Select any two versions of this STIG to compare the individual requirements
Select any old version/release of this STIG to view the previous requirements
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. On the menu bar, click Task->On-Access Scanner Properties. Select the General Settings. Under the General tab, locate the "General:" label. Ensure the "Enable on-access scanning at system startup" option is selected. Criteria: If the "Enable on-access scanning at startup" option is selected, this is not a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: HKLM\Software\McAfee\ (32-bit) HKLM\Software\Wow6432Node\McAfee\ (64-bit) \SystemCore\VSCore\On Access Scanner\McShield\Configuration Criteria: If the value of bStartDisabled is 0, this is not a finding. If the value is 1, this is a finding.
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. On the menu bar, click Task->On-Access Scanner Properties. Under the General tab, locate the "General:" label. Select the "Enable on-access scanning at system startup" option. Click OK to Save.
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. On the menu bar, click Task->On-Access Scanner Properties Select the General Settings. Under the General tab, locate the "Scan:" label. Ensure the "Boot Sectors" option is selected. Criteria: If the "Boot Sectors" option is selected, this is not a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: HKLM\Software\McAfee\ (32-bit) HKLM\Software\Wow6432Node\McAfee\ (64-bit) \SystemCore\VSCore\On Access Scanner\McShield\Configuration Criteria: If the value of bDontScanBootSectors is 0, this is not a finding. If the value is 1, this is a finding.
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. On the menu bar, click Task->On-Access Scanner Properties. Select the General Settings. Under the General tab, locate the "Scan:" label. Select the "Boot Sectors" option. Click OK to Save.
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. On the menu bar, click Task->On-Access Scanner Properties. Select the General Settings. Under the General tab, locate the "Scan:" label. Ensure the "Floppy during shutdown" option is selected. Criteria: If the "Floppy during shutdown" option is selected, this is not a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: HKLM\Software\McAfee\ (32-bit) HKLM\Software\Wow6432Node\McAfee\ (64-bit) SystemCore\VSCore\On Access Scanner\McShield\Configuration\ Criteria: If the value of bScanFloppyonShutdown is 1, this is not a finding. If the value is 0, this is a finding.
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console On the menu bar, click Task->On-Access Scanner Properties. Select the General Settings. Under the General tab, locate the "Scan:" label. Select the "Floppy during shutdown" option. Click OK to Save.
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. On the menu bar, click Task->On-Access Scanner Properties. Select the General Settings. Under the Messages tab, locate the "Message for local users:" label. Ensure the "Show the messages dialog box when a threat is detected and display the specified text in the message" option is selected. Criteria: If the "Show the messages dialog box when a threat is detected and display the specified text in the message" option is selected, this is not a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: HKLM\Software\McAfee\ (32-bit) HKLM\Software\Wow6432Node\McAfee\ (64-bit) SystemCore\VSCore\On Access Scanner\McShield\Configuration Criteria: If the value of Alert_AutoShowList is 1, this is not a finding. If the value is 0, this is a finding.
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console On the menu bar, click Task->On-Access Scanner Properties. Select the General Settings. Under the Messages tab, locate the "Messages for local users:" label. Select the "Show the messages dialog box when a threat is detected and display the specified text in the message" option. Click OK to Save.
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. On the menu bar, click Task->On-Access Scanner Properties. Select the General Settings. Under the Messages tab, locate the "Actions available to user:" label. Ensure the "Remove messages from the list" option is NOT selected. Criteria: If the "Remove messages from the list" option is NOT selected, this is not a finding. On the client machine use the Windows Registry Editor to navigate to the following key: HKLM\Software\McAfee\ (32-bit) HKLM\Software\Wow6432Node\McAfee\ (64-bit) SystemCore\VSCore\On Access Scanner\McShield\Configuration Criteria: If the value of Alert_UsersCanRemove is 0, this is not a finding. If the value is 1, this is a finding.
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. On the menu bar, click on Task->On-Access Scanner Properties. Select the General Settings. Under the Messages tab, locate the "Actions available to user:" label. Uncheck the "Remove messages from the list" option. Click OK to Save.
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. On the menu bar, click Task->On-Access Scanner Properties. Select the General Settings. Under the Reports tab, locate the "Log file" label. Ensure the "Enable activity logging and accept the default location for the log file or specify a new location" option is selected. Criteria: If the "Enable activity logging and accept the default location for the log file or specify a new location" option is selected, this is not a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: HKLM\Software\McAfee\ (32-bit) HKLM\Software\Wow6432Node\McAfee\ (64-bit)SystemCore\VSCore\On Access Scanner\McShield\Configuration Criteria: If the value of bLogtoFile is 1, this is not a finding. If the value is 0, this is a finding.
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. On the menu bar, click Task->On-Access Scanner Properties. Select the General Settings. Under the Reports tab, locate the "Log file" label. Select the "Enable activity logging and accept the default location for the log file or specify a new location" option. Click OK to Save.
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. On the menu bar, click Task->On-Access Scanner Properties. Select the General Settings. Under the Reports tab, locate the "Log file size:" label. Ensure the "Limit the size of log file" option is selected. Ensure the "Maximum log file size" is at least 10MB. Criteria: If the "Limit the size of log file" option is selected and the "Maximum log file size:" is at least 10MB, this is not a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: HKLM\Software\McAfee\ (32-bit) HKLM\Software\Wow6432Node\McAfee\ (64-bit) SystemCore\VSCore\On Access Scanner\McShield\Configuration Criteria: If the value of bLimitSize is 1 and dwMaxLogSizeMB is configured to Decimal (10) or higher, this is not a finding. If bLimitSize is 0, this is a finding. If dwMaxLogSizeMB is less than Decimal (10), this is a finding.
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. On the menu bar, click Task->On-Access Scanner Properties. Select the General Settings. Under the Reports tab, locate the "Log file size:" label. Select the "Limit the size of log file" option. For the "Maximum log file size:", select a value of at least 10MB or more. Click OK to Save.
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. On the menu bar, click Task->On-Access Scanner Properties. Select the General Settings. Under the Reports tab, locate the "What to log in addition to scanning activity:" label. Ensure the "Session summary" option is selected. Criteria: If the "Session summary" option is selected, this is not a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: HKLM\Software\McAfee\ (32-bit) HKLM\Software\Wow6432Node\McAfee\ (64-bit) SystemCore\VSCore\On Access Scanner\McShield\Configuration Criteria: If the value of bLogSummary is 1, this is not a finding. If the value is 0, this is a finding.
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. On the menu bar, click Task->On-Access Scanner Properties. Select the General Settings. Under the Reports tab, locate the "What to log in addition to scanning activity:" label. Select the "Session summary" option. Click OK to Save.
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. On the menu bar, click Task->On-Access Scanner Properties. Select the General Settings. Under the Reports tab, locate the "What to log in addition to scanning activity:" label. Ensure the "Failure to scan encrypted files" option is selected. Criteria: If the "Failure to scan encrypted files" option is selected, this is not a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: HKLM\Software\McAfee\ (32-bit) HKLM\Software\Wow6432Node\McAfee\ (64-bit) SystemCore\VSCore\On Access Scanner\McShield\Configuration Criteria: If the value ReportEncryptedFiles is 1, this is not a finding. If the value is 0, this is a finding.
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. On the menu bar, click Task->On-Access Scanner Properties. Select the General Settings. Under the Reports tab, locate the "What to log in addition to scanning activity:" label. Select the "Failure to scan encrypted files" option. Click OK to Save.
NOTE: Automatic updates to antivirus signature definitions are to be performed once every 24 hours for hosts connected to the network. Hosts not connected to the network must be updated manually. Access the local VirusScan console by clicking Start >> All Programs >> McAfee >> VirusScan Console. Under the “Task” column, right-click on the “AutoUpdate” option, select “Properties”. Click the “Schedule” button. On the “Task” tab, the selection for "Enable (scheduled task runs at specified time)" must be selected. On the “Schedule” tab, the "Run task:" option must be configured with “Daily”. Alternative Registry method: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\McAfee for 32-bit systems HKLM\Software\Wow6432Node\McAfee for 64-bit systems \DesktopProtection\Tasks\{A14CD6FC-3BA8-4703-87BF-e3247CE382F5} Criteria: If “bSchedEnabled=1” (indicates Scheduling is enabled) and “eScheduleType=0” (indicates Daily), this is not a finding. If “bSchedEnabled=0” (indicates Scheduling is not enabled), this is a finding. If the “AutoUpdate” task schedule is not enabled, or is not configured to run at a frequency of “Daily”, this is a finding.
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. Under the Task column, find the AutoUpdate option, right-click, and choose Properties. Click the Schedule button. On the Task tab, select "Enable (scheduled task runs at specified time)". On the Schedule tab, the "Run task:" option must be configured with Daily. Click OK to save.
Note: If an email client is not running on this system, this check can be marked as Not Applicable. Access the local VirusScan console by clicking Start >> All Programs >> McAfee >> VirusScan Console. Under the Task column, select the On-Delivery Email Scanner option. Under the Status column next to the On-Delivery Email Scanner option, ensure status shows "Enabled". Criteria: If the "On-Delivery Email Scanner" status is "Enabled", this is not a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: HKLM\Software\McAfee\ (32-bit) HKLM\Software\Wow6432Node\McAfee\ (64-bit) SystemCore\VSCore\Email Scanner\Outlook\OnDelivery\GeneralOptions Criteria: If the value bEnabled is 1, this is not a finding. If the value is 0, this is a finding.
Access the local VirusScan console by clicking Start >> All Programs >> McAfee >> VirusScan Console. Under the Task column, select the On-Delivery Email Scanner Option, right-click, and select "Enable". Click OK to Save.
Note: If an email client is not running on this system, this check can be marked as Not Applicable. Access the local VirusScan console by clicking Start >> All Programs >> McAfee >> VirusScan Console. Under the Task column, select the On-Delivery Email Scanner Option, right-click, and select Properties. Under the Scan Items tab, locate the "Heuristics:" label. Ensure the "Find unknown program threats and trojans" option is selected. Criteria: If the "Find unknown program threats and trojans" option is selected, this is not a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: HKLM\Software\McAfee\ (32-bit) HKLM\Software\Wow6432Node\McAfee\ (64-bit) SystemCore\VSCore\Email Scanner\Outlook\OnDelivery\DetectionOptions Criteria: If the value dwProgramHeuristicsLevel is 1, this is not a finding. If the value is 0, this is a finding.
