McAfee VirusScan 8.8 Managed Client STIG

U_McAfee_VirusScan88_Managed_Client_V5R6_Manual-xccdf.xml

Version/Release Published Filters Downloads Update
V5R6 2015-03-30      
Update existing CKLs to this version of the STIG
The McAfee VirusScan Managed Client STIG is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the NIST 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: [email protected]
Vuln Rule Version CCI Severity Title Description
SV-55134r1_rule DTAM001 CCI-001242 HIGH McAfee VirusScan On-Access General Policies must be configured to enable on-access scanning at system startup. For antivirus software to be effective, it must be running at all times, beginning from the point of the system's initial startup. Otherwise, the risk is greater for viruses, trojans, and other malware infecting the system during that startup phase. System AdministratorECSC-1
SV-55135r1_rule DTAM002 CCI-001242 MEDIUM McAfee VirusScan On-Access General Policies must be configured to scan boot sectors. Boot sector viruses will install into the boot sector of a system, ensuring that they will execute when the user boots the system. This risk is mitigated by scanning boot sectors at each startup of the system. System AdministratorECSC-1
SV-55139r1_rule DTAM003 CCI-001242 MEDIUM McAfee VirusScan On-Access General Policies must be configured to scan floppy during shutdown. Computer viruses in the early days of personal computing were almost exclusively passed around by floppy disks. Floppy disks would be used to boot the computer and, if infected, would infect the hard drive files as well. Although floppy drives have fallen out of use, it is still a good security practice, whenever the antivirus software allows, to enable the scanning software to scan a floppy disk at shutdown.System AdministratorECSC-1
SV-55141r1_rule DTAM004 MEDIUM McAfee VirusScan On-Access General Policies must be configured to notify local users when detections occur. "An effective awareness program explains proper rules of behavior for use of an organization's IT systems and information. Accordingly, awareness programs should include guidance to users on malware incident prevention, which can help reduce the frequency and severity of malware incidents. Organizations should also make users aware of policies and procedures that apply to malware incident handling, such as how to identify if a host may be infected, how to report a suspected incident, and what users need to do to assist with incident handling. Ensuring the antivirus software alerts the users when malware is detected will ensure the user is informed of the incident and be able to more closely relate the incident to actions being performed by the user at the time of the detection." System AdministratorECSC-1
SV-55144r1_rule DTAM005 CCI-001242 MEDIUM McAfee VirusScan On-Access General Policies must be configured to prevent users from removing messages from the list. Good incident response analysis includes reviewing all logs and alerts on the system reporting the infection. If users were permitted to remove alerts from the display, incident response forensic analysis would be inhibited. System AdministratorECSC-1
SV-55145r1_rule DTAM009 CCI-001242 MEDIUM McAfee VirusScan On-Access General Policies must be configured to log the scan sessions. Log management is essential to ensuring that computer security records are stored in sufficient detail for an appropriate period of time. Routine log analysis is beneficial for identifying security incidents, policy violations, fraudulent activity, and operational problems. Logs are also useful when performing auditing and forensic analysis, supporting internal investigations, establishing baselines, and identifying operational trends and long-term problems.System AdministratorECSC-1
SV-55147r1_rule DTAM010 CCI-001242 MEDIUM McAfee VirusScan On-Access General Policies log file size must be restricted and be configured to at least 10MB. While logging is imperative to forensic analysis, logs could grow to the point of impacting disk space on the system. In order to avoid the risk of logs growing to the size of impacting the operating system, the log size will be restricted, but must also be large enough to retain forensic value. System AdministratorECSC-1
SV-55148r1_rule DTAM012 CCI-001242 MEDIUM McAfee VirusScan On-Access General Policies must be configured to log the session summary. Log management is essential to ensuring that computer security records are stored in sufficient detail for an appropriate period of time. Routine log analysis is beneficial for identifying security incidents, policy violations, fraudulent activity, and operational problems. Logs are also useful when performing auditing and forensic analysis, supporting internal investigations, establishing baselines, and identifying operational trends and long-term problems. System AdministratorECSC-1
SV-55149r1_rule DTAM013 CCI-001242 MEDIUM McAfee VirusScan On-Access General Policies must be configured to log any failure to scan encrypted files. While logging is imperative to forensic analysis, logs could grow to the point of impacting disk space on the system. In order to avoid the risk of logs growing to the size of impacting the operating system, the log size will be restricted. If the data in the log file exceeds the file size set, the oldest 20 percent of the entries are deleted and new data is appended to the file, so although the file size is restricted, it must also be large enough to retain forensic value. System AdministratorECSC-1
SV-55151r1_rule DTAM016 CCI-001247 MEDIUM McAfee VirusScan must be configured to receive DAT and Engine updates. Antivirus signature files are updated almost daily by antivirus software vendors. These files are made available to antivirus clients as they are published. Keeping virus signature files as current as possible is vital to the security of any system. The antivirus software product must be configured to receive those updates automatically in order to afford the expected protection. System AdministratorECVP-1
SV-55153r1_rule DTAM021 CCI-001668 MEDIUM McAfee VirusScan On Delivery Email Scan Policies must be configured to enable on-delivery email scanning. Email has become one of the most frequently used methods of spreading malware, through embedded HTML code and attachments. User awareness and training, warning users to not open suspicious emails or email attachments, and not clicking on hyperlinks, etc. from unknown or known senders, will not fully protect from email-borne malware. Mass mailing worms are similar to email-borne viruses, but are self-contained, rather than infecting an existing file. Protecting from email-borne viruses and mass mailing worms by scanning email upon delivery mitigates the risk of infection via email. System AdministratorECSC-1
SV-55169r1_rule DTAM022 CCI-001668 MEDIUM McAfee VirusScan On-Delivery Email Scan Policies must be configured to find unknown program threats and trojans. Email has become one of the most frequently used methods of spreading malware, through embedded HTML code and attachments. User awareness and training, warning users to not open suspicious emails or email attachments, and not clicking on hyperlinks, etc. from unknown or known senders, will not fully protect from email-borne malware. Mass mailing worms are similar to email-borne viruses, but are self-contained, rather than infecting an existing file. Protecting from email-borne viruses and mass mailing worms by scanning email upon delivery mitigates the risk of infection via email. System AdministratorECSC-1
