Cyber · Trackr The Free Compliance Library
⌘K
DoD Compliance · STIG

McAfee VirusScan Managed Client

V4R10 · · · Released 24 Jan 2014 · 70 rules
Compare

Pick two releases to diff their requirements.

View

Open a previous version of this STIG.

Sort by
c
The McAfee VirusScan Control Panel parameters are not configured as required.
SI-3 - High - CCI-001242 - V-6453 - SV-23670r2_rule
RMF Control
SI-3
Severity
H
CCI
CCI-001242
Version
DTAM001
Vuln IDs
  • V-6453
Rule IDs
  • SV-23670r2_rule
This parameter controls if the scan is started at startup.System AdministratorECSC-1
Checks: C-19432r5_chk

From the ePO server console, select Systems tab, select the asset to be checked, select the Policies tab, select from the product pull down list VirusScan Enterprise 8.7.0. Locate in the Category column the On-Access General Policies. Select from the Policy column the policy associated with the On-Access General Policies. Under the General tab, locate the "Enable on-access scanning:" label. Ensure the "Enable on-access scanning at system startup" option is selected. Criteria: If the "Enable on-access scanning at startup" option is selected this is not a finding. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\McAfee\VSCore\On access scanner\McShield\Configuration Criteria: If the value of bStartDisabled is 0, this is not a finding. If the value is 1, this is a finding

Fix: F-19974r1_fix

From the ePO server console, select Systems Tab, select the asset to be checked, select the Policies tab, select from the product pull down list VirusScan Enterprise 8.7.0. Locate in the Category column the On-Access General Policies. Select from the Policy column the policy associated with the On-Access General Policies. Under the General tab, locate the "Enable on-access scanning:" label. Select the "Enable on-access scanning at system startup" option. Select Save.

b
The McAfee VirusScan on access scan parameter for Boot sectors is incorrect.
SI-3 - Medium - CCI-001242 - V-6467 - SV-21320r2_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001242
Version
DTAM002
Vuln IDs
  • V-6467
Rule IDs
  • SV-21320r2_rule
This parameter controls if boot sectors are scanned at startup.System AdministratorECSC-1
Checks: C-23398r1_chk

From the ePO server console, select Systems tab, select the asset to be checked, select the Policies tab, select from the product pull down list VirusScan Enterprise 8.7.0. Locate in the Category column the On-Access General Policies. Select from the Policy column the policy associated with the On-Access General Policies. Under the General tab, locate the "Scan:" label. Ensure the "Boot Sectors" option is selected. Criteria: If the "Boot Sectors" option is selected this is not a finding.

Fix: F-19975r1_fix

From the ePO server console, select Systems tab, select the asset to be checked, select the Policies tab, select from the product pull down list VirusScan Enterprise 8.7.0. Locate in the Category column the On-Access General Policies. Select from the Policy column the policy associated with the On-Access General Policies. Under the General tab, locate the "Scan:" label. Select the "Boot Sectors" option. Select Save.

b
The McAfee VirusScan on access scan parameter for floppy disks is incorrect.
SI-3 - Medium - CCI-001242 - V-6468 - SV-21321r2_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001242
Version
DTAM003
Vuln IDs
  • V-6468
Rule IDs
  • SV-21321r2_rule
This parameter controls the scanning of floppy disks.System AdministratorECSC-1
Checks: C-23400r1_chk

From the ePO server console, select Systems tab, select the asset to be checked, select the Policies tab, select from the product pull down list VirusScan Enterprise 8.7.0. Locate in the Category column the On-Access General Policies. Select from the Policy column the policy associated with the On-Access General Policies. Under the General tab, locate the "Scan:" label. Ensure the "Floppy during shutdown" option is selected. Criteria: If the " Floppy during shutdown " option is selected this is not a finding.

Fix: F-19977r1_fix

From the ePO server console, select Systems tab, select the asset to be checked, select the Policies tab, select from the product pull down list VirusScan Enterprise 8.7.0. Locate in the Category column the On-Access General Policies. Select from the Policy column the policy associated with the On-Access General Policies. Under the General tab, locate the "Scan:" label. Select the " Floppy during shutdown " option. Select Save.

b
The McAfee VirusScan message dialog parameters are not configured as required.
SI-3 - Medium - CCI-001242 - V-6469 - SV-21322r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001242
Version
DTAM004
Vuln IDs
  • V-6469
Rule IDs
  • SV-21322r1_rule
This parameter notifies the user when a virus is detected.System AdministratorECSC-1
Checks: C-23402r1_chk

From the ePO server console, select Systems tab, select the asset to be checked, select the Policies tab, select from the product pull down list VirusScan Enterprise 8.7.0. Locate in the Category column the On-Access General Policies. Select from the Policy column the policy associated with the On-Access General Policies. Under the Messages tab, locate the "User message:" label. Ensure the "Show the messages dialog box when a threat is detected and display the specified text in the message" option is selected. Criteria: If the "Show the messages dialog box when a threat is detected and display the specified text in the message" option is selected this is not a finding.

Fix: F-19980r1_fix

From the ePO server console, select Systems tab, select the asset to be checked, select the Policies tab, select from the product pull down list VirusScan Enterprise 8.7.0. Locate in the Category column the On-Access General Policies. Select from the Policy column the policy associated with the On-Access General Policies. Under the Messages tab, locate the "User message:" label. Select the "Show the messages dialog box when a threat is detected and display the specified text in the message" option. Select Save.

b
The McAfee VirusScan remove messages parameters are not configured as required.
SI-3 - Medium - CCI-001242 - V-6470 - SV-25546r2_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001242
Version
DTAM005
Vuln IDs
  • V-6470
Rule IDs
  • SV-25546r2_rule
This parameter controls if users can remove virus alerts from the display.System AdministratorECSC-1
Checks: C-19436r3_chk

From the ePO server console, select Systems tab, select the asset to be checked, select the Policies tab, select from the product pull down list VirusScan Enterprise 8.7.0. Locate in the Category column the On-Access General Policies. Select from the Policy column the policy associated with the On-Access General Policies. Under the Messages tab, locate the "Actions available to user:" label. Ensure the "Remove messages from the list" option is NOT selected. Criteria: If the "Remove messages from the list" option is NOT selected, this is not a finding. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\McAfee\VSCore\On Access Scanner\mcshield\Configuration Criteria: If the value of Alert_UsersCanRemove is 0, this is not a finding. If the value is 1, this is a finding

Fix: F-19981r1_fix

From the ePO server console, select Systems tab, select the asset to be checked, select the Policies tab, select from the product pull down list VirusScan Enterprise 8.7.0. Locate in the Category column the On-Access General Policies. Select from the Policy column the policy associated with the On-Access General Policies. Under the Messages tab, locate the "Actions available to user:" label. Ensure the "Remove messages from the list" option is NOT selected. Select Save.

b
The McAfee VirusScan Clean Infected file parameter is not configured as required.
Medium - V-6471 - SV-21323r2_rule
RMF Control
Severity
M
CCI
Version
DTAM006
Vuln IDs
  • V-6471
Rule IDs
  • SV-21323r2_rule
This parameter determines if infected files are cleaned.System AdministratorECSC-1
Checks: C-23406r1_chk

From the ePO server console, select Systems tab, select the asset to be checked, select the Policies tab, select from the product pull down list VirusScan Enterprise 8.7.0. Locate in the Category column the On-Access General Policies. Select from the Policy column the policy associated with the On-Access General Policies. Under the Messages tab, locate the "Actions available to user:" label. Ensure the "Clean files" option is selected. Criteria: If the "Clean files" option is selected this is not a finding.

Fix: F-19982r1_fix

From the ePO server console, select Systems tab, select the asset to be checked, select the Policies tab, select from the product pull down list VirusScan Enterprise 8.7.0. Locate in the Category column the On-Access General Policies. Select from the Policy column the policy associated with the On-Access General Policies. Under the Messages tab, locate the "Actions available to user:" label. Select the "Clean files" option. Select Save.

b
The McAfee VirusScan delete infected file parameter is not configured as required.
Medium - V-6472 - SV-21324r1_rule
RMF Control
Severity
M
CCI
Version
DTAM007
Vuln IDs
  • V-6472
Rule IDs
  • SV-21324r1_rule
This parameter controls if infected files are deleted.System AdministratorECSC-1
Checks: C-23408r1_chk

From the ePO server console, select Systems tab, select the asset to be checked, select the Policies tab, select from the product pull down list VirusScan Enterprise 8.7.0. Locate in the Category column the On-Access General Policies. Select from the Policy column the policy associated with the On-Access General Policies. Under the Messages tab, locate the "Actions available to user:" label. Ensure the "Delete files" option is selected. Criteria: If the "Delete files" option is selected, this is not a finding.

Fix: F-19983r1_fix

From the ePO server console, select Systems tab, select the asset to be checked, select the Policies tab, select from the product pull down list VirusScan Enterprise 8.7.0. Locate in the Category column the On-Access General Policies. Select from the Policy column the policy associated with the On-Access General Policies. Under the Messages tab, locate the "Actions available to user:" label. Select the "Delete files" option. Select Save.

b
The McAfee VirusScan Control Panel log parameter is not configured as required.
SI-3 - Medium - CCI-001242 - V-6474 - SV-21325r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001242
Version
DTAM009
Vuln IDs
  • V-6474
Rule IDs
  • SV-21325r1_rule
This parameter controls the logging of the scan.System AdministratorECSC-1
Checks: C-23410r1_chk

From the ePO server console, select Systems tab, select the asset to be checked, select the Policies tab, select from the product pull down list VirusScan Enterprise 8.7.0. Locate in the Category column the On-Access General Policies. Select from the Policy column the policy associated with the On-Access General Policies. Under the Reports tab, locate the "Log to file:" label. Criteria: If the "Enable activity logging and accept the default location for the log file or specify a new location" option is selected, this is not a finding.

Fix: F-19984r1_fix

From the ePO server console, select Systems tab, select the asset to be checked, select the Policies tab, select from the product pull down list VirusScan Enterprise 8.7.0. Locate in the Category column the On-Access General Policies. Select from the Policy column the policy associated with the On-Access General Policies. Under the Reports tab, locate the "Log to file:" label. Select the "Enable activity logging and accept the default location for the log file or specify a new location" option. Select Save.

b
The McAfee VirusScan limit log size parameter is not configured as required.
SI-3 - Medium - CCI-001242 - V-6475 - SV-21326r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001242
Version
DTAM010
Vuln IDs
  • V-6475
Rule IDs
  • SV-21326r1_rule
This parameter controls the log size.System AdministratorECSC-1
Checks: C-23412r1_chk

From the ePO server console, select Systems tab, select the asset to be checked, select the Policies tab, select from the product pull down list VirusScan Enterprise 8.7.0. Locate in the Category column the On-Access General Policies. Select from the Policy column the policy associated with the On-Access General Policies. Under the Reports tab, locate the "Log file size" label. Criteria: If the "Limit the size of the file" option is not selected, this is not a finding. Criteria: If the "Limit the size of the file" option is selected and the “Maximum log file size:” is at least 100MB, this is not a finding.

Fix: F-19985r1_fix

From the ePO server console, select Systems tab, select the asset to be checked, select the Policies tab, select from the product pull down list VirusScan Enterprise 8.7.0. Locate in the Category column the On-Access General Policies. Select from the Policy column the policy associated with the On-Access General Policies. Under the Reports tab, locate the "Log file size:" label. IF the "Limit the size of the file" option is not to be used, ensure "Limit the size of the file" is not selected. If the "Limit the size of the file" option is selected, ensure the “Maximum log file size:” is at least 100MB.

b
The McAfee VirusScan log summary parameter is not configured as required.
SI-3 - Medium - CCI-001242 - V-6478 - SV-21328r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001242
Version
DTAM012
Vuln IDs
  • V-6478
Rule IDs
  • SV-21328r1_rule
This parameter controls if the session summary is being logged.System AdministratorECSC-1
Checks: C-23416r1_chk

From the ePO server console, select Systems tab, select the asset to be checked, select the Policies tab, select from the product pull down list VirusScan Enterprise 8.7.0. Locate in the Category column the On-Access General Policies. Select from the Policy column the policy associated with the On-Access General Policies. Under the Reports tab, locate the "What to log in addition to scanning activity" label. Ensure the "Session summary" option is selected. Criteria: If the "Session summary" option is selected, this is not a finding.

Fix: F-19987r1_fix

From the ePO server console, select Systems tab, select the asset to be checked, select the Policies tab, select from the product pull down list VirusScan Enterprise 8.7.0. Locate in the Category column the On-Access General Policies. Select from the Policy column the policy associated with the On-Access General Policies. Under the Reports tab, locate the "What to log in addition to scanning activity:" label. Select the "Session summary" option. Select Save.

b
The McAfee VirusScan log encrypted files parameter is not configured as required.
SI-3 - Medium - CCI-001242 - V-6583 - SV-21329r2_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001242
Version
DTAM013
Vuln IDs
  • V-6583
Rule IDs
  • SV-21329r2_rule
This parameter controls if failure to scan encrypted files is logged.System AdministratorECSC-1
Checks: C-23418r1_chk

From the ePO server console, select Systems tab, select the asset to be checked, select the Policies tab, select from the product pull down list VirusScan Enterprise 8.7.0. Locate in the Category column the On-Access General Policies. Select from the Policy column the policy associated with the On-Access General Policies. Under the Reports tab, locate the "What to log in addition to scanning activity" label. Ensure the "Failure to scan encrypted files" option is selected. Criteria: If the "Failure to scan encrypted files" option is selected, this is not a finding.