Access the local VirusScan console by clicking Start >> All Programs >> McAfee >> VirusScan Console. Under the Task column, select the On-Delivery Email Scanner Option, right-click, and select Properties. Under the Scan Items tab, locate the "Heuristics:" label. Select the "Find unknown program threats and trojans" option. Click OK to Save.
Note: If an email client is not running on this system, this check can be marked as Not Applicable. Access the local VirusScan console by clicking Start >> All Programs >> McAfee >> VirusScan Console. Under the Task column, select the On-Delivery Email Scanner Option, right-click, and select Properties. Under the Scan Items tab, locate the "Heuristics:" label. Ensure the "Find unknown macro threats" option is selected. Criteria: If the "Find unknown macro threats" option is selected, this is not a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: HKLM\Software\McAfee\ (32-bit) HKLM\Software\Wow6432Node\McAfee\ (64-bit) SystemCore\VSCore\Email scanner\Outlook\OnDelivery\DetectionOptions Criteria: If the value dwMacroHeuristicsLevel is 1, this is not a finding. If the value is 0, this is a finding.
Access the local VirusScan console by clicking Start >> All Programs >> McAfee >> VirusScan Console. Under the Task column, select the On-Delivery Email Scanner Option, right-click, and select Properties. Under the Scan Items tab, locate the "Heuristics:" label. Select the "Find unknown macro threats" option. Click OK to Save.
Note: If an email client is not running on this system, this check can be marked as Not Applicable. Access the local VirusScan console by clicking Start >> All Programs >> McAfee >> VirusScan Console. Under the Task column, select the On-Delivery Email Scanner Option, right-click, and select Properties. Under the Scan Items tab, locate the "Compressed files:" label. Ensure the "Decode MIME encoded files" option is selected. Criteria: If the "Decode MIME encoded files" option is selected, this is not a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: HKLM\Software\McAfee\ (32-bit) HKLM\Software\Wow6432Node\McAfee\ (64-bit) SystemCore\VSCore\Email Scanner\Outlook\OnDelivery\DetectionOptions Criteria: If the value ScanMime is 1, this is not a finding. If the value is 0, this is a finding.
Access the local VirusScan console by clicking Start >> All Programs >> McAfee >> VirusScan Console. Under the Task column, select the On-Delivery Email Scanner Option, right-click, and select Properties. Under the Scan Items tab, locate the "Compressed files:" label. Select the "Decode MIME encoded files" option. Click OK to Save.
Note: If an email client is not running on this system, this check can be marked as Not Applicable. Access the local VirusScan console by clicking Start >> All Programs >> McAfee >> VirusScan Console. Under the Task column, select the On-Delivery Email Scanner Option, right-click, and select Properties. Under the Scan Items tab, locate the "Email message body (Setting for Outlook Scanner Only):" label. Ensure the "Scan email message body" option is selected. Criteria: If the option "Scan email message body" is selected, this is not a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: HKLM\Software\McAfee\ (32-bit) HKLM\Software\Wow6432Node\McAfee\ (64-bit) SystemCore\VSCore\Email Scanner\Outlook\OnDelivery\DetectionOptions Criteria: If the value ScanMessageBodies is 1, this is not a finding. If the value is 0, this is a finding.
Access the local VirusScan console by clicking Start >> All Programs >> McAfee >> VirusScan Console. Under the Task column, select the On-Delivery Email Scanner Option, right-click, and select Properties. Under the Scan Items tab, locate the "Email message body (Setting for Outlook Scanner Only):" label. Select the "Scan email message body" option. Click OK to Save.
Note: If an email client is not running on this system, this check can be marked as Not Applicable. Access the local VirusScan console by clicking Start >> All Programs >> McAfee >> VirusScan Console. Under the Task column, select the On-Delivery Email Scanner Option, right-click, and select Properties. Under the Actions tab, locate the "When a threat is found:" label. Ensure the "Perform this action first:" pull down menu has "Clean attachments" selected. Criteria: If "Clean attachments" is selected for "Perform this action first", this is not a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: HKLM\Software\McAfee\ (32-bit) HKLM\Software\Wow6432Node\McAfee\ (64-bit) SystemCore\VSCore\Email Scanner\Outlook\OnDelivery\ActionOptions Criteria: If the value for uAction is not 5, this is a finding.
Access the local VirusScan console by clicking Start >> All Programs >> McAfee >> VirusScan Console. Under the Task column, select the On-Delivery Email Scanner Option, right-click, and select Properties. Under the Actions tab, locate the "When a threat is found:" label. From the "Perform this action first:" pull down menu, select "Clean attachments". Click OK to Save.
Note: If an email client is not running on this system, this check can be marked as Not Applicable. Access the local VirusScan console by clicking Start >> All Programs >> McAfee >> VirusScan Console. Under the Task column, select the On-Delivery Email Scanner Option, right-click, and select Properties. Under the Reports tab, locate the "Log file" label. Ensure "Enable activity logging and accept the default location for the log file or specify a new location" is selected. Criteria: If the option "Enable activity logging and accept the default location for the log file or specify a new location" is selected, this is not a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: HKLM\Software\McAfee\ (32-bit) HKLM\Software\Wow6432Node\McAfee\ (64-bit) SystemCore\VSCore\Email Scanner\Outlook\OnDelivery\ReportOptions Criteria: If the value bLogToFile is 1, this is not a finding. If the value is 0, this is a finding.
Access the local VirusScan console by clicking Start >> All Programs >> McAfee >> VirusScan Console. Under the Task column, select the On-Delivery Email Scanner Option, right-click, and select Properties. Under the Reports tab, locate the "Log file" label. Select the "Enable activity logging and accept the default location for the log file or specify a new location." option. Click OK to Save.
Access the local VirusScan console by clicking Start >> All Programs >> McAfee >> VirusScan Console. Under the Task column, select the On-Delivery Email Scanner Option, right-click, and select Properties. Under the Reports tab, locate the "Log file size" label. Criteria: If the "Limit the size of log file" is checked and the "Maximum log file size:" is at least 10MB, this is not a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: HKLM\Software\McAfee\ (32-bit) HKLM\Software\Wow6432Node\McAfee\ (64-bit) SystemCore\VSCore\Email Scanner\Outlook\OnDelivery\ReportOptions Criteria: If both the value of bLimitSize is 1 and the value of dwMaxLogSizeMB is at least decimal (10), this is not a finding.
Access the local VirusScan console by clicking Start >> All Programs >> McAfee >> VirusScan Console. Under the Task column, select the On-Delivery Email Scanner Option, right-click, and select Properties. Under the Reports tab, locate the "Log file" label. Select the "Limit the size of log file" option. For the "Maximum log file size:" select a value of at least 10MB. Click OK to Save.
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. In the console window, under Task, with the assistance of the System Administrator, identify the weekly on-demand client scan task. Right-click the Task and select Properties. Under the Scan Locations tab, in the box under the "Specify where scanning takes place." label, ensure both "All fixed drives" or "All local drives" and "Running processes" options are included. Criteria: If "All fixed drives" or "All local drives" and "Running processes" are displayed in the configuration for the daily or weekly On Demand Scan, this is not a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: HKLM\Software\McAfee\ (32-bit) HKLM\Software\Wow6432Node\McAfee\ (64-bit) DesktopProtection\Tasks Under the DesktopProtection\Tasks, with the assistance of the System Administrator, review each GUID key's szTaskName to find the GUID key associated with the weekly on-demand client scan task. Criteria: If, under the applicable GUID key, there exists a szScanItem with a REG_SZ value of "FixedDrives" or "LocalDrives" and a szScanItem with a REG_SZ value of "SpecialMemory", this is not a finding.
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. In the console window, under Task, with the assistance of the System Administrator, identify the weekly on-demand client scan task. Right-click the Task and select Properties. Under the Scan Locations tab, in the box under the "Specify where scanning takes place." label, click the "Add" button and add "All fixed drives" or "All local drives" and "Running processes" options from the drop-down selection. Click OK to save.
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. In the console window, under Task, with the assistance of the System Administrator, identify the weekly on-demand client scan task. Right-click the Task and select Properties. Under the Scan Locations tab, locate the "Scan options:" label. Ensure the "Include subfolders" option is selected. Criteria: If "Include subfolders" is selected, this is not a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: HKLM\Software\McAfee\ (32-bit) HKLM\Software\Wow6432Node\McAfee\ (64-bit) DesktopProtection\Tasks Under the DesktopProtection\Tasks, and with the assistance of the System Administrator, review each GUID key's szTaskName to find the GUID key associated with weekly on-demand client scan task. Criteria: If, under the applicable GUID key, the bScanSubdirs has value of 0, this is a finding.
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. In the console window, under Task, with the assistance of the System Administrator, identify the weekly on-demand client scan task. Right-click the Task and select Properties. Under the Scan Locations tab, locate the "Scan options:" label. Select the "Include subfolders" option. Click OK to Save.
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. In the console window, under Task, with the assistance of the System Administrator, identify the weekly on-demand client scan task. Right-click the Task and select Properties. Under the Scan Locations tab, locate the "Scan options:" label. Ensure the "Scan boot sectors" option is selected. Criteria: If "Scan boot sectors" is selected, this is not a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: HKLM\Software\McAfee\ (32-bit) HKLM\Software\Wow6432Node\McAfee\ (64-bit) DesktopProtection\Tasks Under the DesktopProtection\Tasks, and with the assistance of the System Administrator, review each GUID key's szTaskName to find the GUID key associated with weekly on-demand client scan task. Criteria: If, under the applicable GUID key, the bSkipBootScan has value of 1, this is a finding.
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. In the console window, under Task, find and select the scheduled task that shows a Status of "Daily" or "Weekly" or any frequency other than "Not Scheduled". Right-click the Task and select Properties. Under the Scan Locations tab, locate the "Scan options:" label. Select the "Scan boot sectors" option. Click OK to Save.
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. In the console window, under Task, with the assistance of the System Administrator, identify the weekly on-demand client scan task. Right-click the Task and select Properties. Under the Scan Items tab, locate the "File types to scan:" label. Ensure the "All files" option is selected. Criteria: If "All files" is selected, this is not a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: HKLM\Software\McAfee\ (32-bit) HKLM\Software\Wow6432Node\McAfee\ (64-bit) DesktopProtection\Tasks Under the DesktopProtection\Tasks, and with the assistance of the System Administrator, review each GUID key's szTaskName to find the GUID key associated with weekly on-demand client scan task. Criteria: If, under the applicable GUID key, the bScanAllFiles has value of 0, this is a finding.
