It is imperative to protect Linux systems from malware introduced from removable media by ensuring they are scanned before use.
Checks: C-63815r1_chk

Consult with the System Administrator of the Linux system being reviewed. Verify procedures are documented which require the manual scanning of all media used for system maintenance before media is used. If a procedure is not documented requiring the manual scanning of all media used for system maintenance before media is used, this is a finding.

Fix: F-68981r1_fix

Create procedures, or add to existing system administration procedures, which require the scanning of all media used for system maintenance before media is used.

The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x must be configured to receive all patches, service packs and updates from a DoD-managed source.
CM-5 - Medium - CCI-001749 - V-63065 - SV-77555r1_rule
RMF Control
CM-5
Severity
Medium
CCI
CCI-001749
Version
DTAVSEL-201
Vuln IDs
  • V-63065
Rule IDs
  • SV-77555r1_rule
Anti-virus signature files are updated almost daily by anti-virus software vendors. These files are made available to anti-virus clients as they are published. Keeping virus signature files as current as possible is vital to the security of any system. The anti-virus software product must be configured to receive those updates automatically in order to afford the expected protection. While obtaining patches, service packs and updates from the vendor is timelier, the possibility of corruption or malware being introduced to the system is higher. By obtaining these from an official DoD source and/or downloading them to a separate system first and validating them before making them available to systems, the possibility of malware being introduced is mitigated.
Checks: C-63817r1_chk

Log into the ePO server console. From Menu, select Configuration >> Server Settings. From Setting Categories, select Source Sites. Verify the DoD-controlled entry (mcafee.csd.disa.mil) for source repositories is present. If the DoD-controlled entry for source sites is not present, this is a finding.

Note: If this is a disconnected network, this requirement can be met via the use of a manual distribution. The process must be documented and meet the requirements for frequency as defined in this document.

Note: If the ePO server is outside of the .mil address space (such as, .edu, .gov, etc.), connection to the DoD-controlled servers for updates will not be possible. In this case, updates from the vendor are acceptable and this check should be marked NA.

Fix: F-68983r1_fix

Configure the ePO server to use the DoD-controlled source repository.

The nails user and nailsgroup group must be restricted to the least privilege access required for the intended role.
AC-6 - Medium - CCI-002235 - V-63067 - SV-77557r1_rule
RMF Control
AC-6
Severity
Medium
CCI
CCI-002235
Version
DTAVSEL-202
Vuln IDs
  • V-63067
Rule IDs
  • SV-77557r1_rule
The McAfee VirusScan Enterprise for Linux software runs its processes under the nails user, which is part of the nailsgroup group. The WEB GUI is also accessed using the nails user. Ensuring this account only has access to the functions necessary for its intended role will mitigate the possibility of the nails user/nailsgroup group being used to perform malicious destruction to the system in the event of a compromise.
Checks: C-63819r1_chk

Access the Linux system console command line as root. Execute the following commands. These commands will write the results to text files for easier review.

    find / -group nailsgroup >nailsgroup.txt
    find / -user nails >nails.txt

Execute the following commands to individually review each of the text files of results, pressing space bar to move to each page until the end of the exported text.

    more nailsgroup.txt
    more nails.txt

When reviewing the results, verify the nailsgroup group and nails user only own the following paths. The following paths assume an INSTALLDIR of /opt/NAI/LinuxShield and a RUNTIMEDIR of /var/opt/NAI/LinuxShield. If alternative folders were used, replace the following paths accordingly when validating.

  • /var/opt/NAI and sub-folders
  • /opt/NAI and sub-folders
  • /McAfee/lib
  • /var/spool/mail/nails
  • /proc/##### (where ##### represents the various process IDs for the VSEL processes)

If any other folder is owned by either the nailsgroup group or the nails user, this is a finding.

Fix: F-68985r1_fix

Access the Linux system console command line as root. Navigate to each path to which the nails user or nailsgroup group has unnecessary permissions/ownership. Using the chmod command, reduce or remove permissions for the nails user. Using the chown command, remove ownership by the nails user or nailsgroup group.

A notification mechanism or process must be in place to notify Administrators of out of date DAT, detected malware and error codes.
SI-3 - Medium - CCI-001240 - V-63069 - SV-77559r2_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001240
Version
DTAVSEL-205
Vuln IDs
  • V-63069
Rule IDs
  • SV-77559r2_rule
Failure of anti-virus signature updates will eventually render the software useless in protecting the Linux system from malware. Administrator notification of failed updates, via SMTP, will ensure timely remediation of the errors preventing DATs from being updated.
Checks: C-63821r3_chk

The preferred method for notification is via ePO Automatic Responses using SMTP. Consult with the System Administrator to determine whether ePO Automatic Responses are configured or whether some other notification mechanism (i.e., regular manual review of reports) is used. If ePO Automatic Responses are not configured, some other notification mechanism must be configured.

For ePO Automatic Response using SMTP: Log onto the ePO server console. From Menu, select Automation >> Automatic Responses. With the assistance of the System Administrator, determine the Automatic Responses configured for this requirement. Click on Edit to review each of the designated Automatic Responses.

Automatic Responses must be configured for the following Event Descriptions, at a minimum, with a response of "Send Email" to System Administrator(s).

  • The DAT version was not new enough.
  • Boot record infection clean error.
  • Buffer overflow detected and NOT blocked.
  • Centralized Alerting-Scan reported an internal application error.
  • Centralized Alerting-Scan reports general system error.
  • Centralized Alerting-Scan reports memory allocation error.
  • File infected. Delete failed, quarantine failed.

If Automatic Response is not configured to detect the minimum Event Descriptions and/or is not configured to send an email notification to the System Administrator(s), or some other mechanism is not used to provide this notification to System Administrators, this is a finding.

Fix: F-68987r1_fix

Configure Automatic Response to capture all required event descriptions and to send email notifications to the System Administrator(s).