Fix: F-19988r1_fix

From the ePO server console, select Systems tab, select the asset to be checked, select the Policies tab, select from the product pull down list VirusScan Enterprise 8.7.0. Locate in the Category column the On-Access General Policies. Select from the Policy column the policy associated with the On-Access General Policies. Under the Reports tab, locate the "What to log in addition to scanning activity:" label. Select the "Failure to scan encrypted files" option. Select Save.

b
The McAfee VirusScan autoupdate parameters are not configured as required.
SI-3 - Medium - CCI-001247 - V-6585 - SV-21337r2_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001247
Version
DTAM016
Vuln IDs
  • V-6585
Rule IDs
  • SV-21337r2_rule
This parameter ensure that the product is configured to get autoupdates.System AdministratorECVP-1
Checks: C-23422r3_chk

From the ePO server console, select Systems tab, select Client Tasks tab, select New Task. On the Description page, provide a descriptive Name, select "Product Update" from the Type: pull down menu, and select Next. On the Configuration page in the Signatures and engines: section,ensure that Engine and DAT are selected, and select Next. On the Schedule page in the Schedule status: section, ensure Enabled is selected; in the Schedule type: section, ensure that at least Weekly is selected, and select Next. On the Summary page, select Save. Update client machine. Criteria: If a Product update is Enabled with Engine and DAT selected, and scheduled for at least a weekly update, this is not a finding. On the client machine use the Windows Explorer to navigate to the following folder: %SystemDrive%:\Document and Settings\All Users\Application Data\McAfee\Common Framework\Task Multiple .ini files will be stored in this folder one for each task defined on the ePO server for this client. The name for each task is identified in the first section of the file under the [Task] section on the TaskName= “” line. Additionally, a TaskType= line in the [General] section of the file is provided to describe the task type. In this case TaskType=update is expected. Information for this check is determined by examining the contents of this file. Criteria:If [Settings] Enabled=1 and [Schedule] Type=0 the schedule is daily, this is not a finding.If [Settings] Enabled=1 and [Schedule] Type=1 the schedule is weekly, this is not a finding.

Fix: F-19991r3_fix

From the ePO server console, select Systems tab, select Client Tasks tab, select New Task. On the Description page, provide a descriptive Name, select "Product Update" from the Type: pull down menu, and select Next. On the Configuration page in the Signatures and engines: section, ensure that Engine and DAT are selected, and select Next. On the Schedule page in the Schedule status: section, ensure Enabled is selected; in the Schedule type: section, ensure that at least Weekly is selected, and select Next. On the Summary page, select Save. Update client machine.

b
The McAfee VirusScan Exchange scanner is not enabled.
Medium - V-6586 - SV-21339r1_rule
RMF Control
Severity
M
CCI
Version
DTAM021
Vuln IDs
  • V-6586
Rule IDs
  • SV-21339r1_rule
This parameter controls if the email client scanner is active.System AdministratorECSC-1
Checks: C-23423r1_chk

From the ePO server console, select Systems tab, select the asset to be checked, select the Policies tab, select from the product pull down list VirusScan Enterprise 8.7.0. Locate in the Category column the On Delivery Email Scan Policies. Select from the Policy column the policy associated with the On Delivery Email Scan Policies. Under the Scan Items tab, locate the "Scanning of email:" label. Ensure the "Enable on-delivery email scanning" option is selected. Criteria: If the "Enable on-delivery email scanning" is selected, this is not a finding.

Fix: F-19992r1_fix

From the ePO server console, select Systems tab, select the asset to be checked, select the Policies tab, select from the product pull down list VirusScan Enterprise 8.7.0. Locate in the Category column the On Delivery Email Scan Policies. Select from the Policy column the policy associated with the On Delivery Email Scan Policies. Under the Scan Items tab, locate the "Scanning of email:" label. Select the "Enable on-delivery email scanning" option. Select Save.

b
The McAfee VirusScan find unknown programs email parameter is not configured as required.
SI-3 - Medium - CCI-001668 - V-6587 - SV-21341r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001668
Version
DTAM022
Vuln IDs
  • V-6587
Rule IDs
  • SV-21341r1_rule
This parameter controls if scanning is performed for unknown program viruses.System AdministratorECSC-1
Checks: C-23425r1_chk

From the ePO server console, select Systems tab, select the asset to be checked, select the Policies tab, select from the product pull down list VirusScan Enterprise 8.7.0. Locate in the Category column the On Delivery Email Scan Policies. Select from the Policy column the policy associated with the On Delivery Email Scan Policies. Under the Scan Items tab, locate the "Heuristics:" label. Ensure the "Find unknown program threats and trojans" option is selected. Criteria: If the "Find unknown program threats and trojans" option is selected, this is not a finding.

Fix: F-19993r1_fix

From the ePO server console, select Systems tab, select the asset to be checked, select the Policies tab, select from the product pull down list VirusScan Enterprise 8.7.0. Locate in the Category column the On Delivery Email Scan Policies. Select from the Policy column the policy associated with the On Delivery Email Scan Policies. Under the Scan Items tab, locate the "Heuristics:" label. Select the "Find unknown program threats and trojans" option. Select Save.

b
The McAfee VirusScan find unknown macro virus email parameter is not configured as required.
SI-3 - Medium - CCI-001668 - V-6588 - SV-21343r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001668
Version
DTAM023
Vuln IDs
  • V-6588
Rule IDs
  • SV-21343r1_rule
This parameter controls the scanning for unknown macro viruses.System AdministratorECSC-1
Checks: C-23435r1_chk

From the ePO server console, select Systems tab, select the asset to be checked, select the Policies tab, select from the product pull down list VirusScan Enterprise 8.7.0. Locate in the Category column the On Delivery Email Scan Policies. Select from the Policy column the policy associated with the On Delivery Email Scan Policies. Under the Scan Items tab, locate the "Heuristics:" label. Ensure the "Find unknown macro threats" option is selected. Criteria: If the "Find unknown macro threats" option is selected, this is not a finding.

Fix: F-20002r1_fix

From the ePO server console, select Systems tab, select the asset to be checked, select the Policies tab, select from the product pull down list VirusScan Enterprise 8.7.0. Locate in the Category column the On Delivery Email Scan Policies. Select from the Policy column the policy associated with the On Delivery Email Scan Policies. Under the Scan Items tab, locate the "Heuristics:" label. Select the "Find unknown macro threats" option. Select Save.

b
The McAfee VirusScan scan inside archives email parameter is not configured as required.
SI-3 - Medium - CCI-001668 - V-6589 - SV-21344r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001668
Version
DTAM026
Vuln IDs
  • V-6589
Rule IDs
  • SV-21344r1_rule
This parameter controls if the contents of archives are checked for viruses.System AdministratorECSC-1
Checks: C-23433r1_chk

From the ePO server console, select Systems tab, select the asset to be checked, select the Policies tab, select from the product pull down list VirusScan Enterprise 8.7.0. Locate in the Category column the On Delivery Email Scan Policies. Select from the Policy column the policy associated with the On Delivery Email Scan Policies. Under the Scan Items tab, locate the "Compressed files:" label. Ensure the "Scan inside archives (e.g. .ZIP)" option is selected. Criteria: If the "Scan inside archives (e.g. .ZIP)" option is selected, this is not a finding.

Fix: F-20005r1_fix

From the ePO server console, select Systems tab, select the asset to be checked, select the Policies tab, select from the product pull down list VirusScan Enterprise 8.7.0. Locate in the Category column the On Delivery Email Scan Policies. Select from the Policy column the policy associated with the On Delivery Email Scan Policies. Under the Scan Items tab, locate the "Compressed files:" label. Select the "Scan inside archives (e.g. .ZIP)" option. Select Save.

b
The McAfee VirusScan decode MIME email parameter is not configured as required.
SI-3 - Medium - CCI-001668 - V-6590 - SV-21345r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001668
Version
DTAM027
Vuln IDs
  • V-6590
Rule IDs
  • SV-21345r1_rule
This parameter controls if encoded files should be decoded for virus scans.System AdministratorECSC-1
Checks: C-23437r1_chk

From the ePO server console, select Systems tab, select the asset to be checked, select the Policies tab, select from the product pull down list VirusScan Enterprise 8.7.0. Locate in the Category column the On Delivery Email Scan Policies. Select from the Policy column the policy associated with the On Delivery Email Scan Policies. Under the Scan Items tab, locate the "Compressed files:" label. Ensure the "Decode MIME encoded files" option is selected. Criteria: If the "Decode MIME encoded files" option is selected, this is not a finding.

Fix: F-20006r1_fix

From the ePO server console, select Systems tab, select the asset to be checked, select the Policies tab, select from the product pull down list VirusScan Enterprise 8.7.0. Locate in the Category column the On Delivery Email Scan Policies. Select from the Policy column the policy associated with the On Delivery Email Scan Policies. Under the Scan Items tab, locate the "Compressed files:" label. Select the "Decode MIME encoded files" option. Select Save.

b
The McAfee VirusScan scan e-mail message body email parameter is not configured as required.
SI-3 - Medium - CCI-001668 - V-6591 - SV-21346r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001668
Version
DTAM028
Vuln IDs
  • V-6591
Rule IDs
  • SV-21346r1_rule
This parameter ensures the email message contents is scanned for viruses.System AdministratorECSC-1
Checks: C-23439r1_chk

From the ePO server console, select Systems tab, select the asset to be checked, select the Policies tab, select from the product pull down list VirusScan Enterprise 8.7.0. Locate in the Category column the On Delivery Email Scan Policies. Select from the Policy column the policy associated with the On Delivery Email Scan Policies. Under the Scan Items tab, locate the "Email message body (for Microsoft Outlook only):" label. Ensure the "Scan email message body" option is selected. Criteria: If the option "Scan email message body" is selected, this is not a finding.

Fix: F-20008r1_fix

From the ePO server console, select Systems tab, select the asset to be checked, select the Policies tab, select from the product pull down list VirusScan Enterprise 8.7.0. Locate in the Category column the On Delivery Email Scan Policies. Select from the Policy column the policy associated with the On Delivery Email Scan Policies. Under the Scan Items tab, locate the "Email message body (for Microsoft Outlook only):" label. Select the "Scan email message body” option. Select Save.

b
The McAfee VirusScan allowed actions email parameter is not configured as required.
SI-3 - Medium - CCI-001243 - V-6592 - SV-21347r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001243
Version
DTAM029
Vuln IDs
  • V-6592
Rule IDs
  • SV-21347r1_rule
This parameter controls what actions should happen when a virus is detected.System AdministratorECSC-1
Checks: C-23441r1_chk

From the ePO server console, select Systems tab, select the asset to be checked, select the Policies tab, select from the product pull down list VirusScan Enterprise 8.7.0. Locate in the Category column the On Delivery Email Scan Policies. Select from the Policy column the policy associated with the On Delivery Email Scan Policies. Under the Actions tab, locate the "When a threat is found:" section. In the “Perform this action first:” pull down menu, select the "Prompt for action” option. Criteria: If the option "Prompt for action" is selected this is not a finding.

Fix: F-20009r1_fix

From the ePO server console, select Systems tab, select the asset to be checked, select the Policies tab, select from the product pull down list VirusScan Enterprise 8.7.0. Locate in the Category column the On Delivery Email Scan Policies. Select from the Policy column the policy associated with the On Delivery Email Scan Policies. Under the Actions tab, locate the "When a threat is found:" section. In the “Perform this action first:” pull down menu, select the "Prompt for action” option. Select Save.

b
The McAfee VirusScan action prompt email parameter is not configured as required.
Medium - V-6593 - SV-21348r2_rule
RMF Control
Severity
M
CCI
Version
DTAM030
Vuln IDs
  • V-6593
Rule IDs
  • SV-21348r2_rule
This parameter ensures appropriate actions are prompted for when a virus is found.System AdministratorECSC-1
Checks: C-23443r1_chk

From the ePO server console, select Systems tab, select the asset to be checked, select the Policies tab, select from the product pull down list VirusScan Enterprise 8.7.0. Locate in the Category column the On Delivery Email Scan Policies. Select from the Policy column the policy associated with the On Delivery Email Scan Policies. Under the Actions tab, locate the "Allowed actions in Prompt dialog box:" section, ensure that Clean attachment, Delete attachment, and Move attachment are selected. Criteria: If the options "Clean attachment, Delete attachment, and Move attachment" are selected, this is not a finding.

Fix: F-20010r1_fix

From the ePO server console, select Systems tab, select the asset to be checked, select the Policies tab, select from the product pull down list VirusScan Enterprise 8.7.0. Locate in the Category column the On Delivery Email Scan Policies. Select from the Policy column the policy associated with the On Delivery Email Scan Policies. Under the Actions tab, locate the "Allowed actions in Prompt dialog box:" section. Select the Clean attachment, Delete attachment, and Move attachment options. Select Save.

b
The McAfee VirusScan return reply email parameter is not configured as required.
Medium - V-6594 - SV-21349r1_rule
RMF Control
Severity
M
CCI
Version
DTAM033
Vuln IDs
  • V-6594
Rule IDs
  • SV-21349r1_rule
This parameter controls if an email is sent back to the original email sender indicating there was a virus detected.System AdministratorECSC-1
Checks: C-23446r1_chk

From the ePO server console, select Systems tab, select the asset to be checked, select the Policies tab, select from the product pull down list VirusScan Enterprise 8.7.0. Locate in the Category column the On Delivery Email Scan Policies. Select from the Policy column the policy associated with the On Delivery Email Scan Policies. Under the Alerts tab, locate the "Email alert for user:" section and ensure that "Send alert mail to user" is selected. Criteria: If the option "Send alert mail to user" is selected, this is not a finding.