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. In the console window, under Task, with the assistance of the System Administrator, identify the weekly on-demand client scan task. Right-click the Task and select Properties. Under the Scan Item tab, locate the "File types to scan:" label. Select the "All files" option. Click OK to Save.
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. In the console window, under Task, with the assistance of the System Administrator, identify the weekly on-demand client scan task. Right-click the Task and select Properties. Under the Exclusions tab, locate the "What not to scan:" label. Ensure that no items are listed in this area. If any items are listed, they must be documented with, and approved by, the local ISSO/ISSM/DAA. Criteria: If no items are listed in the "What not to scan:" area, this is not a finding. If excluded items exist, and they are documented with and approved by the ISSO/ISSM/DAA, this is not a finding. If excluded items exist, and they are not documented with and approved by the ISSO/ISSM/DAA, this is a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: HKLM\Software\McAfee\ (32-bit) HKLM\Software\Wow6432Node\McAfee\ (64-bit) DesktopProtection\Tasks Under the DesktopProtection\Tasks, and with the assistance of the System Administrator, review each GUID key's szTaskName to find the GUID key associated with weekly on-demand client scan task. Criteria: If, under the applicable GUID key, the NumExcludeItems has value of 0, this is not a finding. If the NumExcludeItems has value other than 0, and they are documented with and approved by the ISSO/ISSM/DAA, this is not a finding. If the NumExcludeItems has value other than 0, and they are not documented with and approved by the ISSO/ISSM/DAA, this is a finding.
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. In the console window, under Task, with the assistance of the System Administrator, identify the weekly on-demand client scan task. Right-click on the Task and select Properties. Under the Exclusions tab, locate the "What not to scan:" label, remove any items. Click OK to Save.
NOTE: This setting must be configured. Exclusions for specific extensions may be created. Exclusions must be documented with, and approved by, the local ISSO/ISSM. Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. In the console window, under Task, with the assistance of the System Administrator, identify the weekly on-demand client scan task. Right-click the Task and select Properties. Under the Scan Items tab, locate the "Options:" label. Ensure the "Scan inside archives (e.g. .ZIP)" option is selected. Criteria: If "Scan inside archives (e.g. .ZIP)" is selected, this is not a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: HKLM\Software\McAfee\ (32-bit) HKLM\Software\Wow6432Node\McAfee\ (64-bit) DesktopProtection\Tasks Under the DesktopProtection\Tasks, and with the assistance of the System Administrator, review each GUID key's szTaskName to find the GUID key associated with weekly on-demand client scan task. Criteria: If, under the applicable GUID key, the ScanArchives has value of 0, this is a finding.
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. In the console window, under Task, with the assistance of the System Administrator, identify the weekly on-demand client scan task. Right-click the Task and select Properties. Under the Scan Items tab, locate the "Options:" label. Select the "Scan inside archives (e.g. .ZIP)" option. Click OK to Save.
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. In the console window, under Task, with the assistance of the System Administrator, identify the weekly on-demand client scan task. Right-click the Task and select Properties. Under the Scan Items tab, locate the "Options:" label. Ensure the "Decode MIME encoded files" option is selected. Criteria: If "Decode MIME encoded files" is selected, this is not a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: HKLM\Software\McAfee\ (32-bit) HKLM\Software\Wow6432Node\McAfee\ (64-bit) DesktopProtection\Tasks Under the DesktopProtection\Tasks, and with the assistance of the System Administrator, review each GUID key's szTaskName to find the GUID key associated with weekly on-demand client scan task. Criteria: If, under the applicable GUID key, the ScanMime has value of 0, this is a finding.
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. In the console window, under Task, with the assistance of the System Administrator, identify the weekly on-demand client scan task. Right-click the Task and select Properties. Under the Scan Items tab, locate the "Options:" label. Select the "Decode MIME encoded files" option. Click OK to Save.
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. In the console window, under Task, with the assistance of the System Administrator, identify the weekly on-demand client scan task. Right-click the Task and select Properties. Under the Scan Items tab, locate the "Heuristics: " label. Ensure the "Find unknown program threats" option is selected. Criteria: If "Find unknown program threats" is selected, this is not a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: HKLM\Software\McAfee\ (32-bit) HKLM\Software\Wow6432Node\McAfee\ (64-bit) DesktopProtection\Tasks Under the DesktopProtection\Tasks, and with the assistance of the System Administrator, review each GUID key's szTaskName to find the GUID key associated with weekly on-demand client scan task. Criteria: If, under the applicable GUID key, the dwProgramHeuristicsLevel has value of 0, this is a finding.
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. In the console window, under Task, with the assistance of the System Administrator, identify the weekly on-demand client scan task. Right-click the Task and select Properties. Under the Scan Items tab, locate the "Heuristics:" label. Select the "Find unknown program threats" option. Click OK to Save.
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. In the console window, under Task, with the assistance of the System Administrator, identify the weekly on-demand client scan task. Right-click the Task and select Properties. Under the Scan Items tab, locate the "Heuristics:" label. Ensure the "Find unknown macro threats" option is selected. Criteria: If "Find unknown macro threats" is selected, this is not a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: HKLM\Software\McAfee\ (32-bit) HKLM\Software\Wow6432Node\McAfee\ (64-bit) DesktopProtection\Tasks Under the DesktopProtection\Tasks, and with the assistance of the System Administrator, review each GUID key's szTaskName to find the GUID key associated with weekly on-demand client scan task. Criteria: If, under the applicable GUID key, the dwMacroHeuristicsLevel has value of 0, this is a finding.
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. In the console window, under Task, with the assistance of the System Administrator, identify the weekly on-demand client scan task. Right-click the Task and select Properties. Under the Scan Items tab, locate the "Heuristics:" label. Select the "Find unknown macro threats" option. Click OK to Save.
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. In the console window, under Task, with the assistance of the System Administrator, identify the weekly on-demand client scan task. Right-click the Task and select Properties. Under the Actions tab, locate the "When a threat is found:" label. Ensure that from the "Perform this action first:" pull down menu, "Clean" is selected. Criteria: If "Clean" is selected for "Perform this action first", this is not a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: HKLM\Software\McAfee\ (32-bit) HKLM\Software\Wow6432Node\McAfee\ (64-bit) DesktopProtection\Tasks Under the DesktopProtection\Tasks, and with the assistance of the System Administrator, review each GUID key's szTaskName to find the GUID key associated with weekly on-demand client scan task. Criteria: If, under the applicable GUID key, the uAction does not have a value of 5, this is a finding.
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. In the console window, under Task, with the assistance of the System Administrator, identify the weekly on-demand client scan task. Right-click the Task and select Properties. Under the Actions tab, locate the "When a threat is found:" label. From the "Perform this action first:" pull down menu, select "Clean". Click OK to Save.
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. In the console window, under Task, with the assistance of the System Administrator, identify the weekly on-demand client scan task. Right-click the Task and select Properties. Under the Actions tab, locate the "When a threat is found:" label. Ensure that from the "If the first action fails, then perform this action:" pull down menu, "Delete" is selected. Criteria: If "Delete" is selected for "If the first action fails, then perform this action:", this is not a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: HKLM\Software\McAfee\ (32-bit) HKLM\Software\Wow6432Node\McAfee\ (64-bit) DesktopProtection\Tasks Under the DesktopProtection\Tasks, and with the assistance of the System Administrator, review each GUID key's szTaskName to find the GUID key associated with weekly on-demand client scan task. Criteria: If, under the applicable GUID key, the uSecAction does not have a value of 4, this is a finding.
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. In the console window, under Task, with the assistance of the System Administrator, identify the weekly on-demand client scan task. Right-click the Task and select Properties. Under the Actions tab, locate the "When a threat is found:" label. From the "If the first action fails, then perform this action:" pull down menu, select "Delete". Click OK to Save.
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. In the console window, under Task, with the assistance of the System Administrator, identify the weekly on-demand client scan task. Right-click the Task and select Properties. Under the Reports tab, locate the "Log File" label. Ensure the "Enable activity logging and accept the default location for the log file or specify a new location" option is selected. Criteria: If "Enable activity logging and accept the default location for the log file or specify a new location" is selected, this is not a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: HKLM\Software\McAfee\ (32-bit) HKLM\Software\Wow6432Node\McAfee\ (64-bit) DesktopProtection\Tasks Under the DesktopProtection\Tasks, and with the assistance of the System Administrator, review each GUID key's szTaskName to find the GUID key associated with weekly on-demand client scan task. Criteria: If, under the applicable GUID key, the bLogToFile does not have a value of 1, this is a finding.
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. In the console window, under Task, with the assistance of the System Administrator, identify the weekly on-demand client scan task. Right-click the Task and select Properties. Under the Reports tab, locate the "Log file" label. Select the "Enable activity logging and accept the default location for the log file or specify a new location" option. Click OK to Save.
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. In the console window, under Task, with the assistance of the System Administrator, identify the weekly on-demand client scan task. Right-click the Task and select Properties. Under the Reports tab, locate the "Log file" label. Criteria: If the "Limit the size of log file" option is selected and the "Maximum log file size:" is at least 10MB, this is not a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: HKLM\Software\McAfee\ (32-bit) HKLM\Software\Wow6432Node\McAfee\ (64-bit) DesktopProtection\Tasks Under the DesktopProtection\Tasks, and with the assistance of the System Administrator, review each GUID key's szTaskName to find the GUID key associated with weekly on-demand client scan task. Criteria: If, under the applicable GUID key, the bLimitSize value is not 1, this is a finding. If the uKilobytes is less than 10240 (Decimal), this is a finding. If the bLimitSize value is 1 and the uKilobytes value is 10240 (Decimal) or more, this is not a finding.
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. In the console window, under Task, with the assistance of the System Administrator, identify the weekly on-demand client scan task. Right-click the Task and select Properties. Under the Reports tab, locate the "Log file" label. Select the "Limit the size of log file" option. Under "Maximum log file size:", choose a value of at least 10MB. Click OK to Save.
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. In the console window, under Task, with the assistance of the System Administrator, identify the weekly on-demand client scan task. Right-click the Task and select Properties. Under the Reports tab, locate the "What to log in addition to scanning activity:" label. Ensure the "Failure to scan encrypted files" option is selected. Criteria: If the "Failure to scan encrypted files" option is selected, this is not a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: HKLM\Software\McAfee\ (32-bit) HKLM\Software\Wow6432Node\McAfee\ (64-bit) DesktopProtection\Tasks Under the DesktopProtection\Tasks, and with the assistance of the System Administrator, review each GUID key's szTaskName to find the GUID key associated with weekly on-demand client scan task. Criteria: If, under the applicable GUID key, the value bLogScanEncryptFail is not set to 1, this is a finding.
