Symantec Endpoint Protection 12.1 Local Client Antivirus STIG

  • Version/Release: V1R4
  • Published: 2015-06-30
  • Expand All:
  • Severity:
  • Sort:
Compare

Select any two versions of this STIG to compare the individual requirements

View

Select any old version/release of this STIG to view the previous requirements

The Symantec Endpoint protection 12.1 Local Client Antivirus STIG is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the NIST 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.letterkenny.FSO.mbx.stig-customer-support-mailbox@mail.mil.
c
The Symantec Endpoint Protection clients antivirus signature file age must be no older than 7 days.
SI-3 - High - CCI-001240 - V-42665 - SV-55393r1_rule
RMF Control
SI-3
Severity
High
CCI
CCI-001240
Version
DTASEP001
Vuln IDs
  • V-42665
Rule IDs
  • SV-55393r1_rule
Antivirus signature files are updated almost daily by antivirus software vendors. These files are made available to antivirus clients as they are published. Keeping virus signature files as current as possible is vital to the security of any system. Without current virus definitions the virus scan will not be able to detect new viruses, putting the system and network at risk.
Checks: C-48935r1_chk

Note: If the vendor or trusted site’s files are also older than 7 days and match the date of the signature files on the machine, this is not a finding. On the machine, locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. Under the Status tab, observe the "Definitions:" area for Virus and Spyware Protection, Proactive Threat Protection, and Network Threat Protection. Criteria: If the "Definitions:" date is older than 7 calendar days from the current date, this is a finding. On the machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\public-opstate 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\CurrentVersion\public-opstate Criteria: If the "LatestVirusDefsDate" is older than 7 calendar days from the current date, this is a finding. Note: If the vendor or trusted site’s files are also older than 7 days and match the date of the signature files on the machine, this is not a finding.

Fix: F-48249r1_fix

Update client machines via the Symantec Enterprise Console. If this fails to update the client, update the antivirus signature files as local process describes (e.g., auto update or LiveUpdate).

b
The Symantec Endpoint Protection client User-defined Exceptions option must not be configured to exclude any files from scanning unless exclusions have been documented with, and approved by, the IAO/IAM.
SI-3 - Medium - CCI-001242 - V-42666 - SV-55394r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001242
Version
DTASEP002
Vuln IDs
  • V-42666
Rule IDs
  • SV-55394r1_rule
When scanning for malware, excluding specific file types will increase the risk of a malware-infected file going undetected. By configuring antivirus software to scan all file types, the scanner has a higher success rate at detecting and eradicating malware.
Checks: C-48937r1_chk

On the machine, locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen -> Select "Change Settings" on the left side of the screen -> Select "Configure Settings" for Exceptions -> Ensure there are not any User-defined Exceptions listed that are not documented with, and approved by, the IAO/IAM. Criteria: If any User-defined Exceptions are listed and not documented with, and approved by, the IAO/IAM, this is a finding.

Fix: F-48251r1_fix

On the client machine, locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen -> Select "Change Settings" on the left side of the screen -> Select "Configure Settings" for Exceptions. Remove any User-defined Exceptions that are not documented with, and approved by, the IAO/IAM.

b
The Symantec Endpoint Protection client Global Settings for Log Retention must be enabled and configured to retain logs for 30 days.
SI-3 - Medium - CCI-001242 - V-42667 - SV-55395r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001242
Version
DTASEP003
Vuln IDs
  • V-42667
Rule IDs
  • SV-55395r1_rule
Log management is essential to ensuring that computer security records are stored in sufficient detail for an appropriate period of time. Routine log analysis is beneficial for identifying security incidents, policy violations, fraudulent activity, and operational problems. Logs are also useful when performing auditing and forensic analysis, supporting internal investigations, establishing baselines, and identifying operational trends and long-term problems. (FISMA 800-92)
Checks: C-48938r1_chk

GUI check: Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Global Settings tab, Log Retention -> Ensure "Delete logs older than" is set to 30 days or greater. Criteria: If "Delete logs older than" is not set to 30 day or greater, this is a finding. On the machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV Criteria: If the value data for the LogFileRollOverDays values is not 1e (the hex value for 30) or higher, this is a finding.

Fix: F-48252r1_fix

Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Global Settings tab, Log Retention -> Set "Delete logs older than" to 30 days or greater.

b
The Symantec Endpoint Protection client must be scheduled to auto update.
SI-3 - Medium - CCI-001247 - V-42668 - SV-55396r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001247
Version
DTASEP004
Vuln IDs
  • V-42668
Rule IDs
  • SV-55396r1_rule
Antivirus signature files are updated almost daily by antivirus software vendors. These files are made available to antivirus clients as they are published. Keeping virus signature files as current as possible is vital to the security of any system. The antivirus software product must be configured to receive those updates automatically in order to afford the expected protection.
Checks: C-48939r1_chk

GUI check: Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Client Management -> Select Configure Settings -> Under the LiveUpdate tab -> Ensure "Enable automatic updates" is selected. Criteria: If "Enable automatic updates" is not selected, this is a finding. On the machine use the Windows Registry Editor to navigate to the following key: 32 bit and 64 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\LiveUpdate\Schedule Criteria: If Enabled is not set to 1, this is a finding.

Fix: F-48253r1_fix

Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Client Management -> Select Configure Settings -> Under the LiveUpdate tab -> Select "Enable automatic updates ".

b
The Symantec Endpoint Protection client Tamper Protection must be configured to block attempts to tamper with or shut down the client.
SI-3 - Medium - CCI-001248 - V-42669 - SV-55397r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001248
Version
DTASEP005
Vuln IDs
  • V-42669
Rule IDs
  • SV-55397r1_rule
For antivirus software to be effective, it must be running at all times, beginning from the point of the system's initial startup. Otherwise, the risk is greater for viruses, Trojans, and other malware infecting the system during that startup phase.
Checks: C-48940r1_chk

GUI check: Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Client Management -> Select Configure Settings -> Under the Tamper Protection tab -> Ensure "Protect Symantec security software from being tampered with or shut down" is selected. Criteria: If "Protect Symantec security software from being tampered with or shut down" is not selected, this is a finding.

Fix: F-48254r1_fix

Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Client Management -> Select Configure Settings -> Under the Tamper Protection tab -> Select "Protect Symantec security software from being tampered with or shut down".

c
The Symantec Endpoint Protection client must have the Symantec Client State Plug-in for ePO deployed.
SI-3 - High - CCI-001246 - V-42670 - SV-55398r1_rule
RMF Control
SI-3
Severity
High
CCI
CCI-001246
Version
DTASEP006
Vuln IDs
  • V-42670
Rule IDs
  • SV-55398r1_rule
All systems at DoD sites are managed by the site's HBSS ePO server for host based security. When sites choose to deploy Symantec AntiVirus products to their managed systems, these systems appear to HBSS as not protected for antivirus. When the HBSS ePO server uploads asset postures to US CYBERCOM, the systems will reflect as not having antivirus installed. In order that the Symantec status in the asset's posture within HBSS is reported, the Symantec Client Status plug-in needs to be deployed to the Symantec-install system from the HBSS ePO server and verified to be reporting its Symantec status back to the ePO server.
Checks: C-48941r1_chk

Note: This check is N/A for Stand alone systems which are NOT connected to HBSS. On the system to which the Symantec Endpoint Protection has been installed, find the McAfee Agent icon (red shield with white M) in the taskbar. Right-click the icon and choose "About". The dialog box which opens will reflect all installed products being managed by the McAfee agent, as deployed from the McAfee HBSS ePO server. Verify "Symantec Plugin" is listed as an installed product. If the McAfee Agent "About" properties do not include the Symantec Plugin as an installed product, this is a finding. On the machine use the Windows Registry Editor to navigate to the following key: 32 bit and 64 bit: HKLM\SOFTWARE\Network Associates\ePolicy Orchestrator\Application Plugins If the subkey "S_SYMC_1000" does not exist, this is a finding.

Fix: F-48255r1_fix

The fix will require the assistance of the HBSS administrator. The HBSS administrator should deploy the Symantec Client State Plugin from the HBSS ePO server and verify the system accurately reflects its installation.

b
The Symantec Endpoint Protection client must be verified as uploading SEP client detail to ePO.
SI-3 - Medium - CCI-001246 - V-42671 - SV-55399r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001246
Version
DTASEP007
Vuln IDs
  • V-42671
Rule IDs
  • SV-55399r1_rule
All systems at DoD sites are managed by the site's HBSS ePO server for host based security. When sites choose to deploy Symantec AntiVirus products to their managed systems, these systems appear to HBSS as not protected for antivirus. When the HBSS ePO server uploads asset postures to US CYBERCOM, the systems will reflect as not having antivirus installed. In order that the Symantec status in the asset's posture within HBSS is reported, the Symantec Client Status plug-in needs to be deployed to the Symantec-install system from the HBSS ePO server and verified to be reporting its Symantec status back to the ePO server.
Checks: C-48942r1_chk

Note: This check is N/A for Stand alone systems which are NOT connected to HBSS. On the system to which the Symantec Endpoint Protection has been installed, open a Windows Explorer window and navigate to C:\ProgramData\McAfee\Common Framework (on 64-bit systems) or C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework (on 32-bit systems). Find and open with Internet Explorer the file named LastPropsSentToServer.xml. Verify the following information in the file: <LastUpdate> should be recent (current day) SoftwareID="S_SEPEVT1100" Setting name="ProductName">Symantec Endpoint Protection Setting name="szProductVer">12.1.1101.401 If the LastPropsSentToServer.xml does not reflect a current <LastUpdate> date and/or does not include a section for SoftwareID="S_SEPEVT1100", this is a finding.

Fix: F-48256r1_fix

The fix will require assistance of the HBSS administrator. The HBSS administrator should verify the McAfee Agent is successfully communicating to the ePO server. The HBSS administrator should re-deploy the Symantec Client State Plugin and verify it uploads Symantec client status correctly to the ePO server.

b
The Symantec Endpoint Protection clients File Reputation Data Submission must be disabled from automatically forwarding selected anonymous security information to Symantec.
SI-3 - Medium - CCI-001242 - V-42672 - SV-55400r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001242
Version
DTASEP008
Vuln IDs
  • V-42672
Rule IDs
  • SV-55400r1_rule
Antivirus software vendors use collective intelligence from sensors and cross-vector intelligence from web, email, and network threats to compile scores that reflect the likelihood of whether a file in question is malware. The collective intelligence is constantly being updated, more frequently than the typical daily antivirus signature files. With File Reputation lookup, a more real-time response to potential malicious code is realized than with the local-running antivirus software, since querying the cloud-based database when a file appears to be suspicious provides up-to-the-minute intelligence. This type of protection reduces the threat protection time period from days to milliseconds, increases malware detection rates and reduces downtime and remediation costs associated with malware attacks. Using File Reputation lookup is mandated by US CYBERCOM on DoD systems.
Checks: C-48943r1_chk

GUI check: Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> under Client Management -> Select Configure Settings -> Under the Submissions tab - > Ensure "Let this computer automatically forward selected anonymous security information to Symantec" is not selected. Criteria: If "Let this computer automatically forward selected anonymous security information to Symantec" is selected, this is a finding.

Fix: F-48257r1_fix

Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> under Client Management -> Select Configure Settings -> Under the Submissions tab - > Ensure "Let this computer automatically forward selected anonymous security information to Symantec" is not selected.

b
The Symantec Endpoint Protection client Insight lookup for threat detection must be enabled.
SI-3 - Medium - CCI-001242 - V-42673 - SV-55401r2_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001242
Version
DTASEP009
Vuln IDs
  • V-42673
Rule IDs
  • SV-55401r2_rule
Antivirus software vendors use collective intelligence from sensors and cross-vector intelligence from web, email, and network threats to compile scores that reflect the likelihood of whether a file in question is malware. The collective intelligence is constantly being updated, more frequently than the typical daily antivirus signature files. With File Reputation lookup, a more real-time response to potential malicious code is realized than with the local-running antivirus software, since querying the cloud-based database when a file appears to be suspicious provides up-to-the-minute intelligence. This type of protection reduces the threat protection time period from days to milliseconds, increases malware detection rates and reduces downtime and remediation costs associated with malware attacks. Using File Reputation lookup is mandated by US CYBERCOM on DoD systems.
Checks: C-48944r3_chk

Note: This check is Not Applicable for SIPRNet or higher networks. GUI check: Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to the open Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> under the Global Settings tab, Scan Options -> Ensure "Enable Insight for:" is selected. Criteria: If "Enable Insight for:" is not selected, this is a finding.

Fix: F-48258r1_fix

Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to the open Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> under the Global Settings tab, Scan Options -> Select "Enable Insight for:".

c
The Symantec Endpoint Protection client File System Auto-Protect must be enabled.
SI-3 - High - CCI-001242 - V-42674 - SV-55402r1_rule
RMF Control
SI-3
Severity
High
CCI
CCI-001242
Version
DTASEP010
Vuln IDs
  • V-42674
Rule IDs
  • SV-55402r1_rule
For antivirus software to be effective, it must be running at all times, beginning from the point of the system's initial startup. Otherwise, the risk is greater for viruses, Trojans, and other malware infecting the system during that startup phase.
Checks: C-48945r1_chk

GUI check: Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Auto-Protect tab -> Ensure "Enable File System Auto-Protect" is selected. Criteria: If "Enable File System Auto-Protect" is not selected, this is a finding. On the machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan Criteria: If the value of APEOff is not 0, this is a finding.

Fix: F-48259r1_fix

Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Auto-Protect tab -> Select "Enable File System Auto-Protect".

b
The Symantec Endpoint Protection client Auto-Protect reload must be configured to stop and reload when the configuration changes.
SI-3 - Medium - CCI-001242 - V-42675 - SV-55403r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001242
Version
DTASEP011
Vuln IDs
  • V-42675
Rule IDs
  • SV-55403r1_rule
Antivirus software is the most commonly used technical control for malware threat mitigation. Antivirus software on hosts should be configured to scan all hard drives regularly to identify any file system infections and to scan any removable media, if applicable, before media is inserted into the system. Not scheduling a regular scan of the hard drives of a system and/or not configuring the scan to scan all files and running processes introduces a higher risk of threats going undetected.
Checks: C-48946r1_chk

GUI check: Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to the open Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Auto-Protect tab -> Select Advanced -> Under the Changes requiring Auto-Protect reload -> Ensure "Stop and reload Auto-Protect" is selected. Criteria: If "Stop and reload Auto-Protect" is not selected, this is a finding. On the machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan Criteria: If the value of ConfigRestart is not 1, this is a finding.

Fix: F-48260r1_fix

Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to the open Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Auto-Protect tab -> Select Advanced -> Under the Changes requiring Auto-Protect reload -> Select "Stop and reload Auto-Protect".

b
The Symantec Endpoint Protection client Auto-Protect File Types options must be configured to scan all files.
SI-3 - Medium - CCI-001242 - V-42676 - SV-55404r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001242
Version
DTASEP012
Vuln IDs
  • V-42676
Rule IDs
  • SV-55404r1_rule
When scanning for malware, excluding specific file types will increase the risk of a malware-infected file going undetected. By configuring antivirus software to scan all file types, the scanner has a higher success rate at detecting and eradicating malware.
Checks: C-48947r1_chk

GUI check: Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Auto-Protect tab, File Types -> Ensure "All types" is selected. Criteria: If "All types" is not selected, this is a finding. On the machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan 64 bit: HKLM\SOFTWARE\Wow632Node\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan Criteria: If the value of FileType is not 0, this is a finding.

Fix: F-48261r1_fix

Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Auto-Protect tab, File Types -> Select "All types".

b
The Symantec Endpoint Protection Auto-Protect client Detection Options must be configured to display a notification to the user when a risk is detected.
SI-3 - Medium - CCI-001242 - V-42677 - SV-55405r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001242
Version
DTASEP013
Vuln IDs
  • V-42677
Rule IDs
  • SV-55405r1_rule
An effective awareness program explains proper rules of behavior for use of an organization's IT systems and information. Accordingly, awareness programs should include guidance to users on malware incident prevention, which can help reduce the frequency and severity of malware incidents. Organizations should also make users aware of policies and procedures that apply to malware incident handling, such as how to identify if a host may be infected, how to report a suspected incident, and what users need to do to assist with incident handling Having the antivirus software alert a users when a risk is detected will ensure the user is aware of the incident and will make it possible to more closely relate the incident to any action(s) being performed by the user at the time of the detection.
Checks: C-48948r1_chk

GUI check: Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Auto-Protect tab -> Select Notifications -> Under the Detection options -> Ensure "Display a notification message when a risk is detected" is selected. Criteria: If "Display a notification message when a risk is detected" is not selected, this is a finding. On the machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan Criteria: If the value of MessageBox is not 1, this is a finding.

Fix: F-48262r1_fix

Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Auto-Protect tab -> Select Notifications -> Under the Detection options -> Select "Display a notification message when a risk is detected".

b
The Symantec Endpoint Protection client Auto-Protect Advanced Options must be configured to scan files when accessed or modified.
SI-3 - Medium - CCI-001242 - V-42678 - SV-55406r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001242
Version
DTASEP014
Vuln IDs
  • V-42678
Rule IDs
  • SV-55406r1_rule
Interpreted viruses are executed by an application. Within this subcategory, macro viruses take advantage of the capabilities of applications' macro programming language to infect application documents and document templates, while scripting viruses infect scripts that are understood by scripting languages processed by services on the OS. Many attackers use toolkits containing several different types of utilities and scripts that can be used to probe and attack hosts. (NIST SP 800-83) The scanning of files when accessed or modified is crucial in preventing these attacks.
Checks: C-48949r1_chk

GUI check: Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Auto-Protect tab -> Select Advanced -> Under Scan files when -> Ensure "Scan when a file is accessed or modified" is selected. Criteria: If "Scan when a file is accessed or modified" is not selected, this is a finding. On the machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan Criteria: If the value of Reads is not 1, this is a finding.

Fix: F-48263r1_fix

Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Auto-Protect tab -> Select Advanced -> Under Scan files when -> Select "Scan when a file is accessed or modified".

b
The Symantec Endpoint Protection client Auto-Protect Backup Option must be disabled to prevent backing up infected files before attempting to repair them.
SI-3 - Medium - CCI-001242 - V-42679 - SV-55407r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001242
Version
DTASEP015
Vuln IDs
  • V-42679
Rule IDs
  • SV-55407r1_rule
Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infection capability on their own, they rely on malware or other attach mechanisms to be installed onto target hosts, after which they will collect and transfer data from the host to an external host and/or will be used as attach mechanisms. Configuring the antivirus software to attempt to clean the file first will allow for the possibility of a false positive. If files are backed up before they are repaired, this could possibly allow the infection to stay on the system.
Checks: C-48950r1_chk

GUI check: Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Auto-Protect tab -> Select Advanced -> Under Backup options -> Ensure "Back up files before attempting to repair them" is not selected. Criteria: If "Back up files before attempting to repair them" is selected, this is a finding. On the machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan Criteria: If the value of BackupToQuarantine is not 0, this is a finding.