Fix: F-20011r1_fix

From the ePO server console, select Systems tab, select the asset to be checked, select the Policies tab, select from the product pull down list VirusScan Enterprise 8.7.0. Locate in the Category column the On Delivery Email Scan Policies. Select from the Policy column the policy associated with the On Delivery Email Scan Policies. Under the Alerts tab, locate the "Email alert for user:" section. Select the "Send alert mail to user" option. Select Save.

b
The McAfee VirusScan prompt message email parameter is not configured as required.
Medium - V-6595 - SV-21350r2_rule
RMF Control
Severity
M
CCI
Version
DTAM034
Vuln IDs
  • V-6595
Rule IDs
  • SV-21350r2_rule
This parameter ensures an appropriate message is displayed for the user to indicate a virus was found within an email.System AdministratorECSC-1
Checks: C-23448r1_chk

From the ePO server console, select Systems tab, select the asset to be checked, select the Policies tab, select from the product pull down list VirusScan Enterprise 8.7.0. Locate in the Category column the On Delivery Email Scan Policies. Select from the Policy column the policy associated with the On Delivery Email Scan Policies. Under the Alerts tab, locate the "Prompt for action message:" section and ensure that "Specify the message that displays to the user when prompting for action. The Prompt for action option must be selected on the Actions tab. Accept the default message or type a new message." is selected. Criteria: If the option "Specify the message that displays to the user when prompting for action. The Prompt for action option must be selected on the Actions tab. Accept the default message or type a new message." is selected, this is not a finding.

Fix: F-20012r1_fix

From the ePO server console, select Systems tab, select the asset to be checked, select the Policies tab, select from the product pull down list VirusScan Enterprise 8.7.0. Locate in the Category column the On Delivery Email Scan Policies. Select from the Policy column the policy associated with the On Delivery Email Scan Policies. Under the Alerts tab, locate the "Prompt for action message:" section, select "Specify the message that displays to the user when prompting for action. The Prompt for action option must be selected on the Actions tab. Accept the default message or type a new message." Select Save.

b
The McAfee VirusScan log to file email parameter is not configured as required.
SI-3 - Medium - CCI-001668 - V-6596 - SV-21351r2_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001668
Version
DTAM035
Vuln IDs
  • V-6596
Rule IDs
  • SV-21351r2_rule
This parameter ensures that virus scanning sessions for email are logged.System AdministratorECSC-1
Checks: C-23450r1_chk

From the ePO server console, select Systems tab, select the asset to be checked, select the Policies tab, select from the product pull down list VirusScan Enterprise 8.7.0. Locate in the Category column the On Delivery Email Scan Policies. Select from the Policy column the policy associated with the On Delivery Email Scan Policies. Under the Reports tab, locate the "Log to file:" section and ensure that "Enable activity logging and accept the default location for the log file or specify a new location." is selected. Criteria: If the option "Enable activity logging and accept the default location for the log file or specify a new location." is selected, this is not a finding.

Fix: F-20013r1_fix

From the ePO server console, select Systems tab, select the asset to be checked, select the Policies tab, select from the product pull down list VirusScan Enterprise 8.7.0. Locate in the Category column the On Delivery Email Scan Policies. Select from the Policy column the policy associated with the On Delivery Email Scan Policies. Under the Reports tab, locate the "Log to file:" section and select "Enable activity logging and accept the default location for the log file or specify a new location." Select Save.

b
The McAfee VirusScan limit log size email parameter is not configured as required.
SI-3 - Medium - CCI-001668 - V-6597 - SV-21354r2_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001668
Version
DTAM036
Vuln IDs
  • V-6597
Rule IDs
  • SV-21354r2_rule
This parameter deteremines the size of the log file to ensure data is available for review.System AdministratorECSC-1
Checks: C-23453r1_chk

From the ePO server console, select Systems tab, select the asset to be checked, select the Policies tab, select from the product pull down list VirusScan Enterprise 8.7.0. Locate in the Category column the On delivery Email Scan Policies. Select from the Policy column the policy associated with the On delivery Email Scan Policies. Under the Reports tab, locate the "Log file size" label. Criteria: If the "Limit the size of the file" option is not selected, this is not a finding. Criteria: If the "Limit the size of the file" option is selected and the “Maximum log file size:” is at least 100MB this is not a finding.

Fix: F-20014r1_fix

From the ePO server console, select Systems tab, select the asset to be checked, select the Policies tab, select from the product pull down list VirusScan Enterprise 8.7.0. Locate in the Category column the On Delivery Email Policies. Select from the Policy column the policy associated with the On Delivery Email Scan Policies. Under the Reports tab, locate the "Log file size:" label. If the "Limit the size of the file" option is not to be used, ensure "Limit the size of the file" is not selected. If the "Limit the size of the file" option is selected, ensure the “Maximum log file size:” is at least 100MB.

b
The McAfee VirusScan log content email parameter is not configured as required.
Medium - V-6598 - SV-21352r3_rule
RMF Control
Severity
M
CCI
Version
DTAM037
Vuln IDs
  • V-6598
Rule IDs
  • SV-21352r3_rule
This setting controls the entries that are stored in the virus scanning log.System AdministratorECSC-1
Checks: C-23456r2_chk

From the ePO server console, select Systems tab, select the asset to be checked, select the Policies tab, select from the product pull down list VirusScan Enterprise 8.7.0. Locate in the Category column the On Delivery Email Policies. Select from the Policy column the policy associated with the On Delivery Email Policies. Under the Reports tab, locate the "What to log in addition to scanning activity" label. Ensure the "Session summary", and "Failure to scan encrypted files", options are selected. Criteria: If the "Session summary", and "Failure to scan encrypted files", options are selected, this is not a finding.

Fix: F-20016r2_fix

From the ePO server console, select Systems tab, select the asset to be checked, select the Policies tab, select from the product pull down list VirusScan Enterprise 8.7.0. Locate in the Category column the On Delivery Email Policies. Select from the Policy column the policy associated with the On Delivery Email Policies. Under the Reports tab, locate the "What to log in addition to scanning activity:" label. Select the "Session summary", and "Failure to scan encrypted files", options. Select Save.

b
The McAfee VirusScan fixed disk and running processes are not configured as required.
SI-3 - Medium - CCI-001241 - V-6599 - SV-21353r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001241
Version
DTAM045
Vuln IDs
  • V-6599
Rule IDs
  • SV-21353r1_rule
This parameter ensures that all fixed disks and running processes are scanned for viruses.System AdministratorECSC-1
Checks: C-23455r1_chk

From the ePO server console, select Systems tab, select the asset to be checked, select Client Tasks tab. From the list of available tasks in the Task Name column, with the assistance of the ePO SA, identify the weekly on demand client scan task. A daily or weekly on demand client scan may also be identified by reviewing the Product Name, Status, and Schedule of each Task Name in the Client Tasks window. In the same row as the on demand client scan task under review ensure that the Product Name column contains VirusScan Enterprise 8.7.0 and in the Status column, ensure that the status is Enabled. Select edit from the Actions column. In the Description tab, ensure that for “Type:” “On Demand Scan (VirusScan Enterprise 8.7.0)” is selected. Select the Configuration tab. Under the Scan Locations tab in Locations to scan: area, ensure that “All fixed drives” and “Running processes” are displayed. Criteria: If “All fixed drives” and “Running processes” are displayed in the configuration for the daily or weekly On Demand Scan, this is not a finding. On the client machine use the Windows Explorer to navigate to the following folder: %SystemDrive%:\Document and Settings\All Users\Application Data\McAfee\Common Framework\Task\. Multiple .ini files will be stored in this folder one for each task defined on the ePO server for this client. The name for each task is identified in the first section of the file under the [Task] section on the TaskName= “” line. Additionally, a TaskType= line in the [General] section of the file is provided to describe the type of scan. In this case TaskType=VSC700_Scan_Task is expected. Information for this check is determined by examining the contents of this file. Criteria: If [ScanItems] szScanItemX=All fixed disks, and [Settings] scScanItemX=Special Memory are present, this is not a finding. : For the values of szScanItemX, the character X represents some integer =>0. Example: szScanItem0=All fixed disks, szScanItem1=Special Memory,

Fix: F-20015r1_fix

From the ePO server console, select Systems tab, select the asset to be checked, select Client Tasks tab. From the list of available tasks in the Task Name column, with the assistance of the ePO SA, identify the daily or weekly on demand client scan task. In the same row as the on demand client scan task ensure that the Product Name column contains VirusScan Enterprise 8.7.0, in the Status column ensure that the status is Enabled. Select edit from the Actions column. In the Description tab, ensure that for “Type:” “On Demand Scan (VirusScan Enterprise 8.7.0)” is selected. Select the Configuration tab. Under the Scan Locations tab in Locations to scan: area, from the pull down menus, select “All fixed drives” and “Running processes”. Select Save.

b
The McAfee VirusScan include subfolders parameter is not configured as required.
SI-3 - Medium - CCI-001241 - V-6600 - SV-21355r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001241
Version
DTAM046
Vuln IDs
  • V-6600
Rule IDs
  • SV-21355r1_rule
This parameter ensures that subfolders are scanned for viruses.System AdministratorECSC-1
Checks: C-23458r1_chk

From the ePO server console, select Systems tab, select the asset to be checked, select Client Tasks tab. From the list of available tasks in the Task Name column, with the assistance of the ePO SA, identify the weekly on demand client scan task. A daily or weekly on demand client scan may also be identified by reviewing the Product Name, Status, and Schedule of each Task Name in the Client Tasks window. In the same row as the on demand client scan task under review, ensure that the Product Name column contains VirusScan Enterprise 8.7.0 and in the Status column, ensure that the status is Enabled. Select edit from the Actions column. In the Description tab ensure that for “Type:” “On Demand Scan (VirusScan Enterprise 8.7.0)” is selected. Select the Configuration tab. Under the Scan Locations tab, Scan options area, ensure that “Include subfolders” is displayed. Criteria: If “Include subfolders” is displayed, this is not a finding. On the client machine, use the Windows Explorer to navigate to the following folder: %SystemDrive%:\Document and Settings\All Users\Application Data\McAfee\Common Framework\Task\. Multiple .ini files will be stored in this folder one for each task defined on the ePO server for this client. The name for each task is identified in the first section of the file under the [Task] section on the TaskName= “” line. Additionally, a TaskType= line in the [General] section of the file is provided to describe the type of scan. In this case, TaskType=VSC700_Scan_Task is expected. Information for this check is determined by examining the contents of this file. Criteria: If [Where] bScanSubDirs=1, this is not a finding.

Fix: F-20017r1_fix

From the ePO server console, select Systems tab, select the asset to be checked, select Client Tasks tab. From the list of available tasks in the Task Name column, with the assistance of the ePO SA, identify the weekly on demand client scan task. In the same row as the on demand client scan task, ensure that the Product Name column contains VirusScan Enterprise 8.7.0 and in the Status column, ensure that the status is Enabled. Select Edit from the Actions column. In the Description tab, ensure that for “Type:” “On Demand Scan (VirusScan Enterprise 8.7.0)” is selected. Select the Configuration tab. Under the Scan Locations tab, Scan options area, select “Include subfolders”. Select Save.

b
The McAfee VirusScan include boot sectors parameter is not configured as required.
SI-3 - Medium - CCI-001241 - V-6601 - SV-21356r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001241
Version
DTAM047
Vuln IDs
  • V-6601
Rule IDs
  • SV-21356r1_rule
This parameter ensures that the boot sector is scanned for viruses.System AdministratorECSC-1
Checks: C-23459r1_chk

From the ePO server console, select Systems tab, select the asset to be checked, select Client Tasks tab. From the list of available tasks in the Task Name column, with the assistance of the ePO SA, identify the weekly on demand client scan task. A daily or weekly on demand client scan may also be identified by reviewing the Product Name, Status, and Schedule of each Task Name in the Client Tasks window. In the same row as the on demand client scan task under review, ensure that the Product Name column contains VirusScan Enterprise 8.7.0, in the Status column ensure that the status is Enabled. Select Edit from the Actions column. In the Description tab, ensure that for “Type:” “On Demand Scan (VirusScan Enterprise 8.7.0)” is selected. Select the Configuration tab. Under the Scan Locations tab, Scan options area, ensure that “Scan boot sectors” is displayed. Criteria: If “Scan boot sectors” is displayed, this is not a finding. On the client machine, use the Windows Explorer to navigate to the following folder: %SystemDrive%:\Document and Settings\All Users\Application Data\McAfee\Common Framework\Task\. Multiple .ini files will be stored in this folder one for each task defined on the ePO server for this client. The name for each task is identified in the first section of the file under the [Task] section on the TaskName= “” line. Additionally, a TaskType= line in the [General] section of the file is provided to describe the type of scan. In this case, TaskType=VSC700_Scan_Task is expected. Information for this check is determined by examining the contents of this file. Criteria: If [Where] bSkipBootScan=0, this is not a finding.

