View STIG - Symantec AntiVirus Managed Client V4R1

b

The Symantec Antivirus is not configured to restart for configuration changes.

Medium - V-6359 - SV-21120r1_rule

RMF Control

Severity

Medium

CCI

Version

DTAS002

Vuln IDs

V-6359

Rule IDs

SV-21120r1_rule

Without an automatic restart, changes to the virus protection will not be in effect until a reboot of the machine. System Administrator

Checks: C-23153r1_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\ INTEL\LANDesk\VirusProtect6\CurrentVersion\ Storages\Filesystem\RealTimeScan Criteria: If the value of ConfigRestart is 1, this is not a finding.

Fix: F-19834r1_fix

From the Symantec Enterprise Server, Symantec System Center Console: select System Hierarchy -> select [applicable "Server Group"] -> select [applicable "Client Group"] (right click) -> All Tasks -> Symantec Antivirus -> Client Auto-Protect Options -> File System tab -> Advanced -> In the Changes requiring Auto-protect reload area, select “Stop and reload Auto-Protect”.

c

The Symantec Antivirus autoprotect parameter is incorrect.

High - V-6360 - SV-23671r1_rule

RMF Control

Severity

High

CCI

Version

DTAS003

Vuln IDs

V-6360

Rule IDs

SV-23671r1_rule

Without autoprotect, the virus scan is not scanning files as they are being accessed. System Administrator

Checks: C-1059r2_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\ INTEL\LANDesk\VirusProtect6\CurrentVersion\ Storages\Filesystem\RealTimeScan Criteria: If the value of OnOff is 1, this is not a finding.

Fix: F-19835r1_fix

From the Symantec Enterprise Server, Symantec System Center Console: select System Hierarchy -> select [applicable "Server Group"] -> select [applicable "Client Group"] (right click) -> All Tasks -> Symantec Antivirus -> Client Auto-Protect Options -> File System tab -> select “Enable Auto-Protect”.

b

The Symantec Antivirus auto protect-All Files configuration is incorrect.

Medium - V-6361 - SV-21118r1_rule

RMF Control

Severity

Medium

CCI

Version

DTAS004

Vuln IDs

V-6361

Rule IDs

SV-21118r1_rule

All files must be included in virus scans for the scans to be effective. System Administrator

Checks: C-1061r3_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\ INTEL\LANDesk\VirusProtect6\CurrentVersion\ Storages\Filesystem\RealTimeScan Criteria: If the value of FileType is 0, this is not a finding.

Fix: F-19836r1_fix

From the Symantec Enterprise Server, Symantec System Center Console: select System Hierarchy -> select [applicable "Server Group"] -> select [applicable "Client Group"] (right click) -> All Tasks -> Symantec Antivirus -> Client Auto-Protect Options -> File System tab -> in the File Types area, select “All Types”.

b

The Symantec Antivirus display message parameter is incorrect.

Medium - V-6362 - SV-21117r1_rule

RMF Control

Severity

Medium

CCI

Version

DTAS006

Vuln IDs

V-6362

Rule IDs

SV-21117r1_rule

Without an appropriate message when an infection is found, the user will not know there is a virus. System Administrator

Checks: C-1087r2_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\ INTEL\LANDesk\VirusProtect6\CurrentVersion\ Storages\Filesystem\RealTimeScan Criteria: If the value of MessageBox is 1, this is not a finding.

Fix: F-19837r1_fix

From the Symantec Enterprise Server, Symantec System Center Console: select System Hierarchy -> select [applicable "Server Group"] -> select [applicable "Client Group"] (right click) -> All Tasks -> Symantec Antivirus -> Client Auto-Protect Options -> File System tab -> Notifications -> Detections Options -> Select “Display notification message on infected computer”.

b

The Symantec Antivirus exclude files configuration is incorrect.

Medium - V-6363 - SV-21116r1_rule

RMF Control

Severity

Medium

CCI

Version

DTAS007

Vuln IDs

V-6363

Rule IDs

SV-21116r1_rule

The “Exclude selected files and folders” is used to exclude files and folders from a scan. This requirement maintains that no files or folders are excluded from the scan by ensuring that this attribute is not selected. System Administrator

Checks: C-1090r2_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\ INTEL\LANDesk\VirusProtect6\CurrentVersion\ Storages\Filesystem\RealTimeScan Criteria: If the value of ExcludedByExtensions is 0, this is not a finding.

Fix: F-19838r1_fix

From the Symantec Enterprise Server, Symantec System Center Console: select System Hierarchy -> select [applicable "Server Group"] -> select [applicable "Client Group"] (right click) -> All Tasks -> Symantec Antivirus -> Client Auto-Protect Options -> File System tab -> In the Options area, de-select “Exclude selected files and folders”.

b

The Symantec Antivirus autoprotect read parameter is incorrect.

Medium - V-6368 - SV-21121r1_rule

RMF Control

Severity

Medium

CCI

Version

DTAS012

Vuln IDs

V-6368

Rule IDs

SV-21121r1_rule

Without this parameter, files that are accessed by the user will not be checked for viruses. System Administrator

Checks: C-1168r2_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\ INTEL\LANDesk\VirusProtect6\CurrentVersion\ Storages\Filesystem\RealTimeScan Criteria: If the value of Reads is 1, this is not a finding.

Fix: F-19839r1_fix

From the Symantec Enterprise Server, Symantec System Center Console: select System Hierarchy -> select [applicable "Server Group"] -> select [applicable "Client Group"] (right click) -> All Tasks -> Symantec Antivirus -> Client Auto-Protect Options -> File System tab -> Advanced -> In the Scan files when area, select “Accessed or modified (scan on create, open, move, copy, or run)".

b

The Symantec Antivirus AutoProtect parameter for backup options is incorrect.

Medium - V-6369 - SV-21122r1_rule

RMF Control

Severity

Medium

CCI

Version

DTAS013

Vuln IDs

V-6369

Rule IDs

SV-21122r1_rule

Without setting this parameter, a copy of the file will not be saved before trying to remove the virus. System Administrator

Checks: C-1170r2_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\ INTEL\LANDesk\VirusProtect6\CurrentVersion\ Storages\Filesystem\RealTimeScan Criteria: If the value of BackupToQuarantine is 1, this is not a finding.

Fix: F-19840r1_fix

From the Symantec Enterprise Server, Symantec System Center Console: select System Hierarchy -> select [applicable "Server Group"] -> select [applicable "Client Group"] (right click) -> All Tasks -> Symantec Antivirus -> Client Auto-Protect Options -> File System tab -> Advanced -> In the Backup Options area, select “Back up file before attempting to repair”.

b

The Symantec Antivirus AutoProtect parameter for autoenabler is incorrect.

Medium - V-6370 - SV-21143r1_rule

RMF Control

Severity

Medium

CCI

Version

DTAS014

Vuln IDs

V-6370

Rule IDs

SV-21143r1_rule

If virus checking is turned off, this parameter will turn it back on after 5 minutes. This will ensure the virus checking program will remain on even if the user turns it off. System Administrator

Checks: C-1174r4_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\ INTEL\LANDesk\VirusProtect6\CurrentVersion\ Storages\Filesystem\RealTimeScan Criteria: If the value of APEOn is 1 and the value of APESleep is <=5 , this is not a finding. If APESleep is > 5 or APEOn is not 1, this is a finding.

Fix: F-19907r1_fix

From the Symantec Enterprise Server, Symantec System Center Console: select System Hierarchy -> select [applicable "Server Group"] -> select [applicable "Client Group"] (right click) -> All Tasks -> Symantec Antivirus -> Client Auto-Protect Options -> File System tab -> Advanced -> In the Automatic enabler area, select “When Auto-Protect is disabled, enable after:”. Additionally, select minutes must be <= 5.

b

The Symantec Antivirus AutoProtect parameter for floppies is incorrect.

Medium - V-6371 - SV-21123r1_rule

RMF Control

Severity

Medium

CCI

Version

DTAS015

Vuln IDs

V-6371

Rule IDs

SV-21123r1_rule

This parameter determines whether floppy disk are checked for viruses. System Administrator

Checks: C-1177r3_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\ INTEL\LANDesk\VirusProtect6\CurrentVersion\Storages\Filesystem\RealTimeScan Criteria: If the value of ScanFloppyBRonAccess is 1, this is not a finding.

Fix: F-19841r1_fix

From the Symantec Enterprise Server, Symantec System Center Console: select System Hierarchy -> select [applicable "Server Group"] -> select [applicable "Client Group"] (right click) -> All Tasks -> Symantec Antivirus -> Client Auto-Protect Options -> File System tab -> Advanced -> Floppies -> In the Floppy settings area, select “Check floppies for boot viruses upon access”.

b

The Symantec Antivirus AutoProtect parameter for Boot virus is incorrect.

Medium - V-6372 - SV-21124r1_rule

RMF Control

Severity

Medium

CCI

Version

DTAS016

Vuln IDs

V-6372

Rule IDs

SV-21124r1_rule

This parameter tells the antivirus program what to do when a boot virus is found. System Administrator

Checks: C-1182r2_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\ INTEL\LANDesk\VirusProtect6\CurrentVersion\ Storages\Filesystem\RealTimeScan Criteria: If the value of FloppyBRAction is 5, this is not a finding.

Fix: F-19842r1_fix

From the Symantec Enterprise Server, Symantec System Center Console: select System Hierarchy -> select [applicable "Server Group"] -> select [applicable "Client Group"] (right click) -> All Tasks -> Symantec Antivirus -> Client Auto-Protect Options -> File System tab -> Advanced -> Floppies -> In the Floppy settings area; select in the When a boot virus is found pull down menu, select “Clean virus from boot record”.

b

The Symantec Antivirus AutoProtect parameter for check floppy at shutdown is incorrect.

Medium - V-6374 - SV-21125r1_rule

RMF Control

Severity

Medium

CCI

Version

DTAS017

Vuln IDs

V-6374

Rule IDs

SV-21125r1_rule

This checks floppy drives at shutdown time. System Administrator

Checks: C-1240r3_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\ INTEL\LANDesk\VirusProtect6\CurrentVersion\ Storages\Filesystem\RealTimeScan Criteria: For Version 9.x If the value of SkipFloppyBRonAccess is 0, this is not a finding. For Version 10.x If the value of SkipShutDownFloppyCheck is 0x0, this is not a finding.

Fix: F-19844r1_fix

From the Symantec Enterprise Server, Symantec System Center Console: select System Hierarchy -> select [applicable "Server Group"] -> select [applicable "Client Group"] (right click) -> All Tasks -> Symantec Antivirus -> Client Auto-Protect Options -> File System tab -> Advanced -> Floppies -> In the Floppy settings area, de-select (uncheck) “Do not check floppies upon system shutdown”.

b

The Symantec Antivirus email parameter for Boot sectors is incorrect.

Medium - V-6375 - SV-21126r1_rule

RMF Control

Severity

Medium

CCI

Version

DTAS020

Vuln IDs

V-6375

Rule IDs

SV-21126r1_rule

This parameter controls whether or not email is scanned. System Administrator

Checks: C-1243r4_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\ INTEL\LANDesk\VirusProtect6\CurrentVersion\ Storages\EmailName\RealTimeScan Criteria: If the value of OnOff is 1, this is not a finding. Note: This check is for email clients. Substitute your email application name (InternetMail, LotusNotes, or MicrosoftExchangeClient) into the registry string indicated by EmailName. If email client is not installed, this check is NA.

Fix: F-19845r1_fix

From the Symantec Enterprise Server, Symantec System Center Console: select System Hierarchy -> select [applicable "Server Group"] -> select [applicable "Client Group"] (right click) -> All Tasks -> Symantec Antivirus -> Client Auto-Protect Options -> email name tab (where “email name” is the email client type; options are Internet E-mail, Lotus Notes, or Microsoft Exchange) -> select “Enable “email name” Auto-Protect”.

b

The Symantec Antivirus email client parameter for all files is incorrect.

Medium - V-6376 - SV-21128r1_rule

RMF Control

Severity

Medium

CCI

Version

DTAS021

Vuln IDs

V-6376

Rule IDs

SV-21128r1_rule

This controls whether or not files are checked for viruses. System Administrator

Checks: C-1248r4_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\ INTEL\LANDesk\VirusProtect6\CurrentVersion\ Storages\EmailName\RealTimeScan Criteria: If the value of FileType is 0, this is not a finding. Note: This check is for email clients. Substitute your email application name (InternetMail, LotusNotes, or MicrosoftExchangeClient) into the registry string indicated by EmailName. If email client is not installed, this check is NA.

Fix: F-19846r1_fix

From the Symantec Enterprise Server, Symantec System Center Console: select System Hierarchy -> select [applicable "Server Group"] -> select [applicable "Client Group"] (right click) -> All Tasks -> Symantec Antivirus -> Client Auto-Protect Options -> email name tab (where “email name” is the email client type; options are Internet E-mail, Lotus Notes, or Microsoft Exchange) -> In the File Types area, select “All types”.

b

The Symantec Antivirus email client parameter for compressed files is incorrect.

Medium - V-6383 - SV-21130r1_rule

RMF Control

Severity

Medium

CCI

Version

DTAS029

Vuln IDs

V-6383

Rule IDs

SV-21130r1_rule

This controls what happens when the program encounters compressed files. System Administrator

Checks: C-1922r4_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\ INTEL\LANDesk\VirusProtect6\CurrentVersion\ Storages\EmailName\RealTimeScan Criteria: If the value of ZipFile is 1, this is not a finding. Note: This check is for email clients. Substitute your email application name (InternetMail, LotusNotes, or MicrosoftExchangeClient) into the registry string indicated by EmailName. If email client is not installed, this check is NA.