SV-55171r1_rule DTAM023 CCI-001668 MEDIUM McAfee VirusScan On Delivery Email Scan Policies must be configured to find unknown macro threats. Email has become one of the most frequently used methods of spreading malware, through embedded HTML code and attachments. User awareness and training, warning users to not open suspicious emails or email attachments, and not clicking on hyperlinks, etc. from unknown or known senders, will not fully protect from email-borne malware. Mass mailing worms are similar to email-borne viruses, but are self-contained, rather than infecting an existing file. Protecting from email-borne viruses and mass mailing worms by scanning email upon delivery mitigates the risk of infection via email. System AdministratorECSC-1
SV-55173r2_rule DTAM026 CCI-001668 MEDIUM McAfee VirusScan On Delivery Email Scan Policies must be configured to scan inside archives. Email has become one of the most frequently used methods of spreading malware, through embedded HTML code and attachments. User awareness and training, warning users to not open suspicious emails or email attachments, and not clicking on hyperlinks, etc. from unknown or known senders, will not fully protect from email-borne malware. Mass mailing worms are similar to email-borne viruses, but are self-contained, rather than infecting an existing file. Protecting from email-borne viruses and mass mailing worms by scanning email upon delivery mitigates the risk of infection via email. System AdministratorECSC-1
SV-55174r1_rule DTAM027 CCI-001668 MEDIUM McAfee VirusScan On Delivery Email Scan Policies must be configured to decode MIME encoded files. Email has become one of the most frequently used methods of spreading malware, through embedded HTML code and attachments. User awareness and training, warning users to not open suspicious emails or email attachments, and not clicking on hyperlinks, etc. from unknown or known senders, will not fully protect from email-borne malware. Mass mailing worms are similar to email-borne viruses, but are self-contained, rather than infecting an existing file. Protecting from email-borne viruses and mass mailing worms by scanning email upon delivery mitigates the risk of infection via email. System AdministratorECSC-1
SV-55177r1_rule DTAM028 CCI-001668 MEDIUM McAfee VirusScan On Delivery Email Scan Policies must be configured to scan email message body. Email has become one of the most frequently used methods of spreading malware, through embedded HTML code and attachments. User awareness and training, warning users to not open suspicious emails or email attachments, and not clicking on hyperlinks, etc. from unknown or known senders, will not fully protect from email-borne malware. Mass mailing worms are similar to email-borne viruses, but are self-contained, rather than infecting an existing file. Protecting from email-borne viruses and mass mailing worms by scanning email upon delivery mitigates the risk of infection via email. System AdministratorECSC-1
SV-55178r1_rule DTAM029 CCI-001243 MEDIUM McAfee VirusScan On Delivery Email Scan Policies, When a threat is found, must be configured to clean attachments as the first action. Email has become one of the most frequently used methods of spreading malware, through embedded HTML code and attachments. User awareness and training, warning users to not open suspicious emails or email attachments, and not clicking on hyperlinks, etc. from unknown or known senders, will not fully protect from email-borne malware. Mass mailing worms are similar to email-borne viruses, but are self-contained, rather than infecting an existing file. Protecting from email-borne viruses and mass mailing worms by scanning email upon delivery mitigates the risk of infection via email. System AdministratorECSC-1
SV-55187r1_rule DTAM035 CCI-001668 MEDIUM McAfee VirusScan On Delivery Email Scan Policies must be configured to record scanning activity in a log file. Log management is essential to ensuring that computer security records are stored in sufficient detail for an appropriate period of time. Routine log analysis is beneficial for identifying security incidents, policy violations, fraudulent activity, and operational problems. Logs are also useful when performing auditing and forensic analysis, supporting internal investigations, establishing baselines, and identifying operational trends and long-term problems. System AdministratorECSC-1
SV-55188r1_rule DTAM036 CCI-001668 MEDIUM McAfee VirusScan On-Delivery Email Scan Policies log file size must be restricted and be configured to be at least 10MB. While logging is imperative to forensic analysis, logs could grow to the point of impacting disk space on the system. In order to avoid the risk of logs growing to the size of impacting the operating system, the log size will be restricted, but must also be large enough to retain forensic value. System AdministratorECSC-1
SV-55191r1_rule DTAM045 CCI-001241 MEDIUM McAfee VirusScan On-Demand scan must be configured to scan all fixed disks and running processes. Antivirus software is the mostly commonly used technical control for malware threat mitigation. Antivirus software on hosts should be configured to scan all hard drives regularly to identify any file system infections and to scan any removable media, if applicable, before media is inserted into the system. Not scheduling a regular scan of the hard drives of a system and/or not configuring the scan to scan all files and running processes introduces a higher risk of threats going undetected. System AdministratorECSC-1
SV-55192r1_rule DTAM046 CCI-001241 MEDIUM McAfee VirusScan On-Demand scan must be configured to scan all subfolders. Antivirus software is the mostly commonly used technical control for malware threat mitigation. Antivirus software on hosts should be configured to scan all hard drives and folders regularly to identify any file system infections and to scan any removable media, if applicable, before media is inserted into the system. Not scheduling a regular scan of the hard drives of a system and/or not configuring the scan to scan all files and running processes introduces a higher risk of threats going undetected. System AdministratorECSC-1
SV-55193r1_rule DTAM047 CCI-001241 MEDIUM McAfee VirusScan On-Demand scan must be configured to scan boot sectors. Boot sector viruses will install into the boot sector of a system, ensuring that they will execute when the user boots the system. This risk is mitigated by scanning boot sectors at each startup of the system.System AdministratorECSC-1
SV-55194r1_rule DTAM048 CCI-001241 MEDIUM McAfee VirusScan On-Demand scan must be configured to scan all files. When scanning for malware, excluding specific file types will increase the risk of a malware-infected file going undetected. By configuring antivirus software to scan all file types, the scanner has a higher success rate at detecting and eradicating malware. System AdministratorECSC-1
SV-55195r2_rule DTAM050 CCI-001241 MEDIUM McAfee VirusScan On-Demand scan must be configured so there are no exclusions from the scan unless exclusions have been documented with, and approved by, the ISSO/ISSM/DAA. When scanning for malware, excluding specific files will increase the risk of a malware-infected file going undetected. By configuring antivirus software without any exclusions, the scanner has a higher success rate at detecting and eradicating malware. System AdministratorECSC-1