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. In the console window, under Task, with the assistance of the System Administrator, identify the weekly on-demand client scan task. Right-click the Task and select Properties. Under the Reports tab, locate the "What to log in addition to scanning activity:" label. Select the "Failure to scan encrypted files" option. Click OK to Save
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. In the console window, under Task, with the assistance of the System Administrator, identify the weekly on-demand client scan task. Right-click the Task and select Properties. Click on the Schedule button. Under the Task tab, under "Schedule Settings", ensure the "Enable (scheduled task runs at a specified time)" option is selected. Under the Schedule tab, ensure the "Run Task:" option is set to at "Weekly" or more frequent. Criteria: If the "Enable (scheduled task runs at a specified time)" option is selected and the "Schedule Type:" is at least "Weekly", or more frequent, this is not a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: HKLM\Software\McAfee\ (32-bit) HKLM\Software\Wow6432Node\McAfee\ (64-bit) DesktopProtection\Tasks Under the DesktopProtection\Tasks, and with the assistance of the System Administrator, review each GUID key's szTaskName to find the GUID key associated with weekly on demand client scan task. Criteria: If the value for bSchedEnabled is not 1, this is a finding. If the value for eScheduletype is not either 0 or 1, this is a finding. If the value for bSchedEnabled is 1 and the value for eScheduletype is 0 or 1 this is not a finding.
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. In the console window, under Task, with the assistance of the System Administrator, identify the weekly on-demand client scan task. Right-click the Task and select Properties. Click on the Schedule button. Under the Task tab, select "Enabled". Under the Schedule tab, find the "Run Task: " label and set to at least "Weekly". Click OK to Save.
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. On the menu bar, click Task->On-Access Scanner Properties. Select the General Settings. Under the ScriptScan tab, locate the "ScriptScan:" label. Ensure the "Enable scanning of scripts" option is selected. Criteria: If the "Enable scanning of scripts" option is selected, this is not a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: HKLM\Software\McAfee\ (32-bit) HKLM\Software\Wow6432Node\McAfee\ (64-bit) SystemCore\VSCore\Script Scanner Criteria: If the value of ScriptScanEnabled is 1, this is not a finding. If the value is 0, this is a finding.
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. On the menu bar, click Task->On-Access Scanner Properties. Select the General Settings. Under the ScriptScan tab, locate the "ScriptScan:" label. Select the "Enable scanning of scripts" option. Click OK to Save.
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. On the menu bar, click Task->On-Access Scanner Properties. Select the General Settings. Under the Blocking tab, locate the "Block" label. Ensure the "Block the connection when a threat is detected in a shared folder" option is selected. Criteria: If the "Block the connection when a threat is detected in a shared folder" option is selected, this is not a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: HKLM\Software\McAfee\ (32-bit) HKLM\Software\Wow6432Node\McAfee\ (64-bit) SystemCore\VSCore\On Access Scanner\BehaviourBlocking Criteria: If the value of VSIDBlock is 1, this is not a finding. If the value is 0, this is a finding.
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. On the menu bar, click Task->On-Access Scanner Properties. Select the General Settings. Under the Blocking tab, locate the "Block" label. Select the "Block the connection when a threat is detected in a shared folder" option. Click OK to Save.
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. On the menu bar, click Task->On-Access Scanner Properties. Select the General Settings. Under the Blocking tab, locate the "Block" label. Ensure the "Unblock connections after (minutes)" is set to no less than 30 minutes. Criteria: If the "Unblock connections after (minutes)" option is configured to no less than 30 minutes, this is not a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: HKLM\Software\McAfee\ (32-bit) HKLM\Software\Wow6432Node\McAfee\ (64-bit) SystemCore\VSCore\On Access Scanner\BehaviourBlocking Criteria: If the value of VSIDBlockTimeout >= to HEX 1E, this is not a finding.
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. On the menu bar, click Task->On-Access Scanner Properties. Select the General Settings. Under the Blocking tab, locate the "Block" label. Enter a value in "Unblock connections after (minutes)" where x is set to no less than 30 minutes. Click OK to Save.
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. On the menu bar, click Task->On-Access Scanner Properties. Select the General Settings. Under the Blocking tab, locate the "Block" label. Ensure the "Block the connection when a file with a potentially unwanted program is detected in a shared folder" is checked. Criteria: If the "Block the connection when a file with a potentially unwanted program is detected in a shared folder" option is selected, this is not a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: HKLM\Software\McAfee\ (32-bit) HKLM\Software\Wow6432Node\McAfee\ (64-bit) SystemCore\VSCore\On Access Scanner\BehaviourBlocking Criteria: If the value of VSIDBlockOnNonVirus is 1, this is not a finding. If the value is 0, this is a finding.
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. On the menu bar, click Task->On-Access Scanner Properties. Select the General Settings. Under the Blocking tab, locate the "Block" label. Select the "Block the connection when a file with a potentially unwanted program is detected in a shared folder" option. Click OK to Save.
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. On the menu bar, click Task->On-Access Scanner Properties. Select All Processes. Under the Processes tab, ensure the "Configure one scanning policy for all processes" is selected. Criteria: If the "Configure one scanning policy for all processes" option is selected, this is not a finding. If the "Configure one scanning policy for all processes" option is not selected, and the use of Low-Risk Processes/High-Risk processes has been documented with, and approved by, the IAO/IAM, this is not a finding. If the "Configure one scanning policy for all processes" option is not selected, and the use of Low-Risk Processes/High-Risk processes has not been documented/approved by the IAO/IAM, this is a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: HKLM\Software\McAfee\ (32-bit) HKLM\Software\Wow6432Node\McAfee\ (64-bit) SystemCore\VSCore\On Access Scanner\McShield\Configuration Criteria: If the value OnlyUseDefaultConfig is 1, this is not a finding. If the value is 0 and the use of Low-Risk Processes/High-Risk processes has not been documented and approved by the IAO/IAM, this is a finding.
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. On the menu bar, click Task->On-Access Scanner Properties. Select All Processes. Under the Processes tab, select the "Configure one scanning policy for all processes" option. Click OK to Save.
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. On the menu bar, click Task->On-Access Scanner Properties. Select All Processes. Under the Scan Items tab, locate the "Scan files:" label. Ensure the "When writing to disk" is selected. Criteria: If the "When writing to disk" option is selected, this is not a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: HKLM\Software\McAfee\ (32-bit) HKLM\Software\Wow6432Node\McAfee\ (64-bit) SystemCore\VSCore\On Access Scanner\McShield\Configuration\Default Criteria: If the value bScanIncoming is 1, this is not a finding. If the value is 0, this is a finding.
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. On the menu bar, click Task->On-Access Scanner Properties. Select All Processes. Under the Scan Items tab, locate the "Scan files:" label. Select the "When writing to disk" option. Click OK to Save.
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. On the menu bar, click Task->On-Access Scanner Properties. Select All Processes. Under the Scan Items tab, locate the "Scan files:" label. Ensure the "When reading from disk" is selected. Criteria: If the "When reading from disk" option is selected, this is not a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: HKLM\Software\McAfee\ (32-bit) HKLM\Software\Wow6432Node\McAfee\ (64-bit) SystemCore\VSCore\On Access Scanner\McShield\Configuration\Default Criteria: If the value bScanOutgoing is 1, this is not a finding. If the value is 0, this is a finding.
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. On the menu bar, click Task->On-Access Scanner Properties. Select All Processes. Under the Scan Items tab, locate the "Scan files:" label. Select the "When reading from disk" option. Click OK to Save.
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. On the menu bar, click Task->On-Access Scanner Properties. Select All Processes. Under the Scan Items tab, locate the "What to scan:" label. Ensure the "All Files" radio button is selected. Criteria: If the "All Files" radio button is selected, this is not a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: HKLM\Software\McAfee\ (32-bit) HKLM\Software\Wow6432Node\McAfee\ (64-bit) SystemCore\VSCore\On Access Scanner\McShield\Configuration\Default Criteria: If the value LocalExtensionMode is 1 and the value of NetworkExtensionMode is 1 this is not a finding. If either of these is not 1, this is a finding.
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. On the menu bar, click Task->On-Access Scanner Properties. Select All Processes. Under the Scan Items tab, locate the "What to scan:" label. Select the "All Files" radio button option. Click OK to Save.
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. On the menu bar, click Task->On-Access Scanner Properties. Select All Processes. Under the Scan Items tab, locate the "Heuristics:" label. Ensure the "Find unknown unwanted programs and trojans" option is selected. Criteria: If the "Find unknown unwanted programs and trojans" option is selected, this is not a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: HKLM\Software\McAfee\ (32-bit) HKLM\Software\Wow6432Node\McAfee\ (64-bit) SystemCore\VSCore\On Access Scanner\McShield\Configuration\Default Criteria: If the value dwProgramHeuristicsLevel is 1, this is not a finding. If the value is 0, this is a finding.
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. On the menu bar, click Task->On-Access Scanner Properties. Select All Processes. Under the Scan Items tab, locate the "Heuristics:" label. Select the "Find unknown unwanted programs and trojans" option. Click OK to Save.
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console On the menu bar, click Task->On-Access Scanner Properties. Under the Scan Items tab, locate the "Heuristics:" label. Ensure the "Find unknown macro threats" option is selected. Criteria: If the "Find unknown macro threats" option is selected, this is not a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: HKLM\Software\McAfee\ (32-bit) HKLM\Software\Wow6432Node\McAfee\ (64-bit) SystemCore\VSCore\On Access Scanner\McShield\Configuration\Default Criteria: If the value dwMacroHeuristicsLevel is 1, this is not a finding. If the value is 0, this is a finding.
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. Under the Scan Items tab, locate the "Heuristics:" label. Select the "Find unknown macro threats" option. Click OK to Save.
NOTE: This requirement can be left not configured and marked as Not Applicable if the regularly scheduled on-demand scan, validated under V-6611, DTAM052, includes the scanning of archive files. Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. On the menu bar, click Task->On-Access Scanner Properties. Select All Processes. Under the Scan Items tab, locate the "Compressed files:" label. Ensure the "Scan inside archives (e.g., .ZIP)" option is selected. Criteria: If the "Scan inside archives (e.g., .ZIP)" option is selected, this is not a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: HKLM\Software\McAfee\ (32-bit) HKLM\Software\Wow6432Node\McAfee\ (64-bit) SystemCore\VSCore\On Access Scanner\McShield\Configuration\Default Criteria: If the value ScanArchives is 1, this is not a finding. If the value is 0, this is a finding.