Fix: F-19847r1_fix

From the Symantec Enterprise Server, Symantec System Center Console: select System Hierarchy -> select [applicable "Server Group"] -> select [applicable "Client Group"] (right click) -> All Tasks -> Symantec Antivirus -> Client Auto-Protect Options -> email name tab (where “email name” is the email client type; options are Internet E-mail, Lotus Notes, or Microsoft Exchange) -> Advanced ->In the When scanning inside compressed files area, select “Scan files inside compressed files”.

b

The Symantec AntiVirus CE History Options parameters are not configured as required.

Medium - V-6384 - SV-23672r1_rule

RMF Control

Severity

Medium

CCI

Version

DTAS030

Vuln IDs

V-6384

Rule IDs

SV-23672r1_rule

This parameter deteremines the log history of the antivirus program. System Administrator

Checks: C-1924r4_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\INTEL\LANDesk\VirusProtect6\CurrentVersion and determine the value data for the LogFileRollOverDays and LogFrequency values. Criteria: If the value data for the LogFileRollOverDays values is not 1e (the hex value for 30) or higher, this is a Finding. If the value data for the LogFrequency value is not 0 (the number zero), this is a Finding. Note: The LogFileRollOverDays and LogFrequency values are not created through a default product installation. The absence of these values is considered a Finding, because it allows the vendor default to be used and that value could be changed through vendor maintenance.

Fix: F-19848r1_fix

From the Symantec Enterprise Server, Symantec System Center Console: select System Hierarchy -> select [applicable "Server Group"] -> select [applicable "Client Group"] (right click) -> All Tasks -> Symantec Antivirus -> Configure History ->In the History Options - Delete histories area, select “Delete after” 30 days or longer time period.

b

The Symantec Antivirus is not scheduled to autoupdate.

Medium - V-6385 - SV-23673r1_rule

RMF Control

Severity

Medium

CCI

Version

DTAS031

Vuln IDs

V-6385

Rule IDs

SV-23673r1_rule

This parameter controls the automation of updates to the signature files System Administrator

Checks: C-23187r1_chk

This is a two part check.The primary server must be checked to ensure that it is being updated as required. From the Symantec Enterprise Server- Symantec System Center Console - System Center Console on the Enterprise Server: System Hierarchy -> select (right click) Primary Server -> All Tasks -> Symantec Antivirus -> Virus Definition Manager -> Configure -> "Schedule for automatic updates" is checked -> Select Schedule: ensure the update is scheduled on at least a weekly basis. SECOND, the client configuration must be checked. From the System Center Console on the Enterprise Server select System Hierarchy -> select [applicable "Server Group"] -> select [applicable "Client Group"] (right click) -> All Tasks -> Symantec Antivirus -> Virus Definition Manager -> If "Update virus definitions from parent server" is checked, the Schedule is not necessary. If “Schedule for automated updates using LiveUpdate" is checked -> select Schedule: ensure the update is scheduled on at least a weekly basis. Criteria: If the Schedule for Automatic Updates is defined for at least a weekly update, this is not a finding.

Fix: F-19849r1_fix

This is a two part check. FIRST, the primary server must be checked to ensure that it is being updated as required. From the Symantec Enterprise Server- Symantec System Center Console - System Center Console on the Enterprise Server: System Hierarchy -> select (right click) Primary Server -> All Tasks -> Symantec Antivirus -> Virus Definition Manager -> Configure -> select "Schedule for automatic updates" -> select Schedule: select the update to be scheduled on at least a weekly basis. SECOND, the client configuration must be checked. From the System Center Console on the Enterprise Server, select System Hierarchy -> select [applicable "Server Group"] -> select [applicable "Client Group"] (right click) -> All Tasks -> Symantec Antivirus -> Virus Definition Manager -> If "Update virus definitions from parent server" is checked, checking the Schedule is not necessary. If “Schedule for automated updates using LiveUpdate" is checked -> select Schedule: Ensure the update is scheduled on at least a weekly basis.

b

There is no Symantec Antivirus Scheduled Scans or Startup Scans task configured to scan local drive(s) at least weekly.

Medium - V-6386 - SV-21132r1_rule

RMF Control

Severity

Medium

CCI

Version

DTAS032

Vuln IDs

V-6386

Rule IDs

SV-21132r1_rule

This controls the automatic scan of all local drives. System Administrator

Checks: C-23192r1_chk

From the Symantec Enterprise Server, Symantec System Center Console: A determination of the existence of a weekly scan must be made. Select System Hierarchy -> select [applicable "Server Group"] -> select [applicable "Client Group"] (right click) -> All Tasks -> Symantec Antivirus -> Scheduled Scans -> In the Client Scans area, if there are no scans (at least weekly) defined, one must be created. To make this determination on the client machine, navigate to the following registry key: HKLM\Software\Intel\Landesk\VirusProtect6\CurrentVersion\LocalScans. Review the ClientServerScheduledScan_1\Schedule key. This key contains a value for Type that determines the frequency of the scan. If the value for this key is a 1 or a 2, this is a daily or a weekly scan. Note: In the key ClientServerScheduledScan_1, the 1 indicates the entry number for the scan. It may be necessary to review all ClientServerScheduledScan_X keys in the LocalScans branch to evaluate this check as each ClientServerScheduledScan_X may have a different frequency. Make note of the ClientServerScheduledScan_X weekly scan key as this will be the key used in following weekly scan checks. Criteria: If the value of Type is 1 or 2 and the value of Enabled is 1, this is not a finding.

Fix: F-19851r1_fix

From the Symantec Enterprise Server, Symantec System Center Console: A determination of the existence of a weekly scan must be made. Select System Hierarchy -> select [applicable "Server Group"] -> select [applicable "Client Group"] (right click) -> All Tasks -> Symantec Antivirus -> Scheduled Scans -> In the Client Scans area, examine the entries in this list. Under the When column, the schedule for each scan can be determined. If no weekly scan exists, one must be created. Select New -> in the Name: “provide scan name” -> select Enable scan -> select Frequency of at least weekly. Criteria: If a weekly scan exists, this is not a finding.

b

The Symantec Antivirus weekly scan parameter for all files is incorrect.

Medium - V-6387 - SV-23675r1_rule

RMF Control

Severity

Medium

CCI

Version

DTAS037

Vuln IDs

V-6387

Rule IDs

SV-23675r1_rule

This parameter ensures all files are scanned during the weekly scan. System Administrator

Checks: C-23194r1_chk

From the Symantec Enterprise Server - Symantec System Center Console, review each Scheduled Scan. From the Symantec System Center Console, select System Hierarchy -> select [applicable "Server Group"] -> select [applicable "Client Group"] (right click) -> All Tasks -> Symantec Antivirus -> Scheduled Scans -> Highlight the client server “weekly scan” -> select Edit -> select Scan Settings -> In the File types area, ensure “All Types” is selected. Criteria: If the option “All Types” is selected, this is not a finding. To make this determination on the client machine, navigate to the following registry key: HKLM\Software\Intel\Landesk\VirusProtect6\CurrentVersion\LocalScans. Review the ClientServerScheduledScan_1 key. Note: In the key ClientServerScheduledScan_1, the 1 indicates the entry number for the scan. It may be necessary to review all ClientServerScheduledScan_X keys in the LocalScans branch to evaluate this check. Criteria: If the value of FileType is 1, this is not a finding.

Fix: F-19852r1_fix

From the Symantec Enterprise Server- Symantec System Center Console, review each Scheduled Scan. Select System Hierarchy -> select [applicable "Server Group"] -> select [applicable "Client Group"] (right click) -> All Tasks -> Symantec Antivirus -> Scheduled Scans -> Highlight the client server “weekly scan” -> select Edit -> select Scan Settings -> select “All Types”.

b

The Symantec Antivirus weekly scan parameter for memory enabled is incorrect.

Medium - V-6388 - SV-23705r1_rule

RMF Control

Severity

Medium

CCI

Version

DTAS040

Vuln IDs

V-6388

Rule IDs

SV-23705r1_rule

This parameter ensures memory is scanned during the weekly scan. System Administrator

Checks: C-23198r1_chk

From the Symantec Enterprise Server- Symantec System Center Console, review each Scheduled Scan. From the Enterprise Console select System Hierarchy -> select [applicable "Server Group"] -> select [applicable "Client Group"] (right click) -> All Tasks -> Symantec Antivirus -> Scheduled Scans -> Highlight the client server “weekly scan” -> select Edit -> select Scan Settings -> In the Scan settings area, ensure “Memory” is selected. Criteria: If the option “Memory” is selected, this is not a finding. To make this determination on the client machine, navigate to the following registry key: HKLM\Software\Intel\Landesk\VirusProtect6\CurrentVersion\LocalScans\ClientServerScheduledScan_1. Note: In the key ClientServerScheduledScan_1, the 1 indicates the entry number for the scan. It may be necessary to review all ClientServerScheduledScan_X keys in the LocalScans branch to evaluate this check. Criteria: If the value of ScanProcess is 1, this is not a finding.

Fix: F-19853r1_fix

From the Symantec Enterprise Server- Symantec System Center Console, select System Hierarchy -> select [applicable "Server Group"] -> select [applicable "Client Group"] (right click) -> All Tasks -> Symantec Antivirus -> Scheduled Scans -> Highlight the client server weekly scan -> select Edit -> select Scan Settings -> select “Memory”.

b

The Symantec Antivirus weekly scan parameter for messages is incorrect.

Medium - V-6389 - SV-21058r1_rule

RMF Control

Severity

Medium

CCI

Version

DTAS041

Vuln IDs

V-6389

Rule IDs

SV-21058r1_rule

This parameter ensures that appropriate messages are displayed if a virus is found. System Administrator

Checks: C-23199r1_chk

From the Symantec Enterprise Server- Symantec System Center Console - select System Hierarchy -> select [applicable "Server Group"] -> select [applicable "Client Group"] (right click) -> All Tasks -> Symantec Antivirus -> Scheduled Scans -> Highlight the client server weekly scan -> select Edit -> select Scan Settings -> select Notifications -> Ensure “Display notification message on infected computer” is selected. Criteria: If “Display notification message on infected computer” is selected, this is not a finding. To make this determination on the client machine, navigate to the following registry key: HKLM\Software\Intel\Landesk\VirusProtect6\CurrentVersion\LocalScans\ClientServerScheduledScan_1. Note: In the key ClientServerScheduledScan_1, the 1 indicates the entry number for the scan. It may be necessary to review all ClientServerScheduledScan_X keys in the LocalScans branch to evaluate this check. Criteria: If the value of MessageBox is 1, this is not a finding.

Fix: F-19854r1_fix

From the Symantec Enterprise Server- Symantec System Center Console - select System Hierarchy -> select [applicable "Server Group"] -> select [applicable "Client Group"] (right click) -> All Tasks -> Symantec Antivirus -> Scheduled Scans -> Highlight the client server weekly scan -> select Edit -> select Scan Settings -> select Notifications -> select “Display notification message on infected computer”.

b

The Symantec Antivirus weekly scan parameter for exclude files is incorrect.

Medium - V-6390 - SV-21059r1_rule

RMF Control

Severity

Medium

CCI

Version

DTAS042

Vuln IDs

V-6390

Rule IDs

SV-21059r1_rule

This parameter controls which files are excluded from the weekly scan. System Administrator

Checks: C-23200r1_chk

From the Symantec Enterprise Server- Symantec System Center Console - select System Hierarchy -> select [applicable "Server Group"] -> select [applicable "Client Group"] (right click) -> All Tasks -> Symantec Antivirus -> Scheduled Scans -> Highlight the client server weekly scan -> select Edit -> select Scan Settings -> Ensure that “Exclude files and folders” is unchecked. Note: If “Exclude files and folders” is checked, select the Exclusions tab File/Folders button and validate that no local drives are being excluded from the scan. Criteria: If the “Exclude files and folders” is not selected, this is not a finding. To make this determination on the client machine, navigate to the following registry key: HKLM\Software\Intel\Landesk\VirusProtect6\CurrentVersion\LocalScans\ClientServerScheduledScan_1. Note: In the key ClientServerScheduledScan_1, the 1 indicates the entry number for the scan. It may be necessary to review all ClientServerScheduledScan_X keys in the LocalScans branch to evaluate this check. Criteria: If the value of ExcludeByExtensions, HaveExceptionDirs, and HaveExceptionFiles is 0, this is not a finding.

Fix: F-19855r1_fix

From the Symantec Enterprise Server- Symantec System Center Console - select System Hierarchy -> select [applicable "Server Group"] -> select [applicable "Client Group"] (right click) -> All Tasks -> Symantec Antivirus -> Scheduled Scans -> Highlight the client server weekly scan -> select Edit -> select Scan Settings -> check that “Exclude files and folders” is unchecked. Note: If “Exclude files and folders” is checked, select the Exclusions tab File/Folders button and validate that no local drives are being excluded from the scan.

b

The Symantec Antivirus weekly scan parameter for compressed files is incorrect.