SV-55196r2_rule DTAM052 CCI-001241 MEDIUM McAfee VirusScan On-Demand scan must be configured to scan inside archives. Malware is often packaged within an archive. In addition, archives might have other archives within. Not scanning archive files introduces the risk of infected files being introduced into the environment. System AdministratorECSC-1
SV-55197r1_rule DTAM053 CCI-001241 MEDIUM McAfee VirusScan On-Demand scan must be configured to decode MIME encoded files. Multipurpose Internet Mail Extensions (MIME) encoded files can be crafted to hide a malicious payload. When the MIME encoded file is presented to software that decodes the MIME encoded files, such as an email client, the malware is released. Scanning these files as part of the regularly scheduled scan tasks will mitigate this risk. System AdministratorECSC-1
SV-55199r1_rule DTAM054 CCI-001241 MEDIUM McAfee VirusScan On-Demand scan must be configured to find unknown program threats. Due to the ability of malware to mutate after infection, standard antivirus signatures may not be able to catch new strains or variants of the malware. Typically, these strains and variants will share unique characteristics with others in their virus family. By using a generic signature to detect the shared characteristics, using wildcards where differences lie, the generic signature can detect viruses even if they are padded with extra, meaningless code. This method of detection is Heuristic detection. System AdministratorECSC-1
SV-55201r1_rule DTAM055 CCI-001241 MEDIUM McAfee VirusScan On-Demand scan must be configured to find unknown macro threats. Interpreted viruses are executed by an application. Within this subcategory, macro viruses take advantage of the capabilities of applications' macro programming language to infect application documents and document templates, while scripting viruses infect scripts that are understood by scripting languages processed by services on the OS. Many attackers use toolkits containing several different types of utilities and script that can be used to probe and attack hosts. Scanning for unknown macro viruses will mitigate zero day attacks. System AdministratorECSC-1
SV-55203r1_rule DTAM056 CCI-001243 MEDIUM McAfee VirusScan On-Demand scan actions, When a threat is found must be configured to clean files automatically as first action. Malware may have infected a file that is necessary to the user. By configuring the antivirus software to first attempt cleaning the infected file, availability to the file is not sacrificed. If a cleaning attempt is not successful, however, deleting the file is the only safe option so as to ensure the malware is not introduced onto the system or network. System AdministratorECSC-1
SV-55204r1_rule DTAM057 CCI-001243 MEDIUM McAfee VirusScan On-Demand scan actions, When a threat is found must be configured to delete files automatically if first action fails. Malware may have infected a file that is necessary to the user. By configuring the antivirus software to first attempt cleaning the infected file, availability to the file is not sacrificed. If a cleaning attempt is not successful, however, deleting the file is the only safe option so as to ensure the malware is not introduced onto the system or network. System AdministratorECSC-1
SV-55209r1_rule DTAM059 CCI-001241 MEDIUM McAfee VirusScan On-Demand scan must be configured to record scanning activity in a log file. Log management is essential to ensuring that computer security records are stored in sufficient detail for an appropriate period of time. Routine log analysis is beneficial for identifying security incidents, policy violations, fraudulent activity, and operational problems. Logs are also useful when performing auditing and forensic analysis, supporting internal investigations, establishing baselines, and identifying operational trends and long-term problems.System AdministratorECSC-1
SV-55211r1_rule DTAM060 CCI-001241 MEDIUM McAfee VirusScan On-Demand scan log file size must be restricted and be configured to at least 10MB. While logging is imperative to forensic analysis, logs could grow to the point of impacting disk space on the system. In order to avoid the risk of logs growing to the size of impacting the operating system, the log size will be restricted, but must also be large enough to retain forensic value. System AdministratorECSC-1
SV-55212r1_rule DTAM063 CCI-001241 MEDIUM McAfee VirusScan On-Demand scan must be configured to log any failure to scan encrypted files. Log management is essential to ensuring that computer security records are stored in sufficient detail for an appropriate period of time. Routine log analysis is beneficial for identifying security incidents, policy violations, fraudulent activity, and operational problems. Logs are also useful when performing auditing and forensic analysis, supporting internal investigations, establishing baselines, and identifying operational trends and long-term problems.System AdministratorECSC-1
SV-55213r1_rule DTAM070 CCI-001241 MEDIUM McAfee VirusScan On-Demand scan must be scheduled to be executed at least on a weekly basis. Antivirus software is the mostly commonly used technical control for malware threat mitigation. Antivirus software on hosts should be configured to scan all hard drives regularly to identify any file system infections and to scan any removable media, if applicable, before media is inserted into the system. Not scheduling a regular scan of the hard drives of a system and/or not configuring the scan to scan all files and running processes introduces a higher risk of threats going undetected. System AdministratorECSC-1
SV-55214r1_rule DTAM090 CCI-001242 MEDIUM McAfee VirusScan On-Access General Policies must be configured to enable scanning of scripts. Interpreted viruses are executed by an application. Within this subcategory, macro viruses take advantage of the capabilities of applications' macro programming language to infect application documents and document templates, while scripting viruses infect scripts that are understood by scripting languages processed by services on the OS. Many attackers use toolkits containing several different types of utilities and scripts that can be used to probe and attack hosts. (NIST SP 800-83) The scanning of scripts is crucial in preventing these attacks. System AdministratorInformation Assurance OfficerECVP-1
SV-55217r1_rule DTAM091 CCI-001242 MEDIUM McAfee VirusScan On-Access General Policies must be configured to block the connection when a threatened file is detected in a shared folder. Containment during a virus outbreak is crucial. Infected hosts may attempt to spread malware and will use every network path available to them when spreading that infection. By containing the system when a detection is found, the malware will be restricted to that one system. Likewise, if malware is detected in a shared folder, maintaining the connection between a system and the shared folder would allow the malware to spread. Placing temporary restrictions on network connectivity is an effective mitigation mechanism. These block connection settings will most often be used on a server housing shared folders and files, and will block the connection from any network user on a remote computer who attempts to read from, or write to, a threatened file in the shared folder. In addition, it will block the connection from any user on a remote computer who attempts to write an unwanted program to the computer. The connection will be unblocked after the specified amount of time, re-allowing access to the other shared files and folders, but will be re-blocked should those same file accesses be attempted.System AdministratorInformation Assurance OfficerECVP-1