Fix: F-48264r1_fix

Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Auto-Protect tab -> Select Advanced -> Under Backup options -> Ensure "Back up files before attempting to repair them" is not selected.

b
The Symantec Endpoint Protection client Auto-Protect Advanced Options Automatic enablement setting must be enabled.
SI-3 - Medium - CCI-001242 - V-42680 - SV-55408r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001242
Version
DTASEP016
Vuln IDs
  • V-42680
Rule IDs
  • SV-55408r1_rule
For antivirus software to be effective, it must be running at all times, beginning from the point of the system's initial startup. Otherwise, the risk is greater for viruses, Trojans, and other malware infecting the system during that startup phase.
Checks: C-48951r1_chk

GUI check: Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Auto-Protect tab -> Select Advanced -> Under Automatic enablement -> Ensure "When Auto-Protect is disabled, enable after" is selected -> Ensure time limit is set to 5 minutes or less. Criteria: If "When Auto-Protect is disabled, enable after" is not selected, this is a finding. If "When Auto-Protect is disabled, enable after" is selected and the time limit is not set to 5 minutes or less, this is a finding. On the machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan Criteria: If the value of APEOn is not 1 and the value of APESleep is not <= 5, this is a finding. If APESleep is > 5 or APEOn is not 1, this is a finding.

Fix: F-48265r1_fix

Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Auto-Protect tab -> Select Advanced -> Under Automatic enablement -> Select "When Auto-Protect is disabled, enable after" -> Set the time limit to 5 minutes or less.

b
The Symantec Endpoint Protection client Auto-Protect Advanced Options Floppy Settings must be enabled to scan for boot viruses.
SI-3 - Medium - CCI-001242 - V-42681 - SV-55409r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001242
Version
DTASEP017
Vuln IDs
  • V-42681
Rule IDs
  • SV-55409r1_rule
Computer viruses in the early days of personal computing were almost exclusively passed around by floppy disks. Floppy disks would be used to boot the computer and, if infected, would infect the hard drive files, as well. Although floppy drives have fallen out of use, it is still a good security practice, whenever the antivirus software allows, to enable the scanning software to scan a floppy disk for boot viruses.
Checks: C-48952r1_chk

GUI check: Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Auto-Protect tab -> Select Advanced -> Under Additional advanced options -> Select Floppies -> Under Floppy settings -> Ensure "Check floppies for boot viruses when accessed" is selected. Criteria: If "Check floppies for boot viruses when accessed" is not selected, this is a finding. On the machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan Criteria: If the value of ScanFloppyBROnAccess is not 1, this is a finding.

Fix: F-48266r1_fix

Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Auto-Protect tab -> Select Advanced -> Under Additional advanced options -> Select Floppies -> Under Floppy settings -> Select "Check floppies for boot viruses when accessed".

b
The Symantec Endpoint Protection client Auto-Protect Advanced Options Floppy Settings must be configured to check floppies when the system shuts down.
SI-3 - Medium - CCI-001242 - V-42682 - SV-55410r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001242
Version
DTASEP018
Vuln IDs
  • V-42682
Rule IDs
  • SV-55410r1_rule
Computer viruses in the early days of personal computing were almost exclusively passed around by floppy disks. Floppy disks would be used to boot the computer and, if infected, would infect the hard drive files, as well. Although floppy drives have fallen out of use, it is still a good security practice, whenever the antivirus software allows, to enable the scanning software to scan a floppy disk at shutdown.
Checks: C-48953r1_chk

GUI check: Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Auto-Protect tab -> Select Advanced -> Under Additional advanced options -> Select Floppies -> Under Computer shutdown settings -> Ensure "Check floppies when the computer shuts down" is selected. Criteria: If "Check floppies when the computer shuts down" is not selected, this is a finding. On the machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan Criteria: If the value of SkipShutDownFloppyCheck is not 0, this is a finding.

Fix: F-48267r1_fix

Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Auto-Protect tab -> Select Advanced -> Under Additional advanced options -> Select Floppies -> Under Computer shutdown settings -> Select "Check floppies when the computer shuts down".

b
The Symantec Endpoint Protection client Auto-Protect option to Scan for Security Risks must be enabled.
SI-3 - Medium - CCI-001242 - V-42683 - SV-55411r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001242
Version
DTASEP019
Vuln IDs
  • V-42683
Rule IDs
  • SV-55411r1_rule
Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infection capability on their own, they rely on malware or other attach mechanisms to be installed onto target hosts, after which they will collect and transfer data from the host to an external host and/or will be used as attach mechanisms. The scanning for unknown program viruses will mitigate zero day attacks.
Checks: C-48954r1_chk

GUI check: Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Auto-Protect tab, under Options -> Ensure "Scan for security risks" is selected. Criteria: If "Scan for security risks" is not selected, this is a finding. On the machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan Criteria: If the value of RespondToThreats is not 3, this is a finding.

Fix: F-48268r1_fix

Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Auto-Protect tab, under Options -> Select "Scan for security risks".

b
The Symantec Endpoint Protection client Auto-Protect option to Delete newly created infected files must be enabled.
SI-3 - Medium - CCI-001242 - V-42684 - SV-55412r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001242
Version
DTASEP020
Vuln IDs
  • V-42684
Rule IDs
  • SV-55412r1_rule
Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infection capability on their own, they rely on malware or other attach mechanisms to be installed onto target hosts, after which they will collect and transfer data from the host to an external host and/or will be used as attach mechanisms. The scanning for unknown program viruses will mitigate zero day attacks.
Checks: C-48955r1_chk

GUI check: Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Auto-Protect tab -> Select Advanced -> Under Other options -> Ensure "Always delete newly created infected files" is selected. Criteria: If "Always delete newly created infected files" is not selected, this is a finding. On the machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan Criteria: If the value of DeleteInfectedOnCreate is not 1, this is a finding.

Fix: F-48269r1_fix

Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Auto-Protect tab -> Select Advanced -> Under Other options -> Select "Always delete newly created infected files".

b
The Symantec Endpoint Protection client Auto-Protect Risk Tracer must be enabled.
SI-3 - Medium - CCI-001242 - V-42685 - SV-55413r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001242
Version
DTASEP021
Vuln IDs
  • V-42685
Rule IDs
  • SV-55413r1_rule
Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infection capability on their own, they rely on malware or other attach mechanisms to be installed onto target hosts, after which they will collect and transfer data from the host to an external host and/or will be used as attach mechanisms. The scanning for unknown program viruses will mitigate zero day attacks.
Checks: C-48956r1_chk

GUI check: Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Auto-Protect tab -> Select Advanced -> Under Risk Tracer -> Ensure "Enable Risk Tracer" is selected. Criteria: If "Enable Risk Tracer", is not selected, this is a finding. On the machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan Criteria: If the value of ThreatTracerOnOff is not 1, this is a finding.

Fix: F-48270r1_fix

Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Auto-Protect tab -> Select Advanced -> Under Risk Tracer -> Select "Enable Risk Tracer".

b
The Symantec Endpoint Protection client Auto-Protect Risk Tracer must be configured to resolve source IP address.
SI-3 - Medium - CCI-001242 - V-42686 - SV-55414r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001242
Version
DTASEP022
Vuln IDs
  • V-42686
Rule IDs
  • SV-55414r1_rule
Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infection capability on their own, they rely on malware or other attach mechanisms to be installed onto target hosts, after which they will collect and transfer data from the host to an external host and/or will be used as attach mechanisms. The scanning for unknown program viruses will mitigate zero day attacks.
Checks: C-48957r1_chk

GUI check: Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Auto-Protect tab -> Select Advanced -> Under Risk Tracer -> Ensure "Resolve the source computer IP address", is selected. Criteria: If "Resolve the source computer IP address", is not selected, this is a finding. On the machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan Criteria: If the value of ThreatTracerResolveIP is not 1, this is a finding.

Fix: F-48271r1_fix

Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Auto-Protect tab -> Select Advanced -> Under Risk Tracer -> Select "Resolve the source computer IP address".

b
The Symantec Endpoint Protection client Auto-Protect Risk Tracer must be configured to poll network sessions.
SI-3 - Medium - CCI-001242 - V-42687 - SV-55415r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001242
Version
DTASEP023
Vuln IDs
  • V-42687
Rule IDs
  • SV-55415r1_rule
Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infection capability on their own, they rely on malware or other attach mechanisms to be installed onto target hosts, after which they will collect and transfer data from the host to an external host and/or will be used as attach mechanisms. The scanning for unknown program viruses will mitigate zero day attacks.
Checks: C-48958r1_chk

GUI check: Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Auto-Protect tab -> Select Advanced -> Under Risk Tracer -> Ensure "Poll for network sessions every:" is selected and set to 10000 milliseconds. Criteria: If "Poll for network sessions every:" is not selected and set to 10000 milliseconds, this is a finding. On the machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan Criteria: If the value of ThreatTracerSleepMsecs is not set to 10000 milliseconds, this is a finding.

Fix: F-48272r1_fix

Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Auto-Protect tab -> Select Advanced -> Under Risk Tracer -> Select "Poll for network sessions every:" and set it to 10000 milliseconds.

b
The Symantec Endpoint Protection client Global Settings Bloodhound heuristic technology must be enabled.
SI-3 - Medium - CCI-001242 - V-42688 - SV-55416r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001242
Version
DTASEP024
Vuln IDs
  • V-42688
Rule IDs
  • SV-55416r1_rule
Bloodhound Virus detection scans of outgoing email messages helps to prevent the spread of threats such as worms that can use email clients to replicate and distribute themselves across a network.
Checks: C-48959r1_chk

GUI check: Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Global Settings tab -> Under Scan Options -> Ensure "Enable Bloodhound heuristic virus detection" is selected. Criteria: If "Enable Bloodhound heuristic virus detection" is not selected, this is a finding.

Fix: F-48273r1_fix

Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Global Settings tab -> Under Scan Options -> Select "Enable Bloodhound heuristic virus detection".

b
The Symantec Endpoint Protection client Global Scan Heuristics Level must be set to Automatic, at a minimum.
SI-3 - Medium - CCI-001242 - V-42690 - SV-55418r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001242
Version
DTASEP026
Vuln IDs
  • V-42690
Rule IDs
  • SV-55418r1_rule
Heuristics analyzes a program's structure, its behavior, and other attributes for virus-like characteristics. In many cases, it can protect against threats such as mass-mailing worms and macro viruses, if they are encountered before virus definitions are updated. Advanced heuristics looks for script-based threats in HTML, VBScript, and JavaScript files.
Checks: C-48961r2_chk

GUI check: Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Global Settings tab -> Under Scan Options -> Ensure "Enable Bloodhound heuristic virus detection" is set to Automatic at a minimum. Criteria: If "Enable Bloodhound heuristic virus detection" is not set to Automatic at a minimum, this is a finding.

Fix: F-48275r1_fix

Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Global Settings tab -> Under Scan Options -> Set "Enable Bloodhound heuristic virus detection" to Automatic at a minimum.

b
The Symantec Endpoint Protection client Auto-Protect Scan Actions settings must be explicitly configured at the top, Malware, level and not be overridden by sub-levels.
SI-3 - Medium - CCI-001243 - V-42692 - SV-55420r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001243
Version
DTASEP027
Vuln IDs
  • V-42692
Rule IDs
  • SV-55420r1_rule
Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infection capability on their own, they rely on malware or other attach mechanisms to be installed onto target hosts, after which they will collect and transfer data from the host to an external host and/or will be used as attach mechanisms. Configuring the antivirus software to attempt to delete the file first will prevent the infection from spreading.
Checks: C-48963r3_chk

GUI check: Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Auto-Protect tab -> Select Actions -> Under Malware -> Select Virus -> Ensure "Override actions configured for Malware" is NOT selected. Criteria: If "Override actions configured for Malware" is selected, this is a finding. On the machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan\Malware Criteria: If the value of FirstAction is not 5, this is a finding. If the value of FirstAction is 5, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan\Malware\TCID-0 is 0 or the value is not there, this is not a finding. 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan\Malware Criteria: If the value of FirstAction is not 5, this is a finding. If the value FirstAction is 5, then check A. A must be compliant for the check to be not a finding. A - If the of value of OverrideDefaultActions within HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan\Malware\TCID-0 is 0 or the value is not there, this is not a finding.

Fix: F-48277r1_fix

Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Auto-Protect tab -> Select Actions -> Under Malware -> Select Virus -> Ensure "Override actions configured for Malware" is NOT selected.

b
The Symantec Endpoint Protection client Auto-Protect Scan Actions for Malware must be configured to Clean Risk as the first action upon detection.
SI-3 - Medium - CCI-001243 - V-42694 - SV-55422r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001243
Version
DTASEP028
Vuln IDs
  • V-42694
Rule IDs
  • SV-55422r1_rule
Malware may have infected a file that is necessary to the user. By configuring the antivirus software to first attempt cleaning the infected file, availability to the file is not sacrificed. If a cleaning attempt is not successful, however, deleting the file is the only safe option to ensure the malware is not introduced onto the system or network.
Checks: C-48965r3_chk

GUI check: Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Auto-Protect tab -> Select Actions -> Select Malware -> Ensure First action is set to "Clean Risk". Criteria: If First action is not set to "Clean Risk", this is a finding. On the machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan\Malware 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan\Malware Criteria: If the value of "FirstAction" is not 5, this is a finding.

Fix: F-48279r1_fix

Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Auto-Protect tab -> Select Actions -> Select Malware -> Set First action to "Clean Risk".

b
The Symantec Endpoint Protection client Auto-Protect Scan Actions for Malware must be configured to Delete Risk if first action fails.
SI-3 - Medium - CCI-001243 - V-42695 - SV-55423r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001243
Version
DTASEP029
Vuln IDs
  • V-42695
Rule IDs
  • SV-55423r1_rule
Malware may have infected a file that is necessary to the user. By configuring the antivirus software to first attempt cleaning the infected file, availability to the file is not sacrificed. If a cleaning attempt is not successful, however, deleting the file is the only safe option to ensure the malware is not introduced onto the system or network.
Checks: C-48967r3_chk

GUI check: Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Auto-Protect tab -> Select Actions -> Select Malware -> Ensure If first action fails is set to "Delete Risk". Criteria: If first action fails is not set to "Delete Risk", this is a finding. On the machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan\Malware 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan\Malware Criteria: If the value of "SecondAction" is not 3, this is a finding.

Fix: F-48280r1_fix

Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Auto-Protect tab -> Select Actions -> Select Malware -> Set If first action fails to "Delete Risk".

b
The Symantec Endpoint Protection client Auto-Protect Scan Actions settings must be explicitly configured at the top, Security Risks, level and not be overridden by the Adware sub-level.
SI-3 - Medium - CCI-001243 - V-42696 - SV-55424r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001243
Version
DTASEP030
Vuln IDs
  • V-42696
Rule IDs
  • SV-55424r1_rule
Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infection capability on their own, they rely on malware or other attach mechanisms to be installed onto target hosts, after which they will collect and transfer data from the host to an external host and/or will be used as attach mechanisms. Configuring the antivirus software to attempt to delete the file first will prevent the infection from spreading.
Checks: C-48968r1_chk

GUI check: Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Auto-Protect tab -> Select Actions -> Under Security Risks -> Select Adware -> Ensure "Override actions configured for Security Risks" is NOT selected. Criteria: If "Override actions configured for Security Risks" is selected, this is a finding. On the machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem \RealTimeScan\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan\Expanded\TCID-10 is 0 or the value is not there, this is not a finding. 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem \RealTimeScan\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan\Expanded\TCID-10 is 0 or the value is not there, this is not a finding.

Fix: F-48281r1_fix

Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Auto-Protect tab -> Select Actions -> Under Security Risks -> Select Adware -> Ensure "Override actions configured for Security Risks" is NOT selected.

b
The Symantec Endpoint Protection client Auto-Protect Scan Actions settings must be explicitly configured at the top, Security Risks, level and not be overridden by the Dialer sub-level.
SI-3 - Medium - CCI-001243 - V-42697 - SV-55425r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001243
Version
DTASEP031
Vuln IDs
  • V-42697
Rule IDs
  • SV-55425r1_rule
Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infection capability on their own, they rely on malware or other attach mechanisms to be installed onto target hosts, after which they will collect and transfer data from the host to an external host and/or will be used as attach mechanisms. Configuring the antivirus software to attempt to delete the file first will prevent the infection from spreading.
Checks: C-48969r1_chk

GUI check: Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Auto-Protect tab -> Select Actions -> Under Security Risks -> Select Dialer-> Ensure "Override actions configured for Security Risks" is NOT selected. Criteria: If "Override actions configured for Security Risks" is selected, this is a finding. On the machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem \RealTimeScan\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan\Expanded\TCID-8 is 0 or the value is not there, this is not a finding. 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem \RealTimeScan\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan\Expanded\TCID-8 is 0 or the value is not there, this is not a finding.

Fix: F-48282r1_fix

Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Auto-Protect tab -> Select Actions -> Under Security Risks -> Select Dialer-> Ensure "Override actions configured for Security Risks" is NOT selected.

b
The Symantec Endpoint Protection client Auto-Protect Scan Actions settings must be explicitly configured at the top, Security Risks, level and not be overridden by the Hack Tool sub-level.
SI-3 - Medium - CCI-001243 - V-42698 - SV-55426r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001243
Version
DTASEP032
Vuln IDs
  • V-42698
Rule IDs
  • SV-55426r1_rule
Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infection capability on their own, they rely on malware or other attach mechanisms to be installed onto target hosts, after which they will collect and transfer data from the host to an external host and/or will be used as attach mechanisms. Configuring the antivirus software to attempt to delete the file first will prevent the infection from spreading.
Checks: C-48970r1_chk

GUI check: Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Auto-Protect tab -> Select Actions -> Under Security Risks -> Select Hack Tool -> Ensure "Override actions configured for Security Risks" is NOT selected. Criteria: If "Override actions configured for Security Risks" is selected, this is a finding. On the machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem \RealTimeScan\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan\Expanded\TCID-5 is 0 or the value is not there, this is not a finding. 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem \RealTimeScan\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan\Expanded\TCID-5 is 0 or the value is not there, this is not a finding.