Medium - V-6395 - SV-21134r1_rule

RMF Control

Severity

Medium

CCI

Version

DTAS047

Vuln IDs

V-6395

Rule IDs

SV-21134r1_rule

This parameter ensures that compressed files are scanned for viruses during the weekly scan. System Administrator

Checks: C-23201r1_chk

From the Symantec Enterprise Server- Symantec System Center Console - select System Hierarchy -> select [applicable "Server Group"] -> select [applicable "Client Group"] (right click) -> All Tasks -> Symantec Antivirus -> Scheduled Scans -> Highlight the client server weekly scan -> select Edit -> select Scan Settings -> Advanced -> Observe that “Scan files inside compressed files” is selected. Criteria: If the option “Scan files inside compressed files” is selected, this is not a finding. To determine this on the client machine, navigate to the following registry key: HKLM\Software\Intel\Landesk\VirusProtect6\CurrentVersion\LocalScans\ClientServerScheduledScan_1. Note: In the key ClientServerScheduledScan_1, the 1 indicates the entry number for the scan. It may be necessary to review all ClientServerScheduledScan_X keys in the LocalScans branch to evaluate this check. Criteria: If the value of ZipFiles is 1, this is not a finding.

Fix: F-19856r1_fix

From the Symantec Enterprise Server- Symantec System Center Console - select System Hierarchy -> select [applicable "Server Group"] -> select [applicable "Client Group"] (right click) -> All Tasks -> Symantec Antivirus -> Scheduled Scans -> Highlight the client server weekly scan -> select Edit -> select Scan Settings -> Advanced -> select “Scan files inside compressed files”.

b

The Symantec Antivirus weekly scan parameter for backup files is incorrect.

Medium - V-6396 - SV-21554r1_rule

RMF Control

Severity

Medium

CCI

Version

DTAS048

Vuln IDs

V-6396

Rule IDs

SV-21554r1_rule

This parameter controls the action of backing up files to a quarantine area during the weekly scan. System Administrator

Checks: C-23202r1_chk

From the Symantec Enterprise Server- Symantec System Center Console - select System Hierarchy -> select [applicable "Server Group"] -> select [applicable "Client Group"] (right click) -> All Tasks -> Symantec Antivirus -> Scheduled Scans -> Highlight the client server weekly scan -> select Edit -> select Scan Settings -> Advanced -> Remote Options area, Backup options, ensure that the option for “Backup file before attempting repair” is selected. Criteria: If the option ““Backup file before attempting repair” is selected, this is not a finding. To evaluate this on the client machine, navigate to the following key: HKLM\Software\Intel\Landesk\VirusProtect6\CurrentVersion\LocalScans\ClientServerScheduledScan_1. Note: In the key ClientServerScheduledScan_1, the 1 indicates the entry number for the scan. It may be necessary to review all ClientServerScheduledScan_X keys in the LocalScans branch to evaluate this check. Criteria: If the value of BackupToQuarantine is 1, this is not a finding.

Fix: F-19857r1_fix

From the Symantec Enterprise Server- Symantec System Center Console - select System Hierarchy -> select [applicable "Server Group"] -> select [applicable "Client Group"] (right click) -> All Tasks -> Symantec Antivirus -> Scheduled Scans -> Highlight the client server weekly scan -> select Edit -> select Scan Settings -> Advanced -> Remote Options area, Backup options, select “Backup file before attempting repair.”

b

The Symantec Antivirus weekly scan parameter for scan lock is incorrect.

Medium - V-6397 - SV-23676r1_rule

RMF Control

Severity

Medium

CCI

Version

DTAS050

Vuln IDs

V-6397

Rule IDs

SV-23676r1_rule

This parameter ensures that users cannot stop the weekly scan. System Administrator

Checks: C-23204r1_chk

From the Symantec Enterprise Server- Symantec System Center Console - select System Hierarchy -> select [applicable "Server Group"] -> select [applicable "Client Group"] (right click) -> All Tasks -> Symantec Antivirus -> Scheduled Scans -> Highlight the client server weekly scan -> select Edit -> select Scan Settings -> Advanced -> in Remote Options area, ensure “Allow user to stop scan” is unchecked. Criteria: If the option for “Allow user to stop scan" is not selected, this is not a finding. To evaluate this check on the client machine, navigate to the following registry key: HKLM\Software\Intel\Landesk\VirusProtect6\CurrentVersion\LocalScans\ClientServerScheduledScan_1. Note: In the key ClientServerScheduledScan_1, the 1 indicates the entry number for the scan. It may be necessary to review all ClientServerScheduledScan_X keys in the LocalScans branch to evaluate this check. Criteria: If the value of ScanLocked is 1, this is not a finding.

Fix: F-19858r1_fix

From the Symantec Enterprise Server- Symantec System Center Console - select System Hierarchy -> select [applicable "Server Group"] -> select [applicable "Client Group"] (right click) -> All Tasks -> Symantec Antivirus -> Scheduled Scans -> Highlight the client server weekly scan -> select Edit -> select Scan Settings -> Advanced -> In the Remote Options area, ensure that “Allow user to stop scan” is unchecked.

b

The Symantec Antivirus autoprotect parameter for Block Security Risks is incorrect.

Medium - V-14477 - SV-21062r1_rule

RMF Control

Severity

Medium

CCI

Version

DTAS060

Vuln IDs

V-14477

Rule IDs

SV-21062r1_rule

The parameter checks and blocks various types of spyware. Without the correct setting, the program will not block the various types of spyware. System Administrator

Checks: C-12398r2_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\ INTEL\LANDesk\VirusProtect6\CurrentVersion\ Storages\Filesystem\RealTimeScan Criteria: If the value of APBlockingSecurityRisks is 1, this is not a finding. This check applies to version 10.x only.

Fix: F-19859r1_fix

From the Symantec Enterprise Server, Symantec System Center Console: select System Hierarchy -> select [applicable "Server Group"] -> select [applicable "Client Group"] (right click) -> All Tasks -> Symantec Antivirus -> Client Auto-Protect Options -> File System tab -> in the Options area, select “Block security risks”.

b

The Symantec Antivirus autoprotect parameter for scan for security risks is incorrect.

Medium - V-14481 - SV-21063r1_rule

RMF Control

Severity

Medium

CCI

Version

DTAS061

Vuln IDs

V-14481

Rule IDs

SV-21063r1_rule

The AntiVirus has a security risk policy that can be modified/customized for each site. Without Auto-Protect running, these risk polices cannot be scanned and the risk detected. System Administrator

Checks: C-12405r2_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\ INTEL\LANDesk\VirusProtect6\CurrentVersion\ Storages\Filesystem\RealTimeScan Criteria: If the value of RespondToThreats is 3, this is not a finding. This check applies to version 10.x only.

Fix: F-19860r1_fix

From the Symantec Enterprise Server, Symantec System Center Console: select System Hierarchy -> select [applicable "Server Group"] -> select [applicable "Client Group"] (right click) -> All Tasks -> Symantec Antivirus -> Client Auto-Protect Options -> File System tab -> in the Options area, select “Scan for security risks”.

b

The Symantec Antivirus autoprotect parameter for Delete Infected Files on Creation is incorrect.

Medium - V-14482 - SV-21064r1_rule

RMF Control

Severity

Medium

CCI

Version

DTAS062

Vuln IDs

V-14482

Rule IDs

SV-21064r1_rule

The Symantec Antivirus autoprotect parameter for Delete Infected Files on Creation is incorrect. System Administrator

Checks: C-12406r2_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\ INTEL\LANDesk\VirusProtect6\CurrentVersion\ Storages\Filesystem\RealTimeScan Criteria: If the value of DeleteInfectedOnCreate is 1, this is not a finding. This check applies to version 10.x only.

Fix: F-19861r1_fix

From the Symantec Enterprise Server, Symantec System Center Console: select System Hierarchy -> select [applicable "Server Group"] -> select [applicable "Client Group"] (right click) -> All Tasks -> Symantec Antivirus -> Client Auto-Protect Options -> File System tab -> Advanced -> in the Scan files when area, select “For Leave Alone (Log only), delete infected files on creation”.

b

The Symantec AntiVirus Auto-Protect parameter for Threat Tracer is incorrect.

Medium - V-14591 - SV-21065r1_rule

RMF Control

Severity

Medium

CCI

Version

DTAS063

Vuln IDs

V-14591

Rule IDs

SV-21065r1_rule

Threat Tracer, provides insight into a threat source. System Administrator

Checks: C-12540r2_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\ INTEL\LANDesk\VirusProtect6\CurrentVersion\ Storages\Filesystem\RealTimeScan Criteria: If the value of ThreatTracerOnOff is 1, this is not a finding. This check applies to version 10.x only.

Fix: F-19862r1_fix

From the Symantec Enterprise Server, Symantec System Center Console: select System Hierarchy -> select [applicable "Server Group"] -> select [applicable "Client Group"] (right click) -> All Tasks -> Symantec Antivirus -> Client Auto-Protect Options -> File System tab -> Advanced -> in the Risk Tracer area, select “Enable Risk Tracer”.

b

The Symantec Antivirus autoprotect parameter for Bloodhound technology is incorrect.

Medium - V-14592 - SV-21066r1_rule

RMF Control

Severity

Medium

CCI

Version

DTAS064

Vuln IDs

V-14592

Rule IDs

SV-21066r1_rule

Bloodhound Virus detection scans outgoing email messages helps to prevent the spread of threats such as worms that can use email clients to replicate and distribute themselves across a network. System Administrator

Checks: C-12541r2_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\ INTEL\LANDesk\VirusProtect6\CurrentVersion\ Storages\Filesystem\RealTimeScan Criteria: If the value of Heuristics is 1, this is not a finding. This check applies to version 10.x only.

Fix: F-19863r1_fix

From the Symantec Enterprise Server, Symantec System Center Console: select System Hierarchy -> select [applicable "Server Group"] -> select [applicable "Client Group"] (right click) -> All Tasks -> Symantec Antivirus -> Client Auto-Protect Options -> File System tab -> Advanced -> in the Additional advanced options area, select Heuristics -> select “Enable Bloodhound™ virus detection technology”.

b

The Symantec Antivirus autoprotect parameter for Heuristics Level is incorrect.

Medium - V-14593 - SV-21135r1_rule

RMF Control

Severity

Medium

CCI

Version

DTAS065

Vuln IDs

V-14593

Rule IDs

SV-21135r1_rule

Heuristics analyzes a program's structure, its behavior, and other attributes for virus-like characteristics. In many cases, it can protect against threats such as mass-mailing worms and macro viruses, if you encounter them before updating your virus definitions. Advanced heuristics looks for script-based threats in HTML, VBScript, and JavaScript files. System Administrator

Checks: C-12542r2_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\ INTEL\LANDesk\VirusProtect6\CurrentVersion\ Storages\Filesystem\RealTimeScan Criteria: If the value of HeuristicsLevel is 2 or 3, this is not a finding. This check applies to version 10.x only.

Fix: F-19864r1_fix

From the Symantec Enterprise Server, Symantec System Center Console: select System Hierarchy -> select [applicable "Server Group"] -> select [applicable "Client Group"] (right click) -> All Tasks -> Symantec Antivirus -> Client Auto-Protect Options -> File System tab -> Advanced -> in the Additional advanced options area, select Heuristics -> select “Default level of protection” or “Maximum level of protection”.

b

The Symantec Antivirus autoprotect parameter for macro virus first action is incorrect.

Medium - V-14594 - SV-23677r1_rule

RMF Control

Severity

Medium

CCI

Version

DTAS066

Vuln IDs

V-14594

Rule IDs

SV-23677r1_rule

This setting is required for the Auto-Protect Macro virus First action policy. When a Macro virus is detected, the first action to be performed must be the option to delete risk, clean risk, or quarantine the risk. Information Assurance Officer

Checks: C-12543r2_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\ INTEL\LANDesk\VirusProtect6\CurrentVersion\ Storages\Filesystem\RealTimeScan Criteria: If the value of FirstMacroAction is 1, 3 or 5, this is not a finding.

Fix: F-19865r1_fix

From the Symantec Enterprise Server- Symantec System Center Console - select System Hierarchy -> select [applicable "Server Group"] -> select [applicable "Client Group"] (right click) -> All Tasks -> Symantec Antivirus -> Client Auto-Protect Options -> File System tab -> Actions -> Highlight Macro virus: First action:, select "Clean risk, Quarantine risk, or Delete risk".

b

The Symantec Antivirus autoprotect parameter for macro virus second action is incorrect.

Medium - V-14595 - SV-21068r1_rule

RMF Control

Severity

Medium

CCI

Version

DTAS067

Vuln IDs

V-14595

Rule IDs

SV-21068r1_rule

A program or code segment written in the internal macro language of an application. Some macros replicate, while others infect documents. After the first iteration, the file Book1 is inserted in the Excel Start directory to make sure that any newly opened files become infected. The virus then starts a second iteration through all workbooks and macros. During this second iteration any uninfected files are infected. System Administrator

Checks: C-12544r3_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\ INTEL\LANDesk\VirusProtect6\CurrentVersion\ Storages\Filesystem\RealTimeScan Criteria: If the value of SecondMacroAction is 1,3 or 5, this is not a finding.

Fix: F-19869r1_fix

From the Symantec Enterprise Server- Symantec System Center Console - select System Hierarchy -> select [applicable "Server Group"] -> select [applicable "Client Group"] (right click) -> All Tasks -> Symantec Antivirus -> Client Auto-Protect Options -> File System tab -> Actions -> Highlight Macro virus: If first action fails:, select "Clean risk, Quarantine risk, or Delete risk".

b

The Symantec Antivirus autoprotect parameter for non-macro first action virus is incorrect.