Fix: F-20018r1_fix

From the ePO server console, select Systems tab, select the asset to be checked, select Client Tasks tab. From the list of available tasks in the Task Name column, with the assistance of the ePO SA, identify the weekly on demand client scan task. In the same row as the on demand client scan task, ensure that the Product Name column contains VirusScan Enterprise 8.7.0 and in the Status column, ensure that the status is Enabled. Select Edit from the Actions column. In the Description tab, ensure that for “Type:” “On Demand Scan (VirusScan Enterprise 8.7.0)” is selected. Select the Configuration tab. Under the Scan Locations tab, Scan options area, select “Scan boot sectors”. Select Save.

b
The McAfee VirusScan scan all files parameter is not configured as required.
SI-3 - Medium - CCI-001241 - V-6602 - SV-21357r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001241
Version
DTAM048
Vuln IDs
  • V-6602
Rule IDs
  • SV-21357r1_rule
This parameter ensures all files are scanned.System AdministratorECSC-1
Checks: C-23460r1_chk

From the ePO server console, select Systems tab, select the asset to be checked, select Client Tasks tab. From the list of available tasks in the Task Name column, with the assistance of the ePO SA, identify the weekly on demand client scan task. A daily or weekly on demand client scan may also be identified by reviewing the Product Name, Status, and Schedule of each Task Name in the Client Tasks window. In the same row as the on demand client scan task under review, ensure that the Product Name column contains VirusScan Enterprise 8.7.0 and in the Status column, ensure that the status is Enabled. Select Edit from the Actions column. In the Description tab ensure that for “Type:” “On Demand Scan (VirusScan Enterprise 8.7.0)” is selected. Select the Configuration tab. Under the Scan Items tab, File types to scan: area, ensure that “All files” is selected. Criteria: If “All files” is selected, this is not a finding. On the client machine, use the Windows Explorer to navigate to the following folder: %SystemDrive%:\Document and Settings\All Users\Application Data\McAfee\Common Framework\Task\. Multiple .ini files will be stored in this folder one for each task defined on the ePO server for this client. The name for each task is identified in the first section of the file under the [Task] section on the TaskName= “” line. Additionally, a TaskType= line in the [General] section of the file is provided to describe the type of scan. In this case, TaskType=VSC700_Scan_Task is expected. Information for this check is determined by examining the contents of this file. Criteria: If [What] bScanAllFiles=1, this is not a finding.

Fix: F-20019r1_fix

From the ePO server console, select Systems tab, select the asset to be checked, select Client Tasks tab. From the list of available tasks in the Task Name column, with the assistance of the ePO SA, identify the weekly on demand client scan task. In the same row as the on demand client scan task, ensure that the Product Name column contains VirusScan Enterprise 8.7.0 and in the Status column, ensure that the status is Enabled. Select Edit from the Actions column. In the Description tab, ensure that for “Type:” “On Demand Scan (VirusScan Enterprise 8.7.0)” is selected. Select the Configuration tab. Under the Scan Items tab, File types to scan: area, select “All files”. Select Save.

b
The McAfee VirusScan exclusions parameter is not configured as required.
SI-3 - Medium - CCI-001241 - V-6604 - SV-21358r2_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001241
Version
DTAM050
Vuln IDs
  • V-6604
Rule IDs
  • SV-21358r2_rule
This parameter ensures that there are no unapproved exclusions from the virus scanning.System AdministratorECSC-1
Checks: C-23461r5_chk

From the ePO server console, select Systems tab, select the asset to be checked, select Client Tasks tab. From the list of available tasks in the Task Name column, with the assistance of the ePO SA, identify the weekly on demand client scan task. A daily or weekly on demand client scan may also be identified by reviewing the Product Name, Status, and Schedule of each Task Name in the Client Tasks window. In the same row as the on demand client scan task under review, ensure that the Product Name column contains VirusScan Enterprise 8.7.0 and in the Status column, ensure that the status is Enabled. Select Edit from the Actions column. In the Description tab, ensure that for “Type:” “On Demand Scan (VirusScan Enterprise 8.7.0)” is selected. Select the Configuration tab. Under the Exclusions tab, “What not to scan:” area, ensure that no items are listed in this area. Criteria: If no items are listed in the “What not to scan:” area, this is not a finding. Criteria: If items exist, ensure the justification for exclusions have been documented with the IAO/IAM. If exclusions are documented with the IAO/IAM, this is not a finding. If exclusions have not been documented, this is a finding. On the client machine, use the Windows Explorer to navigate to the following folder: %SystemDrive%:\Document and Settings\All Users\Application Data\McAfee\Common Framework\Task\. Multiple .ini files will be stored in this folder one for each task defined on the ePO server for this client. The name for each task is identified in the first section of the file under the [Task] section on the TaskName= “” line. Additionally, a TaskType= line in the [General] section of the file is provided to describe the type of scan. In this case, TaskType=VSC700_Scan_Task is expected. Information for this check is determined by examining the contents of this file. Criteria: If [Exclusions] dwExclusionCount=0, this is not a finding. Criteria: If not set to 0, ensure the justification for exclusions found have been documented with the IAO/IAM. If exclusions are documented with the IAO/IAM, this is not a finding. If exclusions have not been documented, this is a finding.

Fix: F-20020r2_fix

From the ePO server console, select Systems tab, select the asset to be checked, select Client Tasks tab. From the list of available tasks in the Task Name column, with the assistance of the ePO SA, identify the weekly on demand client scan task. In the same row as the on demand client scan task, ensure that the Product Name column contains VirusScan Enterprise 8.7.0 and in the Status column, ensure that the status is Enabled. Select Edit from the Actions column. In the Description tab, ensure that for “Type:” “On Demand Scan (VirusScan Enterprise 8.7.0)” is selected. Select the Configuration tab. Under the Exclusions tab, “What not to scan:” area, no items should be entered into this area. Select Save. If exclusions do exist, these must be documented and approved by the IAO/IAM.

b
The McAfee VirusScan scan archives parameter is not configured as required.
SI-3 - Medium - CCI-001241 - V-6611 - SV-21359r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001241
Version
DTAM052
Vuln IDs
  • V-6611
Rule IDs
  • SV-21359r1_rule
This parameter ensures that archive files are checked for viruses.System AdministratorECSC-1
Checks: C-23462r1_chk

From the ePO server console, select Systems tab, select the asset to be checked, select Client Tasks tab. From the list of available tasks in the Task Name column, with the assistance of the ePO SA, identify the weekly on demand client scan task. A daily or weekly on demand client scan may also be identified by reviewing the Product Name, Status, and Schedule of each Task Name in the Client Tasks window. In the same row as the on demand client scan task under review, ensure that the Product Name column contains VirusScan Enterprise 8.7.0 and in the Status column, ensure that the status is Enabled. Select Edit from the Actions column. In the Description tab, ensure that for “Type:” “On Demand Scan (VirusScan Enterprise 8.7.0)” is selected. Select the Configuration tab. Under the Scan Items tab, Options: area, ensure that “Scan inside archives (e.g. .ZIP)” is selected. Criteria: If “Scan inside archives (e.g. .ZIP)” is selected, this is not a finding. On the client machine, use the Windows Explorer to navigate to the following folder: %SystemDrive%:\Document and Settings\All Users\Application Data\McAfee\Common Framework\Task\. Multiple .ini files will be stored in this folder one for each task defined on the ePO server for this client. The name for each task is identified in the first section of the file under the [Task] section on the TaskName= “” line. Additionally, a TaskType= line in the [General] section of the file is provided to describe the type of scan. In this case, TaskType=VSC700_Scan_Task is expected. Information for this check is determined by examining the contents of this file. Criteria: If [What] ScanArchives=1, this is not a finding.

Fix: F-20021r1_fix

From the ePO server console, select Systems tab, select the asset to be checked, select Client Tasks tab. From the list of available tasks in the Task Name column, with the assistance of the ePO SA, identify the weekly on demand client scan task. In the same row as the on demand client scan task, ensure that the Product Name column contains VirusScan Enterprise 8.7.0 and in the Status column, ensure that the status is Enabled. Select Edit from the Actions column. In the Description tab, ensure that for “Type:” “On Demand Scan (VirusScan Enterprise 8.7.0)” is selected. Select the Configuration tab. Under the Scan Items tab, Options: area, select “Scan inside archives (e.g. .ZIP)””. Select Save.

b
The McAfee VirusScan decode MIME encoded files parameter is not configured as required.
SI-3 - Medium - CCI-001241 - V-6612 - SV-21360r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001241
Version
DTAM053
Vuln IDs
  • V-6612
Rule IDs
  • SV-21360r1_rule
This file ensures that MIME encoded files are scanned for viruses.System AdministratorECSC-1
Checks: C-23463r1_chk

From the ePO server console, select Systems tab, select the asset to be checked, select Client Tasks tab. From the list of available tasks in the Task Name column, with the assistance of the ePO SA, identify the weekly on demand client scan task. A daily or weekly on demand client scan may also be identified by reviewing the Product Name, Status, and Schedule of each Task Name in the Client Tasks window. In the same row as the On Demand Client Scan task under review ensure that the Product Name column contains VirusScan Enterprise 8.7.0 and in the Status column, ensure that the status is Enabled. Select Edit from the Actions column. In the Description tab, ensure that for “Type:” “On Demand Scan (VirusScan Enterprise 8.7.0)” is selected. Select the Configuration tab. Under the Scan Items tab, Options: area, ensure that “Decode MIME encoded files” is selected. Criteria: If “Decode MIME encoded files” is selected, this is not a finding. On the client machine, use the Windows Explorer to navigate to the following folder: %SystemDrive%:\Document and Settings\All Users\Application Data\McAfee\Common Framework\Task\. Multiple .ini files will be stored in this folder one for each task defined on the ePO server for this client. The name for each task is identified in the first section of the file under the [Task] section on the TaskName= “” line. Additionally, a TaskType= line in the [General] section of the file is provided to describe the type of scan. In this case, TaskType=VSC700_Scan_Task is expected. Information for this check is determined by examining the contents of this file. Criteria: If [What] ScanMIME=1, this is not a finding.

Fix: F-20022r1_fix

From the ePO server console, select Systems tab, select the asset to be checked, select Client Tasks tab. From the list of available tasks in the Task Name column, with the assistance of the ePO SA, identify the weekly on demand client scan task. In the same row as the On Demand Client Scan task ensure that the Product Name column contains VirusScan Enterprise 8.7.0 and in the Status column, ensure that the status is Enabled. Select Edit from the Actions column. In the Description tab, ensure that for “Type:” “On Demand Scan (VirusScan Enterprise 8.7.0)” is selected. Select the Configuration tab. Under the Scan Items tab, Options: area, select “Decode MIME encoded files”. Select Save.

b
The McAfee VirusScan find unknown programs parameter is not configured as required.
SI-3 - Medium - CCI-001241 - V-6614 - SV-21361r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001241
Version
DTAM054
Vuln IDs
  • V-6614
Rule IDs
  • SV-21361r1_rule
This parameter will ensure the virus scanner checks for unknown program viruses.System AdministratorECSC-1
Checks: C-23464r1_chk

From the ePO server console, select Systems tab, select the asset to be checked, select Client Tasks tab. From the list of available tasks in the Task Name column, with the assistance of the ePO SA, identify the weekly on demand client scan task. A daily or weekly on demand client scan may also be identified by reviewing the Product Name, Status, and Schedule of each Task Name in the Client Tasks window. In the same row as the on demand client scan task under review, ensure that the Product Name column contains VirusScan Enterprise 8.7.0 and in the Status column, ensure that the status is Enabled. Select Edit from the Actions column. In the Description tab, ensure that for “Type:” “On Demand Scan (VirusScan Enterprise 8.7.0)” is selected. Select the Configuration tab. Under the Scan Items tab, Heuristics: area, ensure that “Find unknown program threats” is selected. Criteria: If “Find unknown program threats” is selected, this is not a finding. On the client machine, use the Windows Explorer to navigate to the following folder: %SystemDrive%:\Document and Settings\All Users\Application Data\McAfee\Common Framework\Task\. Multiple .ini files will be stored in this folder one for each task defined on the ePO server for this client. The name for each task is identified in the first section of the file under the [Task] section on the TaskName= “” line. Additionally, a TaskType= line in the [General] section of the file is provided to describe the type of scan. In this case, TaskType=VSC700_Scan_Task is expected. Information for this check is determined by examining the contents of this file. Criteria: If [Advanced] dwProgramHeuristicsLevel=1, this is not a finding.

Fix: F-20023r1_fix

From the ePO server console, select Systems tab, select the asset to be checked, select Client Tasks tab. From the list of available tasks in the Task Name column, with the assistance of the ePO SA, identify the weekly on demand client scan task. In the same row as the on demand client scan task ensure that the Product Name column contains VirusScan Enterprise 8.7.0 and in the Status column, ensure that the status is Enabled. Select Edit from the Actions column. In the Description tab, ensure that for “Type:” “On Demand Scan (VirusScan Enterprise 8.7.0)” is selected. Select the Configuration tab. Under the Scan Items tab, Heuristics: area, select “Find unknown program threats”. Select Save.

b
The McAfee VirusScan find unknown macro viruses parameter is not configured as required.
SI-3 - Medium - CCI-001241 - V-6615 - SV-21362r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001241
Version
DTAM055
Vuln IDs
  • V-6615
Rule IDs
  • SV-21362r1_rule
This parameter controls checking for unknown macro viruses.System AdministratorECSC-1
Checks: C-23465r1_chk

From the ePO server console, select Systems tab, select the asset to be checked, select Client Tasks tab. From the list of available tasks in the Task Name column, with the assistance of the ePO SA, identify the weekly on demand client scan task. A daily or weekly on demand client scan may also be identified by reviewing the Product Name, Status, and Schedule of each Task Name in the Client Tasks window. In the same row as the on demand client scan task under review, ensure that the Product Name column contains VirusScan Enterprise 8.7.0 and in the Status column, ensure that the status is Enabled. Select Edit from the Actions column. In the Description tab, ensure that for “Type:” “On Demand Scan (VirusScan Enterprise 8.7.0)” is selected. Select the Configuration tab. Under the Scan Items tab, Heuristics: area, ensure that “Find unknown macro threats” is selected. Criteria: If “Find unknown macro threats” is selected, this is not a finding. On the client machine, use the Windows Explorer to navigate to the following folder: %SystemDrive%:\Document and Settings\All Users\Application Data\McAfee\Common Framework\Task\. Multiple .ini files will be stored in this folder one for each task defined on the ePO server for this client. The name for each task is identified in the first section of the file under the [Task] section on the TaskName= “” line. Additionally, a TaskType= line in the [General] section of the file is provided to describe the type of scan. In this case, TaskType=VSC700_Scan_Task is expected. Information for this check is determined by examining the contents of this file. Criteria: If [Advanced] dwMacroHeuristicsLevel=1, this is not a finding.