Fix: F-48283r1_fix

Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Auto-Protect tab -> Select Actions -> Under Security Risks -> Select Hack Tool -> Ensure "Override actions configured for Security Risks" is NOT selected.

b
The Symantec Endpoint Protection client Auto-Protect Scan Actions settings must be explicitly configured at the top, Security Risks, level and not be overridden by the Joke Program sub-level.
SI-3 - Medium - CCI-001243 - V-42699 - SV-55427r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001243
Version
DTASEP033
Vuln IDs
  • V-42699
Rule IDs
  • SV-55427r1_rule
Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infection capability on their own, they rely on malware or other attach mechanisms to be installed onto target hosts, after which they will collect and transfer data from the host to an external host and/or will be used as attach mechanisms. Configuring the antivirus software to attempt to delete the file first will prevent the infection from spreading.
Checks: C-48971r1_chk

GUI check: Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Auto-Protect tab -> Select Actions -> Under Security Risks -> Select Joke Program -> Ensure "Override actions configured for Security Risks" is NOT selected. Criteria: If "Override actions configured for Security Risks" is selected, this is a finding. On the machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem \RealTimeScan\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan\Expanded\TCID-11 is 0 or the value is not there, this is not a finding. 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem \RealTimeScan\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan\Expanded\TCID-11 is 0 or the value is not there, this is not a finding.

Fix: F-48284r1_fix

Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Auto-Protect tab -> Select Actions -> Under Security Risks -> Select Joke Program -> Ensure "Override actions configured for Security Risks" is NOT selected.

b
The Symantec Endpoint Protection client Auto-Protect Scan Actions settings must be explicitly configured at the top, Security Risks, level and not be overridden by the Misleading Application sub-level.
SI-3 - Medium - CCI-001243 - V-42700 - SV-55428r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001243
Version
DTASEP034
Vuln IDs
  • V-42700
Rule IDs
  • SV-55428r1_rule
Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infection capability on their own, they rely on malware or other attach mechanisms to be installed onto target hosts, after which they will collect and transfer data from the host to an external host and/or will be used as attach mechanisms. Configuring the antivirus software to attempt to delete the file first will prevent the infection from spreading.
Checks: C-48972r1_chk

GUI check: Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Auto-Protect tab -> Select Actions -> Under Security Risks -> Select Misleading Application -> Ensure "Override actions configured for Security Risks" is NOT selected. Criteria: If "Override actions configured for Security Risks" is selected, this is a finding. On the machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem \RealTimeScan\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan\Expanded\TCID-14 is 0 or the value is not there, this is not a finding. 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem \RealTimeScan\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan\Expanded\TCID-14 is 0 or the value is not there, this is not a finding.

Fix: F-48285r1_fix

Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Auto-Protect tab -> Select Actions -> Under Security Risks -> Select Misleading Application -> Ensure "Override actions configured for Security Risks" is NOT selected.

b
The Symantec Endpoint Protection client Auto-Protect Scan Actions settings must be explicitly configured at the top, Security Risks, level and not be overridden by the Parental Control sub-level.
SI-3 - Medium - CCI-001243 - V-42701 - SV-55429r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001243
Version
DTASEP035
Vuln IDs
  • V-42701
Rule IDs
  • SV-55429r1_rule
Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infection capability on their own, they rely on malware or other attach mechanisms to be installed onto target hosts, after which they will collect and transfer data from the host to an external host and/or will be used as attach mechanisms. Configuring the antivirus software to attempt to delete the file first will prevent the infection from spreading.
Checks: C-48973r1_chk

GUI check: Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Auto-Protect tab -> Select Actions -> Under Security Risks -> Select Parental Control -> Ensure "Override actions configured for Security Risks" is NOT selected. Criteria: If "Override actions configured for Security Risks" is selected, this is a finding. On the machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem \RealTimeScan\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan\Expanded\TCID-17 is 0 or the value is not there, this is not a finding. 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem \RealTimeScan\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan\Expanded\TCID-17 is 0 or the value is not there, this is not a finding.

Fix: F-48286r1_fix

Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Auto-Protect tab -> Select Actions -> Under Security Risks -> Select Parental Control -> Ensure "Override actions configured for Security Risks" is NOT selected.

b
The Symantec Endpoint Protection client Auto-Protect Scan Actions settings must be explicitly configured at the top, Security Risks, level and not be overridden by the Remote Access sub-level.
SI-3 - Medium - CCI-001243 - V-42737 - SV-55465r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001243
Version
DTASEP036
Vuln IDs
  • V-42737
Rule IDs
  • SV-55465r1_rule
Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infection capability on their own, they rely on malware or other attach mechanisms to be installed onto target hosts, after which they will collect and transfer data from the host to an external host and/or will be used as attach mechanisms. Configuring the antivirus software to attempt to delete the file first will prevent the infection from spreading.
Checks: C-49009r1_chk

GUI check: Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Auto-Protect tab -> Select Actions -> Under Security Risks -> Select Remote Access -> Ensure "Override actions configured for Security Risks" is NOT selected. Criteria: If "Override actions configured for Security Risks" is selected, this is a finding. On the machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem \RealTimeScan\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan\Expanded\TCID-9 is 0 or the value is not there, this is not a finding. 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem \RealTimeScan\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan\Expanded\TCID-9 is 0 or the value is not there, this is not a finding.

Fix: F-48323r1_fix

Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Auto-Protect tab -> Select Actions -> Under Security Risks -> Select Remote Access -> Ensure "Override actions configured for Security Risks" is NOT selected.

b
The Symantec Endpoint Protection client Auto-Protect Scan Actions settings must be explicitly configured at the top, Security Risks, level and not be overridden by the Security Assessment Tool sub-level.
SI-3 - Medium - CCI-001243 - V-42738 - SV-55466r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001243
Version
DTASEP037
Vuln IDs
  • V-42738
Rule IDs
  • SV-55466r1_rule
Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infection capability on their own, they rely on malware or other attach mechanisms to be installed onto target hosts, after which they will collect and transfer data from the host to an external host and/or will be used as attach mechanisms. Configuring the antivirus software to attempt to delete the file first will prevent the infection from spreading.
Checks: C-49010r1_chk

GUI check: Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Auto-Protect tab -> Select Actions -> Under Security Risks -> Select Security Assessment Tool -> Ensure "Override actions configured for Security Risks" is NOT selected. Criteria: If "Override actions configured for Security Risks" is selected, this is a finding. On the machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem \RealTimeScan\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan\Expanded\TCID-13 is 0 or the value is not there, this is not a finding. 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem \RealTimeScan\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan\Expanded\TCID-13 is 0 or the value is not there, this is not a finding.

Fix: F-48324r1_fix

Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Auto-Protect tab -> Select Actions -> Under Security Risks -> Select Security Assessment Tool -> Ensure "Override actions configured for Security Risks" is NOT selected.

b
The Symantec Endpoint Protection client Auto-Protect Scan Actions settings must be explicitly configured at the top, Security Risks, level and not be overridden by the Security Risk sub-level.
SI-3 - Medium - CCI-001243 - V-42739 - SV-55467r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001243
Version
DTASEP038
Vuln IDs
  • V-42739
Rule IDs
  • SV-55467r1_rule
Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infection capability on their own, they rely on malware or other attach mechanisms to be installed onto target hosts, after which they will collect and transfer data from the host to an external host and/or will be used as attach mechanisms. Configuring the antivirus software to attempt to delete the file first will prevent the infection from spreading.
Checks: C-49011r1_chk

GUI check: Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Auto-Protect tab -> Select Actions -> Under Security Risks -> Select Security Risk -> Ensure "Override actions configured for Security Risks" is NOT selected. Criteria: If "Override actions configured for Security Risks" is selected, this is a finding. On the machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem \RealTimeScan\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan\Expanded\TCID-4 is 0 or the value is not there, this is not a finding. 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem \RealTimeScan\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan\Expanded\TCID-4 is 0 or the value is not there, this is not a finding.

Fix: F-48325r1_fix

Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Auto-Protect tab -> Select Actions -> Under Security Risks -> Select Security Risk -> Ensure "Override actions configured for Security Risks" is NOT selected.

b
The Symantec Endpoint Protection client Auto-Protect Scan Actions settings must be explicitly configured at the top, Security Risks, level and not be overridden by the Spyware sub-level.
SI-3 - Medium - CCI-001243 - V-42740 - SV-55468r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001243
Version
DTASEP039
Vuln IDs
  • V-42740
Rule IDs
  • SV-55468r1_rule
Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infection capability on their own, they rely on malware or other attach mechanisms to be installed onto target hosts, after which they will collect and transfer data from the host to an external host and/or will be used as attach mechanisms. Configuring the antivirus software to attempt to delete the file first will prevent the infection from spreading.
Checks: C-49012r1_chk

GUI check: Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Auto-Protect tab -> Select Actions -> Under Security Risks -> Select Spyware -> Ensure "Override actions configured for Security Risks" is NOT selected. Criteria: If "Override actions configured for Security Risks" is selected, this is a finding. On the machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem \RealTimeScan\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan\Expanded\TCID-6 is 0 or the value is not there, this is not a finding. 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem \RealTimeScan\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan\Expanded\TCID-6 is 0 or the value is not there, this is not a finding.

Fix: F-48326r1_fix

Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Auto-Protect tab -> Select Actions -> Under Security Risks -> Select Spyware -> Ensure "Override actions configured for Security Risks" is NOT selected.

b
The Symantec Endpoint Protection client Auto-Protect Scan Actions settings must be explicitly configured at the top, Security Risks, level and not be overridden by the Trackware sub-level.
SI-3 - Medium - CCI-001243 - V-42741 - SV-55469r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001243
Version
DTASEP040
Vuln IDs
  • V-42741
Rule IDs
  • SV-55469r1_rule
Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infection capability on their own, they rely on malware or other attach mechanisms to be installed onto target hosts, after which they will collect and transfer data from the host to an external host and/or will be used as attach mechanisms. Configuring the antivirus software to attempt to delete the file first will prevent the infection from spreading.
Checks: C-49013r1_chk

GUI check: Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Auto-Protect tab -> Select Actions -> Under Security Risks -> Select Trackware -> Ensure "Override actions configured for Security Risks" is NOT selected. Criteria: If "Override actions configured for Security Risks" is selected, this is a finding. On the machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem \RealTimeScan\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan\Expanded\TCID-7 is 0 or the value is not there, this is not a finding. 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem \RealTimeScan\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan\Expanded\TCID-7 is 0 or the value is not there, this is not a finding.

Fix: F-48327r1_fix

Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Auto-Protect tab -> Select Actions -> Under Security Risks -> Select Trackware -> Ensure "Override actions configured for Security Risks" is NOT selected.

b
The Symantec Endpoint Protection client Auto-Protect Scan Actions for Security Risks must be configured to Delete Risk as the first action upon detection.
SI-3 - Medium - CCI-001243 - V-42775 - SV-55503r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001243
Version
DTASEP041
Vuln IDs
  • V-42775
Rule IDs
  • SV-55503r1_rule
Malware may have infected a file that is necessary to the user. By configuring the antivirus software to first attempt cleaning the infected file, availability to the file is not sacrificed. If a cleaning attempt is not successful, however, deleting the file is the only safe option to ensure the malware is not introduced onto the system or network.
Checks: C-49047r1_chk

GUI check: Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Auto-Protect tab -> Select Actions -> Select Security Risks -> Ensure First action is set to "Delete Risk". Criteria: If First action is not set to "Delete Risk", this is a finding. On the machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan\Expanded 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan\Expanded Criteria: If the value of "FirstAction" is not 3, this is a finding.

Fix: F-48361r1_fix

Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Auto-Protect tab -> Select Actions -> Select Security Risks -> Set first action to "Delete Risk".

b
The Symantec Endpoint Protection client Auto-Protect Scan Actions for Security Risks must be configured to Quarantine Risk if first action fails.
SI-3 - Medium - CCI-001243 - V-42776 - SV-55504r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001243
Version
DTASEP042
Vuln IDs
  • V-42776
Rule IDs
  • SV-55504r1_rule
Malware may have infected a file that is necessary to the user. By configuring the antivirus software to first attempt cleaning the infected file, availability to the file is not sacrificed. If a cleaning attempt is not successful, however, deleting the file is the only safe option to ensure the malware is not introduced onto the system or network.
Checks: C-49048r1_chk

GUI check: Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Auto-Protect tab -> Select Actions -> Select Security Risks -> Ensure If first action fails is set to "Quarantine Risk". Criteria: If first action fails is not set to "Quarantine Risk", this is a finding. On the machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan\Expanded 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan\Expanded Criteria: If the value of "SecondAction" is not 1, this is a finding.

Fix: F-48362r1_fix

Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Auto-Protect tab -> Select Actions -> Select Security Risks -> Set if first action fails to "Quarantine Risk".

b
The Symantec Endpoint Protection client must be configured with a full scan scheduled to run at least weekly.
SI-3 - Medium - CCI-001241 - V-42777 - SV-55505r2_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001241
Version
DTASEP043
Vuln IDs
  • V-42777
Rule IDs
  • SV-55505r2_rule
Antivirus software is the most commonly used technical control for malware threat mitigation. Antivirus software on hosts should be configured to scan all hard drives regularly to identify any file system infections and to scan any removable media, if applicable, before media is inserted into the system. Not scheduling a regular scan of the hard drives of a system and/or not configuring the scan to scan all files introduces a higher risk of threats going undetected.
Checks: C-49049r2_chk

GUI check: Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Scan for Threats -> Under Scans, examine the entries in this list -> Under the When to Scan column -> Ensure there is at least one full scan enabled that is Weekly or Daily. Criteria: If there is no full scan enabled that is Weekly or Daily, this is a finding. On the machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\LocalScans\{scan ID}\Schedule 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\LocalScans\{scan ID}\Schedule Criteria: If the value of SelectedScanType is not 2, the value of Type is not 1 or 2, and the value of Enabled is not 1, this is a finding.

Fix: F-48363r1_fix

Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Scan for Threats -> Under Scans, examine the entries in this list -> Under the When to Scan column -> Create a full scan that is enabled and scheduled to run at least weekly.

b
The Symantec Endpoint Protection client scheduled weekly scan must be configured to scan memory.
SI-3 - Medium - CCI-001241 - V-42778 - SV-55506r2_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001241
Version
DTASEP044
Vuln IDs
  • V-42778
Rule IDs
  • SV-55506r2_rule
Antivirus software is the most commonly used technical control for malware threat mitigation. Antivirus software on hosts should be configured to scan all hard drives regularly to identify any file system infections and to scan any removable media, if applicable, before media is inserted into the system. Not scheduling a regular scan of the hard drives of a system and/or not configuring the scan to scan all files introduces a higher risk of threats going undetected.
Checks: C-49050r3_chk

GUI check: Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Scan for Threats -> Double-click the applied policy -> Under Scan Options, Scan Enhancements -> Ensure "Memory" is selected. Criteria: If "Memory" is not selected, this is a finding. On the machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\LocalScans\{scan ID} 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\LocalScans\{scan ID} Criteria: If the value of ScanProcesses is not 1, this is a finding.

Fix: F-48364r1_fix

Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Scan for Threats -> Double-click the applied policy -> Under Scan Options, Scan Enhancements -> Select "Memory".

b
The Symantec Endpoint Protection client weekly scheduled scan must be configured to scan all file types or scan exclude files option must be documented with, and approved by, IAO/IAM.
SI-3 - Medium - CCI-001241 - V-42779 - SV-55507r2_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001241
Version
DTASEP045
Vuln IDs
  • V-42779
Rule IDs
  • SV-55507r2_rule
When scanning for malware, excluding specific file types will increase the risk of a malware-infected file going undetected. By configuring antivirus software to scan all file types, the scanner has a higher success rate at detecting and eradicating malware.
Checks: C-49051r2_chk

GUI check: Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Scan for Threats -> Double-click the applied policy -> Under Scan Options, File Types -> Ensure "All types", or if "Selected Extensions:" is selected -> Select Extensions -> Ensure any selected extensions are documented with, and approved by, the IAO/IAM, is selected. Criteria: If "All types", is not selected, or if "Selected Extensions" is selected and the extensions are not documented with, and approved by, the IAO/IAM, this is a finding. On the machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\LocalScans\{scan ID} 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\LocalScans\{scan ID} Criteria: If the value of FileType is not 1, or if the value of "ExcludeByExtension", "HaveExceptionDirs", "HaveExceptionFiles" are 1, and the IAO/IAM has approved the use of exclusions, this is not a finding.

Fix: F-48365r1_fix

Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Scan for Threats -> Double-click the applied policy -> Under Scan Options, File Types -> Select "All types", or if "Selected Extensions:" is selected -> Select Extensions -> Ensure any selected extensions are documented with, and approved by, the IAO/IAM, is selected.

b
The Symantec Endpoint Protection client weekly scheduled scan must be configured to use Insight File Reputation lookup, when scanning, set to a sensitivity level of at least 5 (Typical).
SI-3 - Medium - CCI-001241 - V-42780 - SV-55508r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001241
Version
DTASEP046
Vuln IDs
  • V-42780
Rule IDs
  • SV-55508r1_rule
Antivirus software vendors use collective intelligence from sensors and cross-vector intelligence from web, email, and network threats to compile scores that reflect the likelihood of whether a file in question is malware. The collective intelligence is constantly being updated, more frequently than the typical daily antivirus signature files. With File Reputation lookup, a more real-time response to potential malicious code is realized than with the local-running antivirus software, since querying the cloud-based database when a file appears to be suspicious provides up-to-the-minute intelligence. This type of protection reduces the threat protection time period from days to milliseconds, increases malware detection rates and reduces downtime and remediation costs associated with malware attacks. Using File Reputation lookup is mandated by US CYBERCOM on DoD systems.
Checks: C-49052r1_chk

GUI check: Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Scan for Threats -> Double-click the applied policy -> Under Scan Options -> Select Insight Lookup -> Under Specify the sensitivity level -> Ensure the slider is set to "5 (Typical)" or greater. Criteria: If the slider is not set to "5 (Typical)" or greater, this is a finding.

Fix: F-48366r1_fix

Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Scan for Threats -> Double-click the applied policy -> Under Scan Options -> Select Insight Lookup -> Under Specify the sensitivity level -> Set the slider to "5 (Typical)" or greater.

b
The Symantec Endpoint Protection client weekly scheduled scan actions for handling File Reputation lookup detections must be set to Quarantine Risk as first action.
SI-3 - Medium - CCI-001243 - V-42781 - SV-55509r2_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001243
Version
DTASEP047
Vuln IDs
  • V-42781
Rule IDs
  • SV-55509r2_rule
This setting is required for the weekly scan parameter Security Risks First action policy. When a Security Risk is detected, the first action to be performed must be the option to quarantine the risk.
Checks: C-49053r2_chk

GUI check: Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Scan for Threats -> Double-click the applied policy -> Under Scan Options -> Select Insight Lookup -> Under Specify actions for reputation detection -> Ensure first action is set to "Quarantine Risk". Criteria: If First action is not set to "Quarantine Risk", this is a finding. On the machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\LocalScans\{scan ID}\Malware\TCID-18 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\LocalScans\{scan ID}\Malware\TCID-18 Criteria: If the value of FirstAction is not 1, this is a finding.