Medium - V-14596 - SV-21069r1_rule

RMF Control

Severity

Medium

CCI

Version

DTAS068

Vuln IDs

V-14596

Rule IDs

SV-21069r1_rule

A program or code segment written in the internal macro language of an application. Some macros replicate, while others infect documents. After the first iteration, the file Book1 is inserted in the Excel Start directory to make sure that any newly opened files become infected. The virus then starts a second iteration through all workbooks and macros. During this second iteration any uninfected files are infected. System Administrator

Checks: C-12545r2_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\ INTEL\LANDesk\VirusProtect6\CurrentVersion\ Storages\Filesystem\RealTimeScan Criteria: If the value of FirstAction is 1,3, or 5, this is not a finding

Fix: F-14053r2_fix

From the Symantec Enterprise Server- Symantec System Center Console - select System Hierarchy -> select [applicable "Server Group"] -> select [applicable "Client Group"] (right click) -> All Tasks -> Symantec Antivirus -> Client Auto-Protect Options -> File System tab -> Actions -> Highlight Non-Macro Virus: First Action:, select "Clean risk, Quarantine risk, or Delete risk".

b

The Symantec Antivirus autoprotect parameter for check non-macro second action is incorrect.

Medium - V-14597 - SV-21070r1_rule

RMF Control

Severity

Medium

CCI

Version

DTAS069

Vuln IDs

V-14597

Rule IDs

SV-21070r1_rule

A program or code segment written in the internal macro language of an application. Some macros replicate, while others infect documents. After the first iteration, the file Book1 is inserted in the Excel Start directory to make sure that any newly opened files become infected. The virus then starts a second iteration through all workbooks and macros. During this second iteration any uninfected files are infected. System Administrator

Checks: C-12546r2_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\ INTEL\LANDesk\VirusProtect6\CurrentVersion\ Storages\Filesystem\RealTimeScan Criteria: If the value of SecondAction is 1,3, or 5, this is not a finding.

Fix: F-19871r1_fix

From the Symantec Enterprise Server- Symantec System Center Console - select System Hierarchy -> select [applicable "Server Group"] -> select [applicable "Client Group"] (right click) -> All Tasks -> Symantec Antivirus -> Client Auto-Protect Options -> File System tab -> Actions -> Highlight Non-macro virus: If first action fails:, select "Clean risk, Quarantine risk, or Delete risk".

b

The Symantec Antivirus autoprotect parameter for Security Risks first action is incorrect.

Medium - V-14598 - SV-23678r1_rule

RMF Control

Severity

Medium

CCI

Version

DTAS070

Vuln IDs

V-14598

Rule IDs

SV-23678r1_rule

This setting is required for the Auto-Protect Security Risks First action policy. When a Security Risk is detected, the first action to be performed must be the option to delete risk, clean risk, or quarantine the risk. System Administrator

Checks: C-12547r3_chk

Procedure: This is a multiple step process to ensure compliance. Non-compliance points are identified throughout the procedures. Use the Windows Registry Editor to navigate to the following key: HKLM\Software\ INTEL\LANDesk\VirusProtect6\CurrentVersion\ Storages\Filesystem\RealTimeScan\Expanded Criteria: If the value of FirstAction is not 1 or 3, this is a finding. If the value FirstAction is 1 or 3, then check each of the following steps. Each of the 8 parts (A-H) must be in compliance for the vulnerability to be considered not a finding. A - If the value of OverrideDefaultActions within HKLM\Software\ INTEL\LANDesk\VirusProtect6 \CurrentVersion\Storages\Filesystem\RealTimeScan\Expanded\TCID-10 If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the FirstAction value within HKLM\Software\ INTEL\LANDesk\VirusProtect6 \CurrentVersion\Storages\Filesystem\RealTimeScan\Expanded\TCID-10 If the value is 1 or 3, this is compliant, otherwise this is a finding. B - If the value of OverrideDefaultActions within HKLM\Software\ INTEL\LANDesk\VirusProtect6 \CurrentVersion\Storages\Filesystem\RealTimeScan\Expanded\TCID-11 If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the FirstAction within HKLM\Software\ INTEL\LANDesk\VirusProtect6 \CurrentVersion\Storages\Filesystem\RealTimeScan\Expanded\TCID-11 If the value is 1 or 3, this is compliant, otherwise this is a finding. C - If the value of OverrideDefaultActions within HKLM\Software\ INTEL\LANDesk\VirusProtect6 \CurrentVersion\Storages\Filesystem\RealTimeScan\Expanded\TCID-4 If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the FirstAction within HKLM\Software\ INTEL\LANDesk\VirusProtect6 \CurrentVersion\Storages\Filesystem\RealTimeScan\Expanded\TCID-4 If the value is 1 or 3, this is compliant, otherwise this is a finding. D - If the value of OverrideDefaultActions within HKLM\Software\ INTEL\LANDesk\VirusProtect6 \CurrentVersion\Storages\Filesystem\RealTimeScan\Expanded\TCID-5 If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the FirstAction within HKLM\Software\ INTEL\LANDesk\VirusProtect6 \CurrentVersion\Storages\Filesystem\RealTimeScan\Expanded\TCID-5 If the value is 1 or 3, this is compliant, otherwise this is a finding. E - If the value of OverrideDefaultActions within HKLM\Software\ INTEL\LANDesk\VirusProtect6 \CurrentVersion\Storages\Filesystem\RealTimeScan\Expanded\TCID-6 If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the FirstAction within HKLM\Software\ INTEL\LANDesk\VirusProtect6 \CurrentVersion\Storages\Filesystem\RealTimeScan\Expanded\TCID-6 If the value is 1 or 3, this is compliant, otherwise this is a finding. F - If the value of OverrideDefaultActions within HKLM\Software\ INTEL\LANDesk\VirusProtect6 \CurrentVersion\Storages\Filesystem\RealTimeScan\Expanded\TCID-7 If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the FirstAction within HKLM\Software\ INTEL\LANDesk\VirusProtect6 \CurrentVersion\Storages\Filesystem\RealTimeScan\Expanded\TCID-7 If the value is 1 or 3, this is compliant, otherwise this is a finding. G - If the value of OverrideDefaultActions within HKLM\Software\ INTEL\LANDesk\VirusProtect6 \CurrentVersion\Storages\Filesystem\RealTimeScan\Expanded\TCID-8 If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the FirstAction within HKLM\Software\ INTEL\LANDesk\VirusProtect6 \CurrentVersion\Storages\Filesystem\RealTimeScan\Expanded\TCID-8 If the value is 1 or 3, this is compliant, otherwise this is a finding. H - If the value of OverrideDefaultActions within HKLM\Software\ INTEL\LANDesk\VirusProtect6 \CurrentVersion\Storages\Filesystem\RealTimeScan\Expanded\TCID-9 If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the FirstAction within HKLM\Software\ INTEL\LANDesk\VirusProtect6 \CurrentVersion\Storages\Filesystem\RealTimeScan\Expanded\TCID-9 If the value is 1 or 3, this is compliant, otherwise this is a finding.

Fix: F-19872r1_fix

From the Symantec Enterprise Server- Symantec System Center Console - select System Hierarchy -> select [applicable "Server Group"] -> select [applicable "Client Group"] (right click) -> All Tasks -> Symantec Antivirus -> Client Auto-Protect Options -> File System tab -> Actions -> Highlight Security Risks: under the Actions tab First action, select one of the following, “Quarantine risk” or “Delete risk”. If the selection for First action is “Quarantine risk” or “Delete risk”, continue with each of the following steps. Each of the 8 parts (A – H) must be in compliance for the vulnerability to be considered not a finding. A. Highlight Adware - if Override actions configured for Security Risks is checked, for First action, select Quarantine risk or Delete risk. B. Highlight Dialers - if Override actions configured for Security Risks is checked, for First action, select Quarantine risk or Delete risk. C. Highlight Hack Tools – if Override actions configured for Security Risks is checked, for First action, select Quarantine risk or Delete risk. D. Highlight Joke Programs – if Override actions configured for Security Risks is checked, for First action, select Quarantine risk or Delete risk. E. Highlight Other – if Override actions configured for Security Risks is checked, for First action, select Quarantine risk or Delete risk. F. Highlight Remote Access – if Override actions configured for Security Risks is checked, for First action, select Quarantine risk or Delete risk. G. Highlight Spyware – if Override actions configured for Security Risks is checked, for First action, select Quarantine risk or Delete risk. H. Highlight Trackware - if Override actions configured for Security Risks is checked, for First action, select Quarantine risk or Delete risk.

b

The Symantec Antivirus autoprotect parameter for Security Risks Second Action is incorrect.

Medium - V-14600 - SV-23680r1_rule

RMF Control

Severity

Medium

CCI

Version

DTAS071

Vuln IDs

V-14600

Rule IDs

SV-23680r1_rule

This setting is required for the Auto-Protect Security Risks second ("If first action fails") action policy, When a Security Risk, such as Adware or Dialers, is detected, the second action to be performed must be the option to delete risk or quarantine the risk. System Administrator

Checks: C-12615r3_chk

Procedure: This is a multiple step process to ensure compliance. Non-compliance points are identified throughout the procedures. Use the Windows Registry Editor to navigate to the following key: HKLM\Software\ INTEL\LANDesk\VirusProtect6\CurrentVersion\ Storages\Filesystem\RealTimeScan\Expanded Criteria: If the value of SecondAction is not 1 or 3, this is a finding. If the value SecondAction is 1 or 3 then check each of the following steps. Each of the 8 parts (A-H) must be in compliance for the vulnerability to be considered not a finding. A - If the value of OverrideDefaultActions within HKLM\Software\ INTEL\LANDesk\VirusProtect6 \CurrentVersion\Storages\Filesystem\RealTimeScan\Expanded\TCID-10 If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the SecondAction within HKLM\Software\ INTEL\LANDesk\VirusProtect6 \CurrentVersion\Storages\Filesystem\RealTimeScan\Expanded\TCID-10 If the value is 1 or 3, this is compliant, otherwise this is a finding. B - If the value of OverrideDefaultActions within HKLM\Software\ INTEL\LANDesk\VirusProtect6 \CurrentVersion\Storages\Filesystem\RealTimeScan\Expanded\TCID-11 If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the SecondAction within HKLM\Software\ INTEL\LANDesk\VirusProtect6 \CurrentVersion\Storages\Filesystem\RealTimeScan\Expanded\TCID-11 If the value is 1 or 3, this is compliant, otherwise this is a finding. C - If the value of OverrideDefaultActions within HKLM\Software\ INTEL\LANDesk\VirusProtect6 \CurrentVersion\Storages\Filesystem\RealTimeScan\Expanded\TCID-4 If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the SecondAction within HKLM\Software\ INTEL\LANDesk\VirusProtect6 \CurrentVersion\Storages\Filesystem\RealTimeScan\Expanded\TCID-4 If the value is 1 or 3, this is compliant, otherwise this is a finding. D - If the value of OverrideDefaultActions within HKLM\Software\ INTEL\LANDesk\VirusProtect6 \CurrentVersion\Storages\Filesystem\RealTimeScan\Expanded\TCID-5 If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the SecondAction within HKLM\Software\ INTEL\LANDesk\VirusProtect6 \CurrentVersion\Storages\Filesystem\RealTimeScan\Expanded\TCID-5 If the value is 1 or 3, this is compliant, otherwise this is a finding. E - If the value of OverrideDefaultActions within HKLM\Software\ INTEL\LANDesk\VirusProtect6 \CurrentVersion\Storages\Filesystem\RealTimeScan\Expanded\TCID-6 If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the SecondAction within HKLM\Software\ INTEL\LANDesk\VirusProtect6 \CurrentVersion\Storages\Filesystem\RealTimeScan\Expanded\TCID-6 If the value is 1 or 3, this is compliant, otherwise this is a finding. F - If the value of OverrideDefaultActions within HKLM\Software\ INTEL\LANDesk\VirusProtect6 \CurrentVersion\Storages\Filesystem\RealTimeScan\Expanded\TCID-7 If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the SecondAction within HKLM\Software\ INTEL\LANDesk\VirusProtect6 \CurrentVersion\Storages\Filesystem\RealTimeScan\Expanded\TCID-7 If the value is 1 or 3, this is compliant, otherwise this is a finding. G - If the value of OverrideDefaultActions within HKLM\Software\ INTEL\LANDesk\VirusProtect6 \CurrentVersion\Storages\Filesystem\RealTimeScan\Expanded\TCID-8 If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the SecondAction within HKLM\Software\ INTEL\LANDesk\VirusProtect6 \CurrentVersion\Storages\Filesystem\RealTimeScan\Expanded\TCID-8 If the value is 1 or 3, this is compliant, otherwise this is a finding. H - If the value of OverrideDefaultActions within HKLM\Software\ INTEL\LANDesk\VirusProtect6 \CurrentVersion\Storages\Filesystem\RealTimeScan\Expanded\TCID-9 If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the SecondAction within HKLM\Software\ INTEL\LANDesk\VirusProtect6 \CurrentVersion\Storages\Filesystem\RealTimeScan\Expanded\TCID-9 If the value is 1 or 3, this is compliant, otherwise this is a finding.