Fix: F-20024r1_fix

From the ePO server console, select Systems tab, select the asset to be checked, select Client Tasks tab. From the list of available tasks in the Task Name column, with the assistance of the ePO SA, identify the weekly on demand client scan task. In the same row as the on demand client scan task, ensure that the Product Name column contains VirusScan Enterprise 8.7.0 and in the Status column, ensure that the status is Enabled. Select Edit from the Actions column. In the Description tab, ensure that for “Type:” “On Demand Scan (VirusScan Enterprise 8.7.0)” is selected. Select the Configuration tab. Under the Scan Items tab, Heuristics: area, select “Find unknown macro threats”. Select Save.

b
The McAfee VirusScan action for Virus parameter is not configured as required.
SI-3 - Medium - CCI-001243 - V-6616 - SV-21363r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001243
Version
DTAM056
Vuln IDs
  • V-6616
Rule IDs
  • SV-21363r1_rule
This parameter controls the action when a virus is found.System AdministratorECSC-1
Checks: C-23466r1_chk

From the ePO server console, select Systems tab, select the asset to be checked, select Client Tasks tab. From the list of available tasks in the Task Name column, with the assistance of the ePO SA, identify the weekly on demand client scan task. A daily or weekly on demand client scan may also be identified by reviewing the Product Name, Status, and Schedule of each Task Name in the Client Tasks window. In the same row as the on demand client scan task under review, ensure that the Product Name column contains VirusScan Enterprise 8.7.0, in the Status column, ensure that the status is Enabled. Select Edit from the Actions column. In the Description tab, ensure that for “Type:” “On Demand Scan (VirusScan Enterprise 8.7.0)” is selected. Select the Configuration tab. Under the Actions tab, When a threat is found: area, ensure that for the “Perform this action first:” pull down menu, “Clean files” is selected. Criteria: If “Clean files” is selected, this is not a finding. On the client machine, use the Windows Explorer to navigate to the following folder: %SystemDrive%:\Document and Settings\All Users\Application Data\McAfee\Common Framework\Task\. Multiple .ini files will be stored in this folder one for each task defined on the ePO server for this client. The name for each task is identified in the first section of the file under the [Task] section on the TaskName= “” line. Additionally, a TaskType= line in the [General] section of the file is provided to describe the type of scan. In this case, TaskType=VSC700_Scan_Task is expected. Information for this check is determined by examining the contents of this file. Criteria: If [Actions] uAction=5, this is not a finding.

Fix: F-20025r1_fix

From the ePO server console, select Systems tab, select the asset to be checked, select Client Tasks tab. From the list of available tasks in the Task Name column, with the assistance of the ePO SA, identify the weekly on demand client scan task. In the same row as the on demand client scan task, ensure that the Product Name column contains VirusScan Enterprise 8.7.0 and in the Status column, ensure that the status is Enabled. Select Edit from the Actions column. In the Description tab, ensure that for “Type:” “On Demand Scan (VirusScan Enterprise 8.7.0)” is selected. Select the Configuration tab. Under the Actions tab, When a threat is found: area, Perform this action first:, select “Clean files”. Select Save.

b
The McAfee VirusScan secondary action for virus parameter is not configured as required.
SI-3 - Medium - CCI-001243 - V-6617 - SV-21364r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001243
Version
DTAM057
Vuln IDs
  • V-6617
Rule IDs
  • SV-21364r1_rule
This parameter controls the secondary action that is performed when a virus is found.System AdministratorECSC-1
Checks: C-23467r1_chk

From the ePO server console, select Systems tab, select the asset to be checked, select Client Tasks tab. From the list of available tasks in the Task Name column, with the assistance of the ePO SA, identify the weekly on demand client scan task. A daily or weekly on demand client scan may also be identified by reviewing the Product Name, Status, and Schedule of each Task Name in the Client Tasks window. In the same row as the on demand client scan task under review, ensure that the Product Name column contains VirusScan Enterprise 8.7.0 and in the Status column, ensure that the status is Enabled. Select Edit from the Actions column. In the Description tab, ensure that for “Type:” “On Demand Scan (VirusScan Enterprise 8.7.0)” is selected. Select the Configuration tab. Under the Actions tab, When a threat is found: area, ensure that for the “If the first action fails, then perform this action:” pull down menu, “Delete files” is selected. Criteria: If “Delete files” is selected, this is not a finding. On the client machine, use the Windows Explorer to navigate to the following folder: %SystemDrive%:\Document and Settings\All Users\Application Data\McAfee\Common Framework\Task\. Multiple .ini files will be stored in this folder one for each task defined on the ePO server for this client. The name for each task is identified in the first section of the file under the [Task] section on the TaskName= “” line. Additionally, a TaskType= line in the [General] section of the file is provided to describe the type of scan. In this case, TaskType=VSC700_Scan_Task is expected. Information for this check is determined by examining the contents of this file. Criteria: If [Actions] uSecAction=4, this is not a finding.

Fix: F-20026r1_fix

From the ePO server console, select Systems tab, select the asset to be checked, select Client Tasks tab. From the list of available tasks in the Task Name column, with the assistance of the ePO SA, identify the weekly on demand client scan task. In the same row as the on demand client scan task, ensure that the Product Name column contains VirusScan Enterprise 8.7.0 and in the Status column, ensure that the status is Enabled. Select Edit from the Actions column. In the Description tab, ensure that for “Type:” “On Demand Scan (VirusScan Enterprise 8.7.0)” is selected. Select the Configuration tab. Under the Actions tab, When a threat is found: area, If the first action fails, then perform this action:, select “Delete files”. Select Save.

b
The McAfee VirusScan log to file parameter is not configured as required.
SI-3 - Medium - CCI-001241 - V-6618 - SV-21365r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001241
Version
DTAM059
Vuln IDs
  • V-6618
Rule IDs
  • SV-21365r1_rule
This parameter ensures that virus scan activities are written to a log file.System AdministratorECSC-1
Checks: C-23468r1_chk

From the ePO server console, select Systems tab, select the asset to be checked, select Client Tasks tab. From the list of available tasks in the Task Name column, with the assistance of the ePO SA, identify the weekly on demand client scan task. A daily or weekly on demand client scan may also be identified by reviewing the Product Name, Status, and Schedule of each Task Name in the Client Tasks window. In the same row as the on demand client scan task under review, ensure that the Product Name column, contains VirusScan Enterprise 8.7.0 and in the Status column, ensure that the status is Enabled. Select Edit from the Actions column. In the Description tab, ensure that for “Type:” “On Demand Scan (VirusScan Enterprise 8.7.0)” is selected. Select the Configuration tab. Under the Reports tab, ensure that for the Log to file: selection “Enable activity logging and accept the default location for the log file or specify a new location” is selected. Criteria: If “Enable activity logging and accept the default location for the log file or specify a new location” is selected, this is not a finding. On the client machine, use the Windows Explorer to navigate to the following folder: %SystemDrive%:\Document and Settings\All Users\Application Data\McAfee\Common Framework\Task\. Multiple .ini files will be stored in this folder one for each task defined on the ePO server for this client. The name for each task is identified in the first section of the file under the [Task] section on the TaskName= “” line. Additionally, a TaskType= line in the [General] section of the file is provided to describe the type of scan. In this case, TaskType=VSC700_Scan_Task is expected. Information for this check is determined by examining the contents of this file. Criteria: If [Reports] bLogToFile=1, this is not a finding.

Fix: F-20027r1_fix

From the ePO server console, select Systems tab, select the asset to be checked, select Client Tasks tab. From the list of available tasks in the Task Name column, with the assistance of the ePO SA, identify the weekly on demand client scan task. In the same row as the on demand client scan task, ensure that the Product Name column contains VirusScan Enterprise 8.7.0 and in the Status column, ensure that the status is Enabled. Select Edit from the Actions column. In the Description tab, ensure that for “Type:” “On Demand Scan (VirusScan Enterprise 8.7.0)” is selected. Select the Configuration tab. Under the Reports tab, for the Log to file: selection, select “Enable activity logging and accept the default location for the log file or specify a new location”. Select Save.

b
The McAfee VirusScan log file limit parameter is not configured as required.
SI-3 - Medium - CCI-001241 - V-6620 - SV-21366r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001241
Version
DTAM060
Vuln IDs
  • V-6620
Rule IDs
  • SV-21366r1_rule
This parameter determines the minimum size for the log to ensure enough data is available for review.System AdministratorECSC-1
Checks: C-23469r1_chk

From the ePO server console, select Systems tab, select the asset to be checked, select Client Tasks tab. From the list of available tasks in the Task Name column, with the assistance of the ePO SA, identify the weekly on demand client scan task. A daily or weekly on demand client scan may also be identified by reviewing the Product Name, Status, and Schedule of each Task Name in the Client Tasks window. In the same row as the on demand client scan task under review, ensure that the Product Name column contains VirusScan Enterprise 8.7.0 and in the Status column, ensure that the status is Enabled. Select Edit from the Actions column. In the Description tab, ensure that for “Type:” “On Demand Scan (VirusScan Enterprise 8.7.0)” is selected. Select the Configuration tab. Under the Reports tab, locate the "Log file size" label. Criteria: If the "Limit the size of the file" option is not selected, this is not a finding. Criteria: If the "Limit the size of the file" option is selected, and the “Maximum log file size:” is at least 100MB this is not a finding. On the client machine, use the Windows Explorer to navigate to the following folder: %SystemDrive%:\Document and Settings\All Users\Application Data\McAfee\Common Framework\Task\. Multiple .ini files will be stored in this folder one for each task defined on the ePO server for this client. The name for each task is identified in the first section of the file under the [Task] section on the TaskName= “” line. Additionally, a TaskType= line in the [General] section of the file is provided to describe the type of scan. In this case, TaskType=VSC700_Scan_Task is expected. Information for this check is determined by examining the contents of this file. Criteria: If [Reports] bLogToFile=1 and [Reports] bLimitSize =>100, this is not a finding.

Fix: F-20028r1_fix

From the ePO server console, select Systems tab, select the asset to be checked, select Client Tasks tab. From the list of available tasks in the Task Name column, with the assistance of the ePO SA, identify the weekly on demand client scan task. In the same row as the on demand client scan task, ensure that the Product Name column contains VirusScan Enterprise 8.7.0 and in the Status column, ensure that the status is Enabled. Select Edit from the Actions column. In the Description tab, ensure that for “Type:” “On Demand Scan (VirusScan Enterprise 8.7.0)” is selected. Select the Configuration tab. Under the Reports tab, locate the "Log file size:" label. If the "Limit the size of the file" option is not to be used, ensure "Limit the size of the file" is not selected. If the "Limit the size of the file" option is selected, ensure the “Maximum log file size:” is at least 100MB. Select Save.

b
The McAfee VirusScan log session summary parameter is not configured as required.
Medium - V-6624 - SV-21369r1_rule
RMF Control
Severity
M
CCI
Version
DTAM062
Vuln IDs
  • V-6624
Rule IDs
  • SV-21369r1_rule
This parameter ensures that session summary information is logged for future review if needed.System AdministratorECSC-1
Checks: C-23473r1_chk

From the ePO server console, select Systems tab, select the asset to be checked, select Client Tasks tab. From the list of available tasks in the Task Name column, with the assistance of the ePO SA, identify the weekly on demand client scan task. A daily or weekly on demand client scan may also be identified by reviewing the Product Name, Status, and Schedule of each Task Name in the Client Tasks window. In the same row as the on demand client scan task under review, ensure that the Product Name column contains VirusScan Enterprise 8.7.0 and in the Status column, ensure that the status is Enabled. Select Edit from the Actions column. In the Description tab, ensure that for “Type:” “On Demand Scan (VirusScan Enterprise 8.7.0)” is selected. Select the Configuration tab. Under the Reports tab, locate the "What to log in addition to scanning activity" label. Criteria: If the "Session summary" option is selected, this is not a finding. On the client machine, use the Windows Explorer to navigate to the following folder: %SystemDrive%:\Document and Settings\All Users\Application Data\McAfee\Common Framework\Task\. Multiple .ini files will be stored in this folder one for each task defined on the ePO server for this client. The name for each task is identified in the first section of the file under the [Task] section on the TaskName= “” line. Additionally, a TaskType= line in the [General] section of the file is provided to describe the type of scan. In this case, TaskType=VSC700_Scan_Task is expected. Information for this check is determined by examining the contents of this file. Criteria: If [Reports] bLogSummary=1, this is not a finding.