SV-55219r1_rule DTAM092 CCI-001242 MEDIUM McAfee VirusScan On-Access General Policies must be configured to unblock connections after a minimum of 30 minutes. Containment during a virus outbreak is crucial. Infected hosts may attempt to spread malware and will use every network path available to them when spreading that infection. By containing the system when a detection is found, the malware will be restricted to that one system. Likewise, if malware is detected in a shared folder, maintaining the connection between a system and the shared folder would allow the malware to spread. Placing temporary restrictions on network connectivity is an effective mitigation mechanism. These block connection settings will most often be used on a server housing shared folders and files, and will block the connection from any network user on a remote computer who attempts to read from, or write to, a threatened file in the shared folder. In addition, it will block the connection from any user on a remote computer who attempts to write an unwanted program to the computer. The connection will be unblocked after the specified amount of time, re-allowing access to the other shared files and folders, but will be re-blocked should those same file accesses be attempted.System AdministratorInformation Assurance OfficerECVP-1
SV-55221r1_rule DTAM093 CCI-001242 MEDIUM McAfee VirusScan On-Access General Policies must be configured to block the connection when a file with a potentially unwanted program is detected in a shared folder. Containment during a virus outbreak is crucial. Infected hosts may attempt to spread malware and will use every network path available to them when spreading that infection. By containing the system when a detection is found, the malware will be restricted to that one system. Likewise, if malware is detected in a shared folder, maintaining the connection between a system and the shared folder would allow the malware to spread. Placing temporary restrictions on network connectivity is an effective mitigation mechanism. These block connection settings will most often be used on a server housing shared folders and files and will block the connection from any network user on a remote computer who attempts to read from, or write to, a threatened file in the shared folder. In addition, it will block the connection from any user on a remote computer who attempts to write an unwanted program to the computer. The connection will be unblocked after the specified amount of time, re-allowing access to the other shared files and folders but will be re-blocked should those same file accesses be attempted.System AdministratorInformation Assurance OfficerECVP-1
SV-55222r1_rule DTAM100 MEDIUM McAfee VirusScan On-Access Default Processes Policies must be configured to use only one scanning policy for all processes, unless the use of Low-Risk Processes/High-Risk Processes has been documented with, and approved by, the IAO/IAM. Organizations should use centrally managed antivirus software that is controlled and monitored regularly by antivirus administrators, who are also typically responsible for acquiring, testing, approving, and delivering antivirus signature and software updates through the organizations. Some processes are known to be higher risk while others are low risk. By restricting policy configuration to the Default Processes policy, all processes will be interpreted equally when applying the policy settings, and will provide the highest level of protection. Best practice dictates configuring Low-Risk and/or High-Risk policies only when it is necessary to improve system performance and will focus the scanning where it is most likely to detect malware. There is risk associated with configuring the Low-Risk and/or High-Risk policies for the purpose of specifically excluding processes from scanning, and should only be done after evaluating other policy settings and determining risk. System AdministratorInformation Assurance OfficerECVP-1
SV-55224r1_rule DTAM101 MEDIUM McAfee VirusScan On-Access Default Processes Policies must be configured to scan when writing to disk. Antivirus software is the most commonly used technical control for malware threat mitigation. Real-time scanning of files as they are written to disk is a crucial first line of defense from malware attacks. System AdministratorInformation Assurance OfficerECVP-1
SV-55225r1_rule DTAM102 CCI-001242 MEDIUM McAfee VirusScan On-Access Default Processes Policies must be configured to scan when reading from disk. Antivirus software is the most commonly used technical control for malware threat mitigation. Real-time scanning of files as they are read from disk is a crucial first line of defense from malware attacks. System AdministratorInformation Assurance OfficerECVP-1
SV-55228r1_rule DTAM103 CCI-001242 MEDIUM McAfee VirusScan On-Access Default Processes Policies must be configured to scan all files. When scanning for malware, excluding specific file types will increase the risk of a malware-infected file going undetected. By configuring antivirus software to scan all file types, the scanner has a higher success rate at detecting and eradicating malware. System AdministratorInformation Assurance OfficerECVP-1
SV-55230r1_rule DTAM104 CCI-001242 MEDIUM McAfee VirusScan On-Access Default Processes Policies must be configured to find unknown unwanted programs and trojans. Due to the ability of malware to mutate after infection, standard antivirus signatures may not be able to catch new strains or variants of the malware. Typically, these strains and variants will share unique characteristics with others in their virus family. By using a generic signature to detect the shared characteristics, using wildcards where differences lie, the generic signature can detect viruses even if they are padded with extra, meaningless code. This method of detection is Heuristic detection. System AdministratorInformation Assurance OfficerECVP-1
SV-55231r1_rule DTAM105 CCI-001242 MEDIUM McAfee VirusScan On-Access Default Processes Policies must be configured to find unknown macro viruses. Due to the ability of malware to mutate after infection, standard antivirus signatures may not be able to catch new strains or variants of the malware. Typically, these strains and variants will share unique characteristics with others in their virus family. By using a generic signature to detect the shared characteristics, using wildcards where differences lie, the generic signature can detect viruses even if they are padded with extra, meaningless code. This method of detection is Heuristic detection. System AdministratorInformation Assurance OfficerECVP-1
SV-55232r2_rule DTAM106 CCI-001242 MEDIUM McAfee VirusScan On-Access Default Processes Policies must be configured to scan inside archives. Malware is often packaged within an archive. In addition, archives might have other archives within. Not scanning archive files introduces the risk of infected files being introduced into the environment. System AdministratorECVP-1