Fix: F-19873r1_fix

From the Symantec Enterprise Server- Symantec System Center Console - select System Hierarchy -> select [applicable "Server Group"] -> select [applicable "Client Group"] (right click) -> All Tasks -> Symantec Antivirus -> Client Auto-Protect Options -> File System tab -> Actions -> Highlight Security Risks: under the Actions tab If first action fails: select one of the following “Quarantine risk” or “Delete risk”. If the selection for If first action fails is “Quarantine risk” or “Delete risk”, continue with each of the following steps. Each of the 8 parts (A – H) must be in compliance for the vulnerability to be considered not a finding. A. Highlight Adware - if Override actions configured for Security Risks is checked, for If first action fails, select Quarantine risk or Delete risk. B. Highlight Dialers - if Override actions configured for Security Risks is checked, for If first action fails, select Quarantine risk or Delete risk. C. Highlight Hack Tools – if Override actions configured for Security Risks is checked, for If first action fails, select Quarantine risk or Delete risk. D. Highlight Joke Programs – if Override actions configured for Security Risks is checked, for If first action fails, select Quarantine risk or Delete risk. E. Highlight Other – if Override actions configured for Security Risks is checked, for If first action fails, select Quarantine risk or Delete risk. F. Highlight Remote Access – if Override actions configured for Security Risks is checked, for If first action fails, select Quarantine risk or Delete risk. G. Highlight Spyware – if Override actions configured for Security Risks is checked, for If first action fails, select Quarantine risk or Delete risk. H. Highlight Trackware - if Override actions configured for Security Risks is checked, for If first action fails, select Quarantine risk or Delete risk.

b

The Symantec Antivirus email client for notification into the email is incorrect.

Medium - V-14601 - SV-23681r1_rule

RMF Control

Severity

Medium

CCI

Version

DTAS080

Vuln IDs

V-14601

Rule IDs

SV-23681r1_rule

This setting is required in order for the Symantec Antivirus email client to send an email warning notification of a security risk. The “Insert warning into e-mail message” attribute must be selected. System Administrator

Checks: C-12616r4_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\ INTEL\LANDesk\VirusProtect6\CurrentVersion\ Storages\EmailName\RealTimeScan Criteria: If the value of InsertWarning is 1, this is not a finding. Note: This check is for Email clients. Substitute your email application name (InternetMail, LotusNotes, or MicrosoftExchangeClient) into the registry string indicated by EmailName. If email client is not installed this check is NA.

Fix: F-19874r1_fix

From the Symantec Enterprise Server, Symantec System Center Console: select System Hierarchy -> select [applicable "Server Group"] -> select [applicable "Client Group"] (right click) -> All Tasks -> Symantec Antivirus -> Client Auto-Protect Options -> email name tab (where “email name” is the email client type; options are Internet E-mail, Lotus Notes, or Microsoft Exchange) -> In the E-mail Messages area, select “Insert warning into e-mail message”.

b

The Symantec Antivirus autoprotect email parameter for macro virus first action is incorrect.

Medium - V-14602 - SV-23687r1_rule

RMF Control

Severity

Medium

CCI

Version

DTAS081

Vuln IDs

V-14602

Rule IDs

SV-23687r1_rule

This setting is required for the Auto-Protect email parameter Macro virus First action policy. When an email Macro virus is detected, the first action to be performed must be the option to delete risk, clean risk, or quarantine the risk. System Administrator

Checks: C-12617r4_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\ INTEL\LANDesk\VirusProtect6\CurrentVersion\ Storages\EmailName\RealTimeScan Criteria: If the value of FirstMacroAction is 1, 3 or 5, this is not a finding. Note: This check is for email clients. Substitute your email application name (InternetMail, LotusNotes, or MicrosoftExchangeClient) into the registry string indicated by EmailName. If email client is not installed, this check is NA.

Fix: F-19875r1_fix

From the Symantec Enterprise Server, Symantec System Center Console: select System Hierarchy -> select [applicable "Server Group"] -> select [applicable "Client Group"] (right click) -> All Tasks -> Symantec Antivirus -> Client Auto-Protect Options -> email name tab (where “email name” is the email client type; options are Internet E-mail, Lotus Notes, and Microsoft Exchange) -> Actions -> Highlight Macro virus: First action:, select "Clean risk, Quarantine risk, or Delete risk".

b

The Symantec Antivirus autoprotect email parameter for macro virus second action is incorrect.

Medium - V-14603 - SV-23688r1_rule

RMF Control

Severity

Medium

CCI

Version

DTAS082

Vuln IDs

V-14603

Rule IDs

SV-23688r1_rule

This setting is required for the Auto-Protect email parameter Macro virus second action policy. When an email Macro virus is detected, the second action ("If first action fails:") to be performed must be the option to delete risk, clean risk, or quarantine the risk. System Administrator

Checks: C-12618r4_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\ INTEL\LANDesk\VirusProtect6\CurrentVersion\ Storages\EmailName\RealTimeScan Criteria: If the value of SecondMacroAction is 1,3 or 5, this is not a finding. Note: This check is for email clients. Substitute your email application name (InternetMail, LotusNotes, or MicrosoftExchangeClient) into the registry string indicated by EmailName. If email client is not installed, this check is NA. .

Fix: F-19876r1_fix

From the Symantec Enterprise Server, Symantec System Center Console: select System Hierarchy -> select [applicable "Server Group"] -> select [applicable "Client Group"] (right click) -> All Tasks -> Symantec Antivirus -> Client Auto-Protect Options -> email name tab (where “email name” is the email client type; options are Internet E-mail, Lotus Notes, and Microsoft Exchange) -> Actions -> Highlight Macro virus: If first action fails:, select "Clean risk, Quarantine risk, or Delete risk".

b

The Symantec Antivirus autoprotect email parameter for non-macro first action virus is incorrect.

Medium - V-14604 - SV-23689r1_rule

RMF Control

Severity

Medium

CCI

Version

DTAS083

Vuln IDs

V-14604

Rule IDs

SV-23689r1_rule

This setting is required for the Auto-Protect email parameter non-Macro virus First action policy. When a non-Macro virus is detected, the first action to be performed must be the option to delete risk, clean risk, or quarantine the risk. System Administrator

Checks: C-12619r4_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\ INTEL\LANDesk\VirusProtect6\CurrentVersion\Storages\EmailName\RealTimeScan Criteria: If the value of FirstAction is 1,3, or 5, this is not a finding. Note: This check is for email clients. Substitute your email application name (InternetMail, LotusNotes, or MicrosoftExchangeClient) into the registry string indicated by EmailName. If email client is not installed, this check is NA.

Fix: F-19877r1_fix

From the Symantec Enterprise Server, Symantec System Center Console: select System Hierarchy -> select [applicable "Server Group"] -> select [applicable "Client Group"] (right click) -> All Tasks -> Symantec Antivirus -> Client Auto-Protect Options -> email name tab (where “email name” is the email client type; options are Internet E-mail, Lotus Notes, and Microsoft Exchange) -> Actions -> Highlight Non-Macro Virus: First Action:, select "Clean risk, Quarantine risk, or Delete risk".

b

The Symantec Antivirus autoprotect email parameter for check non-macro second action is incorrect.

Medium - V-14605 - SV-23691r1_rule

RMF Control

Severity

Medium

CCI

Version

DTAS084

Vuln IDs

V-14605

Rule IDs

SV-23691r1_rule

This setting is required for the Auto-Protect email parameter non-Macro virus Second action policy. When a non-Macro virus is detected the Second action ("If first action fails") to be performed must be the option to delete risk, clean risk, or quarantine the risk. System Administrator

Checks: C-12620r5_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\ INTEL\LANDesk\VirusProtect6\CurrentVersion\ Storages\EmailName \RealTimeScan Criteria: If the value of SecondAction is 1,3, or 5, this is not a finding. Note: This check is for email clients. Substitute your email application name (InternetMail, LotusNotes, or MicrosoftExchangeClient) into the registry string indicated by EmailName. If email client is not installed, this check is NA.

Fix: F-19878r1_fix

From the Symantec Enterprise Server, Symantec System Center Console: select System Hierarchy -> select [applicable "Server Group"] -> select [applicable "Client Group"] (right click) -> All Tasks -> Symantec Antivirus -> Client Auto-Protect Options -> email name tab (where “email name” is the email client type; options are Internet E-mail, Lotus Notes, and Microsoft Exchange) -> Actions -> Highlight Non-macro virus: If first action fails:, select "Clean risk, Quarantine risk, or Delete risk".

b

The Symantec Antivirus autoprotect email parameter for Security Risks first action is incorrect.

Medium - V-14606 - SV-23692r1_rule

RMF Control

Severity

Medium

CCI

Version

DTAS085

Vuln IDs

V-14606

Rule IDs

SV-23692r1_rule

This setting is required for the Auto-Protect email Security Risks First action policy. When a Security Risk is detected, the first action to be performed must be the option to delete risk, clean risk, or quarantine the risk. System Administrator

Checks: C-12621r4_chk

Procedure: This is a multiple step process to ensure compliance. Non-compliance points are identified throughout the procedures. Note: This check is for email clients. Substitute your email application name (InternetMail, LotusNotes, or MicrosoftExchangeClient) into the registry string indicated by EmailName. If email client is not installed, this check is NA. Use the Windows Registry Editor to navigate to the following key: HKLM\Software\ INTEL\LANDesk\VirusProtect6\CurrentVersion\ Storages\EmailName \RealTimeScan\Expanded Criteria: If the value of FirstAction is not 1 or 3, this is a finding. If the value FirstAction is 1 or 3 then check each of the following steps. Each of the 8 parts (A-H) must be in compliance for the vulnerability to be considered not a finding. A - If the value of OverrideDefaultActions within HKLM\Software\ INTEL\LANDesk\VirusProtect6 \CurrentVersion\Storages\EmailName \RealTimeScan\Expanded\TCID-10 If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the FirstAction within HKLM\Software\ INTEL\LANDesk\VirusProtect6 \CurrentVersion\Storages\EmailName \RealTimeScan\Expanded\TCID-10 If the value is 1 or 3, this is compliant, otherwise this is a finding. B - If the value of OverrideDefaultActions within HKLM\Software\ INTEL\LANDesk\VirusProtect6 \CurrentVersion\Storages\EmailName \RealTimeScan\Expanded\TCID-11 If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the FirstAction within HKLM\Software\ INTEL\LANDesk\VirusProtect6 \CurrentVersion\Storages\EmailName \RealTimeScan\Expanded\TCID-11 If the value is 1 or 3, this is compliant, otherwise this is a finding. C - If the value of OverrideDefaultActions within HKLM\Software\ INTEL\LANDesk\VirusProtect6 \CurrentVersion\Storages\EmailName \RealTimeScan\Expanded\TCID-4 If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the FirstAction within HKLM\Software\ INTEL\LANDesk\VirusProtect6 \CurrentVersion\Storages\EmailName \RealTimeScan\Expanded\TCID-4 If the value is 1 or 3, this is compliant, otherwise this is a finding. D - If the value of OverrideDefaultActions within HKLM\Software\ INTEL\LANDesk\VirusProtect6 \CurrentVersion\Storages\EmailName \RealTimeScan\Expanded\TCID-5 If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the FirstAction within HKLM\Software\ INTEL\LANDesk\VirusProtect6 \CurrentVersion\Storages\EmailName \RealTimeScan\Expanded\TCID-5 If the value is 1 or 3, this is compliant, otherwise this is a finding. E - If the value of OverrideDefaultActions within HKLM\Software\ INTEL\LANDesk\VirusProtect6 \CurrentVersion\Storages\EmailName \RealTimeScan\Expanded\TCID-6 If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the FirstAction within HKLM\Software\ INTEL\LANDesk\VirusProtect6 \CurrentVersion\Storages\EmailName \RealTimeScan\Expanded\TCID-6 If the value is 1 or 3, this is compliant, otherwise this is a finding. F - If the value of OverrideDefaultActions within HKLM\Software\ INTEL\LANDesk\VirusProtect6 \CurrentVersion\Storages\EmailName \RealTimeScan\Expanded\TCID-7 If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the FirstAction within HKLM\Software\ INTEL\LANDesk\VirusProtect6 \CurrentVersion\Storages\EmailName \RealTimeScan\Expanded\TCID-7 If the value is 1 or 3, this is compliant, otherwise this is a finding. G - If the value of OverrideDefaultActions within HKLM\Software\ INTEL\LANDesk\VirusProtect6 \CurrentVersion\Storages\EmailName \RealTimeScan\Expanded\TCID-8 If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the FirstAction within HKLM\Software\ INTEL\LANDesk\VirusProtect6 \CurrentVersion\Storages\EmailName \RealTimeScan\Expanded\TCID-8 If the value is 1 or 3, this is compliant, otherwise this is a finding. H - If the value of OverrideDefaultActions within HKLM\Software\ INTEL\LANDesk\VirusProtect6 \CurrentVersion\Storages\EmailName \RealTimeScan\Expanded\TCID-9 If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the FirstAction within HKLM\Software\ INTEL\LANDesk\VirusProtect6 \CurrentVersion\Storages\EmailName \RealTimeScan\Expanded\TCID-9 If the value is 1 or 3, this is compliant, otherwise this is a finding.