Fix: F-48367r1_fix

Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Scan for Threats -> Double-click the applied policy -> Under Scan Options -> Select Insight Lookup -> Under Specify actions for reputation detection -> Set first action to "Quarantine Risk".

b
The Symantec Endpoint Protection client weekly scheduled scan actions for handling File Reputation lookup detections must be set to Leave alone (log only) if first action fails.
SI-3 - Medium - CCI-001243 - V-42782 - SV-55510r2_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001243
Version
DTASEP048
Vuln IDs
  • V-42782
Rule IDs
  • SV-55510r2_rule
This setting is required for the weekly scan parameter Security Risks First action policy. When a Security Risk is detected, if the first action fails the second option must be set to leave alone (log only).
Checks: C-49054r2_chk

GUI check: Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Scan for Threats -> Double-click the applied policy -> Under Scan Options -> Select Insight Lookup -> Under Specify actions for reputation detection -> Ensure If first action fails is set to "Leave alone (log only)". Criteria: If first action fails is not set to "Leave alone (log only)", this is a finding. On the machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\LocalScans\{scan ID}\Malware\TCID-18 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\LocalScans\{scan ID}\Malware\TCID-18 Criteria: If the value of SecondAction is not 4, this is a finding.

Fix: F-48368r1_fix

Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Scan for Threats -> Double-click the applied policy -> Under Scan Options -> Select Insight Lookup -> Under Specify actions for reputation detection -> Set if first action fails to "Leave alone (log only)".

b
The Symantec Endpoint Protection client weekly scheduled scan must be configured to display a message to the user if a virus is detected.
SI-3 - Medium - CCI-001241 - V-42783 - SV-55511r2_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001241
Version
DTASEP049
Vuln IDs
  • V-42783
Rule IDs
  • SV-55511r2_rule
An effective awareness program explains proper rules of behavior for use of an organization's IT systems and information. Accordingly, awareness programs should include guidance to users on malware incident prevention, which can help reduce the frequency and severity of malware incidents. Organizations should also make users aware of policies and procedures that apply to malware incident handling, such as how to identify if a host may be infected, how to report a suspected incident, and what users need to do to assist with incident handling Having the antivirus software alert a users when a risk is detected will ensure the user is aware of the incident and will make it possible to more closely relate the incident to any action(s) being performed by the user at the time of the detection.
Checks: C-49055r2_chk

GUI check: Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Scan for Threats -> Double-click the applied policy -> Under Scan Options -> Select Notifications -> Under Detection options -> Ensure "Display a notification message when a risk is detected", is selected. Criteria: If "Display a notification message when a risk is detected" is not selected, this is a finding. On the machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\LocalScans\{scan ID} 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\LocalScans\{scan ID} Criteria: If the value MessageBox is not 1, this is a finding.

Fix: F-48369r2_fix

Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Scan for Threats -> Double-click the applied policy -> Under Scan Options -> Select Notifications -> Under Detection options -> Select "Display a notification message when a risk is detected".

b
The Symantec Endpoint Protection client weekly scheduled scan must be configured to scan compressed files.
SI-3 - Medium - CCI-001241 - V-42784 - SV-55512r2_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001241
Version
DTASEP050
Vuln IDs
  • V-42784
Rule IDs
  • SV-55512r2_rule
Malware is often packaged within compressed files. In addition, compressed files might have other compressed files within. Not scanning compressed files introduces the risk of infected files being introduced into the environment.
Checks: C-49056r2_chk

GUI check: Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Scan for Threats -> Double-click the applied policy -> Under Scan Options -> Select Advanced -> Under Compressed files options -> Ensure "Scan files inside compressed files", is selected. Criteria: If "Scan files inside compressed files" is not selected, this is a finding. On the machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\LocalScans\{scan ID} 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\LocalScans\{scan ID} Criteria: If the value of ZipFile is not 1, this is a finding.

Fix: F-48370r1_fix

Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Scan for Threats -> Double-click the applied policy -> Under Scan Options -> Select Advanced -> Under Compressed files options -> Select "Scan files inside compressed files".

b
The Symantec Endpoint Protection client weekly scheduled scan backup option must be disabled to prevent backing up infected files before attempting to repair them.
SI-3 - Medium - CCI-001241 - V-42785 - SV-55513r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001241
Version
DTASEP051
Vuln IDs
  • V-42785
Rule IDs
  • SV-55513r1_rule
Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infection capability on their own, they rely on malware or other attach mechanisms to be installed onto target hosts, after which they will collect and transfer data from the host to an external host and/or will be used as attach mechanisms. Configuring the antivirus software to attempt to clean the file first will allow for the possibility of a false positive. If files are backed up before they are repaired, this could possibly allow the infection to stay on the system.
Checks: C-49057r1_chk

GUI check: Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Scan for Threats -> Double-click the applied policy -> Under Scan Options -> Select Advanced -> Under Backup options -> Ensure "Back up files before attempting to repair them", is not selected. Criteria: If "Back up files before attempting to repair them" is selected, this is a finding. On the machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Scheduler\{SID}\Custom Tasks\{Scan ID} 64 bit: HKLM\SOFTWARE\Wow632Node\Symantec\Symantec Endpoint Protection\AV\Scheduler\{SID}\Custom Tasks\{Scan ID} Criteria: If the value of BackupToQuarantine is not 0, this is a finding.

Fix: F-48371r1_fix

Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Scan for Threats -> Double-click the applied policy -> Under Scan Options -> Select Advanced -> Under Backup options -> Ensure "Back up files before attempting to repair them", is not selected.

b
The Symantec Endpoint Protection client weekly scheduled scan must be configured for scanning load points.
SI-3 - Medium - CCI-001241 - V-42786 - SV-55514r2_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001241
Version
DTASEP053
Vuln IDs
  • V-42786
Rule IDs
  • SV-55514r2_rule
When scanning for malware, excluding specific file types will increase the risk of a malware-infected file going undetected. By configuring antivirus software to scan all file types, the scanner has a higher success rate at detecting and eradicating malware.
Checks: C-49058r2_chk

GUI check: Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Scan for Threats -> Double-click the applied policy -> Under Scan Options -> Under Scan Enhancements -> Ensure "Common infection locations", is selected. Criteria: If "Common infection locations" is not selected, this is a finding. On the machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\LocalScans\{scan ID} 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\LocalScans\{scan ID} Criteria: If the value of ScanLoadPoints is not 1, this is a finding.

Fix: F-48372r1_fix

Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Scan for Threats -> Double-click the applied policy -> Under Scan Enhancements -> Select "Common infection locations".

b
The Symantec Endpoint Protection client weekly scheduled scan must be configured for scanning well-known viruses and security risks.
SI-3 - Medium - CCI-001241 - V-42787 - SV-55515r2_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001241
Version
DTASEP054
Vuln IDs
  • V-42787
Rule IDs
  • SV-55515r2_rule
When scanning for malware, excluding specific file types will increase the risk of a malware-infected file going undetected. By configuring antivirus software to scan all file types, the scanner has a higher success rate at detecting and eradicating malware.
Checks: C-49059r2_chk

GUI check: Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Scan for Threats -> Double-click the applied policy -> Under Scan Options -> Under Scan Enhancements -> Ensure "Well-known virus and security risk locations", is selected. Criteria: If "Well-known virus and security risk locations" is not selected, this is a finding. On the machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\LocalScans\{scan ID} 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\LocalScans\{scan ID} Criteria: If the value of ScanERASERDefs is not 1, this is a finding.

Fix: F-48373r1_fix

Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Scan for Threats -> Double-click the applied policy -> Under Scan Enhancements -> Select "Well-known virus and security risk locations".

b
The Symantec Endpoint Protection client weekly scheduled scan actions for handling malware upon detection must be explicitly configured at the top, Malware, level and not be overridden by sub-levels.
SI-3 - Medium - CCI-001243 - V-42788 - SV-55516r2_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001243
Version
DTASEP055
Vuln IDs
  • V-42788
Rule IDs
  • SV-55516r2_rule
Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infection capability on their own, they rely on malware or other attach mechanisms to be installed onto target hosts, after which they will collect and transfer data from the host to an external host and/or will be used as attach mechanisms. Configuring the antivirus software to attempt to clean the file first will allow for the possibility of a false positive. If files are backed up before they are repaired, this could possibly allow the infection to stay on the system.
Checks: C-49060r2_chk

GUI check: Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Scan for Threats -> Double-click the applied policy -> Under Scan Options -> Select Actions -> Under Malware -> Select Virus -> Ensure "Override actions configured for Malware" is NOT selected. Criteria: If "Override actions configured for Malware" is selected, this is a finding. On the machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\LocalScans\{scan ID}\Malware Criteria: If the value of FirstAction is not 5, this is a finding. If the value of FirstAction is 5, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\LocalScans\{scan ID}\Malware\TCID-0 is 0 or the value is not there, this is not a finding. 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\LocalScans\{scan ID}\Malware Criteria: If the value of FirstAction is not 5, this is a finding. If the value of FirstAction is 5, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\LocalScans\{scan ID}\Malware\TCID-0 is 0 or the value is not there, this is not a finding.

Fix: F-48374r1_fix

Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Scan for Threats -> Double-click the applied policy -> Select Actions -> Under Malware -> Select Virus -> Ensure "Override actions configured for Malware" is NOT selected.

b
The Symantec Endpoint Protection client weekly scheduled scan actions for when malware has been detected must be configured to Clean Risk as first action.
SI-3 - Medium - CCI-001243 - V-42789 - SV-55517r2_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001243
Version
DTASEP056
Vuln IDs
  • V-42789
Rule IDs
  • SV-55517r2_rule
Malware may have infected a file that is necessary to the user. By configuring the antivirus software to first attempt cleaning the infected file, availability to the file is not sacrificed. If a cleaning attempt is not successful, however, deleting the file is the only safe option to ensure the malware does is not introduced onto the system or network.
Checks: C-49061r2_chk

GUI check: Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Scan for Threats -> Double-click the applied policy -> Select Actions -> Select Malware -> Ensure first action is set to "Clean risk". Criteria: If first action is not set to "Clean risk", this is a finding. On the machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\LocalScans\{scan ID}\Malware 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\LocalScans\{scan ID}\Malware Criteria: If the value of "FirstAction" is not 5, this is a finding.

Fix: F-48375r1_fix

Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Scan for Threats -> Double-click the applied policy -> Select Actions -> Select Malware -> Set first action to "Clean risk".

b
The Symantec Endpoint Protection client weekly scheduled scan actions for when malware has been detected must be configured to Delete Risk if first action fails.
SI-3 - Medium - CCI-001243 - V-42790 - SV-55518r2_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001243
Version
DTASEP057
Vuln IDs
  • V-42790
Rule IDs
  • SV-55518r2_rule
Malware may have infected a file that is necessary to the user. By configuring the antivirus software to first attempt cleaning the infected file, availability to the file is not sacrificed. If a cleaning attempt is not successful, however, deleting the file is the only safe option so as to ensure the malware does is not introduced onto the system or network.
Checks: C-49062r2_chk

GUI check: Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Scan for Threats -> Double-click the applied policy -> Select Actions -> Select Malware -> Ensure if first action fails is set to "Delete Risk". Criteria: If first action fails is not set to "Delete Risk", this is a finding. On the machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\LocalScans\{scan ID}\Malware 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\LocalScans\{scan ID}\Malware Criteria: If the value of "SecondAction" is not 3, this is a finding.

Fix: F-48376r1_fix

Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Scan for Threats -> Double-click the applied policy -> Select Actions -> Select Malware -> Set if first action fails is to "Delete Risk".

b
The Symantec Endpoint Protection client weekly scheduled scan actions for handling security risks upon detection must be explicitly configured at the top, Security Risks, level and not be overridden by the Adware sub-level.
SI-3 - Medium - CCI-001243 - V-42791 - SV-55519r2_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001243
Version
DTASEP058
Vuln IDs
  • V-42791
Rule IDs
  • SV-55519r2_rule
Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infection capability on their own, they rely on malware or other attach mechanisms to be installed onto target hosts, after which they will collect and transfer data from the host to an external host and/or will be used as attach mechanisms. Configuring the antivirus software to attempt to clean the file first will allow for the possibility of a false positive. If files are backed up before they are repaired, this could possibly allow the infection to stay on the system.
Checks: C-49063r2_chk

GUI check: Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Scan for Threats -> Double-click the applied policy -> Select Actions -> Under Security Risk -> Select Adware -> Ensure "Override actions configured for Security Risks" is NOT selected. Criteria: If "Override actions configured for Security Risks" is selected, this is a finding. On the machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\LocalScans\{scan ID}\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\LocalScans\{scan ID}\Expanded\TCID-10 is 0 or the value is not there, this is not a finding. 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\LocalScans\{scan ID}\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\LocalScans\{scan ID}\Expanded\TCID-10 is 0 or the value is not there, this is not a finding.

Fix: F-48377r1_fix

Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Scan for Threats -> Double-click the applied policy -> Select Actions -> Under Security Risk -> Select Adware -> Ensure "Override actions configured for Security Risks" is NOT selected.

b
The Symantec Endpoint Protection client weekly scheduled scan actions for handling security risks upon detection must be explicitly configured at the top, Security Risks, level and not be overridden by the Dialer sub-level.
SI-3 - Medium - CCI-001243 - V-42792 - SV-55520r2_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001243
Version
DTASEP059
Vuln IDs
  • V-42792
Rule IDs
  • SV-55520r2_rule
Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infection capability on their own, they rely on malware or other attach mechanisms to be installed onto target hosts, after which they will collect and transfer data from the host to an external host and/or will be used as attach mechanisms. Configuring the antivirus software to attempt to clean the file first will allow for the possibility of a false positive. If files are backed up before they are repaired, this could possibly allow the infection to stay on the system.
Checks: C-49064r2_chk

GUI check: Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Scan for Threats -> Double-click the applied policy -> Select Actions -> Under Security Risk -> Select Dialer-> Ensure "Override actions configured for Security Risks" is NOT selected. Criteria: If "Override actions configured for Security Risks" is selected, this is a finding. On the machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\LocalScans\{scan ID}\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\LocalScans\{scan ID}\Expanded\TCID-8 is 0 or the value is not there, this is not a finding. 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\LocalScans\{scan ID}\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\LocalScans\{scan ID}\Expanded\TCID-8 is 0 or the value is not there, this is not a finding.

Fix: F-48378r1_fix

Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Scan for Threats -> Double-click the applied policy -> Select Actions -> Under Security Risk -> Select Dialer-> Ensure "Override actions configured for Security Risks" is NOT selected.

b
The Symantec Endpoint Protection client weekly scheduled scan actions for handling security risks upon detection must be explicitly configured at the top, Security Risks, level and not be overridden by the Hack Tool sub-level.
SI-3 - Medium - CCI-001243 - V-42793 - SV-55521r2_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001243
Version
DTASEP060
Vuln IDs
  • V-42793
Rule IDs
  • SV-55521r2_rule
Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infection capability on their own, they rely on malware or other attach mechanisms to be installed onto target hosts, after which they will collect and transfer data from the host to an external host and/or will be used as attach mechanisms. Configuring the antivirus software to attempt to clean the file first will allow for the possibility of a false positive. If files are backed up before they are repaired, this could possibly allow the infection to stay on the system.
Checks: C-49065r2_chk

GUI check: Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Scan for Threats -> Double-click the applied policy -> Select Actions -> Under Security Risk -> Select Hack Tool -> Ensure "Override actions configured for Security Risks" is NOT selected. Criteria: If "Override actions configured for Security Risks" is selected, this is a finding. On the machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\LocalScans\{scan ID}\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\LocalScans\{scan ID}\Expanded\TCID-5 is 0 or the value is not there, this is not a finding. 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\LocalScans\{scan ID}\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\LocalScans\{scan ID}\Expanded\TCID-5 is 0 or the value is not there, this is not a finding.

Fix: F-48379r1_fix

Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Scan for Threats -> Double-click the applied policy -> Select Actions -> Under Security Risk -> Select Hack Tool -> Ensure "Override actions configured for Security Risks" is NOT selected.

b
The Symantec Endpoint Protection client weekly scheduled scan actions for handling security risks upon detection must be explicitly configured at the top, Security Risks, level and not be overridden by the Joke Program sub-level.
SI-3 - Medium - CCI-001243 - V-42794 - SV-55522r2_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001243
Version
DTASEP061
Vuln IDs
  • V-42794
Rule IDs
  • SV-55522r2_rule
Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infection capability on their own, they rely on malware or other attach mechanisms to be installed onto target hosts, after which they will collect and transfer data from the host to an external host and/or will be used as attach mechanisms. Configuring the antivirus software to attempt to clean the file first will allow for the possibility of a false positive. If files are backed up before they are repaired, this could possibly allow the infection to stay on the system.
Checks: C-49066r2_chk

GUI check: Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Scan for Threats -> Double-click the applied policy -> Select Actions -> Under Security Risk -> Select Joke Program -> Ensure "Override actions configured for Security Risks" is NOT selected. Criteria: If "Override actions configured for Security Risks" is selected, this is a finding. On the machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\LocalScans\{scan ID}\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\LocalScans\{scan ID}\Expanded\TCID-11 is 0 or the value is not there, this is not a finding. 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\LocalScans\{scan ID}\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\LocalScans\{scan ID}\Expanded\TCID-11 is 0 or the value is not there, this is not a finding.

Fix: F-48380r1_fix

Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Scan for Threats -> Double-click the applied policy -> Select Actions -> Under Security Risk -> Select Joke Program -> Ensure "Override actions configured for Security Risks" is NOT selected.

b
The Symantec Endpoint Protection client weekly scheduled scan actions for handling security risks upon detection must be explicitly configured at the top, Security Risks, level and not be overridden by the Misleading Application sub-level.
SI-3 - Medium - CCI-001243 - V-42795 - SV-55523r2_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001243
Version
DTASEP062
Vuln IDs
  • V-42795
Rule IDs
  • SV-55523r2_rule
Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infection capability on their own, they rely on malware or other attach mechanisms to be installed onto target hosts, after which they will collect and transfer data from the host to an external host and/or will be used as attach mechanisms. Configuring the antivirus software to attempt to clean the file first will allow for the possibility of a false positive. If files are backed up before they are repaired, this could possibly allow the infection to stay on the system.
Checks: C-49067r2_chk

GUI check: Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Scan for Threats -> Double-click the applied policy -> Select Actions -> Under Security Risk -> Select Misleading Application -> Ensure "Override actions configured for Security Risks" is NOT selected. Criteria: If "Override actions configured for Security Risks" is selected, this is a finding. On the machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\LocalScans\{scan ID}\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\LocalScans\{scan ID}\Expanded\TCID-14 is 0 or the value is not there, this is not a finding. 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\LocalScans\{scan ID}\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\LocalScans\{scan ID}\Expanded\TCID-14 is 0 or the value is not there, this is not a finding.