SV-55233r1_rule DTAM110 CCI-001242 MEDIUM McAfee VirusScan On-Access Default Processes Policies Actions for When a threat is found must be configured to clean files automatically as first action. Malware may have infected a file that is necessary to the user. By configuring the antivirus software to first attempt cleaning the infected file, availability to the file is not sacrificed. If a cleaning attempt is not successful, however, deleting the file is the only safe option so as to ensure the malware does is not introduced onto the system or network. System AdministratorInformation Assurance OfficerECVP-1
SV-55234r1_rule DTAM111 CCI-001242 MEDIUM McAfee VirusScan On-Access Default Processes Policies actions for When a threat is found must be configured delete files automatically if first action fails. Malware may have infected a file that is necessary to the user. By configuring the antivirus software to first attempt cleaning the infected file, availability to the file is not sacrificed. If a cleaning attempt is not successful, however, deleting the file is the only safe option so as to ensure the malware does is not introduced onto the system or network. System AdministratorInformation Assurance OfficerECVP-1
SV-55189r1_rule DTAM039 CCI-001243 MEDIUM McAfee VirusScan On Delivery Email Scan Policies must be configured to clean attachments as the first action for When an unwanted program is found. Email has become one of the most frequently used methods of spreading malware, through embedded HTML code and attachments. User awareness and training, warning users to not open suspicious emails or email attachments, and not clicking on hyperlinks, etc. from unknown or known senders, will not fully protect from email-borne malware. Mass mailing worms are similar to email-borne viruses, but are self-contained, rather than infecting an existing file. Protecting from email-borne viruses and mass mailing worms by scanning email upon delivery mitigates the risk of infection via email.System AdministratorInformation Assurance OfficerECVP-1
SV-55207r1_rule DTAM058 CCI-001241 MEDIUM McAfee VirusScan On-Demand scan must be configured to detect for unwanted programs. Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infections capability on their own, they rely on malware or other attach mechanisms to be installed onto target hosts, after which they will collect and transfer data from the host to an external host and/or will be used as attach mechanisms. Configuring the antivirus software to attempt to clean the file first will allow for the possibility of a false positive. In most cases, however, the secondary action of delete will be used, mitigating the risk of the PUPs being installed and used maliciously. System AdministratorInformation Assurance OfficerECVP-1
SV-55235r1_rule DTAM130 CCI-001242 MEDIUM McAfee VirusScan Buffer Overflow Protection Policies must be configured to enable Buffer Overflow Protection. Buffer overflow is an anomaly where a program, while writing data to a buffer, overruns the buffer's boundary and overwrites adjacent memory. This anomaly has been used maliciously, explicitly to craft exploits. Buffer overflow attacks compose greater than 25% of malware attacks. Without buffer overflow protection enabled, systems are more vulnerable to attacks that attempt to overwrite adjacent memory in the stack frame. Buffer overflow protection is only configurable on non-64-bit systems. System AdministratorInformation Assurance OfficerECVP-1
SV-55236r1_rule DTAM131 CCI-001242 MEDIUM McAfee VirusScan Buffer Overflow Protection Policies must be configured for Protection mode. Buffer overflow is an anomaly where a program, while writing data to a buffer, overruns the buffer's boundary and overwrites adjacent memory. This anomaly has been used maliciously, explicitly to craft exploits. Buffer overflow attacks compose greater than 25% of malware attacks. Without buffer overflow protection enabled, systems are more vulnerable to attacks that attempt to overwrite adjacent memory in the stack frame. Protection mode will ensure buffer overflow is detected and blocked. Otherwise, only a warning message will be logged. Buffer overflow protection is only configurable on non-64-bit systems. System AdministratorInformation Assurance OfficerECVP-1
SV-55237r1_rule DTAM132 CCI-001242 MEDIUM McAfee VirusScan Buffer Overflow Protection Policies must be configured to display a dialog box when a buffer overflow is detected. An effective awareness program explains proper rules of behavior for use of an organization's IT systems and information. Accordingly, awareness programs should include guidance to users on malware incident prevention, which can help reduce the frequency and severity of malware incidents. Organizations should also make users aware of policies and procedures that apply to malware incident handling, such as how to identify if a host may be infected, how to report a suspected incident, and what users need to do to assist with incident handling. Ensuring the antivirus software alerts the users when a buffer overflow is detected will ensure the user is aware of the incident and be able to more closely relate the incident to actions being performed by the user at the time of the detection.System AdministratorInformation Assurance OfficerECVP-1
SV-55239r1_rule DTAM133 CCI-001242 MEDIUM McAfee VirusScan Buffer Overflow Protection Policies must be configured to record scanning activity in a log file. Log management is essential to ensuring that computer security records are stored in sufficient detail for an appropriate period of time. Routine log analysis is beneficial for identifying security incidents, policy violations, fraudulent activity, and operational problems. Logs are also useful when performing auditing and forensic analysis, supporting internal investigations, establishing baselines, and identifying operational trends and long-term problems. System AdministratorInformation Assurance OfficerECVP-1
SV-55238r1_rule DTAM134 CCI-001242 MEDIUM McAfee VirusScan Buffer Overflow Protection Policies log file size must be restricted and be configured to at least 10MB. While logging is imperative to forensic analysis, logs could grow to the point of impacting disk space on the system. In order to avoid the risk of logs growing to the size of impacting the operating system, the log size will be restricted, but must also be large enough to retain forensic value. System AdministratorInformation Assurance OfficerECVP-1
SV-55241r1_rule DTAM135 CCI-001668 MEDIUM McAfee VirusScan Unwanted Programs Policies must be configured to detect spyware. Spyware is software that aids in gathering information about a person or organization without their knowledge, and that may send such information to another entity without the consumer's consent, or that asserts control over a computer without the user's knowledge. Spyware may try to deceive users by bundling itself with desirable software. A spyware infestation can create significant unwanted CPU activity, disk usage, and network traffic. Some types of spyware disable software firewalls and antivirus software. Detecting, blocking, and eradicating malicious spyware or preventing it from being installed will alleviate the negative side effects of the spyware. System AdministratorInformation Assurance OfficerECVP-1