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. On the menu bar, click Task->On-Access Scanner Properties. Select All Processes. Under the Scan Items tab, locate the "Compressed files:" label. Select the "Scan inside archives (e.g., .ZIP)" option. Click OK to Save.
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. On the menu bar, click Task->On-Access Scanner Properties. Select All Processes. Under the Actions tab, locate the "When a threat is found:" label. Ensure for the "Perform this action first:" pull down menu, "Clean files automatically" is selected. Criteria: If "Clean files automatically" is selected from "Perform this action first", this is not a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: HKLM\Software\McAfee\ (32-bit) HKLM\Software\Wow6432Node\McAfee\ (64-bit) SystemCore\VSCore\On Access Scanner\McShield\Configuration\Default Criteria: If the uAction does not have a value of 5, this is a finding.
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. On the menu bar, click Task->On-Access Scanner Properties. Select All Processes. Under the Actions tab, locate the "When a threat is found:" label. For the "Perform this action first:" pull down menu, select "Clean files automatically". Click OK to Save.
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. On the menu bar, click Task->On-Access Scanner Properties. Select All Processes. Under the Actions tab, locate the "When a threat is found:" label. Ensure from the "If the first action fails, then perform this action:" pull down menu, "Delete files automatically" is selected. Criteria: If the "Delete files automatically" is selected for "If the first action fails, then perform this action:", this is not a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: HKLM\Software\McAfee\ (32-bit) HKLM\Software\Wow6432Node\McAfee\ (64-bit) SystemCore\VSCore\On Access Scanner\McShield\Configuration\Default Criteria: If the uSecAction does not have a value of 4, this is a finding.
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. On the menu bar, click Task->On-Access Scanner Properties. Select All Processes. Under the Actions tab, locate the "When a threat is found:" label. From the "If the first action fails, then perform this action:" pull down menu, select "Delete files automatically". Click OK to Save.
Note: If an email client is not running on this system, this check can be marked as Not Applicable. Access the local VirusScan console by clicking Start >> All Programs >> McAfee >> VirusScan Console. Under the Task column, select the On-Delivery Email Scanner Option, right-click, and select Properties. Under the Actions tab, locate the "When an unwanted attachment is found:" label. Ensure for the "Perform this action first:" pull down menu, "Clean attachments" is selected. Criteria: If "Clean attachments" is selected for "Perform this action first", this is not a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: HKLM\Software\McAfee\ (32-bit) HKLM\Software\Wow6432Node\McAfee\ (64-bit) SystemCore\VSCore\Email Scanner\Outlook\OnDelivery\ActionOptions Criteria: If the value for uAction_Program is not 5, this is a finding.
Access the local VirusScan console by clicking Start >> All Programs >> McAfee >> VirusScan Console. Under the Task column, select the On-Delivery Email Scanner Option, right-click, and select Properties. Under the Actions tab, locate the "When an unwanted attachment is found:" label. From the "Perform this action first:" pull down menu, select "Clean attachments". Click OK to Save.
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. In the console window, under Task, with the assistance of the System Administrator, identify the weekly on-demand client scan task. Right-click the Task and select Properties. Under the Scan Items tab, locate the "Options:" label. Ensure the "Detect unwanted programs" option is selected. Criteria: If "Detect unwanted programs" option is selected, this is not a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: HKLM\Software\McAfee\ (32-bit) HKLM\Software\Wow6432Node\McAfee\ (64-bit) DesktopProtection\Tasks Under the DesktopProtection\Tasks, and with the assistance of the System Administrator, review each GUID key's szTaskName to find the GUID key associated with weekly on-demand client scan task. Criteria: If, under the applicable GUID key, the ApplyNVP has a value of 0, this is a finding.
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. In the console window, under Task, with the assistance of the System Administrator, identify the weekly on-demand client scan task. Right-click the Task and select Properties. Under the Scan Items tab, locate the "Options:" label. Select the "Detect unwanted programs" option. Click OK to Save.
NOTE: Buffer Overflow Protection is not installed on 64-bit systems; this check would be Not Applicable to 64-bit systems. NOTE: On 32-bit systems, when Host Intrusion Prevention is also installed, Buffer Overflow Protection will show as "Disabled because a Host Intrusion Prevention product is installed"; this check would be Not Applicable. Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. In the console window, under Task, click Task->Buffer Overflow Protection, right-click, and select Properties. Under the Buffer Overflow Protection tab, locate the "Buffer Overflow settings:" label. Ensure the "Enable buffer overflow protection" option is selected. Criteria: If the "Enable buffer overflow protection" option is selected, this is not a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: HKLM\Software\McAfee\ (32-bit) SystemCore\VSCore\On Access Scanner\BehaviourBlocking Criteria: If the value BOPEnabled is 1, this is not a finding. If the value is 0, this is a finding.
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. In the console window, under Task, click Task->Buffer Overflow Protection, right-click, and select Properties. Under the Buffer Overflow Protection tab, locate the "Buffer Overflow settings:" label. Select the "Enable buffer overflow protection" option. Click OK to Save.
NOTE: Buffer Overflow Protection is not installed on 64-bit systems; this check would be Not Applicable to 64-bit systems. NOTE: On 32-bit systems, when Host Intrusion Prevention is also installed, Buffer Overflow Protection will show as "Disabled because a Host Intrusion Prevention product is installed"; this check would be Not Applicable. Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. In the console window, under Task, click Task->Buffer Overflow Protection, right-click, and select Properties. Under the Buffer Overflow Protection tab, locate the "Buffer Overflow settings:" label. Ensure the "Protection mode" option is selected. Criteria: If the "Protection mode" option is selected, this is not a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: HKLM\Software\McAfee\ (32-bit) SystemCore\VSCore\On Access Scanner\BehaviourBlocking Criteria: If the value BOPMode is 1, this is not a finding. If the value is 0, this is a finding.
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. In the console window, under Task, click Task->Buffer Overflow Protection, right-click, and select Properties. Under the Buffer Overflow Protection tab, locate the "Buffer Overflow settings:" label. Select the "Protection mode" option. Click OK to Save.
NOTE: Buffer Overflow Protection is not installed on 64-bit systems; this check would be Not Applicable to 64-bit systems. NOTE: On 32-bit systems, when Host Intrusion Prevention is also installed, Buffer Overflow Protection will show as "Disabled because a Host Intrusion Prevention product is installed"; this check would be Not Applicable. Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. In the console window, under Task, click Task->Buffer Overflow Protection, right-click, and select Properties. Under the Buffer Overflow Protection tab, locate the "Buffer overflow settings" label. Ensure the "Show the messages dialog box when a buffer overflow is detected" option is selected. Criteria: If the "Show the messages dialog box when a buffer overflow is detected" option is selected, this is not a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: HKLM\Software\McAfee\ (32-bit) SystemCore\VSCore\On Access Scanner\BehaviourBlocking Criteria: If the value BOPShowMessages is 1, this is not a finding. If the value is 0, this is a finding.
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. In the console window, under Task, click Task->Buffer Overflow Protection, right-click, and select Properties. Under the Buffer Overflow Protection tab, locate the "Buffer overflow settings" label. Select the "Show the messages dialog box when a buffer overflow is detected" option. Click OK to Save.
NOTE: Buffer Overflow Protection is not installed on 64-bit systems; this check would be Not Applicable to 64-bit systems. NOTE: On 32-bit systems, when Host Intrusion Prevention is also installed, Buffer Overflow Protection will show as "Disabled because a Host Intrusion Prevention product is installed"; this check would be Not Applicable. Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. In the console window, under Task, click Task->Buffer Overflow Protection, right-click, and select Properties. Under the Reports tab, locate the "Log file" label. Ensure the "Enable activity logging and accept the default location for the log file or specify a new location" option is selected. Criteria: If the "Enable activity logging and accept the default location for the log file or specify a new location" option is selected, this is not a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: HKLM\Software\McAfee\ (32-bit) SystemCore\VSCore\On Access Scanner\BehaviourBlocking Criteria: If the value bLogToFile_Ent is 1, this is not a finding. If the value is 0, this is a finding.
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. In the console window, under Task, click Task->Buffer Overflow Protection, right-click, and select Properties. Under the Reports tab, locate the "Log file" label. Select the "Enable activity logging and accept the default location for the log file or specify a new location" option. Click OK to Save.
OTE: Buffer Overflow Protection is not installed on 64-bit systems; this check would be Not Applicable to 64-bit systems. NOTE: On 32-bit systems, when Host Intrusion Prevention is also installed, Buffer Overflow Protection will show as "Disabled because a Host Intrusion Prevention product is installed"; this check would be Not Applicable. Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. In the console window, under Task, click Task->Buffer Overflow Protection, right-click, and select Properties. Under the Reports tab, locate the "Log File" label. Ensure the "Limit the size of log file" option is selected. Ensure the "Maximum log file size" is at least 10MB. Criteria: If the "Limit the size of log file" option is selected and the "Maximum log file size:" is at least 10MB, this is not a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: HKLM\Software\McAfee\ (32-bit) SystemCore\VSCore\On Access Scanner\BehaviourBlocking Criteria: If the value of bLimitSize_Ent is 1 and dwMaxLogSizeMB_Ent is configured to Decimal (10) or higher, this is not a finding. If the bLogToFile_Ent is 0 or if dwMaxLogSizeMB_Ent is less than Decimal (10), this is a finding.
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. In the console window, under Task, click Task->Buffer Overflow Protection, right-click, and select Properties. Under the Reports tab, locate the "Log file" label. Select the "Limit the size of log file" option. For the "Maximum log file size:", select a value of 10MB or more. Click OK to Save..
Access the local VirusScan console by clicking on Start->All Programs->McAfee->VirusScan Console. Under the Task column, find the Unwanted Programs Policy, right-click, and choose Properties. In the Scan Items tab, ensure the Spyware option is selected. If the Spyware option is not selected, this is a finding. If the Spyware option is selected, this is not a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: HKLM\Software\McAfee\ (32-bit) HKLM\Software\Wow6432Node\McAfee\ (64-bit) SystemCore\VSCore\NVP Criteria: If the value DetectSpyware is 1, this is not a finding.
Access the local VirusScan console by clicking on Start->All Programs->McAfee->VirusScan Console. Under the Task column, find the Unwanted Programs Policy, right-click, and choose Properties. In the Scan Items tab, select the Spyware option. Click OK to save.