Fix: F-20030r1_fix

From the ePO server console, select Systems tab, select the asset to be checked, select Client Tasks tab. From the list of available tasks in the Task Name column, with the assistance of the ePO SA, identify the weekly on demand client scan task. In the same row as the on demand client scan task, ensure that the Product Name column contains VirusScan Enterprise 8.7.0 and in the Status column, ensure that the status is Enabled. Select Edit from the Actions column. In the Description tab, ensure that for “Type:” “On Demand Scan (VirusScan Enterprise 8.7.0)” is selected. Select the Configuration tab. Under the Reports tab, locate the "What to log in addition to scanning activity:" label. Select Session summary. Select Save.

b
The McAfee VirusScan failure on encrypted files parameter is not configured as required.
SI-3 - Medium - CCI-001241 - V-6625 - SV-21370r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001241
Version
DTAM063
Vuln IDs
  • V-6625
Rule IDs
  • SV-21370r1_rule
This parameter ensures that failures on encrypted files are logged.System AdministratorECSC-1
Checks: C-23474r1_chk

From the ePO server console, select Systems tab, select the asset to be checked, select Client Tasks tab. From the list of available tasks in the Task Name column, with the assistance of the ePO SA, identify the weekly on demand client scan task. A daily or weekly on demand client scan may also be identified by reviewing the Product Name, Status, and Schedule of each Task Name in the Client Tasks window. In the same row as the on demand client scan task under review, ensure that the Product Name column contains VirusScan Enterprise 8.7.0 and in the Status column, ensure that the status is Enabled. Select Edit from the Actions column. In the Description tab, ensure that for “Type:” “On Demand Scan (VirusScan Enterprise 8.7.0)” is selected. Select the Configuration tab. Under the Reports tab, locate the "What to log in addition to scanning activity" label. Criteria: If the "Failure to scan encrypted files" option is selected, this is not a finding. On the client machine, use the Windows Explorer to navigate to the following folder: %SystemDrive%:\Document and Settings\All Users\Application Data\McAfee\Common Framework\Task\. Multiple .ini files will be stored in this folder one for each task defined on the ePO server for this client. The name for each task is identified in the first section of the file under the [Task] section on the TaskName= “” line. Additionally, a TaskType= line in the [General] section of the file is provided to describe the type of scan. In this case, TaskType=VSC700_Scan_Task is expected. Information for this check is determined by examining the contents of this file. Criteria: If [Reports] bLogScanFailure=1, this is not a finding.

Fix: F-20031r1_fix

From the ePO server console, select Systems tab, select the asset to be checked, select Client Tasks tab. From the list of available tasks in the Task Name column, with the assistance of the ePO SA, identify the weekly on demand client scan task. In the same row as the on demand client scan task, ensure that the Product Name column contains VirusScan Enterprise 8.7.0 and in the Status column, ensure that the status is Enabled. Select Edit from the Actions column. In the Description tab, ensure that for “Type:” “On Demand Scan (VirusScan Enterprise 8.7.0)” is selected. Select the Configuration tab. Under the Reports tab, locate the "What to log in addition to scanning activity:" label. Select Failure to scan encrypted files. Select Save.

b
The McAfee VirusScan schedule is not configured as required.
SI-3 - Medium - CCI-001241 - V-6627 - SV-21379r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001241
Version
DTAM070
Vuln IDs
  • V-6627
Rule IDs
  • SV-21379r1_rule
This parameter ensures that a comprehensive On-Demand system virus scan is scheduled to be executed on at least a weekly basis. System AdministratorECSC-1
Checks: C-23480r1_chk

From the ePO server console, select Systems tab, select the asset to be checked, select Client Tasks tab. From the list of available tasks in the Task Name column, with the assistance of the ePO SA, identify the weekly on demand client scan task. A daily or weekly on demand client scan may also be identified by reviewing the Product Name, Status, and Schedule of each Task Name in the Client Tasks window. In the same row as the on demand client scan task under review, ensure that the Product Name column contains VirusScan Enterprise 8.7.0 and in the Status column, ensure that the status is Enabled. Select Edit from the Actions column. In the Description tab, ensure that for “Type:” “On Demand Scan (VirusScan Enterprise 8.7.0)” is selected. Select the Schedule tab. In the "Schedule Status:" area, ensure Enabled is selected. Also, in the Schedule type: area (using the pull down menu), ensure that the scan is scheduled for at least a weekly scan. Criteria: If the Scheduled status: is Enabled and the Schedule type: is at least weekly, this is not a finding. On the client machine, use the Windows Explorer to navigate to the following folder: %SystemDrive%:\Document and Settings\All Users\Application Data\McAfee\Common Framework\Task\. Multiple .ini files will be stored in this folder one for each task defined on the ePO server for this client. The name for each task is identified in the first section of the file under the [Task] section on the TaskName= “” line. Additionally, a TaskType= line in the [General] section of the file is provided to describe the type of scan. In this case, TaskType=VSC700_Scan_Task is expected. Information for this check is determined by examining the contents of this file. Criteria: If [Settings] Enabled=1 and [Schedule] Type=0 the schedule is daily, this is not a finding. If [Settings] Enabled=1 and [Schedule] Type=1 the schedule is weekly, this is not a finding.

Fix: F-20035r1_fix

From the ePO server console, select Systems tab, select the asset to be checked, select Client Tasks tab. From the list of available tasks in the Task Name column, with the assistance of the ePO SA, identify the weekly on demand client scan task. In the same row as the on demand client scan task, ensure that the Product Name column contains VirusScan Enterprise 8.7.0 and in the Status column, ensure that the status is Enabled. Select Edit from the Actions column. In the Description tab, ensure that for “Type:” “On Demand Scan (VirusScan Enterprise 8.7.0)” is selected. Select the Schedule tab. In the "Schedule Status:" area select Enabled, in the Schedule type: area (using the pull down menu), ensure that the scan is scheduled on at least a weekly basis.

b
The McAfee VirusScan on access scan parameter for script scan is incorrect.
SI-3 - Medium - CCI-001242 - V-14618 - SV-21382r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001242
Version
DTAM090
Vuln IDs
  • V-14618
Rule IDs
  • SV-21382r1_rule
ScriptScan analyzes each webpage opened on your computer via Outlook or a web browser for JavaScript and VBScript. If an unwanted script is found it is not allowed to execute.System AdministratorInformation Assurance OfficerECVP-1
Checks: C-23484r1_chk

From the ePO server console, select Systems tab, select the asset to be checked, select the Policies tab, select from the product pull down list VirusScan Enterprise 8.7.0. Locate in the Category column the On-Access General Policies. Select from the Policy column the policy associated with the On-Access General Policies. Under the ScriptScan tab, locate the "ScriptScan:" label. Ensure the "Enable scanning of scripts" option is selected. Criteria: If the "Enable scanning of scripts" option is selected, this is not a finding.

Fix: F-20037r1_fix

From the ePO server console, select Systems tab, select the asset to be checked, select the Policies tab, select from the product pull down list VirusScan Enterprise 8.7.0. Locate in the Category column the On-Access General Policies. Select from the Policy column the policy associated with the On-Access General Policies. Under the ScriptScan tab, locate the "ScriptScan:" label. Select the "Enable scanning of scripts" option. Select Save.

b
The McAfee VirusScan on access scan parameter for connection blocking is incorrect.
SI-3 - Medium - CCI-001242 - V-14619 - SV-21386r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001242
Version
DTAM091
Vuln IDs
  • V-14619
Rule IDs
  • SV-21386r1_rule
This setting is required to block connections from remote computers when a threat or unwanted program is detected in a shared folder.System AdministratorInformation Assurance OfficerECVP-1
Checks: C-23491r1_chk

From the ePO server console, select Systems tab, select the asset to be checked, select the Policies tab, select from the product pull down list VirusScan Enterprise 8.7.0. Locate in the Category column the On-Access General Policies. Select from the Policy column the policy associated with the On-Access General Policies. Under the Blocking tab, locate the "Block the connection:" label. Ensure the "Block the connection when a threatened file is detected in a shared folder" option is selected. Criteria: If the "Block the connection when a threatened file is detected in a shared folder" option is selected, this is not a finding.

Fix: F-20041r1_fix

From the ePO server console, select Systems tab, select the asset to be checked, select the Policies tab, select from the product pull down list VirusScan Enterprise 8.7.0. Locate in the Category column the On-Access General Policies. Select from the Policy column the policy associated with the On-Access General Policies. Under the Blocking tab, locate the "Block the connection:" label. Select the "Block the connection when a threatened file is detected in a shared folder" option.

b
The McAfee VirusScan on access scan parameter for connection blocking time is incorrect.
SI-3 - Medium - CCI-001242 - V-14620 - SV-21400r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001242
Version
DTAM092
Vuln IDs
  • V-14620
Rule IDs
  • SV-21400r1_rule
This parameter unblocks suspected threats in a remote computer shared connection. If a threat is detected blocking blocks the connection. This parameter unblocks the connection after at minimum of 30 minutes.System AdministratorInformation Assurance OfficerECVP-1
Checks: C-23494r1_chk

From the ePO server console, select Systems tab, select the asset to be checked, select the Policies tab, select from the product pull down list VirusScan Enterprise 8.7.0. Locate in the Category column the On-Access General Policies. Select from the Policy column the policy associated with the On-Access General Policies. Under the Blocking tab, locate the "Block the connection:" label. Ensure the "Unblock connections after x minutes" where x is set to no less than 30 minutes. Criteria: If the "Unblock connections after 30 minutes" option is selected, this is not a finding.

Fix: F-20051r1_fix

From the ePO server console, select Systems tab, select the asset to be checked, select the Policies tab, select from the product pull down list VirusScan Enterprise 8.7.0. Locate in the Category column the On-Access General Policies. Select from the Policy column the policy associated with the On-Access General Policies. Under the Blocking tab, locate the "Block the connection:" label. Set the "Unblock connections after x minutes", where x is set to no less than 30 minutes.

b
The McAfee VirusScan on access scan parameter for blocking unwanted programs is incorrect.
SI-3 - Medium - CCI-001242 - V-14621 - SV-21404r2_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001242
Version
DTAM093
Vuln IDs
  • V-14621
Rule IDs
  • SV-21404r2_rule
This setting blocks the connection to a remote computer share where an unwanted program is found in the remote share folder.System AdministratorInformation Assurance OfficerECVP-1
Checks: C-23509r2_chk

From the ePO server console, select Systems tab, select the asset to be checked, select the Policies tab, select from the product pull down list VirusScan Enterprise 8.7.0. Locate in the Category column the On-Access General Policies. Select from the Policy column the policy associated with the On-Access General Policies. Under the Blocking tab, locate the "Block the connection:" label. Ensure the "Block the connection when a file with a potentially unwanted program is detected in a shared folder" is checked. Criteria: If the "Block the connection when a file with a potentially unwanted program is detected in a shared folder" option is selected, this is not a finding.

Fix: F-20057r2_fix

From the ePO server console, select Systems tab, select the asset to be checked, select the Policies tab, select from the product pull down list VirusScan Enterprise 8.7.0. Locate in the Category column the On-Access General Policies. Select from the Policy column the policy associated with the On-Access General Policies. Under the Blocking tab, locate the "Block the connection:" label. Check the "Block the connection when a file with a potentially unwanted program is detected in a shared folder" option.

b
The McAfee VirusScan scan default values for processes are not configured as required.
SI-3 - Medium - CCI-001242 - V-14622 - SV-21405r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001242
Version
DTAM100
Vuln IDs
  • V-14622
Rule IDs
  • SV-21405r1_rule
With this setting set to "Configure one scanning policy for all processes" one policy baseline for all on-access scanning is set using one set of policy options.System AdministratorInformation Assurance OfficerECVP-1
Checks: C-23511r1_chk

From the ePO server console, select Systems tab, select the asset to be checked, select the Policies tab, select from the product pull down list VirusScan Enterprise 8.7.0. Locate in the Category column the On-Access Default Processes Policies. Select from the Policy column the policy associated with the On-Access Default Processes Policies. Under the Processes tab, locate the "Process Settings:" label. Ensure the “Configure one scanning policy for all processes” is selected. Criteria: If the “Configure one scanning policy for all processes” option is selected, this is not a finding.

Fix: F-20058r1_fix

From the ePO server console, select Systems tab, select the asset to be checked, select the Policies tab, select from the product pull down list VirusScan Enterprise 8.7.0. Locate in the Category column the On-Access Default Processes Policies. Select from the Policy column the policy associated with the On-Access Default Processes Policies. Under the Processes tab, locate the "Process Settings:" label. Select the “Configure one scanning policy for all processes” option. Select Save.

b
The McAfee VirusScan scan when writing to disk is not configured as required.
SI-3 - Medium - CCI-001242 - V-14623 - SV-21406r2_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001242
Version
DTAM101
Vuln IDs
  • V-14623
Rule IDs
  • SV-21406r2_rule
This setting requires on-access scanning to be performed whenever a files is written to a non-networked disk drive.System AdministratorInformation Assurance OfficerECVP-1
Checks: C-23514r2_chk

From the ePO server console, select Systems tab, select the asset to be checked, select the Policies tab, select from the product pull down list VirusScan Enterprise 8.7.0. Locate in the Category column the On-Access Default Processes Policies. Select from the Policy column the policy associated with the On-Access Default Processes Policies. Under the Scan Items tab, locate the "Scan files label. Ensure the “When writing to disk” is selected. Criteria: If the “When writing to disk” option is selected, this is not a finding. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\software\McAfee\VSCore\On Access Scanner\McShield\Configuration\default Criteria: If the value bScanIncoming is 1, this is not a finding.

Fix: F-20059r1_fix

From the ePO server console, select Systems tab, select the asset to be checked, select the Policies tab, select from the product pull down list VirusScan Enterprise 8.7.0. Locate in the Category column the On-Access Default Processes Policies. Select from the Policy column the policy associated with the On-Access Default Processes Policies. Under the Scan Items tab, locate the "Scan files:" label. Select the “When writing to disk” option. Select Save.

b
The McAfee VirusScan scan when reading parameter is not configured as required.
SI-3 - Medium - CCI-001242 - V-14624 - SV-21407r2_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001242
Version
DTAM102
Vuln IDs
  • V-14624
Rule IDs
  • SV-21407r2_rule
This setting requires on-access scanning to be performed whenever a files are read from a non-networked disk drive.System AdministratorInformation Assurance OfficerECVP-1
Checks: C-23516r2_chk

From the ePO server console, select Systems tab, select the asset to be checked, select the Policies tab, select from the product pull down list VirusScan Enterprise 8.7.0. Locate in the Category column the On-Access Default Processes Policies. Select from the Policy column the policy associated with the On-Access Default Processes Policies. Under the Scan Items tab, locate the "Scan files label. Ensure the “When reading from disk” is selected. Criteria: If the “When reading from disk” option is selected, this is not a finding. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\software\McAfee\VSCore\On Access Scanner\McShield\Configuration\default Criteria: If the value bScanOutgoing is 1, this is not a finding.