SV-55242r1_rule DTAM136 CCI-001248 MEDIUM McAfee VirusScan Unwanted Programs Policies must be configured to detect adware. Adware, like spyware, is, at best, an annoyance by presenting unwanted advertisement to the user of a computer, sometimes in the form of a popup. At worst, it redirects the user to malicious websites. Detecting and blocking will mitigate the likelihood of users being tricked into visiting sites with malicious content. System AdministratorInformation Assurance OfficerECVP-1
SV-55133r1_rule DTAG008 HIGH The antivirus signature file age must not exceed 7 days. Antivirus signature files are updated almost daily by antivirus software vendors. These files are made available to antivirus clients as they are published. Keeping virus signature files as current as possible is vital to the security of any system. System AdministratorECVP-1
SV-55243r1_rule DTAM137 CCI-001242 MEDIUM McAfee VirusScan On-Access General Policies Artemis sensitivity level must be configured to medium or higher. Antivirus software vendors use collective intelligence from sensors and cross-vector intelligence from web, email, and network threats to compile scores that reflect the likelihood of whether a file in question is malware. The collective intelligence is constantly being updated, more frequently than the typical daily antivirus signature files. With File Reputation lookup, a more real-time response to potential malicious code is realized than with the local-running antivirus software, since by querying the cloud-based database when a file appears to be suspicious, up-to-the-minute intelligence is provided. This type of protection reduces the threat protection time period from days to milliseconds, increases malware detection rates, and reduces downtime and remediation costs associated with malware attacks. Using File Reputation lookup is mandated by US CYBERCOM on DoD systems. System AdministratorECSC-1
SV-55180r1_rule DTAM162 CCI-001243 MEDIUM McAfee VirusScan On Delivery Email Scan Policies, When a threat is found, must be configured to clean attachments as the first action and delete attachments if the first action fails. Email has become one of the most frequently used methods of spreading malware, through embedded HTML code and attachments. User awareness and training, warning users to not open suspicious emails or email attachments, and not clicking on hyperlinks, etc. from unknown or known senders, will not fully protect from email-borne malware. Mass mailing worms are similar to email-borne viruses, but are self-contained, rather than infecting an existing file. Protecting from email-borne viruses and mass mailing worms by scanning email upon delivery mitigates the risk of infection via email.
SV-55190r1_rule DTAM163 CCI-001243 MEDIUM McAfee VirusScan On Delivery Email Scan Policies must be configured to delete attachments if the first action fails for when an unwanted program is found. Email has become one of the most frequently used methods of spreading malware, through embedded HTML code and attachments. User awareness and training, warning users to not open suspicious emails or email attachments, and not clicking on hyperlinks, etc. from unknown or known senders, will not fully protect from email-borne malware. Mass mailing worms are similar to email-borne viruses, but are self-contained, rather than infecting an existing file. Protecting from email-borne viruses and mass mailing worms by scanning email upon delivery mitigates the risk of infection via email.
SV-55244r1_rule DTAM138 CCI-001248 HIGH McAfee VirusScan Access Protection Policies must be configured to prevent McAfee services from being stopped. When the Prevent McAfee services from being stopped check box is selected under Access Protection, VSE will prevent anyone except the System account from terminating McAfee services. This protects VirusScan from being disabled by malicious programs that seek to circumvent virus protection programs by terminating their services.
SV-55245r1_rule DTAM139 CCI-001248 MEDIUM McAfee VirusScan Access Protection Policies must be configured to record scanning activity in a log file. Log management is essential to ensuring that computer security records are stored in sufficient detail for an appropriate period of time. Routine log analysis is beneficial for identifying security incidents, policy violations, fraudulent activity, and operational problems. Logs are also useful when performing auditing and forensic analysis, supporting internal investigations, establishing baselines, and identifying operational trends and long-term problems.
SV-55246r1_rule DTAM140 CCI-001248 MEDIUM McAfee VirusScan Access Protection log file size must be restricted and be configured to at least 10MB. While logging is imperative to forensic analysis, logs could grow to the point of impacting disk space on the system. In order to avoid the risk of logs growing to the size of impacting the operating system, the log size will be restricted, but must also be large enough to retain forensic value.
SV-55247r1_rule DTAM141 CCI-001248 MEDIUM McAfee VirusScan Access Protection: Common Standard Protection must be set to prevent modification of McAfee files and settings. Many malicious programs have attempted to disable VirusScan by stopping services and processes and leaving the system vulnerable to attack. Self-protection is an important feature of VSE that prevents malicious programs from disabling VirusScan or any of its services or processes. Many trojans and viruses will attempt to terminate or even delete security products. VSE's self-protection features protect VirusScan registry values and processes from being altered or deleted by malicious code. This rule protects the McAfee security product from modification by any process not listed in the policy's exclusion list.
SV-55248r1_rule DTAM142 CCI-001248 MEDIUM McAfee VirusScan Access Protection: Common Standard Protection must be set to prevent modification of McAfee Common Management Agent files and settings. Many malicious programs have attempted to disable VirusScan by stopping services and processes and leaving the system vulnerable to attack. Self-protection is an important feature of VSE that prevents malicious programs from disabling VirusScan or any of its services or processes. Many trojans and viruses will attempt to terminate or even delete security products. VSE's self-protection features protect VirusScan registry values and processes from being altered or deleted by malicious code. This rule protects the McAfee security product from modification by any process not listed in the policy's exclusion list.
SV-55249r1_rule DTAM143 CCI-001248 MEDIUM McAfee VirusScan Access Protection: Common Standard Protection must be set to prevent modification of McAfee Scan Engine files and settings. Many malicious programs have attempted to disable VirusScan by stopping services and processes and leaving the system vulnerable to attack. Self-protection is an important feature of VSE that prevents malicious programs from disabling VirusScan or any of its services or processes. Many trojans and viruses will attempt to terminate or even delete security products. VSE's self-protection features protect VirusScan registry values and processes from being altered or deleted by malicious code. This rule protects the McAfee security product from modification by any process not listed in the policy's exclusion list.