Access the local VirusScan console by clicking on Start->All Programs->McAfee->VirusScan Console. Under the Task column, find the Unwanted Programs Policy, right-click, and choose Properties. In the Scan Items tab, ensure the Adware option is selected. If the Adware option is not selected, this is a finding. If the Adware option is selected, this is not a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: HKLM\Software\McAfee\ (32-bit) HKLM\Software\Wow6432Node\McAfee\ (64-bit) SystemCore\VSCore\NVP Criteria: If the value DetectAdware is 1, this is not a finding.
Access the local VirusScan console by clicking on Start->All Programs->McAfee->VirusScan Console. Under the Task column, find the Unwanted Programs Policy, right-click, and choose Properties. In the Scan Items tab, select the Adware option. Click OK to Save.
Access the local VirusScan console by clicking Start >> All Programs >> McAfee >> VirusScan Console. Click Help >> About VirusScan Enterprise. The “About” dialog box will be displayed, showing, among other information, the current DAT version installed and the date of that DAT version. Guidance in DTAM016 requires updates be run daily, automatically or manually. If compliant, the DAT date will be within 24-48 hours old. Since automated update tasks’ success is not guaranteed, the expectation is for update task success to be frequently monitored and corrected when unsuccessful. To allow for that correction, the minimum acceptable threshold for DAT date is not to exceed 7 days. If the DAT date displayed is more than “7” days old, this is a finding. If the vendor or trusted site's files match the date of the signature files on the machine, this is not a finding.
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. Under the Task column, select the AutoUpdate option, right-click, and select "Start".
NOTE: For systems on the SIPRnet, this check is Not Applicable. Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. On the menu bar, click Task->On-Access Scanner Properties. Select the General Settings. Under the General tab, locate the "Artemis (Heuristic network check for suspicious files):" label. Ensure the Sensitivity level is set to "Medium" or higher. Criteria: If the Sensitivity level of "Medium", or higher, is selected, this is not a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: HKLM\Software\McAfee\ (32-bit) HKLM\Software\Wow6432Node\McAfee\ (64-bit) SystemCore\VSCore\On Access Scanner Criteria: If the value of ArtemisEnabled is REG_DWORD = 0, this is a finding. If the value of ArtemisLevel is REG_DWORD = 0 or REG_DWORD = 1, this is a finding. If the value of ArtemisEnabled is REG_DWORD = 1 and the ArtemisLevel is REG_DWORD = 2, 3 or 4, this is not a finding.
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. On the menu bar, click Task->On-Access Scanner Properties. Select the General Settings. Under the General tab, locate the "Artemis (Heuristic network check for suspicious files):" label. Select the "Medium" option. Click OK to Save.
Note: If an email client is not running on this system, this check can be marked as Not Applicable. Access the local VirusScan console by clicking Start >> All Programs >> McAfee >> VirusScan Console. Under the Task column, select the On-Delivery Email Scanner Option, right-click, and select Properties. Under the Actions tab, locate the "When a threat is found:" label. Ensure that from the "If the first action fails, then perform this action:" pull down menu, "Delete attachments" is selected. Criteria: If "Delete attachments" is selected for "If the first action fails, then perform this action:", this is not a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: HKLM\Software\McAfee\ (32-bit) HKLM\Software\Wow6432Node\McAfee\ (64-bit) SystemCore\VSCore\Email Scanner\Outlook\OnDelivery\ActionOptions Criteria: If the value for uSecAction is not 4, this is a finding.
Access the local VirusScan console by clicking Start >> All Programs >> McAfee >> VirusScan Console. Under the Task column, select the On-Delivery Email Scanner Option, right-click, and select Properties. Under the Actions tab, locate the "When a threat is found:" label. From the "If the first action fails, then perform this action:" pull down menu, select "Delete attachments". Click OK to Save.
Note: If an email client is not running on this system, this check can be marked as Not Applicable. Access the local VirusScan console by clicking Start >> All Programs >> McAfee >> VirusScan Console. Under the Task column, select the On-Delivery Email Scanner Option, right-click, and select Properties. Under the Actions tab, locate the "When an unwanted attachment is found:" label. Ensure that from the "If the first action fails, then perform this action:" pull down menu, "Delete attachments" is selected. Criteria: If "Delete attachments" is selected for "If the first action fails, then perform this action:", this is not a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: HKLM\Software\McAfee\ (32-bit) HKLM\Software\Wow6432Node\McAfee\ (64-bit) SystemCore\VSCore\Email Scanner\Outlook\OnDelivery\ActionOptions Criteria: If the value for uSecAction_Program is not 4, this is a finding.
Access the local VirusScan console by clicking Start >> All Programs >> McAfee >> VirusScan Console. Under the Task column, select the On-Delivery Email Scanner Option, right-click, and select Properties. Under the Actions tab, locate the "When an unwanted attachment is found:" label. From the "If the first action fails, then perform this action:" pull down menu, select "Delete attachments". Click OK to Save.
Note: If the HIPS signature 3892 is enabled to provide the "Prevent termination of McAfee processes" protection, this check is not applicable. Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. Under the Task column, select Access Protection, right-click, and select Properties. Under the Access Protection tab, ensure the "Prevent McAfee services from being stopped" option is selected. Criteria: If the "Prevent McAfee services from being stopped" option is selected, this is not a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: HKLM\Software\McAfee\ (32-bit) HKLM\Software\Wow6432Node\McAfee\ (64-bit) SystemCore\VSCore\On Access Scanner\BehaviourBlocking Criteria: If the value of PVSPTEnabled is REG_DWORD = 1, this is not a finding.
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. Under the Task column, select Access Protection, right-click, and select Properties. Under the Access Protection tab, select the "Prevent McAfee services from being stopped" option. Click OK to save.
Note: If DTAM161 "McAfee VirusScan Access Protection Policies must be configured to enable access protection" has been marked as "Not Applicable", this requirement is not applicable. Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. Under the Task column, select Access Protection, right-click, and select Properties. Under the Reports tab, locate the "Log File" label. Ensure the "Enable activity logging and accept the default location for the log file or specify a new location" option is selected. Criteria: If the "Enable activity logging and accept the default location for the log file or specify a new location" option is selected, this is not a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: HKLM\Software\McAfee\ (32-bit) HKLM\Software\Wow6432Node\McAfee\ (64-bit) SystemCore\VSCore\On Access Scanner\BehaviourBlocking Criteria: If the value of bLogToFile is REG_DWORD = 1, this is not a finding.
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. Under the Task column, select Access Protection, right-click, and select Properties. Under the Reports tab, locate the "Log file" label. Select the "Enable activity logging and accept the default location for the log file or specify a new location" option. Click OK to save.
Note: If DTAM161 "McAfee VirusScan Access Protection Policies must be configured to enable access protection" has been marked as "Not Applicable", this check is not applicable. Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. Under the Task column, select Access Protection, right-click, and select Properties. Under the Reports tab, locate the "Log File:" label. Ensure the "Limit the size of log file" option is selected. Ensure the "Maximum log file size" is 10MB or more. Criteria: If the "Limit the size of log file" option is selected and the "Maximum log file size:" is 10MB or more, this is not a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: HKLM\Software\McAfee\ (32-bit) HKLM\Software\Wow6432Node\McAfee\ (64-bit) SystemCore\VSCore\On Access Scanner\BehaviourBlocking Criteria: If the value of bLimitSize is 1 and dwMaxLogSizeMB is configured to Decimal (10) or higher, this is not a finding.
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. Under the Task column, select Access Protection, right-click, and select Properties. Under the Reports tab, locate the "Log File" label. Select the "Limit the size of log file" option. For the "Maximum log file size:", select a value of 10MB or more. Click OK to save.
Note: If the HIPS signature 3898 is enabled to provide this same protection, this check is not applicable. Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. Under the Task column, select Access Protection, right-click, and select Properties. Under the Access Protection tab, locate the "Access protection rules:" label. In the "Categories" box, select "Common Standard Protection". Ensure "Prevent modification of McAfee files and settings" (Block and Report) options are selected. Criteria: If "Prevent modification of McAfee files and settings" (Block and Report) options are both selected, this is not a finding.
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. Under the Task column, select Access Protection, right-click, and select Properties. Under the Access Protection tab, locate the "Access protection rules:" label. In the "Categories" box, select "Common Standard Protection". Select "Prevent modification of McAfee files and settings" (Block and Report) options. Click OK to Save.
Note: If the HIPS signature 3899 is enabled to provide this same protection, this check is not applicable. Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. Under the Task column, select Access Protection, right-click, and select Properties. Under the Access Protection tab, locate the "Access protection rules:" label. In the "Categories" box, select "Common Standard Protection". Ensure "Prevent modification of McAfee Common Management Agent files and settings" (Block and Report) options are selected. Criteria: If "Prevent modification of McAfee Common Management Agent files and settings" (Block and Report) options are both selected, this is not a finding.
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. Under the Task column, select Access Protection, right-click, and select Properties. Under the Access Protection tab, locate the "Access protection rules:" label. In the "Categories" box, select "Common Standard Protection". Select "Prevent modification of McAfee Common Management Agent files and settings" (Block and Report) options. Click OK to Save.
Note: If the HIPS signature 3900 is enabled to provide this same protection, this check is not applicable. Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. Under the Task column, select Access Protection, right-click, and select Properties. Under the Access Protection tab, locate the "Access protection rules:" label. In the "Categories" box, select "Common Standard Protection". Ensure "Prevent modification of McAfee Scan Engine files and settings" (Block and Report) options are both selected. Criteria: If "Prevent modification of McAfee Scan Engine files and settings" (Block and Report) options are both selected, this is not a finding.
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. Under the Task column, select Access Protection, right-click, and select Properties. Under the Access Protection tab, locate the "Access protection rules:" label. In the "Categories" box, select "Common Standard Protection". Select "Prevent modification of McAfee Scan Engine files and settings" (Block and Report) options. Click OK to save.
Note: If the HIPS signature 3892 is enabled to provide this same protection, this check is not applicable. Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. Under the Task column, select Access Protection, right-click, and select Properties. Under the Access Protection tab, locate the "Access protection rules:" label. In the "Categories" box, select "Common Standard Protection". Ensure both "Prevent termination of McAfee processes" (Block and Report) options are selected. Criteria: If both "Prevent termination of McAfee processes" (Block and Report) options are selected, this is not a finding.
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. Under the Task column, select Access Protection, right-click and select Properties. Under the Access Protection tab, locate the "Access protection rules:" label. In the "Categories" box, select "Common Standard Protection". Select "Prevent termination of McAfee processes" (Block and Report) options. Click OK to save.