Fix: F-48381r1_fix

Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Scan for Threats -> Double-click the applied policy -> Select Actions -> Under Security Risk -> Select Misleading Application -> Ensure "Override actions configured for Security Risks" is NOT selected.

b
The Symantec Endpoint Protection client weekly scheduled scan actions for handling security risks upon detection must be explicitly configured at the top, Security Risks, level and not be overridden by the Parental Control sub-level.
SI-3 - Medium - CCI-001243 - V-42796 - SV-55524r2_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001243
Version
DTASEP063
Vuln IDs
  • V-42796
Rule IDs
  • SV-55524r2_rule
Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infection capability on their own, they rely on malware or other attach mechanisms to be installed onto target hosts, after which they will collect and transfer data from the host to an external host and/or will be used as attach mechanisms. Configuring the antivirus software to attempt to clean the file first will allow for the possibility of a false positive. If files are backed up before they are repaired, this could possibly allow the infection to stay on the system.
Checks: C-49068r2_chk

GUI check: Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Scan for Threats -> Double-click the applied policy -> Select Actions -> Under Security Risk -> Select Parental Control -> Ensure "Override actions configured for Security Risks" is NOT selected. Criteria: If "Override actions configured for Security Risks" is selected, this is a finding. On the machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\LocalScans\{scan ID}\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\LocalScans\{scan ID}\Expanded\TCID-17 is 0 or the value is not there, this is not a finding. 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\LocalScans\{scan ID}\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\LocalScans\{scan ID}\Expanded\TCID-17 is 0 or the value is not there, this is not a finding.

Fix: F-48382r1_fix

Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Scan for Threats -> Double-click the applied policy -> Select Actions -> Under Security Risk -> Select Parental Control -> Ensure "Override actions configured for Security Risks" is NOT selected.

b
The Symantec Endpoint Protection client weekly scheduled scan actions for handling security risks upon detection must be explicitly configured at the top, Security Risks, level and not be overridden by the Remote Access sub-level.
SI-3 - Medium - CCI-001243 - V-42797 - SV-55525r2_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001243
Version
DTASEP064
Vuln IDs
  • V-42797
Rule IDs
  • SV-55525r2_rule
Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infection capability on their own, they rely on malware or other attach mechanisms to be installed onto target hosts, after which they will collect and transfer data from the host to an external host and/or will be used as attach mechanisms. Configuring the antivirus software to attempt to clean the file first will allow for the possibility of a false positive. If files are backed up before they are repaired, this could possibly allow the infection to stay on the system.
Checks: C-49069r2_chk

GUI check: Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Scan for Threats -> Double-click the applied policy -> Select Actions -> Under Security Risk -> Select Remote Access -> Ensure "Override actions configured for Security Risks" is NOT selected. Criteria: If "Override actions configured for Security Risks" is selected, this is a finding. On the machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\LocalScans\{scan ID}\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\LocalScans\{scan ID}\Expanded\TCID-9 is 0 or the value is not there, this is not a finding. 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\LocalScans\{scan ID}\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\LocalScans\{scan ID}\Expanded\TCID-9 is 0 or the value is not there, this is not a finding.

Fix: F-48383r1_fix

Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Scan for Threats -> Double-click the applied policy -> Select Actions -> Under Security Risk -> Select Remote Access -> Ensure "Override actions configured for Security Risks" is NOT selected.

b
The Symantec Endpoint Protection client weekly scheduled scan actions for handling security risks upon detection must be explicitly configured at the top, Security Risks, level and not be overridden by the Security Assessment Tool sub-level.
SI-3 - Medium - CCI-001243 - V-42798 - SV-55526r2_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001243
Version
DTASEP065
Vuln IDs
  • V-42798
Rule IDs
  • SV-55526r2_rule
Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infection capability on their own, they rely on malware or other attach mechanisms to be installed onto target hosts, after which they will collect and transfer data from the host to an external host and/or will be used as attach mechanisms. Configuring the antivirus software to attempt to clean the file first will allow for the possibility of a false positive. If files are backed up before they are repaired, this could possibly allow the infection to stay on the system.
Checks: C-49070r2_chk

GUI check: Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Scan for Threats -> Double-click the applied policy -> Select Actions -> Under Security Risk -> Select Security Assessment Tool -> Ensure "Override actions configured for Security Risks" is NOT selected. Criteria: If "Override actions configured for Security Risks" is selected, this is a finding. On the machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\LocalScans\{scan ID}\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\LocalScans\{scan ID}\Expanded\TCID-13 is 0 or the value is not there, this is not a finding. 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\LocalScans\{scan ID}\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\LocalScans\{scan ID}\Expanded\TCID-13 is 0 or the value is not there, this is not a finding.

Fix: F-48384r1_fix

Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Scan for Threats -> Double-click the applied policy -> Select Actions -> Under Security Risk -> Select Security Assessment Tool -> Ensure "Override actions configured for Security Risks" is NOT selected.

b
The Symantec Endpoint Protection client weekly scheduled scan actions for handling security risks upon detection must be explicitly configured at the top, Security Risks, level and not be overridden by the Security Risk sub-level.
SI-3 - Medium - CCI-001243 - V-42799 - SV-55527r2_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001243
Version
DTASEP066
Vuln IDs
  • V-42799
Rule IDs
  • SV-55527r2_rule
Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infection capability on their own, they rely on malware or other attach mechanisms to be installed onto target hosts, after which they will collect and transfer data from the host to an external host and/or will be used as attach mechanisms. Configuring the antivirus software to attempt to clean the file first will allow for the possibility of a false positive. If files are backed up before they are repaired, this could possibly allow the infection to stay on the system.
Checks: C-49071r2_chk

GUI check: Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Scan for Threats -> Double-click the applied policy -> Select Actions -> Under Security Risks -> Select Security Risk -> Ensure "Override actions configured for Security Risks" is NOT selected. Criteria: If "Override actions configured for Security Risks" is selected, this is a finding. On the machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\LocalScans\{scan ID}\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\LocalScans\{scan ID}\Expanded\TCID-4 is 0 or the value is not there, this is not a finding. 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\LocalScans\{scan ID}\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\LocalScans\{scan ID}\Expanded\TCID-4 is 0 or the value is not there, this is not a finding.

Fix: F-48385r1_fix

Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Scan for Threats -> Double-click the applied policy -> Select Actions -> Under Security Risks -> Select Security Risk -> Ensure "Override actions configured for Security Risks" is NOT selected.

b
The Symantec Endpoint Protection client weekly scheduled scan actions for handling security risks upon detection must be explicitly configured at the top, Security Risks, level and not be overridden by the Spyware sub-level.
SI-3 - Medium - CCI-001243 - V-42800 - SV-55528r2_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001243
Version
DTASEP067
Vuln IDs
  • V-42800
Rule IDs
  • SV-55528r2_rule
Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infection capability on their own, they rely on malware or other attach mechanisms to be installed onto target hosts, after which they will collect and transfer data from the host to an external host and/or will be used as attach mechanisms. Configuring the antivirus software to attempt to clean the file first will allow for the possibility of a false positive. If files are backed up before they are repaired, this could possibly allow the infection to stay on the system.
Checks: C-49072r2_chk

GUI check: Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Scan for Threats -> Double-click the applied policy -> Select Actions -> Under Security Risks -> Select Spyware -> Ensure "Override actions configured for Security Risks" is NOT selected. Criteria: If "Override actions configured for Security Risks" is selected, this is a finding. On the machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\LocalScans\{scan ID}\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\LocalScans\{scan ID}\Expanded\TCID-6 is 0 or the value is not there, this is not a finding. 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\LocalScans\{scan ID}\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\LocalScans\{scan ID}\Expanded\TCID-6 is 0 or the value is not there, this is not a finding.

Fix: F-48386r1_fix

Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Scan for Threats -> Double-click the applied policy -> Select Actions -> Under Security Risks -> Select Spyware -> Ensure "Override actions configured for Security Risks" is NOT selected.

b
The Symantec Endpoint Protection client weekly scheduled scan actions for handling security risks upon detection must be explicitly configured at the top, Security Risks, level and not be overridden by the Trackware sub-level.
SI-3 - Medium - CCI-001243 - V-42801 - SV-55529r2_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001243
Version
DTASEP068
Vuln IDs
  • V-42801
Rule IDs
  • SV-55529r2_rule
Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infection capability on their own, they rely on malware or other attach mechanisms to be installed onto target hosts, after which they will collect and transfer data from the host to an external host and/or will be used as attach mechanisms. Configuring the antivirus software to attempt to clean the file first will allow for the possibility of a false positive. If files are backed up before they are repaired, this could possibly allow the infection to stay on the system.
Checks: C-49073r2_chk

GUI check: Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Scan for Threats -> Double-click the applied policy -> Select Actions -> Under Security Risks -> Select Trackware -> Ensure "Override actions configured for Security Risks" is NOT selected. Criteria: If "Override actions configured for Security Risks" is selected, this is a finding. On the machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\LocalScans\{scan ID}\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\LocalScans\{scan ID}\Expanded\TCID-7 is 0 or the value is not there, this is not a finding. 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\LocalScans\{scan ID}\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\LocalScans\{scan ID}\Expanded\TCID-7 is 0 or the value is not there, this is not a finding.

Fix: F-48387r1_fix

Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Scan for Threats -> Double-click the applied policy -> Select Actions -> Under Security Risks -> Select Trackware -> Ensure "Override actions configured for Security Risks" is NOT selected.

b
The Symantec Endpoint Protection client weekly scheduled scan actions for when a Security Risk has been detected must be configured to Delete risk as first action.
SI-3 - Medium - CCI-001243 - V-42802 - SV-55530r2_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001243
Version
DTASEP069
Vuln IDs
  • V-42802
Rule IDs
  • SV-55530r2_rule
Malware may have infected a file that is necessary to the user. By configuring the antivirus software to first attempt cleaning the infected file, availability to the file is not sacrificed. If a cleaning attempt is not successful, however, deleting the file is the only safe option to ensure the malware does is not introduced onto the system or network.
Checks: C-49074r3_chk

GUI check: Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Scan for Threats -> Double-click the applied policy -> Select Actions -> Select Security Risk -> Ensure first action is set to "Delete Risk". Criteria: If first action is not set to "Delete Risk", this is a finding. On the machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\LocalScans\{scan ID}\Expanded 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\LocalScans\{scan ID}\Expanded Criteria: If the value of "FirstAction" is not 3, this is a finding.

Fix: F-48388r1_fix

Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Scan for Threats -> Double-click the applied policy -> Select Actions -> Select Security Risk -> Set first action to "Delete Risk".

b
The Symantec Endpoint Protection client weekly scheduled scan actions for when a Security Risk has been detected must be configured to Quarantine risk if first action fails.
SI-3 - Medium - CCI-001243 - V-42803 - SV-55531r2_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001243
Version
DTASEP070
Vuln IDs
  • V-42803
Rule IDs
  • SV-55531r2_rule
Malware may have infected a file that is necessary to the user. By configuring the antivirus software to first attempt cleaning the infected file, availability to the file is not sacrificed. If a cleaning attempt is not successful, however, deleting the file is the only safe option to ensure the malware does is not introduced onto the system or network.
Checks: C-49075r2_chk

GUI check: Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Scan for Threats -> Double-click the applied policy -> Select Actions -> Select Security Risk -> Ensure if first action fails is set to "Quarantine Risk". Criteria: If first action fails is not set to "Quarantine Risk", this is a finding. On the machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\LocalScans\{scan ID}\Expanded 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\LocalScans\{scan ID}\Expanded Criteria: If the value of "SecondAction" is not 1, this is a finding.

Fix: F-48389r1_fix

Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Scan for Threats -> Double-click the applied policy -> Select Actions -> Select Security Risk -> Set if first action fails to "Quarantine Risk".

b
The Symantec Endpoint Protection client Outlook Auto-Protect client must be enabled.
SI-3 - Medium - CCI-001668 - V-42804 - SV-55532r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001668
Version
DTASEP071
Vuln IDs
  • V-42804
Rule IDs
  • SV-55532r1_rule
Email has become one of the most frequently used methods of spreading malware, through embedded HTML code and attachments. User awareness and training, warning users to not open suspicious emails or email attachments and to not click hyperlinks, etc. from unknown or known senders, will not fully protect from email-borne malware. Mass mailing worms are similar to email-borne viruses but are self-contained rather than being designed to infect an existing file. Protecting from email-borne viruses and mass mailing worms by scanning email upon delivery mitigates the risk of infection via email.
Checks: C-49076r1_chk

GUI check: Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Outlook Auto-Protect tab -> Ensure "Enable Microsoft Outlook Auto-Protect" is selected. Criteria: If "Enable Microsoft Outlook Auto-Protect" is not selected, this is a finding. On the machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan Criteria: If the value of OnOff is not 1, this is a finding.

Fix: F-48390r1_fix

Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Outlook Auto-Protect tab -> Select "Enable Microsoft Outlook Auto-Protect".

b
The Symantec Endpoint Protection client Outlook Auto-Protect client must be configured to scan all file types.
SI-3 - Medium - CCI-001668 - V-42805 - SV-55533r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001668
Version
DTASEP072
Vuln IDs
  • V-42805
Rule IDs
  • SV-55533r1_rule
Email has become one of the most frequently used methods of spreading malware, through embedded HTML code and attachments. User awareness and training, warning users to not open suspicious emails or email attachments and to not click hyperlinks, etc. from unknown or known senders, will not fully protect from email-borne malware. Mass mailing worms are similar to email-borne viruses but are self-contained rather than being designed to infect an existing file. Protecting from email-borne viruses and mass mailing worms by scanning email upon delivery mitigates the risk of infection via email.
Checks: C-49077r1_chk

GUI check: Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Outlook Auto-Protect tab, under File Types -> Ensure "All types" is selected. Criteria: If "All types" is not selected, this is a finding. On the machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan Criteria: If the value of FileType is not 0, this is a finding.

Fix: F-48391r1_fix

Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Outlook Auto-Protect tab, under File Types -> Select "All types".

b
The Symantec Endpoint Protection client Outlook Auto-Protect must be configured to scan inside zipped files.
SI-3 - Medium - CCI-001668 - V-42806 - SV-55534r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001668
Version
DTASEP073
Vuln IDs
  • V-42806
Rule IDs
  • SV-55534r1_rule
Email has become one of the most frequently used methods of spreading malware, through embedded HTML code and attachments. User awareness and training, warning users to not open suspicious emails or email attachments and to not click hyperlinks, etc. from unknown or known senders, will not fully protect from email-borne malware. Mass mailing worms are similar to email-borne viruses but are self-contained rather than being designed to infect an existing file. Protecting from email-borne viruses and mass mailing worms by scanning email upon delivery mitigates the risk of infection via email.
Checks: C-49078r1_chk

GUI check: Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Outlook Auto-Protect tab -> Select Advanced -> Under Compressed files options -> Ensure "Scan files inside compressed files" is selected. Criteria: If "Scan files inside compressed files" is not selected, this is a finding. On the machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan Criteria: If the value of ZipFile is not 1, this is a finding.

Fix: F-48392r1_fix

Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Outlook Auto-Protect tab -> Select Advanced -> Under Compressed files options -> Select "Scan files inside compressed files".

b
The Symantec Endpoint Protection client Outlook Auto-Protect must be configured to insert a warning into email messages when a message part has been deleted, cleaned, or quarantined.
SI-3 - Medium - CCI-001668 - V-42807 - SV-55535r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001668
Version
DTASEP074
Vuln IDs
  • V-42807
Rule IDs
  • SV-55535r1_rule
Email has become one of the most frequently used methods of spreading malware, through embedded HTML code and attachments. User awareness and training, warning users to not open suspicious emails or email attachments and to not click hyperlinks, etc. from unknown or known senders, will not fully protect from email-borne malware. Mass mailing worms are similar to email-borne viruses but are self-contained rather than being designed to infect an existing file. Protecting from email-borne viruses and mass mailing worms by scanning email upon delivery mitigates the risk of infection via email.
Checks: C-49079r1_chk

GUI check: Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Outlook Auto-Protect tab, under Email Messages -> Ensure "Insert a warning into the email message" is selected. Criteria: If "Insert a warning into the email message" is not selected, this is a finding. On the machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan Criteria: If the value of InsertWarning is not 1, this is a finding.

Fix: F-48393r1_fix

Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Outlook Auto-Protect tab, under Email Messages -> Select "Insert a warning into the email message".

b
The Symantec Endpoint Protection client Outlook Auto-Protect must be configured to not send a notification to the sender of an email in which a threat was detected.
SI-3 - Medium - CCI-001668 - V-42808 - SV-55536r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001668
Version
DTASEP075
Vuln IDs
  • V-42808
Rule IDs
  • SV-55536r1_rule
Email has become one of the most frequently used methods of spreading malware, through embedded HTML code and attachments. User awareness and training, warning users to not open suspicious emails or email attachments and to not click hyperlinks, etc. from unknown or known senders, will not fully protect from email-borne malware. Mass mailing worms are similar to email-borne viruses but are self-contained rather than being designed to infect an existing file. Protecting from email-borne viruses and mass mailing worms by scanning email upon delivery mitigates the risk of infection via email.
Checks: C-49080r1_chk

GUI check: Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Outlook Auto-Protect tab, under Email Messages -> Ensure "Send email to the sender" is NOT selected. Criteria: If "Send email to the sender" is selected, this is a finding. On the machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan Criteria: If the value of NotifySender is not 0, this is a finding.