SV-55250r1_rule DTAM144 CCI-001248 MEDIUM McAfee VirusScan Access Protection: Common Standard Protection must be set to prevent termination of McAfee processes. Many malicious programs have attempted to disable VirusScan by stopping services and processes and leaving the system vulnerable to attack. Self-protection is an important feature of VSE that prevents malicious programs from disabling VirusScan or any of its services or processes. Many trojans and viruses will attempt to terminate or even delete security products. VSE's self-protection features protect VirusScan registry values and processes from being altered or deleted by malicious code. This rule protects the McAfee security product from modification by any process not listed in the policy's exclusion list.
SV-55251r4_rule DTAM145 CCI-001248 MEDIUM McAfee VirusScan Access Protection Rules Common Standard Protection must be set to block and report when common programs are run from the Temp folder. This rule will block common programs from running from the Temp directory; however, this rule is much more restrictive in that it stops nearly all processes from launching in the Temp folder. Most viruses need to be run once by a person before infecting a computer. This can be done in many ways, such as opening an executable attachment in an email or downloading a program from the Internet. An executable needs to exist on the disk before Windows can run it. A common way for applications to achieve this is to save the file in the user's or system's Temp directory and then run it. One purpose of this rule is to enforce advice that is frequently given to users: "don't open attachments from email." The other purpose of this rule is to close security holes introduced by application bugs. Older versions of Outlook and Internet Explorer are notorious for automatically executing code without the user needing to do anything but preview an email or view a website.
SV-55252r1_rule DTAM146 CCI-001248 MEDIUM McAfee VirusScan Access Protection: Common Standard Protection must be set to prevent hooking of McAfee processes. Hooking covers a range of techniques used to alter or augment the behavior of an operating system, of applications, or of other software components by intercepting function calls, messages, or events passed between software components. Code that handles such intercepted function calls, events, or messages is called a 'hook'. Hooking can also be used by malicious code. For example, rootkits, pieces of software that try to make themselves invisible by faking the output of API calls that would otherwise reveal their existence, often use hooking techniques. This rule prevents other processes from hooking of McAfee processes.
SV-55253r1_rule DTAM147 CCI-001248 MEDIUM McAfee VirusScan Access Protection: Common Maximum Protection must be set to detect and log launching of files from the Downloaded Programs Files folder. A common distribution method for adware and spyware is to have the user download an executable file and run it automatically from the Downloaded Program Files folder. This rule is specific to Microsoft Internet Explorer and prevents software installations through the web browser. Internet Explorer runs code from the Downloaded Program Files directory, notably ActiveX controls. Some vulnerabilities in Internet Explorer and viruses place an .exe file into this directory and run it. This rule closes that attack vector.
SV-55254r4_rule DTAM148 CCI-001248 MEDIUM McAfee VirusScan Access Protection: Anti-Spyware Maximum Protection must be set to block and log execution of scripts from the Temp folder. This rule prevents the Windows scripting host from running VBScript and JavaScript scripts from the Temp directory. This would protect against a large number of trojans and questionable web installation mechanisms that are used by many adware and spyware applications.
SV-55255r1_rule DTAM149 CCI-001248 MEDIUM McAfee VirusScan Access Protection: Anti-Virus Standard Protection must be set to prevent remote creation of autorun files. Autorun files are used to automatically launch program files, typically setup files from CDs. Preventing other computers from making a connection and creating or altering autorun.inf files can prevent spyware and adware from being executed. There are many spyware and virus programs distributed on CDs.
SV-55256r1_rule DTAM150 CCI-001248 MEDIUM McAfee VirusScan Access Protection: Anti-Virus Standard Protection must be set to prevent mass mailing worms from sending mail. Many viruses and worms find email addresses on the infected system and send themselves to these addresses. They do this by connecting directly to the email servers whose names they have harvested from the local system. This rule prevents any process from talking to a foreign email server using SMTP. By blocking this communication, a machine may become infected with a new mass mailing virus, but that virus will be unable to spread further by email. It prevents outbound access to SMTP ports 25 and 587 on all programs except known email clients listed as an exclusion.
SV-55257r2_rule DTAM151 CCI-001248 MEDIUM McAfee VirusScan Access Protection: Anti-Virus Standard Protection must be set to prevent IRC communication. Internet Relay Chat (IRC) is the preferred communication method used by botnet herders and remote-access trojans to control botnets (a set of scripts or an independent program that connects to IRC). IRC allows an attacker to control infected machines that are sitting behind network address translation (NAT), and the bot can be configured to connect back to the command and control server listening on any port.
SV-55258r2_rule DTAM152 CCI-001242 MEDIUM McAfee VirusScan On-Access General Policies must be configured to not exclude any script processes from being scanned unless the process exclusions have been documented with, and approved by, the ISSO/ISSM/DAA. Many attackers use toolkits containing several different types of utilities and scripts that can be used to probe and attack hosts. Scripts are a common carrier of malware and none should be excluded from scanning. In the unlikely event that excluding scanning a script impacts the operational function and/or availability of a system, and reasonable mitigation efforts have been put into place, the exclusion may be put into place but must be documented with, and approved by, the ISSO/ISSM/DAA.
SV-55259r2_rule DTAM153 CCI-001242 MEDIUM McAfee VirusScan On-Access Default Processes Policies must be configured to not exclude any files from being scanned unless exclusions have been documented with, and approved by, the ISSO/ISSM/DAA. When scanning for malware, excluding specific files will increase the risk of a malware-infected file going undetected. By configuring antivirus software without any exclusions, the scanner has a higher success rate at detecting and eradicating malware.
SV-55260r1_rule DTAM154 CCI-001241 MEDIUM McAfee VirusScan On-Demand scan must be configured to scan memory for rootkits. A rootkit is a stealthy type of software, usually malicious, and is designed to mask the existence of processes or programs from normal methods of detection. Rootkits will often enable continued privileged access to a computer. Scanning and handling detection of rootkits will mitigate the likelihood of rootkits being installed and used maliciously on the system.
SV-55261r1_rule DTAM155 CCI-001243 MEDIUM McAfee VirusScan On-Demand scan actions, When an unwanted program is found must be configured to clean files automatically as first action. Malware may have infected a file that is necessary to the user. By configuring the antivirus software to first attempt cleaning the infected file, availability to the file is not sacrificed. If a cleaning attempt is not successful, however, deleting the file is the only safe option so as to ensure the malware is not introduced onto the system or network.