Note: If the HIPS signatures 7010 and 7035 are enabled to provide this same protection, this check is Not Applicable.Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. Under the Task column, select Access Protection, right-click, and select Properties. Under the Access Protection tab, locate the "Access protection rules:" label. In the "Categories" box, select "Common Standard Protection". Ensure the "Prevent common programs from running files from the Temp folder" (Block and Report) option is selected. Criteria: If the "Prevent common programs from running files from the Temp folder" (Block and Report) option is selected, this is not a finding.
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. Under the Task column, select Access Protection, right-click, and select Properties. Under the Access Protection tab, locate the "Access protection rules:" label. In the "Categories" box, select "Common Standard Protection". Select the "Prevent common programs from running files from the temp folder" (Block and Report) option. Click OK to save.
Note: If the HIPS signature 6051 is enabled to provide this same protection, this check is not applicable. Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. Under the Task column, select Access Protection, right-click, and select Properties. Under the Access Protection tab, locate the "Access protection rules:" label. In the "Categories" box, select "Common Standard Protection". Ensure both "Prevent hooking of McAfee processes" (Block and Report) options are both selected. Criteria: If "Prevent hooking of McAfee processes" (Block and Report) options are both selected, this is not a finding.
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. Under the Task column, select Access Protection, right-click, and select Properties. Under the Access Protection tab, locate the "Access protection rules:" label. In the "Categories" box, select "Common Standard Protection". Select both "Prevent hooking of McAfee processes" (Block and Report) options. Click OK to save.
Note: If the HIPS signature 3910 is enabled to provide this same protection, this check is not applicable. Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. Under the Task column, select Access Protection, right-click, and select Properties. Under the Access Protection tab, locate the "Access protection rules:" label. In the "Categories" box, select "Common Maximum Protection". Ensure the "Prevent launching of files from the Downloaded Program Files folder" (Report) option is selected. Criteria: If the "Prevent launching of files from the Downloaded Program Files folder" (Report) option is selected, this is not a finding.
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. Under the Task column, select Access Protection, right-click, and select Properties. Under the Access Protection tab, locate the "Access protection rules:" label. In the "Categories" box, select "Common Maximum Protection". Select the "Prevent launching of files from the Downloaded Program Files folder" (Report) option. Click OK to Save.
Note: If the HIPS signature 7035 is enabled to provide this same protection, this check is Not Applicable. Access the local VirusScan console by clicking Start >> All Programs >> McAfee >> VirusScan Console. Under the Task column, select Access Protection, right-click, and select Properties. Under the Access Protection tab, locate the "Access protection rules:" label. In the "Categories" box, select "Anti-Spyware Maximum Protection". Ensure the "Prevent execution of scripts from the Temp folder" (Block and Report) option is selected. Criteria: If the "Prevent execution of scripts from the Temp folder" (Block and Report) option is selected, this is not a finding.
Access the local VirusScan console by clicking Start >> All Programs >> McAfee >> VirusScan Console. Under the Task column, select Access Protection, right-click, and select Properties. Under the Access Protection tab, locate the "Access protection rules:" label. In the "Categories" box, select "Anti-Spyware Maximum Protection". Select the "Prevent execution of scripts from the Temp folder" (Block and Report) option. Click OK to save.
Note: If the HIPS signature 3886 is enabled to provide this same protection, this check is Not Applicable. Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. Under the Task column, select Access Protection, right-click, and select Properties. Under the Access Protection tab, locate the "Access protection rules:" label. In the "Categories" box, select "Anti-Virus Standard Protection". Ensure "Prevent remote creation of autorun files" (Block and Report) options are both selected. Criteria: If "Prevent remote creation of autorun files" (Block and Report) options are both selected, this is not a finding.
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. Under the Task column, select Access Protection, right-click, and select Properties. Under the Access Protection tab, locate the "Access protection rules:" label. In the "Categories" box, select "Anti-Virus Standard Protection". Select "Prevent remote creation of autorun files" (Block and Report) options. Click OK to save.
NOTE: If the system being reviewed has the function of sending email via the SMTP protocol, this setting is not applicable. NOTE: Since there is no HIPS signature to provide this same protection, this check is applicable even if HIPS is enabled. Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. Under the Task column, select Access Protection, right-click, and select Properties. Under the Access Protection tab, locate the "Access protection rules:" label. In the "Categories" box, select "Anti-Virus Standard Protection". Ensure "Prevent mass mailing worms from sending email" (Block and Report) options are both selected. Click Edit. Under the "Processes to exclude:" section, verify no processes are listed. If any processes are listed, they must be documented with, and approved by, the IAO/IAM. Criteria: If "Prevent mass mailing worms from sending email" (Block and Report) options are not both selected. This is a finding. If "Prevent mass mailing worms from sending email" (Block and Report) options are both selected, and any listed "Processes to exclude:" are approved by the IAO/IAM, this is not a finding. If "Prevent mass mailing worms from sending email" (Block and Report) options are both selected, but listed "Processes to exclude:" have not been approved by the IAO/IAM, this is a finding.
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. Under the Task column, select Access Protection, right-click, and select Properties. Under the Access Protection tab, locate the "Access protection rules:" label. In the "Categories" box, select "Anti-Virus Standard Protection". Select both "Prevent mass mailing worms from sending email" (Block and Report) options. Click OK to save.
NOTE: If IRC Communication is enabled on a Classified network, in accordance with published Ports, Protocols, and Services Management (PPSM) guidelines, this requirement is not applicable. NOTE: Since there is no HIPS signature to provide this same protection, this check is applicable even if HIPS is enabled. Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. Under the Task column, select Access Protection, right-click, and select Properties. Under the Access Protection tab, locate the "Access protection rules:" label. In the "Categories" box, select "Anti-Virus Standard Protection". Ensure both "Prevent IRC communication" (Block and Report) options are selected. Criteria: If both "Prevent IRC communication" (Block and Report) options are selected, this is not a finding.
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. Under the Task column, select Access Protection, right-click, and select Properties. Under the Access Protection tab, locate the "Access protection rules:" label. In the "Categories" box, select "Anti-Virus Standard Protection". Select both "Prevent IRC communication" (Block and Report) options. Click OK to Save.
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. On the menu bar, click Task->On-Access Scanner Properties. Select the General Settings. Under the ScriptScan tab, locate the "ScriptScan process exclusions:" label. Ensure there are no exclusions listed in the Process field. Criteria: If there are no exclusions listed in the Process field, this is a not finding. If there are exclusions listed in the Process field, and the exclusions have been documented with, and approved by, the ISSO/ISSM/DAA, this is not a finding. If there are exclusions listed in the Process field, and the exclusions have not been documented with, and approved by, the ISSO/ISSM/DAA, this is a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: HKLM\Software\McAfee\ (32-bit) HKLM\Software\Wow6432Node\McAfee\ (64-bit) SystemCore\VSCore\Script Scanner Criteria: If the ExcludedProcesses REG_MULTI_SZ has any entries, and the excluded processes have not been documented with, and approved by, the ISSO/ISSM/DAA, this is a finding.
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. On the menu bar, click Task->On-Access Scanner Properties. Select the General Settings. Under the ScriptScan tab, locate the "ScriptScan process exclusions" label. Remove any exclusions listed in the Process field.
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. On the menu bar, click Task->On-Access Scanner Properties. Select All Processes. Under the Exclusions tab, locate the "What not to scan:" label. Ensure there are no exclusions listed. If exclusions are listed, verify they have been documented and approved by the ISSO/ISSM/AO. Criteria: If there are no exclusions listed in the "What not to scan:" field, this is a not finding. If there are exclusions listed in the "What not to scan:" field, and the exclusions have been documented with, and approved by, the ISSO/ISSM/AO, this is not a finding. If there are exclusions listed in the "What not to scan:" field, and the exclusions have not been documented with, and approved by, the ISSO/ISSM/AO, this is a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: HKLM\Software\McAfee\ (32-bit) HKLM\Software\Wow6432Node\McAfee\ (64-bit) SystemCore\VSCore\On Access Scanner\McShield\Configuration\Default Criteria: If the value NumExcludeItems is 0, this is not a finding. If NumExcludeItems is not 1 or greater, and exclusions have been not been documented with and approved by the ISSO/ISSM/AO, this is a finding. If NumExcludeItems is 1 or greater, and exclusions have been approved by the ISSO/ISSM/AO, this is not a finding.
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. On the menu bar, click Task->On-Access Scanner Properties. Select All Processes. Under the Exclusions tab, locate the "What not to scan:" label. Remove any exclusions listed.
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. In the console window, under Task, with the assistance of the System Administrator, identify the weekly on-demand client scan task. Right-click the Task and select Properties. Under the Scan Locations tab, in the box under the "Specify where scanning takes place." label, ensure the "Memory for rootkits" option is displayed. Criteria: If "Memory for rootkits" is displayed in the in the configuration for the daily or weekly On-Demand Scan, this is not a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: HKLM\Software\McAfee\ (32-bit) HKLM\Software\Wow6432Node\McAfee\ (64-bit) Under the DesktopProtection\Tasks, and with the assistance of the System Administrator, review each GUID key's szTaskName to find the GUID key associated with weekly on demand client scan task. Criteria: If, under the applicable GUID key, there exists a szScanItem with a REG_SZ value of "SpecialScanForRootkits", this is not a finding.
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. In the console window, under Task, with the assistance of the System Administrator, identify the weekly on-demand client scan task. Right-click the Task and select Properties. Under the Scan Locations tab, in the box under the "Specify where scanning takes place." label, select "Memory for rootkits" from the drop-down selection box. Click OK to Save.
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. In the console window, under Task, with the assistance of the System Administrator, identify the weekly on-demand client scan task. Right-click the Task and select Properties. Under the Actions tab, locate the "When an unwanted program is found:" label. Ensure for the "Perform this action first:" pull down menu, "Clean" is selected. Criteria: If "Clean" is selected for "Perform this action first", this is not a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: HKLM\Software\McAfee\ (32-bit) HKLM\Software\Wow6432Node\McAfee\ (64-bit) DesktopProtection\Tasks Under the DesktopProtection\Tasks, and with the assistance of the System Administrator, review each GUID key's szTaskName to find the GUID key associated with weekly on-demand client scan task. Criteria: If, under the applicable GUID key, the uAction_Program does not have a value of 5, this is a finding.
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. In the console window, under Task, with the assistance of the System Administrator, identify the weekly on-demand client scan task. Right-click the Task and select Properties. Under the Actions tab, locate the "When an unwanted program is found:" label. For the "Perform this action first:" pull down menu, select "Clean". Click OK to Save.