Fix: F-48394r1_fix

Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Outlook Auto-Protect tab, under Email Messages -> Ensure "Send email to the sender" is NOT selected.

b
The Symantec Endpoint Protection client Outlook Auto-Protect must be configured to send a notification email to the IAO, IAM, and/or ePO administrator when a threatened email message is detected.
SI-3 - Medium - CCI-001668 - V-42809 - SV-55537r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001668
Version
DTASEP076
Vuln IDs
  • V-42809
Rule IDs
  • SV-55537r1_rule
Email has become one of the most frequently used methods of spreading malware, through embedded HTML code and attachments. User awareness and training, warning users to not open suspicious emails or email attachments and to not click hyperlinks, etc. from unknown or known senders, will not fully protect from email-borne malware. Mass mailing worms are similar to email-borne viruses but are self-contained rather than being designed to infect an existing file. Protecting from email-borne viruses and mass mailing worms by scanning email upon delivery mitigates the risk of infection via email.
Checks: C-49081r1_chk

GUI check: Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Outlook Auto-Protect tab, under Email Messages -> Ensure "Send email to others" is selected -> Select Others -> Ensure the IAO, IAM, and/or ePO administrator are listed. Criteria: If "Send email to others" is not selected, this is a finding. If "Send email to others" is selected and the IAO, IAM, and/ or the ePO administrator email addresses are not listed, this is a finding. On the machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan Criteria: If the value of NotifySelected is not 1, this is a finding.

Fix: F-48395r1_fix

Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Outlook Auto-Protect tab, under Email Messages -> Select "Send email to others" -> Select Others -> Add the IAO, IAM, and/or ePO administrator email addresses.

b
The Symantec Endpoint Protection client Outlook Auto-Protect actions must be explicitly configured at the top, Malware, level and not be overridden by sub-levels.
SI-3 - Medium - CCI-001243 - V-42810 - SV-55538r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001243
Version
DTASEP077
Vuln IDs
  • V-42810
Rule IDs
  • SV-55538r1_rule
Email has become one of the most frequently used methods of spreading malware, through embedded HTML code and attachments. User awareness and training, warning users to not open suspicious emails or email attachments and to not click hyperlinks, etc. from unknown or known senders, will not fully protect from email-borne malware. Mass mailing worms are similar to email-borne viruses but are self-contained rather than being designed to infect an existing file. Protecting from email-borne viruses and mass mailing worms by scanning email upon delivery mitigates the risk of infection via email.
Checks: C-49082r1_chk

GUI check: Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Outlook Auto-Protect tab -> Select the Actions tab -> Under Actions -> Under Malware -> Select Virus -> Ensure "Override actions configured for Malware" is NOT selected. Criteria: If "Override actions configured for Malware" is selected, this is a finding. On the machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan\Malware Criteria: If the value of FirstAction is not 5, this is a finding. If the value of FirstAction is 5, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan\TCID-0 is 0 or the value is not there, this is not a finding. 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan\Malware Criteria: If the value of FirstAction is not 5, this is a finding. If the value of FirstAction is 5, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan\Malware\TCID-0 is 0 or the value is not there, this is not a finding.

Fix: F-48396r1_fix

Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Outlook Auto-Protect tab -> Select the Actions tab -> Under Actions -> Under Malware -> Select Virus -> Ensure "Override actions configured for Malware" is NOT selected.

b
The Symantec Endpoint Protection client Outlook Auto-Protect actions for when malware has been detected must be configured to Clean Risk as first action.
SI-3 - Medium - CCI-001243 - V-42811 - SV-55539r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001243
Version
DTASEP078
Vuln IDs
  • V-42811
Rule IDs
  • SV-55539r1_rule
Email has become one of the most frequently used methods of spreading malware, through embedded HTML code and attachments. User awareness and training, warning users to not open suspicious emails or email attachments and to not click hyperlinks, etc. from unknown or known senders, will not fully protect from email-borne malware. Mass mailing worms are similar to email-borne viruses but are self-contained rather than being designed to infect an existing file. Protecting from email-borne viruses and mass mailing worms by scanning email upon delivery mitigates the risk of infection via email.
Checks: C-49083r1_chk

GUI check: Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Outlook Auto-Protect tab -> Select the Actions tab -> Select Malware -> Ensure first action is set to "Clean Risk". Criteria: If first action is not set to "Clean Risk", this is a finding. On the machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan\Malware 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan\Malware Criteria: If the value of "FirstAction" is 5, this is not a finding.

Fix: F-48397r1_fix

Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Outlook Auto-Protect tab -> Select the Actions tab -> Select Malware -> Set first action to "Clean Risk".

b
The Symantec Endpoint Protection client Outlook Auto-Protect actions for when malware has been detected must be configured to Delete Risk if first action fails.
SI-3 - Medium - CCI-001243 - V-42812 - SV-55540r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001243
Version
DTASEP079
Vuln IDs
  • V-42812
Rule IDs
  • SV-55540r1_rule
Email has become one of the most frequently used methods of spreading malware, through embedded HTML code and attachments. User awareness and training, warning users to not open suspicious emails or email attachments and to not click hyperlinks, etc. from unknown or known senders, will not fully protect from email-borne malware. Mass mailing worms are similar to email-borne viruses but are self-contained rather than being designed to infect an existing file. Protecting from email-borne viruses and mass mailing worms by scanning email upon delivery mitigates the risk of infection via email.
Checks: C-49084r1_chk

GUI check: Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Outlook Auto-Protect tab -> Select the Actions tab -> Select Malware -> Ensure If first action fails is set to "Delete Risk". Criteria: If first action fails is not set to "Delete Risk", this is a finding. On the machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan\Malware 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan\Malware Criteria: If the value of "SecondAction" is 3, this is not a finding.

Fix: F-48398r1_fix

Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Outlook Auto-Protect tab -> Select the Actions tab -> Select Malware -> Set if first action fails to "Delete Risk".

b
The Symantec Endpoint Protection client Outlook Auto-Protect actions must be explicitly configured at the top, Security Risks, level and not be overridden by the Adware sub-level.
SI-3 - Medium - CCI-001243 - V-42813 - SV-55541r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001243
Version
DTASEP080
Vuln IDs
  • V-42813
Rule IDs
  • SV-55541r1_rule
Email has become one of the most frequently used methods of spreading malware, through embedded HTML code and attachments. User awareness and training, warning users to not open suspicious emails or email attachments and to not click hyperlinks, etc. from unknown or known senders, will not fully protect from email-borne malware. Mass mailing worms are similar to email-borne viruses but are self-contained rather than being designed to infect an existing file. Protecting from email-borne viruses and mass mailing worms by scanning email upon delivery mitigates the risk of infection via email.
Checks: C-49085r1_chk

GUI check: Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Outlook Auto-Protect tab -> Select the Actions tab -> Under Security Risks -> Select Adware -> Ensure "Override actions configured for Security Risks" is NOT selected. Criteria: If "Override actions configured for Security Risks" is selected, this is a finding. On the machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan\Expanded\TCID-10 is 0 or the value is not there, this is not a finding. 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan\Expanded\TCID-10 is 0 or the value is not there, this is not a finding.

Fix: F-48399r1_fix

Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Outlook Auto-Protect tab -> Select the Actions tab -> Under Security Risks -> Select Adware -> Ensure "Override actions configured for Security Risks" is NOT selected.

b
The Symantec Endpoint Protection client Outlook Auto-Protect actions must be explicitly configured at the top, Security Risks, level and not be overridden by the Dialer sub-level.
SI-3 - Medium - CCI-001243 - V-42814 - SV-55542r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001243
Version
DTASEP081
Vuln IDs
  • V-42814
Rule IDs
  • SV-55542r1_rule
Email has become one of the most frequently used methods of spreading malware, through embedded HTML code and attachments. User awareness and training, warning users to not open suspicious emails or email attachments and to not click hyperlinks, etc. from unknown or known senders, will not fully protect from email-borne malware. Mass mailing worms are similar to email-borne viruses but are self-contained rather than being designed to infect an existing file. Protecting from email-borne viruses and mass mailing worms by scanning email upon delivery mitigates the risk of infection via email.
Checks: C-49086r1_chk

GUI check: Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Outlook Auto-Protect tab -> Select the Actions tab -> Under Security Risks -> Select Dialer-> Ensure "Override actions configured for Security Risks" is NOT selected. Criteria: If "Override actions configured for Security Risks" is selected, this is a finding. On the machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan\Expanded\TCID-8 is 0 or the value is not there, this is not a finding. 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan\Expanded\TCID-8 is 0 or the value is not there, this is not a finding.

Fix: F-48400r1_fix

Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Outlook Auto-Protect tab -> Select the Actions tab -> Under Security Risks -> Select Dialer-> Ensure "Override actions configured for Security Risks" is NOT selected.

b
The Symantec Endpoint Protection client Outlook Auto-Protect actions must be explicitly configured at the top, Security Risks, level and not be overridden by the Hack Tool sub-level.
SI-3 - Medium - CCI-001243 - V-42815 - SV-55543r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001243
Version
DTASEP082
Vuln IDs
  • V-42815
Rule IDs
  • SV-55543r1_rule
Email has become one of the most frequently used methods of spreading malware, through embedded HTML code and attachments. User awareness and training, warning users to not open suspicious emails or email attachments and to not click hyperlinks, etc. from unknown or known senders, will not fully protect from email-borne malware. Mass mailing worms are similar to email-borne viruses but are self-contained rather than being designed to infect an existing file. Protecting from email-borne viruses and mass mailing worms by scanning email upon delivery mitigates the risk of infection via email.
Checks: C-49087r1_chk

GUI check: Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Outlook Auto-Protect tab -> Select the Actions tab -> Under Security Risks -> Select Hack Tool -> Ensure "Override actions configured for Security Risks" is NOT selected. Criteria: If "Override actions configured for Security Risks" is selected, this is a finding. On the machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan\Expanded\TCID-5 is 0 or the value is not there, this is not a finding. 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan\Expanded\TCID-5 is 0 or the value is not there, this is not a finding.

Fix: F-48401r1_fix

Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Outlook Auto-Protect tab -> Select the Actions tab -> Under Security Risks -> Select Hack Tool -> Ensure "Override actions configured for Security Risks" is NOT selected.

b
The Symantec Endpoint Protection client Outlook Auto-Protect actions must be explicitly configured at the top, Security Risks, level and not be overridden by the Joke Program sub-level.
SI-3 - Medium - CCI-001243 - V-42816 - SV-55544r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001243
Version
DTASEP083
Vuln IDs
  • V-42816
Rule IDs
  • SV-55544r1_rule
Email has become one of the most frequently used methods of spreading malware, through embedded HTML code and attachments. User awareness and training, warning users to not open suspicious emails or email attachments and to not click hyperlinks, etc. from unknown or known senders, will not fully protect from email-borne malware. Mass mailing worms are similar to email-borne viruses but are self-contained rather than being designed to infect an existing file. Protecting from email-borne viruses and mass mailing worms by scanning email upon delivery mitigates the risk of infection via email.
Checks: C-49088r1_chk

GUI check: Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Outlook Auto-Protect tab -> Select the Actions tab -> Under Security Risks -> Select Joke Program -> Ensure "Override actions configured for Security Risks" is NOT selected. Criteria: If "Override actions configured for Security Risks" is selected, this is a finding. On the machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan\Expanded\TCID-11 is 0 or the value is not there, this is not a finding. 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan\Expanded\TCID-11 is 0 or the value is not there, this is not a finding.

Fix: F-48402r1_fix

Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Outlook Auto-Protect tab -> Select the Actions tab -> Under Security Risks -> Select Joke Program -> Ensure "Override actions configured for Security Risks" is NOT selected.

b
The Symantec Endpoint Protection client Outlook Auto-Protect actions must be explicitly configured at the top, Security Risks, level and not be overridden by the Misleading Application sub-level.
SI-3 - Medium - CCI-001243 - V-42817 - SV-55545r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001243
Version
DTASEP084
Vuln IDs
  • V-42817
Rule IDs
  • SV-55545r1_rule
Email has become one of the most frequently used methods of spreading malware, through embedded HTML code and attachments. User awareness and training, warning users to not open suspicious emails or email attachments and to not click hyperlinks, etc. from unknown or known senders, will not fully protect from email-borne malware. Mass mailing worms are similar to email-borne viruses but are self-contained rather than being designed to infect an existing file. Protecting from email-borne viruses and mass mailing worms by scanning email upon delivery mitigates the risk of infection via email.
Checks: C-49089r1_chk

GUI check: Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Outlook Auto-Protect tab -> Select the Actions tab -> Under Security Risks -> Select Misleading Application -> Ensure "Override actions configured for Security Risks" is NOT selected. Criteria: If "Override actions configured for Security Risks" is selected, this is a finding. On the machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan\Expanded\TCID-14 is 0 or the value is not there, this is not a finding. 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan\Expanded\TCID-14 is 0 or the value is not there, this is not a finding.

Fix: F-48403r1_fix

Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Outlook Auto-Protect tab -> Select the Actions tab -> Under Security Risks -> Select Misleading Application -> Ensure "Override actions configured for Security Risks" is NOT selected.

b
The Symantec Endpoint Protection client Outlook Auto-Protect actions must be explicitly configured at the top, Security Risks, level and not be overridden by the Parental Control sub-level.
SI-3 - Medium - CCI-001243 - V-42818 - SV-55546r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001243
Version
DTASEP085
Vuln IDs
  • V-42818
Rule IDs
  • SV-55546r1_rule
Email has become one of the most frequently used methods of spreading malware, through embedded HTML code and attachments. User awareness and training, warning users to not open suspicious emails or email attachments and to not click hyperlinks, etc. from unknown or known senders, will not fully protect from email-borne malware. Mass mailing worms are similar to email-borne viruses but are self-contained rather than being designed to infect an existing file. Protecting from email-borne viruses and mass mailing worms by scanning email upon delivery mitigates the risk of infection via email.
Checks: C-49090r1_chk

GUI check: Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Outlook Auto-Protect tab -> Select the Actions tab -> Under Security Risks -> Select Parental Control -> Ensure "Override actions configured for Security Risks" is NOT selected. Criteria: If "Override actions configured for Security Risks" is selected, this is a finding. On the machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan\Expanded\TCID-17 is 0 or the value is not there, this is not a finding. 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan\Expanded\TCID-17 is 0 or the value is not there, this is not a finding.

Fix: F-48404r1_fix

Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Outlook Auto-Protect tab -> Select the Actions tab -> Under Security Risks -> Select Parental Control -> Ensure "Override actions configured for Security Risks" is NOT selected.

b
The Symantec Endpoint Protection client Outlook Auto-Protect actions must be explicitly configured at the top, Security Risks, level and not be overridden by the Remote Access sub-level.
SI-3 - Medium - CCI-001243 - V-42819 - SV-55547r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001243
Version
DTASEP086
Vuln IDs
  • V-42819
Rule IDs
  • SV-55547r1_rule
Email has become one of the most frequently used methods of spreading malware, through embedded HTML code and attachments. User awareness and training, warning users to not open suspicious emails or email attachments and to not click hyperlinks, etc. from unknown or known senders, will not fully protect from email-borne malware. Mass mailing worms are similar to email-borne viruses but are self-contained rather than being designed to infect an existing file. Protecting from email-borne viruses and mass mailing worms by scanning email upon delivery mitigates the risk of infection via email.
Checks: C-49091r1_chk

GUI check: Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Outlook Auto-Protect tab -> Select the Actions tab -> Under Security Risks -> Select Remote Access -> Ensure "Override actions configured for Security Risks" is NOT selected. Criteria: If "Override actions configured for Security Risks" is selected, this is a finding. On the machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan}\Expanded\TCID-9 is 0 or the value is not there, this is not a finding. 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan\Expanded\TCID-9 is 0 or the value is not there, this is not a finding.

Fix: F-48405r1_fix

Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Outlook Auto-Protect tab -> Select the Actions tab -> Under Security Risks -> Select Remote Access -> Ensure "Override actions configured for Security Risks" is NOT selected.

b
The Symantec Endpoint Protection client Outlook Auto-Protect actions must be explicitly configured at the top, Security Risks, level and not be overridden by the Security Assessment Tool sub-level.
SI-3 - Medium - CCI-001243 - V-42820 - SV-55548r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001243
Version
DTASEP087
Vuln IDs
  • V-42820
Rule IDs
  • SV-55548r1_rule
Email has become one of the most frequently used methods of spreading malware, through embedded HTML code and attachments. User awareness and training, warning users to not open suspicious emails or email attachments and to not click hyperlinks, etc. from unknown or known senders, will not fully protect from email-borne malware. Mass mailing worms are similar to email-borne viruses but are self-contained rather than being designed to infect an existing file. Protecting from email-borne viruses and mass mailing worms by scanning email upon delivery mitigates the risk of infection via email.
Checks: C-49092r1_chk

GUI check: Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Outlook Auto-Protect tab -> Select the Actions tab -> Under Security Risks -> Select Security Assessment Tool -> Ensure "Override actions configured for Security Risks" is NOT selected. Criteria: If "Override actions configured for Security Risks" is selected, this is a finding. On the machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan\Expanded\TCID-13 is 0 or the value is not there, this is not a finding. 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan\Expanded\TCID-13 is 0 or the value is not there, this is not a finding.

Fix: F-48406r1_fix

Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Outlook Auto-Protect tab -> Select the Actions tab -> Under Security Risks -> Select Security Assessment Tool -> Ensure "Override actions configured for Security Risks" is NOT selected.

b
The Symantec Endpoint Protection client Outlook Auto-Protect actions must be explicitly configured at the top, Security Risks, level and not be overridden by the Security Risk sub-level.
SI-3 - Medium - CCI-001243 - V-42821 - SV-55549r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001243
Version
DTASEP088
Vuln IDs
  • V-42821
Rule IDs
  • SV-55549r1_rule
Email has become one of the most frequently used methods of spreading malware, through embedded HTML code and attachments. User awareness and training, warning users to not open suspicious emails or email attachments and to not click hyperlinks, etc. from unknown or known senders, will not fully protect from email-borne malware. Mass mailing worms are similar to email-borne viruses but are self-contained rather than being designed to infect an existing file. Protecting from email-borne viruses and mass mailing worms by scanning email upon delivery mitigates the risk of infection via email.
Checks: C-49093r3_chk

GUI check: Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Outlook Auto-Protect tab -> Select the Actions tab -> Under Security Risks -> Select Security Risk -> Ensure "Override actions configured for Security Risks" is NOT selected. Criteria: If "Override actions configured for Security Risks" is selected, this is a finding. On the machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan\Expanded\TCID-4 is 0 or the value is not there, this is not a finding. 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan\Expanded\TCID-4 is 0 or the value is not there, this is not a finding.