SV-55262r1_rule DTAM164 CCI-001243 MEDIUM McAfee VirusScan On-Demand scan actions, When an unwanted program is found must be configured to delete files automatically if first action fails. Malware may have infected a file that is necessary to the user. By configuring the antivirus software to first attempt cleaning the infected file, availability to the file is not sacrificed. If a cleaning attempt is not successful, however, deleting the file is the only safe option so as to ensure the malware is not introduced onto the system or network.
SV-55263r1_rule DTAM156 CCI-001241 MEDIUM McAfee VirusScan General Options Policies must be configured to not allow On-Demand scans to utilize the scan cache. The cache is a list of scanned files that have been determined to be clean. The scanner will use this list to reduce duplicate file scanning. While disabling the cache persistence may result in performance degradation, the risk of enabling it may allow malware to go undetected.
SV-55264r1_rule DTAM157 CCI-001668 MEDIUM McAfee VirusScan On-Delivery Email Scan Policies Artemis sensitivity level must be configured to medium or higher. Antivirus software vendors use collective intelligence from sensors and cross-vector intelligence from web, email, and network threats to compile scores that reflect the likelihood of whether a file in question is malware. The collective intelligence is constantly being updated, more frequently than the typical daily antivirus signature files. With File Reputation lookup, a more real-time response to potential malicious code is realized than with the local-running antivirus software, since by querying the cloud-based database when a file appears to be suspicious, up-to-the-minute intelligence is provided. This type of protection reduces the threat protection time period from days to milliseconds, increases malware detection rates, and reduces downtime and remediation costs associated with malware attacks. Using File Reputation lookup is mandated by US CYBERCOM on DoD systems.
SV-55265r1_rule DTAM158 CCI-001668 MEDIUM McAfee VirusScan On-Delivery Email Scan Policies must be configured to send a notification email to the IAO, IAM, and/or ePO administrator when a threatened email message is detected. Email has become one of the most frequently used methods of spreading malware, through embedded HTML code and attachments. User awareness and training, warning users to not open suspicious emails or email attachments, and not clicking on hyperlinks, etc. from unknown or known senders, will not fully protect from email-borne malware. Mass mailing worms are similar to email-borne viruses, but are self-contained, rather than infecting an existing file. Protecting from email-borne viruses and mass mailing worms by scanning email upon delivery mitigates the risk of infection via email.
SV-55266r1_rule DTAM159 CCI-001668 MEDIUM McAfee VirusScan On-Delivery Email Scan Policies must be configured to log session summary and failure to scan encrypted files. Log management is essential to ensuring that computer security records are stored in sufficient detail for an appropriate period of time. Routine log analysis is beneficial for identifying security incidents, policy violations, fraudulent activity, and operational problems. Logs are also useful when performing auditing and forensic analysis, supporting internal investigations, establishing baselines, and identifying operational trends and long-term problems.
SV-55267r3_rule DTAM160 CCI-001242 MEDIUM McAfee VirusScan On-Access General Policies must be configured to not exclude any URL scripts from being scanned unless the URL exclusions have been documented with, and approved by, the ISSO/ISSM/DAA. Many attackers use toolkits containing several different types of utilities and scripts that can be used to probe and attack hosts. Scripts are a common carrier of malware and none should be excluded from scanning. In the unlikely event that excluding scanning a script impacts the operational function and/or availability of a system, and reasonable mitigation efforts have been put into place, the exclusion may be put into place but must be documented with, and approved by, the ISSO/ISSM/DAA.
SV-55268r2_rule DTAM161 CCI-001248 MEDIUM McAfee VirusScan Access Protection Policies must be configured to enable access protection. Access Protection prevents unwanted changes to a computer by restricting access to specified ports, files and folders, shares, and registry keys and values. It prevents users from stopping McAfee processes and services, which are critical before and during outbreaks. Access Protection for VSE uses predefined and user-defined rules to strengthen systems against virus attacks. For instance, rules are used to specify which items can and cannot be accessed. Each rule can be configured to block and/or report access violations when they occur, and rules can also be disabled.
SV-55269r1_rule DTAM165 CCI-001242 MEDIUM McAfee VirusScan On-Access Default Processes Policies must be configured to detect unwanted programs. Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infections capability on their own, they rely on malware or other attach mechanisms to be installed onto target hosts, after which they will collect and transfer data from the host to an external host and/or will be used as attach mechanisms. Configuring the antivirus software to attempt to clean the file first will allow for the possibility of a false positive. In most cases, however, the secondary action of delete will be used, mitigating the risk of the PUPs being installed and used maliciously.
SV-55270r1_rule DTAM166 CCI-001242 MEDIUM McAfee VirusScan On-Access Default Processes Policies actions, When an unwanted program is found must be configured to clean files automatically as first action. Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infections capability on their own, they rely on malware or other attach mechanisms to be installed onto target hosts, after which they will collect and transfer data from the host to an external host and/or will be used as attach mechanisms. Configuring the antivirus software to attempt to clean the file first will allow for the possibility of a false positive. In most cases, however, the secondary action of delete will be used, mitigating the risk of the PUPs being installed and used maliciously.
SV-55271r2_rule DTAM167 CCI-001242 MEDIUM McAfee VirusScan On-Access Default Processes Policies actions, When an unwanted program is found must be configured to delete files automatically if first action fails. Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infections capability on their own, they rely on malware or other attach mechanisms to be installed onto target hosts, after which they will collect and transfer data from the host to an external host and/or will be used as attach mechanisms. Configuring the antivirus software to attempt to clean the file first will allow for the possibility of a false positive. In most cases, however, the secondary action of delete will be used, mitigating the risk of the PUPs being installed and used maliciously.
SV-73793r1_rule DTAM170 CCI-001248 MEDIUM McAfee VirusScan Access Protection Rules Common Standard Protection must be set to block and report when common all programs are run from the Temp folder. This rule prevents all program from running files from the Temp directory. This would protect against a large number of trojans and questionable web installation mechanisms that are used by many adware and spyware applications. System Administrator