Fix: F-20060r1_fix

From the ePO server console, select Systems tab, select the asset to be checked, select the Policies tab, select from the product pull down list VirusScan Enterprise 8.7.0. Locate in the Category column the On-Access Default Processes Policies. Select from the Policy column the policy associated with the On-Access Default Processes Policies. Under the Scan Items tab, locate the "Scan files:" label. Select the “When reading from disk” option. Select Save.

b
The McAfee VirusScan scan all files parameter is not configured as required.
SI-3 - Medium - CCI-001242 - V-14625 - SV-21409r2_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001242
Version
DTAM103
Vuln IDs
  • V-14625
Rule IDs
  • SV-21409r2_rule
This setting requires on-access scanning to be performed whenever a file is read from or written to network drives.System AdministratorInformation Assurance OfficerECVP-1
Checks: C-23522r2_chk

From the ePO server console, select Systems tab, select the asset to be checked, select the Policies tab, select from the product pull down list VirusScan Enterprise 8.7.0. Locate in the Category column the On-Access Default Policies. Select from the Policy column the policy associated with the On-Access Default Policies. Under the Scan Items tab, locate the "File Types to Scan" label. Ensure the "All Files" radio button is selected. Criteria: If the "All Files" radio button is selected, this is not a finding.

Fix: F-20062r2_fix

From the ePO server console, select Systems tab, select the asset to be checked, select the Policies tab, select from the product pull down list VirusScan Enterprise 8.7.0. Locate in the Category column the On-Access Default Policies. Select from the Policy column the policy associated with the On-Access Default Policies. Under the Scan Items tab, locate the "File Types to Scan" label. Select the "All Files" radio button. Select Save.

b
The McAfee VirusScan heuristics program viruses parameter is not configured as required.
SI-3 - Medium - CCI-001242 - V-14626 - SV-21410r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001242
Version
DTAM104
Vuln IDs
  • V-14626
Rule IDs
  • SV-21410r1_rule
This setting requires on-access scanning to "Find unknown program threats and trojans" based on heuristic problem solving techniques. System AdministratorInformation Assurance OfficerECVP-1
Checks: C-23527r1_chk

From the ePO server console, select Systems tab, select the asset to be checked, select the Policies tab, select from the product pull down list VirusScan Enterprise 8.7.0. Locate in the Category column the On-Access Default Processes Policies. Select from the Policy column the policy associated with the On-Access Default Processes Policies. Under the Scan Items tab, locate the "Heuristics:" label. Ensure the "Find unknown program threats and trojans" option is selected. Criteria: If the "Find unknown program threats and trojans" option is selected, this is not a finding.

Fix: F-20065r1_fix

From the ePO server console, select Systems tab, select the asset to be checked, select the Policies tab, select from the product pull down list VirusScan Enterprise 8.7.0. Locate in the Category column the On-Access Default Processes Policies. Select from the Policy column the policy associated with the On-Access Default Processes Policies. Under the Scan Items tab, locate the "Heuristics:" label. Select the "Find unknown program threats and trojans" option. Select save.

b
The McAfee VirusScan heuristics macro viruses parameter is not configured as required.
SI-3 - Medium - CCI-001242 - V-14627 - SV-21411r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001242
Version
DTAM105
Vuln IDs
  • V-14627
Rule IDs
  • SV-21411r1_rule
This setting requires on-access scanning to "Find unknown macro threats" based on heuristic problem solving techniques. System AdministratorInformation Assurance OfficerECVP-1
Checks: C-23529r1_chk

From the ePO server console, select Systems tab, select the asset to be checked, select the Policies tab, select from the product pull down list VirusScan Enterprise 8.7.0. Locate in the Category column the On-Access Default Processes Policies. Select from the Policy column the policy associated with the On-Access Default Processes Policies. Under the Scan Items tab, locate the "Heuristics:" label. Ensure the "Find unknown macro threats" option is selected. Criteria: If the "Find unknown macro threats" option is selected, this is not a finding.

Fix: F-20066r1_fix

From the ePO server console, select Systems tab, select the asset to be checked, select the Policies tab, select from the product pull down list VirusScan Enterprise 8.7.0. Locate in the Category column the On-Access Default Processes Policies. Select from the Policy column the policy associated with the On-Access Default Processes Policies. Under the Scan Items tab, locate the "Heuristics:" label. Select the "Find unknown macro threats" option. Select save.

b
The McAfee VirusScan scan inside archives parameter is not configured as required.
SI-3 - Medium - CCI-001242 - V-14628 - SV-21412r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001242
Version
DTAM106
Vuln IDs
  • V-14628
Rule IDs
  • SV-21412r1_rule
This setting requires on-access scanning to scan inside archive files such as .ZIP files. This also enables on-access scanning to be perfomed on other compressed file types as well.System AdministratorECVP-1
Checks: C-23537r1_chk

From the ePO server console, select Systems tab, select the asset to be checked, select the Policies tab, select from the product pull down list VirusScan Enterprise 8.7.0. Locate in the Category column the On-Access Default Processes Policies. Select from the Policy column the policy associated with the On-Access Default Processes Policies. Under the Scan Items tab, locate the "Compressed files:" label. Ensure the "Scan inside archives (e.g. .ZIP)" option is selected. Criteria: If the "Scan inside archives (e.g. .ZIP)" option is selected, this is not a finding.

Fix: F-20070r1_fix

From the ePO server console, select Systems tab, select the asset to be checked, select the Policies tab, select from the product pull down list VirusScan Enterprise 8.7.0. Locate in the Category column the On-Access Default Processes Policies. Select from the Policy column the policy associated with the On-Access Default Processes Policies. Under the Scan Items tab, locate the "Compressed files:" label. Select the "Scan inside archives (e.g. .ZIP)" option. Select Save.

b
The McAfee VirusScan process primary action parameter is not configured as required.
SI-3 - Medium - CCI-001242 - V-14630 - SV-21414r2_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001242
Version
DTAM110
Vuln IDs
  • V-14630
Rule IDs
  • SV-21414r2_rule
This setting requires that for On-Access scanning the first response to a threat that is detected is to “Clean files automatically”.System AdministratorInformation Assurance OfficerECVP-1
Checks: C-23541r1_chk

From the ePO server console, select Systems tab, select the asset to be checked, select the Policies tab, select from the product pull down list VirusScan Enterprise 8.7.0. Locate in the Category column the On-Access Default Processes Policies. Select from the Policy column the policy associated with the On-Access Default Processes Policies. Under the Actions tab, When a threat is found: area, ensure that for the “Perform this action first:” pull down menu, “Clean files” is selected. Criteria: If “Clean files” is selected, this is not a finding.

Fix: F-20072r1_fix

From the ePO server console, select Systems tab, select the asset to be checked, select the Policies tab, select from the product pull down list VirusScan Enterprise 8.7.0. Locate in the Category column the On-Access Default Processes Policies. Select from the Policy column the policy associated with the On-Access Default Processes Policies. Under the Actions tab, in When a threat is found: area, Perform this action first:, select “Clean files”. Select Save.

b
The McAfee VirusScan process secondary action parameter is not configured as required.
SI-3 - Medium - CCI-001242 - V-14631 - SV-21415r2_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001242
Version
DTAM111
Vuln IDs
  • V-14631
Rule IDs
  • SV-21415r2_rule
This setting is required in response to a threat that could not be cleaned by the On-Access "Clean Files Automatically" setting. In this event the On_access setting for "If the first action fails, then perform this action:" is "Delete Files Automatically". If the file cannot be repaired it should be deleted. System AdministratorInformation Assurance OfficerECVP-1
Checks: C-23543r1_chk

From the ePO server console, select Systems tab, select the asset to be checked, select the Policies tab, select from the product pull down list VirusScan Enterprise 8.7.0. Locate in the Category column the On-Access Default Processes Policies. Select from the Policy column the policy associated with the On-Access Default Processes Policies. Under the Actions tab, When a threat is found: area, ensure that for the “If the first action fails, then perform this action:” pull down menu, “Delete files” is selected. Criteria: If “Delete files” is selected, this is not a finding.

Fix: F-20074r1_fix

From the ePO server console, select Systems tab, select the asset to be checked, select the Policies tab, select from the product pull down list VirusScan Enterprise 8.7.0. Locate in the Category column the On-Access Default Processes Policies. Select from the Policy column the policy associated with the On-Access Default Processes Policies. Under the Actions tab, When a threat is found: area, If the first action fails, then perform this action:, select “Delete files”. Select Save.

b
The McAfee VirusScan detects unwanted programs email parameter is not configured as required.
Medium - V-14651 - SV-21416r1_rule
RMF Control
Severity
M
CCI
Version
DTAM038
Vuln IDs
  • V-14651
Rule IDs
  • SV-21416r1_rule
This setting is required for the On-Delivery Email scan. This settings enables the detection of unwanted programs to include Malware and Spyware.System AdministratorInformation Assurance OfficerECVP-1
Checks: C-23545r1_chk

From the ePO server console, select Systems tab, select the asset to be checked, select the Policies tab, select from the product pull down list VirusScan Enterprise 8.7.0. Locate in the Category column the On Delivery Email Scan Policies. Select from the Policy column the policy associated with the On Delivery Email Scan Policies. Under the Scan Items tab, locate the "Unwanted programs detection:" label. Ensure the "Detect unwanted programs" option is selected. Criteria: If the option "Detect unwanted programs" is selected, this is not a finding.

Fix: F-20075r1_fix

From the ePO server console, select Systems tab, select the asset to be checked, select the Policies tab, select from the product pull down list VirusScan Enterprise 8.7.0. Locate in the Category column the On Delivery Email Scan Policies. Select from the Policy column the policy associated with the On Delivery Email Scan Policies. Under the Scan Items tab, locate the "Unwanted programs detection:" label. Select the "Detect unwanted programs" option.

b
The McAfee VirusScan unwanted programs action email parameter is not configured as required.
SI-3 - Medium - CCI-001243 - V-14652 - SV-21417r2_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001243
Version
DTAM039
Vuln IDs
  • V-14652
Rule IDs
  • SV-21417r2_rule
This setting is required for the On Delivery Email Scan Policies. When an unwanted program is found the first action to be performed is the "Prompt for action” option. At that time the option to delete, clean, or archive the program is presented to the user. System AdministratorInformation Assurance OfficerECVP-1
Checks: C-23547r4_chk

From the ePO server console, select Systems tab, select the asset to be checked, select the Policies tab, select from the product pull down list VirusScan Enterprise 8.7.0. Locate in the Category column the On Delivery Email Scan Policies. Select from the Policy column the policy associated with the On Delivery Email Scan Policies. Under the Actions tab, locate the "When an unwanted program is found:" section. In the “Perform this action first:” pull down menu, select the "Clean Attachments” option. Select save. Criteria: If the option "Clean Attachments” is selected, this is not a finding.

Fix: F-20076r2_fix

From the ePO server console, select Systems tab, select the asset to be checked, select the Policies tab, select from the product pull down list VirusScan Enterprise 8.7.0. Locate in the Category column the On Delivery Email Scan Policies. Select from the Policy column the policy associated with the On Delivery Email Scan Policies. Under the Actions tab, locate the "When an unwanted program is found:" section. In the “Perform this action first:” pull down menu, select the "Clean attachments” option. Select save.

b
The McAfee VirusScan check for unwanted programs parameter is not configured as required.
SI-3 - Medium - CCI-001241 - V-14654 - SV-21418r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001241
Version
DTAM058
Vuln IDs
  • V-14654
Rule IDs
  • SV-21418r1_rule
This setting enables the detection of unwanted programs during a scheduled, On-Demand Scan, scan. The “Detect unwanted programs” option is required to be selected in the configuration for the daily or weekly On Demand Scan.System AdministratorInformation Assurance OfficerECVP-1
Checks: C-23549r1_chk

From the ePO server console, select Systems tab, select the asset to be checked, select Client Tasks tab. From the list of available tasks in the Task Name column, with the assistance of the ePO SA, identify the weekly on demand client scan task. A daily or weekly on demand client scan may also be identified by reviewing the Product Name, Status, and Schedule of each Task Name in the Client Tasks window. In the same row as the on demand client scan task under review, ensure that the Product Name column contains VirusScan Enterprise 8.7.0 and in the Status column, ensure that the status is Enabled. Select Edit from the Actions column. In the Description tab, ensure that for “Type:” “On Demand Scan (VirusScan Enterprise 8.7.0)” is selected. Select the Configuration tab. Under the Scan Items tab, Options: area, ensure that “Detect unwanted programs” is selected. Criteria: If “Detect unwanted programs” is selected in the configuration for the daily or weekly On Demand Scan, this is not a finding. On the client machine, use the Windows Explorer to navigate to the following folder: %SystemDrive%:\Document and Settings\All Users\Application Data\McAfee\Common Framework\Task\. Multiple .ini files will be stored in this folder one for each task defined on the ePO server for this client. The name for each task is identified in the first section of the file under the [Task] section on the TaskName= “” line. Additionally, a TaskType= line in the [General] section of the file is provided to describe the type of scan. In this case, TaskType=VSC700_Scan_Task is expected. Information for this check is determined by examining the contents of this file. Criteria: If [Spyware] ApplyNVP=1 is present, this is not a finding.