Fix: F-48407r1_fix

Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Outlook Auto-Protect tab -> Select the Actions tab -> Under Security Risks -> Select Security Risk -> Ensure "Override actions configured for Security Risks" is NOT selected.

b
The Symantec Endpoint Protection client Outlook Auto-Protect actions must be explicitly configured at the top, Security Risks, level and not be overridden by the Spyware sub-levels.
SI-3 - Medium - CCI-001243 - V-42822 - SV-55550r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001243
Version
DTASEP089
Vuln IDs
  • V-42822
Rule IDs
  • SV-55550r1_rule
Email has become one of the most frequently used methods of spreading malware, through embedded HTML code and attachments. User awareness and training, warning users to not open suspicious emails or email attachments and to not click hyperlinks, etc. from unknown or known senders, will not fully protect from email-borne malware. Mass mailing worms are similar to email-borne viruses but are self-contained rather than being designed to infect an existing file. Protecting from email-borne viruses and mass mailing worms by scanning email upon delivery mitigates the risk of infection via email.
Checks: C-49094r1_chk

GUI check: Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Outlook Auto-Protect tab -> Select the Actions tab -> Under Security Risks -> Select Spyware -> Ensure "Override actions configured for Security Risks" is NOT selected. Criteria: If "Override actions configured for Security Risks" is selected, this is a finding. On the machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan\Expanded\TCID-6 is 0 or the value is not there, this is not a finding. 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan\Expanded\TCID-6 is 0 or the value is not there, this is not a finding.

Fix: F-48408r1_fix

Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Outlook Auto-Protect tab -> Select the Actions tab -> Under Security Risks -> Select Spyware -> Ensure "Override actions configured for Security Risks" is NOT selected.

b
The Symantec Endpoint Protection client Outlook Auto-Protect actions must be explicitly configured at the top, Security Risks, level and not be overridden by the Trackware sub-level.
SI-3 - Medium - CCI-001243 - V-42823 - SV-55551r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001243
Version
DTASEP090
Vuln IDs
  • V-42823
Rule IDs
  • SV-55551r1_rule
Email has become one of the most frequently used methods of spreading malware, through embedded HTML code and attachments. User awareness and training, warning users to not open suspicious emails or email attachments and to not click hyperlinks, etc. from unknown or known senders, will not fully protect from email-borne malware. Mass mailing worms are similar to email-borne viruses but are self-contained rather than being designed to infect an existing file. Protecting from email-borne viruses and mass mailing worms by scanning email upon delivery mitigates the risk of infection via email.
Checks: C-49095r1_chk

GUI check: Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Outlook Auto-Protect tab -> Select the Actions tab -> Under Security Risks -> Select Trackware -> Ensure "Override actions configured for Security Risks" is NOT selected. Criteria: If "Override actions configured for Security Risks" is selected, this is a finding. On the machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan\Expanded\TCID-7 is 0 or the value is not there, this is not a finding. 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan\Expanded\TCID-7 is 0 or the value is not there, this is not a finding.

Fix: F-48409r1_fix

Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Outlook Auto-Protect tab -> Select the Actions tab -> Under Security Risks -> Select Trackware -> Ensure "Override actions configured for Security Risks" is NOT selected.

b
The Symantec Endpoint Protection client Outlook Auto-Protect actions for when a Security Risk has been detected must be configured to Delete Risk as first action.
SI-3 - Medium - CCI-001243 - V-42824 - SV-55552r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001243
Version
DTASEP091
Vuln IDs
  • V-42824
Rule IDs
  • SV-55552r1_rule
Email has become one of the most frequently used methods of spreading malware, through embedded HTML code and attachments. User awareness and training, warning users to not open suspicious emails or email attachments and to not click hyperlinks, etc. from unknown or known senders, will not fully protect from email-borne malware. Mass mailing worms are similar to email-borne viruses but are self-contained rather than being designed to infect an existing file. Protecting from email-borne viruses and mass mailing worms by scanning email upon delivery mitigates the risk of infection via email.
Checks: C-49096r1_chk

GUI check: Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Outlook Auto-Protect tab -> Select the Actions tab -> Select Security Risks -> Ensure first action is set to "Delete Risk". Criteria: If first action is not set to "Delete Risk", this is a finding. On the machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan\Expanded 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan\Expanded Criteria: If the value of "FirstAction" is not 3, this is a finding.

Fix: F-48410r1_fix

Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Outlook Auto-Protect tab -> Select the Actions tab -> Select Security Risks -> Set first action to "Delete Risk".

b
The Symantec Endpoint Protection client Outlook Auto-Protect actions for when a Security Risk has been detected must be configured to Quarantine Risk if first action fails.
SI-3 - Medium - CCI-001243 - V-42825 - SV-55553r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001243
Version
DTASEP092
Vuln IDs
  • V-42825
Rule IDs
  • SV-55553r1_rule
Email has become one of the most frequently used methods of spreading malware, through embedded HTML code and attachments. User awareness and training, warning users to not open suspicious emails or email attachments and to not click hyperlinks, etc. from unknown or known senders, will not fully protect from email-borne malware. Mass mailing worms are similar to email-borne viruses but are self-contained rather than being designed to infect an existing file. Protecting from email-borne viruses and mass mailing worms by scanning email upon delivery mitigates the risk of infection via email.
Checks: C-49097r1_chk

GUI check: Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Outlook Auto-Protect tab -> Select the Actions tab -> Select Security Risks -> Ensure if first action fails is set to "Quarantine Risk". Criteria: If first action fails is not set to "Quarantine Risk", this is a finding. On the machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan\Expanded 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan\Expanded Criteria: If the value of "SecondAction" is not 1, this is a finding.

Fix: F-48411r1_fix

Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Outlook Auto-Protect tab -> Select the Actions tab -> Select Security Risks -> Set if first action fails to "Quarantine Risk".

b
The Symantec Endpoint Protection Internet Email Auto-Protect must be enabled.
SI-3 - Medium - CCI-001668 - V-42826 - SV-55554r2_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001668
Version
DTASEP093
Vuln IDs
  • V-42826
Rule IDs
  • SV-55554r2_rule
Email has become one of the most frequently used methods of spreading malware, through embedded HTML code and attachments. User awareness and training, warning users to not open suspicious emails or email attachments and to not click hyperlinks, etc. from unknown or known senders, will not fully protect from email-borne malware. Mass mailing worms are similar to email-borne viruses but are self-contained rather than being designed to infect an existing file. Protecting from email-borne viruses and mass mailing worms by scanning email upon delivery mitigates the risk of infection via email.
Checks: C-49098r3_chk

Note: This check is Not Applicable to 64-bit system running SEP 12. GUI check: Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Internet Email Auto-Protect tab -> Ensure "Enable Internet Email Auto-Protect" is selected. Criteria: If "Enable Internet Email Auto-Protect" is not selected, this is a finding. On the machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan Criteria: If the value of "OnOff" is not "1", this is a finding.

Fix: F-48412r1_fix

Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Internet Email Auto-Protect tab -> Select "Enable Internet Email Auto-Protect".

b
The Symantec Endpoint Protection Internet email Auto-Protect client must be configured to scan all file types.
SI-3 - Medium - CCI-001668 - V-42827 - SV-55555r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001668
Version
DTASEP094
Vuln IDs
  • V-42827
Rule IDs
  • SV-55555r1_rule
Email has become one of the most frequently used methods of spreading malware, through embedded HTML code and attachments. User awareness and training, warning users to not open suspicious emails or email attachments and to not click hyperlinks, etc. from unknown or known senders, will not fully protect from email-borne malware. Mass mailing worms are similar to email-borne viruses but are self-contained rather than being designed to infect an existing file. Protecting from email-borne viruses and mass mailing worms by scanning email upon delivery mitigates the risk of infection via email.
Checks: C-49099r1_chk

GUI check: Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Internet Email Auto-Protect tab, under File Types -> Ensure "All types" is selected. Criteria: If "All types" is not selected, this is a finding. On the machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan Criteria: If the value of FileType is not 0, this is a finding.

Fix: F-48413r1_fix

Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Internet Email Auto-Protect tab, under File Types -> Select "All types".

b
The Symantec Endpoint Protection client Internet Email Auto-Protect must be configured to scan inside zipped files.
SI-3 - Medium - CCI-001668 - V-42828 - SV-55556r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001668
Version
DTASEP095
Vuln IDs
  • V-42828
Rule IDs
  • SV-55556r1_rule
Email has become one of the most frequently used methods of spreading malware, through embedded HTML code and attachments. User awareness and training, warning users to not open suspicious emails or email attachments and to not click hyperlinks, etc. from unknown or known senders, will not fully protect from email-borne malware. Mass mailing worms are similar to email-borne viruses but are self-contained rather than being designed to infect an existing file. Protecting from email-borne viruses and mass mailing worms by scanning email upon delivery mitigates the risk of infection via email.
Checks: C-49100r1_chk

GUI check: Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Internet Email Auto-Protect tab -> Select Advanced -> Under Compressed files options -> Ensure "Scan files inside compressed files" is selected. Criteria: If "Scan files inside compressed files" is not selected, this is a finding. On the machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan Criteria: If the value of ZipFile is not 1, this is a finding.

Fix: F-48414r1_fix

Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Internet Email Auto-Protect tab -> Select Advanced -> Under Compressed files options -> Select "Scan files inside compressed files" .

b
The Symantec Endpoint Protection client Internet Email Auto-Protect for notification must be configured to insert a warning into email messages when a message part has been deleted, cleaned, or quarantined.
SI-3 - Medium - CCI-001668 - V-42829 - SV-55557r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001668
Version
DTASEP096
Vuln IDs
  • V-42829
Rule IDs
  • SV-55557r1_rule
Email has become one of the most frequently used methods of spreading malware, through embedded HTML code and attachments. User awareness and training, warning users to not open suspicious emails or email attachments and to not click hyperlinks, etc. from unknown or known senders, will not fully protect from email-borne malware. Mass mailing worms are similar to email-borne viruses but are self-contained rather than being designed to infect an existing file. Protecting from email-borne viruses and mass mailing worms by scanning email upon delivery mitigates the risk of infection via email.
Checks: C-49101r1_chk

GUI check: Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Internet Email Auto-Protect tab, under Email Messages -> Ensure "Insert a warning into the email message" is selected. Criteria: If "Insert a warning into the email message" is not selected, this is a finding. On the machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan Criteria: If the value of InsertWarning is not 1, this is a finding.

Fix: F-48415r1_fix

Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Internet Email Auto-Protect tab, under Email Messages -> Select "Insert a warning into the email message".

b
The Symantec Endpoint Protection client Internet Email Auto-Protect must be configured to not send a notification to the sender of an email in which a threat was detected.
SI-3 - Medium - CCI-001668 - V-42830 - SV-55558r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001668
Version
DTASEP097
Vuln IDs
  • V-42830
Rule IDs
  • SV-55558r1_rule
Email has become one of the most frequently used methods of spreading malware, through embedded HTML code and attachments. User awareness and training, warning users to not open suspicious emails or email attachments and to not click hyperlinks, etc. from unknown or known senders, will not fully protect from email-borne malware. Mass mailing worms are similar to email-borne viruses but are self-contained rather than being designed to infect an existing file. Protecting from email-borne viruses and mass mailing worms by scanning email upon delivery mitigates the risk of infection via email.
Checks: C-49102r1_chk

GUI check: Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Internet Email Auto-Protect tab, under Email Messages -> Ensure "Send email to the sender" is NOT selected. Criteria: If "Send email to the sender" is selected, this is a finding. On the machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan Criteria: If the value of NotifySender is not 0, this is a finding.

Fix: F-48416r1_fix

Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Internet Email Auto-Protect tab, under Email Messages -> Ensure "Send email to the sender" is NOT selected.

b
The Symantec Endpoint Protection client Internet Email Auto-Protect must be configured to send a notification email to the IAO, IAM, and/or ePO administrator when a threatened email message is detected.
SI-3 - Medium - CCI-001668 - V-42831 - SV-55559r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001668
Version
DTASEP098
Vuln IDs
  • V-42831
Rule IDs
  • SV-55559r1_rule
Email has become one of the most frequently used methods of spreading malware, through embedded HTML code and attachments. User awareness and training, warning users to not open suspicious emails or email attachments and to not click hyperlinks, etc. from unknown or known senders, will not fully protect from email-borne malware. Mass mailing worms are similar to email-borne viruses but are self-contained rather than being designed to infect an existing file. Protecting from email-borne viruses and mass mailing worms by scanning email upon delivery mitigates the risk of infection via email.
Checks: C-49103r1_chk

GUI check: Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Internet Email Auto-Protect tab, under Email Messages -> Ensure "Send email to others" is selected -> Select Others -> Ensure the IAO, IAM, and/or ePO administrator are listed. Criteria: If "Send email to others" is not selected, this is a finding. If "Send email to others" is selected and the IAO, IAM, and/ or the ePO administrator email addresses are not listed, this is a finding. On the machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan Criteria: If the value of NotifySelected is not 1, this is a finding.

Fix: F-48417r1_fix

Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Internet Email Auto-Protect tab, under Email Messages -> Select "Send email to others" -> Select Others -> Add the IAO, IAM, and/or ePO administrator email addresses.

b
The Symantec Endpoint Protection client Internet Email Auto-Protect must be configured to send a notification email to the IAO, IAM, and/or ePO administrator when a threatened email message is detected.
SI-3 - Medium - CCI-001668 - V-42832 - SV-55560r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001668
Version
DTASEP098
Vuln IDs
  • V-42832
Rule IDs
  • SV-55560r1_rule
Email has become one of the most frequently used methods of spreading malware, through embedded HTML code and attachments. User awareness and training, warning users to not open suspicious emails or email attachments and to not click hyperlinks, etc. from unknown or known senders, will not fully protect from email-borne malware. Mass mailing worms are similar to email-borne viruses but are self-contained rather than being designed to infect an existing file. Protecting from email-borne viruses and mass mailing worms by scanning email upon delivery mitigates the risk of infection via email.
Checks: C-49104r1_chk

GUI check: Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Internet Email Auto-Protect tab, under Email Messages -> Ensure "Send email to others" is selected -> Select Others -> Ensure the IAO, IAM, and/or ePO administrator are listed. Criteria: If "Send email to others" is not selected, this is a finding. If "Send email to others" is selected and the IAO, IAM, and/ or the ePO administrator email addresses are not listed, this is a finding. On the machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan Criteria: If the value of NotifySelected is not 1, this is a finding.

Fix: F-48418r1_fix

Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Internet Email Auto-Protect tab, under Email Messages -> Select "Send email to others" -> Select Others -> Add the IAO, IAM, and/or ePO administrator email addresses.

b
The Symantec Endpoint Protection client Internet Email Auto-Protect actions must be explicitly configured at the top, Malware, level and not be overridden by sub-levels.
SI-3 - Medium - CCI-001243 - V-42833 - SV-55561r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001243
Version
DTASEP099
Vuln IDs
  • V-42833
Rule IDs
  • SV-55561r1_rule
Email has become one of the most frequently used methods of spreading malware, through embedded HTML code and attachments. User awareness and training, warning users to not open suspicious emails or email attachments and to not click hyperlinks, etc. from unknown or known senders, will not fully protect from email-borne malware. Mass mailing worms are similar to email-borne viruses but are self-contained rather than being designed to infect an existing file. Protecting from email-borne viruses and mass mailing worms by scanning email upon delivery mitigates the risk of infection via email.
Checks: C-49105r1_chk

GUI check: Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Internet Email Auto-Protect tab -> Select the Actions tab -> Under Actions -> Under Malware -> Select Virus -> Ensure "Override actions configured for Malware" is NOT selected. Criteria: If "Override actions configured for Malware" is selected, this is a finding. On the machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan\Malware Criteria: If the value of FirstAction is not 5, this is a finding. If the value of FirstAction is 5, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan\TCID-0 is 0 or the value is not there, this is not a finding. 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan\Malware Criteria: If the value of FirstAction is not 5, this is a finding. If the value of FirstAction is 5, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan\Malware\TCID-0 is 0 or the value is not there, this is not a finding.

Fix: F-48419r1_fix

Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Internet Email Auto-Protect tab -> Select the Actions tab -> Under Actions -> Under Malware -> Select Virus -> Ensure "Override actions configured for Malware" is NOT selected.

b
The Symantec Endpoint Protection client Internet Email Auto-Protect actions for when malware has been detected must be configured to Clean Risk as first action.
SI-3 - Medium - CCI-001243 - V-42834 - SV-55562r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001243
Version
DTASEP100
Vuln IDs
  • V-42834
Rule IDs
  • SV-55562r1_rule
Email has become one of the most frequently used methods of spreading malware, through embedded HTML code and attachments. User awareness and training, warning users to not open suspicious emails or email attachments and to not click hyperlinks, etc. from unknown or known senders, will not fully protect from email-borne malware. Mass mailing worms are similar to email-borne viruses but are self-contained rather than being designed to infect an existing file. Protecting from email-borne viruses and mass mailing worms by scanning email upon delivery mitigates the risk of infection via email.
Checks: C-49106r1_chk

GUI check: Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Internet Email Auto-Protect tab -> Select the Actions tab -> Select Malware -> Ensure first action is set to "Clean Risk". Criteria: If first action is not set to "Clean Risk", this is a finding. On the machine use the Windows Registry Editor to navigate to the following key: 32 Bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan\Malware 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan\Malware Criteria: If the value of "FirstAction" is not 5, this is a finding.

Fix: F-48420r1_fix

Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Internet Email Auto-Protect tab -> Select the Actions tab -> Select Malware -> Set first action to "Clean Risk".

b
The Symantec Endpoint Protection client Internet Email Auto-Protect actions for when malware has been detected must be configured to Delete Risk if first action fails.
SI-3 - Medium - CCI-001243 - V-42835 - SV-55563r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001243
Version
DTASEP101
Vuln IDs
  • V-42835
Rule IDs
  • SV-55563r1_rule
Email has become one of the most frequently used methods of spreading malware, through embedded HTML code and attachments. User awareness and training, warning users to not open suspicious emails or email attachments and to not click hyperlinks, etc. from unknown or known senders, will not fully protect from email-borne malware. Mass mailing worms are similar to email-borne viruses but are self-contained rather than being designed to infect an existing file. Protecting from email-borne viruses and mass mailing worms by scanning email upon delivery mitigates the risk of infection via email.
Checks: C-49107r1_chk

GUI check: Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Internet Email Auto-Protect tab -> Select the Actions tab -> Select Malware -> Ensure if first action fails is set to "Delete Risk". Criteria: If first action fails is not set to "Delete Risk", this is a finding. On the machine use the Windows Registry Editor to navigate to the following key: 32 Bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan\Malware 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan\Malware Criteria: If the value of "SecondAction" is not 3, this is a finding.