Fix: F-19879r1_fix

From the Symantec Enterprise Server, Symantec System Center Console: select System Hierarchy -> select [applicable "Server Group"] -> select [applicable "Client Group"] (right click) -> All Tasks -> Symantec Antivirus -> Client Auto-Protect Options -> email name tab (where “email name” is the email client type; options are Internet E-mail, Lotus Notes, and Microsoft Exchange) -> Actions -> Highlight Security Risks: under the Actions tab First action: select one of the following “Quarantine risk” or “Delete risk”. If the selection for First action is “Quarantine risk” or “Delete risk”, continue with each of the following steps. Each of the 8 parts (A – H) must be in compliance for the vulnerability to be considered not a finding. A. Highlight Adware - if Override actions configured for Security Risks is checked, for First action: select Quarantine risk or Delete risk. B. Highlight Dialers - if Override actions configured for Security Risks is checked, for First action: select Quarantine risk or Delete risk. C. Highlight Hack Tools – if Override actions configured for Security Risks is checked, for First action: select Quarantine risk or Delete risk. D. Highlight Joke Programs – if Override actions configured for Security Risks is checked, for First action: select Quarantine risk or Delete risk. E. Highlight Other – if Override actions configured for Security Risks is checked, for First action: select Quarantine risk or Delete risk. F. Highlight Remote Access – if Override actions configured for Security Risks is checked, for First action: select Quarantine risk or Delete risk. G. Highlight Spyware – if Override actions configured for Security Risks is checked, for First action: select Quarantine risk or Delete risk. H. Highlight Trackware - if Override actions configured for Security Risks is checked, for First action: select Quarantine risk or Delete risk.

b

The Symantec Antivirus Auto-Protect parameter for Email Security Risks Second Action is incorrect.

Medium - V-14607 - SV-23693r1_rule

RMF Control

Severity

Medium

CCI

Version

DTAS086

Vuln IDs

V-14607

Rule IDs

SV-23693r1_rule

This setting is required for the Auto-Protect email Security Risks second ("If first action fails") action policy. When a Security Risk such as Adware or Dialers is detected, the second action to be performed must be the option to delete risk, or quarantine the risk. System Administrator

Checks: C-12622r4_chk

Procedure: This is a multiple step process to ensure compliance. Non-compliance points are identified throughout the procedures. Note: This check is for email clients. Substitute your email application name (InternetMail, LotusNotes, or MicrosoftExchangeClient) into the registry string indicated by EmailName. If email client is not installed, this check is NA. Use the Windows Registry Editor to navigate to the following key: HKLM\Software\ INTEL\LANDesk\VirusProtect6\CurrentVersion\ Storages\EmailName \RealTimeScan\Expanded Criteria: If the value of SecondAction is not 1 or 3, this is a finding. If the value SecondAction is 1 or 3 then check each of the following steps. Each of the 8 parts (A-H) must be in compliance for the vulnerability to be considered not a finding. A - If the value of OverrideDefaultActions within HKLM\Software\ INTEL\LANDesk\VirusProtect6 \CurrentVersion\Storages\EmailName \RealTimeScan\Expanded\TCID-10 If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the SecondAction within HKLM\Software\ INTEL\LANDesk\VirusProtect6\CurrentVersion\Storages\EmailName \RealTimeScan\Expanded\TCID-10 If the value is 1 or 3, this is compliant, otherwise this is a finding. B - If the value of OverrideDefaultActions within HKLM\Software\ INTEL\LANDesk\VirusProtect6 \CurrentVersion\Storages\EmailName \RealTimeScan\Expanded\TCID-11 If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the SecondAction within HKLM\Software\ INTEL\LANDesk\VirusProtect6\CurrentVersion\Storages\EmailName \RealTimeScan\Expanded\TCID-11 If the value is 1 or 3, this is compliant, otherwise this is a finding. C - If the value of OverrideDefaultActions within HKLM\Software\ INTEL\LANDesk\VirusProtect6 \CurrentVersion\Storages\EmailName \RealTimeScan\Expanded\TCID-4 If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the SecondAction within HKLM\Software\ INTEL\LANDesk\VirusProtect6\CurrentVersion\Storages\EmailName \RealTimeScan\Expanded\TCID-4 If the value is 1 or 3, this is compliant, otherwise this is a finding. D - If the value of OverrideDefaultActions within HKLM\Software\ INTEL\LANDesk\VirusProtect6 \CurrentVersion\Storages\EmailName \RealTimeScan\Expanded\TCID-5 If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the SecondAction within HKLM\Software\ INTEL\LANDesk\VirusProtect6\CurrentVersion\Storages\EmailName \RealTimeScan\Expanded\TCID-5 If the value is 1 or 3, this is compliant, otherwise this is a finding. E - If the value of OverrideDefaultActions within HKLM\Software\ INTEL\LANDesk\VirusProtect6 \CurrentVersion\Storages\EmailName \RealTimeScan\Expanded\TCID-6 If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the SecondAction within HKLM\Software\ INTEL\LANDesk\VirusProtect6\CurrentVersion\Storages\EmailName \RealTimeScan\Expanded\TCID-6 If the value is 1 or 3, this is compliant, otherwise this is a finding. F - If the value of OverrideDefaultActions within HKLM\Software\ INTEL\LANDesk\VirusProtect6 \CurrentVersion\Storages\EmailName \RealTimeScan\Expanded\TCID-7 If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the SecondAction within HKLM\Software\ INTEL\LANDesk\VirusProtect6\CurrentVersion\Storages\EmailName \RealTimeScan\Expanded\TCID-7 If the value is 1 or 3, this is compliant, otherwise this is a finding. G - If the value of OverrideDefaultActions within HKLM\Software\ INTEL\LANDesk\VirusProtect6 \CurrentVersion\Storages\EmailName \RealTimeScan\Expanded\TCID-8 If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the SecondAction within HKLM\Software\ INTEL\LANDesk\VirusProtect6\CurrentVersion\Storages\EmailName \RealTimeScan\Expanded\TCID-8 If the value is 1 or 3, this is compliant, otherwise this is a finding. H - If the value of OverrideDefaultActions within HKLM\Software\ INTEL\LANDesk\VirusProtect6 \CurrentVersion\Storages\EmailName \RealTimeScan\Expanded\TCID-9 If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the SecondAction within HKLM\Software\ INTEL\LANDesk\VirusProtect6\CurrentVersion\Storages\EmailName \RealTimeScan\Expanded\TCID-9 If the value is 1 or 3, this is compliant, otherwise this is a finding.

Fix: F-19880r1_fix

From the Symantec Enterprise Server, Symantec System Center Console: select System Hierarchy -> select [applicable "Server Group"] -> select [applicable "Client Group"] (right click) -> All Tasks -> Symantec Antivirus -> Client Auto-Protect Options -> email name tab (where “email name” is the email client type; options are Internet E-mail, Lotus Notes, and Microsoft Exchange) -> Actions -> Highlight Security Risks: under the Actions tab If first action fails: select one of the following “Quarantine risk” or “Delete risk”. If the selection for First action is “Quarantine risk” or “Delete risk”, continue with each of the following steps. Each of the 8 parts (A – H) must be in compliance for the vulnerability to be considered not a finding. A. Highlight Adware - if Override actions configured for Security Risks is checked, for If first action fails: select Quarantine risk or Delete risk. B. Highlight Dialers - if Override actions configured for Security Risks is checked, for If first action fails: select Quarantine risk or Delete risk. C. Highlight Hack Tools – if Override actions configured for Security Risks is checked, for If first action fails: select Quarantine risk or Delete risk. D. Highlight Joke Programs – if Override actions configured for Security Risks is checked, for If first action fails: select Quarantine risk or Delete risk. E. Highlight Other – if Override actions configured for Security Risks is checked, for If first action fails: select Quarantine risk or Delete risk. F. Highlight Remote Access – if Override actions configured for Security Risks is checked, for If first action fails: select Quarantine risk or Delete risk. G. Highlight Spyware – if Override actions configured for Security Risks is checked, for If first action fails: select Quarantine risk or Delete risk. H. Highlight Trackware - if Override actions configured for Security Risks is checked, for If first action fails: select Quarantine risk or Delete risk.

b

The Symantec Antivirus weekly scan parameter for scanning load points is incorrect.

Medium - V-14609 - SV-23694r1_rule

RMF Control

Severity

Medium

CCI

Version

DTAS091

Vuln IDs

V-14609

Rule IDs

SV-23694r1_rule

This setting is required to configure the scanning of load points. "Load points" are defined by Symantec AV as "Common Infection locations". System Administrator

Checks: C-23234r1_chk

From the Symantec Enterprise Server- Symantec System Center Console - select System Hierarchy -> select [applicable "Server Group"] -> select [applicable "Client Group"] (right click) -> All Tasks -> Symantec Antivirus -> Scheduled Scans -> Highlight the client server weekly scan -> select Edit -> select Scan Settings -> Observe that “Common infection locations (load points)” is selected. Criteria: If the option “Common infection locations (load points)” is selected, this not a finding. To evaluate this check from a client machine, navigate to the registry key: HKLM\Software\Intel\Landesk\VirusProtect6\CurrentVersion\LocalScans\ClientServerScheduledScan_1. Note: In the key ClientServerScheduledScan_1, the 1 indicates the entry number for the scan. It may be necessary to review all ClientServerScheduledScan_X keys in the LocalScans branch to evaluate this check. Criteria: If the value of ScanLoadPoints is 1, this not a finding.

Fix: F-20041r1_fix

From the ePO server console, select Systems tab, select the asset to be checked, select the Policies tab, select from the product pull down list VirusScan Enterprise 8.7.0. Locate in the Category column the On-Access General Policies. Select from the Policy column the policy associated with the On-Access General Policies. Under the Blocking tab, locate the "Block the connection:" label. Select the "Block the connection when a threatened file is detected in a shared folder" option.

b

The Symantec Antivirus weekly scan parameter for well knowns before others is incorrect.

Medium - V-14610 - SV-23695r1_rule

RMF Control

Severity

Medium

CCI

Version

DTAS092

Vuln IDs

V-14610

Rule IDs

SV-23695r1_rule

This setting is required to configure scanning locations of well-known vuruses and security risks. System Administrator

Checks: C-23235r1_chk

From the Symantec Enterprise Server- Symantec System Center Console - select System Hierarchy -> select [applicable "Server Group"] -> select [applicable "Client Group"] (right click) -> All Tasks -> Symantec Antivirus -> Scheduled Scans -> Highlight the client server weekly scan -> select Edit -> select Scan Settings ->Observe that “Locations of well known viruses and security risks” is selected. Criteria: If the option “Locations of well known viruses and security risks” is selected, this not a finding. To evaluate this check on the client machine, navigate to the following registry key: HKLM\Software\Intel\Landesk\VirusProtect6\CurrentVersion\LocalScans\ClientServerScheduledScan_1. Note: In the key ClientServerScheduledScan_1, the 1 indicates the entry number for the scan. It may be necessary to review all ClientServerScheduledScan_X keys in the LocalScans branch to evaluate this check. Criteria: If the value of ScanERASERDEFS is 1, this is not a finding.

Fix: F-19883r1_fix

From the Symantec Enterprise Server- Symantec System Center Console - select System Hierarchy -> select [applicable "Server Group"] -> select [applicable "Client Group"] (right click) -> All Tasks -> Symantec Antivirus -> Scheduled Scans -> Highlight the client server weekly scan -> select Edit -> select Scan Settings -> select “Locations of well known viruses and security risks”.

b

The Symantec Antivirus weekly scan parameter for macro virus first action is incorrect.

Medium - V-14611 - SV-23701r1_rule

RMF Control

Severity

Medium

CCI

Version

DTAS093

Vuln IDs

V-14611

Rule IDs

SV-23701r1_rule

This setting is required for the weekly scan Macro virus First action policy. When a Macro virus is detected, the first action to be performed must be the option to delete risk, clean risk, or quarantine the risk. System Administrator

Checks: C-23236r1_chk

From the Symantec Enterprise Server- Symantec System Center Console - select System Hierarchy -> select [applicable "Server Group"] -> select [applicable "Client Group"] (right click) -> All Tasks -> Symantec Antivirus -> Scheduled Scans -> Highlight the client server weekly scan -> select Edit -> select Scan Settings -> Actions -> Highlight Macro virus -> Ensure for First action: Clean risk, Quarantine risk, or Delete risk is selected. Criteria: If the options selected for Macro virus First action are Clean risk, Quarantine risk, or Delete risk, this is not a finding. To evaluate this check on the client machine, navigate to the following registry key: HKLM\Software\Intel\Landesk\VirusProtect6\CurrentVersion\LocalScans\ClientServerScheduledScan_1. Note: In the key ClientServerScheduledScan_1, the 1 indicates the entry number for the scan. It may be necessary to review all ClientServerScheduledScan_X keys in the LocalScans branch to evaluate this check. Criteria: If the value of FirstMacroAction is 1, 3, or 5, this is not a finding.

Fix: F-19884r1_fix

From the Symantec Enterprise Server- Symantec System Center Console - select System Hierarchy -> select [applicable "Server Group"] -> select [applicable "Client Group"] (right click) -> All Tasks -> Symantec Antivirus -> Scheduled Scans -> Highlight the client server weekly scan -> select Edit -> select Scan Setings -> Actions -> Highlight Macro virus: First action:, select "Clean risk, Quarantine risk, or Delete risk".

b

The Symantec Antivirus weekly scan parameter for macro virus second action is incorrect.