Fix: F-20077r1_fix

From the ePO server console, select Systems tab, select the asset to be checked, select Client Tasks tab. From the list of available tasks in the Task Name column, with the assistance of the ePO SA, identify the weekly on demand client scan task. In the same row as the on demand client scan task, ensure that the Product Name column contains VirusScan Enterprise 8.7.0 and in the Status column, ensure that the status is Enabled. Select Edit from the Actions column. In the Description tab, ensure that for “Type:” “On Demand Scan (VirusScan Enterprise 8.7.0)” is selected. Select the Configuration tab. Under the Scan Items tab, Options: area, select “Detect unwanted programs”. Select Save.

b
The McAfee VirusScan buffer overflow protection is not configured as required.
SI-3 - Medium - CCI-001242 - V-14657 - SV-21419r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001242
Version
DTAM130
Vuln IDs
  • V-14657
Rule IDs
  • SV-21419r1_rule
This setting is required to ensure that buffer overflow protection is enabled. Buffer overflow protection prevents tampered with application code from being executed on the computer.System AdministratorInformation Assurance OfficerECVP-1
Checks: C-23551r1_chk

From the ePO server console, select Systems tab, select the asset to be checked, select the Policies tab, select from the product pull down list VirusScan Enterprise 8.7.0. Locate in the Category column the Buffer Overflow Protection Policies. Select from the Policy column the policy associated with the Buffer Overflow Protection Policies. Under the Buffer Overflow Protection tab, locate the "Buffer Overflow settings:" label. Ensure the "Enable buffer overflow protection" option is selected. Criteria: If the "Enable buffer overflow protection" option is selected, this is not a finding.

Fix: F-20079r1_fix

From the ePO server console, select Systems tab, select the asset to be checked, select the Policies tab, select from the product pull down list VirusScan Enterprise 8.7.0. Locate in the Category column the Buffer Overflow Protection Policies. Select from the Policy column the policy associated with, in the same row as, the Buffer Overflow Protection Policies. Under the Buffer Overflow Protection tab, locate the "Buffer Overflow settings:" label. Select the "Enable buffer overflow protection" option. Select Save.

b
The McAfee VirusScan buffer overflow protection mode is not configured as required.
SI-3 - Medium - CCI-001242 - V-14658 - SV-21420r2_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001242
Version
DTAM131
Vuln IDs
  • V-14658
Rule IDs
  • SV-21420r2_rule
This setting is required to ensure that buffer overflow protection is enabled and that "Protection mode" is enabled. Buffer overflow protection prevents tampered with application code from being executed on the computer. The "Protection mode" option is selected to ensure that the application is prevented from executing. System AdministratorInformation Assurance OfficerECVP-1
Checks: C-23554r1_chk

From the ePO server console, select Systems tab, select the asset to be checked, select the Policies tab, select from the product pull down list VirusScan Enterprise 8.7.0. Locate in the Category column the Buffer Overflow Protection Policies. Select from the Policy column the policy associated with the Buffer Overflow Protection Policies. Under the Buffer Overflow Protection tab, locate the "Buffer Overflow settings:" label. Ensure the "Protection mode" option is selected. Criteria: If the "Protection mode" option is selected, this is not a finding.

Fix: F-20080r1_fix

From the ePO server console, select Systems tab, select the asset to be checked, select the Policies tab, select from the product pull down list VirusScan Enterprise 8.7.0. Locate in the Category column the Buffer Overflow Protection Policies. Select from the Policy column the policy associated with the Buffer Overflow Protection Policies. Under the Buffer Overflow Protection tab, locate the "Buffer Overflow settings:" label. Select the "Protection mode" option. Select Save.

b
The McAfee VirusScan buffer overflow message parameter is not configured as required.
SI-3 - Medium - CCI-001242 - V-14659 - SV-21421r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001242
Version
DTAM132
Vuln IDs
  • V-14659
Rule IDs
  • SV-21421r1_rule
This setting is required to ensure when buffer overflow protection is enabled that the "Show the messages dialog box when a buffer overflow is detected" is selected. Buffer overflow protection prevents tampered with application code from being executed on the computer. The "Show the messages dialog box when a buffer overflow is detected" option is selected to ensure that the user is notified . System AdministratorInformation Assurance OfficerECVP-1
Checks: C-23556r1_chk

From the ePO server console, select Systems tab, select the asset to be checked, select the Policies tab, select from the product pull down list VirusScan Enterprise 8.7.0. Locate in the Category column the Buffer Overflow Protection Policies. Select from the Policy column the policy associated with the Buffer Overflow Protection Policies. Under the Buffer Overflow Protection tab, locate the "Client system warning:" label. Ensure the "Show the messages dialog box when a buffer overflow is detected" option is selected. Criteria: If the "Show the messages dialog box when a buffer overflow is detected" option is selected, this is not a finding.

Fix: F-20081r1_fix

From the ePO server console, select Systems tab, select the asset to be checked, select the Policies tab, select from the product pull down list VirusScan Enterprise 8.7.0. Locate in the Category column the Buffer Overflow Protection Policies. Select from the Policy column the policy associated with the Buffer Overflow Protection Policies. Under the Buffer Overflow Protection tab, locate the "Client system warning:" label. Select the "Show the messages dialog box when a buffer overflow is detected" option. Select Save.

b
The McAfee VirusScan buffer overflow log parameter is not configured as required.
SI-3 - Medium - CCI-001242 - V-14660 - SV-21422r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001242
Version
DTAM133
Vuln IDs
  • V-14660
Rule IDs
  • SV-21422r1_rule
This setting is required to ensure when buffer overflow protection is enabled that the "Enable activity logging and accept the default location for the log file or specify a new location" is selected. Buffer overflow protection prevents tampered with application code from being executed on the computer. The "Enable activity logging and accept the default location for the log file or specify a new location" option is selected to ensure that buffer overflow logging is being performed .System AdministratorInformation Assurance OfficerECVP-1
Checks: C-23558r1_chk

From the ePO server console, select Systems tab, select the asset to be checked, select the Policies tab, select from the product pull down list VirusScan Enterprise 8.7.0. Locate in the Category column the Buffer Overflow Protection Policies. Select from the Policy column the policy associated with the Buffer Overflow Protection Policies. Under the Reports tab, locate the "Log to file:" label. Criteria: If the "Enable activity logging and accept the default location for the log file or specify a new location" option is selected, this is not a finding.

Fix: F-20082r1_fix

From the ePO server console, select Systems tab, select the asset to be checked, select the Policies tab, select from the product pull down list VirusScan Enterprise 8.7.0. Locate in the Category column the Buffer Overflow Protection Policies. Select from the Policy column the policy associated with the Buffer Overflow Protection Policies. Under the Reports tab, locate the "Log to file:" label. Select the "Enable activity logging and accept the default location for the log file or specify a new location" option. Select Save.

b
The McAfee VirusScan log size limitation parameters are not configured as required.
SI-3 - Medium - CCI-001242 - V-14661 - SV-21423r2_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001242
Version
DTAM134
Vuln IDs
  • V-14661
Rule IDs
  • SV-21423r2_rule
This setting is required to ensure when buffer overflow protection is enabled that the "Log file size" is selected. Buffer overflow protection prevents tampered with application code from being executed on the computer. The "Log file size" option is selected to ensure that buffer overflow log file size does not excced 100mb.System AdministratorInformation Assurance OfficerECVP-1
Checks: C-23560r2_chk

From the ePO server console, select Systems tab, select the asset to be checked, select the Policies tab, select from the product pull down list VirusScan Enterprise 8.7.0. Locate in the Category column the Buffer Overflow Protection Policies. Select from the Policy column the policy associated with the Buffer Overflow Protection Policies. Under the Reports tab, locate the "Log file size" label. Criteria: If the "Limit the size of the file" option is selected, and the “Maximum log file size:” is less than or equals 100MB, this is not a finding.

Fix: F-20083r2_fix

From the ePO server console, select Systems tab, select the asset to be checked, select the Policies tab, select from the product pull down list VirusScan Enterprise 8.7.0. Locate in the Category column the Buffer Overflow Protection Policies. Select from the Policy column the policy associated with the Buffer Overflow Protection Policies. Under the Reports tab, locate the "Log file size:" label. If the "Limit the size of the file" option is selected, ensure the “Maximum log file size:” is less than 100MB.

b
The McAfee VirusScan detection of Spyware is not configured as required.
SI-3 - Medium - CCI-001668 - V-14662 - SV-21424r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001668
Version
DTAM135
Vuln IDs
  • V-14662
Rule IDs
  • SV-21424r1_rule
This setting is required to ensure that under the Unwanted Programs Policies, Spyware is selected. This enables the detection of Spyware on the system.System AdministratorInformation Assurance OfficerECVP-1
Checks: C-23562r1_chk

From the ePO server console, select Systems tab, select the asset to be checked, select the Policies tab, select from the product pull down list VirusScan Enterprise 8.7.0. Locate in the Category column the Unwanted Programs Policies. Select the policy associated with the Unwanted Programs Policies. Under the Scan Items tab, locate the "Select categories of unwanted programs to detect:" label. Ensure the "Spyware" option is selected. Criteria: If the "Spyware" option is selected, this is not a finding.

Fix: F-20084r1_fix

From the ePO server console, select Systems tab, select the asset to be checked, select the Policies tab, select from the product pull down list VirusScan Enterprise 8.7.0. Locate in the Category column the Unwanted Programs Policies . Select from the Policy column the policy associated with the Unwanted Programs Policies. Under the Scan Items tab, locate the "Select categories of unwanted programs to detect:" label. Select the "Spyware" option. Select Save.

b
The McAfee VirusScan detection of Adware is not configured as required.
SI-3 - Medium - CCI-001668 - V-14663 - SV-21426r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001668
Version
DTAM136
Vuln IDs
  • V-14663
Rule IDs
  • SV-21426r1_rule
This setting is required to ensure that under the Unwanted Programs Policies, Adware is selected. This enables the detection of Adware on the system.System AdministratorInformation Assurance OfficerECVP-1
Checks: C-23564r1_chk

From the ePO server console, select Systems tab, select the asset to be checked, select the Policies tab, select from the product pull down list VirusScan Enterprise 8.7.0. Locate in the Category column the Unwanted Programs Policies. Select the policy associated with the Unwanted Programs Policies. Under the Scan Items tab, locate the "Select categories of unwanted programs to detect:" label. Ensure the "Adware" option is selected. Criteria: If the "Adware" option is selected, this is not a finding.

Fix: F-20085r1_fix

From the ePO server console, select Systems tab, select the asset to be checked, select the Policies tab, select from the product pull down list VirusScan Enterprise 8.7.0. Locate in the Category column the Unwanted Programs Policies. Select from the Policy column the policy associated with the Unwanted Programs Policies. Under the Scan Items tab, locate the "Select categories of unwanted programs to detect:" label. Select the "Adware" option. Select Save.

c
The antivirus signature file age exceeds 7 days.
SI-3 - High - CCI-001240 - V-19910 - SV-22090r1_rule
RMF Control
SI-3
Severity
H
CCI
CCI-001240
Version
DTAG008
Vuln IDs
  • V-19910
Rule IDs
  • SV-22090r1_rule
Antivirus signature files are updated almost daily by antivirus software vendors. These files are made available to antivirus clients as they are published. Keeping virus signature files as current as possible is vital to the security of any system. Note: If the vendor or trusted site’s files match the date of the signature files on the machine, this is not a finding. System AdministratorECVP-1
Checks: C-25622r1_chk

On client machine locate McAfee icon in system tray. Right click to open and choose VirusScan Console. Select Help then choose About VirusScan Enterprise. Displayed will be a date for "DAT Created On:. Criteria: If the "DAT Created On:" date is older than 7 calendar days from the current date, this is a finding. Note: If the vendor or trusted site’s files are also older than 7 days and match the date of the signature files on the machine, this is not a finding.

Fix: F-20632r1_fix

Update client machines via ePo. If this fails to update the client, update antivirus signature file as your local process describes e.g autoupdate or runtime executable.

b
The McAfee VirusScan File Reputation Service setting is not configured as required.
SI-3 - Medium - CCI-001242 - V-35027 - SV-46287r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001242
Version
DTAM137
Vuln IDs
  • V-35027
Rule IDs
  • SV-46287r1_rule
This parameter controls setting the Heuristic network check for suspicious files in the File Reputation Service.System AdministratorECSC-1
Checks: C-43438r2_chk

- 8.7 Managed Client: From the ePO server console, select Systems tab, select the asset to be checked, select the Policies tab, select from the product pull down list VirusScan Enterprise 8.7.0. Locate in the Category column the On-Access General Policies. Select from the Policy column the policy associated with the On-Access General Policies. Under the General tab, locate the " Heuristic network check for suspicious files:" label. Ensure the "Medium" option is selected. Criteria: If the "Medium" option is selected this is not a finding. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\McAfee\VSCore\On access scanner Criteria: If the value of ArtemisEnabled is REG_DWORD = 1, this is not a finding. AND Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\McAfee\VSCore\On access scanner Criteria: If the value of ArtemisLevel is REG_DWORD = 2, this is not a finding. NOTE: This setting applies to product versions of 8.7i and above only.

Fix: F-39581r2_fix

- 8.7 Managed Client: From the ePO server console, select Systems Tab, select the asset to be checked, select the Policies tab, select from the product pull down list VirusScan Enterprise 8.7.0. Locate in the Category column the On-Access General Policies. Select from the Policy column, the policy associated with the On-Access General Policies. Under the General tab, locate the "Heuristic network check for suspicious files:" label. Select the "Medium" option. Select Save. NOTE: This setting applies to product versions of 8.7i and above only.