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. In the console window, under Task, with the assistance of the System Administrator, identify the weekly on-demand client scan task. Right-click the Task and select Properties. Under the Actions tab, locate the "When an unwanted program is found:" label. Ensure from the "If the first action fails, then perform this action:" pull down menu, "Delete" is selected. Criteria: If "Delete" is selected for "If the first action fails, then perform this action:", this is not a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: HKLM\Software\McAfee\ (32-bit) HKLM\Software\Wow6432Node\McAfee\ (64-bit) DesktopProtection\Tasks Under the DesktopProtection\Tasks, and with the assistance of the System Administrator, review each GUID key's szTaskName to find the GUID key associated with weekly on-demand client scan task. Criteria: If, under the applicable GUID key, the uSecAction_Program does not have a value of 4, this is a finding.
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. In the console window, under Task, with the assistance of the System Administrator, identify the weekly on-demand client scan task. Right-click the Task and select Properties. Under the Actions tab, locate the "When an unwanted program is found:" label. From the "If the first action fails, then perform this action:" pull down menu, select "Delete". Click OK to Save.
Note: For systems on the SIPRnet, this check is Not Applicable. Note: If an email client is not running on this system, this check can be marked as Not Applicable. Access the local VirusScan console by clicking Start >> All Programs >> McAfee >> VirusScan Console. Under the Task column, select the On-Delivery Email Scanner Option, right-click, and select Properties. Under the Scan Items tab, locate the "Artemis (Heuristic network check for suspicious files):" label. Ensure the Sensitivity level is set to "Medium" or higher. Criteria: If the Sensitivity level is set to "Medium" or higher, this is not a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: HKLM\Software\McAfee\ (32-bit) HKLM\Software\Wow6432Node\McAfee\ (64-bit) SystemCore\VSCore\Email Scanner Criteria: If the value of ArtemisEnabled is REG_DWORD = 0, this is a finding. If the value of ArtemisLevel is REG_DWORD = 0 or REG_DWORD = 1, this is a finding. If the value of ArtemisEnabled is REG_DWORD = 1 and the ArtemisLevel is REG_DWORD = 2, 3 or 4, this is not a finding.
Access the local VirusScan console by clicking Start >> All Programs >> McAfee >> VirusScan Console. Under the Task column, select the On-Delivery Email Scanner Option, right-click, and select Properties. Under the Scan Items tab, locate the "Artemis (Heuristic network check for suspicious files):" label. Select the "Medium" option. Click OK to Save.
Note: If an email client is not running on this system, this check can be marked as Not Applicable. Access the local VirusScan console by clicking Start >> All Programs >> McAfee >> VirusScan Console. Under the Task column, select the On-Delivery Email Scanner Option, right-click, and select Properties. Under the Alerts tab, locate the "Email alert:" label. Ensure "Send alert to mail user:" is selected. Click on Configure. Verify the email recipient information is configured for a notification email to be sent to the ISSO, ISSM, ePO administrator, or System Administrator. Criteria: If the option "Email alert:" is selected and the email recipient information is configured for a notification email to be sent to ISSO, ISSM,ePO administrator, or System Administrator, this is not a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: HKLM\Software\McAfee\ (32-bit) HKLM\Software\Wow6432Node\McAfee\ (64-bit) SystemCore\VSCore\Email Scanner\Outlook\OnDelivery\AlertOptions Criteria: If the value bSendMailToUser is 0, this is a finding. If the value for szSendTo is configured to any recipient other than the ISSO, ISSM,ePO Administrator, or System Administrator, this is a finding.
Access the local VirusScan console by clicking Start >> All Programs >> McAfee >> VirusScan Console. Under the Task column, select the On-Delivery Email Scanner Option, right-click, and select Properties. Under the Alerts tab, locate the "Email alert:" label. Click on Configure. Select the "Send alert to mail user:" option. Enter the email recipient information for the notification email to be sent to the ISSO, ISSM,ePO administrator, or System Administrator. Click OK to Save.
Note: If an email client is not running on this system, this check can be marked as Not Applicable. Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. Under the Task column, select the On-Delivery Email Scanner Option, right-click, and select Properties. Under the Reports tab, locate the "What to log in addition to scanning activity" label. Ensure the "Session summary", and "Failure to scan encrypted files", options are both selected. Criteria: If the "Session summary" and "Failure to scan encrypted files" options are selected, this is not a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: HKLM\Software\McAfee\ (32-bit) HKLM\Software\Wow6432Node\McAfee\ (64-bit) SystemCore\VSCore\Email Scanner\Outlook\OnDelivery\ReportOptions Criteria: If the “dwLogEvent” value is not “0x000001a0 (416)”, this is a finding.
Access the local VirusScan console by clicking Start >> All Programs >> McAfee >> VirusScan Console. Under the “Task” column, select the “On-Delivery Email Scanner” Option, right-click, and select “Properties”. Under the “Reports” tab, locate the "What to log in addition to scanning activity:" label. Select the "Session summary" and "Failure to scan encrypted files" options. Click “OK” to save.
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. On the menu bar, click Task->On-Access Scanner Properties. Select the General Settings. Under the ScriptScan tab, locate the "ScriptScan URL exclusions:" label. Ensure there are no URL exclusions listed in the URL field. Criteria: If there are no exclusions listed in the URL field, this is a not finding. If there are exclusions listed in the URL field, and the exclusions have been documented with, and approved by, the ISSO/ISSM/DAA, this is not a finding. If there are exclusions listed in the URL field, and the exclusions have not been documented with, and approved by, the ISSO/ISSM/DAA, this is a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: HKLM\Software\McAfee\ (32-bit) HKLM\Software\Wow6432Node\McAfee\ (64-bit) SystemCore\VSCore\Script Scanner Criteria: If the ExcludedURLs REG_MULTI_SZ has any entries, and the excluded URLs have not been documented with, and approved by, the ISSO/ISSM/DAA, this is a finding.
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. On the menu bar, click Task->On-Access Scanner Properties. Select the General Settings. Under the ScriptScan tab, locate the "ScriptScan exclusions" label. Ensure there are no exclusions listed in the URL field.
NOTE: Access Protection must be enabled in order to afford protection identified in DTAM150 and DTAM151. If HIPS signatures are enabled to provide the same protection as DTAM138, DTAM139, DTAM140, DTAM141, DTAM142, DTAM143, DTAM144, DTAM145, DTAM146, DTAM147, DTAM148 and DTAM149, those checks may be individually marked as not applicable. Under the Access Protection tab, ensure the "Enable Access Protection" option is selected. Criteria: If the "Enable Access Protection" option is not selected, this is a finding. On the client machine use the Windows Registry Editor to navigate to the following key: HKLM\Software\McAfee\ (32-bit) HKLM\Software\Wow6432Node\McAfee\ (64-bit) SystemCore\VSCore\On Access Scanner\BehaviourBlocking Criteria: If the value APEnabled is not set to "1", this is a finding.
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. Under the Task column, select Access Protection, right-click, and select Properties. Under the Access Protection tab, select the "Enable Access Protection" option. Click OK to save.
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. On the menu bar, click Task->On-Access Scanner Properties. Select All Processes. Under the Scan Items tab, locate the "Unwanted programs detection:" label. Ensure the "Detect unwanted programs" option is selected. Criteria: If the "Detect unwanted programs" option is selected, this is not a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: HKLM\Software\McAfee\ (32-bit) HKLM\Software\Wow6432Node\McAfee\ (64-bit) SystemCore\VSCore\On Access Scanner\McShield\Configuration\Default Criteria: If the value ApplyNVP is 1, this is not a finding. If the value is 0, this is a finding.
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. On the menu bar, click Task->On-Access Scanner Properties. Select All Processes. Under the Scan Items tab, locate the "Unwanted programs detection:" label. Place a check in the "Detect unwanted programs" checkbox. Click OK.
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. On the menu bar, click Task->On-Access Scanner Properties. Select All Processes. Under the Actions tab, locate the "When an unwanted program is found:" label. Ensure for the "Perform this action first:" pull down menu, "Clean files automatically" is selected. Criteria: If "Clean files automatically" is selected from "Perform this action first", this is not a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: HKLM\Software\McAfee\ (32-bit) HKLM\Software\Wow6432Node\McAfee\ (64-bit) SystemCore\VSCore\On Access Scanner\McShield\Configuration\Default Criteria: If the uAction_Program does not have a value of 5, this is a finding.
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. On the menu bar, click Task->On-Access Scanner Properties. Select All Processes. Under the Actions tab, locate the "When an unwanted program is found:" label. From the "Perform this action first:" pull down menu, select "Clean files automatically". Click OK to Save.
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. On the menu bar, click Task->On-Access Scanner Properties. Select All Processes. Under the Actions tab, locate the "When an unwanted program is found:" label. Ensure from the "If the first action fails, then perform this action:" pull down menu, "Delete files automatically" is selected. Criteria: If "Delete files automatically" is selected from "If the first action fails, then perform this action:", this is not a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: HKLM\Software\McAfee\ (32-bit) HKLM\Software\Wow6432Node\McAfee\ (64-bit) SystemCore\VSCore\On Access Scanner\McShield\Configuration\Default Criteria: If the uSecAction_Program does not have a value of 4, this is a finding.
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. On the menu bar, click Task->On-Access Scanner Properties. Select All Processes. Under the Actions tab, locate the "When an unwanted program is found:" label. From the "If the first action fails, then perform this action:" pull down menu, select "Delete files automatically". Click OK to Save.
Note: If the HIPS signatures 7010, 7011, 7020 and 7035 are enabled to provide this same protection, this check is Not Applicable. Access the local VirusScan console by clicking Start >> All Programs >> McAfee >> VirusScan Console. Under the Task column, select Access Protection, right-click, and select Properties. Under the Access Protection tab, locate the "Access protection rules:" label. In the "Categories" box, select "Anti-Spyware Maximum Protection". Ensure the "Prevent all programs from running files from the Temp folder" (Block and Report) option is selected. Criteria: If the "Prevent all programs from running files from the Temp folder" (Block and Report) option is selected, this is not a finding.
Access the local VirusScan console by clicking Start >> All Programs >> McAfee >> VirusScan Console. Under the Task column, select Access Protection, right-click, and select Properties. Under the Access Protection tab, locate the "Access protection rules:" label. In the "Categories" box, select "Anti-Spyware Maximum Protection". Select the "Prevent all programs from running files from the Temp folder"(Block and Report) option. Click OK to save.