Fix: F-48421r1_fix

Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Internet Email Auto-Protect tab -> Select the Actions tab -> Select Malware -> Set if first action fails to "Delete Risk".

b
The Symantec Endpoint Protection client Internet Email Auto-Protect actions must be explicitly configured at the top, Security Risks, level and not be overridden by the Adware sub-level.
SI-3 - Medium - CCI-001243 - V-42836 - SV-55564r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001243
Version
DTASEP102
Vuln IDs
  • V-42836
Rule IDs
  • SV-55564r1_rule
Email has become one of the most frequently used methods of spreading malware, through embedded HTML code and attachments. User awareness and training, warning users to not open suspicious emails or email attachments and to not click hyperlinks, etc. from unknown or known senders, will not fully protect from email-borne malware. Mass mailing worms are similar to email-borne viruses but are self-contained rather than being designed to infect an existing file. Protecting from email-borne viruses and mass mailing worms by scanning email upon delivery mitigates the risk of infection via email.
Checks: C-49108r1_chk

GUI check: Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Internet Email Auto-Protect tab -> Select the Actions tab -> Under Security Risks -> Select Adware -> Ensure "Override actions configured for Security Risks" is NOT selected. Criteria: If "Override actions configured for Security Risks" is selected, this is a finding. On the machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan\Expanded\TCID-10 is 0 or the value is not there, this is not a finding. 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan\Expanded\TCID-10 is 0 or the value is not there, this is not a finding.

Fix: F-48422r1_fix

Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Internet Email Auto-Protect tab -> Select the Actions tab -> Under Security Risks -> Select Adware -> Ensure "Override actions configured for Security Risks" is NOT selected.

b
The Symantec Endpoint Protection client Internet Email Auto-Protect actions must be explicitly configured at the top, Security Risks, level and not be overridden by the Dialer sub-level.
SI-3 - Medium - CCI-001243 - V-42837 - SV-55565r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001243
Version
DTASEP103
Vuln IDs
  • V-42837
Rule IDs
  • SV-55565r1_rule
Email has become one of the most frequently used methods of spreading malware, through embedded HTML code and attachments. User awareness and training, warning users to not open suspicious emails or email attachments and to not click hyperlinks, etc. from unknown or known senders, will not fully protect from email-borne malware. Mass mailing worms are similar to email-borne viruses but are self-contained rather than being designed to infect an existing file. Protecting from email-borne viruses and mass mailing worms by scanning email upon delivery mitigates the risk of infection via email.
Checks: C-49109r1_chk

GUI check: Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Internet Email Auto-Protect tab -> Select the Actions tab -> Under Security Risks -> Select Dialer-> Ensure "Override actions configured for Security Risks" is NOT selected. Criteria: If "Override actions configured for Security Risks" is selected, this is a finding. On the machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan\Expanded\TCID-8 is 0 or the value is not there, this is not a finding. 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan\Expanded\TCID-8 is 0 or the value is not there, this is not a finding.

Fix: F-48423r1_fix

Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Internet Email Auto-Protect tab -> Select the Actions tab -> Under Security Risks -> Select Dialer-> Ensure "Override actions configured for Security Risks" is NOT selected.

b
The Symantec Endpoint Protection client Internet Email Auto-Protect actions must be explicitly configured at the top, Security Risks, level and not be overridden by the Hack Tool sub-level.
SI-3 - Medium - CCI-001243 - V-42838 - SV-55566r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001243
Version
DTASEP104
Vuln IDs
  • V-42838
Rule IDs
  • SV-55566r1_rule
Email has become one of the most frequently used methods of spreading malware, through embedded HTML code and attachments. User awareness and training, warning users to not open suspicious emails or email attachments and to not click hyperlinks, etc. from unknown or known senders, will not fully protect from email-borne malware. Mass mailing worms are similar to email-borne viruses but are self-contained rather than being designed to infect an existing file. Protecting from email-borne viruses and mass mailing worms by scanning email upon delivery mitigates the risk of infection via email.
Checks: C-49110r1_chk

GUI check: Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Internet Email Auto-Protect tab -> Select the Actions tab -> Under Security Risks -> Select Hack Tool -> Ensure "Override actions configured for Security Risks" is NOT selected. Criteria: If "Override actions configured for Security Risks" is selected, this is a finding. On the machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan\Expanded\TCID-5 is 0 or the value is not there, this is not a finding. 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan\Expanded\TCID-5 is 0 or the value is not there, this is not a finding.

Fix: F-48424r1_fix

Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Internet Email Auto-Protect tab -> Select the Actions tab -> Under Security Risks -> Select Hack Tool -> Ensure "Override actions configured for Security Risks" is NOT selected.

b
The Symantec Endpoint Protection client Internet Email Auto-Protect actions must be explicitly configured at the top, Security Risks, level and not be overridden by the Joke Program sub-level.
SI-3 - Medium - CCI-001243 - V-42839 - SV-55567r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001243
Version
DTASEP105
Vuln IDs
  • V-42839
Rule IDs
  • SV-55567r1_rule
Email has become one of the most frequently used methods of spreading malware, through embedded HTML code and attachments. User awareness and training, warning users to not open suspicious emails or email attachments and to not click hyperlinks, etc. from unknown or known senders, will not fully protect from email-borne malware. Mass mailing worms are similar to email-borne viruses but are self-contained rather than being designed to infect an existing file. Protecting from email-borne viruses and mass mailing worms by scanning email upon delivery mitigates the risk of infection via email.
Checks: C-49111r1_chk

GUI check: Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Internet Email Auto-Protect tab -> Select the Actions tab -> Under Security Risks -> Select Joke Program -> Ensure "Override actions configured for Security Risks" is NOT selected. Criteria: If "Override actions configured for Security Risks" is selected, this is a finding. On the machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan\Expanded\TCID-11 is 0 or the value is not there, this is not a finding. 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan\Expanded\TCID-11 is 0 or the value is not there, this is not a finding.

Fix: F-48425r1_fix

Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Internet Email Auto-Protect tab -> Select the Actions tab -> Under Security Risks -> Select Joke Program -> Ensure "Override actions configured for Security Risks" is NOT selected.

b
The Symantec Endpoint Protection client Internet Email Auto-Protect actions must be explicitly configured at the top, Security Risks, level and not be overridden by the Misleading Application sub-level.
SI-3 - Medium - CCI-001243 - V-42840 - SV-55568r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001243
Version
DTASEP106
Vuln IDs
  • V-42840
Rule IDs
  • SV-55568r1_rule
Email has become one of the most frequently used methods of spreading malware, through embedded HTML code and attachments. User awareness and training, warning users to not open suspicious emails or email attachments and to not click hyperlinks, etc. from unknown or known senders, will not fully protect from email-borne malware. Mass mailing worms are similar to email-borne viruses but are self-contained rather than being designed to infect an existing file. Protecting from email-borne viruses and mass mailing worms by scanning email upon delivery mitigates the risk of infection via email.
Checks: C-49112r1_chk

GUI check: Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Internet Email Auto-Protect tab -> Select the Actions tab -> Under Security Risks -> Select Misleading Application -> Ensure "Override actions configured for Security Risks" is NOT selected. Criteria: If "Override actions configured for Security Risks" is selected, this is a finding. On the machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan\Expanded\TCID-14 is 0 or the value is not there, this is not a finding. 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan\Expanded\TCID-14 is 0 or the value is not there, this is not a finding.

Fix: F-48426r1_fix

Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Internet Email Auto-Protect tab -> Select the Actions tab -> Under Security Risks -> Select Misleading Application -> Ensure "Override actions configured for Security Risks" is NOT selected.

b
The Symantec Endpoint Protection client Internet Email Auto-Protect actions must be explicitly configured at the top, Security Risks, level and not be overridden by the Parental Control sub-level.
SI-3 - Medium - CCI-001243 - V-42841 - SV-55569r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001243
Version
DTASEP107
Vuln IDs
  • V-42841
Rule IDs
  • SV-55569r1_rule
Email has become one of the most frequently used methods of spreading malware, through embedded HTML code and attachments. User awareness and training, warning users to not open suspicious emails or email attachments and to not click hyperlinks, etc. from unknown or known senders, will not fully protect from email-borne malware. Mass mailing worms are similar to email-borne viruses but are self-contained rather than being designed to infect an existing file. Protecting from email-borne viruses and mass mailing worms by scanning email upon delivery mitigates the risk of infection via email.
Checks: C-49113r1_chk

GUI check: Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Internet Email Auto-Protect tab -> Select the Actions tab -> Under Security Risks -> Select Parental Control -> Ensure "Override actions configured for Security Risks" is NOT selected. Criteria: If "Override actions configured for Security Risks" is selected, this is a finding. On the machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan\Expanded\TCID-17 is 0 or the value is not there, this is not a finding. 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan\Expanded\TCID-17 is 0 or the value is not there, this is not a finding.

Fix: F-48427r1_fix

Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Internet Email Auto-Protect tab -> Select the Actions tab -> Under Security Risks -> Select Parental Control -> Ensure "Override actions configured for Security Risks" is NOT selected.

b
The Symantec Endpoint Protection client Internet Email Auto-Protect actions must be explicitly configured at the top, Security Risks, level and not be overridden by the Remote Access sub-level.
SI-3 - Medium - CCI-001243 - V-42842 - SV-55570r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001243
Version
DTASEP108
Vuln IDs
  • V-42842
Rule IDs
  • SV-55570r1_rule
Email has become one of the most frequently used methods of spreading malware, through embedded HTML code and attachments. User awareness and training, warning users to not open suspicious emails or email attachments and to not click hyperlinks, etc. from unknown or known senders, will not fully protect from email-borne malware. Mass mailing worms are similar to email-borne viruses but are self-contained rather than being designed to infect an existing file. Protecting from email-borne viruses and mass mailing worms by scanning email upon delivery mitigates the risk of infection via email.
Checks: C-49114r1_chk

GUI check: Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Internet Email Auto-Protect tab -> Select the Actions tab -> Under Security Risks -> Select Remote Access -> Ensure "Override actions configured for Security Risks" is NOT selected. Criteria: If "Override actions configured for Security Risks" is selected, this is a finding. On the machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan}\Expanded\TCID-9 is 0 or the value is not there, this is not a finding. 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan\Expanded\TCID-9 is 0 or the value is not there, this is not a finding.

Fix: F-48428r1_fix

Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Internet Email Auto-Protect tab -> Select the Actions tab -> Under Security Risks -> Select Remote Access -> Ensure "Override actions configured for Security Risks" is NOT selected.

b
The Symantec Endpoint Protection client Internet Email Auto-Protect actions must be explicitly configured at the top, Security Risks, level and not be overridden by the Security Assessment Tool sub-level.
SI-3 - Medium - CCI-001243 - V-42843 - SV-55571r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001243
Version
DTASEP109
Vuln IDs
  • V-42843
Rule IDs
  • SV-55571r1_rule
Email has become one of the most frequently used methods of spreading malware, through embedded HTML code and attachments. User awareness and training, warning users to not open suspicious emails or email attachments and to not click hyperlinks, etc. from unknown or known senders, will not fully protect from email-borne malware. Mass mailing worms are similar to email-borne viruses but are self-contained rather than being designed to infect an existing file. Protecting from email-borne viruses and mass mailing worms by scanning email upon delivery mitigates the risk of infection via email.
Checks: C-49115r1_chk

GUI check: Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Internet Email Auto-Protect tab -> Select the Actions tab -> Under Security Risks -> Select Security Assessment Tool -> Ensure "Override actions configured for Security Risks" is NOT selected. Criteria: If "Override actions configured for Security Risks" is selected, this is a finding. On the machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan\Expanded\TCID-13 is 0 or the value is not there, this is not a finding. 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan\Expanded\TCID-13 is 0 or the value is not there, this is not a finding.

Fix: F-48429r1_fix

Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Internet Email Auto-Protect tab -> Select the Actions tab -> Under Security Risks -> Select Security Assessment Tool -> Ensure "Override actions configured for Security Risks" is NOT selected.

b
The Symantec Endpoint Protection client Internet Email Auto-Protect actions must be explicitly configured at the top, Security Risks, level and not be overridden by the Security Risk sub-level.
SI-3 - Medium - CCI-001243 - V-42844 - SV-55572r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001243
Version
DTASEP110
Vuln IDs
  • V-42844
Rule IDs
  • SV-55572r1_rule
Email has become one of the most frequently used methods of spreading malware, through embedded HTML code and attachments. User awareness and training, warning users to not open suspicious emails or email attachments and to not click hyperlinks, etc. from unknown or known senders, will not fully protect from email-borne malware. Mass mailing worms are similar to email-borne viruses but are self-contained rather than being designed to infect an existing file. Protecting from email-borne viruses and mass mailing worms by scanning email upon delivery mitigates the risk of infection via email.
Checks: C-49117r1_chk

GUI check: Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Internet Email Auto-Protect tab -> Select the Actions tab -> Under Security Risks -> Select Security Risk -> Ensure "Override actions configured for Security Risks" is NOT selected. Criteria: If "Override actions configured for Security Risks" is selected, this is a finding. On the machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan\Expanded\TCID-4 is 0 or the value is not there, this is not a finding. 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan\Expanded\TCID-4 is 0 or the value is not there, this is not a finding.

Fix: F-48430r1_fix

Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Internet Email Auto-Protect tab -> Select the Actions tab -> Under Security Risks -> Select Security Risk -> Ensure "Override actions configured for Security Risks" is NOT selected.

b
The Symantec Endpoint Protection client Internet Email Auto-Protect actions must be explicitly configured at the top, Security Risks, level and not be overridden by the Spyware sub-level.
SI-3 - Medium - CCI-001243 - V-42845 - SV-55573r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001243
Version
DTASEP111
Vuln IDs
  • V-42845
Rule IDs
  • SV-55573r1_rule
Email has become one of the most frequently used methods of spreading malware, through embedded HTML code and attachments. User awareness and training, warning users to not open suspicious emails or email attachments and to not click hyperlinks, etc. from unknown or known senders, will not fully protect from email-borne malware. Mass mailing worms are similar to email-borne viruses but are self-contained rather than being designed to infect an existing file. Protecting from email-borne viruses and mass mailing worms by scanning email upon delivery mitigates the risk of infection via email.
Checks: C-49118r1_chk

GUI check: Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Internet Email Auto-Protect tab -> Select the Actions tab -> Under Security Risks -> Select Spyware -> Ensure "Override actions configured for Security Risks" is NOT selected. Criteria: If "Override actions configured for Security Risks" is selected, this is a finding. On the machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan\Expanded\TCID-6 is 0 or the value is not there, this is not a finding. 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan\Expanded\TCID-6 is 0 or the value is not there, this is not a finding.

Fix: F-48431r1_fix

Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Internet Email Auto-Protect tab -> Select the Actions tab -> Under Security Risks -> Select Spyware -> Ensure "Override actions configured for Security Risks" is NOT selected.

b
The Symantec Endpoint Protection client Internet Email Auto-Protect actions must be explicitly configured at the top, Security Risks, level and not be overridden by the Trackware sub-level.
SI-3 - Medium - CCI-001243 - V-42846 - SV-55574r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001243
Version
DTASEP112
Vuln IDs
  • V-42846
Rule IDs
  • SV-55574r1_rule
Email has become one of the most frequently used methods of spreading malware, through embedded HTML code and attachments. User awareness and training, warning users to not open suspicious emails or email attachments and to not click hyperlinks, etc. from unknown or known senders, will not fully protect from email-borne malware. Mass mailing worms are similar to email-borne viruses but are self-contained rather than being designed to infect an existing file. Protecting from email-borne viruses and mass mailing worms by scanning email upon delivery mitigates the risk of infection via email.
Checks: C-49119r1_chk

GUI check: Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Internet Email Auto-Protect tab -> Select the Actions tab -> Under Security Risks -> Select Trackware -> Ensure "Override actions configured for Security Risks" is NOT selected. Criteria: If "Override actions configured for Security Risks" is selected, this is a finding. On the machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan\Expanded\TCID-7 is 0 or the value is not there, this is not a finding. 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan\Expanded\TCID-7 is 0 or the value is not there, this is not a finding.

Fix: F-48432r1_fix

Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Internet Email Auto-Protect tab -> Select the Actions tab -> Under Security Risks -> Select Trackware -> Ensure "Override actions configured for Security Risks" is NOT selected.

b
The Symantec Endpoint Protection client Internet Email Auto-Protect actions for when a Security Risk has been detected must be configured to Delete Risk as first action.
SI-3 - Medium - CCI-001243 - V-42847 - SV-55575r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001243
Version
DTASEP113
Vuln IDs
  • V-42847
Rule IDs
  • SV-55575r1_rule
Email has become one of the most frequently used methods of spreading malware, through embedded HTML code and attachments. User awareness and training, warning users to not open suspicious emails or email attachments and to not click hyperlinks, etc. from unknown or known senders, will not fully protect from email-borne malware. Mass mailing worms are similar to email-borne viruses but are self-contained rather than being designed to infect an existing file. Protecting from email-borne viruses and mass mailing worms by scanning email upon delivery mitigates the risk of infection via email.
Checks: C-49120r1_chk

GUI check: Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Internet Auto-Protect tab -> Select the Actions tab -> Select Security Risks -> Ensure first action is set to "Delete Risk". Criteria: If first action is not set to "Delete Risk", this is a finding. On the machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan\Expanded 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan\Expanded Criteria: If the value of "FirstAction" is not 3, this is a finding.

Fix: F-48433r1_fix

Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Internet Auto-Protect tab -> Select the Actions tab -> Select Security Risks -> Set first action to "Delete Risk".

b
The Symantec Endpoint Protection client Internet Email Auto-Protect actions for when a Security Risk has been detected must be configured to Quarantine risk if first action fails.
SI-3 - Medium - CCI-001243 - V-42848 - SV-55576r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001243
Version
DTASEP114
Vuln IDs
  • V-42848
Rule IDs
  • SV-55576r1_rule
Email has become one of the most frequently used methods of spreading malware, through embedded HTML code and attachments. User awareness and training, warning users to not open suspicious emails or email attachments and to not click hyperlinks, etc. from unknown or known senders, will not fully protect from email-borne malware. Mass mailing worms are similar to email-borne viruses but are self-contained rather than being designed to infect an existing file. Protecting from email-borne viruses and mass mailing worms by scanning email upon delivery mitigates the risk of infection via email.
Checks: C-49121r1_chk

GUI check: Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Internet Auto-Protect tab -> Select the Actions tab -> Select Security Risks -> Ensure if first action fails is set to "Quarantine Risk". Criteria: If first action fails is not set to "Quarantine Risk", this is a finding. On the machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan\Expanded 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan\Expanded Criteria: If the value of "SecondAction" is not 1, this is a finding.

Fix: F-48434r1_fix

Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Internet Auto-Protect tab -> Select the Actions tab -> Select Security Risks -> Set if first action fails to "Quarantine Risk".