Symantec AntiVirus Locally Configured Client

  • Version/Release: V4R1

The Symantec Antivirus is not configured to restart for configuration changes.
Medium - V-6359 - SV-6432r4_rule
  • Severity: Medium
  • Version: DTAS002
  • Vuln IDs: V-6359
  • Rule IDs: SV-6432r4_rule
Without an automatic restart, changes to the virus protection will not be in effect until a reboot of the machine.
System Administrator
Checks: C-1058r2_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\INTEL\LANDesk\VirusProtect6\CurrentVersion\Storages\Filesystem\RealTimeScan

Criteria: If the value of ConfigRestart is 1, this is not a finding.

Fix: F-5885r2_fix

Change the registry key HKLM\Software\INTEL\LANDesk\VirusProtect6\CurrentVersion\Storages\Filesystem\RealTimeScan so that the value of ConfigRestart is 1.

The Symantec Antivirus autoprotect parameter is incorrect.
High - V-6360 - SV-6433r5_rule
  • Severity: High
  • Version: DTAS003
  • Vuln IDs: V-6360
  • Rule IDs: SV-6433r5_rule
Without autoprotect, the virus scan is not scanning files as they are being accessed.
System Administrator
Checks: C-1059r2_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\INTEL\LANDesk\VirusProtect6\CurrentVersion\Storages\Filesystem\RealTimeScan

Criteria: If the value of OnOff is 1, this is not a finding.

Fix: F-5886r2_fix

Change the registry key HKLM\Software\INTEL\LANDesk\VirusProtect6\CurrentVersion\Storages\Filesystem\RealTimeScan so that the value of OnOff is 1.

The Symantec Antivirus auto protect-All Files configuration is incorrect.
Medium - V-6361 - SV-6434r5_rule
  • Severity: Medium
  • Version: DTAS004
  • Vuln IDs: V-6361
  • Rule IDs: SV-6434r5_rule
All files must be included in virus scans for the scans to be effective.
System Administrator
Checks: C-1061r3_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\INTEL\LANDesk\VirusProtect6\CurrentVersion\Storages\Filesystem\RealTimeScan

Criteria: If the value of FileType is 0, this is not a finding.

Fix: F-5887r3_fix

Change the registry key HKLM\Software\INTEL\LANDesk\VirusProtect6\CurrentVersion\Storages\Filesystem\RealTimeScan so that the value of FileType is 0.

The Symantec Antivirus display message parameter is incorrect.
Medium - V-6362 - SV-6435r4_rule
  • Severity: Medium
  • Version: DTAS006
  • Vuln IDs: V-6362
  • Rule IDs: SV-6435r4_rule
Without an appropriate message when an infection is found, the user will not know there is a virus.
System Administrator
Checks: C-1087r2_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\INTEL\LANDesk\VirusProtect6\CurrentVersion\Storages\Filesystem\RealTimeScan

Criteria: If the value of MessageBox is 1, this is not a finding.

Fix: F-5888r2_fix

Change the registry key HKLM\Software\INTEL\LANDesk\VirusProtect6\CurrentVersion\Storages\Filesystem\RealTimeScan so that the value of MessageBox is 1.

The Symantec Antivirus exclude files configuration is incorrect.
Medium - V-6363 - SV-6436r3_rule
  • Severity: Medium
  • Version: DTAS007
  • Vuln IDs: V-6363
  • Rule IDs: SV-6436r3_rule
This ensures no files are excluded from the scan.
System Administrator
Checks: C-1090r2_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\INTEL\LANDesk\VirusProtect6\CurrentVersion\Storages\Filesystem\RealTimeScan

Criteria: If the value of ExcludedByExtensions is 0, this is not a finding.

Fix: F-5889r2_fix

Change the registry key HKLM\Software\INTEL\LANDesk\VirusProtect6\CurrentVersion\Storages\Filesystem\RealTimeScan so that the value of ExcludedByExtensions is 0.

The Symantec Antivirus autoprotect read parameter is incorrect.
Medium - V-6368 - SV-6441r4_rule
  • Severity: Medium
  • Version: DTAS012
  • Vuln IDs: V-6368
  • Rule IDs: SV-6441r4_rule
Without this parameter, files that are accessed by the user will not be checked for viruses.
System Administrator
Checks: C-1168r2_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\INTEL\LANDesk\VirusProtect6\CurrentVersion\Storages\Filesystem\RealTimeScan

Criteria: If the value of Reads is 1, this is not a finding.

Fix: F-5894r2_fix

Change the registry key HKLM\Software\INTEL\LANDesk\VirusProtect6\CurrentVersion\Storages\Filesystem\RealTimeScan so that the value of Reads is 1.

The Symantec Antivirus AutoProtect parameter for backup options is incorrect.
Medium - V-6369 - SV-6442r4_rule
  • Severity: Medium
  • Version: DTAS013
  • Vuln IDs: V-6369
  • Rule IDs: SV-6442r4_rule
Without setting this parameter, a copy of the file will not be saved before trying to remove the virus.
System Administrator
Checks: C-1170r2_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\INTEL\LANDesk\VirusProtect6\CurrentVersion\Storages\Filesystem\RealTimeScan

Criteria: If the value of BackupToQuarantine is 1, this is not a finding.

Fix: F-5895r2_fix

Change the registry key HKLM\Software\INTEL\LANDesk\VirusProtect6\CurrentVersion\Storages\Filesystem\RealTimeScan so that the value of BackupToQuarantine is 1.

The Symantec Antivirus AutoProtect parameter for autoenabler is incorrect.
Medium - V-6370 - SV-6443r4_rule
  • Severity: Medium
  • Version: DTAS014
  • Vuln IDs: V-6370
  • Rule IDs: SV-6443r4_rule
If virus checking is turned off, this parameter will turn it back on after 5 minutes. This will ensure the virus checking program will remain on even if the user turns it off.
System Administrator
Checks: C-1174r4_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\INTEL\LANDesk\VirusProtect6\CurrentVersion\Storages\Filesystem\RealTimeScan

Criteria: If the value of APEOn is 1 and the value of APESleep is <= 5, this is not a finding. If APESleep is > 5 or APEOn is not 1, this is a finding.

Fix: F-5896r3_fix

Change the registry key HKLM\Software\INTEL\LANDesk\VirusProtect6\CurrentVersion\Storages\Filesystem\RealTimeScan so that the value of APEOn is 1 and the value of APESleep is <= 5.

The Symantec Antivirus AutoProtect parameter for floppies is incorrect.
Medium - V-6371 - SV-6444r5_rule
  • Severity: Medium
  • Version: DTAS015
  • Vuln IDs: V-6371
  • Rule IDs: SV-6444r5_rule
This parameter determines whether floppy disks are checked for viruses.
System Administrator
Checks: C-1177r3_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\INTEL\LANDesk\VirusProtect6\CurrentVersion\Storages\Filesystem\RealTimeScan

Criteria: If the value of ScanFloppyBRonAccess is 1, this is not a finding.

Fix: F-5897r2_fix

Change the registry key HKLM\Software\INTEL\LANDesk\VirusProtect6\CurrentVersion\Storages\Filesystem\RealTimeScan so that the value of ScanFloppyBRonAccess is 1.

The Symantec Antivirus AutoProtect parameter for Boot virus is incorrect.
Medium - V-6372 - SV-6445r4_rule
  • Severity: Medium
  • Version: DTAS016
  • Vuln IDs: V-6372
  • Rule IDs: SV-6445r4_rule
This parameter tells the antivirus program what to do when a boot virus is found.
System Administrator
Checks: C-1182r2_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\INTEL\LANDesk\VirusProtect6\CurrentVersion\Storages\Filesystem\RealTimeScan

Criteria: If the value of FloppyBRAction is 5, this is not a finding.

Fix: F-5898r2_fix

Change the registry key HKLM\Software\INTEL\LANDesk\VirusProtect6\CurrentVersion\Storages\Filesystem\RealTimeScan so that the value of FloppyBRAction is 5.
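
The ten checks from V-6359 through V-6372 all read the same Filesystem\RealTimeScan key, so they can be evaluated in one pass. The PowerShell below is an added example, not part of the STIG or of any Symantec tooling: the function name `Test-SavRealTimeScan`, its `-Values` parameter and the `NotPresent` status (for a value the key does not contain, which these checks do not rule on) are assumptions, while the value names and expected data come from the checks above.

```powershell
# Added example, not STIG or vendor code. Value names and expected data are
# taken from checks V-6359 .. V-6372; function and property names are illustrative.
function Test-SavRealTimeScan {
    [CmdletBinding()]
    param(
        # Key named in the check procedures.
        [string]$Path = 'HKLM:\Software\INTEL\LANDesk\VirusProtect6\CurrentVersion\Storages\Filesystem\RealTimeScan',
        # Optional name/data table so the logic can be run without the live registry.
        [hashtable]$Values
    )

    if (-not $PSBoundParameters.ContainsKey('Values')) {
        if (-not (Test-Path -LiteralPath $Path)) { throw "Registry key not found: $Path" }
        $key = Get-Item -LiteralPath $Path
        $Values = @{}
        foreach ($name in $key.GetValueNames()) { $Values[$name] = $key.GetValue($name) }
    }

    # One row per registry value. V-6370 is satisfied only when both of its rows pass.
    $rules = @(
        @{ Id = 'V-6359'; Name = 'ConfigRestart';        Op = 'eq'; Want = 1 }
        @{ Id = 'V-6360'; Name = 'OnOff';                Op = 'eq'; Want = 1 }
        @{ Id = 'V-6361'; Name = 'FileType';             Op = 'eq'; Want = 0 }
        @{ Id = 'V-6362'; Name = 'MessageBox';           Op = 'eq'; Want = 1 }
        @{ Id = 'V-6363'; Name = 'ExcludedByExtensions'; Op = 'eq'; Want = 0 }
        @{ Id = 'V-6368'; Name = 'Reads';                Op = 'eq'; Want = 1 }
        @{ Id = 'V-6369'; Name = 'BackupToQuarantine';   Op = 'eq'; Want = 1 }
        @{ Id = 'V-6370'; Name = 'APEOn';                Op = 'eq'; Want = 1 }
        @{ Id = 'V-6370'; Name = 'APESleep';             Op = 'le'; Want = 5 }
        @{ Id = 'V-6371'; Name = 'ScanFloppyBRonAccess'; Op = 'eq'; Want = 1 }
        @{ Id = 'V-6372'; Name = 'FloppyBRAction';       Op = 'eq'; Want = 5 }
    )

    foreach ($rule in $rules) {
        $present = $Values.ContainsKey($rule.Name)
        $actual  = if ($present) { $Values[$rule.Name] } else { $null }
        # Compare numerically so string data such as '10' is not compared as text.
        $number  = $actual -as [int]

        $status = if (-not $present) {
            'NotPresent'              # assumption: left for the reviewer to rule on
        } elseif ($null -eq $number) {
            'Finding'                 # data is not a number
        } elseif ($rule.Op -eq 'eq' -and $number -eq $rule.Want) {
            'NotAFinding'
        } elseif ($rule.Op -eq 'le' -and $number -le $rule.Want) {
            'NotAFinding'
        } else {
            'Finding'
        }

        [pscustomobject]@{
            VulnId   = $rule.Id
            Value    = $rule.Name
            Expected = '{0} {1}' -f $(if ($rule.Op -eq 'eq') { '=' } else { '<=' }), $rule.Want
            Actual   = $actual
            Status   = $status
        }
    }
}

# Constructed sample data (not from a real host): APESleep is too high and
# Reads is absent, so V-6370 reports Finding and V-6368 reports NotPresent.
$sample = @{
    ConfigRestart = 1; OnOff = 1; FileType = 0; MessageBox = 1
    ExcludedByExtensions = 0; BackupToQuarantine = 1
    APEOn = 1; APESleep = 10; ScanFloppyBRonAccess = 1; FloppyBRAction = 5
}
Test-SavRealTimeScan -Values $sample | Format-Table -AutoSize
```

Calling `Test-SavRealTimeScan` with no arguments reads the live key instead of the sample table.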

The Symantec Antivirus AutoProtect parameter for check floppy at shutdown is incorrect.
Medium - V-6374 - SV-6447r4_rule
  • Severity: Medium
  • Version: DTAS017
  • Vuln IDs: V-6374
  • Rule IDs: SV-6447r4_rule
This checks floppy drives at shutdown time.
System Administrator
Checks: C-1240r3_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\INTEL\LANDesk\VirusProtect6\CurrentVersion\Storages\Filesystem\RealTimeScan

Criteria: For Version 9.x: If the value of SkipFloppyBRonAccess is 0, this is not a finding. For Version 10.x: If the value of SkipShutDownFloppyCheck is 0x0, this is not a finding.

Fix: F-5900r3_fix

Change the registry key HKLM\Software\INTEL\LANDesk\VirusProtect6\CurrentVersion\Storages\Filesystem\RealTimeScan as follows. Version 9.x: The value of SkipFloppyBRonAccess is 0. Version 10.x: The value of SkipShutDownFloppyCheck is 0x0.

The Symantec Antivirus email parameter for Boot sectors is incorrect.
Medium - V-6375 - SV-6448r5_rule
  • Severity: Medium
  • Version: DTAS020
  • Vuln IDs: V-6375
  • Rule IDs: SV-6448r5_rule
This parameter controls if email is scanned.
System Administrator
Checks: C-1243r4_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\INTEL\LANDesk\VirusProtect6\CurrentVersion\Storages\EmailName\RealTimeScan

Criteria: If the value of OnOff is 1, this is not a finding.

Note: This check is for email clients. Substitute your email application name (InternetMail, LotusNotes, or MicrosoftExchangeClient) into the registry string indicated by EmailName. If email client is not installed, this check is NA.

Fix: F-5901r3_fix

Change the registry key HKLM\Software\INTEL\LANDesk\VirusProtect6\CurrentVersion\Storages\EmailName\RealTimeScan so that the value of OnOff is 1.

Note: This check is for email clients. Substitute your email application name (InternetMail, LotusNotes, or MicrosoftExchangeClient) into the registry string indicated by EmailName.

The Symantec Antivirus email client parameter for all files is incorrect.
Medium - V-6376 - SV-6449r5_rule
  • Severity: Medium
  • Version: DTAS021
  • Vuln IDs: V-6376
  • Rule IDs: SV-6449r5_rule
This controls if all files are checked for viruses.
System Administrator
Checks: C-1248r4_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\INTEL\LANDesk\VirusProtect6\CurrentVersion\Storages\EmailName\RealTimeScan

Criteria: If the value of FileType is 0, this is not a finding.

Note: This check is for email clients. Substitute your email application name (InternetMail, LotusNotes, or MicrosoftExchangeClient) into the registry string indicated by EmailName. If email client is not installed, this check is NA.

Fix: F-5902r3_fix

Change the registry key HKLM\Software\INTEL\LANDesk\VirusProtect6\CurrentVersion\Storages\EmailName\RealTimeScan so that the value of FileType is 0.

Note: This check is for email clients. Substitute your email application name (InternetMail, LotusNotes, or MicrosoftExchangeClient) into the registry string indicated by EmailName.

The Symantec Antivirus email client parameter for compressed files is incorrect.
Medium - V-6383 - SV-6456r5_rule
  • Severity: Medium
  • Version: DTAS029
  • Vuln IDs: V-6383
  • Rule IDs: SV-6456r5_rule
This controls what happens when the program encounters compressed files.
System Administrator
Checks: C-1922r4_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\INTEL\LANDesk\VirusProtect6\CurrentVersion\Storages\EmailName\RealTimeScan

Criteria: If the value of ZipFile is 1, this is not a finding.

Note: This check is for email clients. Substitute your email application name (InternetMail, LotusNotes, or MicrosoftExchangeClient) into the registry string indicated by EmailName. If email client is not installed, this check is NA.

Fix: F-5932r3_fix

Change the registry key HKLM\Software\INTEL\LANDesk\VirusProtect6\CurrentVersion\Storages\EmailName\RealTimeScan so that the value of ZipFile is 1.

The Symantec AntiVirus CE History Options parameters are not configured as required.
Medium - V-6384 - SV-6457r5_rule
  • Severity: Medium
  • Version: DTAS030
  • Vuln IDs: V-6384
  • Rule IDs: SV-6457r5_rule
This parameter determines the log history of the antivirus program.
System Administrator
Checks: C-1924r4_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\INTEL\LANDesk\VirusProtect6\CurrentVersion and determine the value data for the LogFileRollOverDays and LogFrequency values.

Criteria: If the value data for the LogFileRollOverDays value is not 1e (the hex value for 30) or higher, this is a Finding. If the value data for the LogFrequency value is not 0 (the number zero), this is a Finding.

Note: The LogFileRollOverDays and LogFrequency values are not created through a default product installation. The absence of these values is considered a Finding, because it allows the vendor default to be used and that value could be changed through vendor maintenance.

Fix: F-5934r3_fix

Change the registry key HKLM\Software\INTEL\LANDesk\VirusProtect6\CurrentVersion so that the value of LogFileRollOverDays is greater than or equal to 1e (the hex value for 30) and so that LogFrequency is 0. If these values are absent, add them.

The Symantec Antivirus is not scheduled to autoupdate.
Medium - V-6385 - SV-6458r7_rule
  • Severity: Medium
  • Version: DTAS031
  • Vuln IDs: V-6385
  • Rule IDs: SV-6458r7_rule
This parameter controls the automation of updates to the signature files.
System Administrator
Checks: C-1928r3_chk

Procedure: Use the File pull-down menu – Schedule Updates dialog to see the frequency of the autoupdates.

Criteria: If it is scheduled to run autoupdates on at least a weekly schedule, this is not a finding.

** For clients managed by a Symantec Enterprise Server, Symantec System Center Console, this is a two-part check.

From the Symantec Enterprise Server - Symantec System Center Console - System Center Console on the Enterprise Server: System Hierarchy -> select (right click) Primary Server -> All Tasks -> Symantec Antivirus -> Virus Definition Manager -> Configure -> "Schedule for automatic updates" is checked -> Select Schedule: Ensure the update is scheduled on at least a weekly basis.

SECOND, the client configuration must be checked. From the System Center Console on the Enterprise Server select System Hierarchy -> select [applicable "Server Group"] -> select [applicable "Client Group"] (right click) -> All Tasks -> Symantec Antivirus -> Virus Definition Manager -> If "Update virus definitions from parent server" is checked, the Schedule is not necessary. If "Schedule for automated updates using LiveUpdate" is checked -> select Schedule: Ensure the update is scheduled on at least a weekly basis.

Criteria: If the Schedule for Automatic Updates is defined for at least a weekly update, this is not a finding.

Fix: F-5935r3_fix

Open the Symantec Antivirus program. Use the File - Schedule Updates dialog to set the autoupdates to run on at least a weekly schedule.

** For clients managed by a Symantec Enterprise Server, Symantec System Center Console, this is a two-part check. The primary server must be checked to ensure that it is being updated as required.

From the Symantec Enterprise Server - Symantec System Center Console - System Center Console on the Enterprise Server: System Hierarchy -> select (right click) Primary Server -> All Tasks -> Symantec Antivirus -> Virus Definition Manager -> Configure -> select "Schedule for automatic updates" -> select Schedule: select the update to be scheduled on at least a weekly basis.

SECOND, the client configuration must be checked. From the System Center Console on the Enterprise Server select System Hierarchy -> select [applicable "Server Group"] -> select [applicable "Client Group"] (right click) -> All Tasks -> Symantec Antivirus -> Virus Definition Manager -> If "Update virus definitions from parent server" is checked, checking the Schedule is not necessary. If "Schedule for automated updates using LiveUpdate" is checked -> select Schedule: ensure the update is scheduled on at least a weekly basis.

There is no Symantec Antivirus Scheduled Scans or Startup Scans task configured to scan local drive(s) at least weekly.
Medium - V-6386 - SV-6459r5_rule
  • Severity: Medium
  • Version: DTAS032
  • Vuln IDs: V-6386
  • Rule IDs: SV-6459r5_rule
This controls the automatic scan of all local drives.
System Administrator
Checks: C-1932r3_chk

Procedure: Navigate to the following key: HKCU\Software\Intel\Landesk\VirusProtect6\CurrentVersion\Custom Tasks. Review the TaskPadScheduled and TaskPadStartup keys to determine if a task has been defined in subkey Scan Local HDD. The Scan Local HDD subkey defines a hexadecimal task ID that is the Registry subkey that holds the task settings. Make note of the task ID for the following checks. If there is no Scan Local HDD subkey, it is necessary to review all the defined subkeys in TaskPadScheduled and TaskPadStartup to determine if one identifies a hexadecimal task ID defining a task that conforms to the required settings.

Criteria: If a task to scan the local hard drives is not configured to run or if an alternate procedure does not specify the required settings, this is a Finding.

** For clients managed by a Symantec Enterprise Server, Symantec System Center Console: A determination of the existence of a weekly scan must be made. On the client machine navigate to the following key: HKLM\Software\Intel\Landesk\VirusProtect6\CurrentVersion\LocalScans. Review the ClientServerScheduledScan_1\Schedule key. This key contains a value for Type that determines the frequency of the scan. If the value for this key is a 1 or a 2 this is a daily or weekly scan.

Note: In the key ClientServerScheduledScan_1 the 1 indicates the entry number for the scan. It may be necessary to review all ClientServerScheduledScan_X keys in the LocalScans branch to evaluate this check, as each ClientServerScheduledScan_X may have a different frequency. Make note of the ClientServerScheduledScan_X weekly scan key as this will be the key used in following weekly scan checks.

Criteria: If the value of Type is 1 or 2 and the value of Enabled is 1, this is not a finding.

Fix: F-6768r2_fix

Create a weekly or startup task to scan for viruses.

** For clients managed by a Symantec Enterprise Server, Symantec System Center Console: A determination of the existence of a weekly scan must be made. From the System Center Console select System Hierarchy -> select [applicable "Server Group"] -> select [applicable "Client Group"] (right click) -> All Tasks -> Symantec Antivirus -> Scheduled Scans -> In the Client Scans area, if there are no scans (at least weekly) defined, one must be created. Select New -> in the Name: “provide scan name” -> select Enable scan -> select Frequency of at least weekly.

The Symantec Antivirus weekly scan parameter for all files is incorrect.
Medium - V-6387 - SV-6460r7_rule
  • Severity: Medium
  • Version: DTAS037
  • Vuln IDs: V-6387
  • Rule IDs: SV-6460r7_rule
This parameter ensures all files are scanned during the weekly scan.
System Administrator
Checks: C-1933r4_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Intel\Landesk\VirusProtect6\CurrentVersion\Custom Tasks\{TaskID}

Criteria: If the value of FileType is 0, this is not a finding.

Criteria: If the option “All Types” is selected, this is not a finding.

** For clients managed by a Symantec Enterprise Server: Navigate to the following key: HKLM\Software\Intel\Landesk\VirusProtect6\CurrentVersion\LocalScans. Review the ClientServerScheduledScan_1 key.

Note: In the key ClientServerScheduledScan_1 the 1 indicates the entry number for the scan. It may be necessary to review all ClientServerScheduledScan_X keys in the LocalScans branch to evaluate this check.

Criteria: If the value of FileType is 1, this is not a finding.

Fix: F-5937r3_fix

Change the registry key HKCU\Software\Intel\Landesk\VirusProtect6\CurrentVersion\Custom Tasks\{TaskID} so that the value of FileType is 0.

** For clients managed by a Symantec Enterprise Server, Symantec System Center Console: A determination of the existence of a weekly scan must be made. One option is to obtain this information from the System Administrator; another option is to review each Scheduled Scan from the console on the Enterprise Server. From the Enterprise Console select System Hierarchy -> select [applicable "Server Group"] -> select [applicable "Client Group"] (right click) -> All Tasks -> Symantec Antivirus -> Scheduled Scans -> Highlight the client server “weekly scan” -> select Edit -> select Scan Settings -> select “All Types”.

The Symantec Antivirus weekly scan parameter for memory enabled is incorrect.
Medium - V-6388 - SV-6461r7_rule
  • Severity: Medium
  • Version: DTAS040
  • Vuln IDs: V-6388
  • Rule IDs: SV-6461r7_rule
This parameter ensures memory is scanned during the weekly scan.
System Administrator
Checks: C-1935r5_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Intel\Landesk\VirusProtect6\CurrentVersion\Custom Tasks\{TaskID}

Criteria: For Version 9.x, if the value of ScanMemory is 1, this is not a finding. For Version 10.x, if the value of ScanProcesses is 1, this is not a finding.

** For clients managed by a Symantec Enterprise Server: Navigate to the following key: HKLM\Software\Intel\Landesk\VirusProtect6\CurrentVersion\LocalScans\ClientServerScheduledScan_1

Note: In the key ClientServerScheduledScan_1 the 1 indicates the entry number for the scan. It may be necessary to review all ClientServerScheduledScan_X keys in the LocalScans branch to evaluate this check.

Fix: F-5939r4_fix

For Version 9: Change the registry key HKCU\Software\Intel\Landesk\VirusProtect6\CurrentVersion\Custom Tasks\{TaskID} so that the value of ScanMemory is 1.

For Version 10: Change the registry key HKCU\Software\Intel\Landesk\VirusProtect6\CurrentVersion\Custom Tasks\{TaskID} so that the value of ScanProcesses is 1.

** For clients managed by a Symantec Enterprise Server, Symantec System Center Console: From the console on the Enterprise Server select System Hierarchy -> select [applicable "Server Group"] -> select [applicable "Client Group"] (right click) -> All Tasks -> Symantec Antivirus -> Scheduled Scans -> Highlight the client server weekly scan -> select Edit -> select Scan Settings -> select “Memory”.

The Symantec Antivirus weekly scan parameter for messages is incorrect.
Medium - V-6389 - SV-6462r5_rule
  • Severity: Medium
  • Version: DTAS041
  • Vuln IDs: V-6389
  • Rule IDs: SV-6462r5_rule
This parameter ensures that appropriate messages are displayed if a virus is found.
System Administrator
Checks: C-1938r2_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Intel\Landesk\VirusProtect6\CurrentVersion\Custom Tasks\{TaskID}

Criteria: If the value of MessageBox is 1, this is not a finding.

** For clients managed by a Symantec Enterprise Server: Navigate to the following key: HKLM\Software\Intel\Landesk\VirusProtect6\CurrentVersion\LocalScans\ClientServerScheduledScan_1

Note: In the key ClientServerScheduledScan_1 the 1 indicates the entry number for the scan. It may be necessary to review all ClientServerScheduledScan_X keys in the LocalScans branch to evaluate this check.

Criteria: If the value of MessageBox is 1, this is not a finding.

Criteria: If “Display notification message on infected computer” is selected, this is not a finding.

Fix: F-5940r2_fix

Change the registry key HKCU\Software\Intel\Landesk\VirusProtect6\CurrentVersion\Custom Tasks\{TaskID} so that the value of MessageBox is 1.

** For clients managed by a Symantec Enterprise Server, Symantec System Center Console: From the console on the Enterprise Server select System Hierarchy -> select [applicable "Server Group"] -> select [applicable "Client Group"] (right click) -> All Tasks -> Symantec Antivirus -> Scheduled Scans -> Highlight the client server weekly scan -> select Edit -> select Scan Settings -> select Notifications -> select “Display notification message on infected computer”.

The Symantec Antivirus weekly scan parameter for exclude files is incorrect.
Medium - V-6390 - SV-6463r5_rule
  • Severity: Medium
  • Version: DTAS042
  • Vuln IDs: V-6390
  • Rule IDs: SV-6463r5_rule
This parameter controls which files are excluded from the weekly scan.
System Administrator
Checks: C-1941r2_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Intel\Landesk\VirusProtect6\CurrentVersion\Custom Tasks\{TaskID}

Criteria: If the value of ExcludedByExtensions is 0, this is not a finding.

Criteria: If “Exclude files and folders” is not selected, this is not a finding.

** For clients managed by a Symantec Enterprise Server: Navigate to the following key: HKLM\Software\Intel\Landesk\VirusProtect6\CurrentVersion\LocalScans\ClientServerScheduledScan_1

Note: In the key ClientServerScheduledScan_1 the 1 indicates the entry number for the scan. It may be necessary to review all ClientServerScheduledScan_X keys in the LocalScans branch to evaluate this check.

Criteria: If the values of ExcludeByExtensions, HaveExceptionDirs, and HaveExceptionFiles are 0, this is not a finding.

Fix: F-5941r2_fix

Change the registry key HKCU\Software\Intel\Landesk\VirusProtect6\CurrentVersion\Custom Tasks\{TaskID} so that the value of ExcludedByExtensions is 0.

** For clients managed by a Symantec Enterprise Server, Symantec System Center Console: From the console on the Enterprise Server select System Hierarchy -> select [applicable "Server Group"] -> select [applicable "Client Group"] (right click) -> All Tasks -> Symantec Antivirus -> Scheduled Scans -> Highlight the client server weekly scan -> select Edit -> select Scan Settings -> check that “Exclude files and folders” is unchecked.

Note: If “Exclude files and folders” is checked, select the Exclusions tab File/Folders button and validate that no local drives are being excluded from the scan.

The Symantec Antivirus weekly scan parameter for compressed files is incorrect.
Medium - V-6395 - SV-6468r5_rule
  • Severity: Medium
  • Version: DTAS047
  • Vuln IDs: V-6395
  • Rule IDs: SV-6468r5_rule
This parameter ensures that compressed files are scanned for viruses during the weekly scan.
System Administrator
Checks: C-1954r2_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Intel\Landesk\VirusProtect6\CurrentVersion\Custom Tasks\{TaskID}

Criteria: If the value of ZipFile is 1, this is not a finding.

** For clients managed by a Symantec Enterprise Server: Navigate to the following key: HKLM\Software\Intel\Landesk\VirusProtect6\CurrentVersion\LocalScans\ClientServerScheduledScan_1

Note: In the key ClientServerScheduledScan_1 the 1 indicates the entry number for the scan. It may be necessary to review all ClientServerScheduledScan_X keys in the LocalScans branch to evaluate this check.

Criteria: If the value of ZipFiles is 1, this is not a finding.

Fix: F-5947r2_fix

Change the registry key HKCU\Software\Intel\Landesk\VirusProtect6\CurrentVersion\CustomTasks\{TaskID} so that the value of ZipFile is 1.

** For clients managed by a Symantec Enterprise Server, Symantec System Center Console: From the console on the Enterprise Server select System Hierarchy -> select [applicable "Server Group"] -> select [applicable "Client Group"] (right click) -> All Tasks -> Symantec Antivirus -> Scheduled Scans -> Highlight the client server weekly scan -> select Edit -> select Scan Settings -> Advanced -> select “Scan files inside compressed files”.

The Symantec Antivirus weekly scan parameter for backup files is incorrect.
Medium - V-6396 - SV-6469r5_rule
  • Severity: Medium
  • Version: DTAS048
  • Vuln IDs: V-6396
  • Rule IDs: SV-6469r5_rule
This parameter controls the action of backing up files to a quarantine area during the weekly scan.
System Administrator
Checks: C-1956r2_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Intel\Landesk\VirusProtect6\CurrentVersion\Custom Tasks\{TaskID}

Criteria: If the value of BackupToQuarantine is 1, this is not a finding.

** For clients managed by a Symantec Enterprise Server: Navigate to the following key: HKLM\Software\Intel\Landesk\VirusProtect6\CurrentVersion\LocalScans\ClientServerScheduledScan_1

Note: In the key ClientServerScheduledScan_1 the 1 indicates the entry number for the scan. It may be necessary to review all ClientServerScheduledScan_X keys in the LocalScans branch to evaluate this check.

Criteria: if the value of BackupToQuarantine is 1.

Fix: F-5948r2_fix

Change the registry key HKCU\Software\Intel\Landesk\VirusProtect6\CurrentVersion\Custom Tasks\{TaskID} so that the value of BackupToQuarantine is 1.

** For clients managed by a Symantec Enterprise Server, Symantec System Center Console: From the console on the Enterprise Server select System Hierarchy -> select [applicable "Server Group"] -> select [applicable "Client Group"] (right click) -> All Tasks -> Symantec Antivirus -> Scheduled Scans -> Highlight the client server weekly scan -> select Edit -> select Scan Settings -> Advanced -> Remote Options area, Backup options, select “Backup file before attempting repair.”

The Symantec Antivirus weekly scan parameter for scan lock is incorrect.
Medium - V-6397 - SV-6470r6_rule
  • Severity: Medium
  • Version: DTAS050
  • Vuln IDs: V-6397
  • Rule IDs: SV-6470r6_rule
This parameter ensures that users cannot stop the weekly scan.
System Administrator
Checks: C-1958r3_chk

Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Intel\Landesk\VirusProtect6\CurrentVersion\CustomTasks\{TaskID}

Criteria: If the value ScanLocked is 1, this is not a finding.

** For clients managed by a Symantec Enterprise Server: Navigate to the following key: HKLM\Software\Intel\Landesk\VirusProtect6\CurrentVersion\LocalScans\ClientServerScheduledScan_1

Note: In the key ClientServerScheduledScan_1 the 1 indicates the entry number for the scan. It may be necessary to review all ClientServerScheduledScan_X keys in the LocalScans branch to evaluate this check.

Criteria: If the value of ScanLocked is 1, this is not a finding.

Fix: F-5949r2_fix

Change the registry key HKCU\Software\Intel\Landesk\VirusProtect6\CurrentVersion\Custom Tasks\{TaskID} so that the value of ScanLocked is 1.

** For clients managed by a Symantec Enterprise Server, Symantec System Center Console: From the console on the Enterprise Server select System Hierarchy -> select [applicable "Server Group"] -> select [applicable "Client Group"] (right click) -> All Tasks -> Symantec Antivirus -> Scheduled Scans -> Highlight the client server weekly scan -> select Edit -> select Scan Settings -> Advanced -> Remote Options area select “Allow user to stop scan” must be unchecked.
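
For managed clients, the weekly-scan checks from V-6386 through V-6397 repeat the instruction to review every ClientServerScheduledScan_X key under LocalScans. The PowerShell below is an added example, not part of the STIG or of any Symantec tooling, that walks those keys and compares each one with the managed-client criteria stated above; the function name `Get-SavScheduledScanAudit` is an assumption, and so is reading Enabled from the Schedule subkey with a fallback to the scan key, since the check does not say which key holds it. V-6388 is left out because its managed-client check states no criterion.

```powershell
# Added example, not STIG or vendor code. Key and value names are the ones
# given in the managed-client checks above; everything else is illustrative.
function Get-SavScheduledScanAudit {
    [CmdletBinding()]
    param(
        [string]$Root = 'HKLM:\Software\Intel\Landesk\VirusProtect6\CurrentVersion\LocalScans'
    )

    if (-not (Test-Path -LiteralPath $Root)) { throw "Registry key not found: $Root" }

    # Managed-client criteria, spelled exactly as the checks spell them.
    $expected = [ordered]@{
        FileType            = 1   # V-6387
        MessageBox          = 1   # V-6389
        ExcludeByExtensions = 0   # V-6390
        HaveExceptionDirs   = 0   # V-6390
        HaveExceptionFiles  = 0   # V-6390
        ZipFiles            = 1   # V-6395
        BackupToQuarantine  = 1   # V-6396
        ScanLocked          = 1   # V-6397
    }

    Get-ChildItem -LiteralPath $Root |
        Where-Object { $_.PSChildName -like 'ClientServerScheduledScan_*' } |
        ForEach-Object {
            $scan  = $_
            $sched = $scan.OpenSubKey('Schedule')   # $null when the subkey is absent

            $type    = if ($sched) { $sched.GetValue('Type') }    else { $null }
            $enabled = if ($sched) { $sched.GetValue('Enabled') } else { $null }
            # Assumption: fall back to the scan key if Schedule has no Enabled value.
            if ($null -eq $enabled) { $enabled = $scan.GetValue('Enabled') }
            if ($sched) { $sched.Close() }

            # V-6386: Type 1 or 2 (daily or weekly) and Enabled 1.
            $dailyOrWeekly = ($type -in 1, 2) -and ($enabled -eq 1)

            # List every value that is absent or differs from the criteria.
            $deviations = foreach ($name in $expected.Keys) {
                $actual = $scan.GetValue($name)
                if ($null -eq $actual) {
                    '{0} is absent (expected {1})' -f $name, $expected[$name]
                } elseif ($actual -ne $expected[$name]) {
                    '{0} = {1} (expected {2})' -f $name, $actual, $expected[$name]
                }
            }

            [pscustomobject]@{
                Scan                = $scan.PSChildName
                Type                = $type
                Enabled             = $enabled
                EnabledDailyOrWeekly = $dailyOrWeekly
                Deviations          = @($deviations)
            }
        }
}

# Example use: V-6386 needs at least one enabled daily or weekly scan, and the
# later checks apply to that scan's own values.
# $scans = @(Get-SavScheduledScanAudit)
# $scans | Where-Object EnabledDailyOrWeekly | Format-List Scan, Type, Deviations
```

If no returned object has `EnabledDailyOrWeekly` set, the V-6386 criterion is not met for the managed-client case.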

The Symantec Antivirus autoprotect parameter for Block Security Risks is incorrect.
Medium - V-14477 - SV-15095r2_rule
  • Severity: Medium
  • Version: DTAS060
  • Vuln IDs: V-14477
  • Rule IDs: SV-15095r2_rule
This checks and blocks various types of spyware. Without the correct setting the program will not block the various types of spyware.
System Administrator
Checks: C-12398r2_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\INTEL\LANDesk\VirusProtect6\CurrentVersion\Storages\Filesystem\RealTimeScan

Criteria: If the value of APBlockingSecurityRisks is 1, this is not a finding. This check applies to version 10.x only.

Fix: F-13920r2_fix

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\INTEL\LANDesk\VirusProtect6\CurrentVersion\Storages\Filesystem\RealTimeScan

Criteria: Set the value of APBlockingSecurityRisks to 1. This check applies to version 10.x only.

b
The Symantec Antivirus autoprotect parameter for scan for security risks is incorrect.
Medium - V-14481 - SV-15099r2_rule
RMF Control
Severity
Medium
CCI
Version
DTAS061
Vuln IDs
  • V-14481
Rule IDs
  • SV-15099r2_rule
The AntiVirus has a security risk policy that can be modified/customized for each site. Without Auto-Protect running, these risk policies cannot be scanned and the risk detected. System Administrator
Checks: C-12405r2_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\ INTEL\LANDesk\VirusProtect6\CurrentVersion\ Storages\Filesystem\RealTimeScan Criteria: If the value of RespondToThreats is 3, this is not a finding. This check applies to version 10.x only.

Fix: F-13927r2_fix

Use the Windows Registry Editor to navigate to the following key: HKLM\Software\ INTEL\LANDesk\VirusProtect6\CurrentVersion\ Storages\Filesystem\RealTimeScan Criteria: Set the value of RespondToThreats to 3. This check applies to version 10.x only.

b
The Symantec Antivirus autoprotect parameter for Delete Infected Files on Creation is incorrect.
Medium - V-14482 - SV-15100r2_rule
RMF Control
Severity
Medium
CCI
Version
DTAS062
Vuln IDs
  • V-14482
Rule IDs
  • SV-15100r2_rule
The Symantec Antivirus autoprotect parameter for Delete Infected Files on Creation is incorrect. System Administrator
Checks: C-12406r2_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\ INTEL\LANDesk\VirusProtect6\CurrentVersion\ Storages\Filesystem\RealTimeScan Criteria: If the value of DeleteInfectedOnCreate is 1, this is not a finding. This check applies to version 10.x only.

Fix: F-13928r2_fix

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\ INTEL\LANDesk\VirusProtect6\CurrentVersion\Storages\Filesystem\RealTimeScan Criteria: Set the value of DeleteInfectedOnCreate to 1. This check applies to version 10.x only.

b
The Symantec Antivirus autoprotect parameter for Threat tracer is incorrect.
Medium - V-14591 - SV-15209r2_rule
RMF Control
Severity
Medium
CCI
Version
DTAS063
Vuln IDs
  • V-14591
Rule IDs
  • SV-15209r2_rule
Threat Tracer provides insight into the threat source. System Administrator
Checks: C-12540r2_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\ INTEL\LANDesk\VirusProtect6\CurrentVersion\ Storages\Filesystem\RealTimeScan Criteria: If the value of ThreatTracerOnOff is 1, this is not a finding. This check applies to version 10.x only.

Fix: F-14048r2_fix

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\ INTEL\LANDesk\VirusProtect6\CurrentVersion\ Storages\Filesystem\RealTimeScan Criteria: Set the value of ThreatTracerOnOff to 1. This check applies to version 10.x only.

b
The Symantec Antivirus autoprotect parameter for Bloodhound technology is incorrect.
Medium - V-14592 - SV-15210r2_rule
RMF Control
Severity
Medium
CCI
Version
DTAS064
Vuln IDs
  • V-14592
Rule IDs
  • SV-15210r2_rule
Bloodhound Virus detection scanning of outgoing email messages helps to prevent the spread of threats such as worms that can use email clients to replicate and distribute themselves across a network. System Administrator
Checks: C-12541r2_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\ INTEL\LANDesk\VirusProtect6\CurrentVersion\ Storages\Filesystem\RealTimeScan Criteria: If the value of Heuristics is 1, this is not a finding. This check applies to version 10.x only.

Fix: F-14049r2_fix

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\ INTEL\LANDesk\VirusProtect6\CurrentVersion\ Storages\Filesystem\RealTimeScan Criteria: Set the value of Heuristics to 1. This check applies to version 10.x only.

b
The Symantec Antivirus autoprotect parameter for Heuristics Level is incorrect.
Medium - V-14593 - SV-15211r2_rule
RMF Control
Severity
Medium
CCI
Version
DTAS065
Vuln IDs
  • V-14593
Rule IDs
  • SV-15211r2_rule
Heuristics analyzes a program's structure, its behavior, and other attributes for virus-like characteristics. In many cases it can protect against threats such as mass-mailing worms and macro viruses, if you encounter them before updating your virus definitions. Advanced heuristics looks for script-based threats in HTML, VBScript, and JavaScript files. System Administrator
Checks: C-12542r2_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\ INTEL\LANDesk\VirusProtect6\CurrentVersion\ Storages\Filesystem\RealTimeScan Criteria: If the value of HeuristicsLevel is 2 or 3, this is not a finding. This check applies to version 10.x only.

Fix: F-14050r2_fix

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\ INTEL\LANDesk\VirusProtect6\CurrentVersion\ Storages\Filesystem\RealTimeScan Criteria: Set the value of HeuristicsLevel to 2 or 3. This check applies to version 10.x only.

b
The Symantec Antivirus autoprotect parameter for macro virus first action is incorrect.
Medium - V-14594 - SV-15212r5_rule
RMF Control
Severity
Medium
CCI
Version
DTAS066
Vuln IDs
  • V-14594
Rule IDs
  • SV-15212r5_rule
This setting is required for the Auto-Protect Macro virus First action policy. When a Macro virus is detected, the first action to be performed must be the option to delete risk, clean risk, or quarantine the risk. System Administrator
Checks: C-12543r2_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\ INTEL\LANDesk\VirusProtect6\CurrentVersion\ Storages\Filesystem\RealTimeScan Criteria: If the value of FirstMacroAction is 1, 3 or 5, this is not a finding.

Fix: F-14051r2_fix

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\ INTEL\LANDesk\VirusProtect6\CurrentVersion\ Storages\Filesystem\RealTimeScan Criteria: Set the value of FirstMacroAction to 1, 3 or 5.

b
The Symantec Antivirus autoprotect parameter for macro virus second action is incorrect.
Medium - V-14595 - SV-15213r3_rule
RMF Control
Severity
Medium
CCI
Version
DTAS067
Vuln IDs
  • V-14595
Rule IDs
  • SV-15213r3_rule
A program or code segment written in the internal macro language of an application. Some macros replicate, while others infect documents. After the first iteration, the file Book1 is inserted in the Excel Start directory to make sure that any newly opened files become infected. The virus then starts a second iteration through all workbooks and macros. During this second iteration any uninfected files are infected. System Administrator
Checks: C-12544r3_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\ INTEL\LANDesk\VirusProtect6\CurrentVersion\ Storages\Filesystem\RealTimeScan Criteria: If the value of SecondMacroAction is 1,3 or 5, this is not a finding.

Fix: F-14052r2_fix

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\ INTEL\LANDesk\VirusProtect6\CurrentVersion\ Storages\Filesystem\RealTimeScan Criteria: Set the value of SecondMacroAction to 1,3 or 5.

b
The Symantec Antivirus autoprotect parameter for non-macro first action virus is incorrect.
Medium - V-14596 - SV-15214r3_rule
RMF Control
Severity
Medium
CCI
Version
DTAS068
Vuln IDs
  • V-14596
Rule IDs
  • SV-15214r3_rule
A program or code segment written in the internal macro language of an application. Some macros replicate, while others infect documents. After the first iteration, the file Book1 is inserted in the Excel Start directory to make sure that any newly opened files become infected. The virus then starts a second iteration through all workbooks and macros. During this second iteration any uninfected files are infected. System Administrator
Checks: C-12545r2_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\ INTEL\LANDesk\VirusProtect6\CurrentVersion\ Storages\Filesystem\RealTimeScan Criteria: If the value of FirstAction is 1,3, or 5, this is not a finding.

Fix: F-19870r1_fix

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\ INTEL\LANDesk\VirusProtect6\CurrentVersion\ Storages\Filesystem\RealTimeScan Criteria: Set the value of FirstAction to 1,3, or 5.

b
The Symantec Antivirus autoprotect parameter for check non-macro second action is incorrect.
Medium - V-14597 - SV-15215r3_rule
RMF Control
Severity
Medium
CCI
Version
DTAS069
Vuln IDs
  • V-14597
Rule IDs
  • SV-15215r3_rule
A program or code segment written in the internal macro language of an application. Some macros replicate, while others infect documents. After the first iteration, the file Book1 is inserted in the Excel Start directory to make sure that any newly opened files become infected. The virus then starts a second iteration through all workbooks and macros. During this second iteration any uninfected files are infected. System Administrator
Checks: C-12546r2_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\ INTEL\LANDesk\VirusProtect6\CurrentVersion\ Storages\Filesystem\RealTimeScan Criteria: If the value of SecondAction is 1,3, or 5, this is not a finding.

Fix: F-14054r2_fix

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\ INTEL\LANDesk\VirusProtect6\CurrentVersion\ Storages\Filesystem\RealTimeScan Criteria: Set the value of SecondAction to 1,3, or 5.

b
The Symantec Antivirus autoprotect parameter for Security Risks first action is incorrect.
Medium - V-14598 - SV-15216r3_rule
RMF Control
Severity
Medium
CCI
Version
DTAS070
Vuln IDs
  • V-14598
Rule IDs
  • SV-15216r3_rule
This setting is required for the Auto-Protect Security Risks First action policy. When a Security Risk is detected, the first action to be performed must be the option to delete risk, clean risk, or quarantine the risk. System Administrator
Checks: C-12547r3_chk

Procedure: This is a multiple step process to ensure compliance. Non-compliance points are identified throughout the procedures. Use the Windows Registry Editor to navigate to the following key: HKLM\Software\ INTEL\LANDesk\VirusProtect6\CurrentVersion\ Storages\Filesystem\RealTimeScan\Expanded Criteria: If the value of FirstAction is not 1 or 3, this is a finding. If the value FirstAction is 1 or 3, then check each of the following steps. Each of the 8 parts (A-H) must be in compliance for the vulnerability to be considered not a finding. A - If the value of OverrideDefaultActions within HKLM\Software\ INTEL\LANDesk\VirusProtect6 \CurrentVersion\Storages\Filesystem\RealTimeScan\Expanded\TCID-10 If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the FirstAction value within HKLM\Software\ INTEL\LANDesk\VirusProtect6 \CurrentVersion\Storages\Filesystem\RealTimeScan\Expanded\TCID-10 If the value is 1 or 3, this is compliant, otherwise this is a finding. B - If the value of OverrideDefaultActions within HKLM\Software\ INTEL\LANDesk\VirusProtect6 \CurrentVersion\Storages\Filesystem\RealTimeScan\Expanded\TCID-11 If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the FirstAction within HKLM\Software\ INTEL\LANDesk\VirusProtect6 \CurrentVersion\Storages\Filesystem\RealTimeScan\Expanded\TCID-11 If the value is 1 or 3, this is compliant, otherwise this is a finding. C - If the value of OverrideDefaultActions within HKLM\Software\ INTEL\LANDesk\VirusProtect6 \CurrentVersion\Storages\Filesystem\RealTimeScan\Expanded\TCID-4 If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the FirstAction within HKLM\Software\ INTEL\LANDesk\VirusProtect6 \CurrentVersion\Storages\Filesystem\RealTimeScan\Expanded\TCID-4 If the value is 1 or 3, this is compliant, otherwise this is a finding. 
D - If the value of OverrideDefaultActions within HKLM\Software\ INTEL\LANDesk\VirusProtect6 \CurrentVersion\Storages\Filesystem\RealTimeScan\Expanded\TCID-5 If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the FirstAction within HKLM\Software\ INTEL\LANDesk\VirusProtect6 \CurrentVersion\Storages\Filesystem\RealTimeScan\Expanded\TCID-5 If the value is 1 or 3, this is compliant, otherwise this is a finding. E - If the value of OverrideDefaultActions within HKLM\Software\ INTEL\LANDesk\VirusProtect6 \CurrentVersion\Storages\Filesystem\RealTimeScan\Expanded\TCID-6 If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the FirstAction within HKLM\Software\ INTEL\LANDesk\VirusProtect6 \CurrentVersion\Storages\Filesystem\RealTimeScan\Expanded\TCID-6 If the value is 1 or 3, this is compliant, otherwise this is a finding. F - If the value of OverrideDefaultActions within HKLM\Software\ INTEL\LANDesk\VirusProtect6 \CurrentVersion\Storages\Filesystem\RealTimeScan\Expanded\TCID-7 If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the FirstAction within HKLM\Software\ INTEL\LANDesk\VirusProtect6 \CurrentVersion\Storages\Filesystem\RealTimeScan\Expanded\TCID-7 If the value is 1 or 3, this is compliant, otherwise this is a finding. G - If the value of OverrideDefaultActions within HKLM\Software\ INTEL\LANDesk\VirusProtect6 \CurrentVersion\Storages\Filesystem\RealTimeScan\Expanded\TCID-8 If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the FirstAction within HKLM\Software\ INTEL\LANDesk\VirusProtect6 \CurrentVersion\Storages\Filesystem\RealTimeScan\Expanded\TCID-8 If the value is 1 or 3, this is compliant, otherwise this is a finding. 
H - If the value of OverrideDefaultActions within HKLM\Software\ INTEL\LANDesk\VirusProtect6 \CurrentVersion\Storages\Filesystem\RealTimeScan\Expanded\TCID-9 If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the FirstAction within HKLM\Software\ INTEL\LANDesk\VirusProtect6 \CurrentVersion\Storages\Filesystem\RealTimeScan\Expanded\TCID-9 If the value is 1 or 3, this is compliant, otherwise this is a finding.

Fix: F-14055r2_fix

Procedure: This is a multiple step process to ensure compliance. Non-Compliance points are identified throughout the procedures. Use the Windows Registry Editor to navigate to the following key: HKLM\Software\ INTEL\LANDesk\VirusProtect6\CurrentVersion\ Storages\Filesystem\RealTimeScan\Expanded Criteria: If the value of FirstAction is not 1 or 3, this is a finding. If the value FirstAction is 1 or 3 then check each of the following steps. Each of the 8 parts (A-H) must be in compliance for the vulnerability to be considered not a finding. A - If the value of OverrideDefaultActions within HKLM\Software\ INTEL\LANDesk\VirusProtect6 \CurrentVersion\Storages\Filesystem\RealTimeScan\Expanded\TCID-10 If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the FirstAction within HKLM\Software\ INTEL\LANDesk\VirusProtect6 \CurrentVersion\Storages\Filesystem\RealTimeScan\Expanded\TCID-10 If the value is 1 or 3, this is compliant, otherwise this is a finding. B - If the value of OverrideDefaultActions within HKLM\Software\ INTEL\LANDesk\VirusProtect6 \CurrentVersion\Storages\Filesystem\RealTimeScan\Expanded\TCID-11 If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the FirstAction within HKLM\Software\ INTEL\LANDesk\VirusProtect6 \CurrentVersion\Storages\Filesystem\RealTimeScan\Expanded\TCID-11 If the value is 1 or 3, this is compliant, otherwise this is a finding. C - If the value of OverrideDefaultActions within HKLM\Software\ INTEL\LANDesk\VirusProtect6 \CurrentVersion\Storages\Filesystem\RealTimeScan\Expanded\TCID-4 If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the FirstAction within HKLM\Software\ INTEL\LANDesk\VirusProtect6 \CurrentVersion\Storages\Filesystem\RealTimeScan\Expanded\TCID-4 If the value is 1 or 3, this is compliant, otherwise this is a finding.
D - If the value of OverrideDefaultActions within HKLM\Software\ INTEL\LANDesk\VirusProtect6 \CurrentVersion\Storages\Filesystem\RealTimeScan\Expanded\TCID-5 If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the FirstAction within HKLM\Software\ INTEL\LANDesk\VirusProtect6 \CurrentVersion\Storages\Filesystem\RealTimeScan\Expanded\TCID-5 If the value is 1 or 3, this is compliant, otherwise this is a finding. E - If the value of OverrideDefaultActions within HKLM\Software\ INTEL\LANDesk\VirusProtect6 \CurrentVersion\Storages\Filesystem\RealTimeScan\Expanded\TCID-6 If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the FirstAction within HKLM\Software\ INTEL\LANDesk\VirusProtect6 \CurrentVersion\Storages\Filesystem\RealTimeScan\Expanded\TCID-6 If the value is 1 or 3, this is compliant, otherwise this is a finding. F - If the value of OverrideDefaultActions within HKLM\Software\ INTEL\LANDesk\VirusProtect6 \CurrentVersion\Storages\Filesystem\RealTimeScan\Expanded\TCID-7 If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the FirstAction within HKLM\Software\ INTEL\LANDesk\VirusProtect6 \CurrentVersion\Storages\Filesystem\RealTimeScan\Expanded\TCID-7 If the value is 1 or 3, this is compliant, otherwise this is a finding. G - If the value of OverrideDefaultActions within HKLM\Software\ INTEL\LANDesk\VirusProtect6 \CurrentVersion\Storages\Filesystem\RealTimeScan\Expanded\TCID-8 If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the FirstAction within HKLM\Software\ INTEL\LANDesk\VirusProtect6 \CurrentVersion\Storages\Filesystem\RealTimeScan\Expanded\TCID-8 If the value is 1 or 3, this is compliant, otherwise this is a finding. 
H - If the value of OverrideDefaultActions within HKLM\Software\ INTEL\LANDesk\VirusProtect6 \CurrentVersion\Storages\Filesystem\RealTimeScan\Expanded\TCID-9 If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the FirstAction within HKLM\Software\ INTEL\LANDesk\VirusProtect6 \CurrentVersion\Storages\Filesystem\RealTimeScan\Expanded\TCID-9 If the value is 1 or 3, this is compliant, otherwise this is a finding.

b
The Symantec Antivirus autoprotect parameter for Security Risks Second Action is incorrect.
Medium - V-14600 - SV-15222r3_rule
RMF Control
Severity
Medium
CCI
Version
DTAS071
Vuln IDs
  • V-14600
Rule IDs
  • SV-15222r3_rule
This setting is required for the Auto-Protect Security Risks second ("If first action fails") action policy. When a Security Risk such as Adware or Dialers is detected the second action to be performed must be the option to delete risk, or quarantine the risk. System Administrator
Checks: C-12615r3_chk

Procedure: This is a multiple step process to ensure compliance. Non-compliance points are identified throughout the procedures. Use the Windows Registry Editor to navigate to the following key: HKLM\Software\ INTEL\LANDesk\VirusProtect6\CurrentVersion\ Storages\Filesystem\RealTimeScan\Expanded Criteria: If the value of SecondAction is not 1 or 3, this is a finding. If the value SecondAction is 1 or 3 then check each of the following steps. Each of the 8 parts (A-H) must be in compliance for the vulnerability to be considered not a finding. A - If the value of OverrideDefaultActions within HKLM\Software\ INTEL\LANDesk\VirusProtect6 \CurrentVersion\Storages\Filesystem\RealTimeScan\Expanded\TCID-10 If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the SecondAction within HKLM\Software\ INTEL\LANDesk\VirusProtect6 \CurrentVersion\Storages\Filesystem\RealTimeScan\Expanded\TCID-10 If the value is 1 or 3, this is compliant, otherwise this is a finding. B - If the value of OverrideDefaultActions within HKLM\Software\ INTEL\LANDesk\VirusProtect6 \CurrentVersion\Storages\Filesystem\RealTimeScan\Expanded\TCID-11 If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the SecondAction within HKLM\Software\ INTEL\LANDesk\VirusProtect6 \CurrentVersion\Storages\Filesystem\RealTimeScan\Expanded\TCID-11 If the value is 1 or 3, this is compliant, otherwise this is a finding. C - If the value of OverrideDefaultActions within HKLM\Software\ INTEL\LANDesk\VirusProtect6 \CurrentVersion\Storages\Filesystem\RealTimeScan\Expanded\TCID-4 If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the SecondAction within HKLM\Software\ INTEL\LANDesk\VirusProtect6 \CurrentVersion\Storages\Filesystem\RealTimeScan\Expanded\TCID-4 If the value is 1 or 3, this is compliant, otherwise this is a finding. 
D - If the value of OverrideDefaultActions within HKLM\Software\ INTEL\LANDesk\VirusProtect6 \CurrentVersion\Storages\Filesystem\RealTimeScan\Expanded\TCID-5 If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the SecondAction within HKLM\Software\ INTEL\LANDesk\VirusProtect6 \CurrentVersion\Storages\Filesystem\RealTimeScan\Expanded\TCID-5 If the value is 1 or 3, this is compliant, otherwise this is a finding. E - If the value of OverrideDefaultActions within HKLM\Software\ INTEL\LANDesk\VirusProtect6 \CurrentVersion\Storages\Filesystem\RealTimeScan\Expanded\TCID-6 If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the SecondAction within HKLM\Software\ INTEL\LANDesk\VirusProtect6 \CurrentVersion\Storages\Filesystem\RealTimeScan\Expanded\TCID-6 If the value is 1 or 3, this is compliant, otherwise this is a finding. F - If the value of OverrideDefaultActions within HKLM\Software\ INTEL\LANDesk\VirusProtect6 \CurrentVersion\Storages\Filesystem\RealTimeScan\Expanded\TCID-7 If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the SecondAction within HKLM\Software\ INTEL\LANDesk\VirusProtect6 \CurrentVersion\Storages\Filesystem\RealTimeScan\Expanded\TCID-7 If the value is 1 or 3, this is compliant, otherwise this is a finding. G - If the value of OverrideDefaultActions within HKLM\Software\ INTEL\LANDesk\VirusProtect6 \CurrentVersion\Storages\Filesystem\RealTimeScan\Expanded\TCID-8 If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the SecondAction within HKLM\Software\ INTEL\LANDesk\VirusProtect6 \CurrentVersion\Storages\Filesystem\RealTimeScan\Expanded\TCID-8 If the value is 1 or 3, this is compliant, otherwise this is a finding. 
H - If the value of OverrideDefaultActions within HKLM\Software\ INTEL\LANDesk\VirusProtect6 \CurrentVersion\Storages\Filesystem\RealTimeScan\Expanded\TCID-9 If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the SecondAction within HKLM\Software\ INTEL\LANDesk\VirusProtect6 \CurrentVersion\Storages\Filesystem\RealTimeScan\Expanded\TCID-9 If the value is 1 or 3, this is compliant, otherwise this is a finding.

Fix: F-14061r2_fix

Procedure: This is a multiple step process to ensure compliance. Non-Compliance points are identified throughout the procedures. Use the Windows Registry Editor to navigate to the following key: HKLM\Software\ INTEL\LANDesk\VirusProtect6\CurrentVersion\ Storages\Filesystem\RealTimeScan\Expanded Criteria: If the value of SecondAction is not 1 or 3, this is a finding. If the value SecondAction is 1 or 3 then check each of the following steps. Each of the 8 parts (A-H) must be in compliance for the vulnerability to be considered not a finding. A - If the value of OverrideDefaultActions within HKLM\Software\ INTEL\LANDesk\VirusProtect6 \CurrentVersion\Storages\Filesystem\RealTimeScan\Expanded\TCID-10 If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the SecondAction within HKLM\Software\ INTEL\LANDesk\VirusProtect6 \CurrentVersion\Storages\Filesystem\RealTimeScan\Expanded\TCID-10 If the value is 1 or 3, this is compliant, otherwise this is a finding. B - If the value of OverrideDefaultActions within HKLM\Software\ INTEL\LANDesk\VirusProtect6 \CurrentVersion\Storages\Filesystem\RealTimeScan\Expanded\TCID-11 If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the SecondAction within HKLM\Software\ INTEL\LANDesk\VirusProtect6 \CurrentVersion\Storages\Filesystem\RealTimeScan\Expanded\TCID-11 If the value is 1 or 3, this is compliant, otherwise this is a finding. C - If the value of OverrideDefaultActions within HKLM\Software\ INTEL\LANDesk\VirusProtect6 \CurrentVersion\Storages\Filesystem\RealTimeScan\Expanded\TCID-4 If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the SecondAction within HKLM\Software\ INTEL\LANDesk\VirusProtect6 \CurrentVersion\Storages\Filesystem\RealTimeScan\Expanded\TCID-4 If the value is 1 or 3, this is compliant, otherwise this is a finding. 
D - If the value of OverrideDefaultActions within HKLM\Software\ INTEL\LANDesk\VirusProtect6 \CurrentVersion\Storages\Filesystem\RealTimeScan\Expanded\TCID-5 If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the SecondAction within HKLM\Software\ INTEL\LANDesk\VirusProtect6 \CurrentVersion\Storages\Filesystem\RealTimeScan\Expanded\TCID-5 If the value is 1 or 3, this is compliant, otherwise this is a finding. E - If the value of OverrideDefaultActions within HKLM\Software\ INTEL\LANDesk\VirusProtect6 \CurrentVersion\Storages\Filesystem\RealTimeScan\Expanded\TCID-6 If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the SecondAction within HKLM\Software\ INTEL\LANDesk\VirusProtect6 \CurrentVersion\Storages\Filesystem\RealTimeScan\Expanded\TCID-6 If the value is 1 or 3, this is compliant, otherwise this is a finding. F - If the value of OverrideDefaultActions within HKLM\Software\ INTEL\LANDesk\VirusProtect6 \CurrentVersion\Storages\Filesystem\RealTimeScan\Expanded\TCID-7 If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the SecondAction within HKLM\Software\ INTEL\LANDesk\VirusProtect6 \CurrentVersion\Storages\Filesystem\RealTimeScan\Expanded\TCID-7 If the value is 1 or 3, this is compliant, otherwise this is a finding. G - If the value of OverrideDefaultActions within HKLM\Software\ INTEL\LANDesk\VirusProtect6 \CurrentVersion\Storages\Filesystem\RealTimeScan\Expanded\TCID-8 If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the SecondAction within HKLM\Software\ INTEL\LANDesk\VirusProtect6 \CurrentVersion\Storages\Filesystem\RealTimeScan\Expanded\TCID-8 If the value is 1 or 3, this is compliant, otherwise this is a finding. 
H - If the value of OverrideDefaultActions within HKLM\Software\ INTEL\LANDesk\VirusProtect6 \CurrentVersion\Storages\Filesystem\RealTimeScan\Expanded\TCID-9 If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the SecondAction within HKLM\Software\ INTEL\LANDesk\VirusProtect6 \CurrentVersion\Storages\Filesystem\RealTimeScan\Expanded\TCID-9 If the value is 1 or 3, this is compliant, otherwise this is a finding.
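The eight-part (A-H) procedure of DTAS070 and DTAS071 above, as an added example that is not part of the STIG or of any DISA or Symantec tooling: it evaluates the text of a `reg export` offline. Assumptions: the spaces inside the page's key path are line-wrap artifacts, all values are DWORDs, any non-zero OverrideDefaultActions counts as an override, and the sample export is constructed.

```python
import re

# Key from the check text, compared case-insensitively (assumption: the
# spaces shown in the page's path are line-wrap artifacts, not key names).
BASE = (r"HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\LANDesk\VirusProtect6"
        r"\CurrentVersion\Storages\Filesystem\RealTimeScan\Expanded")

# Parts A-H in the order the procedure lists them.
PARTS = dict(zip("ABCDEFGH", (10, 11, 4, 5, 6, 7, 8, 9)))
ALLOWED = {1, 3}

KEY_RE = re.compile(r'^\[(.+)\]$')
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')


def parse_reg(text):
    """Parse 'reg export' text into {key_lower: {value_name_lower: int}}."""
    reg, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = reg.setdefault(m.group(1).lower(), {})
            continue
        m = DWORD_RE.match(line)
        if m and current is not None:
            current[m.group(1).lower()] = int(m.group(2), 16)
    return reg


def evaluate(reg, action):
    """Return findings for 'FirstAction' (DTAS070) or 'SecondAction' (DTAS071).

    An empty list means "not a finding". Each finding is (part, message),
    where part is "default" or one of the letters A-H.
    """
    name = action.lower()
    default = reg.get(BASE.lower(), {}).get(name)
    if default not in ALLOWED:
        # The procedure stops here: the default action itself is a finding.
        return [("default", f"Expanded {action}={default} (must be 1 or 3)")]
    findings = []
    for part, tcid in PARTS.items():
        values = reg.get(f"{BASE}\\TCID-{tcid}".lower(), {})
        if values.get("overridedefaultactions", 0) == 0:
            continue  # 0 or absent: this part is compliant
        value = values.get(name)
        if value not in ALLOWED:
            findings.append(
                (part, f"TCID-{tcid} {action}={value} (must be 1 or 3)"))
    return findings


# Constructed sample export (not taken from a real host).
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion\Storages\Filesystem\RealTimeScan\Expanded]
"FirstAction"=dword:00000003
"SecondAction"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion\Storages\Filesystem\RealTimeScan\Expanded\TCID-10]
"OverrideDefaultActions"=dword:00000000
"FirstAction"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion\Storages\Filesystem\RealTimeScan\Expanded\TCID-4]
"OverrideDefaultActions"=dword:00000001
"FirstAction"=dword:00000001
"SecondAction"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion\Storages\Filesystem\RealTimeScan\Expanded\TCID-9]
"OverrideDefaultActions"=dword:00000001
"FirstAction"=dword:00000002
"SecondAction"=dword:00000003
"""

if __name__ == "__main__":
    snapshot = parse_reg(SAMPLE_EXPORT)
    for rule, action in (("DTAS070", "FirstAction"),
                         ("DTAS071", "SecondAction")):
        results = evaluate(snapshot, action)
        print(rule, "finding" if results else "not a finding")
        for part, message in results:
            print(f"  part {part}: {message}")
```

The TCID-10 entry shows why the override flag matters: its FirstAction of 4 is ignored because OverrideDefaultActions is 0, so only the overridden categories are reported.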

b
The Symantec Antivirus email client for notification into the email is incorrect.
Medium - V-14601 - SV-15223r6_rule
RMF Control
Severity
Medium
CCI
Version
DTAS080
Vuln IDs
  • V-14601
Rule IDs
  • SV-15223r6_rule
This setting is required in order for the Symantec Antivirus email client to send an email warning notification of a security risk. The “Insert warning into e-mail message” attribute must be selected. System Administrator
Checks: C-12616r4_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\ INTEL\LANDesk\VirusProtect6\CurrentVersion\ Storages\EmailName\RealTimeScan Criteria: If the value of InsertWarning is 1, this is not a finding. Note: This check is for Email clients. Substitute your email application name (InternetMail, LotusNotes, or MicrosoftExchangeClient) into the registry string indicated by EmailName. If email client is not installed this check is NA.

Fix: F-14062r3_fix

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\ INTEL\LANDesk\VirusProtect6\CurrentVersion\ Storages\EmailName\RealTimeScan Criteria: Set the value of InsertWarning to 1. Note: This check is for Email clients. Substitute your email application name (InternetMail, LotusNotes, or MicrosoftExchangeClient) into the registry string indicated by EmailName.

b
The Symantec Antivirus autoprotect email parameter for macro virus first action is incorrect.
Medium - V-14602 - SV-15224r5_rule
RMF Control
Severity
Medium
CCI
Version
DTAS081
Vuln IDs
  • V-14602
Rule IDs
  • SV-15224r5_rule
This setting is required for the Auto-Protect email parameter Macro virus First action policy. When an email Macro virus is detected, the first action to be performed must be the option to delete risk, clean risk, or quarantine the risk. System Administrator
Checks: C-12617r4_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\ INTEL\LANDesk\VirusProtect6\CurrentVersion\ Storages\EmailName\RealTimeScan Criteria: If the value of FirstMacroAction is 1, 3 or 5, this is not a finding. Note: This check is for email clients. Substitute your email application name (InternetMail, LotusNotes, or MicrosoftExchangeClient) into the registry string indicated by EmailName. If email client is not installed, this check is NA.

Fix: F-14063r4_fix

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\ INTEL\LANDesk\VirusProtect6\CurrentVersion\ Storages\EmailName\RealTimeScan Criteria: Set the value of FirstMacroAction to 1, 3 or 5. Note: This check is for Email clients. Substitute your email application name (InternetMail, LotusNotes, or MicrosoftExchangeClient) into the registry string indicated by EmailName.

b
The Symantec Antivirus autoprotect email parameter for macro virus second action is incorrect.
Medium - V-14603 - SV-15225r5_rule
RMF Control
Severity
Medium
CCI
Version
DTAS082
Vuln IDs
  • V-14603
Rule IDs
  • SV-15225r5_rule
This setting is required for the Auto-Protect email parameter Macro virus second action policy. When an email Macro virus is detected, the second action ("If first action fails:") to be performed must be the option to delete risk, clean risk, or quarantine the risk. System Administrator
Checks: C-12618r4_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\ INTEL\LANDesk\VirusProtect6\CurrentVersion\ Storages\EmailName\RealTimeScan Criteria: If the value of SecondMacroAction is 1,3 or 5, this is not a finding. Note: This check is for email clients. Substitute your email application name (InternetMail, LotusNotes, or MicrosoftExchangeClient) into the registry string indicated by EmailName. If email client is not installed, this check is NA.

Fix: F-14064r3_fix

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\ INTEL\LANDesk\VirusProtect6\CurrentVersion\ Storages\EmailName\RealTimeScan Criteria: Set the value of SecondMacroAction to 1,3 or 5. Note: This check is for Email clients. Substitute your email application name (InternetMail, LotusNotes, or MicrosoftExchangeClient) into the registry string indicated by EmailName.

b
The Symantec Antivirus autoprotect email parameter for non-macro first action virus is incorrect.
Medium - V-14604 - SV-15226r5_rule
RMF Control
Severity
Medium
CCI
Version
DTAS083
Vuln IDs
  • V-14604
Rule IDs
  • SV-15226r5_rule
This setting is required for the Auto-Protect email parameter non-Macro virus First action policy. When a non-Macro virus is detected the first action to be performed must be the option to delete risk, clean risk, or quarantine the risk. System Administrator
Checks: C-12619r4_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\INTEL\LANDesk\VirusProtect6\CurrentVersion\Storages\EmailName\RealTimeScan Criteria: If the value of FirstAction is 1, 3, or 5, this is not a finding. Note: This check is for email clients. Substitute your email application name (InternetMail, LotusNotes, or MicrosoftExchangeClient) into the registry string indicated by EmailName. If email client is not installed, this check is NA.

Fix: F-14065r3_fix

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\INTEL\LANDesk\VirusProtect6\CurrentVersion\Storages\EmailName\RealTimeScan Criteria: Set the value of FirstAction to 1, 3, or 5. Note: This check is for Email clients. Substitute your email application name (InternetMail, LotusNotes, or MicrosoftExchangeClient) into the registry string indicated by EmailName.

b
The Symantec Antivirus autoprotect email parameter for check non-macro second action is incorrect.
Medium - V-14605 - SV-15227r6_rule
RMF Control
Severity
Medium
CCI
Version
DTAS084
Vuln IDs
  • V-14605
Rule IDs
  • SV-15227r6_rule
This setting is required for the Auto-Protect email parameter non-Macro virus Second action policy. When a non-Macro virus is detected the Second action ("If first action fails") to be performed must be the option to delete risk, clean risk, or quarantine the risk. System Administrator
Checks: C-12620r5_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\INTEL\LANDesk\VirusProtect6\CurrentVersion\Storages\EmailName\RealTimeScan Criteria: If the value of SecondAction is 1, 3, or 5, this is not a finding. Note: This check is for email clients. Substitute your email application name (InternetMail, LotusNotes, or MicrosoftExchangeClient) into the registry string indicated by EmailName. If email client is not installed, this check is NA.

Fix: F-14066r4_fix

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\INTEL\LANDesk\VirusProtect6\CurrentVersion\Storages\EmailName\RealTimeScan Criteria: Set the value of SecondAction to 1, 3, or 5. Note: This check is for Email clients. Substitute your email application name (InternetMail, LotusNotes, or MicrosoftExchangeClient) into the registry string indicated by EmailName.

b
The Symantec Antivirus Auto-Protect email parameter for Security Risks first action is incorrect.
Medium - V-14606 - SV-15228r4_rule
RMF Control
Severity
Medium
CCI
Version
DTAS085
Vuln IDs
  • V-14606
Rule IDs
  • SV-15228r4_rule
This setting is required for the Auto-Protect email Security Risks First action policy. When a Security Risk is detected the first action to be performed must be the option to delete risk, clean risk, or quarantine the risk. System Administrator
Checks: C-12621r4_chk

Procedure: This is a multiple step process to ensure compliance. Non-compliance points are identified throughout the procedures.
Note: This check is for email clients. Substitute your email application name (InternetMail, LotusNotes, or MicrosoftExchangeClient) into the registry string indicated by EmailName. If email client is not installed, this check is NA.
Use the Windows Registry Editor to navigate to the following key: HKLM\Software\INTEL\LANDesk\VirusProtect6\CurrentVersion\Storages\EmailName\RealTimeScan\Expanded
Criteria: If the value of FirstAction is not 1 or 3, this is a finding. If the value of FirstAction is 1 or 3, then check each of the following steps. Each of the 8 parts (A-H) must be in compliance for the vulnerability to be considered not a finding.
A - Check the value of OverrideDefaultActions within HKLM\Software\INTEL\LANDesk\VirusProtect6\CurrentVersion\Storages\EmailName\RealTimeScan\Expanded\TCID-10. If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the FirstAction within HKLM\Software\INTEL\LANDesk\VirusProtect6\CurrentVersion\Storages\EmailName\RealTimeScan\Expanded\TCID-10. If the value is 1 or 3, this is compliant; otherwise this is a finding.
B - Check the value of OverrideDefaultActions within HKLM\Software\INTEL\LANDesk\VirusProtect6\CurrentVersion\Storages\EmailName\RealTimeScan\Expanded\TCID-11. If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the FirstAction within HKLM\Software\INTEL\LANDesk\VirusProtect6\CurrentVersion\Storages\EmailName\RealTimeScan\Expanded\TCID-11. If the value is 1 or 3, this is compliant; otherwise this is a finding.
C - Check the value of OverrideDefaultActions within HKLM\Software\INTEL\LANDesk\VirusProtect6\CurrentVersion\Storages\EmailName\RealTimeScan\Expanded\TCID-4. If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the FirstAction within HKLM\Software\INTEL\LANDesk\VirusProtect6\CurrentVersion\Storages\EmailName\RealTimeScan\Expanded\TCID-4. If the value is 1 or 3, this is compliant; otherwise this is a finding.
D - Check the value of OverrideDefaultActions within HKLM\Software\INTEL\LANDesk\VirusProtect6\CurrentVersion\Storages\EmailName\RealTimeScan\Expanded\TCID-5. If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the FirstAction within HKLM\Software\INTEL\LANDesk\VirusProtect6\CurrentVersion\Storages\EmailName\RealTimeScan\Expanded\TCID-5. If the value is 1 or 3, this is compliant; otherwise this is a finding.
E - Check the value of OverrideDefaultActions within HKLM\Software\INTEL\LANDesk\VirusProtect6\CurrentVersion\Storages\EmailName\RealTimeScan\Expanded\TCID-6. If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the FirstAction within HKLM\Software\INTEL\LANDesk\VirusProtect6\CurrentVersion\Storages\EmailName\RealTimeScan\Expanded\TCID-6. If the value is 1 or 3, this is compliant; otherwise this is a finding.
F - Check the value of OverrideDefaultActions within HKLM\Software\INTEL\LANDesk\VirusProtect6\CurrentVersion\Storages\EmailName\RealTimeScan\Expanded\TCID-7. If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the FirstAction within HKLM\Software\INTEL\LANDesk\VirusProtect6\CurrentVersion\Storages\EmailName\RealTimeScan\Expanded\TCID-7. If the value is 1 or 3, this is compliant; otherwise this is a finding.
G - Check the value of OverrideDefaultActions within HKLM\Software\INTEL\LANDesk\VirusProtect6\CurrentVersion\Storages\EmailName\RealTimeScan\Expanded\TCID-8. If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the FirstAction within HKLM\Software\INTEL\LANDesk\VirusProtect6\CurrentVersion\Storages\EmailName\RealTimeScan\Expanded\TCID-8. If the value is 1 or 3, this is compliant; otherwise this is a finding.
H - Check the value of OverrideDefaultActions within HKLM\Software\INTEL\LANDesk\VirusProtect6\CurrentVersion\Storages\EmailName\RealTimeScan\Expanded\TCID-9. If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the FirstAction within HKLM\Software\INTEL\LANDesk\VirusProtect6\CurrentVersion\Storages\EmailName\RealTimeScan\Expanded\TCID-9. If the value is 1 or 3, this is compliant; otherwise this is a finding.

Fix: F-14067r3_fix

Procedure: This is a multiple step process to ensure compliance. Non-Compliance points are identified throughout the procedures.
Note: This check is for Email clients. Substitute your email application name (InternetMail, LotusNotes, or MicrosoftExchangeClient) into the registry string indicated by EmailName.
Use the Windows Registry Editor to navigate to the following key: HKLM\Software\INTEL\LANDesk\VirusProtect6\CurrentVersion\Storages\EmailName\RealTimeScan\Expanded
Criteria: If the value of FirstAction is not 1 or 3, this is a finding. If the value of FirstAction is 1 or 3, then check each of the following steps. Each of the 8 parts (A-H) must be in compliance for the vulnerability to be considered not a finding.
A - Check the value of OverrideDefaultActions within HKLM\Software\INTEL\LANDesk\VirusProtect6\CurrentVersion\Storages\EmailName\RealTimeScan\Expanded\TCID-10. If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the FirstAction within HKLM\Software\INTEL\LANDesk\VirusProtect6\CurrentVersion\Storages\EmailName\RealTimeScan\Expanded\TCID-10. If the value is 1 or 3, this is compliant; otherwise this is a finding.
B - Check the value of OverrideDefaultActions within HKLM\Software\INTEL\LANDesk\VirusProtect6\CurrentVersion\Storages\EmailName\RealTimeScan\Expanded\TCID-11. If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the FirstAction within HKLM\Software\INTEL\LANDesk\VirusProtect6\CurrentVersion\Storages\EmailName\RealTimeScan\Expanded\TCID-11. If the value is 1 or 3, this is compliant; otherwise this is a finding.
C - Check the value of OverrideDefaultActions within HKLM\Software\INTEL\LANDesk\VirusProtect6\CurrentVersion\Storages\EmailName\RealTimeScan\Expanded\TCID-4. If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the FirstAction within HKLM\Software\INTEL\LANDesk\VirusProtect6\CurrentVersion\Storages\EmailName\RealTimeScan\Expanded\TCID-4. If the value is 1 or 3, this is compliant; otherwise this is a finding.
D - Check the value of OverrideDefaultActions within HKLM\Software\INTEL\LANDesk\VirusProtect6\CurrentVersion\Storages\EmailName\RealTimeScan\Expanded\TCID-5. If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the FirstAction within HKLM\Software\INTEL\LANDesk\VirusProtect6\CurrentVersion\Storages\EmailName\RealTimeScan\Expanded\TCID-5. If the value is 1 or 3, this is compliant; otherwise this is a finding.
E - Check the value of OverrideDefaultActions within HKLM\Software\INTEL\LANDesk\VirusProtect6\CurrentVersion\Storages\EmailName\RealTimeScan\Expanded\TCID-6. If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the FirstAction within HKLM\Software\INTEL\LANDesk\VirusProtect6\CurrentVersion\Storages\EmailName\RealTimeScan\Expanded\TCID-6. If the value is 1 or 3, this is compliant; otherwise this is a finding.
F - Check the value of OverrideDefaultActions within HKLM\Software\INTEL\LANDesk\VirusProtect6\CurrentVersion\Storages\EmailName\RealTimeScan\Expanded\TCID-7. If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the FirstAction within HKLM\Software\INTEL\LANDesk\VirusProtect6\CurrentVersion\Storages\EmailName\RealTimeScan\Expanded\TCID-7. If the value is 1 or 3, this is compliant; otherwise this is a finding.
G - Check the value of OverrideDefaultActions within HKLM\Software\INTEL\LANDesk\VirusProtect6\CurrentVersion\Storages\EmailName\RealTimeScan\Expanded\TCID-8. If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the FirstAction within HKLM\Software\INTEL\LANDesk\VirusProtect6\CurrentVersion\Storages\EmailName\RealTimeScan\Expanded\TCID-8. If the value is 1 or 3, this is compliant; otherwise this is a finding.
H - Check the value of OverrideDefaultActions within HKLM\Software\INTEL\LANDesk\VirusProtect6\CurrentVersion\Storages\EmailName\RealTimeScan\Expanded\TCID-9. If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the FirstAction within HKLM\Software\INTEL\LANDesk\VirusProtect6\CurrentVersion\Storages\EmailName\RealTimeScan\Expanded\TCID-9. If the value is 1 or 3, this is compliant; otherwise this is a finding.

b
The Symantec Antivirus autoprotect parameter for Email Security Risks Second Action is incorrect.
Medium - V-14607 - SV-15229r4_rule
RMF Control
Severity
Medium
CCI
Version
DTAS086
Vuln IDs
  • V-14607
Rule IDs
  • SV-15229r4_rule
This setting is required for the Auto-Protect email Security Risks second ("If first action fails") action policy. When a Security Risk such as Adware or Dialers is detected, the second action to be performed must be the option to delete risk, or quarantine the risk. System Administrator
Checks: C-12622r4_chk

Procedure: This is a multiple step process to ensure compliance. Non-compliance points are identified throughout the procedures.
Note: This check is for email clients. Substitute your email application name (InternetMail, LotusNotes, or MicrosoftExchangeClient) into the registry string indicated by EmailName. If email client is not installed, this check is NA.
Use the Windows Registry Editor to navigate to the following key: HKLM\Software\INTEL\LANDesk\VirusProtect6\CurrentVersion\Storages\EmailName\RealTimeScan\Expanded
Criteria: If the value of SecondAction is not 1 or 3, this is a finding. If the value of SecondAction is 1 or 3, then check each of the following steps. Each of the 8 parts (A-H) must be in compliance for the vulnerability to be considered not a finding.
A - Check the value of OverrideDefaultActions within HKLM\Software\INTEL\LANDesk\VirusProtect6\CurrentVersion\Storages\EmailName\RealTimeScan\Expanded\TCID-10. If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the SecondAction within HKLM\Software\INTEL\LANDesk\VirusProtect6\CurrentVersion\Storages\EmailName\RealTimeScan\Expanded\TCID-10. If the value is 1 or 3, this is compliant; otherwise this is a finding.
B - Check the value of OverrideDefaultActions within HKLM\Software\INTEL\LANDesk\VirusProtect6\CurrentVersion\Storages\EmailName\RealTimeScan\Expanded\TCID-11. If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the SecondAction within HKLM\Software\INTEL\LANDesk\VirusProtect6\CurrentVersion\Storages\EmailName\RealTimeScan\Expanded\TCID-11. If the value is 1 or 3, this is compliant; otherwise this is a finding.
C - Check the value of OverrideDefaultActions within HKLM\Software\INTEL\LANDesk\VirusProtect6\CurrentVersion\Storages\EmailName\RealTimeScan\Expanded\TCID-4. If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the SecondAction within HKLM\Software\INTEL\LANDesk\VirusProtect6\CurrentVersion\Storages\EmailName\RealTimeScan\Expanded\TCID-4. If the value is 1 or 3, this is compliant; otherwise this is a finding.
D - Check the value of OverrideDefaultActions within HKLM\Software\INTEL\LANDesk\VirusProtect6\CurrentVersion\Storages\EmailName\RealTimeScan\Expanded\TCID-5. If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the SecondAction within HKLM\Software\INTEL\LANDesk\VirusProtect6\CurrentVersion\Storages\EmailName\RealTimeScan\Expanded\TCID-5. If the value is 1 or 3, this is compliant; otherwise this is a finding.
E - Check the value of OverrideDefaultActions within HKLM\Software\INTEL\LANDesk\VirusProtect6\CurrentVersion\Storages\EmailName\RealTimeScan\Expanded\TCID-6. If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the SecondAction within HKLM\Software\INTEL\LANDesk\VirusProtect6\CurrentVersion\Storages\EmailName\RealTimeScan\Expanded\TCID-6. If the value is 1 or 3, this is compliant; otherwise this is a finding.
F - Check the value of OverrideDefaultActions within HKLM\Software\INTEL\LANDesk\VirusProtect6\CurrentVersion\Storages\EmailName\RealTimeScan\Expanded\TCID-7. If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the SecondAction within HKLM\Software\INTEL\LANDesk\VirusProtect6\CurrentVersion\Storages\EmailName\RealTimeScan\Expanded\TCID-7. If the value is 1 or 3, this is compliant; otherwise this is a finding.
G - Check the value of OverrideDefaultActions within HKLM\Software\INTEL\LANDesk\VirusProtect6\CurrentVersion\Storages\EmailName\RealTimeScan\Expanded\TCID-8. If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the SecondAction within HKLM\Software\INTEL\LANDesk\VirusProtect6\CurrentVersion\Storages\EmailName\RealTimeScan\Expanded\TCID-8. If the value is 1 or 3, this is compliant; otherwise this is a finding.
H - Check the value of OverrideDefaultActions within HKLM\Software\INTEL\LANDesk\VirusProtect6\CurrentVersion\Storages\EmailName\RealTimeScan\Expanded\TCID-9. If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the SecondAction within HKLM\Software\INTEL\LANDesk\VirusProtect6\CurrentVersion\Storages\EmailName\RealTimeScan\Expanded\TCID-9. If the value is 1 or 3, this is compliant; otherwise this is a finding.

Fix: F-14068r3_fix

Procedure: This is a multiple step process to ensure compliance. Non-Compliance points are identified throughout the procedures.
Note: This check is for Email clients. Substitute your email application name (InternetMail, LotusNotes, or MicrosoftExchangeClient) into the registry string indicated by EmailName.
Use the Windows Registry Editor to navigate to the following key: HKLM\Software\INTEL\LANDesk\VirusProtect6\CurrentVersion\Storages\EmailName\RealTimeScan\Expanded
Criteria: If the value of SecondAction is not 1 or 3, this is a finding. If the value of SecondAction is 1 or 3, then check each of the following steps. Each of the 8 parts (A-H) must be in compliance for the vulnerability to be considered not a finding.
A - Check the value of OverrideDefaultActions within HKLM\Software\INTEL\LANDesk\VirusProtect6\CurrentVersion\Storages\EmailName\RealTimeScan\Expanded\TCID-10. If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the SecondAction within HKLM\Software\INTEL\LANDesk\VirusProtect6\CurrentVersion\Storages\EmailName\RealTimeScan\Expanded\TCID-10. If the value is 1 or 3, this is compliant; otherwise this is a finding.
B - Check the value of OverrideDefaultActions within HKLM\Software\INTEL\LANDesk\VirusProtect6\CurrentVersion\Storages\EmailName\RealTimeScan\Expanded\TCID-11. If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the SecondAction within HKLM\Software\INTEL\LANDesk\VirusProtect6\CurrentVersion\Storages\EmailName\RealTimeScan\Expanded\TCID-11. If the value is 1 or 3, this is compliant; otherwise this is a finding.
C - Check the value of OverrideDefaultActions within HKLM\Software\INTEL\LANDesk\VirusProtect6\CurrentVersion\Storages\EmailName\RealTimeScan\Expanded\TCID-4. If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the SecondAction within HKLM\Software\INTEL\LANDesk\VirusProtect6\CurrentVersion\Storages\EmailName\RealTimeScan\Expanded\TCID-4. If the value is 1 or 3, this is compliant; otherwise this is a finding.
D - Check the value of OverrideDefaultActions within HKLM\Software\INTEL\LANDesk\VirusProtect6\CurrentVersion\Storages\EmailName\RealTimeScan\Expanded\TCID-5. If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the SecondAction within HKLM\Software\INTEL\LANDesk\VirusProtect6\CurrentVersion\Storages\EmailName\RealTimeScan\Expanded\TCID-5. If the value is 1 or 3, this is compliant; otherwise this is a finding.
E - Check the value of OverrideDefaultActions within HKLM\Software\INTEL\LANDesk\VirusProtect6\CurrentVersion\Storages\EmailName\RealTimeScan\Expanded\TCID-6. If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the SecondAction within HKLM\Software\INTEL\LANDesk\VirusProtect6\CurrentVersion\Storages\EmailName\RealTimeScan\Expanded\TCID-6. If the value is 1 or 3, this is compliant; otherwise this is a finding.
F - Check the value of OverrideDefaultActions within HKLM\Software\INTEL\LANDesk\VirusProtect6\CurrentVersion\Storages\EmailName\RealTimeScan\Expanded\TCID-7. If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the SecondAction within HKLM\Software\INTEL\LANDesk\VirusProtect6\CurrentVersion\Storages\EmailName\RealTimeScan\Expanded\TCID-7. If the value is 1 or 3, this is compliant; otherwise this is a finding.
G - Check the value of OverrideDefaultActions within HKLM\Software\INTEL\LANDesk\VirusProtect6\CurrentVersion\Storages\EmailName\RealTimeScan\Expanded\TCID-8. If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the SecondAction within HKLM\Software\INTEL\LANDesk\VirusProtect6\CurrentVersion\Storages\EmailName\RealTimeScan\Expanded\TCID-8. If the value is 1 or 3, this is compliant; otherwise this is a finding.
H - Check the value of OverrideDefaultActions within HKLM\Software\INTEL\LANDesk\VirusProtect6\CurrentVersion\Storages\EmailName\RealTimeScan\Expanded\TCID-9. If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the SecondAction within HKLM\Software\INTEL\LANDesk\VirusProtect6\CurrentVersion\Storages\EmailName\RealTimeScan\Expanded\TCID-9. If the value is 1 or 3, this is compliant; otherwise this is a finding.
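The A-H procedure for DTAS085 (FirstAction) and DTAS086 (SecondAction), written as a check that runs over a registry snapshot. This is an added example, not part of the STIG: the snapshot layout, function names and sample values are constructed, and two behaviours are assumptions (an absent Expanded key is returned as None for the auditor to treat as NA, and an OverrideDefaultActions value other than 0 or 1 is reported as a finding).

```python
"""Audit helper for the Security Risks criteria of DTAS085 / DTAS086."""

ALLOWED = {1, 3}                     # values the Criteria accept
TCIDS = (10, 11, 4, 5, 6, 7, 8, 9)   # parts A-H, in the order the procedure lists them
EMAIL_NAMES = ("InternetMail", "LotusNotes", "MicrosoftExchangeClient")
BASE = (r"Software\INTEL\LANDesk\VirusProtect6\CurrentVersion"
        r"\Storages\{}\RealTimeScan\Expanded")


def evaluate(expanded, action):
    """Return a list of (part, key, detail) findings; an empty list is 'not a finding'.

    expanded: {"values": {...}, "subkeys": {"TCID-10": {...}, ...}}  (constructed layout)
    action:   "FirstAction" for DTAS085, "SecondAction" for DTAS086
    """
    findings = []
    base = expanded.get("values", {}).get(action)
    if base not in ALLOWED:
        findings.append(("base", "Expanded", f"{action}={base!r}"))
    # The procedure stops at a failed base value; the parts are still listed
    # here so that one pass shows everything that needs remediation.
    for part, tcid in zip("ABCDEFGH", TCIDS):
        name = f"TCID-{tcid}"
        sub = expanded.get("subkeys", {}).get(name, {})
        override = sub.get("OverrideDefaultActions", 0)   # "not there" counts as 0
        if override == 0:
            continue                                      # defaults apply: compliant
        if override == 1 and sub.get(action) in ALLOWED:
            continue                                      # override set to an accepted action
        # Assumption: override values other than 0/1 are reported as findings.
        findings.append((part, name,
                         f"OverrideDefaultActions={override!r}, {action}={sub.get(action)!r}"))
    return findings


def read_expanded(email_name, action):
    """Windows only: snapshot the Expanded key for one e-mail client.

    Returns None when the key is absent (assumption: auditor records the check as NA).
    """
    import winreg  # imported lazily so evaluate() stays usable on any platform

    def grab(key, names):
        out = {}
        for value_name in names:
            try:
                out[value_name] = winreg.QueryValueEx(key, value_name)[0]
            except FileNotFoundError:
                pass                                      # value "is not there"
        return out

    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, BASE.format(email_name)) as root:
            snap = {"values": grab(root, (action,)), "subkeys": {}}
            for tcid in TCIDS:
                try:
                    with winreg.OpenKey(root, f"TCID-{tcid}") as sub:
                        snap["subkeys"][f"TCID-{tcid}"] = grab(
                            sub, ("OverrideDefaultActions", action))
                except FileNotFoundError:
                    pass
            return snap
    except FileNotFoundError:
        return None


# Constructed snapshots (not taken from a real system).
SAMPLE_OK = {
    "values": {"FirstAction": 3, "SecondAction": 1},
    "subkeys": {
        "TCID-10": {"OverrideDefaultActions": 1, "FirstAction": 1, "SecondAction": 3},
        "TCID-4": {"OverrideDefaultActions": 0, "FirstAction": 4, "SecondAction": 4},
    },
}
SAMPLE_BAD = {
    "values": {"FirstAction": 1, "SecondAction": 5},
    "subkeys": {
        "TCID-7": {"OverrideDefaultActions": 1, "FirstAction": 4, "SecondAction": 3},
        "TCID-4": {"OverrideDefaultActions": 0, "FirstAction": 4},
    },
}

if __name__ == "__main__":
    for label, snap in (("SAMPLE_OK", SAMPLE_OK), ("SAMPLE_BAD", SAMPLE_BAD)):
        for act in ("FirstAction", "SecondAction"):
            print(label, act, evaluate(snap, act) or "not a finding")
```

In SAMPLE_OK the TCID-4 action value of 4 is ignored because its OverrideDefaultActions is 0, which is the case the manual procedure most easily gets wrong.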

b
The Symantec Antivirus weekly scan parameter for scanning load points is incorrect.
Medium - V-14609 - SV-15231r4_rule
RMF Control
Severity
Medium
CCI
Version
DTAS091
Vuln IDs
  • V-14609
Rule IDs
  • SV-15231r4_rule
This setting is required to configure the scanning of load points. "Load points" are defined by Symantec AV as "Common Infection locations". System Administrator
Checks: C-12624r2_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Intel\Landesk\VirusProtect6\CurrentVersion\Custom Tasks\{TaskID} Criteria: If the value of ScanLoadpoints is 1, this is not a finding. ** For clients managed by a Symantec Enterprise Server: navigate to the following key: HKLM\Software\Intel\Landesk\VirusProtect6\CurrentVersion\LocalScans\ClientServerScheduledScan_1: note: in the key ClientServerScheduledScan_1 the 1 indicates the entry number for the scan. It may be necessary to review all ClientServerScheduledScan_X keys in the LocalScans branch to evaluate this check. Criteria: if the value of ScanLoadPoints is 1, this is not a finding.

Fix: F-14070r2_fix

Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Intel\Landesk\VirusProtect6\CurrentVersion\Custom Tasks\{TaskID} Criteria: Set the value of ScanLoadpoints to 1. ** For clients managed by a Symantec Enterprise Server, Symantec System Center Console: From the console on the Enterprise Server select System Hierarchy -> select [applicable "Server Group"] -> select [applicable "Client Group"] (right click) -> All Tasks -> Symantec Antivirus -> Scheduled Scans -> Highlight the client server weekly scan -> select Edit -> select Scan Settings -> select “Common infection locations (load points)”.

b
The Symantec Antivirus weekly scan parameter for well knowns before others is incorrect.
Medium - V-14610 - SV-15232r4_rule
RMF Control
Severity
Medium
CCI
Version
DTAS092
Vuln IDs
  • V-14610
Rule IDs
  • SV-15232r4_rule
This setting is required to configure scanning locations of well-known viruses and security risks. System Administrator
Checks: C-12625r2_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Intel\Landesk\VirusProtect6\CurrentVersion\Custom Tasks\{TaskID} Criteria: If the value of ScanERASERDEFS is 1, this is not a finding. ** For clients managed by a Symantec Enterprise Server: navigate to the following key: HKLM\Software\Intel\Landesk\VirusProtect6\CurrentVersion\LocalScans\ClientServerScheduledScan_1: note: in the key ClientServerScheduledScan_1 the 1 indicates the entry number for the scan. It may be necessary to review all ClientServerScheduledScan_X keys in the LocalScans branch to evaluate this check. Criteria: if the value of ScanERASERDEFS is 1, this is not a finding.

Fix: F-14071r2_fix

Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Intel\Landesk\VirusProtect6\CurrentVersion\Custom Tasks\{TaskID} Criteria: Set the value of ScanERASERDEFS to 1. ** For clients managed by a Symantec Enterprise Server, Symantec System Center Console: From the console on the Enterprise Server select System Hierarchy -> select [applicable "Server Group"] -> select [applicable "Client Group"] (right click) -> All Tasks -> Symantec Antivirus -> Scheduled Scans -> Highlight the client server weekly scan -> select Edit -> select Scan Settings -> select “Locations of well known viruses and security risks”.

b
The Symantec Antivirus weekly scan parameter for macro virus first action is incorrect.
Medium - V-14611 - SV-15233r2_rule
RMF Control
Severity
Medium
CCI
Version
DTAS093
Vuln IDs
  • V-14611
Rule IDs
  • SV-15233r2_rule
This setting is required for the weekly scan Macro virus First action policy. When a Macro virus is detected, the first action to be performed must be the option to delete risk, clean risk, or quarantine the risk. System Administrator
Checks: C-12626r2_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Intel\Landesk\VirusProtect6\CurrentVersion\Custom Tasks\{TaskID} Criteria: If the value of FirstMacroAction is 1, 3 or 5, this is not a finding. ** For clients managed by a Symantec Enterprise Server: navigate to the following key: HKLM\Software\Intel\Landesk\VirusProtect6\CurrentVersion\LocalScans\ClientServerScheduledScan_1: note: in the key ClientServerScheduledScan_1 the 1 indicates the entry number for the scan. It may be necessary to review all ClientServerScheduledScan_X keys in the LocalScans branch to evaluate this check. Criteria: if the value of FirstMacroAction is 1, 3, or 5, this is not a finding.

Fix: F-14072r2_fix

Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Intel\Landesk\VirusProtect6\CurrentVersion\Custom Tasks\{TaskID} Criteria: Set the value of FirstMacroAction to 1, 3 or 5. ** For clients managed by a Symantec Enterprise Server, Symantec System Center Console: From the console on the Enterprise Server select System Hierarchy -> select [applicable "Server Group"] -> select [applicable "Client Group"] (right click) -> All Tasks -> Symantec Antivirus -> Scheduled Scans -> Highlight the client server weekly scan -> select Edit -> select Scan Settings -> Actions -> Highlight Macro virus: First action: Clean risk, Quarantine risk, or Delete risk.

b
The Symantec Antivirus weekly scan parameter for macro virus second action is incorrect.
Medium - V-14612 - SV-15234r4_rule
RMF Control
Severity
Medium
CCI
Version
DTAS094
Vuln IDs
  • V-14612
Rule IDs
  • SV-15234r4_rule
This setting is required for the weekly scan parameter Macro virus Second action policy. When a non-Macro virus is detected, the Second action ("If first action fails") to be performed must be the option to delete risk, clean risk, or quarantine the risk. System Administrator
Checks: C-12627r2_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Intel\Landesk\VirusProtect6\CurrentVersion\Custom Tasks\{TaskID} Criteria: If the value of SecondMacroAction is 1, 3 or 5, this is not a finding. ** For clients managed by a Symantec Enterprise Server: navigate to the following key: HKLM\Software\Intel\Landesk\VirusProtect6\CurrentVersion\LocalScans\ClientServerScheduledScan_1: note: in the key ClientServerScheduledScan_1 the 1 indicates the entry number for the scan. It may be necessary to review all ClientServerScheduledScan_X keys in the LocalScans branch to evaluate this check. Criteria: if the value of SecondMacroAction is 1, 3, or 5, this is not a finding.

Fix: F-14073r2_fix

Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Intel\Landesk\VirusProtect6\CurrentVersion\Custom Tasks\{TaskID} Criteria: Set the value of SecondMacroAction to 1,3 or 5. ** For clients managed by a Symantec Enterprise Server, Symantec System Center Console: From the console on the Enterprise Server select System Hierarchy -> select [applicable "Server Group"] -> select [applicable "Client Group"] (right click) -> All Tasks -> Symantec Antivirus -> Scheduled Scans -> Highlight the client server weekly scan -> select Edit -> select Scan Settings -> Actions -> Highlight Macro virus: If first action fails: Clean risk, Quarantine risk, or Delete risk.

b
The Symantec Antivirus weekly scan parameter for non-macro first action virus is incorrect.
Medium - V-14613 - SV-15235r4_rule
RMF Control
Severity
Medium
CCI
Version
DTAS095
Vuln IDs
  • V-14613
Rule IDs
  • SV-15235r4_rule
This setting is required for the weekly scan parameter non-Macro virus First action policy. When a non-Macro virus is detected, the first action to be performed must be the option to delete risk, clean risk, or quarantine the risk. System Administrator
Checks: C-12628r2_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Intel\Landesk\VirusProtect6\CurrentVersion\Custom Tasks\{TaskID} Criteria: If the value of FirstAction is 1,3, or 5, this is not a finding. ** For clients managed by a Symantec Enterprise Server: navigate to the following key: HKLM\Software\Intel\Landesk\VirusProtect6\CurrentVersion\LocalScans\ClientServerScheduledScan_1: note: in the key ClientServerScheduledScan_1 the 1 indicates the entry number for the scan. It may be necessary to review all ClientServerScheduledScan_X keys in the LocalScans branch to evaluate this check. Criteria: if the value of FirstAction is 1, 3, or 5, this is not a finding.

Fix: F-14074r2_fix

Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Intel\Landesk\VirusProtect6\CurrentVersion\Custom Tasks\{TaskID} Criteria: Set the value of FirstAction to 1,3, or 5. ** For clients managed by a Symantec Enterprise Server, Symantec System Center Console: From the console on the Enterprise Server select System Hierarchy -> select [applicable "Server Group"] -> select [applicable "Client Group"] (right click) -> All Tasks -> Symantec Antivirus -> Scheduled Scans -> Highlight the client server weekly scan -> select Edit -> select Scan Settings -> Actions -> Highlight Non-Macro Virus: First Action: Clean risk, Quarantine risk, or Delete risk

b
The Symantec Antivirus autoprotect parameter for check non-macro second action is incorrect.
Medium - V-14615 - SV-15240r4_rule
RMF Control
Severity
Medium
CCI
Version
DTAS096
Vuln IDs
  • V-14615
Rule IDs
  • SV-15240r4_rule
This setting is required for the Auto-Protect parameter non-Macro virus second action policy. When an email Macro virus is detected, the second action ("If first action fails:") to be performed must be the option to delete risk, clean risk, or quarantine the risk. System Administrator
Checks: C-13712r2_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Intel\Landesk\VirusProtect6\CurrentVersion\Custom Tasks\{TaskID} Criteria: If the value of SecondAction is 1, 3, or 5, this is not a finding. ** For clients managed by a Symantec Enterprise Server: navigate to the following key: HKLM\Software\Intel\Landesk\VirusProtect6\CurrentVersion\LocalScans\ClientServerScheduledScan_1: note: in the key ClientServerScheduledScan_1 the 1 indicates the entry number for the scan. It may be necessary to review all ClientServerScheduledScan_X keys in the LocalScans branch to evaluate this check. Criteria: if the value of SecondAction is 1, 3, or 5, this is not a finding.

Fix: F-14077r2_fix

Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Intel\Landesk\VirusProtect6\CurrentVersion\Custom Tasks\{TaskID}

Criteria: Set the value of SecondAction to 1, 3, or 5.

** For clients managed by a Symantec Enterprise Server, Symantec System Center Console: From the console on the Enterprise Server select System Hierarchy -> select [applicable "Server Group"] -> select [applicable "Client Group"] (right click) -> All Tasks -> Symantec Antivirus -> Scheduled Scans -> Highlight the client server weekly scan -> select Edit -> select Scan Settings -> Actions -> Highlight Non-macro virus: If first action fails: Clean risk, Quarantine risk, or Delete risk

The Symantec Antivirus weekly scan parameter for Security Risks first action is incorrect.
Medium - V-14616 - SV-15241r3_rule
RMF Control
Severity
Medium
CCI
Version
DTAS097
Vuln IDs
  • V-14616
Rule IDs
  • SV-15241r3_rule
This setting is required for the weekly scan parameter Security Risks First action policy. When a Security Risk is detected, the first action to be performed must be the option to delete risk, clean risk, or quarantine the risk. System Administrator
Checks: C-12632r2_chk

Procedure: This is a multiple step process to ensure compliance. Non-Compliance points are identified throughout the procedures. Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Intel\Landesk\VirusProtect6\CurrentVersion\Custom Tasks\{TaskID}\Expanded

Criteria: If the value of FirstAction is not 1 or 3, this is a finding. If the value FirstAction is 1 or 3 then check each of the following steps. Each of the 8 parts (A-H) must be in compliance for the vulnerability to be considered not a finding.

A - Check the value of OverrideDefaultActions within HKCU\Software\Intel\Landesk\VirusProtect6\CurrentVersion\Custom Tasks\{TaskID}\Expanded\TCID-10. If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the FirstAction within HKCU\Software\Intel\Landesk\VirusProtect6\CurrentVersion\Custom Tasks\{TaskID}\Expanded\TCID-10. If the value is 1 or 3, this is compliant; otherwise this is a finding.

B - Check the value of OverrideDefaultActions within HKCU\Software\Intel\Landesk\VirusProtect6\CurrentVersion\Custom Tasks\{TaskID}\Expanded\TCID-11. If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the FirstAction within HKCU\Software\Intel\Landesk\VirusProtect6\CurrentVersion\Custom Tasks\{TaskID}\Expanded\TCID-11. If the value is 1 or 3, this is compliant; otherwise this is a finding.

C - Check the value of OverrideDefaultActions within HKCU\Software\Intel\Landesk\VirusProtect6\CurrentVersion\Custom Tasks\{TaskID}\Expanded\TCID-4. If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the FirstAction within HKCU\Software\Intel\Landesk\VirusProtect6\CurrentVersion\Custom Tasks\{TaskID}\Expanded\TCID-4. If the value is 1 or 3, this is compliant; otherwise this is a finding.

D - Check the value of OverrideDefaultActions within HKCU\Software\Intel\Landesk\VirusProtect6\CurrentVersion\Custom Tasks\{TaskID}\Expanded\TCID-5. If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the FirstAction within HKCU\Software\Intel\Landesk\VirusProtect6\CurrentVersion\Custom Tasks\{TaskID}\Expanded\TCID-5. If the value is 1 or 3, this is compliant; otherwise this is a finding.

E - Check the value of OverrideDefaultActions within HKCU\Software\Intel\Landesk\VirusProtect6\CurrentVersion\Custom Tasks\{TaskID}\Expanded\TCID-6. If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the FirstAction within HKCU\Software\Intel\Landesk\VirusProtect6\CurrentVersion\Custom Tasks\{TaskID}\Expanded\TCID-6. If the value is 1 or 3, this is compliant; otherwise this is a finding.

F - Check the value of OverrideDefaultActions within HKCU\Software\Intel\Landesk\VirusProtect6\CurrentVersion\Custom Tasks\{TaskID}\Expanded\TCID-7. If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the FirstAction within HKCU\Software\Intel\Landesk\VirusProtect6\CurrentVersion\Custom Tasks\{TaskID}\Expanded\TCID-7. If the value is 1 or 3, this is compliant; otherwise this is a finding.

G - Check the value of OverrideDefaultActions within HKCU\Software\Intel\Landesk\VirusProtect6\CurrentVersion\Custom Tasks\{TaskID}\Expanded\TCID-8. If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the FirstAction within HKCU\Software\Intel\Landesk\VirusProtect6\CurrentVersion\Custom Tasks\{TaskID}\Expanded\TCID-8. If the value is 1 or 3, this is compliant; otherwise this is a finding.

H - Check the value of OverrideDefaultActions within HKCU\Software\Intel\Landesk\VirusProtect6\CurrentVersion\Custom Tasks\{TaskID}\Expanded\TCID-9. If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the FirstAction within HKCU\Software\Intel\Landesk\VirusProtect6\CurrentVersion\Custom Tasks\{TaskID}\Expanded\TCID-9. If the value is 1 or 3, this is compliant; otherwise this is a finding.

** For clients managed by a Symantec Enterprise Server: navigate to the following key: HKLM\Software\Intel\Landesk\VirusProtect6\CurrentVersion\LocalScans\ClientServerScheduledScan_1

Note: In the key ClientServerScheduledScan_1, the 1 indicates the entry number for the scan. This key will indicate the weekly scan. It may be necessary to review all ClientServerScheduledScan_X keys in the LocalScans branch to evaluate this check.

Procedure: This is a multiple step process to ensure compliance. Non-Compliance points are identified throughout the procedures. Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Intel\Landesk\VirusProtect6\CurrentVersion\LocalScans\ClientServerScheduledScan_1\Expanded

Criteria: If the value of FirstAction is not 1 or 3, this is a finding. If the value FirstAction is 1 or 3 then check each of the following steps. Each of the 8 parts (A-H) must be in compliance for the vulnerability to be considered not a finding.

A - Check the value of OverrideDefaultActions within HKLM\Software\Intel\Landesk\VirusProtect6\CurrentVersion\LocalScans\ClientServerScheduledScan_1\Expanded\TCID-10. If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the FirstAction within HKLM\Software\Intel\Landesk\VirusProtect6\CurrentVersion\LocalScans\ClientServerScheduledScan_1\Expanded\TCID-10. If the value is 1 or 3, this is compliant; otherwise this is a finding.

B - Check the value of OverrideDefaultActions within HKLM\Software\Intel\Landesk\VirusProtect6\CurrentVersion\LocalScans\ClientServerScheduledScan_1\Expanded\TCID-11. If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the FirstAction within HKLM\Software\Intel\Landesk\VirusProtect6\CurrentVersion\LocalScans\ClientServerScheduledScan_1\Expanded\TCID-11. If the value is 1 or 3, this is compliant; otherwise this is a finding.

C - Check the value of OverrideDefaultActions within HKLM\Software\Intel\Landesk\VirusProtect6\CurrentVersion\LocalScans\ClientServerScheduledScan_1\Expanded\TCID-4. If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the FirstAction within HKLM\Software\Intel\Landesk\VirusProtect6\CurrentVersion\LocalScans\ClientServerScheduledScan_1\Expanded\TCID-4. If the value is 1 or 3, this is compliant; otherwise this is a finding.

D - Check the value of OverrideDefaultActions within HKLM\Software\Intel\Landesk\VirusProtect6\CurrentVersion\LocalScans\ClientServerScheduledScan_1\Expanded\TCID-5. If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the FirstAction within HKLM\Software\Intel\Landesk\VirusProtect6\CurrentVersion\LocalScans\ClientServerScheduledScan_1\Expanded\TCID-5. If the value is 1 or 3, this is compliant; otherwise this is a finding.

E - Check the value of OverrideDefaultActions within HKLM\Software\Intel\Landesk\VirusProtect6\CurrentVersion\LocalScans\ClientServerScheduledScan_1\Expanded\TCID-6. If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the FirstAction within HKLM\Software\Intel\Landesk\VirusProtect6\CurrentVersion\LocalScans\ClientServerScheduledScan_1\Expanded\TCID-6. If the value is 1 or 3, this is compliant; otherwise this is a finding.

F - Check the value of OverrideDefaultActions within HKLM\Software\Intel\Landesk\VirusProtect6\CurrentVersion\LocalScans\ClientServerScheduledScan_1\Expanded\TCID-7. If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the FirstAction within HKLM\Software\Intel\Landesk\VirusProtect6\CurrentVersion\LocalScans\ClientServerScheduledScan_1\Expanded\TCID-7. If the value is 1 or 3, this is compliant; otherwise this is a finding.

G - Check the value of OverrideDefaultActions within HKLM\Software\Intel\Landesk\VirusProtect6\CurrentVersion\LocalScans\ClientServerScheduledScan_1\Expanded\TCID-8. If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the FirstAction within HKLM\Software\Intel\Landesk\VirusProtect6\CurrentVersion\LocalScans\ClientServerScheduledScan_1\Expanded\TCID-8. If the value is 1 or 3, this is compliant; otherwise this is a finding.

H - Check the value of OverrideDefaultActions within HKLM\Software\Intel\Landesk\VirusProtect6\CurrentVersion\LocalScans\ClientServerScheduledScan_1\Expanded\TCID-9. If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the FirstAction within HKLM\Software\Intel\Landesk\VirusProtect6\CurrentVersion\LocalScans\ClientServerScheduledScan_1\Expanded\TCID-9. If the value is 1 or 3, this is compliant; otherwise this is a finding.

Fix: F-14078r2_fix

Procedure: This is a multiple step process to ensure compliance. Non-Compliance points are identified throughout the procedures. Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Intel\Landesk\VirusProtect6\CurrentVersion\Custom Tasks\{TaskID}\Expanded

Criteria: If the value of FirstAction is not 1 or 3, this is a finding. If the value FirstAction is 1 or 3 then check each of the following steps. Each of the 8 parts (A-H) must be in compliance for the vulnerability to be considered not a finding.

A - Check the value of OverrideDefaultActions within HKCU\Software\Intel\Landesk\VirusProtect6\CurrentVersion\Custom Tasks\{TaskID}\Expanded\TCID-10. If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the FirstAction within HKCU\Software\Intel\Landesk\VirusProtect6\CurrentVersion\Custom Tasks\{TaskID}\Expanded\TCID-10. If the value is 1 or 3, this is compliant; otherwise this is a finding.

B - Check the value of OverrideDefaultActions within HKCU\Software\Intel\Landesk\VirusProtect6\CurrentVersion\Custom Tasks\{TaskID}\Expanded\TCID-11. If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the FirstAction within HKCU\Software\Intel\Landesk\VirusProtect6\CurrentVersion\Custom Tasks\{TaskID}\Expanded\TCID-11. If the value is 1 or 3, this is compliant; otherwise this is a finding.

C - Check the value of OverrideDefaultActions within HKCU\Software\Intel\Landesk\VirusProtect6\CurrentVersion\Custom Tasks\{TaskID}\Expanded\TCID-4. If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the FirstAction within HKCU\Software\Intel\Landesk\VirusProtect6\CurrentVersion\Custom Tasks\{TaskID}\Expanded\TCID-4. If the value is 1 or 3, this is compliant; otherwise this is a finding.

D - Check the value of OverrideDefaultActions within HKCU\Software\Intel\Landesk\VirusProtect6\CurrentVersion\Custom Tasks\{TaskID}\Expanded\TCID-5. If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the FirstAction within HKCU\Software\Intel\Landesk\VirusProtect6\CurrentVersion\Custom Tasks\{TaskID}\Expanded\TCID-5. If the value is 1 or 3, this is compliant; otherwise this is a finding.

E - Check the value of OverrideDefaultActions within HKCU\Software\Intel\Landesk\VirusProtect6\CurrentVersion\Custom Tasks\{TaskID}\Expanded\TCID-6. If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the FirstAction within HKCU\Software\Intel\Landesk\VirusProtect6\CurrentVersion\Custom Tasks\{TaskID}\Expanded\TCID-6. If the value is 1 or 3, this is compliant; otherwise this is a finding.

F - Check the value of OverrideDefaultActions within HKCU\Software\Intel\Landesk\VirusProtect6\CurrentVersion\Custom Tasks\{TaskID}\Expanded\TCID-7. If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the FirstAction within HKCU\Software\Intel\Landesk\VirusProtect6\CurrentVersion\Custom Tasks\{TaskID}\Expanded\TCID-7. If the value is 1 or 3, this is compliant; otherwise this is a finding.

G - Check the value of OverrideDefaultActions within HKCU\Software\Intel\Landesk\VirusProtect6\CurrentVersion\Custom Tasks\{TaskID}\Expanded\TCID-8. If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the FirstAction within HKCU\Software\Intel\Landesk\VirusProtect6\CurrentVersion\Custom Tasks\{TaskID}\Expanded\TCID-8. If the value is 1 or 3, this is compliant; otherwise this is a finding.

H - Check the value of OverrideDefaultActions within HKCU\Software\Intel\Landesk\VirusProtect6\CurrentVersion\Custom Tasks\{TaskID}\Expanded\TCID-9. If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the FirstAction within HKCU\Software\Intel\Landesk\VirusProtect6\CurrentVersion\Custom Tasks\{TaskID}\Expanded\TCID-9. If the value is 1 or 3, this is compliant.

** For clients managed by a Symantec Enterprise Server, Symantec System Center Console: From the console on the Enterprise Server select System Hierarchy -> select [applicable "Server Group"] -> select [applicable "Client Group"] (right click) -> All Tasks -> Symantec Antivirus -> Scheduled Scans -> Highlight the client server weekly scan -> select Edit -> select Scan Settings -> Actions -> Highlight Security Risks: under the Actions tab First action: select one of the following “Quarantine risk” or “Delete risk”.

If the selection for First action is “Quarantine risk” or “Delete risk”, continue with each of the following steps. Each of the 8 parts (A - H) must be in compliance for the vulnerability to be considered not a finding.

A. Highlight Adware - if Override actions configured for Security Risks is checked, for First action: select Quarantine risk or Delete risk.
B. Highlight Dialers - if Override actions configured for Security Risks is checked, for First action: select Quarantine risk or Delete risk.
C. Highlight Hack Tools - if Override actions configured for Security Risks is checked, for First action: select Quarantine risk or Delete risk.
D. Highlight Joke Programs - if Override actions configured for Security Risks is checked, for First action: select Quarantine risk or Delete risk.
E. Highlight Other - if Override actions configured for Security Risks is checked, for First action: select Quarantine risk or Delete risk.
F. Highlight Remote Access - if Override actions configured for Security Risks is checked, for First action: select Quarantine risk or Delete risk.
G. Highlight Spyware - if Override actions configured for Security Risks is checked, for First action: select Quarantine risk or Delete risk.
H. Highlight Trackware - if Override actions configured for Security Risks is checked, for First action: select Quarantine risk or Delete risk.

The Symantec Antivirus weekly scan parameter for Security Risks second action is incorrect.
Medium - V-14617 - SV-15242r4_rule
RMF Control
Severity
Medium
CCI
Version
DTAS098
Vuln IDs
  • V-14617
Rule IDs
  • SV-15242r4_rule
This setting is required for the weekly scan parameter Security Risks second ("If first action fails") action policy. When a Security Risk, such as Adware or Dialers, is detected, the second action to be performed must be the option to delete risk, or quarantine the risk. System Administrator
Checks: C-12633r2_chk

Procedure: This is a multiple step process to ensure compliance. Non-Compliance points are identified throughout the procedures. Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Intel\Landesk\VirusProtect6\CurrentVersion\Custom Tasks\{TaskID}\Expanded

Criteria: If the value of SecondAction is not 1 or 3, this is a finding. If the value SecondAction is 1 or 3 then check each of the following steps. Each of the 8 parts (A-H) must be in compliance for the vulnerability to be considered not a finding.

A - Check the value of OverrideDefaultActions within HKCU\Software\Intel\Landesk\VirusProtect6\CurrentVersion\Custom Tasks\{TaskID}\Expanded\TCID-10. If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the SecondAction within HKCU\Software\Intel\Landesk\VirusProtect6\CurrentVersion\Custom Tasks\{TaskID}\Expanded\TCID-10. If the value is 1 or 3, this is compliant; otherwise this is a finding.

B - Check the value of OverrideDefaultActions within HKCU\Software\Intel\Landesk\VirusProtect6\CurrentVersion\Custom Tasks\{TaskID}\Expanded\TCID-11. If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the SecondAction within HKCU\Software\Intel\Landesk\VirusProtect6\CurrentVersion\Custom Tasks\{TaskID}\Expanded\TCID-11. If the value is 1 or 3, this is compliant; otherwise this is a finding.

C - Check the value of OverrideDefaultActions within HKCU\Software\Intel\Landesk\VirusProtect6\CurrentVersion\Custom Tasks\{TaskID}\Expanded\TCID-4. If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the SecondAction within HKCU\Software\Intel\Landesk\VirusProtect6\CurrentVersion\Custom Tasks\{TaskID}\Expanded\TCID-4. If the value is 1 or 3, this is compliant; otherwise this is a finding.

D - Check the value of OverrideDefaultActions within HKCU\Software\Intel\Landesk\VirusProtect6\CurrentVersion\Custom Tasks\{TaskID}\Expanded\TCID-5. If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the SecondAction within HKCU\Software\Intel\Landesk\VirusProtect6\CurrentVersion\Custom Tasks\{TaskID}\Expanded\TCID-5. If the value is 1 or 3, this is compliant; otherwise this is a finding.

E - Check the value of OverrideDefaultActions within HKCU\Software\Intel\Landesk\VirusProtect6\CurrentVersion\Custom Tasks\{TaskID}\Expanded\TCID-6. If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the SecondAction within HKCU\Software\Intel\Landesk\VirusProtect6\CurrentVersion\Custom Tasks\{TaskID}\Expanded\TCID-6. If the value is 1 or 3, this is compliant; otherwise this is a finding.

F - Check the value of OverrideDefaultActions within HKCU\Software\Intel\Landesk\VirusProtect6\CurrentVersion\Custom Tasks\{TaskID}\Expanded\TCID-7. If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the SecondAction within HKCU\Software\Intel\Landesk\VirusProtect6\CurrentVersion\Custom Tasks\{TaskID}\Expanded\TCID-7. If the value is 1 or 3, this is compliant; otherwise this is a finding.

G - Check the value of OverrideDefaultActions within HKCU\Software\Intel\Landesk\VirusProtect6\CurrentVersion\Custom Tasks\{TaskID}\Expanded\TCID-8. If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the SecondAction within HKCU\Software\Intel\Landesk\VirusProtect6\CurrentVersion\Custom Tasks\{TaskID}\Expanded\TCID-8. If the value is 1 or 3, this is compliant; otherwise this is a finding.

H - Check the value of OverrideDefaultActions within HKCU\Software\Intel\Landesk\VirusProtect6\CurrentVersion\Custom Tasks\{TaskID}\Expanded\TCID-9. If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the SecondAction within HKCU\Software\Intel\Landesk\VirusProtect6\CurrentVersion\Custom Tasks\{TaskID}\Expanded\TCID-9. If the value is 1 or 3, this is compliant; otherwise this is a finding.

** For clients managed by a Symantec Enterprise Server: navigate to the following key: HKLM\Software\Intel\Landesk\VirusProtect6\CurrentVersion\LocalScans\ClientServerScheduledScan_1

Note: In the key ClientServerScheduledScan_1, the 1 indicates the entry number for the scan. This key will indicate the weekly scan. It may be necessary to review all ClientServerScheduledScan_X keys in the LocalScans branch to evaluate this check.

Procedure: This is a multiple step process to ensure compliance. Non-Compliance points are identified throughout the procedures. Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Intel\Landesk\VirusProtect6\CurrentVersion\LocalScans\ClientServerScheduledScan_1\Expanded

Criteria: If the value of SecondAction is not 1 or 3, this is a finding. If the value SecondAction is 1 or 3 then check each of the following steps. Each of the 8 parts (A-H) must be in compliance for the vulnerability to be considered not a finding.

A - Check the value of OverrideDefaultActions within HKLM\Software\Intel\Landesk\VirusProtect6\CurrentVersion\LocalScans\ClientServerScheduledScan_1\Expanded\TCID-10. If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the SecondAction within HKLM\Software\Intel\Landesk\VirusProtect6\CurrentVersion\LocalScans\ClientServerScheduledScan_1\Expanded\TCID-10. If the value is 1 or 3, this is compliant; otherwise this is a finding.

B - Check the value of OverrideDefaultActions within HKLM\Software\Intel\Landesk\VirusProtect6\CurrentVersion\LocalScans\ClientServerScheduledScan_1\Expanded\TCID-11. If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the SecondAction within HKLM\Software\Intel\Landesk\VirusProtect6\CurrentVersion\LocalScans\ClientServerScheduledScan_1\Expanded\TCID-11. If the value is 1 or 3, this is compliant; otherwise this is a finding.

C - Check the value of OverrideDefaultActions within HKLM\Software\Intel\Landesk\VirusProtect6\CurrentVersion\LocalScans\ClientServerScheduledScan_1\Expanded\TCID-4. If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the SecondAction within HKLM\Software\Intel\Landesk\VirusProtect6\CurrentVersion\LocalScans\ClientServerScheduledScan_1\Expanded\TCID-4. If the value is 1 or 3, this is compliant; otherwise this is a finding.

D - Check the value of OverrideDefaultActions within HKLM\Software\Intel\Landesk\VirusProtect6\CurrentVersion\LocalScans\ClientServerScheduledScan_1\Expanded\TCID-5. If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the SecondAction within HKLM\Software\Intel\Landesk\VirusProtect6\CurrentVersion\LocalScans\ClientServerScheduledScan_1\Expanded\TCID-5. If the value is 1 or 3, this is compliant; otherwise this is a finding.

E - Check the value of OverrideDefaultActions within HKLM\Software\Intel\Landesk\VirusProtect6\CurrentVersion\LocalScans\ClientServerScheduledScan_1\Expanded\TCID-6. If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the SecondAction within HKLM\Software\Intel\Landesk\VirusProtect6\CurrentVersion\LocalScans\ClientServerScheduledScan_1\Expanded\TCID-6. If the value is 1 or 3, this is compliant; otherwise this is a finding.

F - Check the value of OverrideDefaultActions within HKLM\Software\Intel\Landesk\VirusProtect6\CurrentVersion\LocalScans\ClientServerScheduledScan_1\Expanded\TCID-7. If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the SecondAction within HKLM\Software\Intel\Landesk\VirusProtect6\CurrentVersion\LocalScans\ClientServerScheduledScan_1\Expanded\TCID-7. If the value is 1 or 3, this is compliant; otherwise this is a finding.

G - Check the value of OverrideDefaultActions within HKLM\Software\Intel\Landesk\VirusProtect6\CurrentVersion\LocalScans\ClientServerScheduledScan_1\Expanded\TCID-8. If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the SecondAction within HKLM\Software\Intel\Landesk\VirusProtect6\CurrentVersion\LocalScans\ClientServerScheduledScan_1\Expanded\TCID-8. If the value is 1 or 3, this is compliant; otherwise this is a finding.

H - Check the value of OverrideDefaultActions within HKLM\Software\Intel\Landesk\VirusProtect6\CurrentVersion\LocalScans\ClientServerScheduledScan_1\Expanded\TCID-9. If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the SecondAction within HKLM\Software\Intel\Landesk\VirusProtect6\CurrentVersion\LocalScans\ClientServerScheduledScan_1\Expanded\TCID-9. If the value is 1 or 3, this is compliant; otherwise this is a finding.

Fix: F-14079r2_fix

Procedure: This is a multiple step process to ensure compliance. Non-Compliance points are identified throughout the procedures. Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Intel\Landesk\VirusProtect6\CurrentVersion\Custom Tasks\{TaskID}\Expanded

Criteria: If the value of SecondAction is not 1 or 3, this is a finding. If the value SecondAction is 1 or 3 then check each of the following steps. Each of the 8 parts (A-H) must be in compliance for the vulnerability to be considered not a finding.

A - Check the value of OverrideDefaultActions within HKCU\Software\Intel\Landesk\VirusProtect6\CurrentVersion\Custom Tasks\{TaskID}\Expanded\TCID-10. If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the SecondAction within HKCU\Software\Intel\Landesk\VirusProtect6\CurrentVersion\Custom Tasks\{TaskID}\Expanded\TCID-10. If the value is 1 or 3, this is compliant; otherwise this is a finding.

B - Check the value of OverrideDefaultActions within HKCU\Software\Intel\Landesk\VirusProtect6\CurrentVersion\Custom Tasks\{TaskID}\Expanded\TCID-11. If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the SecondAction within HKCU\Software\Intel\Landesk\VirusProtect6\CurrentVersion\Custom Tasks\{TaskID}\Expanded\TCID-11. If the value is 1 or 3, this is compliant; otherwise this is a finding.

C - Check the value of OverrideDefaultActions within HKCU\Software\Intel\Landesk\VirusProtect6\CurrentVersion\Custom Tasks\{TaskID}\Expanded\TCID-4. If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the SecondAction within HKCU\Software\Intel\Landesk\VirusProtect6\CurrentVersion\Custom Tasks\{TaskID}\Expanded\TCID-4. If the value is 1 or 3, this is compliant; otherwise this is a finding.

D - Check the value of OverrideDefaultActions within HKCU\Software\Intel\Landesk\VirusProtect6\CurrentVersion\Custom Tasks\{TaskID}\Expanded\TCID-5. If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the SecondAction within HKCU\Software\Intel\Landesk\VirusProtect6\CurrentVersion\Custom Tasks\{TaskID}\Expanded\TCID-5. If the value is 1 or 3, this is compliant; otherwise this is a finding.

E - Check the value of OverrideDefaultActions within HKCU\Software\Intel\Landesk\VirusProtect6\CurrentVersion\Custom Tasks\{TaskID}\Expanded\TCID-6. If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the SecondAction within HKCU\Software\Intel\Landesk\VirusProtect6\CurrentVersion\Custom Tasks\{TaskID}\Expanded\TCID-6. If the value is 1 or 3, this is compliant; otherwise this is a finding.

F - Check the value of OverrideDefaultActions within HKCU\Software\Intel\Landesk\VirusProtect6\CurrentVersion\Custom Tasks\{TaskID}\Expanded\TCID-7. If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the SecondAction within HKCU\Software\Intel\Landesk\VirusProtect6\CurrentVersion\Custom Tasks\{TaskID}\Expanded\TCID-7. If the value is 1 or 3, this is compliant; otherwise this is a finding.

G - Check the value of OverrideDefaultActions within HKCU\Software\Intel\Landesk\VirusProtect6\CurrentVersion\Custom Tasks\{TaskID}\Expanded\TCID-8. If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the SecondAction within HKCU\Software\Intel\Landesk\VirusProtect6\CurrentVersion\Custom Tasks\{TaskID}\Expanded\TCID-8. If the value is 1 or 3, this is compliant; otherwise this is a finding.

H - Check the value of OverrideDefaultActions within HKCU\Software\Intel\Landesk\VirusProtect6\CurrentVersion\Custom Tasks\{TaskID}\Expanded\TCID-9. If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the SecondAction within HKCU\Software\Intel\Landesk\VirusProtect6\CurrentVersion\Custom Tasks\{TaskID}\Expanded\TCID-9. If the value is 1 or 3, this is compliant; otherwise this is a finding.

** For clients managed by a Symantec Enterprise Server, Symantec System Center Console: From the console on the Enterprise Server select System Hierarchy -> select [applicable "Server Group"] -> select [applicable "Client Group"] (right click) -> All Tasks -> Symantec Antivirus -> Scheduled Scans -> Highlight the client server weekly scan -> select Edit -> select Scan Settings -> Actions -> Highlight Security Risks: under the Actions tab If first action fails: select one of the following “Quarantine risk” or “Delete risk”.

If the selection for If first action fails is “Quarantine risk” or “Delete risk”, continue with each of the following steps. Each of the 8 parts (A - H) must be in compliance for the vulnerability to be considered not a finding.

A. Highlight Adware - if Override actions configured for Security Risks is checked, for First action: select Quarantine risk or Delete risk.
B. Highlight Dialers - if Override actions configured for Security Risks is checked, for First action: select Quarantine risk or Delete risk.
C. Highlight Hack Tools - if Override actions configured for Security Risks is checked, for First action: select Quarantine risk or Delete risk.
D. Highlight Joke Programs - if Override actions configured for Security Risks is checked, for First action: select Quarantine risk or Delete risk.
E. Highlight Other - if Override actions configured for Security Risks is checked, for First action: select Quarantine risk or Delete risk.
F. Highlight Remote Access - if Override actions configured for Security Risks is checked, for First action: select Quarantine risk or Delete risk.
G. Highlight Spyware - if Override actions configured for Security Risks is checked, for First action: select Quarantine risk or Delete risk.
H. Highlight Trackware - if Override actions configured for Security Risks is checked, for First action: select Quarantine risk or Delete risk.
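The registry walk in the DTAS097 and DTAS098 checks, written out as an added example (not part of the STIG or of any Symantec tooling): it parses a `.reg` export and applies the top-level rule and the eight TCID parts to every ClientServerScheduledScan_X key under LocalScans. The sample export is constructed; the assumptions are that the three values are stored as REG_DWORD and that an OverrideDefaultActions value other than 0 or 1, which the checks do not describe, is flagged for manual review.

```python
import re

# Parts A-H of the checks and the TCID-n sub-key each one inspects (from the check text).
TCID_PARTS = {"A": 10, "B": 11, "C": 4, "D": 5, "E": 6, "F": 7, "G": 8, "H": 9}
ALLOWED = {1, 3}  # values the checks accept for FirstAction / SecondAction
LOCALSCANS = (r"HKEY_LOCAL_MACHINE\Software\Intel\Landesk\VirusProtect6"
              r"\CurrentVersion\LocalScans")

# Constructed sample in .reg export format; not taken from a real client.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Intel\Landesk\VirusProtect6\CurrentVersion\LocalScans\ClientServerScheduledScan_1\Expanded]
"FirstAction"=dword:00000001
"SecondAction"=dword:00000003

[HKEY_LOCAL_MACHINE\Software\Intel\Landesk\VirusProtect6\CurrentVersion\LocalScans\ClientServerScheduledScan_1\Expanded\TCID-10]
"OverrideDefaultActions"=dword:00000001
"FirstAction"=dword:00000004
"SecondAction"=dword:00000003

[HKEY_LOCAL_MACHINE\Software\Intel\Landesk\VirusProtect6\CurrentVersion\LocalScans\ClientServerScheduledScan_1\Expanded\TCID-4]
"OverrideDefaultActions"=dword:00000000
"FirstAction"=dword:00000004

[HKEY_LOCAL_MACHINE\Software\Intel\Landesk\VirusProtect6\CurrentVersion\LocalScans\ClientServerScheduledScan_2\Expanded]
"FirstAction"=dword:00000004
"SecondAction"=dword:00000001
"""


def parse_reg_export(text):
    """Parse .reg export text into {lowercased key path: {lowercased name: int}}.

    Registry key and value names are case-insensitive, so both are lowercased.
    Only dword values are kept (REG_DWORD storage is an assumption).
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
            continue
        m = re.fullmatch(r'"([^"]+)"=dword:([0-9a-fA-F]{8})', line)
        if m and current is not None:
            current[m.group(1).lower()] = int(m.group(2), 16)
    return keys


def evaluate_scan(keys, scan_key, action):
    """Return the findings for one scan key; an empty list means not a finding."""
    expanded = scan_key.lower() + "\\expanded"
    name = action.lower()
    top = keys.get(expanded, {}).get(name)
    if top not in ALLOWED:
        # The checks stop here: the A-H parts only apply when the top value is 1 or 3.
        return [f"Expanded: {action} is {top!r}, expected 1 or 3"]
    findings = []
    for part, tcid in TCID_PARTS.items():
        sub = keys.get(f"{expanded}\\tcid-{tcid}", {})
        override = sub.get("overridedefaultactions")
        if override in (None, 0):
            continue  # 0 or absent: this part is compliant
        if override != 1:
            # Not covered by the check text; flagging it is this example's assumption.
            findings.append(f"part {part} (TCID-{tcid}): OverrideDefaultActions is "
                            f"{override}, review manually")
        elif sub.get(name) not in ALLOWED:
            findings.append(f"part {part} (TCID-{tcid}): override set, {action} is "
                            f"{sub.get(name)!r}, expected 1 or 3")
    return findings


def evaluate_all_scans(keys, action):
    """Evaluate every ClientServerScheduledScan_X key found under LocalScans."""
    pat = re.compile(re.escape(LOCALSCANS.lower()) + r"\\(clientserverscheduledscan_[^\\]+)")
    names = sorted({m.group(1) for k in keys if (m := pat.match(k))})
    return {n: evaluate_scan(keys, LOCALSCANS + "\\" + n, action) for n in names}


if __name__ == "__main__":
    parsed = parse_reg_export(SAMPLE_EXPORT)
    for action in ("FirstAction", "SecondAction"):
        for scan, findings in evaluate_all_scans(parsed, action).items():
            print(action, scan, "finding" if findings else "not a finding", findings)
```

`evaluate_scan` can also be pointed at a Custom Tasks\{TaskID} key from an HKCU export. Registry Editor writes version 5.00 exports as UTF-16, so decode the file before passing its text in.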

The antivirus signature file age exceeds 7 days.
High - V-19910 - SV-22086r1_rule
RMF Control
Severity
High
CCI
Version
DTAG008
Vuln IDs
  • V-19910
Rule IDs
  • SV-22086r1_rule
Antivirus signature files are updated almost daily by antivirus software vendors. These files are made available to antivirus clients as they are published. Keeping virus signature files as current as possible is vital to the security of any system. Note: If the vendor or trusted site’s files match the date of the signature files on the machine, this is not a finding. System Administrator
Checks: C-25626r1_chk

Locate Symantec AntiVirus icon in system tray. Click icon to open Symantec AntiVirus configuration screen. Observe "Virus Definitions File" area. Criteria: If the "Version:" date is older than 7 calendar Note: If the vendor or trusted site’s files are also older than 7 days and match the date of the signature files on the machine, this is not a finding.

Fix: F-20638r1_fix

Update the antivirus signature file as your local process describes, e.g., autoupdate or LiveUpdate.