Medium - V-14612 - SV-23696r1_rule

RMF Control

Severity

Medium

CCI

Version

DTAS094

Vuln IDs

V-14612

Rule IDs

SV-23696r1_rule

This setting is required for the weekly scan parameter Macro virus Second action policy. When a non-Macro virus is detected, the Second action ("If first action fails") to be performed must be the option to delete risk, clean risk, or quarantine the risk. System Administrator

Checks: C-23237r1_chk

From the Symantec Enterprise Server- Symantec System Center Console - select System Hierarchy -> select [applicable "Server Group"] -> select [applicable "Client Group"] (right click) -> All Tasks -> Symantec Antivirus -> Scheduled Scans -> Highlight the client server weekly scan -> select Edit -> select Scan Settings -> Actions -> Highlight Macro virus: Ensure for If first action fails: Clean risk, Quarantine risk, or Delete risk is selected. Criteria: If the options selected for Macro virus If first action fails are Clean risk, Quarantine risk, or Delete risk, this is not a finding. To evaluate this check on the client machine, navigate to the following registry key: HKLM\Software\Intel\Landesk\VirusProtect6\CurrentVersion\LocalScans\ClientServerScheduledScan_1. Note: in the key ClientServerScheduledScan_1, the 1 indicates the entry number for the scan. It may be necessary to review all ClientServerScheduledScan_X keys in the LocalScans branch to evaluate this check. Criteria: If the value of SeconMacroAction is 1, 3, or 5, this is not a finding.

Fix: F-19885r1_fix

From the Symantec Enterprise Server- Symantec System Center Console - select System Hierarchy -> select [applicable "Server Group"] -> select [applicable "Client Group"] (right click) -> All Tasks -> Symantec Antivirus -> Scheduled Scans -> Highlight the client server weekly scan -> select Edit -> select Scan Settings -> Actions -> Highlight Macro virus: If first action fails:, select "Clean risk, Quarantine risk, or Delete risk".

b

The Symantec Antivirus weekly scan parameter for non-macro first action virus is incorrect.

Medium - V-14613 - SV-23697r1_rule

RMF Control

Severity

Medium

CCI

Version

DTAS095

Vuln IDs

V-14613

Rule IDs

SV-23697r1_rule

This setting is required for the weekly scan parameter non-Macro virus First action policy. When a non-Macro virus is detected, the first action to be performed must be the option to delete risk, clean risk, or quarantine the risk. System Administrator

Checks: C-23238r1_chk

From the Symantec Enterprise Server- Symantec System Center Console - select System Hierarchy -> select [applicable "Server Group"] -> select [applicable "Client Group"] (right click) -> All Tasks -> Symantec Antivirus -> Scheduled Scans -> Highlight the client server weekly scan -> select Edit -> select Scan Settings -> Actions -> Highlight Non-Macro Virus: Ensure for First Action: Clean risk, Quarantine risk, or Delete risk is selected. Criteria: If the options selected for Non-Macro virus First action are Clean risk, Quarantine risk, or Delete risk, this is not a finding. To evaluate this check on the client machine, navigate to the following registry key: HKLM\Software\Intel\Landesk\VirusProtect6\CurrentVersion\LocalScans\ClientServerScheduledScan_1. Note: In the key ClientServerScheduledScan_1, the 1 indicates the entry number for the scan. It may be necessary to review all ClientServerScheduledScan_X keys in the LocalScans branch to evaluate this check. Criteria: If the value of FirstAction is 1, 3, or 5, this is not a finding.

Fix: F-19886r1_fix

From the Symantec Enterprise Server- Symantec System Center Console - select System Hierarchy -> select [applicable "Server Group"] -> select [applicable "Client Group"] (right click) -> All Tasks -> Symantec Antivirus -> Scheduled Scans -> Highlight the client server weekly scan -> select Edit -> select Scan Settings -> Actions -> Highlight Non-Macro Virus: First Action:, select "Clean risk, Quarantine risk, or Delete risk".

b

The Symantec Antivirus Auto-Protect parameter for check non-macro second action is incorrect.

Medium - V-14615 - SV-23698r1_rule

RMF Control

Severity

Medium

CCI

Version

DTAS096

Vuln IDs

V-14615

Rule IDs

SV-23698r1_rule

This setting is required for the Auto-Protect parameter non-Macro virus second action policy. When an email Macro virus is detected, the second action ("If first action fails:") to be performed must be the option to delete risk, clean risk, or quarantine the risk. System Administrator

Checks: C-23239r1_chk

From the Symantec Enterprise Server- Symantec System Center Console - select System Hierarchy -> select [applicable "Server Group"] -> select [applicable "Client Group"] (right click) -> All Tasks -> Symantec Antivirus -> Scheduled Scans -> Highlight the client server weekly scan -> select Edit -> select Scan Settings -> Actions -> Highlight Non-macro virus: Ensure for If first action fails: Clean risk, Quarantine risk, or Delete risk is selected. Criteria: If the options selected for Non-Macro virus If first action fails are Clean risk, Quarantine risk, or Delete risk, this is not a finding. To evaluate this check on the client machine, navigate to the following registry key: HKLM\Software\Intel\Landesk\VirusProtect6\CurrentVersion\LocalScans\ClientServerScheduledScan_1. Note: In the key ClientServerScheduledScan_1, the 1 indicates the entry number for the scan. It may be necessary to review all ClientServerScheduledScan_X keys in the LocalScans branch to evaluate this check. Criteria: If the value of SecondAction is 1, 3, or 5, this is not a finding.

Fix: F-19887r1_fix

From the Symantec Enterprise Server- Symantec System Center Console - select System Hierarchy -> select [applicable "Server Group"] -> select [applicable "Client Group"] (right click) -> All Tasks -> Symantec Antivirus -> Scheduled Scans -> Highlight the client server weekly scan -> select Edit -> select Scan Settings -> Actions -> Highlight Non-macro virus: If first action fails:, select "Clean risk, Quarantine risk, or Delete risk".

b

The Symantec Antivirus weekly scan parameter for Security Risks first action is incorrect.

Medium - V-14616 - SV-23699r1_rule

RMF Control

Severity

Medium

CCI

Version

DTAS097

Vuln IDs

V-14616

Rule IDs

SV-23699r1_rule

This setting is required for the weekly scan parameter Security Risks First action policy. When a Security Risk is detected, the first action to be performed must be the option to delete risk, clean risk, or quarantine the risk. System Administrator

Checks: C-23240r1_chk

Procedure: This is a multiple step process. Non-compliance points are identified throughout the procedures. From the Symantec Enterprise Server- Symantec System Center Console - select System Hierarchy -> select [applicable "Server Group"] -> select [applicable "Client Group"] (right click) -> All Tasks -> Symantec Antivirus -> Scheduled Scans -> Highlight the client server weekly scan -> select Edit -> select Scan Settings -> Actions -> highlight Security Risks: observe option for First action. Criteria: If the option selected for Security Risks First action is not “Quarantine risk” or “Delete risk”, this is a finding. If the selection for First action is “Quarantine risk” or “Delete risk”, continue with each of the following steps. Each of the 8 parts (A – H) must be in compliance for the vulnerability to be considered not a finding. A. Highlight Adware If Override actions configured for Security Risks is not checked, this part is compliant. If Override actions configured for Security Risks is checked: for First action if Quarantine risk or Delete risk are selected, this is compliant, otherwise this is a finding. B. Highlight Dialers If Override actions configured for Security Risks is not checked, this part is compliant. If Override actions configured for Security Risks is checked: for First action if Quarantine risk or Delete risk are selected, this is compliant, otherwise this is a finding. C. Highlight Hack Tools If Override actions configured for Security Risks is not checked, this part is compliant. If Override actions configured for Security Risks is checked: for First action if Quarantine risk or Delete risk are selected, this is compliant, otherwise this is a finding. D. Highlight Joke Programs If Override actions configured for Security Risks is not checked, this part is compliant. If Override actions configured for Security Risks is checked: for First action if Quarantine risk or Delete risk are selected, this is compliant, otherwise this is a finding. E. Highlight Other If Override actions configured for Security Risks is not checked, this part is compliant. If Override actions configured for Security Risks is checked: for First action if Quarantine risk or Delete risk are selected, this is compliant, otherwise this is a finding. F. Highlight Remote Access If Override actions configured for Security Risks is not checked, this part is compliant. If Override actions configured for Security Risks is checked: for First action if Quarantine risk or Delete risk are selected, this is compliant, otherwise this is a finding. G. Highlight Spyware If Override actions configured for Security Risks is not checked, this part is compliant. If Override actions configured for Security Risks is checked: for First action if Quarantine risk or Delete risk are selected, this is compliant, otherwise this is a finding. H. Highlight Trackware If Override actions configured for Security Risks is not checked, this part is compliant. If Override actions configured for Security Risks is checked: for First action if Quarantine risk or Delete risk are selected, this is compliant, otherwise this is a finding. To evaluate this check on the client machine, perform the following procedures. This is a multiple step process to ensure compliance. Non-compliance points are identified throughout the procedures. Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Intel\Landesk\VirusProtect6\CurrentVersion\LocalScans\ClientServerScheduledScan_1\Expanded. Note: In the key ClientServerScheduledScan_1, the 1 indicates the entry number for the scan. It may be necessary to review all ClientServerScheduledScan_X keys in the LocalScans branch to evaluate this check. Criteria: If the value of FirstAction is not 1 or 3, this is a finding. If the value FirstAction is 1 or 3, then check each of the following steps. Each of the 8 parts (A-H) must be in compliance for the vulnerability to be considered not a finding. A - If the value of OverrideDefaultActions within HKLM\Software\Intel\Landesk\VirusProtect6\CurrentVersion\LocalScans\ClientServerScheduledScan_1\Expanded\TCID-10 If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the FirstAction within HKLM\Software\Intel\Landesk\VirusProtect6\CurrentVersion\LocalScans\ClientServerScheduledScan_1\Expanded\TCID-10 If the value is 1 or 3, this is compliant, otherwise this is a finding. B - If the value of OverrideDefaultActions within HKLM\Software\Intel\Landesk\VirusProtect6\CurrentVersion\LocalScans\ClientServerScheduledScan_1\Expanded\TCID-11 If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the FirstAction within HKLM\Software\Intel\Landesk\VirusProtect6\CurrentVersion\LocalScans\ClientServerScheduledScan_1\Expanded\TCID-11 If the value is 1 or 3, this is compliant, otherwise this is a finding. C - If the value of OverrideDefaultActions within HKLM\Software\Intel\Landesk\VirusProtect6\CurrentVersion\LocalScans\ClientServerScheduledScan_1\Expanded\TCID-4 If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the FirstAction within HKLM\Software\Intel\Landesk\VirusProtect6\CurrentVersion\LocalScans\ClientServerScheduledScan_1\Expanded\TCID-4 If the value is 1 or 3, this is compliant, otherwise this is a finding. D - If the value of OverrideDefaultActions within HKLM\Software\Intel\Landesk\VirusProtect6\CurrentVersion\LocalScans\ClientServerScheduledScan_1\Expanded\TCID-5 If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the FirstAction within HKLM\Software\Intel\Landesk\VirusProtect6\CurrentVersion\LocalScans\ClientServerScheduledScan_1\Expanded\TCID-5 If the value is 1 or 3, this is compliant, otherwise this is a finding. E - If the value of OverrideDefaultActions within HKLM\Software\Intel\Landesk\VirusProtect6\CurrentVersion\LocalScans\ClientServerScheduledScan_1\Expanded\TCID-6 If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the FirstAction within HKLM\Software\Intel\Landesk\VirusProtect6\CurrentVersion\LocalScans\ClientServerScheduledScan_1\Expanded\TCID-6 If the value is 1 or 3, this is compliant, otherwise this is a finding. F - If the value of OverrideDefaultActions within HKLM\Software\Intel\Landesk\VirusProtect6\CurrentVersion\LocalScans\ClientServerScheduledScan_1\Expanded\TCID-7 If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the FirstAction within HKLM\Software\Intel\Landesk\VirusProtect6\CurrentVersion\LocalScans\ClientServerScheduledScan_1\Expanded\TCID-7 If the value is 1 or 3, this is compliant, otherwise this is a finding. G - If the value of OverrideDefaultActions within HKLM\Software\Intel\Landesk\VirusProtect6\CurrentVersion\LocalScans\ClientServerScheduledScan_1\Expanded\TCID-8 If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the FirstAction within HKLM\Software\Intel\Landesk\VirusProtect6\CurrentVersion\LocalScans\ClientServerScheduledScan_1\Expanded\TCID-8 If the value is 1 or 3, this is compliant, otherwise this is a finding. H - If the value of OverrideDefaultActions within HKLM\Software\Intel\Landesk\VirusProtect6\CurrentVersion\LocalScans\ClientServerScheduledScan_1\Expanded\TCID-9 If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the FirstAction within HKLM\Software\Intel\Landesk\VirusProtect6\CurrentVersion\LocalScans\ClientServerScheduledScan_1\Expanded\TCID-9 If the value is 1 or 3, this is compliant, otherwise this is a finding.

Fix: F-19888r1_fix

From the Symantec Enterprise Server- Symantec System Center Console - select System Hierarchy -> select [applicable "Server Group"] -> select [applicable "Client Group"] (right click) -> All Tasks -> Symantec Antivirus -> Scheduled Scans -> Highlight the client server weekly scan -> select Edit -> select Scan Settings -> Actions -> Highlight Security Risks: under the Actions tab First action: select one of the following “Quarantine risk” or “Delete risk”. If the selection for First action is “Quarantine risk” or “Delete risk”, continue with each of the following steps. Each of the 8 parts (A – H) must be in compliance for the vulnerability to be considered not a finding. A. Highlight Adware - if Override actions configured for Security Risks is checked, for First action: select Quarantine risk or Delete risk. B. Highlight Dialers - if Override actions configured for Security Risks is checked, for First action: select Quarantine risk or Delete risk. C. Highlight Hack Tools – if Override actions configured for Security Risks is checked, for First action: select Quarantine risk or Delete risk. D. Highlight Joke Programs – if Override actions configured for Security Risks is checked, for First action: select Quarantine risk or Delete risk. E. Highlight Other – if Override actions configured for Security Risks is checked, for First action: select Quarantine risk or Delete risk. F. Highlight Remote Access – if Override actions configured for Security Risks is checked, for First action: select Quarantine risk or Delete risk. G. Highlight Spyware – if Override actions configured for Security Risks is checked, for First action: select Quarantine risk or Delete risk. H. Highlight Trackware - if Override actions configured for Security Risks is checked, for First action: select Quarantine risk or Delete risk.

b

The Symantec Antivirus weekly scan parameter for Security Risks second action is incorrect.

Medium - V-14617 - SV-23700r1_rule

RMF Control

Severity

Medium

CCI

Version

DTAS098

Vuln IDs

V-14617

Rule IDs

SV-23700r1_rule

This setting is required for the weekly scan parameter Security Risks second ("If first action fails") action policy. When a Security Risk, such as Adware or Dialers, is detected, the second action to be performed must be the option to delete risk, or quarantine the risk. System Administrator

Checks: C-23241r1_chk

Procedure: This is a multiple step process. Non-compliance points are identified throughout the procedures. From the Symantec Enterprise Server- Symantec System Center Console - select System Hierarchy -> select [applicable "Server Group"] -> select [applicable "Client Group"] (right click) -> All Tasks -> Symantec Antivirus -> Scheduled Scans -> Highlight the client server weekly scan -> select Edit -> select Scan Settings -> Actions -> highlight Security Risks: observe option for If first action fails. Criteria: If the option selected for Security Risks If first action fails is not “Quarantine risk” or “Delete risk”, this is a finding. If the selection for If first action fails is “Quarantine risk” or “Delete risk”, continue with each of the following steps. Each of the 8 parts (A – H) must be in compliance for the vulnerability to be considered not a finding. A. Highlight Adware If Override actions configured for Security Risks is not checked, this part is compliant. If Override actions configured for Security Risks is checked: for If first action fails if Quarantine risk or Delete risk are selected, this is compliant, otherwise this is a finding. B. Highlight Dialers If Override actions configured for Security Risks is not checked, this part is compliant. If Override actions configured for Security Risks is checked: for If first action fails if Quarantine risk or Delete risk are selected, this is compliant, otherwise this is a finding. C. Highlight Hack Tools If Override actions configured for Security Risks is not checked, this part is compliant. If Override actions configured for Security Risks is checked: for If first action fails if Quarantine risk or Delete risk are selected, this is compliant, otherwise this is a finding. D. Highlight Joke Programs If Override actions configured for Security Risks is not checked, this part is compliant. If Override actions configured for Security Risks is checked: for If first action fails if Quarantine risk or Delete risk are selected, this is compliant, otherwise this is a finding. E. Highlight Other If Override actions configured for Security Risks is not checked, this part is compliant. If Override actions configured for Security Risks is checked: for If first action fails if Quarantine risk or Delete risk are selected, this is compliant, otherwise this is a finding. F. Highlight Remote Access If Override actions configured for Security Risks is not checked, this part is compliant. If Override actions configured for Security Risks is checked: for If first action fails if Quarantine risk or Delete risk are selected, this is compliant, otherwise this is a finding. G. Highlight Spyware If Override actions configured for Security Risks is not checked, this part is compliant. If Override actions configured for Security Risks is checked: for If first action fails if Quarantine risk or Delete risk are selected, this is compliant, otherwise this is a finding. H. Highlight Trackware If Override actions configured for Security Risks is not checked, this part is compliant. If Override actions configured for Security Risks is checked: for If first action fails if Quarantine risk or Delete risk are selected, this is compliant, otherwise this is a finding. To evaluate this check on the client machine, perform the following procedures. This is a multiple step process to ensure compliance. Non-compliance points are identified throughout the procedures. Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Intel\Landesk\VirusProtect6\CurrentVersion\LocalScans\ClientServerScheduledScan_1\Expanded. Note: In the key ClientServerScheduledScan_1, the 1 indicates the entry number for the scan. It may be necessary to review all ClientServerScheduledScan_X keys in the LocalScans branch to evaluate this check. Criteria: If the value of SecondAction is not 1 or 3, this is a finding. If the value SecondAction is 1 or 3, then check each of the following steps. Each of the 8 parts (A-H) must be in compliance for the vulnerability to be considered not a finding. A - If the value of OverrideDefaultActions within HKLM\Software\Intel\Landesk\VirusProtect6\CurrentVersion\LocalScans\ClientServerScheduledScan_1\Expanded\TCID-10 If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the SecondAction within HKLM\Software\Intel\Landesk\VirusProtect6\CurrentVersion\LocalScans\ClientServerScheduledScan_1\Expanded\TCID-10 If the value is 1 or 3, this is compliant, otherwise this is a finding. B - If the value of OverrideDefaultActions within HKLM\Software\Intel\Landesk\VirusProtect6\CurrentVersion\LocalScans\ClientServerScheduledScan_1\Expanded\TCID-11 If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the SecondAction within HKLM\Software\Intel\Landesk\VirusProtect6\CurrentVersion\LocalScans\ClientServerScheduledScan_1\Expanded\TCID-11 If the value is 1 or 3, this is compliant, otherwise this is a finding. C - If the value of OverrideDefaultActions within HKLM\Software\Intel\Landesk\VirusProtect6\CurrentVersion\LocalScans\ClientServerScheduledScan_1\Expanded\TCID-4 If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the SecondAction within HKLM\Software\Intel\Landesk\VirusProtect6\CurrentVersion\LocalScans\ClientServerScheduledScan_1\Expanded\TCID-4 If the value is 1 or 3, this is compliant, otherwise this is a finding. D - If the value of OverrideDefaultActions within HKLM\Software\Intel\Landesk\VirusProtect6\CurrentVersion\LocalScans\ClientServerScheduledScan_1\Expanded\TCID-5 If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the SecondAction within HKLM\Software\Intel\Landesk\VirusProtect6\CurrentVersion\LocalScans\ClientServerScheduledScan_1\Expanded\TCID-5 If the value is 1 or 3, this is compliant, otherwise this is a finding. E - If the value of OverrideDefaultActions within HKLM\Software\Intel\Landesk\VirusProtect6\CurrentVersion\LocalScans\ClientServerScheduledScan_1\Expanded\TCID-6 If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the SecondAction within HKLM\Software\Intel\Landesk\VirusProtect6\CurrentVersion\LocalScans\ClientServerScheduledScan_1\Expanded\TCID-6 If the value is 1 or 3, this is compliant, otherwise this is a finding. F - If the value of OverrideDefaultActions within HKLM\Software\Intel\Landesk\VirusProtect6\CurrentVersion\LocalScans\ClientServerScheduledScan_1\Expanded\TCID-7 If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the SecondAction within HKLM\Software\Intel\Landesk\VirusProtect6\CurrentVersion\LocalScans\ClientServerScheduledScan_1\Expanded\TCID-7 If the value is 1 or 3, this is compliant, otherwise this is a finding. G - If the value of OverrideDefaultActions within HKLM\Software\Intel\Landesk\VirusProtect6\CurrentVersion\LocalScans\ClientServerScheduledScan_1\Expanded\TCID-8 If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the SecondAction within HKLM\Software\Intel\Landesk\VirusProtect6\CurrentVersion\LocalScans\ClientServerScheduledScan_1\Expanded\TCID-8 If the value is 1 or 3, this is compliant, otherwise this is a finding. H - If the value of OverrideDefaultActions within HKLM\Software\Intel\Landesk\VirusProtect6\CurrentVersion\LocalScans\ClientServerScheduledScan_1\Expanded\TCID-9 If the value is 0 or the value is not there, this part is compliant. If the value is 1, then check the SecondAction within HKLM\Software\Intel\Landesk\VirusProtect6\CurrentVersion\LocalScans\ClientServerScheduledScan_1\Expanded\TCID-9 If the value is 1 or 3, this is compliant, otherwise this is a finding.

Fix: F-19889r1_fix

From the Symantec Enterprise Server- Symantec System Center Console - select System Hierarchy -> select [applicable "Server Group"] -> select [applicable "Client Group"] (right click) -> All Tasks -> Symantec Antivirus -> Scheduled Scans -> Highlight the client server weekly scan -> select Edit -> select Scan Settings -> Actions -> Highlight Security Risks: under the Actions tab If first action fails: select one of the following “Quarantine risk” or “Delete risk”. If the selection for First action is “Quarantine risk” or “Delete risk”, continue with each of the following steps. Each of the 8 parts (A – H) must be in compliance for the vulnerability to be considered not a finding. A. Highlight Adware - if Override actions configured for Security Risks is checked, for If first action fails: select Quarantine risk or Delete risk. B. Highlight Dialers - if Override actions configured for Security Risks is checked, for If first action fails: select Quarantine risk or Delete risk. C. Highlight Hack Tools – if Override actions configured for Security Risks is checked, for If first action fails: select Quarantine risk or Delete risk. D. Highlight Joke Programs – if Override actions configured for Security Risks is checked, for If first action fails: select Quarantine risk or Delete risk. E. Highlight Other – if Override actions configured for Security Risks is checked, for If first action fails: select Quarantine risk or Delete risk. F. Highlight Remote Access – if Override actions configured for Security Risks is checked, for If first action fails: select Quarantine risk or Delete risk. G. Highlight Spyware – if Override actions configured for Security Risks is checked, for If first action fails: select Quarantine risk or Delete risk. H. Highlight Trackware - if Override actions configured for Security Risks is checked, for If first action fails: select Quarantine risk or Delete risk.

c

The antivirus signature file age exceeds 7 days.

High - V-19910 - SV-22091r1_rule

RMF Control

Severity

High

CCI

Version

DTAG008

Vuln IDs

V-19910

Rule IDs

SV-22091r1_rule

Antivirus signature files are updated almost daily by antivirus software vendors. These files are made available to antivirus clients as they are published. Keeping virus signature files as current as possible is vital to the security of any system. Note: If the vendor or trusted site’s files match the date of the signature files on the machine, this is not a finding. System Administrator

Checks: C-25631r1_chk

On the client machine, locate Symantec AntiVirus icon in the system tray. Click icon to open Symantec AntiVirus configuration screen. Observe "Virus Definitions File" area. Criteria: If the "Version:" date is older than 7 calendar days from the current date, this is a finding. Note: If the vendor or trusted site’s files are also older than 7 days and match the date of the signature files on the machine, this is not a finding.

Fix: F-20652r1_fix

Update client machines via the Symantec Enterprise Console. If this fails to update the client, update antivirus signature file as your local process describes (e.g. autoupdate or LiveUpdate).

Symantec AntiVirus Managed Client

Compare

View

Checks: C-23153r1_chk

Fix: F-19834r1_fix

Generate Mitigation Statement:

Checks: C-1059r2_chk

Fix: F-19835r1_fix

Generate Mitigation Statement:

Checks: C-1061r3_chk

Fix: F-19836r1_fix

Generate Mitigation Statement:

Checks: C-1087r2_chk

Fix: F-19837r1_fix

Generate Mitigation Statement:

Checks: C-1090r2_chk

Fix: F-19838r1_fix

Generate Mitigation Statement:

Checks: C-1168r2_chk

Fix: F-19839r1_fix

Generate Mitigation Statement:

Checks: C-1170r2_chk

Fix: F-19840r1_fix

Generate Mitigation Statement:

Checks: C-1174r4_chk

Fix: F-19907r1_fix

Generate Mitigation Statement:

Checks: C-1177r3_chk

Fix: F-19841r1_fix

Generate Mitigation Statement:

Checks: C-1182r2_chk

Fix: F-19842r1_fix

Generate Mitigation Statement:

Checks: C-1240r3_chk

Fix: F-19844r1_fix

Generate Mitigation Statement:

Checks: C-1243r4_chk

Fix: F-19845r1_fix

Generate Mitigation Statement:

Checks: C-1248r4_chk

Fix: F-19846r1_fix

Generate Mitigation Statement:

Checks: C-1922r4_chk

Fix: F-19847r1_fix

Generate Mitigation Statement:

Checks: C-1924r4_chk

Fix: F-19848r1_fix

Generate Mitigation Statement:

Checks: C-23187r1_chk

Fix: F-19849r1_fix

Generate Mitigation Statement:

Checks: C-23192r1_chk

Fix: F-19851r1_fix

Generate Mitigation Statement:

Checks: C-23194r1_chk

Fix: F-19852r1_fix

Generate Mitigation Statement:

Checks: C-23198r1_chk

Fix: F-19853r1_fix

Generate Mitigation Statement:

Checks: C-23199r1_chk

Fix: F-19854r1_fix

Generate Mitigation Statement:

Checks: C-23200r1_chk

Fix: F-19855r1_fix

Generate Mitigation Statement:

Checks: C-23201r1_chk

Fix: F-19856r1_fix

Generate Mitigation Statement:

Checks: C-23202r1_chk

Fix: F-19857r1_fix

Generate Mitigation Statement:

Checks: C-23204r1_chk

Fix: F-19858r1_fix

Generate Mitigation Statement:

Checks: C-12398r2_chk

Fix: F-19859r1_fix

Generate Mitigation Statement:

Checks: C-12405r2_chk

Fix: F-19860r1_fix